picoCTF: How gamified cybersecurity piques curiosity in STEM
The Transformational Tech series highlights Cisco’s nonprofit grant recipients that use technology to help transform the lives of individuals and communities.
Around the world, the need for information security skilled workers is growing. In the U.S. the Bureau of Labor Statistics anticipates a 35 percent increase of IT skilled employment by 2031. This area of expertise is growing faster than the average of all occupations. In the European Union, Parliament is working to build cybersecurity capabilities across the Union to mitigate threats and ensure the continuity of services. In these contexts, students who are studying computer science and cybersecurity will play pivotal roles in society. As such, it’s critical to encourage the next generation of information security experts and ethical hackers.
To bring down the barriers to access computer science and cybersecurity education to students, particularly by girls and women, intervention is needed at earlier grade levels and supported by trained teachers in school classrooms.
Since 2011, picoCTF has steadily broken down the barriers to access cybersecurity education to become one of the most trusted, high-quality, free resources for computer security education for learners and teachers across the globe. Originally intended as a uniquely offensive capture the flag style online competition, picoCTF made an impression right from the start. And with some well-timed grant support from Cisco starting in 2019, they have expanded to year-round, easy and accessible access to their program for anyone with a computer and Wi-Fi.
Making space and bypassing barriers
Prior to programs like picoCTF, the only way young people could interact with computer materials were through established high school computer security competitions.
Created by Carnegie Mellon University’s (CMU) Cylab Security and Privacy Institute (Cylab), picoCTF initially focused its efforts on generating interest in computer science among highschoolers. Its name is filled with meaning; with ‘pico’ being a unit that represents one trillionth in the metric scale, and ‘CTF’ short for capture the flag. During their annual fall competition, picoCTF contestants would explore valuable life and career skills through a free online, ethical hacking-based game with a capture the flag framework. Within this game, players are challenged to test their creativity, technical skills, and problem-solving ability. Challenges cover a number of categories. And when solved, the winner gains a string (called a flag) that is then submitted for online scoring.
Because picoCTF platform access is free, significantly more students could access and engage with the program. For instance, results from picoCTF’s 2019 competition reported that 64 percent of players said they were “more interested in pursuing cybersecurity as a career as a result of playing [the game].” And with this positive feedback, the people behind picoCTF knew they had what it takes to engage students.
A place to stretch and workout
In 2019, Cylab’s leaders, like Special Projects Manager, Megan Kearns, determined that the program needed further engagement with teachers and classrooms throughout the world but didn’t have the money or the resources to reach that goal. The team proposed a concept for Cisco investment in picoCTF to build teacher centric and classroom changes into their platform.
In addition to teacher and classroom improvements, picoCTF as a team focused on offering more structured learning materials for middle and lower secondary students and high school students. Within a year, picoCTF launched picoGYM, an always-open learning playground where learners can access all previous years’ picoCTF challenges, along with treasure hunts, quizzes, and more.
With the launch of picoGYM came a fully-accessible, year-round learning platform—rather than a three month competition-focused website. “picoCTF began as just a competition to introduce students.” Megan said that picoCTF “has now evolved into this year-round program for people to apply what they’re learning in their classes and test out concepts they faced in the workplace but never got to address themselves.”
picoGYM launched in September 2020. By December, Cylab had measured over 65,000 visitors to the account-based site.
Encouraging girls to pursue cybersecurity
With an offering accessible to teachers in classrooms, Cisco’s second investment centered on increasing female participation in cybersecurity education. “Part of our initiative [with Cisco] includes female testers in our outreach,” explained Dr. Hanan Hibshi, faculty advisor at CMU and research investigator for picoCTF. “So when we invite people to test our challenges, we pay special attention to female responses.”
Dr. Hibshi clarified that by paying attention to female feedback, particularly with details related to the game’s organization and interface—they’ve found success. This success is measured by the increase in female users over time, which is proof of focused engagement. In 2021, the website measured only 1900 learners who identified as female. And in 2022, that number leaped to over 10,000 girls and young women who accessed the picoCTF website. Megan recounted that the “picoCTF development team has seen an increase in female challenge writers, which have made an impact on the increase in female players.” She believes it is connected to their outreach efforts because female CMU students and experienced CTF players go to conferences and classrooms to talk to students about picoCTF and how to engage in CTF competitions.
With picoCTF’s more comprehensive and complementary learning structure, new platform, and year-round access to picoGYM, learners of all skill levels can access cybersecurity content, think creatively, problem solve challenges, and have fun while learning cybersecurity concepts. At Cisco we are curious and delighted to see more female students enrolling and getting excited about cybersecurity.
“The grants from Cisco have made a significant positive impact. It has allowed us the funding to focus on areas of improvements in the platform, facilitate user studies, go to conferences, and expand our understanding of what CTFs are, what they are capable of doing in the education space.” Megan clarified, “this is an area where diversity has the potential to make a huge difference in how we move forward in cybersecurity. Diversity is so important because creativity is so important to cybersecurity.”
The future is bright
Megan Kearns reports that, over the years, people have approached her countless times to tell her they’ve switched careers after they played picoCTF. Her favorite story like this involves a high school teacher who mentored his students through their picoCTF competition, which then led to ten years of his dedicated work as team coach in many other computer security competitions. One Twitter user, @Dawnlight246810 told Megan, “When I got into cybersecurity, picoCTF was my first-ever CTF I played. I learned so much from playing pico that I fell in love with security, got involved with infosec communities, and decided to pursue a career in security.”
“Of course our immediate goal is to increase the cybersecurity workforce.” Dr. Hanan added, “but my long-term vision is that it becomes so everyone knows enough to stay safe online, enough not to be scammed, or to spend time to secure your passwords. Because you cracked systems before, you broke passwords through picoCTF, and you know that this is feasible and hackers can do it. So maybe you should do a better job of protecting yourself.”
Megan hopes for another ten years of success for picoCTF. “Eventually, I would like for us to be redundant because everyone already understands cybersecurity,” she continues, “the way they understand algebra or mathematics.”
Share: