Just Google It! How Students Engage With the Web While Solving Security Education Challenges
Abstract
Vulnerability discovery is an essential security skill that is daunting for beginners to develop, as there is a large body of knowledge to learn. They are often encouraged to search the web for information or “Just Google It!”, but whether this advice is effective is unclear. We conducted semi-structured observational interviews with 37 vulnerability discovery beginners attempting to exploit 51 vulnerable programs. We captured the questions beginners have when trying to identify and exploit vulnerabilities, how they search for answers, and the challenges they face applying the results of their searches. We performed a rigorous qualitative coding of our dataset of 3950 events characterizing our participants’ actions to identify several behaviors and obstacles they faced, along with quantitative measures to determine their most frequent issues. We found beginners struggle to understand how to exploit vulnerabilities, craft their solutions, and even complete common technical tasks. They were often unable to find relevant information online to overcome these struggles, as they lacked the relevant vocabulary to craft effective keyword searches. When they did find relevant web pages, they struggled to properly transfer information from the web to their challenges due to misunderstandings and missing context. Based on our results, we offer suggestions for vulnerability discovery educators and resource creators to produce higher-quality materials to help facilitate beginner learning.
Bio:
James is a 5th-year PhD candidate in the Tufts Security and Privacy (TSP) lab working under Daniel Votipka. His research investigates the intersection of security education and usable tool development. When he’s not toiling away at his research, you can find James making cocktails, skiing, and dominating the rest of TSP lab in their Great British Bake Off bracket.