Anyone setting up a hands-on cybersecurity training course should read this paper. Greenlaw and associates describe a clear set of learning objectives, and the steps they took. While there are several components missing from their description, they provide an excellent starting point. As a computer security professional, I was excited to learn that all first-year students at the US Naval Academy are required to take an introductory course in cybersecurity with a hands-on component. This should have substantial impact as they move into leadership roles.

The authors describe both the physical and logical environment in which hands-on training was provided. This provides a baseline for the contemporary reader. They then describe the order in which they introduce computing and networking concepts and tools, followed by basic information security theory. The most interesting part of the paper was their description of how they taught their students to visualize how network vulnerabilities could be used to mount a successful network attack and a sample of student documentation (a useful artifact for someone learning basic penetration testing). In the final section, they provided quantitative performance assessments of the students, along with the students’ own ranking of the usefulness of the labs. I would be equally interested in hearing a qualitative assessment of the labs from the students.

The only disappointment I felt was that half of the citations were no longer current, so interested readers were unable to follow the references provided. I was especially interested in the notes they developed for their class. Sadly, the link to those notes didn’t work. All in all, though, I found it an interesting read, and have already recommended it to colleagues who have information security training responsibilities.