Gaute Wangen, CTO in Diri, also teaches students information security risk management as an associate professor.

Successful use of Diri in cybersecurity education

Associate professor Gaute Wangen, and CTO in Diri, have taught students information security risk management since 2014 at NTNU in Gjøvik. In his course, now called DCSG2005 Risk Management, the students learn the basics of the risk management process, how to conduct a security audit and report the results.

The course consists of two primary deliverables:

  1. Risk assessment of their social media application portfolio where the students are the risk owners. This case is for practising method and tool application.
  2. Conducting a security audit of a real case in the industry. Here we collect cases from industry actors and internally from NTNU and put the students in touch with them to conduct audits. These audits run for about three months and are concluded with a final presentation and an audit report.

Satisfied students

“In previous years, data collection, risk analysis, and treatment planning were conducted using various tools like Word and Excel, which the students stumbled upon. While I have always maintained that any tool is acceptable as long as it meets minimum quality requirements, we recognized the potential benefits of utilizing a purpose-built, modern tool”, says Wangen.

“To explore this idea, we conducted a voluntary trial with the DCSG2005 students in 2022, introducing them to the Diri application for their risk management project. The trial was a success, paving the way for its adoption in this year’s curriculum. As a result, the usage of Diri became mandatory for the first report on social media usage, and voluntary for the second report.”

The implementation of Diri yielded great results this year, and the students expressed their satisfaction with working in a state-of-the-art risk analysis tool. Remarkably, even though the usage of Diri for the second report was voluntary, every single student opted to utilize the application and incorporate its generated content into the final report. This enthusiastic response speaks volumes:

Figure 1 – Students assessing the utility of Diri Q8, and recommendation of Diri for next year’s students Q11. N=27

Figure 1, Question 8 asks how useful it was to use Diri in the course with a Likert going from “no use” blue to “very high utility” purple. Out of 27 responding students, 20 said high and very high utility.

Question 11 asks if the student would recommend using Diri for the next year’s students, with a simple “yes”, “no” and “other” answer. Here there is almost a unanimity vote for yes! Keep reading if you are interested in how we used it.

Use case for DCSG2005

“Firstly, we set up a secure and locally hosted educational instance of Diri on NTNU’s SkyHigh OpenStack cluster separate from our production environment in Azure. The application was only accessible inside of the NTNU network and not visible from the internet (requiring VPN for remote work)”, Wangen explains.

“We quickly onboarded 85 students using the NTNU tenant ID and the “Sign in with Microsoft” option. My skilled teaching assistants (Jo Kristian, Michael, and Simen) worked as administrators for each branch and sorted the students into their respective groups (Figure 2). The security in the organisational tree is top-down and silo-based, meaning that each user cannot see the levels above or beside his organisation.”

Figure 2 – Organisational sorting for DCSG2005 in Diri. The teaching assistants had three groups each. The security works top-down and silo-based.

“What worked great was that the students could create multiple risk assessments juxtaposed in Diri and use the aggregated data for analysis and reporting”, says Wangen. Figure 3 shows how each risk assessment is stored in Diri.

Figure 3 – The group Salus risk assessed TikTok, Instagram, Reddit, and YouTube as their scope.

Each risk assessment is its own object in Diri, and groups worked on the risk assessment of each application separately and some chose to report the risk picture of each application separately in the hand-in. Illustrated with a severe risk picture of TikTok by the group Ernik in Figure 4.

Figure 4 – Summarized risk analysis of TikTok. (Group: Ernik)

Furthermore, using the data aggregation in the dashboard, the groups could evaluate their current risk picture from all the applications in their portfolio, and add risk-reducing treatments to the unacceptable risks, as illustrated in picture 5.

Figure 5 – The aggregated risk picture before and after treatments for all the applications. (Group: Assets & System Security)

“In summary, using Diri for this purpose worked great and we remain committed to providing our students with the best resources and tools to excel in their studies. The successful integration of Diri into our risk management curriculum sets a benchmark for future endeavours, ensuring that our students receive a comprehensive and cutting-edge education”, says Wangen.

“But we also see the need for strengthening the report-generating part of the tool. While most of the risk assessment work was done in Diri, there was still a need for creating the final report outside of the tool (as visible in picture 5).”

Wangen tells that both the students and Diri’s customers have asked for better reporting possibilities and customization options for report generation. “We will investigate this and maybe for next year’s students, the report can be generated entirely in Diri. Additionally, threat and vulnerability analysis was missed for this semester. However, in summary

  • The students embraced Diri wholeheartedly, recognizing its value in their projects.
  • The seamless integration of Diri’s features enhanced their risk analysis process.
  • The utilization of Diri’s content generation capabilities enriched the quality of their final reports.

The overwhelming participation and positive outcomes underscore the effectiveness and efficiency of Diri in facilitating risk management projects. By adopting this modern tool, we have witnessed a marked improvement in the student’s experience and the quality of their work.”

Cyber Security
Risk Assessment