The study of information security is an emerging discipline ... - CiteSeerX

A delivery model for an Information Security curriculum

Dan Shoemaker, University of Detroit Mercy
Julia Bawol, Ford Motor Company
Antonio Drommi, University of Detroit Mercy
Gregory Schymik, Harman Becker Automotive Systems

Abstract

This paper details the origin and content of a nationally accepted standard for a university curriculum in information security education. It also offers specific recommendations regarding the proper teaching and learning modalities for the fifteen common knowledge elements embodied in it. These recommendations are based on the cognitive and affective requirements of each element. This can serve as a model for designing a delivery system that fits the precise needs of students and the particular institution.

Keywords: Information Systems Education, Training, Security Education, Knowledge, Security Curriculum, Pedagogy, Cognitive, Affective

Introduction

Information security is an emerging field in information systems education. Although the concept was introduced as far back as 1975 (Saltzer and Schroeder, 1975), it has been a continuing theme throughout the 1980s and 1990s (Neugent, 1982), (Higgins, 1989), (Bishop, 1993), (Irvine, Chin, and Frincke, 1998), (Spafford, 1998), and (Bishop, 1999), to cite a few. Nevertheless, the notion of a dedicated study was more of an interesting side-show than a main tent attraction until the events of recent history put it into the center ring. Accordingly, since 2001 the interest in teaching and learning about information security has taken off. As evidence, the National Security Agency (NSA), through the National INFOSEC Education and Training Program (NIETP), identifies fifty universities that conform to its standard for acceptable programs in this area. Criteria for that determination are derived from recommendations of the National Security Telecommunications and Information System Security Committee (NSTISSC). These provide a yardstick that can be used to judge whether the content of programs aimed at preparing information systems security professionals is adequate (NSTISSI 4011, June 20, 1994).

Two years ago there were 22 such NSTISSC university programs. However, in the period following 9/11 twenty-eight more have been added (NSA, 30 May 2003). In addition, the Center for Education and Research in Information Assurance and Security (CERIAS) at Purdue University cites four others that are not on the NSTISSC list (CERIAS cites eleven altogether), bringing the total accredited institutions in the U.S. to 54 (CERIAS, 2003). Since there are close to 4,000 institutions of higher education in the United States (NCES, 2002), this is not a particularly impressive percentage (1.3%) until one considers the fact that four years ago a mere one tenth of one percent of US universities offered recognized programs in information security. In that respect this represents amazing progress (NSA, May 1999).

The Problem

The problem is that there is no commonly accepted understanding of what the study of information security entails and, commensurately, there is no clear idea about what a proper information security education program should encompass. Spafford put his finger squarely on the reason in 1998. Rather than being a separate study, information security draws from a number of other academic domains. These include: computer science, computer architecture, forensics, cryptography, knowledge and information theory, business, mathematics, military science, law and ethics, software engineering, statistics and all things having to do with the Internet (Spafford, 1998).
As a consequence there is a need to integrate the relevant knowledge elements from each of these fields into a unified understanding of what constitutes the discipline. Otherwise we are left building our foundation on metaphorical “shifting sands”. There are numerous unofficial frameworks that might serve this purpose. But there is only one recognized national standard. That is the NSTISSI 4011-4015 series (NSA, 2000). These evolved from a NIST guideline (SP 500-172, 1989) that both rationalized the purpose and itemized the training needs of federal government personnel who worked on sensitive computer systems. The focal point of SP 500-172 is a Training Matrix, which aligns five subjects, (1) security basics, (2) security planning and management, (3) computer security policies and procedures, (4) contingency planning and (5) system lifecycle management, to the requirements of various audiences. These included Executives, Program and Functional Managers, Security and Audit staff, ADP Management and Operations staff, and End Users.

This guideline was updated in April of 1998 (as NIST 800-16) to create a Knowledge/Skills/Activities structure that was embodied into a generic IT Security Body of Knowledge. That BOK integrates the topics, concepts and subjects from a range of authoritative sources including OMB A-130, Security of Automated Information Resources, OMB 90-08, Security Planning and the generally accepted security practices outlined in NIST 800-12 and NIST 800-14. As such it would seem ideal as a source of advice for IT educators except for the fact that 800-16 is focused on the practical training needs of the government. As a consequence the detailed learning objectives and behavioral outcomes are appropriate to federal job classifications rather than the learning needs of college students. Thus there was still a need for a standard model that defines the curricular requirements for institutions of higher education.

That is the role of NSTISSI 4011 (June, 1994), which is the basic educational reference framework of the National Information Education and Training Program. NSTISSI 4011 fulfills the educational mandate of the National Training Program for Information Security Professionals (NSTISSD-501, November, 1992), as well as the President's Commission on Critical Infrastructure Protection (PDD-63, May, 1998) and the National Policy for the Security of National Security Telecommunications and Information Systems (NSD-42, 1990). It defines a fundamental body of knowledge for information security education programs. It has seven major categories. These encompass everything from security basics to material like cryptography. Table One lists the specified knowledge areas within that standard (NSTISSI 4011, 1994).

Table One: Knowledge Areas within an Information Security Curriculum

A. TELECOMMUNICATIONS BASICS
• Introduce the evolution of modern telecommunications systems.
• Describe vehicles of transmission.

B. AUTOMATED INFORMATION SYSTEMS (AIS) BASICS
• Present the terminology of AIS.
• Describe the AIS environment.
• Provide an overview of hardware, software, firmware components of AIS, to be integrated with information systems security aspects/behaviors discussed later.

C. SECURITY BASICS
• Introduce a comprehensive model of IS security that addresses critical characteristics of information, information states and security measures.

D. NSTISS BASICS
• Describe components of NSTISS including national policy, national threats/vulnerabilities, countermeasures, risk management, system lifecycle management, trust, modes of operation, roles of organizational units.

E. SYSTEM OPERATING ENVIRONMENT
• Outline organization specific AIS and telecommunications systems.
• Describe organizational “control points” for purchase and maintenance of Agency AIS and telecommunications systems.
• Describe organization AIS and telecommunications security policies.

F. NSTISS PLANNING AND MANAGEMENT
• Present performance measures employed in designing security measures and programs.
• Introduce generic security planning guidelines/documents.

G. NSTISS POLICIES AND PROCEDURES
• List and describe specific technology, policy and educational solutions for NSTISS.
• List and describe elements of vulnerability and threat that exist in AIS with corresponding protection measures.

These seven subject areas are enlarged and elaborated through 296 subtopics, which can be factored into 15 academic content areas, or themes. Delivered as a coherent and integrated set of learning objectives, the understanding that these provide satisfies the aims and requirements of the NIETP as well as implicitly ensures a comprehensive mastery of the field:

1. Security policy formulation
2. Security infrastructure development
3. Security education and awareness
4. Information and IT asset identification and tracking
5. Business continuity management
6. Legal and regulatory compliance
7. Ensuring security is built into the development process
8. Personnel security
9. Physical security
10. Access control
11. Operational security and OPSEC
12. Network security and cryptography
13. Application and system software security
14. Risk assessment and audit processes
15. Ethics

From a content standpoint the actual substance of the material can vary within any of these topic areas as long as the purpose of each is met. That is, community college curricula will deliver this subject in a different way than Carnegie I institutions. Nevertheless all of these topics must be explored and integrated into a common understanding in order for the curricular coverage to be considered complete.

This raises pedagogical issues along two axes, cognitive and affective. First, the content elements in this model are diverse, so they are going to require different teaching methods. For instance, teaching subject matter as technical as cryptography is going to require a different approach than what will be required to communicate something as abstract as security policy. Second, since this is a general model, student interests and capabilities are going to vary widely. That is, cryptography is a proper topic for both community college and graduate students. However, given what both of these types of students will bring to the table, it is unlikely that the content of a section on cryptography at Henry Ford Community College is going to look anything like the one delivered at the Naval Postgraduate School, even though both are recognized as excellent institutions of their type.

The concerns raised by the potentially diverse skill set and background of the learner community are both recognized and well discussed in NIST 800-16 and NSTISSI 4011. However both of these only provide learning and behavioral outcome recommendations. They do not recommend delivery models. It is understandable that the federal government would not want to dictate pedagogical method to ordinary institutions of higher education. However the lack of a recommended approach makes it hard for faculty transitioning into information security from fields such as IS or accounting to understand how to teach it properly.

To further complicate the problem, the elements that have been integrated into the body of knowledge are actually derived from a range of other disciplines. This can be a problem for people with a strong orientation toward one component. For instance, because of the divergent types of thinking required, people who are particularly adept in computer science might find it hard to assimilate necessary ideas from a traditionally unrelated field like military strategy. This can limit the result of the learning experience, since mastery of the body of knowledge requires coherent understanding of all of the elements of the field. Therefore the remainder of this short paper presents and discusses the NSTISSI knowledge elements from the perspective of the delivery considerations that a typical university faculty member might want to know about.

A Model Approach to Teaching Information Security

According to Drummond (2002), all teaching and learning situations involve three domains: the cognitive, affective and methodological. These dimensions apply to the process of teaching information security as much as they do to the teaching of any other subject.

Cognitive - Logically, one way to differentiate a knowledge element is by the thinking that is required to process it. Thus its teaching requirements can be described in terms of the types of intrinsic cognitive processes that are called out (Chandler et al., 1998). As a consequence, it should be possible to assign an ideal delivery method for any aspect of information security education by simply referencing it to the requirements implicit in its particular cognitive profile.
The cognitive elements we employed in our description are derived from Bloom (Bloom, 1956); however, we arrayed them into practical categories from which behavioral observations of performance can be made.

Figure One: Continuum of Thinking Applied to Information Security

Know → Adapt → Apply → Design → Integrate → Evaluate

Knowledge is a basic learning function. It requires rote memorization of discrete bits of information. Adaptation requires a bit more thinking. It involves the ability to comprehend acquired knowledge in order to restate it from a personal perspective. Application invokes abstract thinking. It requires the appropriate use of knowledge in a range of contexts. Design implies mastery of ideas. It takes concepts and evolves optimum responses to situations as they arise. Integration generates new knowledge from current ideas. Evaluation involves true mastery of the body of knowledge. That is, the individual is able to globally assess and form critical judgments about the contents of the field in order to guide it in new directions.

Affective - In addition to the cognitive requirements we felt that we had to factor in perceptual set. It is a given that one size does not fit all when it comes to education. Thus, the learning requirements and abilities of individuals will vary based on the experiences that are motivating them. Consequently, because information security is a concern that extends end-to-end throughout a wide spectrum of educational situations, any proper model of the teaching and learning process has to integrate a variety of perspectives. The continuum we evolved to describe the affective dimension is presented in Figure Two.

Figure Two: Continuum of Affective Requirements

Interest → Study → Practice → Supervision → Leadership

Interest describes the broad category of people who are learning for the sake of personal enrichment rather than for some particular aim. These people can be assumed to want to get a broad perspective with an evident personal application. They should not be expected to have background in any of the elements of the field. Study, on the other hand, implies focused acquisition of a coherent set of knowledge components. This implies requirements for a greater level of detail as well as some preparatory background or pre-requisite courses. For example, a basic network class might be a predecessor to the study of network security. Practice implies that the learning is translated into some real-world purpose that is beneficial to the individual, organization or society. This requires knowledge of the application domain as well as mastery of the concepts. In a higher education setting this can only be provided through a practicum or co-op experience. Supervision centers on managing and directing groups of people in the fulfillment of an aim. It is more global than study because it invokes an understanding of human behavior. Therefore it is hard to duplicate as a learning process in a higher education setting except through carefully controlled cooperative education, or lab experiences that involve role playing and case work. Finally, Leadership applies to the few people who are interested in and capable of providing direction to the field itself. This is not normally an academic pursuit. However, the sort of thinking that goes into doctoral dissertations and advanced independent research outside of the classroom is also called out here, and so it is probably possible to provide Leadership situations for a few advanced students.

Instructional Method - We chose four potential teaching environments. These have all been thoroughly discussed throughout the literature but the best summary is in Yurcik and Doss (2000). In order of their apparent conventional popularity these are (primary references used to describe these categories are in parentheses):

1. Lectures and faculty mentoring (Bishop, 1993)
2. Hands-on lab work (Chandler et al., 1998)
3. Cooperative learning with group work and exercises (Stahl, 1994)
4. Tutorial (CBT) models including web enabled training (Bonk, 2001)

The first of these methods is arguably the dominant pedagogy in higher education, straight lecture with outside mentoring (LEC). Three different objects are involved in this process. The first is the “sender”, who is responsible for delivering the information. The next is the “receiver”, who internalizes that information, and the third is the data or the “substance” block. That is the encapsulated learning material that the “sender” is communicating to the “receiver”. The objective in this strategy is to persuade the “receiver” to acquire, analyze, re-use, synthesize, and validate the “substance”. In most cases the receivers are passive beneficiaries of the communications of the sender in a many-to-many relationship and the substance itself normally embodies multiple learning objectives. The relationship can be expressed as the following.

[Diagram: relationships among SENDER, RECEIVER, CONTENT and LEARNING OBJECTIVES, annotated with cardinalities 1 and m]

This approach is particularly useful for introducing and explaining concepts and ideas. It is not a particularly effective way to internalize the details. That is the role of the next method, hands-on learning through lab exercises (LAB). This is a behavioral learning approach rather than a purely passive listening one. The learner acquires the knowledge by interacting with and/or altering the state of the machine. Immediate feedback is the key learning enabler. Lab work is more active and self-motivated in the sense that the student performs the physical tasks necessary to enhance his or her learning. Thus it is the best way to cement detailed learning outcomes in the sense that it reinforces a personal understanding of the particulars of a concept. The disadvantage of this approach is that without contextual points of reference it can often foster a very narrow and limited understanding.

The next method is cooperative learning (COL), which is normally characterized by group work. In cooperative learning settings the group is presented with a case study. Their goal is to identify the proper course of action and then perform it successfully. The primary aim is to reinforce socialization and interdependence. Cooperative learning allows students to learn about the affective elements of the discipline such as individual accountability, improved critical thinking, and social skills. The dynamics of team work are the point of the learning experience rather than the acquisition of discrete knowledge elements. In that respect it is vital that students maintain open lines of communication as well as understand their own personal roles and requirements during the process. This requires considerable one-on-one or group interaction and mentoring from the teacher. Cooperative learning is an excellent way for students to learn about things that are necessary to formulate individual and personal behavioral strategies. However, it is almost impossible to present new ideas or acquire detailed knowledge in this milieu.

A tutorial or computer-based training (CBT) approach embodies aspects of all of these traditional methods. At its core CBT involves one student and one machine. That machine can be hooked to the Internet, or to a CD ROM. The point is that the student interacts with the “canned” elements of a mechanism. Ideally, this fulfills the aims of a lecture-based approach in that content is provided to the student, analyzed and synthesized. However, because of the behavioral and feedback elements of that interaction this also reinforces the detailed acquisition of knowledge. And finally, because of the communication capabilities of the Internet it is also possible to perform really impressive group work exercises which reinforce the affective elements. The beauty of a CBT is that it can all be done at the desktop. CBTs are often the approach of choice for adult learners because they are relatively time-efficient and they allow the maximum educational experience. The problem with CBTs is in the asynchronous aspect of the delivery. Since the content is usually pushed to the learner by remote control at no formally scheduled time, there is the risk that the learner will not be engaged by the process. Therefore there has to be the opportunity for faculty interaction and control, or the learner has to be very well motivated for this to be a successful mode of presentation.

Teaching Approaches for Information Security

This table assigns a cognitive and affective range to each of the NSTISSI elements. The intention is to suggest factors that might be considered in the development of an overall teaching strategy for information security.

ELEMENT: Security Policy
Teaching Method: LEC, COL
Cognitive Domains: Integrate - Evaluate
Affective Domains: Supervision-Leadership

Security policy invokes the higher domains of thinking. It is a supervisory/leadership function. Therefore it lends itself to lecture and cooperative learning. Given the abstract issues and the interaction needs, it does not lend itself to a lab, or CBT based approach.

ELEMENT: Infrastructure
Teaching Method: LAB, COL
Cognitive Domains: Design
Affective Domains: Practice-Supervision

Infrastructure formulates policy into procedure. It involves design work. Infrastructure can be introduced in lecture but the learning uptake is best when the student can experience the concept through practice. Thus it lends itself well to lab or cooperative learning. This could incorporate CBTs.

ELEMENT: Awareness
Teaching Method: LEC, CBT
Cognitive Domains: Know - Adapt
Affective Domains: Interest-Study

Awareness is built on interest and comprehension. Since the outcome of this element is literacy, lecture and CBT tutorials provide the best return on investment.

ELEMENT: Asset Tracking
Teaching Method: LAB, COL
Cognitive Domains: Design
Affective Domains: Practice-Supervise

Concepts can be introduced in lecture but because it requires formulation of asset baselines, tracking is a true design activity. Therefore delivery mixes lab with cooperative learning. This can be easily supported by CBTs.

ELEMENT: Continuity
Teaching Method: LEC/CBT, COL
Cognitive Domains: Application-Integration
Affective Domains: Supervise-Leadership

Contingency planning and management is a critical strategic function that involves application and integration of ideas. Execution invokes supervision and leadership. Principles are best communicated through lecture and/or CBT. However a true understanding of the process can only be achieved through cooperative learning.

ELEMENT: Compliance
Teaching Method: LEC/CBT, COL
Cognitive Domains: Know - Apply
Affective Domains: Practice-Supervision

This requires memorization (of laws), so the learning ranges from knowledge through practice; the intention is to ensure compliance. The best approach is the same mix of lecture and CBT learning (to reinforce the principles) as was recommended for compliance. Cooperative learning is required to convey understanding of the process.

ELEMENT: Development
Teaching Method: LEC, LAB, COL
Cognitive Domains: Know - Apply
Affective Domains: Supervision-Leadership

Development process security is a practice based activity that utilizes the three lowest levels of the knowledge hierarchy. As such the use of lecture and lab exercises is an ideal approach. The actual development process requires teamwork so cooperative learning can be used to foster understanding at that level.

ELEMENT: Personnel
Teaching Method: LEC/CBT, COL
Cognitive Domains: Apply-Design
Affective Domains: Application-Supervision

Personnel security embodies professional practice and design functions. It is best delivered through a mix of lecture and cooperative learning. CBTs can be used to support this but the connections have to be made by discussion.

ELEMENT: Physical
Teaching Method: LEC/CBT, COL
Cognitive Domains: Know-Integrate
Affective Domains: Interest-Supervision

The many nuances of this element run from simple knowledge/interest up to systems at the supervisory level. Lecture and CBT can be used to communicate this domain. But because of the complexity it is best internalized using a cooperative education approach.

ELEMENT: Access Control
Teaching Method: LEC, LAB/COL
Cognitive Domains: Know - Design
Affective Domains: Practice-Supervision

Elements of access control are best introduced through lecture. But the only way to properly understand it is through cooperative learning lab work.

ELEMENT: OPSEC
Teaching Method: LEC, LAB, COL
Cognitive Domains: Apply-Design
Affective Domains: Practice-Supervision

There are many nuances to operational security. It is a design activity applied at the practice and supervisory levels. Basic ideas are best communicated in lecture. However the understanding comes from cooperative learning and lab work experiences.

ELEMENT: NETSEC
Teaching Method: LAB, LEC/CBT
Cognitive Domains: Know-Design
Affective Domains: Practice-Supervision

Network security and cryptography is the most involved technical activity. Therefore it necessitates extensive hands-on and cooperative learning. The recommendations of Bishop as well as Rubin (Rubin, 1997) indicate that this requires intensive lab work with some highly focused lectures or CBTs.

ELEMENT: Software
Teaching Method: LEC, LAB
Cognitive Domains: Know-Design
Affective Domains: Practice-Supervision

Application and system software security is another highly involved technical activity. The knowledge level learning is best provided in a lab setting; however, the basic concepts are probably best delivered via a lecture/CBT approach.

ELEMENT: Risk Assessment
Teaching Method: LEC/CBT, COL
Cognitive Domains: Apply - Design
Affective Domains: Practice-Supervision

Risk assessment and audit is primarily in the domain of business and accounting. Therefore the traditional delivery models apply. Lectures and cooperative learning experiences can best help students acquire necessary concepts.

ELEMENT: Ethics
Teaching Method: LEC/CBT, COL
Cognitive Domains: Know-Evaluate
Affective Domains: Interest-Leadership

The traditional mechanisms for delivering ethical and legal content probably work the best. Lectures and cooperative learning are almost the only way to help the student internalize their own personal ethical frame of reference.

Summary

The profession of information security needs academically prepared individuals who have mastered the entire body of knowledge, not just a piece of it. Information security curricula must effectively represent the entire range of topics, not just those that fit within the comfort zone of the particular program that offers the study. This paper has presented the origin and content of the NSTISSI 4011 standard, which is a national basis for defining the field. It has also presented specific educational approaches to the fifteen common knowledge elements embodied in it. These recommendations are based on the cognitive and affective requirements of each element. It can serve as a model for designing a delivery system that fits the precise needs of students and the particular institution. As long as the general purpose of each topic is fulfilled, the detailed content within each of these knowledge elements is meant to be tailored to the exact situation. This is offered strictly for discussion and feedback.

References

Bishop, Matt, What Do We Mean by "Computer Security Education"?, Keynote Address, 22nd National Information Systems Security Conference, 1999

Bishop, Matt, Teaching Computer Security, International Symposium on Computer Security, 1993

Bonk, Curt, Online Teaching in an Online World, Indiana University, 2001

Chandler, Paul, Graham Cooper, Edwina Pollock and Sharon Tindall-Ford, Applying Cognitive Psychology Principles to Education and Training, School of Education Studies, University of New South Wales, 1998

Drummond, T., A Brief Summary of Best Practices in Teaching, North Seattle Community College, website http://northonline.sccd.ctc.edu, accessed 2003

Higgins, J., Information Security as a Topic in Undergraduate Education of Computer Scientists, Twelfth National Computer Security Conference, pp. 553-557, 1989

Irvine, Cynthia E., Shiu-Kai Chin, and Deborah Frincke, Integrating Security into the Curriculum, IEEE Computer, pp. 25-30, Dec. 1998

Neugent, William, A University Course in Computer Security, Security Audit and Control Review, Vol. 1, No. 2, pp. 17-33, Spring 1982

Rubin, Aviel, An Experience Teaching a Graduate Course in Cryptography, Cryptologia, April 1997

Saltzer, Jerome H. and Michael D. Schroeder, The Protection of Information in Computer Systems, Communications of the ACM 17, 7 July 1974

Spafford, Eugene F., Teaching the Big Picture of INFOSEC, 2nd Colloquium for Information System Security Education, James Madison University, June 1998

Stahl, Robert J., The Essential Elements of Cooperative Learning in the Classroom, ERIC Digest, 1994

Yurcik, William and David Doss, Information Security Educational Initiatives to Protect E-Commerce and Critical National Infrastructures, Information Systems Education Conference (ISECON), Philadelphia, PA, 2000