2024 Journal of The Colloquium for Information Systems Security Education, Volume 11, No. 1, Winter 2024

Develop and Disseminate Hands-on Lab Materials of Privacy Concepts and Technologies to Educators

Na Li, Department of Computer Science, Prairie View A&M University, Prairie View, TX, USA, nali@pvamu.edu, ORCID 0000-0001-9296-1260
Lin Li, Department of Computer Science, Prairie View A&M University, Prairie View, TX, USA, lilin@pvamu.edu, ORCID 0000-0002-9652-8111
Mengjun Xie, Department of Computer Science and Engineering, University of Tennessee at Chattanooga, Chattanooga, TN, USA, mengjun-xie@utc.edu, ORCID 0000-0001-5089-9614
Bugrahan Yalvac, Department of Teaching, Learning and Culture, Texas A&M University, College Station, TX, USA, yalvac@tamu.edu, ORCID 0000-0002-3675-1936

979-8-8797-4077-6/24/$36.00 ©2024 CISSE www.cisse.info

Abstract—In the era of digitalization, a massive amount of data has been generated from people’s online activities or use of portable/wearable devices. The data often carries rich information about people. Therefore, privacy technologies are needed, from data generation to usage and from transmission to storage, to protect people’s sensitive information. Although the research community is making great progress in addressing advanced privacy protection technologies, very few educational materials have been developed to incorporate the latest research results and engage students in learning privacy technologies, especially for younger generations. In this paper, we present our newly designed educational materials on privacy technologies, which can be used for training high quality cybersecurity professionals to meet the ever-increasing demand. The developed learning modules not only incorporate the latest research results in privacy technologies but also include effective hands-on lab activities. To help other institutions effectively teach privacy technologies, we organized a faculty training workshop in summer 2022. Twenty-nine faculty from twenty institutions nationwide participated in the training. Survey results show that the participants gained a better understanding of privacy issues and demonstrated strong interest in teaching privacy technologies after attending the workshop.

Keywords—Data Privacy, De-anonymization, Relationship Privacy, Image Privacy, Location Privacy, Web Tracking, IoT Security and Privacy

I. INTRODUCTION

With the fast development of networking services such as social networks, the Internet of Things, and mobile applications, cybersecurity has never been more challenging than today [1], [2]. Cybersecurity education has been given great importance in the newly released computer science curricula. Similarly, industries favor qualified workers with security technologies and the demand is higher than ever [3], [4]. A student possessing this skill set will have a distinct competitive advantage in the market. As an integral part of cybersecurity, privacy protection has gained more and more attention from both industry and academia due to serious privacy breaches in recent years. For example, Facebook was sued over the Cambridge Analytica data scandal [5] in which 87 million users’ profiles were harvested; the Federal Communications Commission fined AT&T $25 million for failing to protect the clients’ personal information in 2015 [6]; and the University of Mississippi Medical Center was hit with a $2.75 million fine in 2016 by the Department of Health and Human Services over a health data breach [7]. According to Ponemon Institute, the average total cost of a data breach increased from $3.86 million in 2020 to $4.24 million in 2021 [8]. The occurrence of the violations caused people to panic [9], especially considering their daily online activities which generate a massive amount of data containing personal information.

Research on privacy has been intensively conducted in the scientific community. Despite the critical societal importance, privacy education has not been well integrated into the undergraduate computer science curricula. Privacy issues are often treated as optional topics instead of key fundamental concepts in security learning. A main obstacle is the serious lack of effective learning materials which can enable students to understand critical privacy concepts and gain hands-on skills. To address these problems and better prepare qualified graduates for the future U.S. workforce, the researchers from AAA University and BBB University collaborated in developing innovative learning materials on privacy protection.

The rest of this paper is organized as follows: Section II presents a background of current privacy education and our project objectives. Section III briefly introduces seven lab modules that we developed. Section IV gives two examples of the hands-on lab activities of the learning modules: Data Anonymization and Web Tracking. Section V analyzes the feedback of the faculty who attended our training workshop on using the developed lab modules. Section VI concludes the paper.

II. BACKGROUND AND PROJECT OBJECTIVES

Recently, a team of cross-disciplinary members, including computer scientists, educators, and social scientists, at the International Computer Science Institute (ICSI) and UC Berkeley, developed an online privacy curriculum which targets younger students [10]. This team designed and implemented ten principles with the purpose of spreading the awareness of protecting privacy among younger students and helping them better understand what happens to personal information when it goes online, how it might be used to negatively affect users, and how they can defend their privacy by limiting what they share. They focused on online privacy in general, which doesn’t cover as broad topics of privacy protection as we do in this project. Additionally, they are more knowledge based instead of hands-on learning based.

In this project, we focused on developing effective and hands-on learning modules on privacy protection. Through the engaging lab activities, we expect to motivate students’ interests in privacy technologies and deepen their understanding of privacy issues. The specific objectives of the project include:

• Design self-contained privacy learning modules by encapsulating the hands-on labs and related lecture contents, which can be infused into teaching different security and privacy subjects and be easily adapted by other institutions.
• Develop effective hands-on labs on privacy breach and protection on various topics, including cutting-edge fields such as the Internet of Things (IoT) and social media, with a special effort on developing engaging lab setting/labware which enables students to gain first-hand experience.
• Evaluate the effectiveness of the experiential learning approach on students’ learning outcomes, experience, motivation and attitudes towards privacy study.

III. LAB MODULE OVERVIEW

So far, we have developed seven privacy learning modules on different topics, including Data Privacy, De-anonymization, Relationship Privacy in Online Social Networks, Image Privacy, Location Privacy, Web Tracking, and IoT Security & Privacy. We created a VirtualBox image for each lab in the modules, which can easily be adopted by educators from other institutions. Next, we briefly introduce the lab modules. Two detailed lab examples will be described in Section IV.

A. Data Privacy

Prevalent data collection, both offline and online, by governments and private entities has gradually become a new “norm”. On the one hand, new technologies such as artificial intelligence and data mining heavily rely on gigantic volumes of data. On the other hand, privacy concerns about omnipresent data collections have been growing especially when many different datasets can be obtained and crossed by the same entity. A well-known linking attack against people’s data privacy was revealed by Dr. Sweeney [11]. This module aims to highlight the importance and challenges of data privacy and provide hands-on experience for students to understand data anonymization. The lab introduces basic concepts of data anonymization, linkage attack, and the k-anonymity privacy model. This lab provides an opportunity for students to practice using ARX [12], a data anonymization tool, to apply k-anonymity.

Learning Outcomes: Students will be able to (1) explain the importance and necessity of data privacy, (2) explain k-anonymity and its weaknesses, (3) analyze the utility of anonymized data, and (4) apply ARX to anonymize sensitive personal data.

Lab Design and Implementation: This lab consists of three tasks. The first task is about linkage attack. In this task, a brief explanation of linkage attack is provided and then an exercise is given for students to apply the linkage attack on a small dataset. The second task is on k-anonymity. In this task, the relevant concepts of the k-anonymity protection model are first provided with small examples; then, how to apply an open-source software, ARX, to data anonymization using the k-anonymity model is introduced. Hands-on exercises are provided for both parts. The reason that ARX was picked for this lab is two-fold: First, ARX is free, open-source, functionally rich, and well maintained. Second, ARX can be installed on Windows, Linux, and macOS. The third task is on attacking k-anonymity in which two attack methods, homogeneity attack and background knowledge attack, are introduced and practiced.

Challenges: Students are required to apply a linkage attack and explain the attack result in the first task. In the second task, students need to apply the k-anonymity model to a given table and perform required operations using ARX to anonymize a given dataset. Students are asked to use k-anonymity attack methods to perform attacks on a large anonymized dataset in the third task.

B. De-anonymization

De-anonymization is referred to as re-identifying target people from anonymized data with extra knowledge. The anonymized dataset is called Target Set (TS) and the dataset with extra knowledge is called Auxiliary Set (AS). De-anonymizing social media data can use either descriptive information, such as users’ hobbies, membership groups, location information or behavioral patterns online [13]–[16], or structural information, such as centrality and neighborhood topology [17]–[21], or both [22]. De-anonymization can be implemented with seed based and signature based attacks. The seed based attacks [23], [24] start with a small number of seeds which are identifiable users, and attempt to identify their neighbors, and then their neighbors’ neighbors, and so forth. The signature based attacks do not assume the availability of any seeds; instead, they rely on node signatures [22], [25], [26], which are uniquely generated from the nodes’ descriptive or/and structural information, and then match node signatures between TS and AS to re-identify users.

Learning Outcomes: Students will be able to (1) master the definition of de-anonymization, (2) know some de-anonymization technologies, (3) understand how the target set and the auxiliary set are prepared, (4) understand the implementation of seed based de-anonymization, (5) understand how to use profile and topological attributes in de-anonymization and (6) analyze experiment results to observe what could impact the de-anonymization accuracy.
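
An added example (not from the paper, its labware, or ARX) of the ideas in the Data Privacy and De-anonymization modules above: a release audit in Python that links a Target Set to an Auxiliary Set on quasi-identifiers, measures k, and flags the homogeneity weakness of k-anonymity. All records, names, attribute names, and the one-level generalization hierarchy are constructed assumptions.

```python
"""Release audit for a k-anonymized table. Added example with constructed data."""
from collections import defaultdict

QI = ("zip", "yob", "sex")   # quasi-identifying attributes (assumed names)
SENSITIVE = "dx"             # sensitive attribute kept in the release

# Constructed Target Set (TS): direct identifiers removed, quasi-identifiers intact.
TARGET_SET = [
    {"zip": "77446", "yob": 1985, "sex": "F", "dx": "asthma"},
    {"zip": "77447", "yob": 1987, "sex": "F", "dx": "asthma"},
    {"zip": "77445", "yob": 1992, "sex": "M", "dx": "diabetes"},
    {"zip": "77449", "yob": 1994, "sex": "M", "dx": "flu"},
    {"zip": "37403", "yob": 1971, "sex": "F", "dx": "flu"},
    {"zip": "37405", "yob": 1978, "sex": "F", "dx": "hypertension"},
    {"zip": "37402", "yob": 1963, "sex": "M", "dx": "diabetes"},
    {"zip": "37408", "yob": 1969, "sex": "M", "dx": "asthma"},
]

# Constructed Auxiliary Set (AS): a roster that still carries names.
AUXILIARY_SET = [
    {"name": "Alice Example", "zip": "77446", "yob": 1985, "sex": "F"},
    {"name": "Bob Example", "zip": "77445", "yob": 1992, "sex": "M"},
    {"name": "Carol Example", "zip": "37405", "yob": 1978, "sex": "F"},
    {"name": "Dan Example", "zip": "77001", "yob": 1990, "sex": "M"},  # not in TS
]


def generalize(row, zip_digits=3, year_span=10):
    """One level of a generalization hierarchy: mask ZIP digits, bucket birth year."""
    out = dict(row)
    out["zip"] = row["zip"][:zip_digits] + "*" * (len(row["zip"]) - zip_digits)
    start = row["yob"] // year_span * year_span
    out["yob"] = f"{start}-{start + year_span - 1}"
    return out


def equivalence_classes(rows):
    """Group rows that are indistinguishable on the quasi-identifiers."""
    classes = defaultdict(list)
    for row in rows:
        classes[tuple(row[a] for a in QI)].append(row)
    return classes


def k_of(rows):
    """The release is k-anonymous for k = size of its smallest equivalence class."""
    return min(len(members) for members in equivalence_classes(rows).values())


def homogeneous_classes(rows):
    """Classes of two or more rows whose sensitive values are all identical.

    Such a class satisfies k-anonymity yet discloses the sensitive value of
    every member (the homogeneity weakness). Size-1 classes are reported by k.
    """
    return {key: members[0][SENSITIVE]
            for key, members in equivalence_classes(rows).items()
            if len(members) > 1 and len({m[SENSITIVE] for m in members}) == 1}


def audit(release, auxiliary, transform=None):
    """Link each auxiliary person to the release rows sharing their quasi-identifiers."""
    classes = equivalence_classes(release)
    unique, disclosed = [], {}
    for person in auxiliary:
        probe = transform(person) if transform else person
        rows = classes.get(tuple(probe[a] for a in QI), [])
        if len(rows) == 1:
            unique.append(person["name"])          # exact re-identification
        if rows and len({r[SENSITIVE] for r in rows}) == 1:
            disclosed[person["name"]] = rows[0][SENSITIVE]  # value leaks anyway
    return {"k": k_of(release),
            "uniquely_linked": sorted(unique),
            "attribute_disclosed": disclosed,
            "homogeneous_classes": homogeneous_classes(release)}


# Audit the raw release, then the same table after generalization.
RAW_REPORT = audit(TARGET_SET, AUXILIARY_SET)
GENERALIZED = [generalize(r) for r in TARGET_SET]
GENERALIZED_REPORT = audit(GENERALIZED, AUXILIARY_SET, transform=generalize)

if __name__ == "__main__":
    for label, report in (("raw", RAW_REPORT), ("generalized", GENERALIZED_REPORT)):
        print(label, report)
```

Generalization raises k from 1 to 2 and removes every unique link, but the audit still reports one homogeneous class, so a release check should look at sensitive-value diversity per class and not at k alone.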


Lab Design and Implementation: We developed a web application using Angular JS, Node.js, Spring, and MongoDB. A dataset [27] collected from Weibo (i.e., a Chinese Twitter) was used to generate TS and AS. The system consists of three primary components: TS and AS data generation, de-anonymization, and experiment analysis. The data generation component allows users to configure the size of each set, and the percentage of their common nodes as well as how to anonymize TS, like injecting randomness into gender or year of birth values. The de-anonymization component runs a seed-based algorithm in the backend and visualizes results in a graph implemented with Cytoscape.js [28]. It allows users to specify the number of initial seeds and decide what information to leverage for de-anonymization, either profile attributes (i.e., Year of Birth and Gender) or structural attributes (i.e., degree and centrality). The summary of the de-anonymization result presents the number of pairs of nodes matched between TS and AS and the number of correct matches. Lastly, the analysis component provides a user-friendly interface to analyze the experiment results by plotting different charts.

Challenges: Students are required to run several groups of experiments with different configurations, from data generation to de-anonymization. Then they need to observe and analyze what could affect the de-anonymization accuracy of TS (e.g., how much of TS is anonymized) and how.

C. Relationship Privacy

Among the massive amount of data generated by social media platforms, the protection of relationship data has received more attention in recent years [29], [30]. Researchers noticed that users’ relationship privacy might be compromised by others using friend search engines [31]. A friend search engine is an application which can retrieve friend lists of individual users. In designing a friend search engine, OSN operators tend to display the entire friend list in response to each query in order to increase sociability of the site. However, some users may not feel comfortable displaying their full friend lists. In [31], the author proposed a privacy-aware friend search engine which handles the trade-off between privacy protection and the sociability of OSNs by setting a k value to control the number of friends displayed and selecting which friends should be displayed.

Learning Outcomes: Students will (1) be aware that their behaviors through OSN applications may compromise other users’ privacy, (2) observe the results from different display strategies of a friend search engine, (3) compare and evaluate different display strategies in terms of privacy preservation and impact on sociability, and (4) understand the trade-off between preserving users’ privacy and enhancing the sociability of OSNs.

Labware Design and Implementation: We developed a web application interacting with the Twitter API “GET followers/list” [32] to query users’ followers. The system implements three display strategies: Random K (randomly selecting K friends), Rank K (choosing the most influential ones to the sociability of the OSN) and Top K [31], where K = 4. A user can make queries using any display strategies implemented and visualize the results in a graph implemented with Cytoscape Web [28]. In reality, each user’s impact on the sociability of an OSN should be measured by multiple factors, including but not limited to his online activities and social connections. However, because the Twitter APIs allow only a certain number of queries in a time window, a real-time evaluation was not feasible. Instead, the system randomly selects node weights in [0, 1000) as impact indicators. The total weight of nodes visible in the result graph represents those nodes’ impact on the site sociability and it increases with more queries. A line chart is plotted with the number of users whose relations are compromised with queries.

Challenges: Students are required to run several queries with three different display strategies and observe their privacy violation levels. Also, they need to compare the impact of the strategies on the sociability of OSNs to evaluate the trade-off between the preservation of relationship privacy and the retention of sociability.

D. Image Privacy

Photo sharing has become a popular activity for online social network users. Semantically rich photos often contain not only the information that the uploaders want to share but also the information that is sensitive to others. However, most of the current OSNs do not have well-defined mechanisms for user privacy protection. This labware, which we named Facelock, was developed for teaching photo privacy. The goal is to increase students’ awareness of privacy protection while sharing photos in OSN. Through the hands-on activities, students will gain understanding of photo privacy and the essential concepts of face recognition.

Learning Outcomes: Students will (1) be aware of the privacy issues related to photo sharing on OSNs, (2) gain basic understanding of face recognition and object detection through deep learning technologies, (3) know how to use blurring techniques to maintain a trade-off between privacy protection and utility loss, and (4) understand the access control mechanism of OSN users for image sharing and privacy protection.

Labware Design and Implementation: The photo privacy labware consists of three components: (1) a SQLite database, (2) a web server, and (3) a deep learning based face recognition library. The SQLite database is used to store the information of the registered users, including their post records, profiles, friend lists, etc. For face recognition purposes, each registered user must upload a “standard” picture as part of his profile. The picture will be used for user detection in the photos through a face recognition library. The Facelock web server hosts a Facebook-like social network environment where users can post messages and pictures, search people, and join friend circles, etc. Besides, Facelock reinforces photo privacy protection. When a user attempts to post a photo, the web server will use the face recognition library to tag users in the photo. Each tagged user will receive an alert and then take action to edit the photo to
meet his privacy preference. The post will not be made publicly available until all tagged users respond with their privacy protection choices. The face recognition library plays a key role in user tagging. There have been different deep learning models developed for face recognition. Considering the model complexity and the speed required, the one adopted by Facelock is an open source application available on GitHub [33]. This library is lightweight and highly accurate. Requiring only one profile picture for each OSN user, it can achieve a recognition accuracy of 99.38%.

Challenges: Students are required to play different roles in the social network: post uploader, user(s) involved in the photos, and normal post readers. With different blurring schemes, students can observe their privacy violation level.

E. Location Privacy in Location Based Services

Location Based Services (LBS) have been applied in many web and mobile applications. With LBS-enabled services, individuals can share their real-time and historical geographic location information online to facilitate social interactions or events. However, alongside the benefits, mobile LBS capabilities also raise privacy concerns for users. Therefore, a large group of researchers have been devoted to designing secure and practical mechanisms to protect users’ location information in LBS [34]–[36].

Learning Outcomes: Students will be able to (1) increase their awareness of location privacy protection, (2) know basic anonymization algorithms to protect their location information, (3) understand how to track users based on their requests from the perspective of a malicious LBS, (4) understand the trade-off between location anonymization and its cost from the viewpoint of a privacy analyst, and (5) understand different users’ privacy preferences.

Labware Design and Implementation: The labware we developed consists of three components: an Android client, a LBS server, and an analytic server. First, the Android client provides users with an interface to request the nearest landmark searched by individual requestors with Google Places APIs. The Android client implements three anonymization approaches: no anonymization (using real location), shift based anonymization (using a dummy location for query) and area based anonymization (instead of sending a single location point, an area is included in the query). Second, the LBS server is assumed to be semi-trustable; therefore, it has only whatever is included in users’ queries, instead of their real location information. The server can filter queries and plot traces of individual users based on the queries they have made. Lastly, the analytic server gathers data from both the Android client and the LBS server in order to analyze the trade-off between preserving users’ location privacy and its cost, which is referred to as the distance between the real nearest landmark requested and the one returned from the LBS. The analytic server can also filter queries according to the time period of data collection, user id, or anonymization approach. Additionally, the server can analyze users’ privacy preferences, showing the distributions of users using different anonymization options. For individual users, the server can plot charts to show how a particular user’s privacy preference changes over time.

Challenges: Students are required to use our Android client to request landmarks with different anonymization options. Then, they need to go to the LBS web site to filter requests and view their trace on the map. Last, students are required to visit the analytic service to analyze the trade-off of location protection and its cost (i.e., the accuracy loss of LBS responses).

F. Web Tracking

Web tracking happens when visitors browse the Internet. The websites or the third parties collect, store, and share information about visitors’ activities. By analyzing users’ behaviors, the websites may infer their preferences and provide content that attracts the visitors in order to maximize the commercial benefits. In general, web tracking technologies can be categorized into two groups: stateful tracking and stateless tracking. The former is usually done through cookies, and the latter is often conducted by browser fingerprinting. This lab was developed for teaching both concepts.

Learning Outcomes: Through the hands-on activities, students will (1) be aware of web tracking and its commercial importance and potential threats to user privacy, (2) be able to explain the cookie mechanism and how to prevent web tracking through cookies, (3) be able to explain the browser fingerprint mechanism and how to prevent web tracking through browser fingerprint, and (4) be able to analyze web scripts and effectively prevent web tracking.

Labware Design and Implementation: The web tracking lab consists of three components: (1) several E-commerce websites, (2) an OSN website, and (3) the advertisement server. The E-commerce websites host different product information (e.g., appliances, shoes, phones, etc.) and each web page is embedded with a script from the advertisement server. When a visitor browses the products from page to page, the script will track the browsing record and transmit the information, including the visitor computer’s ID (i.e., cookie or fingerprint) and the product ID, to the advertisement server. The OSN website plays a third-party role in which the visitor browses for other purposes (e.g., social networking). Similarly, a script from the advertisement server is embedded into the website. After a visitor browses some products of the E-commerce websites and then comes to visit the OSN website, the script can retrieve the cookie or fingerprint information and compare it with the historic records stored at the advertisement server. The user’s behaviors will be analyzed. A result will be displayed at the OSN website for advertising purposes. The advertisement server is the hub for user information collection, storage, and analysis. Since its scripts are embedded in a hidden mode in the E-commerce and OSN websites, it is invisible to the visitors unless they know how to examine the website source code and how to analyze the network traffic.

Challenges: Students are required to browse different commercial websites, study scripts embedded into each web
page, observe the change of database records upon each product browsing activity, and analyze how the advertisement server displays the visitors’ browser history information on the third-party website. Students are also required to manipulate browser settings to understand different web tracking and protection mechanisms.

G. IoT Security & Privacy

Recent years have witnessed the exponential growth of Internet of Things (IoT) technologies as well as the soaring increase of attacks against IoT devices. Those attacks often exploit weak security protection exposed on many IoT technologies. Once IoT devices are compromised, they often become “bots” and are remotely controlled by attackers. Those IoT bots can be used to launch a variety of attacks that not only can damage system security, such as distributed denial-of-service (DDoS) attacks against legitimate servers, but also can breach data privacy, such as data theft or espionage through compromised wireless routers and Internet cameras. The famous Mirai botnet is such an example [37]. This module was designed to help students better understand how IoT security and privacy are attacked in practice by adapting the Mirai source code.

Learning Outcomes: Students will be able to (1) describe key facts about the Mirai malware, (2) explain how Mirai operates in both the infecting and the attacking phases, (3) explain how to prevent the spread of Mirai, and (4) practice infecting a simulated Internet of Things (IoT) device with provided Mirai emulation executables.

Lab Design and Implementation: This lab was built using modified Mirai source code, which was carefully designed to preserve essential Mirai operations including infection and spreading without the worry of security breach on the local area network (LAN) or even Internet. The lab environment consists of four virtual machines (VM): a command and control (C&C) server VM, a loader VM, a router VM, and a LAMP (Linux, Apache, MySQL, PHP/Perl/Python) server VM. The C&C server VM is to control the execution of the Mirai “botnet”, which is the router VM in our case. The router VM is the machine to be infected and used to launch a DoS attack on the LAMP server VM, which is a local web server accessible to all other VMs. The loader VM is used to load Mirai onto the router VM. All the four VMs are placed in an internal network within VirtualBox to contain the spread of Mirai. The lab implemented important functions for operating a Mirai botnet including network scanning for victims, loading appropriate code to attack a victim, controlling a bot remotely, and launching an attack from a bot.

Challenges: Students are required to follow instructions to perform a sequence of command line operations on different VMs to practice how an IoT (emulated) device can be compromised by Mirai and later used for spreading malware or launching an attack.

IV. EXAMPLES OF HANDS-ON LAB ACTIVITIES

A. Data Anonymization

Our data privacy lab asks students to apply the knowledge of data anonymization and k-anonymity and skills in using the ARX anonymization tool to anonymize a reasonably large dataset that contains 30,162 records. During the hands-on practice, the instructor will first provide the necessary background of k-anonymity and then introduce ARX and demonstrate its basic operations. After that, students can launch ARX from the provided VirtualBox VM instance. They need to follow the instructions to perform the following operations: (1) start a new project; (2) import the provided dataset using the File Import function; (3) mark quasi-identifying attributes in the input data section; (4) create a hierarchy for each quasi-identifying attribute without a predefined hierarchy or import a hierarchy file for its corresponding attribute; (5) create a k-anonymity privacy model with k set to 2 once all the hierarchies are set; (6) customize certain configuration attributes in the general settings; (7) perform anonymization; (8) visualize and review anonymization results; (9) analyze utility; and (10) generate a certificate file. A screenshot of the ARX interface after step 5 is depicted in Fig. 1.

Fig. 1. A Screenshot of Using ARX for Data Anonymization

B. Web Tracking by Browser Fingerprinting

Our web tracking lab, depicted in Fig. 2, was developed on top of Dr. Wenliang Du’s SEED lab “Web Tracking” [38] which only introduces web cookies. Therefore, we focus on the introduction of our browser fingerprinting lab and skip the cookie part. During the hands-on activities, students are required to take the following steps to understand the concepts, observe the results, and study the scripts: (1) visit E-commerce websites and browse the products; (2) log into the MySQL database of the advertisement server, select the database (named “revive adserver”), and open the record table (named “bt FingerprintLog”). After selecting each product, they will observe the record change in the table; (3) visit the E-commerce site (“www.wtlabelgg.com”) and observe the product displayed in the banner area; (4) revisit an E-commerce website and open the source code of it to examine the JavaScript code on how the browser fingerprint is generated and how the product information is embedded; (5) open each product page and examine the source code, and study how the website uses a PHP script to pass the browser
fingerprint and product ID to a tracking script at the advertisement server side; (6) open the source code of the tracking script to examine how the browser fingerprint and product information are inserted into the database; (7) revisit the social network and open its source code to study how the script retrieves the historic records from the advertisement server and displays the result based on an analysis of the visitor behaviors. Finally, students will be asked to manipulate the scripts to display different private information of the user.

Fig. 2. Illustration of Web Tracking

V. EVALUATION

Some of the developed lab modules had been tested among students through some security courses that we taught in the past few years [XX, YY, ZZ]. To disseminate the project outcomes and widely evaluate the lab modules, we organized a faculty training workshop in summer 2022. We believe that the well trained faculty can broaden the project impact and engage more students into the fields of privacy and cybersecurity. In this paper, we focus on the survey analysis of the workshop participants.

Before the workshop, participants were not well aware of the session topics. The mean of their responses on a 5-point scale was around 3.51, which meant they knew only a few words about the session topics. After the workshop was completed, participants’ response mean increased to 4.66, which meant that they knew the basic terms and could apply the concepts. Comparing the participants’ responses to the pre- and post-workshop surveys, we found that participants statistically significantly improved their awareness of all the seven session topics: Data Privacy (DP), Relationship Privacy (RP), Image Privacy (IP), De-anonymization (DA), IoT Security & Privacy (IoT), Location Privacy (LP), and Web Tracking (WT). The means and standard deviations of the participants’ awareness of the workshop session topics before and after the workshop, the paired-sample Student’s t-test results, and Cohen’s d effect sizes are presented in Table I. The comparisons of the pre versus post awareness found a statistically significant difference at the p = 0.01 level. This means that participants greatly improved their awareness of the session topics. Cohen’s d effect sizes close to 1 or bigger than 1 indicate a large group mean difference.
A total of 29 faculty from twenty institutions nationwide TABLE I. CHANGES IN PARTICIPANTS’
participated in the workshop, including 20 men (69%) and 9 AWARENESS OF THE TOPICS
women (31%). There were 10 Full Professors (34%), 8
Assistant Professor (28%), 6 Associate Professor (21%), 4 Lab Pre: µ (σ) Post: µ (σ) t df p-value d
lecturers (14%), and 1 part-time instructor (3%). 25
participants completed both the pre-workshop and post- DP 4.08 (0.79) 4.84 (0.36) 5.467 24 < 0.001 * 1.072
workshop surveys. Majority of the respondents were at the
Computer Science Department in their institutions. RP 3.44 (1.06) 4.72 (0.79) 6.799 24 < 0.001 * 1.333
Computer science and computer security were the two mostly
reported course titles among the courses participants have IP 3.32 (0.88) 4.56 (0.63) 6.972 24 < 0.001 * 1.367
taught. 17 of the participants (68%) reported their ethnicity
as Asian, 5 of them (20%) as African American, and 3 of DA 3.04 (1.25) 4.52 (0.81) 6.268 24 < 0.001 * 1.229
them (12%) as Caucasian.

979-8-8797-4077-6/24/$36.00 ©2024 CISSE 6 www.cisse.info


2024 Journal of The Colloquium for Information Systems Security Education, Volume 11, No. 1, Winter 2024

were relevant and useful. (6) The presenter(s) provided


Lab Pre: µ (σ) Post: µ (σ) t df p-value d
adequate time for Q&A. (7) The session materials provided
were useful.
IoT 3.04 (1.25) 4.52 (0.81) 5.892 24 < 0.001 * 1.155
Table III presents participants’ responses to the session
LP 3.44 (1.13) 4.56 (0.75) 4.594 24 < 0.001 * 0.901 surveys on a 6 point Likert-Scale (1 = Strongly disagree, 2 =
Disagree, 3 = Slightly disagree, 4 = Slightly Agree, 5 =
WT 3.56 (1.09) 4.64 (0.55) 5.417 24 < 0.001 * 1.062 Agree, 6 = Strongly Agree). Results show that almost all
participants agreed that the sessions increased their
knowledge and skills in the privacy technologies and they
Similarly, before the workshop, participants were learned how to teach the topics effectively. Participants
moderately interested in teaching the session topics. The reported that the sessions were well organized, objectives
means of their responses to a 5 point scale was around 3.95, were stated clearly and met, the information provided and/or
which meant they were “somewhat” to “a lot” interested in skills presented were relevant and useful, presenter(s)
teaching the topics. After the workshop, participants’ provided adequate time for questions and answers, and the
response mean increased to 4.25, which meant that they were session materials were useful.
“a lot” to “a great deal” interested in teaching the topics to
their students. The pre and post surveys show that TABLE III. PARTICIPANTS’ RESPONSES
TO THE SEVEN STATEMENTS.
participants statistically significantly improved their interest
in teaching all the session topics, however the group mean
# DP RP IP DP IoT LP WT
differences were not statistically significant. Table II presents
the results about the participants’ interest change before and (22) (22) (19) (20) (18) (18) (21)
after the workshop. For the Data Privacy and Location
Privacy, participants’ pre and post responses show 1 5.27 5.61 5.42 5.35 5.67 5.33 5.43
statistically significant difference at p = 0.05 level. This
means that participants’ interest in teaching these two topics 2 5.14 5.3 5.11 5.05 5.44 5.11 5.24
greatly improved. In other session topics, participants also
increased their interests to teach the topics. But the group 3 5.41 5.70 5.58 5.40 5.72 5.50 5.29
mean differences were not statistically significant. Cohen’s d
effect sizes close to 0.5 indicate a medium group mean 4 5.45 5.57 5.63 5.35 5.72 5.72 5.19
difference. Effect sizes close to 0.1 indicate a very small
group mean difference. 5 5.55 5.65 5.58 5.30 5.67 5.61 5.38

TABLE II. CHANGES IN PARTICIPANTS’ 6 4.95 5.70 5.74 5.60 5.50 5.67 5.48
INTEREST IN TEACHING THE TOPICS
7 5.36 5.65 5.53 5.40 5.67 5.44 5.43
Lab Pre: µ (σ) Post: µ (σ) t df p-value d
The # within the Parenthesis Represents the Surveys Returned
DP 4.16 (0.96) 4.56 (0.69) 2.28 24 0.031 * 0.447

RP 3.72 (1.11) 4.04 (1.11) 1.557 24 0.132 0.305


VI. CONCLUSION
IP 3.76 (0.99) 3.96 (1.14) 0.787 24 0.439 0.154 Privacy education is critical for training younger
generations to become future cybersecurity professionals.
DA 3.72 (1.18) 4.04 (1.07) 1.504 24 0.145 0.295 The emergence of new communication methods (e.g., OSN
and IoT) and networking services (e.g., Location Service) has
IoT 4.24 (0.91) 4.48 (0.85) 1.604 24 0.121 0.314 greatly improved people’s life quality. While people benefit
from these new technologies, they also expose more personal
LP 3.92 (0.97) 4.28 (0.91) 2.178 24 0.039 * 0.427 information to the Internet which brings serious concerns
about privacy protection. Thus, we designed multiple privacy
WT 4.12 (0.81) 4.36 (0.79) 1.883 24 0.071 0.369 labs to help students learn specific privacy issues. We
organized a faculty training workshop to disseminate our
project outcomes and enable them to teach privacy topics
After each session, the participants were surveyed about effectively. Our study shows that the faculty trainees were
the learning materials and workshop organization in terms of very satisfied with the lab materials in terms of concept
the following seven statements: (1) This lab increased my learning and hands-on experience.
knowledge and skills in [session topic]. (2) I learned how to
teach [session topic] more effectively. (3) The session was
well organized. (4) The session objectives were stated clearly
and met. (5) The information provided and/or skills presented

979-8-8797-4077-6/24/$36.00 ©2024 CISSE 7 www.cisse.info


2024 Journal of The Colloquium for Information Systems Security Education, Volume 11, No. 1, Winter 2024
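The Web Tracking lab steps (1)-(7) described earlier follow one value, the browser fingerprint, from the page script to the advertisement server's log and back out through a second site. The sketch below is an added example, not the lab's own scripts: the FNV-1a hash, the attribute names, the `AdServer` class and all sample values are assumptions, and an in-memory array stands in for the fingerprint log table.

```javascript
// Added teaching example; every name and sample value here is constructed.

// FNV-1a (32-bit): an assumed stand-in for the hash the lab's page script uses.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// Browser side: hash attributes any page script can read. No cookie is set.
function fingerprint(attrs) {
  const canonical = Object.keys(attrs).sort()
    .map((k) => `${k}=${attrs[k]}`).join("|");
  return fnv1a(canonical);
}

// Ad-server side: the tracking script appends (fingerprint, product) rows.
// The array stands in for the lab's fingerprint log table.
class AdServer {
  constructor() { this.rows = []; }
  track(fp, productId) { this.rows.push({ fp, productId }); }
  // Called on behalf of a different site: pick the most-viewed product.
  banner(fp) {
    const counts = new Map();
    for (const r of this.rows) {
      if (r.fp === fp) counts.set(r.productId, (counts.get(r.productId) || 0) + 1);
    }
    let best = null;
    for (const [id, n] of counts) if (!best || n > best.n) best = { id, n };
    return best ? best.id : null;
  }
}

function demo() {
  const ads = new AdServer();
  const visitor = { userAgent: "ExampleBrowser/1.0", language: "en-US",
    screen: "1920x1080x24", timezone: "America/Chicago", fonts: "A,B,C" };
  // Shop visits: each product view is logged under the fingerprint.
  for (const p of ["P-102", "P-230", "P-102"]) ads.track(fingerprint(visitor), p);
  // Second site: same browser, same hash, so the history comes back.
  const tracked = ads.banner(fingerprint(visitor));
  // Mitigation view: a browser reporting standardized values no longer matches
  // the logged rows, and everyone reporting those values shares one fingerprint.
  const generic = { userAgent: "Generic/1.0", language: "en-US",
    screen: "1000x1000x24", timezone: "UTC", fonts: "" };
  const afterStandardizing = ads.banner(fingerprint(generic));
  const sharedBucket = fingerprint({ ...generic }) === fingerprint(generic);
  return { tracked, afterStandardizing, sharedBucket, rows: ads.rows.length };
}

console.log(demo());
```

Because the join key is derived from browser attributes rather than stored state, clearing cookies between the two site visits would not change `tracked`; only changing what the browser reports does.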

ACKNOWLEDGEMENT

This project is supported by the National Science Foundation (NSF) under grant DUE-1712496.