CTF for education
Yi Lyu, Luke Dotson, Nic Draves, Andy Zhang
TL;DR
The paper investigates how Capture the Flag (CTF) formats affect cybersecurity education and whether different formats complement each other. It categorizes challenges into attack-based, defense-based, jeopardy, and gamified/wargame types and analyzes content coverage, accessibility, and difficulty using literature and competition data. Key contributions include mapping format strengths and weaknesses and recommending a blended approach to maximize learning gains. The findings have practical implications for educators and organizers aiming to design more holistic, scalable, and accessible CTF-based curricula, while highlighting the need for quantitative efficacy studies.
Abstract
In this paper, we take a close look at how CTF can be used in cybersecurity education. We divide the CTF competitions into four different categories, which are attack-based CTFs, defense-based CTFs, jeopardy CTFs and gamified and wargames CTFs. We start our analysis by summarizing the main characteristics of different CTF types. We then compare them with each other in both learning objectives and other aspects like accessibility. We conclude that combining all four CTF formats can help participants build one's cybersecurity knowledge. By doing that, we hope that our findings will provide some useful insights for future CTF educators.
