Assessing the Learning Outcomes of Capture the Flag Challenges for Secure Mobile Application Development
Keywords:
Capture the Flag (CTF) challenges, secure mobile application development, learning outcomes, evaluation methodology, educational frameworks, OWASP, MITRE CWE, NICE
Abstract
Capture the Flag (CTF) challenges are becoming increasingly popular as a learning environment for cybersecurity education. However, the learning outcomes and results of CTF challenges are not always clear. In this paper, a systematic evaluation methodology is developed using popular open taxonomies to determine the learning outcomes of CTF challenges for secure mobile application development. Two CTF challenges, Damn Insecure and Vulnerable App (DIVA) and Extremely Vulnerable Android Labs (EVABS), were evaluated using Open Web Application Security Project (OWASP), MITRE Common Weakness Enumeration (CWE), and National Initiative for Cybersecurity Education (NICE) frameworks. The results show that DIVA and EVABS effectively cover the technical aspects related to mobile cybersecurity and specifically the development of secure mobile applications. The evaluation methodology proposed in this paper can be used by educators to extract learning outcomes from existing or upcoming CTF challenges. Additionally, this paper stresses the importance of educational frameworks in cybersecurity, and how they can be used to optimize learning from CTF challenges.