Real-World Cyber Experience is Hard to Get. This CMU Program Could Change That.

For young people entering the rapidly growing(opens in new window) cybersecurity workforce, hands-on internship experience is often hard to come by. Researchers at Carnegie Mellon University have partnered with the Community College of Allegheny County (CCAC)(opens in new window) to address that challenge.

“It’s really hard for cybersecurity students to get internships because of the very nature of the work,” said Lee Branstetter(opens in new window), the James M. Walton Professor of Economics and Public Policy at CMU’s Heinz College of Information Systems and Public Policy(opens in new window). “A cybersecurity employee has high-level access to extremely sensitive information and systems, and companies will only trust seasoned experts with that kind of material.”

It took a team to find a solution to this problem. Branstetter worked with former CCAC professor Matthew Kisow, CCAC professor James Winyard, CMU professors Lauren Herckis and Carolyn Rosé, and CMU post-doctoral researcher Judeth Choi to develop the idea of using simulations to create this experience. 

They approached Rotem Guttman(opens in new window), a Ph.D. student at CMU’s Human-Computer Interaction Institute(opens in new window). Together with CMU master's student Will Nichols, they worked to create a cybersecurity simulation system that gives CCAC students first-hand experience identifying and mitigating cyber threats. 

“We wanted to simulate a corporate information network where there’s a cybersecurity attack that students have to respond to,” Branstetter said. “In the system we built, we can track their interactions and see what they’re struggling with and figure out how best to support them.”

A fictional workplace designed to mirror real-world cyberattacks

The simulation Guttman designed is called Cyber SimLab, and it provides the backbone of CCAC’s Ethical Hacking Lab, a one-credit lab course that revolves around a fictional company full of competing departments, and employees that get into all kinds of cybersecurity related problems that the students have to identify, mitigate and resolve. 

“It’s a realistic company that has narratives and storylines, and includes all kinds of cybersecurity threats and problems that we can throw at students,” Guttman said. “Nearly all of the tactics and techniques represented in the frameworks that we are aware of in the cybersecurity industry are represented in this company.”

One example features a character Guttman created named Cassandra Reichardt, who accidentally falls for a spear phishing scam — a cybersecurity attack in which a person’s identity is compromised through targeted communication. Reichardt is a single parent with two kids. After her daughter gets a scholarship to CMU, Reichardt shares the news online. Then, she receives an email.  

“The email looks like it came from CMU that says ‘Hey, we’re missing critical financial information. Please click this link to log in in the next 24 hours and confirm your income and financial information, otherwise you lose the scholarship,’” Guttman said. “Cassandra clicks the link, fills out the information, giving it to the bad guys and downloads the PDF receipt. But the receipt is weaponized and compromises her work computer.”

Just like professional cybersecurity experts, students in the Cyber SimLab access Reichardt’s computer remotely and triage the problem exactly like they would in a real work environment.

“They use the same technology that employees at cybersecurity firms use,” Guttman said. 

Larry Luther, who recently earned an associate degree in cybersecurity from CCAC, was one of the students who took the course. 

“It was extremely hard as we were figuring out what to do,” said Luther. “But we were really proud of how we did. After the class ended, I asked Rotem, ‘Can I go back and do it again?’”

Luther said being exposed to a scenario that closely mirrored what cybersecurity professionals do every day was instructive and eye opening.

“Our team went in blind, to a large degree,” he said. “We had to scan all the machines and find and test vulnerabilities in those machines. It’s hard to get hands-on keyboard experience in a real environment like that. Out of all the classes I took at CCAC, the lab probably taught me the most in the least amount of time, because we had to learn so much so quickly.” 

The important soft skills in cybersecurity

After students identify a cyberattack, they then have to present the problem to “management,” roles played by representatives from employers in the Pittsburgh region. 

“This is a critical part of the program, because it teaches students how to communicate the implications and severity of a complicated technological attack with people who are not always technologically savvy,” Branstetter said.

Guttman said these skills will come in handy frequently, especially in situations when the risks a company faces aren’t immediate or obvious. 

“The most interesting, difficult issues to communicate are the ones in the medium-risk security problems, the ones where there wouldn’t be an immediate loss,” Guttman said. “In his final presentation to management, one of our CCAC students said, ‘It’s like thieves coming by and peering in your windows. They’re going to look and see what kind of locks you have and where you keep the valuables. They’re going to take all that information and make plans, so when they do break in, they already know where everything is. They’re going to grab everything and be out the door before you even know they were there.’ Management understood the threat he was talking about immediately.”

“The students did an amazing job,” Branstetter said. “We believe this experience can help bridge the gap and help more students find successful employment in the cybersecurity field.”

Students who complete the course receive a document stating that the course is recognized by CMU. The Cyber SimLab was rolled out to students in late 2024, and Branstetter hopes to offer the course again in 2026. 

“We really want to keep hammering away at it, because we really do feel like this idea is somewhat different from everything else that’s out there,” Branstetter said. “It provides a way for people to simultaneously build technical, social and human skills. We can imagine an ecosystem that allows the program to keep building and growing.”