This Innovative Practice full paper describes a technical innovation for scalable teaching of cybersecurity hands-on classes using interactive learning environments.

We present our research effort and practical experience in designing and using learning environments that scale up hands-on cybersecurity classes.

The environments support virtual networks with full-fledged operating systems and devices that emulate real-world systems. The classes are organized as simultaneous training sessions with cybersecurity assignments and learners' assessment. 

The environment can be repeatedly created for different classes on a massive scale or for each student on-demand.

Moreover, our approach enables learning analytics and educational data mining of learners' interactions with the environment.

These analyses inform the instructor about the student's progress during the class and enable the learner to reflect on a finished training. Thanks to this, we can improve the student class experience and motivation for further learning.

The learners value the realistic nature of the environments that enable exercising theoretical concepts and tools. The instructors value time-efficiency when preparing and deploying the hands-on activities.

Engineering and computing educators can freely use our software, which we have released under an open-source license.

We also provide detailed documentation and exemplary hands-on training to help other educators adopt our teaching innovations and enable sharing of reusable components within the community.

You can also check our video that summarizes the key messages of the paper.

The physical and cyber worlds are increasingly intertwined and exposed to cyber attacks. The KYPO cyber range provides complex cyber systems and networks in a virtualized, fully controlled and monitored environment.

Time-efficient and cost-effective deployment is feasible using cloud resources instead of dedicated hardware infrastructure.

This paper describes the design decisions made during its development.

We prepared a set of use cases to evaluate the proposed design decisions and to demonstrate the key features of the KYPO cyber range. It was especially cyber training sessions and exercises with hundreds of participants who provided invaluable feedback for KYPO platform development.

This paper presents the experience gained from the preparation and execution of cyber defence exercises involving various participants in a cyber range.

The exercises follow a Red vs Blue team format. The Red team conducts malicious activities against emulated networks and systems that have to be defended by Blue teams of learners. Although this exercise format is popular and used worldwide by numerous organizers in practice, it has been sparsely researched.

We contribute to the topic by describing the general exercise life cycle, covering the exercise's development, dry run, execution, evaluation, and repetition.

Each phase brings several challenges that exercise organizers have to deal with. We present lessons learned that could help organizers to prepare, run and repeat successful events systematically, with lower effort and costs, and avoid a trial-and-error approach that is often used.

Cybersecurity research relies on relevant datasets providing researchers with a snapshot of network traffic generated by current users and modern applications and services.

The lack of datasets coming from a realistic network environment leads to the inefficiency of newly designed methods that are not useful in practice.

This data article provides network traffic flows and event logs (Linux and Windows) from a two-day cyber defence exercise involving attackers, defenders, and fictitious users operating in a virtual exercise network.

The data are stored as structured JSON, including data schemes and data dictionaries, ready for direct processing. The network topology of the exercise network in NetJSON format is also provided.

Hands-on training is an effective way to practice theoretical cybersecurity concepts and increase participants’ skills.

This paper discusses the application of visual analytics principles to the design, execution, and evaluation of training sessions.

We propose a conceptual model employing visual analytics that supports the sensemaking activities of users involved in various phases of the training life cycle.

The model emerged from our long-term experience in designing and organizing diverse hands-on cybersecurity training sessions. It provides a classification of visualizations and can be used as a framework for developing novel visualization tools supporting phases of the training life-cycle.

We demonstrate the model application on examples covering two types of cybersecurity training programs.