systematic failure is often hard to comprehend.

Part 5 of a multi-part series on why you should avoid MSc Applied Cybersecurity at Queen’s University Belfast, collaboratively written by students on the course.

Failing to deliver

QUB Student
QUB Cyber


The MSc Applied Cybersecurity course teaches six modules: Network Security (ELE8093), Ethics & Legal Issues (ECS8065), Malware (ELE8092), Computer Forensics (ELE8091), Software Assurance (ELE8094) and Applied Cryptography (ELE8090), with the additional untaught module Individual Research Project (ELE8095).

In this post, I will detail some of the issues with each module. We have documented over 14 pages of issues so this can only be a brief summary.

There is a summary at the bottom which summarises many of the major points below.

Labs & Coursework

Feedback was often not given for any of the labs or coursework for many months. In the case of the Malware module students took the exam before receiving their marks or feedback on their coursework or labs, meaning that students had no idea how well they were doing or if there were areas of the course content that they needed to work on. As it was too late to act, feedback was effectively non-existent.

Labs for many modules were non-functional. In Malware, the lecturer had not set up the labs before starting them, so instead he had students use their own devices to share virtual machines between computers. For the first lab, it wasn’t until 4–4:30pm that the labs were ready for all students; with the bus arriving at 5pm, students were left with no choice but to leave and set up the environment at home, as the rest of the week required that the labs were done at the end of each day.

It was policy not to make students aware of the marking criteria for coursework. This has been confirmed by talking to the course director. The reason given was “to avoid students gaming the system”. We are aware now that this is in stark contrast to other courses in the school, where students are made fully aware of how coursework is to be graded.

Software Assurance

The module went effectively un-taught. After a week of lectures containing little-to-no course content whatsoever consisting primarily if not entirely of irrelevant anecdotes of the lecturer’s work experience and talk of her upcoming business trip, students left feeling that they knew more about the lecturer’s business trip itinerary than the actual subject of the module.

The lecturer made it clear to students that she would not respond to any emails after the tutorial week and to get any questions out of the way before she leaves for her business trip. This meant that not only did students have no physical contact hours, but had no contact with the lecturer whatsoever outside of class.

Malware

From day one and many times after, the lecturer made it clear that much of the course content had been removed from previous years, despite many of the slides remaining in a disjointed manner. He often skipped through many slides without making it clear whether the slides were irrelevant (being from the content that was expunged) or not part of the class lesson and to be studied later.

The coursework was only briefly discussed in class, to the extent that students were instructed to “think from the perspective of a criminal”. The specification did not make clear a primary marking criterion, which we only found out after we received feedback, which was that the coursework was to be presented as an advertising poster. There is no reasonable way that students in a course about Cybersecurity would ever presume that a piece of coursework on “Malware As A Service” would not be a paper, but an advertisement.

The lecturer failed to respond to many students emailing him asking for follow-up details about the coursework, in some instances not replying at all, and in others not replying (despite multiple repeated attempts) until the day of the deadline — forcing students to submit late and receive late penalties.

All the labs were heavily shortened or limited versions of the labs from the book “Practical Malware Analysis” — all the answers were available in the book, or online.

Then there is the question of originality. Most of the sources of the slides are available online and not referenced in any manner.

Computer Forensics

As with Malware, the computer lab was completely unusable — to the point that some students had to go home early (via Taxi or personal transport) to do the work at home as the lab environment was not fit for purpose.

The reading week notes for this module were uploaded so late that there was not enough time for students to prepare before class started. The reading week is critical as it is a whole week dedicated to learning the surrounding topics before diving into the subject in class.

This module can only be best described as an introduction to Forensics. The software covered is only freeware available online, and not any industry-used tools like X-Ways, EnCase, Autopsy, The Sleuth Kit, Magnet Axiom or many other such tools. The only tool used was a free version of FTK Imager — not even the professional version. It should be noted that many if not all of these tools have a free 30-day trial available that students would’ve been entitled to use for any coursework, so it is not a matter of cost to the University that these tools are not covered. It’s bad enough that students aren’t given the opportunity to work with these tools, but they aren’t even taught about them — at all. This is a glaring omission that leaves students ignorant of industry norms.

Speaking with experts in the field, it is clear that no student would be able to pursue a career in Digital Forensics given the extraordinarily shallow nature of this module. Some students have already had to abandon plans to pursue this as a career because they simply cannot get any jobs in the field.

Law & Ethics

This module had the least content of the entire course. It was well produced, but 4 weeks dedicated to it is way beyond what is reasonable for the amount of content available.

As is now a regular pattern, students were not given feedback for approximately 4 months. Well past the time where they could’ve done anything with that feedback.

The coursework was a footnote on the last day, and as with Malware was barely mentioned or even discussed. As such, and with the policy of students being kept in the dark with regards to the marking criteria, students were ignorant of what was expected or how they would be graded.

This is bad enough with students for whom English is their mother tongue, but many students are international — probably more than half. This module of all was the most troubling for some of them due to it being so English-Language heavy, so the lack of guidance or marking schemes really hit some students more than others. Unfairly we would say.

Summary

  • Feedback was given far too late for it to be of any use to students. In at least two instances, students had completed all their labs, coursework, and exams before receiving any kind of feedback from a lecturer.
  • Labs were very poorly organised and essentially unavailable for most students, leaving them to work overnight at home on their own computers. This left them tired and exhausted for the next day.
  • The marking criteria were intentionally hidden from students so that they wouldn’t score too highly. The head of the school admitted that this should’ve been available to students.
  • There was little to no discussion of what was expected from the coursework for most modules. Two lecturers outright admitted that the coursework was not only vague but intentionally vague so that “students would not game the system” in meetings with students.
  • There were no contact hours with lecturers. Students have no one-to-one time with lecturers to discuss their understanding of the content. The only time students and lecturers meet is during the tutorial class week and the timing is very contracted — there is no free time in the day to talk to the lecturer.
  • Lecturers often were uncontactable. The Malware lecturer did not respond to multiple emails from students about coursework, the Software Assurance lecturer made it clear she would not respond to emails, and so on.
  • Some modules had very little content. Others had overwhelming amounts (Applied Cryptography). This was massively inconsistent and really messed with students’ expectations.
  • For most modules, the tutorial week was overwhelming. There is only one week every month where an entire subject must be learned and then students are graded on it — both during and after that week. The reading week does not prepare students, especially when lecturers fail to upload the reading week notes in time.

Next in the series:

An International Perspective, on the jeopardising of international students’ visas and ability to work in the UK.
