Five years of GenCyber camps: what the data actually shows
From 2018 through 2022, we ran GenCyber camps in Wyoming — week-long, summer cybersecurity experiences funded by the National Security Agency and designed for both K-12 students and teachers. Over five iterations, we worked with hundreds of participants across rural and urban communities, refined the curriculum multiple times, and collected evaluation data at every stage.
The GenCyber program nationally has shown consistent positive results. Our camps were no exception. But the specific findings shaped how we think about cybersecurity education — and PD design more broadly — in ways that the high-level outcomes do not capture.
What worked immediately
The hands-on, activity-first structure of the camps produced measurable gains in both teacher and student knowledge of cybersecurity concepts. Participants learned the GenCyber Cybersecurity First Principles (including the “hand model” — confidentiality, integrity, availability, think like an adversary, keep it simple, defense in depth) through physical activities rather than lecture.
Teachers built Caesar cipher wheels by hand before programming them on micro:bits. Students programmed robots to navigate obstacle courses that simulated network security scenarios. Every concept had a tangible, manipulable artifact attached to it.
In our published evaluation data, 87% of participating teachers reported increased confidence in integrating cybersecurity concepts into their existing curricula — a number consistent with national GenCyber outcomes. Pre- and post-assessments showed statistically significant gains in content knowledge for both teacher and student cohorts.
What surprised us
Three findings from the longitudinal data reshaped our approach.
First, the strongest predictor of classroom implementation was not content knowledge — it was peer collaboration during the camp itself. Teachers who formed working relationships with other participants during the camp were significantly more likely to implement cybersecurity activities during the subsequent academic year. The social infrastructure of the PD mattered as much as the content.
This is why every activity in our current PD programs uses groups of three or more. Pairs produce polite conversation. Groups of three or more produce working relationships — the kind where a teacher texts a colleague in November to ask, “How did you handle the cipher activity with your sixth graders?”
Second, teachers wanted micro-credentials, not just experience. By year three, we heard a consistent request: participating teachers wanted a formal credential they could show administrators. This led directly to our work developing a cybersecurity microcredential program, which we designed in collaboration with the Wyoming Department of Education and published in Education Sciences.
Third, rural access was a design constraint, not a logistics problem. Wyoming is the least populous state in the country. Many of our participants drove three or more hours to attend. The assumption that “just make it virtual” would solve access turned out to be wrong — rural teachers with limited bandwidth and no local support network needed the in-person, intensive format. Virtual follow-up worked well after the initial face-to-face experience, but it could not replace it.
The publications
Our GenCyber work generated several peer-reviewed publications, all open access:
- Wolf, S., Burrows, A.C., Borowczak, M., et al. (2020). Integrated Outreach: Increasing Engagement in Computer Science and Cybersecurity. Education Sciences, 10(12), 353.
- Burrows, A.C., Borowczak, M., Mugayitoglu, B. (2022). Computer Science beyond Coding: Partnering to Create Teacher Cybersecurity Microcredentials. Education Sciences, 12(1), 4.
These papers document both the program design and the evaluation methodology. If you are designing a cybersecurity PD program for your district, the evaluation instruments and findings are freely available.
Scaling beyond a single state
The GenCyber model is nationally replicated — camps run at dozens of universities across the country. But the specific design decisions that made our Wyoming camps effective are not universal. Other sites have reported similar outcomes on content knowledge but lower implementation rates during follow-up. The difference, based on our published data, is in the design of the follow-up itself.
A week-long camp without follow-up is a week-long experience. A week-long camp with structured academic-year support — virtual coaching sessions, shared lesson design, peer observation — is a professional development program. The camp is the catalyst. The follow-up is the intervention.
Districts considering cybersecurity PD would benefit from studying the GenCyber model not as a summer program but as a design template for year-round teacher support. The content modules are publicly available. The research base is open access. The question is whether the delivery model matches the implementation timeline.
What it taught us about PD design
GenCyber confirmed something we had suspected from our earlier RAMPED and WySLICE programs: the most effective professional development is not the one with the best content. It is the one that builds relationships, provides follow-up, and gives teachers formal recognition for their work.
Content is necessary. It is not sufficient.
Every PD engagement we design now builds on that lesson. The content is rigorous. The delivery is hands-on. But the architecture of the experience — the group structures, the follow-up cadence, the credentialing pathway — is what determines whether the work lasts beyond the workshop.