Provost’s Learning Innovation Grants · However, recent malware studies have stated that mobile antivirus tools are likely to catch less than 20% of these attacks. Further, many

1

Instructions: Complete this form in its entirety and email it to Jenna Sadue (2210 Eastman Hall, [email protected], 475-2078) no later than February 27, 2013. Please note to save and rename this document substituting your name (in place of “NAME”) in the file name.

To find out more about flipped classroom projects already ongoing at RIT, please contact Marybeth Koon, [email protected], before submitting your application. Name: Rick Mislan and Tae Oh Email: [email protected] Phone: 5-2481 Department/College: Dept. of Computing Security (Rick Mislan) and Dept. of Information Sciences and

Technologies (Tae Oh) Department head name and e-mail: [email protected] Faculty rank: (full-time lecturer, tenured, and tenure-track faculty only): Lecturer (Rick Mislan), Tenure

Track (Tae Oh) Proposed project name: MoSeVERE - Mobile Security and Vulnerability Exploitation Research and

Education Total funds requested: (Focus grants of $1,000-$5,000 will be considered): $5,000 Include these statements under the appropriate heading beginning on page 4. Statement of utility: (two pages maximum) 1. Provide an overview of the project you are proposing, including:

• Project objectives • An explanation of the teaching/learning problem(s) it is designed to address • An explanation of the significance of the project to student outcomes and/or the student

experience. 2. Provide a brief description of how the project integrates with activity already underway at RIT in the

priority area and/or how this approach has been successfully used at RIT already. Statement of creativity: (three paragraphs maximum) Provide a brief description of how this is a novel approach, or a new application of an existing mode or model of teaching and learning, or represents an entirely new paradigm. (Please note that special consideration will be given to proposals that demonstrate a new use/application of a model, system, or technology already in use at RIT.)

Provost’s Learning Innovation Grants

FOCUS GRANT APPLICATION FORM 2013: FLIPPED CLASSROOM

2

Statement of efficacy: (two pages maximum) Provide a brief description of the experiment/research design, methodology, and methods of data collection you will use to gauge efficacy.

3

Budget: Provide information on how the funds will be used, modifying the following categories as needed to match your project. (Please note that the budget total must match the “Total funds requested” amount on page one of the application.)

Budget item Amount requested

Amount committed from other sources Brief statement of explanation/justification

Personnel (including course release, consulting support, etc.)

$2000

Summer support to develop course materials such as lecture slides, lab instructions, tests and syllabus Rick Mislan $1000 Tom Oh $1000

Equipment $1500 Purchase Mobile Devices

Licenses (i.e., software)

Travel

Reearch Assistant $1500 Help develop Lab materials including lab instructions and setup

Other Resources (specify)

Other Resources (specify)

Total $5000 $ Proposed timeline: Provide a high-level timeline for your investigation (see the Dissemination Agreement section of this application for more details)

Task Date

Preliminary findings complete June 21, 2013

Summary of final findings complete 1st week of spring semester 2014.

Final budget accounting complete Jan. 15, 2014

Course, activity, or tool (re)design complete (design and development support may be provided by the ILI Teaching & Learning Studio) Jan. 5, 2014

Faculty Teaching & Learning Commons entry complete (development facilitated by the ILI Teaching & Learning Studio) Jan. 31, 2014

Participation in faculty panel event complete (event to be planned and facilitated by the ILI Teaching & Learning Studio) May 20, 2014

Please note that the timeframe for milestone completion must align with the PLIG timeline.

Provost’s Learning Innovation Grants

FOCUS GRANT APPLICATION FORM 2013: FLIPPED CLASSROOM

4

Dissemination agreement: By completing this grant application, I agree to provide the materials described here, in support of disseminating what is learned from this project to other faculty at RIT.

I also agree to return all/a portion of the funds that I receive for this project to RIT if I fail to complete or provide the materials described here.

• Project plan (including roles and responsibilities, milestone dates, and pertinent project details) • Overview of preliminary findings (may include experiment/study design, lessons learned, initial

data collection, and/or literature review summary) • Final project summary (including data collection, lessons learned, implications for further study,

and which may be in the form of an article abstract, conference presentation outline, or short report)

• Course, activity, or tool (re)design (Materials that will allow other faculty to adopt the mode of model of teaching and learning effectively and efficiently. Design and development to be supported by the ILI Teaching & Learning Studio

• Faculty Teaching & Learning Commons entry (excerpts from research findings summary, the development of which is facilitated by the ILI Teaching & Learning Studio)

• Participation in faculty panel event (presentation of a brief summary of project and lessons learned and response to faculty questions. Event is planned and facilitated by the ILI Teaching & Learning Studio)

• Final budget accounting (reconciliation of budget provided with your application and the actual project expenses)

By submitting this application through my RIT email account, I accept this agreement.

Provost’s Learning Innovation Grants

FOCUS GRANT APPLICATION FORM 2013: FLIPPED CLASSROOM

5

Statement of utility: Overview

As mobile devices have become essential to the daily social fabric of our lives they have also become a popular platform to exploit. The security of mobile devices is a growing necessity, yet many in our population are woefully inexperienced in providing proper security measures. In an effort to address this need, this proposal is the development of a unique classroom model based on the flipped classroom that provides a repository website of integrated course resources and virtualized laboratories for the education of “Mobile Security and Vulnerability Exploitation.” Given the specific needs of this type of mobile security modeling, it is imperative that our students participate in a secured laboratory setting. To meet this specific necessity, we propose the development of a website repository and the inclusion of video lectures, presentations, and virtualized laboratory exercises specific to two new courses, “Mobile Security” and “Mobile Vulnerability Exploitation.” Needs Statement

Mobile devices have become an integral part of the daily social fabric of our lives and have also become a popular platform to attack. The past year has seen an over 2000% increase in unique malware variant attacks. However, recent malware studies have stated that mobile antivirus tools are likely to catch less than 20% of these attacks. Further, many devices do not have any mobile malware prevention tools installed. With always-connected capabilities, mobile devices have become the ultimate access point to a person’s most private and personal information. Once a device has been maliciously compromised, personal data is accessible both locally (on the device) and over the network (in “the cloud”). To top things off, blurring the line between personal and professional is the critical issue of Bring Your Own Device (BYOD), which impacts both industry and government sectors.

As the use of mobile devices continues to rise in our personal and professional worlds, there is a growing need to educate future professionals in the topics of mobile security and vulnerability exploitation. Currently in the United States, there are more wireless mobile devices than there are people (331.6M/311.5 at 106%). As the ultimate human computer interface, the mobile device allows almost anyone to do almost anything, anywhere. The mobile device transcends space and time through its multitude of communication, transaction, and entertainment tools.

As important as these devices have become, security of mobile data and mobile devices is an element that is still overlooked. There is a strong sense of urgency to build awareness and protection, and to prevent such mobile device threats. Currently, no academic institution focuses on the insecurity of these personal mobile devices as a threat to private and personal information. Though some programs may add the topic as a week of content into a single cyber security course, this approach is functionally inadequate to address the volume of issues facing the mobile environment. This provides an excellent opportunity to develop a novel curriculum and establish a comprehensive, best in class mobile security and vulnerability exploitation online resource center. Project Objectives:

As published in numerous articles and journals, the flipped classroom promotes a stronger student/teacher relationship and creates a collaborative learning environment in the classroom. By shifting the preparation of the student to an online component, the in-class laboratory exercises will be much more meaningful and provide time for collaboration and curiosity. The focus of this effort will be placed on the development of two opposing courses, Mobile Security (Defend) and Mobile Vulnerability Exploitation (Attack), and their related online components.

To increase student knowledge of mobile security and vulnerability exploitation, the following objectives are proposed: Objective 1: Development of lectures In developing the lectures specific to the subject area, each video will be 5-7 minutes in length. Major topics will be broken into smaller “digestable” topics. These will be built for preparing the student for the laboratory exercises to be held during class. Objective 2: Development of website as a repository of integrated course resources To support the development of the flipped classroom, an online repository of integrated course resources and virtualized laboratories will be built. This website will categorize the information related to each weekly topic. Each week will have resources categorized as: “Laboratories,” “Presentations,” “Research,” “Videos,” and “Assessments.” These will be used both in class and out of class. Objective 3: Development of virtualized laboratories The unique situation of mobile security and vulnerability exploitation is that most laboratory exercises must be performed off of

6

any mobile carrier network. To that end, the laboratory exercises must either be virtualized in an online simulation or carried out through a privately establish low-power network. The former option is much less expensive and much more controllable. For that reason alone, it is necessary to establish virtualized laboratory exercises. Objective 4: Development of assessment tools In an effort to continually improve the process of flipped classroom learning, students will be assessed through a variety of pre- and post- type of assessments. Online resources will survey students’ knowledge before viewing video lectures or presentations. These same online resources will survey students’ gained knowledge after viewing the presentation. Short answer questions related to the content as well as multiple choice and true-false type assessment tools will be employed to validate strengths and weaknesses of the provided lectures and/or presentations. To finalize the project, all curricula, lab information, key findings, and pilot results will be transparently shared through presentation, reports, and the specific curriculum website. Through the deployment of this project, students will obtain critical skills and knowledge directly related to security and vulnerability exploitation in a mobile environment. In the most basic terms, this project will increase the number of students capable and qualified to teach others about mobile security through curriculum, academic sharing of materials, and collaborative research opportunities. By extension, this will also increase student learning in this critical area, increasing the pipeline to the workforce of qualified graduates to support and secure our mobile cyber infrastructure. Significance of the Project to Student Outcomes and Experience

Almost every student has a mobile phone; however, many of these students have no foundational understanding of mobile security aspects. Using the flipped classroom model, this proposal will provide virtualized laboratory exercise that will provide a hand-on approach through the use of mobile device emulator tools. As RIT has strong career-motivated students, it is our responsibility to offer bleeding edge laboratory experiences. The virtualized hand-on experiences from laboratory exercises will promote student curiosity, interest and knowledge.

Funding this work will benefit students by providing availability to state-of-the-art virtualized laboratory exercises and resource materials, thus providing them an increased level of knowledge in this area of critical need. Students will benefit through their development of knowledge and expertise in this area, as well as the associated research opportunities that come with such expertise.

The impact to the student of not receiving this support is at the very least a significant missed opportunity. The world of mobile computing continues to grow, and the vulnerabilities associated with such devices as well. Early consideration of how to fill the employment pipeline with qualified candidates to address such issues should be high on our list of priorities. Without this funding, such a program is much less likely to be developed in such a timely fashion. We currently have a critical mass at RIT with the motivation and capability to efficiently develop this idea into an innovative curriculum and add to our already excellent program.

• Provide a brief description of how the project integrates with activity already underway at RIT in the priority area

and/or how this approach has been successfully used at RIT already. Recently, the faculty of the Golisano College of Computing and Information Sciences formed a new department called Computing Security. The department offers BS and MS degree programs in Information Security and Forensics. These programs are designed to produce graduates who will be experts in the identification of computer security vulnerabilities and the detection of computer security exploits. During the Winter Quarter, this new department has been exploring Mobile Security and Vulnerability Exploitation as a focused area of research and education. This project will enhance mobile device security experience for students as well as motivate out-of-box thinking for students. GCCIS in RIT promote learning by doing concepts and the mobile device security and vulnerability exploitation courses meet the RIT’s requirements. In addition, the proposed project could lead to creating additional innovative courses while providing challenging but enjoyable learning environment. Also, the author expects to continue to develop mobile device project to encourage and inspire students to get involve in research in mobile device security and vulnerability exploitation. As no man is an island, other successful RIT community members will be contacted; especially those who have successfully implemented the model of a flipped classroom. One example is that of Rob Garrick of CAST who has taken his time to create short videos of his lectures, reviewing the specific concepts that would prepare his students for the focused classroom experience of problem solving and application of concepts. In addition to Rob, we would also reach out to other faculty who act as “guides on the side” in their classrooms.

7

Statement of creativity: (three paragraphs maximum)

The objectives of the proposed curriculum and course materials are focused on developing students who understand the current trends and issues of mobile device security and vulnerability exploitation. To provide the foundational knowledge of these trends and issues, instructors will utilize current online resources (mobile device security vendor’s white papers, videos, and journal research) for students to read/watch before attending class. Instructors will also develop their own lectures to describe the specific principles and concepts necessary to understand before each class session. The use of these out of class resources, prepares the students for in-class discussions, problem-solving, and laboratory exercises. For example, a video could consist of various demos from mobile security related conventions such as Defense Readiness Condition (DEFCON) or Shmoo Conference (ShmooCon). Since students prepare by reading and watching prepared resources at their leisure, they already have a general idea of the concepts and content of the class session and can maximize their time with the instructor, the expert in the room. Implementing the flipped classroom model provides for less time spent lecturing and more time interacting with students.

Throughout the course, laboratory exercises will be used to encourage “out of the box” thinking; to instill curiosity, resolve issues, and find solutions. These exercises might include the use of virtualized mobile device emulators and the actual physical devices in both group and individual settings. With the flipped classroom model, the main design goal for each laboratory exercise will be for students to explore, modify, design, implement or test existing mobile security components or exploits and perform analysis of different types of mobile malware. This variety helps to broaden student experience, keep student interest high, address different learning styles, and to ensure continued interest in the field. Additionally, the curriculum from the project will be unique and the first of its kind in the nation.

Finally, the project website will become a complete compendium for everything related to this effort. Providing access to laboratory exercises, lectures, and papers, the website will provide the students with enough resources to surround themselves with enough foundational knowledge that they will feel prepared for the in class discussion and exercises. It is quite possible that much of the students work will also become resources for future students in these courses.

Provost’s Learning Innovation Grants

FOCUS GRANT APPLICATION FORM 2013: FLIPPED CLASSROOM

8

Statement of efficacy: (two pages maximum) Provide a brief description of the experiment/research design, methodology, and methods of data collection you will use to gauge efficacy.

Experiment/research design Creating and developing mobile device security and vulnerability exploitation courses are certainly

exciting for students and instructors since the mobile devices have such a huge impact in their daily lives. To date, the implementation of the flipped classroom model with lab materials has not been applied to any cyber security courses . To aid in this effort, various mobile device experts, security education instructors, and security students will collaborate to create and build a set of effective and interesting security courses. When the mobile device security and vulnerability exploitation courses are offered during the Fall semester (2014), feedback mechanisms will be implemented to improve and update the courses and flipped model curriculum as the instructors teach the courses. This semi-real time improvement can offer fine-tuning capabilities to adjust and fit the students who are taking the courses. This is very important since the types of students who are enrolled in the Computing Security program varies from no experience in the security field to several co-op experience from various security companies. To implement a feedback mechanism, three steps are proposed:

1. Create and develop the mobile device security and vulnerability exploitation courses.This includes

the implementation of the flipped classroom model with a combination of labs and problem solving exercises.

2 . Get online feedback from course students every two weeks. The feedback consists of

effectiveness and comprehension of course materials, lab exercises and problem solving exercises as well as the students' continued interest levels.

3. Adjust the course content according to the feedback. The content of the course materials may not

be directly changed but the approaches of delivering the contents to students will be adjusted as necessary. The adjustments can be done by increasing or decreasing the activities of the flipped model curriculum, lectures, and/or laboratory materials. Methodology

To create a standard expectation for the course curriculum, the objectives for each course will be aligned to the stated outcomes used for accreditation by ABET/Middle States. Once these objectives are defined, weekly course materials for two course topics will be built: 1) Introduction to Mobile Security and 2) Mobile Vulnerability Exploitation. Through these courses, students will learn about mobile device history, mobile communications technologies, mobile operating systems, current threats, mobile malware, vulnerabilities, and exploits, security management models, security policies for mobile, and code and application analysis tools and techniques. For many of these topics, flipped classroom model and hands-on lab modules will be created to reinforce the classroom learning. Through the use of a flipped classroom curriculum and various collaboration opportunities, this effort will enhance and strengthen the capabilities of RIT students and faculty. Ongoing research and development activities of mobile device security and vulnerability exploitation will be created and developed to encourage participation of other faculty and students as well as other Universities.

Provost’s Learning Innovation Grants

FOCUS GRANT APPLICATION FORM 2013: FLIPPED CLASSROOM

9

Methods of Data Collection The evaluation of this project will be conducted through a variety of formative and summative tools. The

process evaluation tools that will be used to determine the effectiveness of the flipped classroom model and its correlated laboratory exercises include:

DoNows

Before class starts, each student will take short quizzes from the previous-to-classroom viewed materials. The results of the quiz will indicate the comprehension level of the students. If the score is low, the instructor will determine reasons for the low grade and update the course materials to adjust the course delivery methods.

Quizzes

Before and after each instructor prepared video lecture related to course concepts, each student will take a short online survey to assess pre- and post- knowledge and comprehension. Short answer questions related to the content as well as multiple choice and true-false type assessment tools will be employed to validate strengths and weaknesses of the provided lectures and/or presentations. If the average scores are too low or too high, the instructor will determine reasons for the low or high scores and update the course materials to improve the course delivery methods.

Laboratory Exercises

The laboratory exercises will apply the concepts from lectures and video demonstrations and the grade from laboratory report will indicate the students’ comprehension, understanding and learning level.

In-class Evaluation

The third measure will from the student feedback about this project. The instructor will be very interested in their interest level and learning effect. Collecting student’s ideas and suggestions will improve the projects. The progress will be closely monitored through classroom discussion as well as online discussion boards from the course website.

Conference Submission

The students and each instructor will submit articles about teaching mobile device security using flipped classroom setting to several conferences. The articles will include development of the flipped classroom curriculum and laboratory exercises and materials as well as feedback from students and colleagues.

Peer Review

The last measure of evaluation will be from other RIT faculty and other university faculty. Faculty members from Penn State University, Purdue University and Regent University are very interested in synonymous course work and the authors will include them in the development feedback cycle. If funded, the project materials including all feedback will be disseminated through the course website, paper publication, and conference presentations.

At the end of the Fall semester (2014), these courses will be evaluated and restructured as necessary. In an effort to share our successes (and possible failures), information about the course curriculum, laboratory exercises, and classroom activities will be posted on the course website for sharing with other faculty and members of the computing security world.