
CYBER 520

Weeks 1 and 2

Weeks 1 and 2 - Human Aspects of Cybersecurity and Information Gathering
Overview
"If it is urged that an abuse of the rhetorical faculty can work great mischief, the same charge can be brought
against all good things (save virtue itself), and especially against the most useful things such as strength, health,
wealth, and military skill. Rightly employed, they work the greatest blessings and wrongly employed, they work the
greatest harm." - Aristotle

"Knowing a great deal is not the same as being smart; intelligence is not information alone but also judgment, the
manner in which information is collected and used." - Dr. Carl Sagan

Concepts
People are and always will be the weakest link in security - there is no "patch the human". You cannot effectively
manage security without understanding people. We begin with an overview of the course topics of human factors,
social engineering, and leadership, and discuss the two sides of Influence in Security: the positive aspect that
helps sell the security program and its initiatives, and the negative aspect that is used by social engineers for the
disclosure or unauthorized use of technology or data. Then, we move into information gathering as we review
both technical and non-technical ways of gathering information. This is a critical step in hacking/intrusion, social
relationships, and sales. We will check your skills to pull information from multiple sources to create a picture of a
target.

Oh, and we will frighten you so much that you will probably never trust a stranger again:-D

Learn
Formulate the definitions associated with human aspects of security.
Consider relationships between humans and IT and how humans use IT today.
Summarize technical and non-technical techniques for gathering information about a person, business,
or organization.
Research and analyze the steps for collecting information.

Read
Hadnagy, Social Engineering, Foreword, Chapters 1 and 2 - make sure you listen to the podcast
episodes listed on p. 5
Cialdini, Influence, Chapter 1
Schneier, "The Psychology of Security", January 18, 2008, http://www.schneier.com/essay-155.html
Google Hacking Demo: http://www.blackhat.com/presentations/bh-europe-05/BH_EU_05-Long.pdf
Google Hacking Database: http://www.hackersforcharity.org/ghdb/

Field Trips
Social-Engineer.com http://www.social-engineer.com/ (the website for the Social Engineering book)
Social-Engineer.org http://www.social-engineer.org/ (the website for the Social Engineering podcast &
newsletter)
Influence at work http://www.influenceatwork.com/ (the website for the Influence book)

Watch (there is a method to our madness - they all relate to Human Aspects of Cybersecurity)
Johnny Long - No Tech Hacking http://www.youtube.com/watch?v=5CWrzVJYLWw
Professor Risk http://www.youtube.com/watch?v=a1PtQ67urG4
Hacking is easy https://vimeo.com/11328554
Selective Attention test http://www.youtube.com/watch?v=vJG698U2Mvo
Count the F's http://www.youtube.com/watch?v=QdwDOL34LIA
The Door Study http://www.youtube.com/watch?v=FWSxSQsspiQ
Awareness test http://www.youtube.com/watch?v=ubNF9QNEQLA

Do
View the video and instructions at http://content.bellevue.edu/cst/cybr/520/id/memory-game/ (make sure you
can see the big arrow in the lower right) - you will be taking a quiz (located in the Weeks 1 and 2
assignment folder) instead of filling out the Word document and turning it in.

"Signaling" (handy extra background information for Weighty Post Option #2)
There is a concept in behavioral economics called "signaling". It doesn't have anything to do with using your
flashers before moving from one lane into another - this signaling is more in the sense of "these are my
beliefs...which more than likely go along with these other beliefs and behaviors" - it's a bit like a bumper sticker.
It's really a literal signal, like a flashy something. Monarch butterflies signal to predators through their coloration
that they don't taste good. Viceroy butterflies taste good, so they adopted Monarch-like coloration to influence
predators to not eat them, too. Someone who drives a Tesla is signaling something different from someone who
drives a Ford F-150 pickup. Here's an interesting Freakonomics podcast episode that mentions signaling in the
case of hybrid automobiles:
http://freakonomics.com/podcast/hey-baby-is-that-a-prius-youre-driving/ (you can listen to the podcast or read the
transcript). One of the scholars interviewed for the podcast has written a piece on signaling:
http://www.overcomingbias.com/2015/05/what-is-signaling.html - and here's one on fashion:
http://www.overcomingbias.com/2015/02/fashion-excuses.html, where he points out that our real motives are
different from the ones we admit to.

The profile pictures and banner images we choose for social media are signaling our affiliation with something, an
idea or a group....some more subtly than others. One can probably size up a person's politics in a few questions
about things that have nothing to do with politics (in fact, Time magazine did just that recently:
http://labs.time.com/story/can-time-predict-your-politics/). One would do this so one would know what topics of
conversation to avoid, because nothing, including facts, ever changes anyone's mind about political opinions,
which are arrived at through non-logical/emotional means. Even if one enjoys a spirited debate, one will try to
steer clear of things that people are likely to take personally - religion is deeply personal, so folks won't have
personal discussions about religion, period. These days, religion tends to highly correlate with politics so folks will
find themselves avoiding political discussions if they detect strong religious beliefs - and folks would pick up on
those beliefs because that person is signaling them through phrases or types of music or jewelry or a sticker on
their car.

One of the things this course is designed to accomplish is to make you all realize that anything you say or do or
write or wear or drive or whatever can be used by someone else to gain influence - good or bad. Someone might
do recon on you to make you feel more at ease - to do you a favor at a party, so they can introduce you to
someone who is helpful for your career, or a prospective mate, or merely interesting. Someone might also gain
influence to scam you. It's not hard to learn what language, as it were, certain groups speak. Geek is certainly a
language style. Think how easy it would be for someone to learn enough Geek to infiltrate a geek group. Sports
fans have their own language. Religious groups have theirs - and they are probably the least likely to see it
coming. There was a past CYBR 520 student who did a project on teaching security awareness to a church
group. The class agreed those poor lambs were extraordinarily unprepared for the criminal mischief that is out
there. This shouldn't have to be said, but an awesome thing about IT and cybersecurity courses is that anyone's
politics (signaled or otherwise) don't matter in here. Maybe some differences of opinion about, say, the 4th
Amendment will come up, but we can discuss things like that in a measured if intense fashion and still go out and
have metaphorical drinks together.

Meme Challenge
For something fun - that works in concert with DDA and assignment posts - you are challenged to incorporate
appropriate and amusing meme images into your posts. Why? Because we said so. Because memes help
reinforce a point with humor, using recognizable cultural images. Studies have shown that humor aids in the
absorption and retention of information (http://www.apa.org/monitor/jun06/learning.aspx). You can introduce a
potentially controversial topic by presenting it in a meme and get people discussing the topic because they're put
more at ease by the humor. Also, the proofreading skills of the Internet are displayed at their finest when
someone messes up on a meme ;-) If you were to do a meme about an article it could be a visual TL;DR. Last,
it's just more fun to include memes in class.

If you are unfamiliar with memes this is a decent primer:
http://webtrends.about.com/od/reddit/a/Internet-Memes.htm

Here is a list of tools you can use to create your own meme images:

Livememe
Quickmeme
Meme Generator
AutoMotivator

What's in it for you all? Well, outside of the intrinsic benefits of humor and helping others learn more through
humor...nothing else; sometimes we do things because of the intrinsic value :-)

Written Discussion Board Assignments


All discussion board assignments, in addition to being posted as a draft to the discussion board for Designated
Devil's Advocate (DDA) interaction and general feedback, will have a final version submitted through an
assignment tool link in their respective bi-weekly assignment folder. The assignment tool link will take the
submission through the SafeAssign process, to check for problematic overlap, and also provide for a more
consistent submission and grading process. Grading for these assignments begins on the day after the last day of
the bi-weekly period, so the final versions of the Weeks 1 and 2 written assignments are due to the assignment
tool link on the last day of Week 2, and grading will begin the day after that. Feedback will be given before the
next set of bi-weekly assignments are due (so, in the example above, Weeks 1 and 2 feedback will be given
before Weeks 3 and 4 final versions are due); please refer to your professor's grading policy for more precise
information.

Weighty Posting
In order to keep discussions lively please choose at least ONE of the weighty questions below and post
your draft to the discussion board no later than the start of Week 2.

Compose and submit to the Weeks 1 and 2 Discussion Board, as a reply to the appropriate Weighty Post Option
thread, a structured post (a structured post has an introduction, a conclusion, and a developed body that flows
well - generally at least a few paragraphs - at least 250 words), using your own words, on at least one of these
weighty questions:

1. Harmless Internet Surveillance Exercise: Determine someone who you know has an Internet footprint to
create a dossier for (if you can't think of someone, use "Jonathan S. Tuttle" - the one affiliated with Bellevue
University - or contact your professor for the names of friends who are willing to be experimental subjects -
heck, you can use your professor if you haven't already done this in your spare time ;-) Here are the steps:
Search the Internet for all information about your subject. You can use the articles on Google Hacking in
this unit's reading to help you. Respond to ALL of the following: 1) What does your subject do for a living?
2) Where did your subject go to school? (this can be high school, college, etc.) 3) What social networks is
your subject on? 4) Where did you go to get information on your subject? (List your sources of information.)
5) List all that you can find about your subject - this could include screen names, birthdates, hobbies,
friends/family/acquaintances, marriage licenses, tax records, etc. (keep it PG-13 or safer) It's optional about
whether you want to give the subject's full name or just provide initials. (No, you may not contact the NSA to
use their file ;-) Write all this up in a post that isn't merely a list of answers. Be engaging - think Buzzfeed or
Cracked.com with more substance and fewer swear words ;-)

2. Harmless workplace/neighborhood/community Surveillance Exercise: You've seen them everywhere - and
might even have one yourself - cars with stickers on them. Family stickers, "My child is an honors student at
[school]!" stickers, cheer/dance/soccer/football/bowling team stickers, sports stickers, political campaign
stickers, park passes...a car can be a walking..okay, driving social engineering hazard. While some news
programs have highlighted how family stickers and cheer/dance/soccer/football/bowling team stickers can
put children in danger of abduction or alert burglars (see
https://thestir.cafemom.com/parenting_news/183944/3_stickers_youve_probably_got for an example),
social engineering is much more than that (although how a predator would lure a child is a subset of social
engineering). Social engineering is gathering intelligence about people to gain an advantage for yourself.
Building rapport (which we discuss at length later) is an excellent way to gather intelligence...but you need
some place to start.
Oh, look, this person who holds the key to security access at their company is a Harry Potter/Huskers fan
from California! Hey, this other person you need information from rescues dogs and has a kid who plays
soccer! (Even Professor Karla, the course designer, the Queen of "So, what kind of funeral do you want to
have?" Small Talk could come up with a convincing line of conversation for the drivers of these cars.) There are a
variety of reasons people affix stickers to their cars - see Shankar Vedantam's classic article on the topic:
http://www.washingtonpost.com/wp-dyn/content/article/2008/06/15/AR2008061501963.html?sid=ST2008061502199
So, your task is to find as
many of these walking driving advertisements as you can and figure out how what is on their cars could be
used against them by someone bent on developing rapport. (You are not to harm or scare anyone! This is
an observation and analysis exercise - you are not going to use the information against them) Spend a few
days documenting what you find - you can share photos, but if the license plate isn't personalized try to blur
that out - as the previous owner of a vanity plate, "PROF KAR", Professor Karla knew she was fair game. If
you get a chance to engage in conversation with the driver, try developing rapport based on the car's
stickers, but don't be creepy - remember, keep the target safe :-) After you've gathered some data, write up
your observations, at least 250 words, and keep us entertained :-D

3. Create an infographic that explains Bruce Schneier's "The Psychology of Security" to people who know
nothing about the topic. Make sure you cover at least five data points. Post the infographic and explain why
you chose the data points you did. You might find this link useful for the infographic:
http://www.edudemic.com/diy-infographics/

4. Find a Dilbert cartoon strip that relates to social engineering. 1) Attach the cartoon or a link to the cartoon.
2) Pretend the class is filled with clueless Dilbert-boss managers and explain the relevance of the cartoon
to social engineering. 3) Compare the strip's scenario to something you personally have encountered at
work, or, if you haven't been so lucky, interview someone else who has encountered such.

You need to support your Weighty Posts with references to worthy* sources in addition to your book/book
resource site and the Gartner article or video or cartoon you're discussing. The BRUIN library is a great place to
start. Feel free to use worthy* news articles as sources (remembering that they always have a bias, that is),
making sure to list those and all other sources at the bottom of the post (please use more than a URL!).
Quotations by famous people are allowed, as well - you only have to identify the speaker, not the specific work, in
the case of well-known quotations, e.g. "If you reveal your secrets to the wind, you should not blame the wind for
revealing them to the trees." - Kahlil Gibran
*Worthy means the author or the publisher of the source has authority and credibility on the topic, the source has
been QAed through editors or a peer review system, the source is recent or has historical value, the source is
factual and accurate, if the source is an opinion piece, the arguments are backed up with evidence and reasoning
("only a Sith deals in absolutes"), and any facts or stories in the source can be corroborated through another
unrelated source. Determining what is and isn't a good source is an art - it's something you develop over time.
You can also check the Written Assignment rubric in the Syllabus section for more information.

The CARS checklist is very handy for evaluating sources:


Credibility: trustworthy source, author's credentials, evidence of quality control, known or
respected authority, organizational support. Goal: an authoritative source, a
source that supplies some good evidence that allows you to trust it.

Accuracy: up to date, factual, detailed, exact, comprehensive, audience and purpose
reflect intentions of completeness and accuracy. Goal: a source that is
correct today (not yesterday), a source that gives the whole truth.

Reasonableness: fair, balanced, objective, reasoned, no conflict of interest, absence of fallacies
or slanted tone. Goal: a source that engages the subject thoughtfully and
reasonably, concerned with the truth.

Support: listed sources, contact information, available corroboration, claims supported,
documentation supplied. Goal: a source that provides convincing evidence
for the claims made, a source you can triangulate (find at least two other
sources that support it).

Summaries and Analyses
In order to keep discussions lively please post your drafts of your summaries and analyses to the
discussion board no later than the start of Week 2.

Background (aka "why we are tormenting you thusly" :-D): A great way to curry favor with managers is to make
them look good. Managers often have little time to stay current on developments in technology, particularly longer
articles or thought-provoking lectures. Knowledge, though, is power, and it's important for everyone - and
particularly essential for those in decision-making positions - to know the latest discussions, discoveries, and
dilemmas that are out there. A great skill to hone is the ability to distill a longer item to its essence by summarizing
and analyzing its content and points for another. Pretend your manager needs to have a surprise power lunch
with her or his manager and doesn't have time to get current on the latest developments in cybersecurity and
social engineering. You ride to the rescue, bearing two one-page (250 words) documents, summarizing both an
academic item (since you have access to a University library even as an alum ;-) and a more popular (yet still
edited) item you found on the Internet.

It's okay to reference classic items, as long as you can point out in your analysis why the item is still relevant or
has historical value.

TL;DR

Part of being an effective sharer is being able to quickly capture the attention of the target of your sharing, whether
that's an individual manager, a small group of colleagues, or the public (such as on Twitter or LinkedIn). "TL;DR"
stands for "Too long; didn't read", and while it started as a slam on wordy comments on the Internet, it now also
means a short but informative summary - a spoiler, if you will - of your longer message. A comparable military
version might be "Bottom Line Up Front". So, in addition to your summary and analysis, as detailed below, you will
need to provide a TL;DR to your post that encapsulates the essence of what the item is trying to say (and, trust us,
that's rarely the title of the item ;-). We'll start with a guideline of 140 characters (which is what Twitter allows), but
if that is too limiting, you can use more characters - still, keep it short. Consider it a challenge to be that brief. You
will still be providing the traditional summary and analysis; this is an add-on.

Academic Item

Choose one academic/scholarly article or presentation, related to cybersecurity or social engineering, from any
relevant academic journal or given by an academic/scholarly person (e.g. Avi Rubin, "All your devices can be
hacked", http://www.ted.com/talks/avi_rubin_all_your_devices_can_be_hacked - you can search the ted.com site
for "professor" and get results). The journals for the ethics classes would work (Ethics and Information
Technology or Computers in Human Behavior.) The journals are available free of charge via the university online
library. The library has also developed a LibGuide for Cybersecurity: http://libguides.bellevue.edu/Cybersecurity
You can get assistance on how to use the online library by visiting the Student Services tab in the main
Blackboard window. We strongly recommend you go through the BUILD IT modules if you are new to the
Bellevue library: http://lib.bellevue.edu/buildit/index.html.

The Pew Research Center Internet, Science & Tech organization (http://www.pewinternet.org/) counts as
academic for the purposes of this assignment.

Note: if you are having trouble gaining access to library resources there are pdf copies of various journal
articles here - ACM and IEEE journal articles, as well as Gartner papers, count as academic for the
purposes of this assignment: https://app.box.com/s/6y09j7i8lmzqewf36qj5

Compose and submit to the Weeks 1 and 2 Discussion Forum - "Summary and Analysis: Academic" thread a
structured post (a structured post has an overall introduction, an overall conclusion, and a developed body that
flows well - generally at least a few paragraphs - at least 250 words, not including the question text itself), using
your own words. Please include, as well:

1. An APA/MLA/Chicago/etc. reference for the item - basically, let your professor and your classmates know
how to find it if we want to read/watch it.
2. TL;DR
3. Why you chose this item.
4. A brief summary of the main points that the author made in the item.
5. An analysis of the item. Points to address (all 7 of them):
   1. Did the author have a clear purpose for the item? What makes you believe so?
   2. Was this purpose accomplished? How?
   3. Did the author present compelling evidence to support main points?
   4. Does the item have gaps? What sort?
   5. Did the author present the information in a way that readers would find appealing? In what way?
   6. Is the world a better place for this item being written/given? How?
   7. How does this item relate to the real world, either business-wise, or personally? If it doesn't, state
      why.

You don't have to write in a boring and stilted academic style in your summary and analysis - it's all right (and
encouraged!) to write in an engaging style! It's recommended that you do make a clear distinction between the
summary and analysis sections of the paper, if only to remember to address all 7 points of the analysis
assignment.

Non-Academic Item

Choose one item, related to cybersecurity or social engineering, from any worthy (see page 3 for the definition of
worthy) edited/QAed online source, such as MIT Technology Review, Wired, Ars Technica, TechDirt, Atlantic, The
New York Times, The Washington Post, Christian Science Monitor Passcode, CNET, CSO, Information Security,
SC, Security (that is not an exhaustive list), a TED Talk (http://www.ted.com/ - you can also find TED Talks on
YouTube) by anyone (e.g. James Lyne, "Everyday cybercrime — and what you can do about it",
http://www.ted.com/talks/james_lyne_everyday_cybercrime_and_what_you_can_do_about_it), or some of the
films from the library's extensive film collections, Films on Demand, Alexander Street, and Kanopy. Look for their
Computer Science & IT collections. An example is "Cyberwar Threat".

Compose and submit to the Weeks 1 and 2 Discussion Forum - "Summary and Analysis: Non-Academic" thread a
structured post (a structured post has an overall introduction, an overall conclusion, and a developed body that
flows well - generally at least a few paragraphs - at least 250 words, not including the question text itself), using
your own words. Please include, as well:

1. An APA/MLA/Chicago, etc. reference for the item - basically, let your professor and your classmates know
how to find it if we want to read/watch it.
2. TL;DR
3. Why you chose this item.
4. A brief summary of the main points that the author made in the item.
5. An analysis of the item. Points to address (all 7 of them):
   1. Did the author have a clear purpose for the item? What makes you believe so?
   2. Was this purpose accomplished? How?
   3. Did the author present compelling evidence to support main points?
   4. Does the item have gaps? What sort?
   5. Did the author present the information in a way that readers would find appealing? In what way?
   6. Is the world a better place for this item being written/given? How?
   7. How does this item relate to the real world, either business-wise, or personally? If it doesn't, state
      why.

Again, you don't have to write in a boring and stilted academic style in your summary and analysis - it's all right
(and encouraged!) to write in an engaging style!

It's recommended that you do make a clear distinction between the summary and analysis sections of the paper, if
only to remember to address all 7 points of the analysis assignment.

Memory Game Quiz


Visit the Memory Game link listed in the "Do" section on the first page of these assignments. Follow the
instructions on the video until you reach the part where it says to click and download a document. Instead, you'll
come to Blackboard, to your Weeks 1 and 2 folder, and take the Memory Game quiz. The quiz will be graded as
Complete or Incomplete, not for the score you get, so no double monitor-quiz-on-one-screen/video-on-the-other,
okay? ;-) We're using Blackboard's AI to grade these, but your professor can always override spelling issues.

Personal Reflection Journal


You are required to keep a journal to reflect on what you're learning about social engineering. Every two weeks
you should add approximately one page to your journal on what you've observed, learned, or experienced during
that two-week period (you are certainly free to write more, though!). There will be suggestions on what to write on
in the bi-weekly assignments, but you are free to write about whatever strikes you.
This journal is private and only viewable by you and the professor. Feel free to have a little fun with your journal.
It's okay to be creative, experiment, and try new things here with your writing style and content. You can try
freestyle writing if you like, where you let your thoughts run without worrying about being graded for style,
grammar and spelling.

We hope you see that keeping a journal is a good way to collect your thoughts on different topics. Journaling is a
great way to improve your writing skills.

Please do write in this regularly - we want you to reflect as the class is going on, not wait until the end. The entire
journal counts for 10% of your overall grade. You are evaluated on quality and quantity of journal entries. Graded
as Complete/Incomplete, where a B or higher is Complete.

Here's a suggestion for Weeks 1 and 2: Watch this video, "19 Simple Psychological Tricks That Actually Work"
https://www.youtube.com/watch?v=l4tWdTmYZoM and try out as many of the tips as you feel comfortable trying
or have occasion to try. What happened?

As If You Weren't Having Enough Fun Already...


"Designated Devil's Advocate" or DDA

All students will play Designated Devil's Advocate (DDA). The role of Devil's Advocate is to challenge posts - be skeptical and find
holes in the logic or facts - even if the DDA happens to agree with the poster's point. The purpose of the exercise
is to make the posters and the DDA engage in deeper and more critical thinking. Devil's Advocates are used in
business to prevent "groupthink".

Post as Anonymous Option


DDAs have the option to be anonymous when posting. There's an extra step to take before posting in order to be
Anonymous - see the image below.

(Although your post will be anonymous to your fellow students, your professor can tell who has posted what,
when, and where, so behave ;-)

If you forget and don't check the Post message as Anonymous box and you press submit, you can still edit your
post after the fact, but anyone with the subscription feature turned on will see who is behind your DDA Secret
Agent Code Name (explained below). That shouldn't be a problem (because we're all being polite :-) but it can be
embarrassing. We had an Agent Piranha blow his cover after only 30 minutes one term and he needed to select a
new DDA Secret Agent Code Name. A best practice is to check the box before typing in anything.

If you choose not to post as Anonymous it's helpful to your professor and your classmates if you can identify in
your post that you are playing Devil's Advocate.
DDA Code Names - Now Required if Posting as Anonymous
If you have chosen to post as Anonymous, you are required to use your DDA Secret Agent Code Name (which
you select through the "DDA Secret Agent Code Name Request" tool*, located in the main Assignments folder)
when you are posting in your DDA capacity. This helps you keep track of how many DDA posts you've made,
because you can search by that code name. This also adds more excitement to the class, as you can feel like a
Cold War Spy. You may include the Secret Agent DDA Code Name in the subject line or in the body of the post
(or both).

There is a list of suggested "dangerous critter" (animals, mythical characters, microbes, etc.) names in the DDA
Secret Agent Code Name Request tool, but you are free to choose any name you want, dangerous or otherwise.
If nothing on the list strikes your fancy, try this Code Name Generator: http://www.codenamegenerator.com/ - one
probably doesn't want to run across an "Aurulent Titanium Hyrax" (in a dark alley, late at night, with a full wallet).

If your DDA post does not include your DDA Secret Agent Code Name you will NOT receive credit for the DDA
post. You have the ability to edit your posts, so if you forget, you can go back and put in your identity.

*Your Secret Agent Code Name request needs to be confirmed by your professor (in case of request
collisions). Please check the top of the gradebook for your code name.

Grading
An initial DDA post needs to ask a question. If there isn't a question it's not a DDA post. Subsequent dialog
doesn't have to continue questioning.

When acting as DDA, it might be helpful if you think of how you would have answered the question and then find
the difference between the two – ask if the original poster thought of x, y, and z. Or, you can find a current worthy
article (Internet or the BRUIN library) that deals with the topic and ask if the original poster had run across that
and if its information or conclusions would have altered his or her findings. You can always ask if the original
poster has experienced the issue on his or her own. These are not the only types of DDA activities, by any
means. Feel free to improvise!

It is perfectly acceptable to perform basic peer review observations in your DDA role. If someone needs
to proofread better, you may address that. If you have questions about their sources and whether they
are "worthy", you may address that. If you think someone hit the submit button accidentally early (i.e. the
post isn't at least 250 words), you may address that.

Another option is to look at the tips for posts (see the Wikialien's Lair area of the classroom); if those weren't
addressed, you, as the DDA, can ask:

Why did it happen?
How did it happen?
What might have prevented it from happening?
How did it affect other things?
What are connections that most other people have missed?
What will happen as a result of it?
What might have happened if it didn't happen?
What have you found out about it that nobody knew before?
What are some unanswered questions that nobody thought of before?

Your DDA performance is 30% of your overall grade, so make it count! The base expectation is 20 DDA posts
during the term (i.e. at least 20 times during the current term that you have posted a DDA post that includes at
least one question per post), but you are welcome to make as many as you like. If you're having a blast posting as
"Secret Agent Cholera" you don't have to stop when you reach 20!

Please try to read other DDA posts (you can tell because the posts will have Anonymous as the author and a
DDA Secret Agent Code Name somewhere) before making your DDA post. It's not good if students start to feel
like they are being tag-teamed by raptors ;-)

When someone has DDAed your post, understand that the DDA is not attacking you personally, but helping to
strengthen your argument by pointing out how it can be better. It is not intended to be a comment on your value
as a person and it is not intended to be rude or snarky or hostile.
It might be helpful for the class to see the DDAs as looking like this adorable giant panda cub:

(Yes, we recognize the inherent contradiction in directing you to pick dangerous critter names and then
asking you to see each other as panda cubs...)

Tips from past DDAers


"The DDA is such a wonderful tool; I wish more classes utilized it. For a while I tried to figure out who was who,
but then I just let it go :-)"

"Imagine debating against the point that was just made. Analyze the argument. Stretch the parameters - where
does it break? What important considerations were left out? Did the poster make correct or fair assumptions?
Try to make each participant in the discussion think more
critically. It also lies upon you to frame your response in a way that would make the discussion more intellectually
stimulating. What other avenues of thought can be explored - especially ones that others may be reluctant to
bring up without the veil of anonymity? You are the shadow on the wall with the power to ask any question and
unravel more truths. Think."

"For me, the DDA assignment was a license to ask the questions that I would have otherwise filtered and/or
avoided asking, even though they should be asked. Basically, if I felt any hesitation in a normal response, I would
switch it to a DDA. When I first learned about DDA responses, I thought the idea was kind of corny, but quickly
learned that they can really add spark to the conversation."

"There is nothing wrong with being a little bit of an antagonist. The DDA is intended to get people using their
heads and stirring the pot a little. Post the questions that stir debate; the best ones are the ones that are
completely contrary to what you believe is right. An extreme example: most people agree that stealing a car is
wrong. So pose the question, 'If someone is dumb enough not to properly secure their car, would it not teach
them a lesson by taking it? Besides, isn't that what insurance is for?'"

"A DDA must be willing to go against the grain of majority thinking. Simply arguing for the sake of it won't do; one
must understand the problem and become the bad or unpopular solution. There will be those that will side with
the DDA, and those that will argue against the DDA....to make someone believe the DDA is the "anti-them" and
stimulate conversation at the same time should be the goal of the DDA. You are the bad-guy in wrestling. You are
the guy played by James Woods in movies. You are the person that makes the other students remember you
when you leave the class because of your comments against what they think. You must own the DDA position in
order to perform it well!"

Final Projects (there are two sets)


You have two sets of final projects.

The first is a Security Awareness Training Campaign. It has three parts.

The second is a choice between doing a Social Engineering PSA (Public Service Announcement)
or a Phishing Campaign. Either option will be amazingly fun.

Both sets of your final projects are due by the end of the term.

More details are available in the Final Projects folder.

Please let your professor know if you have any questions about any parts of the assignment. You can use the
"Ask the Professor Anything" discussion board.
