Cyber Security Education

Principles and Policies

eBook - ePub

  • 226 pages
  • English
  • ePUB (mobile friendly)
  • Available on iOS & Android

About This Book

This book investigates the goals and policy aspects of cyber security education in the light of escalating technical, social and geopolitical challenges.

The past ten years have seen a tectonic shift in the significance of cyber security education. Once the preserve of small groups of dedicated educators and industry professionals, the subject is now on the frontlines of geopolitical confrontation and business strategy. Global shortages of talent have created pressures on corporate and national policy for workforce development. Cyber Security Education offers an updated approach to the subject as we enter the next decade of technological disruption and political threats. The contributors include scholars and education practitioners from leading research and education centres in Europe, North America and Australia. This book provides essential reference points for education policy on the new social terrain of security in cyberspace and aims to reposition global debates on what education for security in cyberspace can and should mean.

This book will be of interest to students of cyber security, cyber education, international security and public policy generally, as well as practitioners and policy-makers.

Cyber Security Education by Greg Austin is available in PDF and/or ePUB format, alongside other books in Politics & International Relations & National Security.

1

History and philosophy of cyber security education

William J. Caelli
More than 50 years ago, in October 1967, the US Defense Science Board set up a Task Force to examine and recommend appropriate computer security safeguards that would protect classified information in multi-access, resource-sharing computer systems. The study, led by Dr Willis Ware, was published initially as a government document in a classified version in 1970 (DSB 1970) and then declassified several years later. This ground-breaking report, still amazingly relevant, heralded the start of study into what we now call cyber security. Moreover, it ushered in a recognition of the overall need for training, education and further research and development activities in the area, including research into cyber security education practice. The 1960s and 1970s, however, should be regarded as the two decades when cyber security education was largely confined to “in-house” resources in both the private and governmental sectors, especially in the latter for defence and intelligence entities.
However, ICT vendors to military/intelligence entities, government, and business did play a major role in the internal provision of education and training in the area, such as IBM’s courses on the RACF access control system for its OS/360 mainframe system and defence-related courses in cryptology. The question internationally was a simple one of whether or not open universities had the human/academic and laboratory/technical resources and the will to provide that education, even as the ICT industry became commoditised. By the 1980s, traditional tertiary education had at last entered the arena. This included universities in Europe, the United States and Australia. Change was rapid and various associations/groups dedicated to cyber security education also formed globally, such as Working Group 11.8 of IFIP, the International Federation for Information Processing.
This chapter provides some personal reflections based on decades of engagement as an academic researcher and educator in this field. The sweep of change has been broad: from the formation of the US National Colloquium for Information Systems Security Education (NCISSE) to the involvement of commercial bodies, ICT suppliers, and not-for-profit enterprises with partial to full dedication to cyber security education, such as (ISC)², ISACA, SANS Institute, the US Cybercorps/Scholarship for Service (SFS) and the programme for Centers of Academic Excellence (CAE) in cyber security.
The main philosophical questions to be considered include:
  • just how “industry certification”, both supplier and broad arena providers, is considered and accepted against formal academic/university/tertiary qualifications
  • the role of government in fostering and supporting cyber security education and training at all levels, including scholarship programmes
  • acquiring and retaining teachers and researchers in the area by public universities
  • to what extent open universities can or should participate in classified cyber security education programmes, including cyber operations, cyber warfare/terrorism studies
  • the role that open and free, or low cost, on-line courses play and their acceptance as sufficient qualification for professional practice in cyber security
  • what lessons can we learn from at least the past 30 years or more of accelerated cyber security education efforts?
  • how does cyber security education relate to today’s IT environment of outsourcing, open, local and hybrid “cloud” computing and the global influence of the largest corporations: FAANG (Facebook, Amazon, Apple, Netflix, Google), or the “Frightful Five” (Amazon, Apple, Facebook, Microsoft and Alphabet-Google) (Manjoo 2017)?

Departure points in three countries

In the United States, the first known course in computer security at an open and public university appears to be that created and delivered by Professor Lance Hoffman in 1970. He went on later to establish a computer security education programme at George Washington University (GWU) in Washington, DC, in 1977 (Hoffman 2017). The Cyber Security and Privacy Research Institute (CSPRI) was later formed at GWU in 1993, with Professor Hoffman as its founding director. Interestingly, CSPRI appears to have had a varied history resulting in its “relaunch” in 2016 (CSPRI 2017).
COAST (Computer Operations, Audit and Security Technologies) was officially commenced in 1991 (CERIAS 2017a), formed out of a small research group in the Computer Sciences Department at Purdue University, West Lafayette, Indiana. It appears to have rapidly grown over the next six years, to become what it says was in 1997 the “largest research group in computing security in the country, reaching a peak research budget of over one million dollars per year”. COAST was absorbed into the Center for Education and Research in Information Assurance and Security (CERIAS) in 1999. CERIAS has claimed a premium position in education and research in cyber security: “one of the world’s leading centers for research and education in areas of information security” through its multidisciplinary approach “ranging from purely technical issues (e.g., intrusion detection, network security, etc.) to ethical, legal, educational, communicational, linguistic, and economic issues, and the subtle interactions and dependencies among them”. As of 2017, the research conducted through CERIAS includes faculty from six different colleges and 20+ departments across campus (CERIAS 2017b).
In Australia, in July 1998, the Faculty of Information Technology at the Queensland Institute of Technology (QIT) established the Information Security Research Centre (ISRC) to provide a consultancy, training, research and development service to industry, government and commerce in the areas of data and computer security, in addition to more traditional tertiary level education and training services (FIT 1989). The ISRC was formed as a joint venture between industry and FIT. The ISRC developed its educational role by offering research Master’s and PhD programmes as well as by teaching specialist subjects for postgraduate course work and some undergraduate students (QUT 1991). It was merged into the Information Security Institute (ISI) in the mid-2000s but the ISI was later disbanded. The main problems appeared to be lack of financial support from entities external to the university itself as well as the availability of appropriate academic staff. By 2017, cyber security was no longer mentioned as a “research strength” by QUT’s Science and Engineering Faculty (QUT 2017a) or its Institute for Future Environments (IFE) (QUT 2017b).
In the United Kingdom, the Information Security Group (ISG) was founded at Royal Holloway University in 1990, to “pioneer cyber security education, research and industry engagement” (RH 2017). It created the world’s first Master’s programme in information security (Martin 2013). In 2017, ISG claimed to have “hundreds of post-graduate students, undergraduate teaching and world class academic staff” and to maintain a “Systems Security Lab” which “uses multi-disciplinary techniques to perform industry-relevant research on systems and software security”. This is still one of the oldest continuing cyber security education and research centres in the world and is today acknowledged as a leader in the field.

US cyber security education: workforce or profession?

From 13–18 November 2017, the US National Institute of Standards and Technology (NIST) of the US Department of Commerce designated a special week of activity related to careers in cyber security, described as follows: “The National Cyber Security Career Awareness Week is a celebration to focus local, regional, and national interest to inspire, educate and engage children through adults to pursue careers in cyber security” (NIST 2017a). This week of activities aimed to show the broad range of careers possible in the now critical cyber security realm, a discipline perceived as vital to the security of individuals, enterprises, both public and private, and the nation as a whole. The diversity is captured in Figure 1.1, from the documents of the US National Initiative for Cyber Security Education (NICE), itself under NIST. It immediately indicates a broad base for education and training, ranging from legal and investigatory matters to computer science and engineering to data and telecommunications systems to mathematics. This follows the 12 July 2016 publication by the US Office of Management and Budget (OMB) and Office of Personnel Management (OPM) of the first ever US “Federal Cyber Security Workforce Strategy” (Donovan et al. 2016).
Figure 1.1 NIST/NICE Cybersecurity Workforce Framework, 2017
However, in education and training terms:
For any discipline to be regarded as a professional undertaking by which its members may be treated as true ‘professionals’ in a specific area, practitioners must clearly understand that discipline’s history as well as the place and significance of that history in current practice as well as its relevance to available technologies and artifacts at the time.
(Caelli et al. 2013)
Such respect for and understanding of the history and broad philosophy of any discipline are obvious in many other fields from medicine to physics and more. In the United States, prior to the formation of NICE, the National Security Telecommunications and Information Systems Security Committee (NSTISSC) was established under National Security Directive 42, “National Policy for the Security of National Security Telecommunications and Information Systems”, dated 5 July 1990. On 16 October 2001, President George W. Bush signed Executive Order 13231, Critical Infrastructure Protection in the Information Age, redesignating the National Security Telecommunications and Information Systems Security Committee (NSTISSC) as the Committee on National Security Systems (CNSS). This entity, still operating, sets out a series of standards related to cyber security for the US Government, including several related to required education and training. For example, document CNSSI-4014, entitled “National Information Assurance Training Standard for Information Systems Security Officers” was issued in 2004 and claims to describe “the process used to aid in the systematic development of training to serve as the first line of defense in Information Assurance (IA).” This document lays out a series of essential curricula for cyber security education as follows:
  • Information Systems Security (INFOSEC) Professionals NSTISSI 4011
  • Senior Systems Managers CNSS 4012
  • Senior Systems Administrators CNSS 4013A
  • System Certifiers NSTISSI 4015
  • Risk Analyst CNSS 4016A.
A diagram from the Defense Science Board report of 1970 mentioned above, reproduced as Figure 1.2, illustrates the areas of interest in relation to cyber security and has remarkable relevance even today. It gives an indication of the type and depth of topics to be included in any cyber security education process and thus the levels of expertise needed by any teacher.
Figure 1.2 Security controls for computer systems: 1970 view
As prescient as it was, the 1970 graphic does not capture the added complexity that has emerged in the field of cyber security in the last 25 years following the advent and development of both the Internet and the “World Wide Web”, as well as mobile devices and other radical technologies. These changes have added new burdens for all countries in framing cyber security education and training, particularly for their defence and public sectors. The United States has been in the lead on many of the technologies and has also therefore been forced into a leading position on security education. The field of cyber security has massively changed over this period as the usually isolated computer systems of both enterprises and individuals alike became connected to a global “information super-highway”, the Internet, and the “personal computer” and then “smart phone” revolutions rapidly emerged.
In summary, cyber security education and training have had a mixed history over the past 50 years with the majority of entities involved being related to defence/intelligence/government support or to specific product demands in the ICT private sector. A broad education philosophy has only recently arisen whereby publicly funded tertiary institutions appear to “go it alone” in financially supporting cyber security education and research even if not supported by the number of various private sector and government/defence programmes. This contrasts with the situation for more classical disciplines, e.g. medicine, law, science, etc. where financial resources external to a university may be vital for research but basic undergraduate and postgraduate education programmes are funded through university resources, often involving student fees. There is recent evidence demonstrating that “market demand” for cyber security education may have had an influence on universities, particularly in Australia, to separately support such activity on the basis of current and projected student numbers, particularly over the next 5–10 years.
Terminology for the field of cyber security has changed over time but the term “information assurance” has probably proved the most ...

Table of contents

  • Cover
  • Half Title
  • Series Page
  • Title Page
  • Copyright Page
  • Table of Contents
  • List of illustrations
  • List of contributors
  • Acknowledgements
  • Abbreviations
  • Introduction
  • 1. History and philosophy of cyber security education
  • 2. Mastering the cyber security skills crisis
  • 3. Beyond awareness: Reflections on meeting the inter-disciplinary cyber skills demand
  • 4. Educating future multidisciplinary cyber security teams
  • 5. What the profession of cyber security needs to know and do
  • 6. Creating social cyber value as the broader goal
  • 7. Education for cyber disaster response and resilience
  • 8. New kinds of leadership skills for winning peace in the Fourth Industrial Revolution
  • 9. Tackling the cyber skills gap: A survey of UK initiatives
  • 10. Holistic cyber education
  • 11. Five years of cyber security education reform in China
  • 12. Future research on the cyber security skills shortage
  • 13. Twelve dilemmas of reform in cyber security education
  • Index