This book investigates the goals and policy aspects of cyber security education in the light of escalating technical, social and geopolitical challenges.
The past ten years have seen a tectonic shift in the significance of cyber security education. Once the preserve of small groups of dedicated educators and industry professionals, the subject is now on the frontlines of geopolitical confrontation and business strategy. Global shortages of talent have created pressures on corporate and national policy for workforce development. Cyber Security Education offers an updated approach to the subject as we enter the next decade of technological disruption and political threats. The contributors include scholars and education practitioners from leading research and education centres in Europe, North America and Australia. This book provides essential reference points for education policy on the new social terrain of security in cyberspace and aims to reposition global debates on what education for security in cyberspace can and should mean.
This book will be of interest to students of cyber security, cyber education, international security and public policy generally, as well as practitioners and policy-makers.
Yes, you can access Cyber Security Education by Greg Austin in PDF and/or ePUB format, as well as other popular books in Politics & International Relations & National Security. We have over one million books available in our catalogue for you to explore.
History and philosophy of cyber security education
William J. Caelli
More than 50 years ago, in October 1967, the US Defense Science Board set up a Task Force to examine and recommend appropriate computer security safeguards that would protect classified information in multi-access, resource-sharing computer systems. The study, led by Dr Willis Ware, was published initially as a government document in a classified version in 1970 (DSB 1970) and then declassified several years later. This ground-breaking report, still amazingly relevant, heralded the start of study into what we now call cyber security. Moreover, it ushered in a recognition of the overall need for training, education and further research and development activities in the area, including research into cyber security education practice. The 1960s and 1970s, however, should be regarded as the two decades when cyber security education was largely confined to ‘in-house’ resources in both the private and governmental sectors, especially in the latter for defence and intelligence entities.
However, ICT vendors to military/intelligence entities, government, and business did play a major role in the internal provision of education and training in the area, such as IBM’s courses on the RACF access control system for its OS/360 mainframe system and defence-related courses in cryptology. The question internationally was a simple one of whether or not open universities had the human/academic and laboratory/technical resources and the will to provide that education, even as the ICT industry became commoditised. By the 1980s, traditional tertiary education had at last entered the arena. This included universities in Europe, the United States and Australia. Change was rapid and various associations/groups dedicated to cyber security education also formed globally, such as Working Group 11.8 of IFIP, the International Federation for Information Processing.
This chapter provides some personal reflections based on decades of engagement as an academic researcher and educator in this field. The sweep of change has been broad: from the formation of the US National Colloquium for Information Systems Security Education (NCISSE); the involvement of commercial bodies, ICT suppliers, and not-for-profit enterprises with partial to full dedication to cyber security education, such as (ISC)2, ISACA, SANS Institute, the US Cybercorps/Scholarship for Service (SFS) and the programme for Centers of Academic Excellence (CAE) in cyber security.
The main philosophical questions to be considered include:
just how ‘industry certification’, both supplier and broad arena providers, is considered and accepted against formal academic/university/tertiary qualifications
the role of government in fostering and supporting cyber security education and training at all levels, including scholarship programmes
acquiring and retaining teachers and researchers in the area by public universities
to what extent open universities can or should participate in classified cyber security education programmes, including cyber operations, cyber warfare/terrorism studies
the role that open and free, or low cost, on-line courses play and their acceptance as sufficient qualification for professional practice in cyber security
what lessons can we learn from at least the past 30 years or more of accelerated cyber security education efforts?
how does cyber security education relate to today’s IT environment of outsourcing, open, local and hybrid ‘cloud’ computing and the global influence of the largest corporations: FAANG (Facebook, Amazon, Apple, Netflix, Google), or the ‘Frightful Five’ (Amazon, Apple, Facebook, Microsoft and Alphabet-Google) (Manjoo 2017).
Departure points in three countries
In the United States, the first known course in computer security at an open and public university appears to be that created and delivered by Professor Lance Hoffman in 1970. He went on later to establish a computer security education programme at George Washington University (GWU) in Washington, DC, in 1977 (Hoffman 2017). The Cyber Security and Privacy Research Institute (CSPRI) was later formed at GWU in 1993, with Professor Hoffman as its founding director. Interestingly, CSPRI appears to have had a varied history resulting in its ‘relaunch’ in 2016 (CSPRI 2017).
COAST (Computer Operations, Audit and Security Technologies) was officially commenced in 1991 (CERIAS 2017a), formed out of a small research group in the Computer Sciences Department at Purdue University, West Lafayette, Indiana. It appears to have rapidly grown over the next six years, to become what it says was in 1997 the ‘largest research group in computing security in the country, reaching a peak research budget of over one million dollars per year’. COAST was absorbed into the Center for Education and Research in Information Assurance and Security (CERIAS) in 1999. CERIAS has claimed a premium position in education and research in cyber security: ‘one of the world’s leading centers for research and education in areas of information security’ through its multidisciplinary approach ‘ranging from purely technical issues (e.g., intrusion detection, network security, etc.) to ethical, legal, educational, communicational, linguistic, and economic issues, and the subtle interactions and dependencies among them’. As of 2017, the research conducted through CERIAS includes faculty from six different colleges and 20+ departments across campus (CERIAS 2017b).
In Australia, in July 1998, the Faculty of Information Technology at the Queensland Institute of Technology (QIT) established the Information Security Research Centre (ISRC) to provide a consultancy, training, research and development service to industry, government and commerce in the areas of data and computer security, in addition to more traditional tertiary level education and training services (FIT 1989). The ISRC was formed as a joint venture between industry and FIT. The ISRC developed its educational role by offering research Master’s and PhD programmes as well as by teaching specialist subjects for postgraduate course work and some undergraduate students (QUT 1991). It was merged into the Information Security Institute (ISI) in the mid-2000s but the ISI was later disbanded. The main problems appeared to be lack of financial support from entities external to the university itself as well as the availability of appropriate academic staff. By 2017, cyber security was no longer mentioned as a ‘research strength’ by QUT’s Science and Engineering Faculty (QUT 2017a) or its Institute for Future Environments (IFE) (QUT 2017b).
In the United Kingdom, the Information Security Group (ISG) was founded at Royal Holloway University in 1990, to ‘pioneer cyber security education, research and industry engagement’ (RH 2017). It created the world’s first Master’s programme in information security (Martin 2013). In 2017, ISG claimed to have ‘hundreds of post-graduate students, undergraduate teaching and world class academic staff’ and to maintain a ‘Systems Security Lab’ which ‘uses multi-disciplinary techniques to perform industry-relevant research on systems and software security’. This is still one of the oldest continuing cyber security education and research centres in the world and is today acknowledged as a leader in the field.
US cyber security education: workforce or profession?
From 13–18 November 2017, the US National Institute of Standards and Technology (NIST) of the US Department of Commerce designated a special week of activity related to careers in cyber security, described as follows: ‘The National Cyber Security Career Awareness Week is a celebration to focus local, regional, and national interest to inspire, educate and engage children through adults to pursue careers in cyber security’ (NIST 2017a). This week of activities aimed to show the broad range of careers possible in the now critical cyber security realm, a discipline perceived as vital to the security of individuals, enterprises, both public and private, and the nation as a whole. The diversity is captured in Figure 1.1, from the documents of the US National Initiative for Cyber Security Education (NICE), itself under NIST. It immediately indicates a broad base for education and training, ranging from legal and investigatory matters to computer science and engineering to data and telecommunications systems to mathematics. This follows the 12 July 2016 publication by the US Office of Management and Budget (OMB) and Office of Personnel Management (OPM) of the first ever US ‘Federal Cyber Security Workforce Strategy’ (Donovan et al. 2016).
However, in education and training terms:
For any discipline to be regarded as a professional undertaking by which its members may be treated as true ‘professionals’ in a specific area, practitioners must clearly understand that discipline’s history as well as the place and significance of that history in current practice as well as its relevance to available technologies and artifacts at the time.
(Caelli et al. 2013)
Such respect for and understanding of the history and broad philosophy of any discipline are obvious in many other fields from medicine to physics and more. In the United States, prior to the formation of NICE, the National Security Telecommunications and Information Systems Security Committee (NSTISSC) was established under National Security Directive 42, ‘National Policy for the Security of National Security Telecommunications and Information Systems’, dated 5 July 1990. On 16 October 2001, President George W. Bush signed Executive Order 13231, Critical Infrastructure Protection in the Information Age, redesignating the National Security Telecommunications and Information Systems Security Committee (NSTISSC) as the Committee on National Security Systems (CNSS). This entity, still operating, sets out a series of standards related to cyber security for the US Government, including several related to required education and training. For example, document CNSSI-4014, entitled ‘National Information Assurance Training Standard for Information Systems Security Officers’ was issued in 2004 and claims to describe ‘the process used to aid in the systematic development of training to serve as the first line of defense in Information Assurance (IA).’ This document lays out a series of essential curricula for cyber security education as follows:
Information Systems Security (INFOSEC) Professionals NSTISSI 4011
Senior Systems Managers CNSS 4012
Senior Systems Administrators CNSS 4013A
System Certifiers NSTISSI 4015
Risk Analyst CNSS 4016A.
A diagram from the Defense Science Board report of 1970 mentioned above, reproduced as Figure 1.2, illustrates the areas of interest in relation to cyber security which has remarkable relevance even today. It gives an indication of the type and depth of topics to be included in any cyber security education process and thus the levels of expertise needed by any teacher.
As prescient as it was, the 1970 graphic does not capture the added complexity that has emerged in the field of cyber security in the last 25 years following the advent and development of both the Internet and the ‘World Wide Web’, as well as mobile devices and other radical technologies. These changes have added new burdens for all countries in framing cyber security education and training, particularly for their defence and public sectors. The United States has been in the lead on many of the technologies and has also therefore been forced into a leading position on security education. The field of cyber security has massively changed over this period as the usually isolated computer systems of both enterprises and individuals alike became connected to a global ‘information super-highway’, the Internet, and the ‘personal computer’ and then ‘smart phone’ revolutions rapidly emerged.
In summary, cyber security education and training have had a mixed history over the past 50 years with the majority of entities involved being related to defence/intelligence/government support or to specific product demands in the ICT private sector. A broad education philosophy has only recently arisen whereby publicly funded tertiary institutions appear to ‘go it alone’ in financially supporting cyber security education and research even if not supported by the number of various private sector and government/defence programmes. This contrasts with the situation for more classical disciplines, e.g. medicine, law, science, etc. where financial resources external to a university may be vital for research but basic undergraduate and postgraduate education programmes are funded through university resources, often involving student fees. There is recent evidence demonstrating that ‘market demand’ for cyber security education may have had an influence on universities, particularly in Australia, to separately support such activity on the basis of current and projected student numbers, particularly over the next 5–10 years.
Terminology for the field of cyber security has changed over time but the term ‘information assurance’ has probably proved the most ...
Table of contents
Cover
Half Title
Series Page
Title Page
Copyright Page
Table of Contents
List of illustrations
List of contributors
Acknowledgements
Abbreviations
Introduction
1. History and philosophy of cyber security education
2. Mastering the cyber security skills crisis
3. Beyond awareness: Reflections on meeting the inter-disciplinary cyber skills demand
4. Educating future multidisciplinary cyber security teams
5. What the profession of cyber security needs to know and do
6. Creating social cyber value as the broader goal
7. Education for cyber disaster response and resilience
8. New kinds of leadership skills for winning peace in the Fourth Industrial Revolution
9. Tackling the cyber skills gap: A survey of UK initiatives
10. Holistic cyber education
11. Five years of cyber security education reform in China
12. Future research on the cyber security skills shortage
13. Twelve dilemmas of reform in cyber security education