Teaching Log Data Analysis in Indian Cybersecurity Classrooms: A Mixed-Methods Study of Pedagogical Challenges and Learner Difficulties

Priya V. NagvekarSyaamantak Das^*Sridhar Iyer^*

• Centre for Educational Technology, Indian Institute of Technology Bombay, Mumbai, India

Log data analysis is a core competency in cybersecurity education, critical for investigating cyberattacks and identifying root causes. However, its teaching and learning pose distinct challenges in resource-constrained contexts such as India. This mixed-methods study examines the dual perspectives of cybersecurity faculty and novice learners to understand pedagogical gaps and cognitive difficulties in teaching log data-based root cause analysis (RCA). We surveyed 47 faculty members from diverse Indian institutions to uncover systemic barriers, such as inadequate prerequisite knowledge among students, limited infrastructure, and rigid curricula. Complementing this, we conducted an empirical study involving 24 undergraduate learners and 3 industry experts, where participants performed RCA on simulated cyberattacks using log files and methods like the 5 Whys, fault trees, and attack trees. Novice learners struggled with technical interpretation, premature analysis termination, and cognitive biases, while experts demonstrated structured reasoning and cross-functional integration. Our findings reveal a significant disconnect between instructional intent and student preparedness, further complicated by institutional constraints. We propose actionable recommendations for curriculum design, teaching strategies, and faculty development to support more effective cybersecurity education in India. This study contributes to bridging the expert-novice divide and enhancing pedagogical practices in computing education across underrepresented contexts.