Education Notes bring mathematical and educational ideas forth to the CMS readership in a manner that promotes discussion of relevant topics including research, activities, issues, and noteworthy news items. Comments, suggestions, and submissions are welcome.
Egan J Chernoff, University of Saskatchewan (egan.chernoff@usask.ca)
Kseniya Garaschuk, University of the Fraser Valley (kseniya.garaschuk@ufv.ca)
The system I am dedicated to safeguarding daily is the educational experience of my students. This system faces threats from various fronts, ranging from inexperienced users who may unintentionally disrupt learning to malicious actors seeking to exploit vulnerabilities for personal gain. Additionally, the overall educational posture, including outdated or hard-to-maneuver systems and inadequate resources, poses challenges to the effectiveness of the learning environment. Defense in depth, proactive monitoring, incident response, vulnerability assessment, patch management – can we apply cyber security concepts to create a fortified learning environment that not only withstands disruptions but also fosters meaningful academic growth and development?
Last year, I was scheduled to teach Introduction to Finite Math for the first time in 5 years. As I was preparing the course, I was looking at the content with a new perspective focusing on authentic applications that I have been employing in my other, mostly calculus, courses. A field of study that sparked my interest as modern and particularly relevant to students in this course is the field of cyber security.
We live in a world of information, and we increasingly live in a world where personal information is sold, stolen and used. Cyber attacks from small to large occur daily and have serious implications for national security. On a regular basis now, we hear of high-profile breaches to Canadian critical infrastructures. A main problem in the field of cyber security is the current shortage of specialists that can help build and support systems resilient to attacks, but the ongoing growth of technology means ongoing demand for such specializations, which is a problem that requires long-term vision and support.
Despite various certifications, most cyber security jobs require academic degrees in computer science, information systems, computer engineering or mathematics, yet few of our students get exposed to any cyber security notions in math or computer science curriculum. This results in students being unaware of potential career options and also missing out on opportunities to acquire relevant skills and experiences during their degrees (such as co-ops, internships, additional certifications, etc.). Moreover, even if a student is not going to pursue a career in cyber security, as a modern citizen they should be aware of how to protect themselves, their data and their assets from cyber crime. With all that in mind, I decided to create content introducing cyber security notions into my first-year courses.
One of the easy notions to introduce, one that yields several mentions throughout the course, is the concept that goes by many names. Defense in depth, layered defense or castle approach is a network security approach that deploys a series of layered defensive measures in order to prevent an attacker from penetrating the system. Since no single security control can provide complete protection against all possible attacks, the idea here is to stagger the defenses so that if one fails, another one will prevent the breach. Multi-factor authentication (MFA) is one example of this approach, which involves a user presenting two or more pieces of information (password, answer to a security question, one-time code) in order to gain access. This way, if your password has been compromised, there is another layer of protection that hopefully prevents unauthorized access. It is easy to see that this layered authentication is much more secure than a single defense layer or a parallel approach that consists of choosing only one of several available authentication options.
Putting my math instructor hat on, we can utilize MFA to discuss the differences between logical operations of conjunction and disjunction as well as during applications of multiplication and addition principles of counting. Here are a couple of examples.
Example 1.
a. Suppose your password provides 70% security and the text PIN provides 90% security. How secure is the two-factor authentication in this case?
b. Suppose you also have an option to log into your account by answering two security questions, which by themselves provide only 40% security each. How secure is the system now?
Example 2.
The Internet protocol (IP) assigns addresses to each connected device. Depending on the version of the protocol, the format of the address is different.
a. IPv4 uses addresses in the form of 4 numbers, each between 0 and 255. How many possible addresses are there? Do you believe this is enough for the current number of Internet users?
b. IPv6 uses addresses in the form of y : y : y : y : y : y : y : y, where each segment y is a hexadecimal value between 0 and FFFF. How many possible addresses are there?
Indeed, these are fairly straightforward questions. However, when my university introduced multi-factor authentication, everyone complained – and I mean EVERYONE. This example drives home the increased security of the method. And, despite the fact that I teach many computer science students in my Finite Math class, few of them have thought about the format of IP and the fact that version 4 simply cannot sustain the increased number of user devices in the world.
On a meta scale (not that meta), the defense in depth concept seems like a useful way to think about approaching a course: just as layers of security protect a network against diverse threats, a multi-faceted approach to course design and management can enhance resilience in the face of educational challenges. The more I thought of cyber security examples to inject into my courses, the more I started to see how the education system itself can be seen through this lens.
At their core, many systems operate on similar principles. Once the system is established, we all operate within its boundaries and constraints. We can (and often should) question the setup, but for now let us assume that we cannot change the system itself and rather focus on the experience. We can then roughly divide system participants into two categories: honest and corrupt. Honest individuals operate in good faith, but can make unintentional mistakes; corrupt individuals try to game the system to their advantage and sometimes believe that their malicious activities do not affect the experiences of others.
Students are users of the educational offerings and instructors, as facilitators of learning, are administrators of the learning experience. From this perspective, the (educational) system’s defenses take a hit from a variety of errors coming from both the honest and the corrupt sides:
- user errors: students miss deadlines, submit a wrong file, plagiarize, …
- admin errors: instructors forget to upload notes, make unannounced syllabus changes, plagiarize, …
- implementation errors: outdated materials, disorganized classroom activities, assessment misalignment, …
- platform errors: university’s learning management system is down, the campus gets snowed in, classroom’s projector doesn’t work, …
- platform design errors: lack of accessibility features, outdated policies, small or non-existent board space in a classroom, permanently attached desks and chairs, …
All of the above result in vulnerabilities and a weakened system. Planning the new course, which weaknesses do I believe will cause the most potential damage? Which vulnerabilities should I plan to strengthen my defenses against? Which error types can I approach systematically or eliminate altogether?
Getting back to defense in depth. The goal is to protect the system from failure in a systematic layered approach. In cyber security, as mentioned, this involves multiple layers of various security controls such as firewalls, antivirus software, intrusion detection, encryption, patching and more. Each layer adds a barrier and is different from the others so that an intruder breaking one layer won’t be able to use the same exact techniques to penetrate the next one. What can this mean from both the student’s and the instructor’s point of view? How do I arrange my course planning to provide my students with extra layers of protection against failure? What options can I put in place for my students so that one missed skill doesn’t affect their entire course experience? The key nuance in defense in depth that often gets missed in its implementation is that each layer of protection must be different in nature. In the MFA example, asking two basic security questions in a row doesn’t actually strengthen the system because chances are that if a threat actor stole your personal information, they stole more than one piece, so they know both your postal code and your mother’s maiden name. A good MFA must include a combination of at least 2 of:
- Something you know: A PIN, password, or security question
- Something you have: Your phone, a token, or a fob
- Something you are: Your fingerprint, your face, your eyes, or your voice
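The numbers from Example 1 and the point above about two security questions can be worked through in code. This is an added example, not part of the original note. It assumes the question login in Example 1b is an alternative path, that factors in different groups fail independently while factors in the same group fall together; the group names and the nested-tuple policy format are illustrative.

```python
from itertools import product
from math import prod

# Breach probability per factor = 1 - the "security" given in Example 1.
# The second field is an added modelling assumption: factors sharing a group
# fall to the same underlying event; different groups are independent.
FACTORS = {
    "password": (0.30, "memory"),
    "text_pin": (0.10, "phone"),
    "question1": (0.60, "q1"),
    "question2": (0.60, "q2"),
}
# Same numbers, but both answers come from one leak of personal data.
CORRELATED = dict(FACTORS, question1=(0.60, "personal_data"),
                  question2=(0.60, "personal_data"))

TWO_FACTOR = ("and", "password", "text_pin")          # Example 1a
QUESTIONS = ("and", "question1", "question2")
EITHER_PATH = ("or", TWO_FACTOR, QUESTIONS)           # Example 1b

def breached(policy, defeated):
    """True if the attacker gets in, given the set of factors they defeated."""
    if isinstance(policy, str):
        return policy in defeated
    op, *children = policy
    combine = all if op == "and" else any
    return combine(breached(child, defeated) for child in children)

def breach_probability(policy, factors):
    """Exact breach probability: one uniform draw U per group, and a factor
    with breach probability p is defeated when U < p."""
    groups = {}
    for name, (p, group) in factors.items():
        groups.setdefault(group, []).append((p, name))
    per_group = []
    for members in groups.values():
        cuts = sorted({0.0, 1.0, *(p for p, _ in members)})
        per_group.append([(hi - lo, {n for p, n in members if lo < p})
                          for lo, hi in zip(cuts, cuts[1:])])
    total = 0.0
    for cells in product(*per_group):
        defeated = set().union(*(names for _, names in cells))
        if breached(policy, defeated):
            total += prod(width for width, _ in cells)
    return total

if __name__ == "__main__":
    for pol, fac in [(TWO_FACTOR, FACTORS), (EITHER_PATH, FACTORS), (EITHER_PATH, CORRELATED)]:
        print(f"{1 - breach_probability(pol, fac):.2%} secure")
```

Under these assumptions the two-factor login is 97% secure, adding the question path lowers the system to about 62%, and to about 39% when both answers leak together.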
In designing my course, I realized I needed to adopt a similar philosophy: layering varied supports to give students multiple and, importantly, distinct opportunities to succeed. This might mean offering both (or a choice of) traditional assignments and collaborative projects, standard written tests and oral exams, best k of n quizzes (for some value of k<n), choice of k of n assignments to submit, the format of the submissions (typed, written, poster, oral presentation, video, interpretative dance, etc.), flexible policies for unexpected life events. Each support targets different potential points of failure — academic, technical, personal — just as each cyber defense layer counters a different type of attack. By structuring the course this way, I aim to make student success less brittle: missing one opportunity or still working on developing fluency within one particular type of course component doesn’t automatically doom a student’s outcome, just as breaching one security measure doesn’t bring down the entire network.
Ultimately, seeing education through the lens of cyber security allows a different view of the course planning process and the instructor’s role. I am not simply a content deliverer – I am a system architect, designing an environment that fosters resilience and growth. Just as in cyber security, perfect protection is impossible, but thoughtful, layered design can make a system robust enough to absorb shocks and support genuine, lasting learning.