Excitement was high and adrenaline was pumping as a four-member team of BYU Marriott information systems students worked together to hack into a Furby, pick a lockbox, shoot targets with Nerf guns, dive into piles of (clean) trash, and slide under string “laser beams,” all with the end goal of identifying—and then fixing—vulnerabilities in a wireless computer security system.
This escape-room experience, offered for the first time in Fall 2019, was the culmination of the IS 560: Information Security Management course, a fall semester class taught by associate IS professor Jeff Jenkins. Course objectives include providing a working knowledge of ways to protect data, building familiarity with attack vectors, and learning methods of threat modeling and of attack prevention and detection.
Jenkins was looking for a way to provide his students with an experiential learning opportunity to apply the knowledge learned during the course when Julian Sookhoo, a student who had previously taken the class, suggested an escape room. Jenkins loved the idea, so under Jenkin’s direction, Sookhoo and two other students— Scott Young and Jenkins’s TA Eric Clinger—worked to create the experience.
It’s basically a class about protecting individuals and organizations against cyber attacks.
“Cybersecurity is a hands-on field, especially the concepts taught in Dr. Jenkins’s course,” says Clinger. “The escape room provided a concrete way to combine all of the concepts taught in the course in a fun but educational way. Cybersecurity is all about solving problems and moving from one task to another, exactly like an escape room.”
Jenkins estimates that the three students spent at least ten hours a week for two months working on the project. Ultimately, the escape room experience included six challenges that students had to solve before moving on:
- Identify and conduct a live organizational phishing training simulation. • Assess password security and social engineering.
- Evaluate web application and IoT security, which involved testing an online system for vulnerabilities and hacking into a Furby.
- Gauge physical security and pick locks.
- Identify document security, which involved dumpster diving to find pieces of a shredded document that contained an encrypted code.
- Gain access to a wireless network, scan for vulnerabilities, and evaluate a software security exploit.
The week before the escape room went live, Jenkins and the three student creators spent hours setting up the activity in the old Provo High School. Approximately twenty teams of students from two IS 560 courses went through the escape room over the course of one week. “All of the teams were eventually successful,” Jenkins said, noting that about 70 percent of the teams completed the tasks in the allotted time period.
Jenkins plans to implement the escape room activity into the course permanently, although the Provo High facility likely won’t be available in the future. “We’ll find a way to set it up,” he vows. “It was too effective not to.” In addition, Jenkins and the students are working to make the information available online so that other IS departments looking for similar experiences can use it.
“The escape room was a huge success,” continues Jenkins, who says the activity never would have been possible without the support of BYU Marriott and the Department of Information Systems. “Students were able to integrate things they’d learned throughout the semester in a single setting. In reviews for the course, we received a ton of comments from students who not only loved it but noted how challenging but rewarding the whole experience was.”
Article written by Kellene Ricks Adams