DOI: 10.1145/2047594.2047628
research-article

The role of cyber-security in information technology education

Published: 20 October 2011

ABSTRACT

30,000 qualified cyber-security specialists in the US Public Sector alone despite being one of the best financially compensated technology-related domains. Against ever-evolving cyber-threats, the need to graduate students skilled in the concepts and technologies of cyber-security is becoming a critical responsibility of academic institutions in order to help preserve the sovereignty of the US and her allies. This paper discusses the role of cyber-security in an IT education context and explains why IT programs should champion this topic. The relationship between Information Assurance and Security, as a currently recognized discipline within IT, and advanced cyber-security topics is presented. Recommendations for the placement and structure of a cyber-security emphasis within a curriculum are presented using an adaptable framework that we have named "Prepare, Defend, Act." We rationalize and discuss this framework along with teaching methods we have found to be effective in helping students maximize their cyber-security learning experience. Finally, four recommendations are proposed that we invite IT program-offering institutions to review.

        Published in

        SIGITE '11: Proceedings of the 2011 conference on Information technology education
        October 2011
        340 pages
        ISBN: 9781450310178
        DOI: 10.1145/2047594

        Copyright © 2011 ACM

        Publisher

        Association for Computing Machinery

        New York, NY, United States

        Acceptance Rates

        Overall Acceptance Rate: 176 of 429 submissions, 41%
