Dr. Babak Shoraka

Lead author, zyBooks Introduction to Security with CompTIA™ Security+
MSc Software and Systems Security – University of Oxford / M.S. Computer Science – University of Florida / Ph.D. Information Systems – Nova Southeastern University

In a dozen-plus years of teaching IT Security I’ve relied on these best practices to keep my students engaged, excited and, most importantly, retaining what they’re learning. These practices have been invaluable to me. I hope you find them useful, too.

1. Emphasize foundational principles

Although the security threat landscape is continuously changing, the foundational principles of information security remain the same. The goal of information security is to preserve the “CIA triad,” that is, the three properties of information:

  • Confidentiality
  • Integrity
  • Availability

Nearly every topic in a security course relates to the CIA triad, and you should present course topics in the context of each security principle. 

CIA triad examples

For teaching encryption concepts, emphasize the role of encryption in preserving the confidentiality principle (and point out that encryption alone does not guarantee integrity). Similarly, access control lists restrict who may read information, preserving confidentiality, and who may modify it, preserving integrity, while load balancers are designed to preserve the availability principle.
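As an added classroom demonstration (this code is not from the article or from zyBooks), the following Python script shows the confidentiality/integrity distinction concretely: a stream-style cipher hides the message, yet an attacker who never learns the key can still flip a chosen bit of the ciphertext and change "$100" to "$900" undetected; adding an HMAC tag (encrypt-then-MAC) is the separate control that preserves integrity. The keystream is a toy built from HMAC-SHA256 so the example runs on the standard library alone; in a real course the same point is made with AES-GCM or ChaCha20-Poly1305.

```python
"""Added teaching example: encryption preserves confidentiality, not integrity.
The message, keys and bit-flip below are constructed for the demonstration."""
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream using HMAC-SHA256 as a PRF.
    Assumption: stands in for a real stream cipher (AES-CTR, ChaCha20)."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Confidentiality only: returns nonce || (plaintext XOR keystream)."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = keystream(key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))


def flip_bits(blob: bytes, offset: int, mask: int) -> bytes:
    """What a man-in-the-middle can do without the key: XOR a mask into one
    ciphertext byte. The same mask lands on the corresponding plaintext byte."""
    body = bytearray(blob)
    body[NONCE_LEN + offset] ^= mask
    return bytes(body)


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Confidentiality + integrity: encrypt-then-MAC over nonce and ciphertext."""
    blob = encrypt(enc_key, plaintext)
    return blob + hmac.new(mac_key, blob, hashlib.sha256).digest()


def open_sealed(enc_key: bytes, mac_key: bytes, sealed: bytes):
    """Verify the tag in constant time before decrypting; None means tampered."""
    blob, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    expected = hmac.new(mac_key, blob, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return decrypt(enc_key, blob)


def demo() -> dict:
    enc_key, mac_key = secrets.token_bytes(32), secrets.token_bytes(32)
    msg = b"PAY $100 TO ALICE"
    # '1' is 0x31 and '9' is 0x39, so flipping bit 3 of the byte at offset 5
    # turns "$100" into "$900" without the attacker ever seeing the plaintext.
    tampered_plain = decrypt(enc_key, flip_bits(encrypt(enc_key, msg), 5, 0x08))
    sealed = seal(enc_key, mac_key, msg)
    return {
        "roundtrip": decrypt(enc_key, encrypt(enc_key, msg)),
        "tampered_plain": tampered_plain,            # b"PAY $900 TO ALICE"
        "sealed_ok": open_sealed(enc_key, mac_key, sealed),
        "sealed_tampered": open_sealed(enc_key, mac_key, flip_bits(sealed, 5, 0x08)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Running the script shows the plain cipher silently yielding the altered amount, while the sealed version returns None for the same bit flip. This is a useful way to lead students from "encryption = confidentiality" to why integrity needs its own control (a MAC or an authenticated-encryption mode).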

2. Connect theory with practice

IT is a practice-based discipline. I always keep this front-of-mind when I’m teaching.

Students come to IT security courses with diverse backgrounds and varying knowledge levels. Theory is boring to most students, and focusing only on technical information can discourage students without a deep IT background. 

Use real-world examples 

IT security is about the real world, and it’s critical that you leverage real-world events and issues to teach security concepts.

For example, at the start of each lecture, you can present a recent security breach, and then guide a class discussion on how the breach could have been prevented by applying one of the security controls covered in the course.

3. Assign hands-on lab exercises

Your students need to gain hands-on experience with the systems and tools they’ll be using in their future careers. That’s where IT labs come in, to help them master key course concepts through hands-on training.

Live virtual machines, like those used by zyBooks, are the gold standard in IT education, exposing students to the complex challenges of real systems. Use VM-based lab assignments so students can apply the theoretical concepts taught in class to real operating systems, applications and tools.

Hands-on labs are also a critical form of active learning, engaging students in the learning process while at the same time preparing them for the real world.

4. Develop a learning community

In the real world, of course, IT security professionals collaborate closely to deploy, maintain and troubleshoot security systems. So it makes sense for your students to practice working together in group assignments to learn more effectively.

Assign group projects that develop your students’ collaboration skills by enabling them to contribute to a more involved assignment that demands engagement, as well as compromise and decision-making skills. Use classroom and online discussion forums and group projects to promote active student participation and peer-to-peer interaction. 

Remember the individual student, too. Individual contributions to group projects should be taken into account when assigning grades to reward group members who took on more responsibility in the project.

5. Implement a flipped classroom model

I’m a huge proponent of the flipped classroom model to study IT security. With flipped learning, you assign the reading prior to class and focus on more active learning during your lesson.

Use class time to engage students in class discussions, group work and practice, instead of just lecturing to convey content. With the flipped model, you’ll be helping your students develop independent learning skills and build a deeper understanding of the course material.

Assign reading ahead of your lesson 

For example, assign a reading on vulnerability assessment prior to class and use lecture time to demonstrate the use of a vulnerability scanner to assess a computer, network, or application for weaknesses.

6. Avoid the “expert blind spot”

IT instructors with deep expertise in security topics sometimes underestimate the difficulties students experience when engaging with the material for the first time. That’s the expert blind spot. 

IT students are often career changers with limited or no background in technical fields. So they may need more time and substantial cognitive energy to understand the security concepts you’re teaching. It’s important to be sensitive to this.

Low-stakes quizzes

One way to find out whether students are keeping up with the course concepts is to introduce low-stakes quizzes. Based on the quiz results, you can plan to spend some lecture time reviewing material students are struggling to understand.

Final thought: My colleagues on the zyBooks content team are all veteran professors, so if you have your own best practices for teaching IT security, we’d love to know! Please drop us an email. We’ll share them with the community. Thank you.