Unit 4: Software development
Sample approaches to developing an assessment task
Area of Study 2
On completion of this unit the student should be able to respond to a teacher-provided case study to examine the current software development security strategies of an organisation, identify the risks and the consequences of ineffective strategies and recommend a risk management plan to improve current security practices.
Step 1: Requirements of the outcome
The
VCE Applied Computing Study Design pages 43–44 provides details of the key knowledge and key skills related to Unit 4 Outcome 2 and the corresponding area of study, Cybersecurity: software security.
Teachers should be familiar with the area of study and outcome statement, relevant key knowledge and key skills in order to plan for the assessment task. It should be noted that the assessment task does not have to identify every key knowledge and key skill dot point; nor should the task focus on too narrow a range of key knowledge and key skills.
Step 2: Determining teaching and learning activities
Teaching and learning activities should be selected to enable students to demonstrate their understanding of the key knowledge and key skills. These activities should include a range of theoretical and practical activities to develop and extend student knowledge. Sample
teaching and learning activities are included in the
Advice for teachers.
Step 3: Designing the assessment task
Students should be advised of the timeline and conditions under which the task is to be completed. The assessment task must directly assess the student’s understanding of the key knowledge and key skills as well as their ability to apply these to the assessment task. Due dates and duration of assessment is a school-based decision.
Students should be given instructions regarding the requirements of the task, including time allocation, format of student responses and the marking scheme/assessment criteria. The marking scheme/assessment criteria used to assess the student’s level of performance should reflect the VCAA performance descriptors for
Unit 4 Outcome 2 (docx - 59.51kb).
Regardless of the assessment task type selected by the classroom teacher, all tasks require the creation of a case study. Each task type requires students to apply their knowledge to the given context.
The approach that teachers employ to develop their assessment task may follow the steps below.
- Decide on the assessment approach based on the task types from the study design.
- Use the key knowledge and key skills to determine the required content to be used. Consider
performance descriptors (docx - 59.69kb).
- Based on the selected approach, draft prompts (written or multimedia report) or structured questions that relate to the selected key skills and performance descriptors.
- For the development of a case study, consider a fictitious organisation but one that is a real-world example with a reasonable level of complexity. Media articles can assist with this.
- Write the case study for the organisation. Key content within the case study should be based on the targeted key knowledge and key skills selected.
- A case study for this task needs to refer to one organisation, which is currently developing software and has some development security strategies in place that can be analysed and discussed. This should be a more complex organisation than an owner-operator sole proprietor business developing his or her own software.
- In order for students to evaluate the effectiveness of the organisation’s software development security strategies, the case study needs to consider how vulnerabilities may pose a security risk to development practices, and reduce the effectiveness of development practices. The organisation should have some weaknesses in these areas, which allows students to recommend improvements.
- In order to create an environment where students can assess threats, consider the types of vulnerabilities in the key knowledge for this outcome: data breaches, lack of version control, poor user authentication practices, irregular software updates, man-in-the-middle attacks, social engineering, or lack of encryption. There is no requirement for teachers to include all of these vulnerabilities within the case study; however, there should be some reference to the types of vulnerabilities selected by the teacher.
- Students should be able to clearly identify the relevant legislation impacting the case study. This could be the Privacy Act 1988, Health Records Act 2001 or Privacy and Data Protection Act 2014. Therefore, students could be given information on the type of organisation, the amount the organisation earns each year, the location of the organisation, whether it is a government or private organisation, and how the ineffective practices may be impacted by the relevant legislation.
- When the case study has been written, refine and finalise the structured questions or prompts based on the case study.
- Teachers may develop their own marking schemes for this outcome, provided they are consistent with the performance descriptors for
Unit 4 Outcome 2 (docx - 59.51kb). To be consistent with the performance descriptors, teacher-generated schemes must take into account the following points:
- analysis and discussion of security controls to protect software development practices
- identification and discussion of the risks to software and data security
- proposal and application of evaluation criteria to measure the effectiveness of security practices
- discussion of legal and ethical consequences of ineffective practices
- recommendation and justification of an effective risk management strategy
Teacher judgement should be used to determine the weighting of each criterion within the SAC task. While weightings are not explicit within the VCAA performance descriptors, teachers must also understand that the criteria are not intended to be equally weighted.
- Teachers should first complete the assessment task themselves by writing the solutions to the questions or prompts using only the case study. This will assist them to understand how students may respond to the case study. It will further ensure that marking schemes are appropriate for the task being provided. Refinements to the task may occur as a result of this process..
If tasks produced commercially are used as stimulus material when developing assessment tasks, they should be significantly modified in terms of context and content to ensure the authentication of student work
Step 4: Conditions of the assessment task
The teacher must decide the most appropriate time and conditions for conducting this assessment task and inform the students ahead of the date. This decision is a result of several considerations including:
- the estimated time it will take to teach the key knowledge and key skills for the outcome
- the likely length of time required for students to complete the task
- the classroom environment the assessment task will be completed in
- whether the assessment task will be completed under open-book or closed-book conditions
- any additional resources required by students
- when tasks are being conducted in other subjects and the workload implications for students.
Step 5: Marking the assessment task
The
performance descriptors (docx - 59.51kb) in the
Advice for teachers give a clear indication of the characteristics and content that should be apparent in a student response at each level of achievement from very low to very high. The specified assessment task is listed on page 45 of the study design. The assessment task is to be out of 100 marks.