Associate Professor Gaute Wangen, who is also CTO at Diri, has taught students information security risk management at NTNU in Gjøvik since 2014. In his course, now called DCSG2005 Risk Management, the students learn the basics of the risk management process, how to conduct a security audit, and how to report the results.
The course consists of two primary deliverables:
“In previous years, data collection, risk analysis, and treatment planning were conducted using various tools like Word and Excel, which the students stumbled upon. While I have always maintained that any tool is acceptable as long as it meets minimum quality requirements, we recognized the potential benefits of utilizing a purpose-built, modern tool”, says Wangen.
“To explore this idea, we conducted a voluntary trial with the DCSG2005 students in 2022, introducing them to the Diri application for their risk management project. The trial was a success, paving the way for its adoption in this year’s curriculum. As a result, the usage of Diri became mandatory for the first report on social media usage, and voluntary for the second report.”
The implementation of Diri yielded great results this year, and the students expressed their satisfaction with working in a state-of-the-art risk analysis tool. Remarkably, even though the usage of Diri for the second report was voluntary, every single student opted to utilize the application and incorporate its generated content into the final report. This enthusiastic response speaks volumes:
Figure 1: Question 8 asks how useful it was to use Diri in the course, on a Likert scale going from “no use” (blue) to “very high utility” (purple). Out of 27 responding students, 20 said high or very high utility.
Question 11 asks whether the student would recommend using Diri for next year’s students, with a simple “yes”, “no” or “other” answer. Here the vote is almost unanimous for yes! Keep reading if you are interested in how we used it.
“Firstly, we set up a secure and locally hosted educational instance of Diri on NTNU’s SkyHigh OpenStack cluster separate from our production environment in Azure. The application was only accessible inside of the NTNU network and not visible from the internet (requiring VPN for remote work)”, Wangen explains.
“We quickly onboarded 85 students using the NTNU tenant ID and the “Sign in with Microsoft” option. My skilled teaching assistants (Jo Kristian, Michael, and Simen) worked as administrators for each branch and sorted the students into their respective groups (Figure 2). The security in the organisational tree is top-down and silo-based, meaning that each user cannot see the levels above or beside his organisation.”
“What worked great was that the students could create multiple risk assessments juxtaposed in Diri and use the aggregated data for analysis and reporting”, says Wangen. Figure 3 shows how each risk assessment is stored in Diri.
Each risk assessment is its own object in Diri. Groups worked on the risk assessment of each application separately, and some chose to report the risk picture of each application separately in the hand-in, as illustrated by the severe risk picture of TikTok from the group Ernik in Figure 4.
Furthermore, using the data aggregation in the dashboard, the groups could evaluate their current risk picture from all the applications in their portfolio, and add risk-reducing treatments to the unacceptable risks, as illustrated in picture 5.
“In summary, using Diri for this purpose worked great and we remain committed to providing our students with the best resources and tools to excel in their studies. The successful integration of Diri into our risk management curriculum sets a benchmark for future endeavours, ensuring that our students receive a comprehensive and cutting-edge education”, says Wangen.
“But we also see the need for strengthening the report-generating part of the tool. While most of the risk assessment work was done in Diri, there was still a need for creating the final report outside of the tool (as visible in picture 5).”
Wangen says that both the students and Diri’s customers have asked for better reporting possibilities and customization options for report generation. “We will investigate this and maybe for next year’s students, the report can be generated entirely in Diri. Additionally, threat and vulnerability analysis was missed for this semester. However, in summary
The overwhelming participation and positive outcomes underscore the effectiveness and efficiency of Diri in facilitating risk management projects. By adopting this modern tool, we have witnessed a marked improvement in the students’ experience and the quality of their work.”