PLUS ÇA CHANGE, PLUS C'EST LA MÊME CHOSE
Corey Schou

SPECIAL SECTION: cybersecurity education
acm Inroads, 2015 June, Vol. 6 No. 2, pp. 64-69

Since the late 1960s I have been involved in computer security under many names. I have been asked several times to talk about the changes I have seen and how we have arrived in our current state. I am certain of one thing—as cybersecurity keeps transforming, Plus Ça Change, Plus C'est La Même Chose. That is, the more it changes, the more it is the same. Let me explain.

A man in his time plays many parts—I am an academician, an interlocutor, a teacher, an educator, a computer security professional, sometimes a nominalist, and perhaps a rapporteur of a small set of linked events. As an academician, I am accustomed to incessant questions; when I am on my game, I usually respond with a question. Moreover, when being generally contrary, I tend to answer 'or' questions with 'yes' (explaining that English does not support 'xor'). Therefore, reflecting on the question about the breadth and depth of holistic cyber security education leaves me with more questions than answers. Breadth or depth, which is correct? The right answer is … Yes! As educators, we should sacrifice neither.

In 1970, the Defense Science Board Report on Security Controls for Computer Systems [18] predicted that:

[t]he issue of providing security controls in computer systems will transcend the Department of Defense. Furthermore, the computing industry will eventually have to supply computers and systems with appropriate safeguards.

This foreshadowed the emerging security needs of the information industry. The authors already knew that computer security professionals live in bad (hostile) neighborhoods. To be effective, they must have more than street smarts. Everyone in the profession should know about a broad spectrum of foundational topics and, in addition, they must have select specialized skills. In a hostile, unpredictable neighborhood, the last thing that professionals need is a monoclonal approach. In biology, monoclonal approaches produce large amounts of specific antibodies but may be too specific and may be less likely to react appropriately across a range of species.

As we will see, the ability to respond to a broad spectrum of events over the long term is important. It is easier if we agree upon the boundaries of this spectrum. Once we know something about the boundaries, we may assemble contents and address teaching, learning and measurement while avoiding oversimplification. The results should fit both academic and industry needs, and the emphasis on breadth and depth of knowledge builds a workforce that is versatile, dynamic, and resilient.

DEFINING THE SPECTRUM

Today, I am sitting in a room with a group of academic and government experts. The topic of the day is roughly, "What should everyone know about {computer security}, {information assurance}, {communications security}, {information security}, {cyber something}¹, {etc.}?" It is a quest to define a profession. For some reason, I think I have been here before.

The first time I found myself here was in the early 1980s. They asked me to look at some excellent work by Terry Mayfield's team from the Institute for Defense Analyses (IDA) [10]. Funded by a government agency, IDA brought together a group of luminaries to write curricular materials for computer science. Wow, these were fantastic—everything one needed to know about security for computer science. The modules included introduction to information protection, operating systems security, network security, database security, formal specification and verification, and risk analysis.

¹ I have fundamental objections to this use of cyber in this context—it has become a ubiquitous prefix in much the same way as prepending a lowercase letter 'i' to a noun makes it somehow special or magic. The term 'cyber' comes from a root meaning control or navigation; however, it has come to mean computer. What are security professionals really securing or assuring? Information. Cyber is merely the tool or container of the real asset—information. In the past, accountants did not have courses in 'The Theory and Operation of Quill Pens;' they used the tool to accomplish the mission—collecting, recording, systematizing, reporting, and auditing financial information. They have the same asset—information. After computerization, accountants have not felt compelled to use the term 'cyber-accounting' except as a marketing buzzword.
Subsequently, they asked me to develop a broader set of materials. A group of us built a baseline containing other basic principles such as security literacy, law and legislation, policy, and control systems. Being somewhat naive, I kept asking, "Isn't this sort of common knowledge?" One of my colleagues reminded me that security really represented specialized knowledge of the profession and should be cataloged as such.

In the late 1980s, I can remember meetings with a dozen computer scientists from around the nation. I was happy to find a young fellow from Georgia Tech who was a natural thought leader of the pack. In St. Louis, we filled acres of paper with notions of what the discipline was about. Wow, I came away with something I could use. Well, sort of—if I were teaching mathematics or computer science, it was spot-on.

In 1986, Assistant Secretary of Defense (Communications, Command, Control, and Intelligence) Donald Latham [12] proposed a model that both simplified and complicated my life. He added the historical context going back to transmission security (TRANSEC) [25], communications security (COMSEC) [23] and computer security (COMPUSEC) [24], and added non-engineering dimensions such as physical and personnel security.

Well, so much for a simple model based on engineering principles. I learned that models beget models. In our case, Latham [12] begat Todd and Guitian [22], which begat McCumber [14], which begat the Common Body of Knowledge (CBK) [11], which begat NIST 800-16 [17], which begat the Committee on National Security Systems (CNSS) [4], which begat the Maconachy, Schou and Ragsdale [13] [MSR] model used by ACM as part of their model curriculum [2], which begat IGS … Essential Body of Knowledge (EBK) [8] … National Initiative for Cybersecurity Education (NICE) [16] … and so the beat goes on; it continues unto the present day. Some of the descendants of the early work are broad while others are deep; the only certainty is that there is little agreement. So, whose list do we choose to ensure a viable education model? Frankly, we need not choose—we need them all; we need breadth and selected depth.

NEITHER BREADTH NOR DEPTH CAN REPLACE LEARNING

When I read the 1990 National Research Council (NRC) report on the competitiveness of the U.S. computer industry [5], it provided a different perspective on what had been going on in all the committees and meetings. The NRC answer was, "Not only do we need an educated work force to be able to perform jobs, but we need an educated work force that wants to know (and is) interested in essentially expanding its own knowledge." What we had been thrashing was a competitiveness issue—secure systems vs. the alternatives. This focus is neither breadth nor depth; it is security of complex systems essential to competitiveness.

More than a quarter century after beginning my quest, what have I learned? Frequently the windmills win. More importantly, each time I have looked at one list or another I have expanded my knowledge about an ever-growing discipline. The most important lesson is that the only constant seems to be change. As academicians, we balance the training, education, and longer-term needs of the discipline. As an emerging discipline, the needs for both training and education appear congruent. Each deals with a different view of the same problem—the breadth and depth continuum is not just about content; the continuum is also about the ability to have depth of knowledge and breadth of scope.

OCCAM'S TRAP

Breadth or depth, which is correct? The right answer is … Yes! Organizational and societal needs continually evolve. Successful organizations do not hire individuals for a static job with a fixed set of responsibilities—they seek and develop individuals who can evolve and change with evolving threats and needs. In a discipline as dynamic as computer security, employees must evolve and change with the environment. How does the security education profession accommodate incessant fluctuation effectively? One approach might be to define the field narrowly—prescribe some topics and proscribe others as irrelevant. This approach meets the parsimonious solution test. It is the simplest way—create highly specialized and highly focused experts.

Defining security education requirements narrowly may have unintended consequences. Every time I am enticed by Occam's Razor [9], I am cautioned by the war between Greece and Persia in 480 BC. The simplest, parsimonious solution for the Spartans was to ensure the best soldiers in the world came from Sparta. They were highly focused and highly trained—monoclonal. Three hundred Spartans died at Thermopylae. They were superior warriors—they all did things the same way; however, superior numbers and deceit overwhelmed them. Sometimes we forget that the Spartans did not die alone; even more Thebans and Thespians died with them.
Three hundred superior warriors were not enough. The real lesson from Thermopylae is that diversity saved Greece. Certainly, Persia won the battle; however, the Persians were driven out of Greece because they invested most of their resources in land warriors. Later the same year, at the naval battle of Salamis, the Athenian navy broke the back of the Persian attack. The lesson may be that, in the words of Heinlein, "Specialization is for insects."

In 1956, Ross Ashby introduced the concept of requisite variety. In his book, An Introduction to Cybernetics [1], he postulates his Law of Requisite Variety (LRV), which has been extended by others. A key point is that viable systems need variety of input to remain viable. Based on LRV, I would assert that perhaps we should not dismiss breadth. In this case, dismissing breadth reduces the capability of the system to respond to perturbations in the security environment.

The folks from the bad neighborhood understand variety. They constantly apply variety in their attacks on fairly static defenses. As a profession, we should resist overspecialization. While defense in depth is important, defense with variety is essential to maintaining a viable security infrastructure.

LINKING INDUSTRY AND GOVERNMENT NEEDS TO THE BREADTH VS. DEPTH DEBATE

Breadth or depth, which is correct? The right answer is … Yes! Other questions we should ask are: hands-on, theory, or technical? Attack or defend? The right answer to these is … Yes, too.

Somewhere along the line, my economics knowledge fails me; I recall a relationship between supply and demand. The world seems to have a surfeit of individuals who like to attack and are willing to do it for free. These individuals are part of the bad neighborhood for the security profession. Since there is a large supply of attackers, I would think the real demand would be for defenders. (I recognize that the military is an exception.) So, if the theoretical demand would be for defenders, why do universities spend so much energy on attack?

A plausible explanation is that offense sells—students become attracted to course names that have action verbs or bellicose implications—Advanced Persistent Threat Tactics, Cyber War, and Cyber Attack and the ever-favorite Computer Viruses and Malware Development are easily found examples. On the other hand, courses like Security Architecture, Budgeting, Production Management, Secure Software Development, Testing, Policies, Access Control, etc. sound boring. Given free choice, which do you think they will choose?

Perhaps one could do some clever marketing such as finding "wow" names for the more mundane courses. However, even if you were successful, human nature defeats our best plan. People seem to like breaking things and buy into the thought that "the only way a system can be defended is if you know how to break one." There is an attractive logic to this, until one applies the thinking to another skill.

To afford my choice to be an educator, I have spent a lot of time working with major airlines developing computational models for flight simulation. I learned a lot. Airline pilots do not learn to fly airplanes by learning a hundred ways to crash a plane. They learn one highly effective way of flying and landing an aircraft and then are challenged with a thousand variations on what can go wrong. Instructors evaluate them on how well they keep the airplane flying and on the success of the landing. Attack or defend? The right answer to these is … Yes! As a profession, we should realize that the demand, outside the military, is defense; there needs to be balance—be a stupendous defender who can deal with thousands of variations from the attacker.

Something else I learned while training pilots is that people expect them to know the "full package." Commercial pilots have to have a working knowledge of contracts, international law, pneumatics, electronics, navigation, basic physics, engines, and the like. Oh, by the way, they also need to know stick-and-rudder and all the psychomotor skills. Hands-on or theory or technical? The right answer to these is … Yes! To be an effective professional, one needs to be able to deal with cognitive, psychomotor, and affective domain issues, sometimes simultaneously.

CERTIFICATION OF BREADTH AND DEPTH

When discussing spectrum and boundaries earlier, we addressed teaching, learning and measurement. As academicians, we do all three. Do we do it right? How would one know? In some cases, the program or faculty producing security professionals is well known; in other cases, the university itself is sufficient. However, there are unknown faculty, programs and universities. Academic institutions generally view assessment and accreditation as an appropriate measure. Professional examinations and certification may be part of the assessment process.

Certification of knowledge in the academic profession receives validation by conferral of specific degrees. At the lower levels, the
degrees range from two-year technical degrees to baccalaureate degrees. Upon completion of the baccalaureate, students may enter master's level work in a specific discipline. A small number of students further specialize in their studies and research to do doctoral level work.

So, what does one do to prove qualifications or to transition into security-related positions? Individuals increasingly look for some certification that can be used on résumés to show worthiness. The market has responded with a plethora of certifications with diverse origins and objectives. Industry, government, and academia have all contributed opinions and standards to the certification milieu. Some certifications focus on training for specific technologies or attack strategies while others emphasize broad-based concepts.

During its ontogeny, every skilled trade has had to contend with the issue of identifying qualified practitioners. The altruistic interpretation of this process is that it serves the purpose of informing and protecting consumers; the cynical interpretation is that it has to do with defining and protecting turf, with some added benefits to the consuming public.

Figure 1: Breadth or depth, which is correct? The right answer is … Yes!

VALUING BREADTH AND DEPTH

Assigning the value of certification offerings is by no means an easy feat. Certification is the result of a process. The process is completed either successfully or unsuccessfully. In the case of successful completion, a certificate is awarded attesting to the successful completion of the process. This may mean that an individual has passed a test, has attended a sequence of classes, performed some task, worked for a number of years in a skill field, or any combination of those. Some certifications are awarded at the end of an apprenticeship, while others are awarded after a long and intense period of academic preparation.

Establishing the potential value of each certification means understanding the process, the integrity with which the process is followed, and the time dependencies of the capabilities attested to. A certification that attests an individual is competent to manage version 1.4a of a firewall becomes obsolete when version 1.5 is released. A certification that attests an individual learned to consider critically complex options against a set of requirements will never be obsolete: the certification attests not to a specific technological
skill but to the ability to think critically about an identified problem space. Each approach has value: firewalls need management and critical thoughts need thoughtful reasoning. Thus, there is no easy answer to the question: "Which certification should I include in my personnel management and development plan?" It depends.

A decade ago, Ryan [19] and I [21] discussed the valuation of certification and detailed the importance of the application of standards to information assurance education. These essential observations continue to remain important to decision-makers.

Independent of the breadth or depth of the certification, the decision criteria that inform an analysis of the value of a certification include:

How long has the certification been in existence?
Does the certification organization's process conform to established standards?
Does the certification address the breadth your organization needs?
How many people hold the certification?
How widely respected is the certification?
Does the certificate span industry boundaries?
Does the certification address specific products or processes deeply enough?
What is the probability that five or ten years from now, the certificate will still be useful?
Does the certification span geographic boundaries?

Answers to each of these questions provide insight into the value of a certificate to both the potential employee and employer. Predicting the future is an uncertain science, but using reasoning and a standard provides a better guess than simply stargazing.

A STANDARD FOR VALUING BREADTH AND DEPTH

I have argued that computer security and information assurance need to have standards [21]. To certify something, there must be some standard as a benchmark for comparison. For example, the meter was defined originally as one ten-millionth part of the quadrant of the earth. This abstract standard had to be instantiated as a platinum bar with a rectangular cross section and polished parallel ends. There have been many changes in the standard—now the meter is defined as the length of the path traveled by light in vacuum during a time interval of 1/299,792,458 of a second. The goal of these changes was not only to improve the precision of the definition, but also to change its actual length as little as possible.

The first step in establishing a standard for anything is to determine if there is an existing standard in the area, identified through trade associations, government agencies, and standards developing organizations. (Of course, had this occurred, the metric system might have died and we might be measuring items with barleycorns.)

It takes only a cursory examination of the information security and information assurance literature to find that there are many standards associated with this discipline. The plethora of standards leads to duplication of effort, and parallel standardization activities cause confusion and drain the resources of stakeholders participating in the standards development process. In fact, there may be no logical plural of the word standard. If there are two asserted standards for the same element in the same dimension, only one can be authoritative.

Certification or not, which is correct? The right answer is … Yes! This question actually relates to breadth vs. depth. That is, does the certification measure what you need, and what standard does it match?

A RECOMMENDATION ON BREADTH

Breadth or depth, which is correct? The right answer is … Yes! We should not sacrifice depth and specialization since security is a complex discipline; however, to have a resilient holistic education process, participants must have breadth that affords them a different perspective. Sure, as security professionals we need the equivalent of Spartans, but also the Athenian navy, and Thracians, and shepherds, and rope makers, and smiths. We need to know we have as much variety as we can stand to ensure systems viability. Select only on quality.

Security is a symphony. An orchestra with many players executes it—each in his time playing many parts. The ensemble certainly has accomplished soloists—it contains many instruments that, when played in concert, produce wonderful music. I doubt that Ode to Joy [3] would sound so sweet were it played by a hundred of the best bass drum soloists.

Nearly 150 years ago, John Stuart Mill made the argument for breadth at his inauguration at St. Andrews University.

Men are men before they are lawyers, or physicians, or merchants, or manufacturers; and if you make them capable and sensible men, they will make themselves capable and sensible lawyers or physicians. What professional men should carry away with
them from an University, is not professional knowledge, but that which should direct the use of their professional knowledge, and bring the light of general culture to illuminate the technicalities of a special pursuit. Men may be competent lawyers without general education, but it depends on general education to make them philosophic lawyers--who demand, and are capable of apprehending, principles, instead of merely cramming their memory with details. And so of all other useful pursuits, mechanical included. Education makes a man a more intelligent shoemaker, if that be his occupation, but not by teaching him how to make shoes; it does so by the mental exercise it gives, and the habits it impresses. [15]

— J. S. Mill, Inaugural Address at St. Andrews

With that said, we certainly need both breadth and depth; however, in the final analysis we need a broader professorate dedicated to developing the security profession and its professionals. As a profession, we need to be more inclusive of disparate thinking.

For nearly a generation we assert we have been working on this part of the problem; so, in my normal manner, here are some questions for us. Have we moved far enough and fast enough? Have we addressed the right problems in the right order? Do we have the right focus (foci)? Do we tend to build a monoclonal set of answers? Does the system produce enough skilled technical individuals? Do we educate enough individuals who choose to address fundamental "DARPA Hard" problems? (DARPA Hard problems are the list of cybersecurity challenges listed as a top priority by the Defense Advanced Research Projects Agency [7].)

None of these are 'or' questions. They are fundamental questions that we must address; until then, my answer is … 'NO'.

The original thinking behind the Scholarship for Service (SFS) [20] program was to jump-start the professorate and, incidentally, to produce highly skilled security professionals for the United States Government. The SFS program has been producing skilled professionals, but should we fail to increase both the quality and quantity of the professorate, we shall not have met the underlying need for an improved security education process.

Security must be designed in from the beginning; it must not be an afterthought; it must be systemic—a process. Similarly, security education is a process that we keep patching. Is the process broken? … It is up to us!

References

[1] Ashby, W. An Introduction to Cybernetics. (London: Chapman & Hall, 1956).
[2] Association for Computing Machinery (ACM). Information Technology 2008: Curriculum Guidelines for Undergraduate Degree Programs in Information Technology; https://www.acm.org/education/curricula/IT2008%20Curriculum.pdf. Accessed 2015 February 20.
[3] Beethoven, L. Symphony No. 9: Ode to Joy.
[4] Committee on National Security Systems; http://www.cnss.gov. Accessed 2015 February 9.
[5] Computer Science and Telecommunications Board, National Research Council. "Keeping the U.S. Computer Industry Competitive: Defining the Agenda." (Washington, DC: National Academies Press, 1990).
[6] Computer Science Division, Information Technology Laboratory. "FIPS Publication 200: Minimum Security Requirements for Federal Information and Information Systems." (Gaithersburg, MD: National Institute of Standards and Technology, 2006).
[7] Defense Advanced Research Projects Agency; http://www.darpa.mil/default.aspx. Accessed 2015 February 8.
[8] DHS. Information Technology Security Essential Body of Knowledge: A Competency and Functional Framework for IT Security Workforce Development. (Washington, DC: Department of Homeland Security, National Cyber Security Division, September 2008).
[9] Dictionary.com, "Occam's razor," in The Free On-line Dictionary of Computing; http://dictionary.reference.com/browse/occam's razor. Accessed 2015 February 1.
[10] Institute for Defense Analyses. (2015); https://www.ida.org. Accessed 2015 February 9.
[11] ISC2; https://www.isc2.org/isc2-history.aspx. Accessed 2015 February 9.
[12] Latham, D. (1986, September 30). Annual Historical Review; https://archive.org/stream/CIADocuments/CIA-152_djvu.txt. Accessed 2015 February 13.
[13] Maconachy, W. V., Schou, C. D., Ragsdale, D., and Welch, D. "A Model for Information Assurance: An Integrated Approach." In Proceedings of the 2001 IEEE Workshop on Information Assurance and Security, vol. 310. (New York, 2001).
[14] McCumber, J. "Information Systems Security: A Comprehensive Model." Proceedings of the 14th National Computer Security Conference. National Institute of Standards and Technology. Baltimore, MD. (1991).
[15] Mill, J. S. Inaugural Address Delivered to the University of St. Andrews, Feb. 1st, 1867; https://archive.org/details/inauguraladdress00milluoft. Accessed 2015 April 26.
[16] National Initiative for Cybersecurity Education; http://csrc.nist.gov/nice/. Accessed 2015 February 3.
[17] Wilson, M. et al. (Eds.). "NIST Special Publication 800-16: Information Technology Security Training Requirements: A Role- and Performance-Based Model." (Gaithersburg, MD: U.S. Department of Commerce, 1998); http://csrc.nist.gov/publications/nistpubs/800-16/800-16.pdf. Accessed 2015 February 5.
[18] RAND. "Security Controls for Computer Systems" (Report of the Defense Science Board Task Force on Computer Security), RAND R-609-1-PR. Initially published in January 1970 as a classified document; subsequently declassified and republished October 1979; http://csrc.nist.gov/publications/history/ware70.pdf. Accessed 2015 February 11.
[19] Ryan, J. J. C. H., and Schou, C. D. "On Security Education, Training and Certifications." Information Systems Control Journal 6 (2004): 27-30.
[20] Scholarship for Service (SFS). (2015); https://www.sfs.opm.gov. Accessed 2015 February.
[21] Schou, C. D. "Standards, Standards, Standards: Who has the Standards?" Enhancing Trust: Proceedings of the 4th Australian Information Warfare & IT Security Conference (2003): 303.
[22] Todd, M. A., and Guitian, C. (1989). Computer Security Training Guidelines. U.S. Department of Commerce, National Institute of Standards and Technology.
[23] Wikipedia. "Communications security"; http://en.wikipedia.org/wiki/Communications_security. Accessed 2015 February 8.
[24] Wikipedia. "Computer security"; http://en.wikipedia.org/wiki/Computer_security. Accessed 2015 February 8.
[25] Wikipedia. "Transmission security"; http://en.wikipedia.org/wiki/Transmission_security. Accessed 2015 February 8.

COREY SCHOU
Informatics Research Institute
Idaho State University, Box 4043, Pocatello, Idaho 83205-4043 USA
Schocore@isu.edu

DOI: 10.1145/2766455
Copyright held by owner/author. Publication rights licensed to ACM. $15.00