a Institute of Computer Science, Warsaw University of Technology, ul. Nowowiejska 15/19, 00-665 Warsaw, Poland, Email address: kcabaj@elka.pw.edu.pl
b* LASIGE, Faculdade de Ciências, Universidade de Lisboa, Campo Grande, 1749-016 Lisboa, Portugal, Email address: mddomingos@fc.ul.pt, Orcid 0000-0002-5829-2742
c Institute of Telecommunications, Warsaw University of Technology, ul. Nowowiejska 15/19, 00-665 Warsaw, Poland, Email address: zkotulsk@tele.pw.edu.pl, Orcid 0000-0002-1149-7863
d Departamento de Informática, and CMAFCIO - Centro de Matemática, Aplicações Fundamentais e Investigação Operacional, Faculdade de Ciências, Universidade de Lisboa, 1749-016 Lisboa, Portugal, Email address: alrespicio@fc.ul.pt, Orcid 0000-0003-2758-7035
* LASIGE, Faculdade de Ciências, Universidade de Lisboa, Campo Grande, 1749-016 Lisboa, Portugal. Phone number: +351 21 750 05 24, Email address: mddomingos@fc.ul.pt
© 2018. This manuscript version is made available under the Elsevier user license
http://www.elsevier.com/open-access/userlicense/1.0/
Abstract
As the amount of information, critical services, and interconnected computers and 'things' in the cyberspace is steadily increasing, the number, sophistication, and impact of cyberattacks are becoming more and more significant. In the last decades, governmental and non-governmental organisations have become aware of this problem. However, the existing cybersecurity workforce has not been sufficient for satisfying the increasing demand for qualified cybersecurity professionals, and the shortfall will increase in the next years. Meanwhile, to address the increasing demand for cybersecurity professionals, academic institutions have been establishing cybersecurity programs, particularly, cybersecurity master programs.
This paper aims at analysing which cybersecurity topics are covered by existing cybersecurity master programs of top universities and how these topics are distributed through courses. It starts by reviewing the evolution and maturation of the cybersecurity discipline, focusing on the ACM efforts, which include the early addition of the Information Assurance and Security Knowledge Areas to the computer science curricula and, more recently, the development of curricular recommendations to support the definition of post-secondary cybersecurity programs. These latest guidelines are used to analyse and review 21 cybersecurity master programs, focusing on the contents of their courses, structure, admission requirements, duration, requirements for completion, and evolution.
Keywords
cybersecurity master programs; cybersecurity discipline evolution; graduate
cybersecurity education; comparative study
1 Introduction
The need for cybersecurity appeared in the early years of the digital era, when the first mainframe computers were developed. As networked computers and systems have progressively come to dominate computing and communication platforms, the volume and severity of cybercrimes have increased to an extent that cybersecurity is now an underpinning area of computer systems. Owing to the huge impact cybercrime has in the economy and safety of organisations and countries, the importance of cybersecurity has grown to such a level that it is now considered an independent discipline.
2 Related Work
The related work in the area of deployment and analysis of curricula of master programs in cybersecurity is scarce. Hence, this section surveys the literature regarding cybersecurity master programs as well as undergraduate programs.
In 2013, the conclusions of the report of the workshop on cybersecurity education and training already stated that graduates of computer science programs should have taken at least one cybersecurity course (McGettrick 2013). Taking a step forward, Harris and Patten (2015) described the strategy they used to include emerging cybersecurity topics within the information technology program, without increasing the credit requirements. Their strategy was to move most of the IAS topics, which were taught in a single advanced security course, to introductory and intermediate courses. This way, the advanced security course could then cover emerging cybersecurity topics.
The report of McGettrick (2013) also emphasized the importance of master graduates to the cybersecurity workforce. In the same year, Chen, Maynard, and Ahmad (2013) compared graduate security programs offered by top universities in China and in the United States of America (USA). They concluded that the main differences between the programs in these two countries are that the programs in China emphasized telecommunications security, whereas the programs in the USA assigned more importance to enterprise-level security strategy, security policy, security management, and cyber law. In addition, Malhotra (2015) stressed the growing importance of cyber risk management.
In 2014, McDuffie and Piotrowski (2014) pointed out that, although more than 182 colleges and universities in the USA have been designated as Centers of Academic Excellence in Information Assurance Education (CAE/IAE), there are only a few specific cybersecurity baccalaureate-level degree programs, and these do not offer consistent curricula. Most of these colleges offer computer science programs with some elective cybersecurity courses as a security track. To overcome the limitations on resources and expertise, Albert et al. (2015) reported the experience of four universities in the University of Maine system that worked together to achieve the designation of a National Center of Excellence in Cybersecurity Education and to define a multi-university program. Mew (2016) described the three-year-long evolution of an undergraduate information security program of a small liberal arts college. To keep the initial investment as low as possible, the program started by using the courses of the already existing information systems program and creating only one additional course. The interest of the students justified the evolution through the addition of other new courses and modifications of the core ones.
Grover, Reinicke, and Cummings (2016) analysed the Information Technology degree programs offered by the University of North Carolina education system, with focus on security. They pairwise compared the contents of courses in Information Technology programs, the ACM curricula guidelines (Sahami et al. 2013), and the requirements on the most popular certifications in security-related fields. They aimed at assessing if IT programs met the needs of the security field as well as if the ACM curricula guidelines met the skill/knowledge requirements of those certifications. Yang and Wen (2017) proposed a cybersecurity curriculum model based on the most common core courses of 27 undergraduate cybersecurity-related programs.
Bicak, Liu, and Murphy (2015) presented a study of adding three specialties to
the master in cybersecurity program at their university. Their objective was to
Table 1 - IAS KUs and their distribution into core tier-1 and core tier-2 hours.
Table 2 lists the other KAs through which IAS topics were distributed. These KAs are covered with additional lecturing hours: 32 h (19.4% of total) for core tier-1 topics and 31.5 h (22% of total) for core tier-2 topics.
Table 2 - KAs which address IAS topics and their distribution into core tier-1 and core tier-2 lecturing hours.
| ACM IAS KUs with core-tier-1 and core-tier-2 topics | CAE-CDE core KUs |
|---|---|
| IAS/Foundational Concepts in Security (5 core-tier-1 topics) | IA Fundamentals (3 core-tier-1 topics); Cyber Defense (1 core-tier-1 topic); Policy, Legal, Ethics, and Compliance (1 core-tier-1 topic) |
| IAS/Principles of Secure Design (7 core-tier-1 topics + 6 core-tier-2 topics) | Fundamental Security Design Principles (5 core-tier-1 topics + 3 core-tier-2 topics) |
| IAS/Defensive Programming (5 core-tier-1 topics + 2 core-tier-2 topics) | Basic Scripting or Introductory Programming (1 core-tier-1 topic); Systems Administration (1 core-tier-2 topic) |
| IAS/Threats and Attacks (4 core-tier-2 topics) | Cyber Threats (4 core-tier-2 topics) |
| IAS/Network Security (4 core-tier-2 topics) | Cyber Defense (2 core-tier-2 topics); Network Defense (1 core-tier-2 topic) |
| IAS/Cryptography (3 core-tier-2 topics) | Intro to Cryptography (3 core-tier-2 topics) |
By analysing this table, we conclude that the core topics of three ACM IAS KUs are totally covered by the CAE-CDE KUs, whereas the topics of two of them are almost covered. However, the CAE2Y and CAE-CDE curricula do not include, in a meaningful way, the IAS/Defensive Programming KU. Indeed, despite the fact that Basic Scripting and Programming KUs cover some of its topics, this coverage is not sufficiently deep. This drawback can, however, be minimised through optional KUs, which are listed in Table 4. In fact, the topics of the IAS/Defensive Programming KU are scattered over the following optional KUs: Secure Programming Practices, Database Management Systems, Operating Systems Theory, and Supply Chain Security.
Finally, Table 5 lists the focus areas defined by NSA/DHS. Each focus area has a set of required optional KUs. For instance, the Secure Software Development focus area requires the following optional KUs: Algorithms, Data Structures, Formal Methods, Secure Programming Practices, Software Assurance, Software Security Analysis, and Vulnerability Analysis.
In 2015, the ACM Education Board recognised the urgent need to define a cybersecurity curricular guidance and promoted the Joint Task Force (JTF) on Cybersecurity Education, which put together the major international computing societies: Association for Computing Machinery (ACM), IEEE Computer Society (IEEE CS), Association for Information Systems Special Interest Group on Security (AIS SIGSEC), and International Federation for Information Processing Technical Committee on Information Security Education (IFIP WG 11.8). In 2017, the JTF published the Cybersecurity Curricula 2017 - Curriculum Guidelines for Post-Secondary Degree Programs in Cybersecurity (CSEC2017) (JTF on Cybersecurity Education, 2017a, 2017b).
The CSEC2017 defines cybersecurity as 'a computing-based discipline involving technology, people, information, and processes to enable assured operations in the context of adversaries. It involves the creation, operation, analysis, and testing of secure computer systems. It is an interdisciplinary course of study, including aspects of law, policy, human factors, ethics, and risk management'.
The CSEC2017 defines six KAs: Data Security, Software Security, System Security, Human Security, Organizational Security, and Societal Security. These KAs are aligned with the entities to be protected: data (at rest and in transit), software, systems, individuals, organisations, and society.
The Data Security KA is focused on achieving confidentiality of information and on preserving data and origin integrity. Its KUs include cryptography, confidentiality, and data integrity. This KA includes all the topics (core and electives) of two CS2013 IAS KUs: Foundational Concepts in Security and Cryptography (as shown in Table 6). Compared with the CAE-CDE, the Data Security KA also covers all of the topics of three of its KUs: IA Fundamentals, Introduction to Cryptography, and Advanced Cryptography (as shown in Table 7).
The Software Security KA aims at developing and using software applications that preserve the security properties of the information and systems they protect. This area covers high-assurance software, secure software development, deployment, and maintenance, software reverse engineering, and malware analysis. This KA includes almost all of the topics (core and electives) that are scattered throughout three of the CS2013 IAS KUs: Principles of Secure Design, Defensive Programming, and Secure Software Engineering (Table 6). However, it does not mention the 'Correct usage of third-party components' and 'Effectively deploying security updates' topics of the Defensive Programming KU. Considering CAE-CDE KUs, the Software Security KA comprises the topics of three KUs: Fundamental Security Design Principles, Secure Programming Practices, and Software Assurance (Table 7). In addition, this KA includes the topics of Exception Handling, Error Handling, and Randomness.
The main goal of the System Security KA is to establish and maintain the security properties of systems, including those of interconnected components. Its KUs
| | |
|---|---|
| | IAS/Cryptography |
| Software Security | IAS/Principles of Secure Design; IAS/Defensive Programming; IAS/Secure Software Engineering |
| System Security | IAS/Network Security; IAS/Digital Forensics |
| Human Security | IAS/Security Policy and Governance; SP/Security Policies, Laws and Computer Crimes; HCI/Human Factors and Security |
| Organizational Security | IAS/Security Policy and Governance; SP/Security Policies, Laws and Computer Crimes |
| Societal Security | IAS/Security Policy and Governance; SP/Security Policies, Laws and Computer Crimes |
In the next section, we analyse cybersecurity master programs and how they are organised to train the cybersecurity workforce.
4.7 Evolution
To analyse the evolution of the programs, we followed three strategies: 1) we contacted, by email, the directors of the programs and asked them to answer some questions related to the evolution of their programs; 2) we visited the websites of the programs between April 2017 and May 2017 and again in September 2017, to assess recent program changes; and 3) we collected information about past versions of program webpages by querying an Internet archive (https://archive.org/).
The inquiry was aimed at obtaining the following information: year of the program creation; motivation for creating the program; restructurings (number, time, motivation, and scope); evolution of course contents; and the number of students enrolled in the program. We received seven responses to our inquiries, which formed the basis of our analysis, complemented with the information we extracted from websites (current and past versions).
Our analysis allows us to conclude that most of these programs were created recently, between 2013 and 2015, with a few exceptions, the oldest program having originated in 2007 (Johns Hopkins University). Some programs emerged as tracks in previously existing programs in computer science or information systems (for instance, Johns Hopkins University), whereas others were designed from scratch (for instance, Charles III University of Madrid, George Mason University, Lancaster University, and the Pennsylvania State University). Four directors mentioned that the creation of their programs was motivated by the existence of significant expertise in the field affiliated with the department. This is the case of the Information Sciences and Technology Department at George Mason University, where cybersecurity was always one of the main research fields. The same happened with City, University of London. Market demand was another reason given as a motivation for the creation of these programs.
Two types of program revisions were identified: revisions of the course contents and revisions of the program structure. The contents of courses were revised to follow recent developments in the field, to adjust the taught material, or to reduce the amount of overlapping material. For instance, at the Ben-Gurion University of the Negev, only revisions of the course contents have been made.
Revisions of the program structure were either less substantial, such as adding or removing elective courses, or more substantial, such as changing core courses.
A common observation for programs including elective courses is that their catalogues were often updated every year/semester, as was the case with the master program offered by the Boston University, as announced on the website. This may happen in accordance with the catalogue of elective courses offered by the department leading the program or other collaborations, which often depends on the availability of faculty members and their sabbatical leaves. As a new trend in cybersecurity courses, the subject Quantum Computation has emerged, being offered as an elective course at the Johns Hopkins University and at the 4TU.Federation.
At City, University of London, the program was revised in its third running year 2016/2017 to include more security elective choices, while removing one of the core modules. The program offered by the Pennsylvania State University, created in 2009, has already undergone two revisions, and is currently in the third one, slated to be effective for fall 2018.
The reasons for restructuring were diverse: for accreditation (Lancaster University), to take into account feedback from the students and external examiners (City, University of London), or to take advantage of faculty research interests and expertise.
Concerning the number of students enrolled in the programs, we observed that these numbers are rather different. Nevertheless, all the respondent directors stated that the demand has been continuously increasing.
5 Conclusion
The increasing need for cybersecurity workforce, today, is an unavoidable problem. In the last years, we have witnessed the evolution and maturation of the discipline of cybersecurity, as we can perceive, for instance, by the ACM efforts since the inclusion of the Information Assurance and Security KA into the computer science curricula guidelines until the recent definition of the cybersecurity
As far as we know, our work is the first that analyses the evolution and maturation of the cybersecurity discipline (from the point of view of higher education needs) and that fills the gap in the literature regarding the analysis of existing cybersecurity master programs and their alignment with the ACM and the JTF curriculum guidelines.
Acknowledgments
We would like to thank program directors who kindly answered our inquiry and reviewers for their comments.
This work was supported by the European Commission [grant number 2014-1-LU01-KA203-000034] and by FCT [grant numbers UID/MAT/04561/2013, UID/CEC/00408/2013].
References
4TU.Federation (2017). Cyber Security. https://www.4tu.nl/cybsec/en/. Accessed 15 March 2017.
Albert, R. T., Bennett, C., Briggs, D., Ebben, M., Felch, H., Kokoska, D., et al. (2015). Experiences with establishment of a multi-university center of academic excellence in information assurance/cyber defense. In Proceedings of the International Conference on Security and Management (SAM), Las Vegas.
Ben-Gurion University of the Negev (2017). M.Sc. in Information Systems Engineering with Specialization in Cyber Space Security. http://in.bgu.ac.il/en/engn/ise/Pages/Cyber_Space_Security_En.aspx. Accessed 15 March 2017.
Bicak, A., Liu, X. M., & Murphy, D. (2015). Cybersecurity Curriculum Development: Introducing Specialties in a Graduate Program. Information Systems Education Journal, 13(3), 99.
BU Computer Science (2017). MS in CS with a specialization in cyber security. Retrieved from http://www.bu.edu/cs/ms-in-cs-with-a-specialization-in-cyber-security. Accessed 15 March 2017.
Centre for Secure Information Technologies (2017). MSc Applied Cyber Security. http://www.csit.qub.ac.uk/EducationatCSIT/MSc-Applied-Cyber-Security. Accessed 15 March 2017.
Chen, H., Maynard, S. B., & Ahmad, A. (2013). A comparison of information security curricula in China and the USA. Proceedings of the 11th Australian Information Security Management Conference, Perth, Australia.
Cisco (2015). Mitigating the Cybersecurity Skills Shortage Top Insights and Actions from Cisco Security Advisory Services. http://www.cisco.com/c/dam/en/us/products/collateral/security/cybersecurity-talent.pdf. Accessed 15 March 2017.
City, University of London (2017). Cyber Security. http://www.city.ac.uk/courses/postgraduate/cyber-security. Accessed 15 March 2017.
Frank, H. (2016). Q1 Cybersecurity snapshot: Cyber security market report market sizing & projections. https://www.linkedin.com/pulse/cyber-security-snapshot-hope-frank. Accessed 15 March 2017.
growing need for cybersecurity skills. Computer Fraud & Security, vol. 2017, no. 2, pp. 5-10.
George Mason University (2017). Applied Information Technology, Cyber Security Concentration (MS). http://masononline.gmu.edu/programs/applied-information-technology-cyber-security-concentration-ms. Accessed 15 March 2017.
Grover, M., Reinicke, B., & Cummings, J. (2016). How secure is education in Information Technology? A method for evaluating security education in IT. Information Systems Education Journal, 14(3), 29-44.
Harris, M. A., & Patten, K. P. (2015). Using Bloom's and Webb's taxonomies to integrate emerging cybersecurity topics into a computing curriculum. Journal of Information Systems Education, 26(3), 219-234.
Johns Hopkins (2017). Cybersecurity. https://ep.jhu.edu/programs-and-courses/programs/cybersecurity. Accessed 15 March 2017.
JTF on Cybersecurity Education (2017a). Cybersecurity Curricula 2017 - Curriculum Guidelines for Undergraduate Degree Programs in Cybersecurity. Version 0.5 Report. ACM, IEEE, AIS, IFIP. http://www.csec2017.org. Accessed 8 September 2017.
JTF on Cybersecurity Education (2017b). Cybersecurity Curricula 2017 - Curriculum Guidelines for Post-Secondary Degree Programs in Cybersecurity. Version 0.75 Report. ACM, IEEE, AIS, IFIP. http://www.csec2017.org. Accessed 8 September 2017.
Lancaster University (2017). Cyber Security MSc. http://www.lancaster.ac.uk/scc/postgraduate/taught-masters/courses/cyber-security-msc. Accessed 15 March 2017.
Malhotra, Y. (2015). Bridging Networks, Systems and Controls Frameworks for Cybersecurity Curricula & Standards Development. NY Cyber Security & Engineering Technology Association Conference, Oct. 22, 2015 Rochester Institute of Technology, Rosica Hall, NTID, Rochester, New York.
McDuffie, E. L., & Piotrowski, V. P. (2014). The future of cybersecurity education. Computer, 47(8), 67-69.
McGettrick, A. (2013). Toward Curricular Guidelines for Cybersecurity: Report of a Workshop on Cybersecurity Education and Training. ACM. http://www.acm.org/education/TowardCurricularGuidelinesCybersec.pdf. Accessed 15 March 2017.
McGettrick, A., Cassel, L. N., Dark, M., Hawthorne, E. K., & Impagliazzo, J. (2014). Toward curricular guidelines for cybersecurity. In Proceedings of the 45th ACM technical symposium on Computer science education (pp. 81-82). ACM.
Mew, L. (2016). The Information Security Undergraduate Curriculum: Evolution of a Small Program. In Proceedings of the EDSIG Conference, Las Vegas, Nevada. http://proc.iscap.info/2016/pdf/4071.pdf. Accessed 15 March 2017.
New York University (2017). Cybersecurity Online. http://engineering.nyu.edu/academics/online/masters/cybersecurity. Accessed 15 March 2017.
Newhouse, B., Keith, S., Scribner, B., and Witte, G. (2016). NICE Cybersecurity Workforce Framework (NCWF), National Initiative for Cybersecurity Education (NICE), Draft NIST Special Publication 800-181. http://csrc.nist.gov/nice/framework/. Accessed 15 March 2017.
NSA/DHS (2013). National Centers of Academic Excellence in Cyber Defense: Knowledge Units. https://www.iad.gov/NIETP/CAERequirements.cfm. Accessed 15 March 2017.
NSA/DHS (2013a). National Centers of Academic Excellence for Cyber Defense: Focus Areas. https://www.iad.gov/NIETP/CAERequirements.cfm. Accessed 15 March 2017.
PennState (2017). Master of Professional Studies in Information Sciences - Cybersecurity and Information Assurance. http://www.worldcampus.psu.edu/degrees-and-certificates/information-sciences-masters/overview. Accessed 15 March 2017.
QS Top Universities (2017). QS World University Rankings. https://www.topuniversities.com/qs-world-university-rankings. Accessed 15 March 2017.
Applied Cyber Security. http://www.csit.qub.ac.uk/EducationatCSIT/MSc-Applied-Cyber-Security/. Accessed 15 March 2017.
Randstad Technologies (2016). Cybersecurity Workforce Report: 12 Markets with High Demand for Top Talent. https://www.randstadusa.com/corp/technologies/randstad_cybersecurity_report_2016.pdf. Accessed 15 March 2017.
Sahami, M., Danyluk, A., Fincher, S., Fisher, K., Grossman, D., Hawthorne, E., Katz, R., LeBlanc, R., Reed, D., Roach, S. and Cuadros-Vargas, E. (2013). Computer Science Curricula 2013: Curriculum Guidelines for Undergraduate Degree Programs in Computer Sci-