Teaching pentesting to social sciences students using experiential learning techniques to improve attitudes towards possible cybersecurity careers


  • Aleksandras Melnikovas General Jonas Žemaitis Miltary Academy of Lithuania https://orcid.org/0000-0003-3940-4320
  • Ricardo G. Lugo Department of Information Security and Communication Technology, Norwegian University of Science and Technology; Department of Information Security and Communication Technology, Norwegian University of Science and Technology https://orcid.org/0000-0003-2012-5700
  • Kaie Maennel School of Information Technology, Tallinn University of Technology, Tallinn, Estonia; School of Computer and Mathematical Sciences, The University of Adelaide, Adelaide, Australia https://orcid.org/0000-0002-3886-9532
  • Agnė Brilingaitė Institute of Computer Science, Vilnius University, Vilnius, Lithuania https://orcid.org/0000-0001-9768-4258
  • Stefan Sütterlin Faculty of Health, Welfare and Organisation, Østfold University College, Norway; Faculty of Computer Science, Albstadt-Sigmaringen University, Sigmaringen, Germany
  • Aušrius Juozapavičius General Jonas Žemaitis Military Academy of Lithuania, Lithuania https://orcid.org/0000-0002-8852-8605




Military education, Pentesting, Kolb’s experiential learning cycle, Cybersecurity, Student attitude


Labor market analysis shows that there is a significant shortage of experienced cybersecurity professionals, and this trend is expected to continue in the future. In addition, young people who are reluctant to choose STEM subjects in school typically do not see cybersecurity as a part of their future because they believe it demands exclusive technical knowledge that is beyond their reach. We aimed to change this perception among students of the social sciences, assuming that by providing social science students with the basics of cybersecurity, it would be possible to raise their awareness and encourage them to consider this field as a potential career option. Our team has designed a concise technical course based on Kolb's model that employs experiential learning to provide students with a basic knowledge of ethical intrusion (penetration testing). During the 32-hour subject, cadet officers with no prior IT education experienced all the steps of hacking both into a remotely accessible and physically accessible computer, including initial reconnaissance, vulnerability scanning, exploitation, and privilege escalation. A hands-on practical task of breaking into a highly vulnerable remote computer allowed for the evaluation of knowledge and skills as well as the reinforcement of learning experiences. In order to assess how the students' perceptions of the cybersecurity profession have changed based on the theory of planned behavior, they were asked to provide feedback immediately after the course and one year later. The results indicate that the short, technically challenging, but practical course based on experiential learning had a significant and positive effect on participants' attitudes: they were substantially more likely to consider cybersecurity as a future career, and some of them began participating in other cybersecurity courses or activities. It is reasonable to assume, therefore, that providing similar technical courses to social science students will encourage them to pursue cybersecurity-related careers in the future.