Professional Documents
Culture Documents
2007
There are a wide range of jobs that have different KSA’s IS 2010.1 Foundations of Information Systems
that are involved in cybersecurity. Some have lower IS 2010.2 Data and Information Management
required levels of knowledge and skills, while others IS 2010.3 Enterprise Architecture
have more advanced levels. This means that one-size IS 2010.4 IS Project Management
does not fit all, with respect to jobs, KSAs, or IS 2010.5 IT Infrastructure
education/training pipelines to develop talent. IS 2010.6 Systems Analysis &Design
Much like the medical profession, there is a need for IS 2010.7 IS Strategy, Management, and Acquisition
doctors, nurses and technicians. In each of these major
classes, there are separate types or specializations: The program document lists specific learning
pediatricians, surgeons, podiatrists, RNs, LVNs, LPNs, objectives for each of the above courses. While
etc. Patients that require specific types of care dictate the institutions have leeway in how they adapt this material
professionals needed; no one substitutes a gynecologist into their programs, the above material provides a
for a neurosurgeon. Thinking all graduates of all reasonable foundational basis upon which any
programs are interchangeable can be as bad in institution specific specialization can be undertaken. For
information security as any other specialized profession. instance if a program adds programming classes, then it
can produce web developers, programmers, etc.
3. Curricula For a foundational curriculum, such as IS, this
method of documentation works well. Arguably the
basics are covered by this approach, and although
Accreditation is important to colleges and detractors have stated that security, or ethics, or other
universities as the stamp of accreditation is seen as a elements are not given their proper perspective. The
measure of quality and a means of demonstrating that response from members of the committee that created
graduates meet educational requirements associated the curriculum has always been – “it can be built inside
with many jobs. [11] Accreditation of University-wide this framework”. This is a reasonable expectation for a
programs is done in the US via six different regional foundational curriculum with built in flexibility. For a
accrediting bodies. This level of accreditation typically curriculum with multiple diverse options, such as
covers the bachelor’s degrees being issued and ensures information security, the “all-in-one” approach will not
that the degree meets a minimum number of hours and work well. The diversity of information security as an
specific content levels to ensure quality and uniformity. academic topic, as well as its reliance upon and IT/IS
Accreditation of programs to specific degree program foundation, has been documented in several studies. [15,
objectives is a separate effort, with this effort being 16] The development of a single foundational
more focused on the specific content of the degree and curriculum that can meet all major requirements is not a
how the degree program is managed. possibility for a field as diverse as information security.
In the case of accreditation of programs, one of the Information security is a field that has both breadth
first considerations revolves around the issue of focus of and complexity. Security can be impacted by virtually
the program. Programs are accredited to meet a any and all technologies employed in the enterprise; as
standard. In the case of information systems, the most well as actions by people in the enterprise, whether
common standard is the IS 2010 Curriculum standard, governed by procedure or not. This makes the domain
promulgated by ACM and IEEE-CS. [12] There are of study very large and one with lots of detail. If a person
numerous other related computer science standards, is involved in securing operating systems, they first need
including ones for software assurance, computer advanced knowledge on the operating system, how it
science, and computer engineering, however there is not works and where vulnerabilities have occurred. The
a specific one for information security. [13, 14] This is level of detail is significant, making it extremely rare for
one of the issues that the current effort being led by NSA someone to be good at both Windows and Linux.
is attempting to rectify, to produce a de-facto base set of Success in educational programs can be viewed from
information security standard curricula. a variety of aspects. Student success can be examined
The IS 2010 Curriculum is designed around a series from either successful completion of program, or career
of outcome objectives and fundamental resource progression upon graduation point of view. Since
elements such as laboratories and instructors. A set of successful completion typically precedes the career
seven proposed courses is outlined, demonstrating a aspect, this paper will focus on that aspect in its analysis.
path to operationalize the material into a manageable As students self-select their educational paths, and
form for delivery across a wide range of undergraduate outcomes do weigh in their decisions, student success is
programs. [12] There is flexibility built in so that the an important issue of an institution is going to have a
material can be morphed into existing programs to thriving program. Cybersecurity classes will not have
enable ready adoption. The seven courses are:
2008
throngs of students enrolling and then washing out like Each of these topics is still high level enough to have
biology and chemistry programs are famous for in several knowledge and skill elements defined.
higher education. For students to embark on the The KU program is a key component of the Centers
challenging program of study, they need to perceive the of Academic Excellence in Information Assurance
usefulness of the program, and this is typically done Education (CAEIAE) program. The CAEIAE program
through job placement history. This makes alignment is designed to recognize schools that offer security
of program objectives and hiring firm’s requirements a programs that meet a certain minimal level of coverage.
factor in student success. Student success is also One of strengths of the KU based program is its ability
influenced by creating a learning community where they to recognize schools that have differing programs. The
can belong to a larger group with similar goals and program is designed around a core component of KUs
objectives. The inclusion of student groups and other with additional KUs that act as specializations. This
forms of community act to increase student success and aligns with the industry demands for a broad spectrum
are important to a successful program. of different worker capabilities.
The overall structure of an academic program will be
4. New NSA driven model built around a set of core KUs, with institutions then
picking additional optional KUs to build out a program
around their own specific themes. By grouping KUs
At the time of this paper, the new NSA curriculum around themes, institutions can specialize their offerings
based model for determining CAEIAE status is still around specific job areas, incident responses,
under development, and the final outcome may indeed operations, digital forensics, etc. This flexibility
look slightly different. The methodology being provides a much better ability to match education
employed to date to build the model has been one that offerings to industry needs than previous approaches to
has been highly inclusive of academic and industry alignment.
involvement. Numerous workshops have been hosted
across the country to facilitate academic involvement in Core Knowledge Units - 2 Year degrees
the development of the criteria. The new criteria is based
x Basic Data Analysis
around a concept of a knowledge unit (KU). A KU is a
x Basic Scripting or Introductory Programming
midlevel grouping of knowledge and skill in an area of
cybersecurity. Examples of KU’s include, networking x Cyber Defense
concepts, introduction to cryptography, information x Cyber Threats
security fundamentals and basic scripting. Some KU’s x IA Fundamentals / Security First Principles
are comprised of more detailed elements than others, but x Intro to Cryptography
each is geared towards introductory knowledge and x Introduction to Digital Logic
skills around a central topic. x IT Systems Components
Within a given KU, a series of topics are covered. At x Networking Concepts
the time of the drafting of this paper, not all KU’s have x Policy, Legal, Ethics, and Compliance
been completely detailed, nor have knowledge and skill x System Administration
components been defined for each topic in the KU. One
of the issues faced in cybersecurity is the ever advancing Core Knowledge Units – 4 Year degrees (2Y Core
nature of technology. What was new yesterday, is old Knowledge Units plus)
today, then something newer, and typically not even on x Database Management Systems
the radar of most, arises and demands security attention. x Human Machine Interface
This occurs for both technology and the attacks against x Network Defense
it. An example of the topics for the KU networking x Networking Technology and Protocols
concepts includes: x Operating Systems Concepts
x Probability and Statistics
x Overview of Networking (OSI Model) x Programming
x Network Media
x Network architectures (LANs, WANs) Individual KUs are not the same level as courses and
x Network Devices (Routers, Switches, VPNs, a single course can meet elements from multiple KUs.
Firewalls) The challenge is in determining what needs to be in
x Network Services courses to have a complete education and the KUs
provide a mechanism for managing this complex task.
x Network Protocols (TCP/IP, HTTP, DNS, SMTP)
The use of specialty areas, which are comprised of
x Network Topologies
groupings of different KU’s, works towards overcoming
x Overview of Network Security Issues the challenge of aligning education to job requirements.
2009
Job titles, requirements and details vary all over the learning designed to be more comprehensive and
map, but they do tend to fall into groupings; forensics, achievable.
incident response, etc. By driving the education
programs to specialize in an area, this enhances the 6. Analysis of Gaps
ability for students to maximize their education against
job opportunities upon graduation. One of the biggest current gaps in alignment between
education and industry is a complaint that graduates do
5. Aligning Objectives not have sufficient hands-on skill sets to make them
ready to perform jobs. Highly noted in the recent DHS
One of the missing elements from both the curricula CyberSkills Report, one proposed remedy is the
models and to a degree the KU model is the use of tightening up of criteria associated with NSA/DHS
outcome objectives to guide student learning. Whether certifications, so that programs will respond with more
called learning objectives, or outcome objectives, the hands-on content. [19] This issue of hands-on
result on the student learning process is dependent upon experience has been a long standing criticism of many
the quality of the objective, not how it is labeled. [17] higher education programs. The central theme of this
When examining security and IT objectives, the Mager issue is training versus education. Training tends to be
model of condition, behavior and standard is well suited. oriented towards the how and is focused on the current
[18] These objectives can be then structured like the technology and methods. Teaching a student to develop
topics in a class, from general to specific. General: and implement specific firewall rules on a Cisco router
Given a computer and vulnerability scanner, the student is training. Education tends to focus on the why, the
will be able to identify the vulnerabilities. More theory and mechanisms behind the material. Teaching
specific: Given a computer and a vulnerability scanner, a student about firewall rules, how they are used to
the student will be able to identify the specific implement a perimeter defense, their strengths and
vulnerabilities on the computer, correct them and rerun weaknesses, this is the role of education.
of the vulnerability scanner to demonstrate that the Industry wants workers to arrive ready to work day
system no longer shows the vulnerabilities. You can one, on their equipment, configured as they have
even create highly specific ones such as Students will be configured it, and able to immediately add to the team
able to configure Snort rules to detect a SSH login from strength. Industry also expects their workers to have the
outside the corporate network. knowledge (read education) that they can adapt to
For learning outcomes to be effective at guiding technology changes and continue to contribute as
student learning, there are several traits needed. They systems, equipment and processes change. Although
need to provide an intuitive, student-friendly and many refer to this as an “or” proposition (you can be
transparent framework for guiding the learning process. educated, or you can be trained) the reality is that
When learning outcomes emphasize a broad overview industry needs this to be an “and” relationship. It is
with a top-down design approach to a more detailed important that students learn the theory, the why, as well
specification, this results in key areas of learning being as how to implement it on current equipment, the how.
emphasized, making it easier for students to navigate The relationship of training to education is illustrated in
toward key concepts and issues in a complex Figure 1.
environment. By making the important elements more
evident, the student is guided towards a pathway of
2010
Figure1 also illustrates a pipeline from community progression. This serves as a possible example that a
colleges through doctoral programs associated with proper mix of training and education can be achieved.
information security. This figure illustrates several Hands-on programs increase self-efficacy on the part
things. First, there are several different degree of students and research has shown that this is an
program levels that will provide information security important element in building student success. These
workers to industry. This is important as the field are important lessons to be learned from a student
needs a wide range of workers with differing skillsets. success point of view and warrant the consideration of
The figure shows the higher training component of activities such as these directly in a program rather
community college programs, which goes towards the than optionally on the side.
“we need workers now” issues facing many firms and We also have seen cases where some of the “best
government agencies. Ensuring that the education and brightest” jumped ship early in the education
pipeline dovetails with industry needs will enhance pipeline, lured by good starting salaries, but then
student opportunities at the end of their education. became trapped in dead-end jobs because they don’t
This will strengthen programs in many ways including have the necessary education to move up the corporate
increasing the factors that support student success. career ladder. In spite of the immediate need for well-
The current practice of accredited university trained people, the industry as a whole might be better
education is typically grounded in theory, and has less served by not eating the seed corn, as the best and
room for training opportunities. Students that take all brightest should be encouraged to go as far up the
the hands-on courses at a community college have education ladder as possible. This is how we will truly
troubles applying most of their work towards a 4 year advance new ideas and innovations. Aligning student
degree, should they choose to go further with their achievement and potential to ensure student success is
education. This creates a wall for students allured by an important programmatic element. Virtually all
the immediate job prospects of the technical hands-on students, each with their own abilities and background
operator training found in community college will enter the Figure 1 pipeline on the left. How far
programs. This also creates a long term issue for the they progress through the pipeline is a result of many
industry, as it creates a class of workers without the factors. Because of the multitude of different jobs in
skills to move forward in a career in information cybersecurity, it is important to realize that the
security. These students will never possess the objective is not to move all students as far through the
university degrees or understand all of the theory pipeline as possible. A more optimal outcome will be
behind the driving forces in the industry. to move students as far as possible based on each
Students self-select their education programs; student’s ability, something easily measured with
which university, which major, which classes success indicators such as GPA. Identifying the best
(electives) and which professor (when there are paths for individual students, based on their abilities,
options). This too can have adverse effects, as will increase student success and help the entire
students will self-select based on self-desired items program to grow and thrive.
such as “cool classes”, easy grades, etc., instead of As for all programs, we need to determine the
focusing on the quality of education with respect to correct mix of theory and practice. Information
future opportunity. The result is the education system security classes without hands-on exercises, dealing
with its gaps in desired outputs as being experienced with the operationalization of the theory and concepts
today. There is a strong desire on the part of students from lectures, have little place in our field. There are
to take classes such as pen-testing, as the allure of the few, if any jobs, for those who cannot do some of the
topic and the opportunity to “hack” and the ability to security tasks. Students need the ability to implement,
put it on a resume. This, in turn, drives professors to as well as the ability to understand. Simply
build these classes to meet a “market demand” in their memorizing things from Google will not produce the
programs. In today’s economic times, “butts in seats” level of worker that is needed. We must move classes
is a measure most programs monitor and report to their up the Bloom’s Taxonomy and a proper
administration. implementation of the elements of the KU based
Students that have participated in the National program being developed by the NSA can go a long
Collegiate Cyber Defense Competition (CCDC) have way toward this objective. Even the course structures
demonstrated a high employability value, with from the accrediting standards are useable, as
members of teams that compete in the National Finals instructors are given significant leeway within the
all receiving serious job offers from the biggest names structures to incorporate material of their own
in the industry. Team members after 5 years of choosing.
employment have demonstrated solid career
2011
Objectives can be the guide that assists students in because it is too new and not on the list yet, or because
navigating the material in the pursuit of learning the there isn’t room in the curriculum because of other
essential elements with respect to developing useful items an employer doesn’t care about but needed to
ability through the course of study. This places the maintain program recognition. There is an easy fix,
responsibility of aligning the objectives to create a set a percentage, such as 90%, and expect programs to
bridge between material and job needs upon the course cover at least 90% of the listed elements. This provides
designer and instructor. This level of essential detail flexibility and also will dramatically reduce criticism
is missing from the curricula and KU models of specific individual program elements as they will
described and needs to be addressed if a program is not all be required. Again, making things more
going to produce graduates that can assume roles in achievable and credible will enhance student success
the security field without additional post-graduation and assist in industry acceptance.
training. The role of the government in building a successful
Examining all the options, it is recommended that cybersecurity education system goes beyond just
the course structures accreditation provides be re- detailing a list of technical elements that need to be
engineered to include the KU material, including covered. Creating a program with the level of
hands-on laboratory exercises. In every class, there flexibility to allow institutions to dovetail technical
should be a conscious decision about the ratio of program elements, with programmatic elements that
training vs. education, ensuring all levels of students build student success and meet industry needs will
get sufficient levels of each. Actual demonstrations of strengthen the outcomes of the programs.
the classroom material in operational settings, such as Acknowledging the need for more than just a set of
the CCDC exercises or internships, should be highly technical outcomes will not be enough. Any
encouraged. Practice makes perfect and a lot of government recognition program designed to assist in
practice is needed by all participants at all levels. cybersecurity education needs to pay more than just lip
Using the KU’s as a list of essential elements, that fit service to the complete set of elements that drive
into the curricula (class) container scheme is relatively student success and outcomes. Providing resources, in
easy. The missing element is the development of the terms of funding, time and materials, across the entire
learning objectives at several levels, from course, to spectrum of an educational program is needed to
lecture, to assignment, that enable students to navigate create a new profession of highly skilled workers. We
the complex subject matter of security and IT. are not suggesting more regulation, but are suggesting
The KU effort is a great first step toward providing that addressing student success factors as well as
a framework for educators to align information industry accepted outcomes are needed to achieve the
security programs with industry needs. But as already goals associated with creating a professional
discussed, this is not a single dimension issue, security cybersecurity workforce.
has many different dimensions, with divergent needs.
This means that the information security training and 7. Future work
education environment serves a family of needs, and
without the basis of solid learning outcomes, these The shift to a KU based cybersecurity education
needs are still poorly defined. Much work needs to be platform is just beginning, with many of the details
done in defining the learning objectives across the still not determined as of this paper. As the industry
KUs so that the landscape can be navigated and shifts to this new paradigm, it remains to be
consumed by students in a productive fashion. determined whether the new criteria alone will make
Another missing element of the KU based system enough of a skills based shift to move the industry
is the determination of appropriate coverage of where it needs to go. The addition of student success
material. In the past, programs such as the CAEIAE factors into the design of a new curriculum will result
program have operated on a 100% or nothing basis. in better assimilation of the material as shown in other
You either possessed ever element to a desired degree education areas where these techniques are used. To
or you did not obtain recognition. This concept works fulfill the objective of producing the best trained and
when the list of elements is fairly limited, but in the educated cyberskills workforce possible, the inclusion
current KU system, the list has grown tremendously. of elements such as student success factors into the
This creates a situation that is currently being debated final education model will assist in achieving the
across secondary school systems across the country – object. The exact roles, levels of these factors and best
do we teach what needs to be learned, or do we teach method to employ them needs further study to
to the test. In an ideal world, these are the same, but in optimize the results.
a dynamic world such as cybersecurity, this can lead
to programs not teaching what employers want, either
2012
8. References 10. K.A. Ericsson et al., The Cambridge
Handbook of Expertise and Expert
Performance. 2006: Cambridge
1. Choudhury, V., A. Lopez, and D.
Univ. Press.
Arthur, "Issues and Opinions - IT
11. Saulnier, B. and B. White, IS 2010
Careers Camp: An Early Intervention
and ABET Accreditation: An Analysis
Strategy to Increase IS Enrollments".
of ABET-Accredited Information
Information Systems Research.
Systems Programs. Journal of
21(1): p. 1-14.
Information Systems Education,
2. Noland, K., GAO: Federal
2011. 22(4): p. 347-354.
Cyberspace Incidents Up 680% Over
12. Association for Computing
5 Years, in ExecutiveGov. 2012,
Machinery (ACM), A.f.I.S.A., IS
ExecutiveGov.
2010 Curriculum Guidelines for
3. Vijayan, J., Demand for IT security
Undergraduate Degree Programs in
experts outstrips supply, in
Information Systems. 2010,
ComputerWorld. 2013.
Association for Computing
4. NIST, National Initiative for
Machinery (ACM) and Association
Cybersecurity Education Strategic
for Information Systems (AIS).
Plan, National Institute of Standards
13. ACM and IEEE Computer Society,
and Technology (NIST), Editor.
CS 2008: Curriculum Guidelines for
2012, NIST: Washington, DC. p. 26.
Undergraduate Degree Programs in
5. Attaway, A.N., et al., An Approach to
Computer Science. 2008, IEEE/ACM
Meeting AACSB Assurance of
Joint Task Force on Computing
Learning Standards in an IS Core
Curricula.
Course. Journal of Information
14. IEEE Computer Society and ACM.,
Systems Education, 2011. 22(4): p.
CE 2004: Curriculum Guidelines for
355-366.
Undergraduate Degree Programs in
6. AACSB International, Eligibility
Computer Engineering. 2004,
Procedures and Accreditation
IEEE/ACM Joint Task Force on
Standards for Business Accreditation.
Computing Curricula.
2006, The Association to Advance
15. Rowe, D.C., B.M. Lunt, and J.J.
Collegiate Schools of Business.
Ekstrom, The role of cyber-security in
7. ABET. Criteria for Accrediting
information technology education, in
Computing Programs, 2013 - 2014.
Proceedings of the 2011 conference
2013 [Last; Available from:
on Information technology education.
http://www.abet.org/DisplayTemplat
2011, ACM: West Point, New York,
es/DocsHandbook.aspx?id=3148.
USA. p. 113-122.
8. Benbasat, I. and R.W. Zmud, The
16. Ma, J. and J.V. Nickerson, Hands-on,
identity crisis within the IS discipline:
simulated, and remote laboratories:
Defining and communicating the
A comparative literature review.
discipline's core properties. MIS
ACM Comput. Surv., 2006. 38(3): p.
quarterly, 2003: p. 183-194.
7.
9. Assante, M.J. and D.H. Tobey,
17. Harden, R.M., Learning outcomes
Enhancing the Cybersecurity
and instructional objectives: is there
Workforce, in IT Pro. 2011, IEEE
a difference? Medical Teacher, 2002.
Computer Society.
24(2): p. 151-155.
2013
18. Mager, R.F., Preparing instructional
objectives. 1962.
19. DHS Task Force on CyberSkills,
CyberSkills Taks Force Report,
D.o.H. Security, Editor. 2012:
Washington, DC. p. 1-41.
2014