Professional Documents
Culture Documents
net/publication/332699884
CITATIONS READS
16 4,815
3 authors:
Madjid Merabti
University of Sharjah
414 PUBLICATIONS 3,628 CITATIONS
SEE PROFILE
Some of the authors of this publication are also working on these related projects:
All content following this page was uploaded by Sohail Abbas on 09 October 2019.
Abstract. The threat of cyber attacks continue to grow with the in-
creasing number of sophisticated and successful targeted cyber attacks
throughout the globe. To address this issue, there is a dire need for cy-
bersecurity professionals with adequate motivation and skills to prevent,
detect, respond, or even mitigate the effect of such threats. To this end,
several cybersecurity educational programs and concentrations have been
established over the past years both at the graduate and undergraduate
levels. Moreover, a number of initiatives taken by the government stan-
dard bodies in the cybersecurity domain have emerged to help in fram-
ing cybersecurity education. Due to the interdisciplinary (and sometimes
multidisciplinary) nature of cybersecurity, educational institutions face
many issues when designing a cybersecurity curriculum. In this context,
we believe that there is a desideratum to provide a big picture of the
overall efforts done so far in the direction of cybersecurity curriculum
design. In this paper, we present an overview and comparison of existing
curriculum design approaches for cybersecurity education. This survey
will help the researchers and educators to have an overview of the existing
approaches for the purpose of developing a suitable and more effective
cybersecurity curriculum in their future endeavour.
1 Introduction
In recent years, a dramatic increase in the number and sophistication of cyber
attacks targeting governments, organizations, and end-users has been observed.
In fact, the continuous emergence of new mobile devices and the wide adoption
of Internet of Things (loT), and the so-called Bring Your Own Device (BYOD)
trends, have brought many cybersecurity challenges and opened new doors to
cyber criminals to exploit vulnerabilities of these systems. In its 2015 Cyber
Threat Report, Symantec Corporation [2] reports that, as a conservative esti-
mate over half a billion personal records were lost or destroyed in 2015, there
were over one million cyber attacks against people each day, 75% of all legitimate
web sites were vulnerable to attacks in such a way as to potentially infect users,
a new form of attack was appearing roughly once every week. The recent Cyber
Security Breaches Survey from the UK government [13] reports that two thirds
of large UK businesses were hit by a cyber breach or cyber attack in the past
2
year, with one in four being hit by a breach at least once per month. The cost
of these attacks often runs into millions of pounds/euros/dollars. In short, cyber
issues pose a serious threat to everyone and to all organisations.
In this context, several attempts have been made in the existing literature
offering different kinds of proposals for security curriculums. However, in most
cases, these proposed curriculums guidelines focus only on one aspect from the
aforementioned issues. We believe that there is a dire need to provide an overview
of the overall efforts done so far in the direction of the cybersecurity curriculum
design. This will help the researchers to have a big picture of the overall efforts.
To the best of our knowledge, no previous efforts have been done on comparing
and analyzing curriculum design approaches for the cybersecurity domain. In
this paper, we present a review and comparison of the state-of-the-art curricu-
lum design approaches for cybersecurity education. Our goal is to come up with
some conclusions and answers that would help in developing a suitable and more
effective cybersecurity curriculum.
Furthermore, the authors also discussed the topics that should be considered
in a cybersecurity curriculum. The authors reviewed three main activities that
have been suggested by researchers, namely, Prepare, Defend and Act [31]. It
was proposed that these activities be grouped into three distinct phases, namely,
Prevention, Detection and Response [24]. In the Prevention activity, the au-
thors suggested to include topics, such as penetration testing, ethical hacking
and advanced persistent/evasive threats, implementation of secure software and
awareness. In the Detection activity, the authors proposed to cover intrusion
detection systems and penetration testing. As for the Response activity, topics
such as digital forensics and incident response, and auditing, as well as other
areas related to cultural and global standardization, legal issues, and awareness.
Due to the dynamic nature of cybersecurity threats and vulnerabilities, it was
also suggested to timely adjust the activities and strategies in each phase.
Ethical and legal issues related to teaching ethical hacking skills in an in-
formation security curriculum are discussed in [35]. This is due to the fact that
some students would use the acquired offensive skills in an inappropriate and
illegal ways, which might put their careers, education, and even their entire in-
formation security program at risk. As such, the authors raised the importance
of teaching students ethical hacking rules and techniques, which are fundamen-
tal in an Information Security curriculum. To this end, the authors presented a
case study that consists of implementing a comprehensive ethical hacking hands-
on lab exercises for teaching common Denial of Service (DoS) attacks, namely,
the Land, the TCP SYN (synchronization) flood, and the Teardrop attacks, in
an isolated network laboratory environment. The paper discussed also common
defense techniques for detecting DoS attacks, including Intrusion Detection Sys-
tems (IDS) and Software tools, such as Snort tool, during the hands-on lab
exercises. Through this case study, the authors presented the necessary steps
that should be taken by schools and educators to make students aware of the
consequences of any misconduct and ensure that they are responsible for their
actions. The authors also discussed the effectiveness of adding hands-on exercises
in information security education, which greatly enhances students performance
in terms of achieving program’s outcomes.
ming Concepts and Reverse Engineering and Malware Analysis. The former is
the pre-requisite for the latter. The Reverse Engineering and Malware Analysis
course was added to the curriculum because students needed more than just
learning the basics; their final projects usually involved the reverse engineering
of live malwares.
The authors in [25] emphasized on the importance and hence the inclusion of
hardware components in the curriculum of undergraduate and graduate level cy-
bersecurity programs, in both CS and IT disciplines. The author proposed a new
pedagogical model to improve cybersecurity students skill thereby introducing
8
hardware concepts and design skills in the network intrusion detection course.
After focussing on the fundamental concepts, the curriculum of the course should
highlight the main topics of the course, such as network traffic analysis, system
configuration, rule-based detection and basic hardware design and experiments.
During the course, hands-on projects were also designed to hone the students
technical skills.
A course of study specifically for Homeland Security (HS) students in the cy-
bersecurity domain was proposed in [23]. The authors pointed out that currently
information security and HS programs are largely disjoint. Which is due to the
fact that most of the information security degrees are technical in nature, their
aim is to produce tool developers; however, the HS on the other side is based
on a non-technical paradigm of applied social science curricula. The former ap-
proach does not meet the needs of HS students, who need computer security for
the social sciences. The author suggested a multidisciplinary approach, that is,
the HS programs should not only provide the opportunity for the students to
study subjects like risk management, emergency management, terrorism studies,
and infrastructure protection; but also to motivate students study information
security course in-depth.
4 Discussion
In the above discussed literature, the main question posed to the authors was
that what should a cybersecurity professional be acquainted with and what sort
of skills they must possess? The question is one but the answers were more than
one and differing in nature. One of the main reasons of the difference of opinion
is due to the interdisciplinary (and sometimes multidisciplinary) nature of cy-
bersecurity which is used in numerous roles covering many disciplines. Some of
the issues related to this question are given below.
– Mostly the proposed changes in the curriculum are in nascent state which
needs proper assessment and evaluation before and after the implementation
phase. It is evident from 1 that most of them are just proposals that have
not been applied yet.
Flipped
[28] Undergraduate Behavioral Security Given
Classroom
Improving Cybersecurity
[22] Children N.A. Proposal
Education
Ethical/Legal
[35] Undergraduate N.A. Practical
Issues
Improving Cybersecurity
[20] Undergraduate N.A. Applied
Education
Improving Cybersecurity
[15] Undergraduate N.A. Applied
Education
intended to be trained for the industry, they should be taught more techni-
cal and hands-on skill based courses whereas if the objective of the degree
is to educate the students for higher education and research, they should
be taught with courses having more depth and understanding. To our belief
such mixing will detract students who have already set their future goals
and targets, i.e. to go for higher education or industry but not both.
– One of the issues that is posed by many authors and also noted by DHS Cy-
berSkills Report [5] is that the industry usually criticizes higher education
programs and complains about the graduates being deficient in hands-on
skills in cybersecurity field. In simple words, universities educate students
while industry demands for trained graduates rather than educated ones.
Some authors addressed this issue, such as [18] by suggesting that universi-
ties should educate as well as train students in order to fill the gap between
academia and industry. We believe that mixing training with education in a
single program will not be an interesting idea. Because, if some students al-
ready set their future targets as to extend their careers in a single direction,
i.e. industry or academia not both; then they might lose interest in such
programs. A viable solution would be either to offer degrees in these two
flavours separately or to designate some of the semesters as the specialized
ones, i.e. flavouring education and training.
5 Non-Traditional Approaches
5.1 Gamification
The use of computer games in education have recently gained attention; espe-
cially in Cyber security. One of the benefits of this approach is to reduce the stress
prevailed during Cyber security exercises and to produce a fun environment to
the students. In the long run this approach may change the students habit from
tense to fun mode during carrying out real time Cyber security tasks. Some of
work done in this arena is as follows. Nagarajan et al. [27] propose a Cyber secu-
rity training game, called CyberNEXS. The game enables the users learn topics
including social engineering and phishing techniques, password management,
shielding from spamwares and malwares, etc. Another effort in this direction is
the work proposed by [21], called CyberCiege which is a game developed for edu-
cating students regarding information assurance and network security concepts.
13
The game has different scenarios ranging from basic training and awareness to
advanced network security concepts. I-SEE [1] is game based Cyber security
training that uses web-based and 3D technologies in order to promote less tech-
nical and abstract level Cyber security concepts. After learning the high level
concepts, the students may then put these concepts to carryout tasks in com-
petitive group activities. Video games are considered as good and interesting
tools for Cyber security teaching and learning. However, they are not used for
technical topics. They are used only for teaching general and less technical con-
cepts in order to promote awareness of high level issues. Mostly, video games
are preferred to be used for teaching basic education and raising Cyber security
awareness in the public.
5.2 Virtualization
Virtualization allows the creation and use of virtual environments for a phys-
ical machine, network or operating system. Virtual environments are useful as
they allow the use of different operating systems/networks on the same physical
machine. Virtualization is also particularly useful for cybersecurity teaching and
learning as it can be used to simulate different kinds of attacks without causing
damage to the host physical machine/network. Moreover, some attacks such as
man-in-the-middle, requires at least three machines for the attacker and the two
victims. This could be simulated using three VMs on a single physical machine.
SEED Labs project [10] provides a pre-built virtual machine image, which
is preconfigured to run over 30 practical cyber security labs. VLabNet [29] is a
virtual platform developed for cyber security education based on the open-source
Xen software. Tele-Lab [11] is a cloud-based platform for practical cyber security
education. This platform was enforced with security through VPN tunnel. The
Xen Worlds platform was adopted to teach information assurance classes. This
platform is based on Xen hypervisor, which supports many VMs, and where
each students uses his own VM [14]. ReSeLa [17] is a virtual platform based on
multiple VMs. The platform was introduced to give students remote access in
order to experiment with malware and ethical hacking in a secure environment.
Virtualization can be setup on a desktop machine or cloud-based infrastruc-
ture. Desktop-based virtual environments allow the use of virtual machines with
different Oss, all sharing the resources of the host machine. This allows students
to run applications that require different platforms. The main challenge with
desktop-based virtualization is the size of the VMs, which is often quite large.
Additionally, students need to have high-performance machines in order to run
multiple VMs. Also, the VMs may require special configuration such as installing
and configuring cybersecurity software/libraries, which requires additional skills
from students who need to do the configuration by themselves. To overcome these
issues, an alternative solution is to set a cloud-based virtualization environment,
which can also be accessed by the students outside the campus.
14
5.3 Competitions
Cyber security competitions are widely adopted with the aim of raising security
awareness among students and identifying the top cyber security talents. Some
of these competitions are sponsored and run by governments and companies to
help identifying candidates with best cybersecurity skills for recruitment. These
competitions are usually run through virtual environments or online. They could
be also offered in a two modes, either single-user or multiple-user.
The international Capture the Flag (iCTF) [12] is one of the most popular
ethical hacking competitions, which has reached more than thousands of stu-
dents. Several academic institutions, governments and organizations organize
such hackathons worldwide to challenge contestants with cyber security prob-
lems. The Cyber Security Challenge UK [8] is a competition supported by the UK
Government and several partnering industries to support cyber security train-
ing. The competitions consists of several single-user exercises provided through
online video games. Top-ranked contestants are selected to further compete in
multi-user challenges set by sponsors who are looking to recruit the best cy-
ber security talents. The UAE CyberQuest competition [9] is designed by the
Signals Intelligence Agency and targets school and University students to raise
awareness and identify cyber security talents. The competition is developed in
two forms: capture the flag competition for school students and cyber security
exercise for University students. Training is offered by the organizing agency to
help participants prepare for the final competition.
Although these competitions are a good way for identifying cyber security
talent, however, they are limited in terms of training new talent. Most of the
time, competitions do not offer training to the contestants, but instead students
are expected to already have enough cyber security knowledge. We believe that
training is necessary to allow students to be at the competitive level required by
these competitions.
6 Conclusion
References
1.
2. Symantec Corporation, http://www.symantec.com
3. National Training Standard for Information Sys-
tems Security (INFOSEC) Professionals (1994),
http://www.sis.pitt.edu/jjoshi/courses/IS2150/Fall11/nstissi 4011.pdf
4. National Initiative for Cybersecurity Education Strategic Plan. Build-
ing a Digital Nation (2011), http://www.cssia.org/pdf/20000168-
NationalInitiativeforCybersecurityEducationStrategicPlan.pdf
5. DHS Task Force on CyberSkills, CyberSkills Taks Force Report, D.o.H. Security,
Washington, DC. (2012)
6. International Information Systems Audit and Control Association (ISACA) (2017),
https://www.isaca.org/
7. The Fast-Growing Job With A Huge Skills Gap: Cyber Security (Forbes article)
(2017), https : //www.f orbes.com/sites/jef f kauf lin/2017/03/16/the − f ast −
growing − job − with − a − huge − skills − gap − cyber − security/#465297be5163
8. Cyber Security Challenge UK (2018), https://www.cybersecuritychallenge.org.uk/
9. CyberQuest Competition (2018), https://cyberquest.ae/en
10. SEED Labs (2018), http://www.cis.syr.edu/ wedu/seed/lab env.html
11. Tele-Lab (2018), https://hpi.de/meinel/security-tech/security-awareness/tele-lab-
it-security.html
12. The International Capture The Flag (”iCTF”) Competition (2018),
https://ictf.cs.ucsb.edu/
13. Cyber Security Breaches Survey 2017 (April 2017),
https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2017
14. Anderson, B.R., Joines, A.K., Daniels, T.E.: Xen worlds: Leveraging vir-
tualization in distance education. SIGCSE Bull. 41(3), 293–297 (Jul 2009),
http://doi.acm.org/10.1145/1595496.1562967
15. Azadegan, S., O’Leary, M.: An undergraduate cyber operations curriculum in the
making: A 10+ year report. In: Intelligence and Security Informatics (ISI), 2016
IEEE Conference on. pp. 251–254. IEEE (2016)
16. Bicak, A., Liu, X.M., Murphy, D.: Cybersecurity curriculum development: Intro-
ducing specialties in a graduate program. Information Systems Education Journal
13(3), 99 (2015)
17. Carlsson, A., Gustavsson, R., Truksans, L., Balodis, M.: Remote security labs in the
cloud resela. In: 2015 IEEE Global Engineering Education Conference (EDUCON).
pp. 199–206 (March 2015)
18. Conklin, W.A., Cline, R.E., Roosa, T.: Re-engineering cybersecurity education in
the us: an analysis of the critical factors. In: System Sciences (HICSS), 2014 47th
Hawaii International Conference on. pp. 2006–2014. IEEE (2014)
19. Faily, S.: Ethical hacking assessment as a vehicle for undergraduate cyber-security
education. In: BCS 19th Annual INSPIRE Conference (2014)
20. Howles, T., Romanowski, C., Mishra, S., Raj, R.K.: A holistic, modular approach
to infuse cybersecurity into undergraduate computing degree programs. In: Annual
Symposium On Information Assurance (ASIA), Albany, NY. pp. 7–8 (2011)
21. Irvine, C.E., Thompson, M.F., Allen, K.: Cyberciege: gaming for information as-
surance. IEEE Security Privacy 3(3), 61–64 (May 2005)
22. IV, A.L.Z.: Cyber-Security Curricula for Basic Users, Thesis at NAVAL POST-
GRADUATE SCHOOL, MONTEREY, CALIFORNIA (2013)
16