Teaching IT Security – zyBooks case study

Avatar photo Scott Crews

Hi! My name is Scott Crews and I teach cybersecurity at Samford University in Birmingham, AL. This past year I had the privilege of teaching our university’s first cybersecurity class to 31 excited students (who had no idea how much of a beta test they just signed up for). It was a great experience, and I’d like to share a few notes I took that might be helpful if you are considering teaching a class like this.

First, some details—this was a 100% in-person class, meeting 3 days a week for 65 minutes per class period. It was a 200-level class in our university catalog. Students ranged from second-year to graduating seniors. We already use zyBooks in many of our computer science classes, so choosing the new zyBooks “Introduction to Security with CompTIA Security+ and Labs” book was a natural choice for our course curriculum.

Here’s the TL; DR – The class was a big success, students earned industry-standard certifications, and zyBooks was an essential part of the process.

Here are three things that I did that (I believe) were key ingredients for our success.

1. Consistent structure

I put a consistent structure in the class meetings – Each week had a topic. I flipped the classroom, which meant that students completed the zyBook content over the 5 days leading up to Monday.

a. On Monday, we would do lectures. I would recap the zyBook assignments, trying to use the time to help the students prioritize and understand the topics are crucial, foundational concepts. Unrelated to the zyBook lecture, I also had 2-3 students give a brief presentation each week on a high-profile breach that they were assigned to research at the beginning of the semester. I made zyBooks activities 10% of the overall grade in the class and the student presentation was 5%.

b. On Wednesday, we would do labs. I always use zyBooks labs as in-class exercises. Pro tip: Week 1, use the “Malware” lab where you create a virus and “steal” a file full of fake credit card data off the victim machine. Students pointed to that lab as a significant “aha!” moment in the class. I made labs 30% of the overall grade in the class.

c. On Friday, we would do quizzes. I purposely made quizzes low-stakes by making them open-book, open-notes quizzes that students could take 3 times, and I would keep the highest score. I loaded the questions supplied by zyBooks into our LMS (Canvas) and configured each quiz to contain 20 questions, chosen at random from the question bank. I would remind students throughout the semester that this quiz taking exercise was critical mental preparation for professional certification exams. The low stakes quizzes averaged out to be 20% of the overall grade in the class.

d. I did give a midterm and a final in the class as well. The midterm and final were each worth 12.5%, totaling to 25% of the overall grade in the class. More about that below.

e. The remaining 10% of the class was a participation score that I assigned at my discretion.

2. Set the bar high

I set the bar high, and I communicated it often. I told the students repeatedly: The knowledge to get an A in this class should generally equal the knowledge for a passing score on the Security+ certification exam. The midterm was an especially crucial part of this process. It was the first closed book assessment I had given all semester. I used one of the practice tests supplied by zyBooks, where I removed the questions from chapters that we had not yet covered as a class. Most student scores on the midterm were between 50%-80%. Students were initially rattled by their low midterm scores, but I think it created a helpful moment to remind students that professional certifications like the Security+ do not have letter grades, and passing scores are very different from traditional higher education.

3. Challenge students

I challenged the students, and they responded well. With 2 weeks remaining in the semester, all my students had a grade average of 80 or higher, so I decided to issue a challenge:

If a student could pass the CompTIA Security+ or the ISC (2) CC exam before the scheduled date/time of our final, he/she could skip my final and I would curve his/her final grade to an “A” in my class.

I don’t believe our students had ever received an offer like this, but it resonated with them. Of the 17 students who had a 90 or better grade average in the class, 11 of them passed either the Sec+ or CC certification exam. Of the 14 students who had a grade average between 80 and 90, two of them passed either the Sec+ or the CC exam. Overall, students were very receptive to the challenge. I was especially impressed by the way that students worked together to study and even carpool to testing centers so that they could encourage each other before and after the exams.

Final thoughts

We ended the semester on a very, very positive note. In 5 months, we transformed from a university campus that never had a moment of cybersecurity instruction into a campus with over a dozen certified future cybersecurity professionals in our student body. Also, our students gained valuable first-hand experience in the world of professional certifications that will likely play a role in their future careers in technology.

It was an incredibly exciting semester for us, and I am convinced that it would not have been possible without the high-quality content and labs created by zyBooks! Thanks zyBooks!

If you have your own best practices for teaching IT security, we’d love to know! Please email us at officehours@zybooks.com.

Avatar photo
Author Bio

Scott Crews

Scott Crews returned to Samford after graduating in 2005 with a BS in Computer Science. Since graduation, Scott has led teams with information security, audit and technology for non-profit, public accounting and retail companies around the southeast. Scott recently earned an MS in Cybersecurity from Georgia Tech while leading a global information security team for Lowe's Home Improvement.