Peer review is a well-known process by which peers evaluate one another's work. In educational settings, peer review involves students evaluating the work of classmates. Peer evaluations can serve many educational purposes: they foster comprehension skills (as students read the work of others), encourage self-assessment and meta-reflection (as students contrast their solutions with others'), demand synthesis of comments from multiple perspectives (as students combine feedback from multiple reviews), and develop professional skills around giving and receiving critique from colleagues.
The skills that educational peer review attempts to foster are critical in cybersecurity: code review is part of modern industrial software practice (and has identified high-profile security bugs), security problems are multi-faceted and require developers who can synthesize needs of many stakeholders, and developers must prioritize among vulnerabilities identified through different sources and processes. Peer review, with its emphasis on developing students' reflective skills, thus promises to be a valuable mechanism in training security professionals. There are, however, many configurations of peer review, each of which could engage students in different ways. Educational research focused on linking peer review configurations to learning outcomes in cybersecurity is thus critical to using this mechanism effectively.
This project will experiment with peer-review configurations in a variety of cybersecurity courses. The courses span several areas of cybersecurity (software, system, and policy), as well as both undergraduate and graduate students. The project will explore how various cybersecurity-specific learning objectives manifest through peer review. It will also yield software infrastructure for using and assessing peer review across a variety of courses and configurations. Expected deliverables from the project include observations about students' reviewing practices, refined research questions about how to use peer review successfully in security education, and software tools that others can use for similar projects (which will be made publicly available).