Monday, June 11 - Wednesday, June 13, 2012

Papers

8th Colloquium for Information Systems Security Education, West Point, NY June 2004

Abstract – The blackout during the summer of 2003 proved that our critical infrastructures, e.g., the power grid, are vulnerable! According to experts in the Department of Homeland Security (DHS), the likelihood of a blended attack (physical and cyber) on our nation is relatively high. This paper makes the case for educators and curriculum developers to broaden the current Information Assurance-focused curriculum, concepts and pedagogies to include "Infrastructure Assurance." This paper will do this by: (1) describing and discussing the notion of convergence theory, i.e., the next attack will be a blended attack of physical and cyber dimensions; (2) identifying the components that comprise the U.S. Critical Infrastructure; (3) discussing the notion of "Infrastructure Assurance" and its role in current Information Assurance curriculum; and (4) using a regional water supply system scenario, providing a framework for developing a Critical Infrastructure Protection (CIP) strategy and for pedagogically integrating Infrastructure Assurance into existing Information Assurance curriculum.

The Success of the UT IEEE Communications Society
George Chamles and Adam Pridgen, The University of Texas at Austin

Abstract – Over the course of two and a half years, students at the University of Texas at Austin have developed a network and security research group that combines presentations, classes, and projects to produce highly skilled student researchers in a very short period of time. Their program exists independent of any official curriculum and is designed to combine self-motivated students' desire to learn with an environment that allows them to exercise that knowledge. This paper details the evolution and current structure of the group. It is intended for educators and students interested in creating similar organizations.

Abstract – This paper describes the methodology, implementation and results from the formation and execution of an undergraduate information assurance student group. In February 2001, our institution formed a student chapter of the Association for Computing Machinery’s Special Interest Group for Security, Audit and Control (ACM-SIGSAC) due to extensive interest by the student body in computer security and information assurance, as well as an awareness of the critical need by the faculty. This was the first information assurance student chapter formed out of the more than 600 ACM student organizations worldwide. The chapter was formed with an interdisciplinary approach in order to include a larger portion of the student body and thus influence a larger audience. This approach proved successful. Over the past three years, the group has grown from an idea to a vibrant organization of approximately 600 students. We believe that we have struck a chord with the students that merits examination. The primary goal of this paper is to provide a descriptive resource to educators who wish to implement a student information assurance group. It includes the purpose and methodology behind the formation of the group, our successes and failures, our lessons learned, and potential future directions.

Abstract: The main thesis of this paper is that Information Systems Security Engineering (ISSE) should be an essential element of introductory Systems Engineering (SE) courses. Based on a small informal survey, ISSE concepts seem not to be included in SE introductory courses. This paper, therefore, makes the argument that security learning objectives need to be integrated into the initial stages of teaching SE students. In the process of exploring whether SE students are properly exposed to ISSE, this paper reviews a current introductory SE course description and its learning objectives, provides sample security learning objectives, reviews the IEEE SE model, and finally suggests the Information Assurance Technical Framework (IATF) as one way of including security into SE models.

Information Assurance Capacity Building: A Case Study
Naomi Falby, J.D. Fulp, Paul C. Clark, R. Scott Cote, Cynthia E. Irvine, Senior Member, IEEE, George W. Dinolt, Member, IEEE, Timothy E. Levin, Member, IEEE, Matthew Rose, and Deborah Shifflett

Abstract – Despite an urgent need to protect information in computer systems critical to business and government, the inadequacy of many security products combined with overmarketing and overstated claims leaves information managers with nowhere to turn. Cyber security education is needed to provide a population of individuals who can make sound choices for the operation and acquisition of information protection. A prerequisite is an adequate population of educators. We describe workshops intended to help educators new to the area of Information Assurance. The multiple objectives are: to identify key foundational topics to educators, to teach lessons learned regarding topics difficult to convey to students, and to create a sense of community among Information Assurance educators.

Teaching Information Security Policy
Herbert J. Mattord, CISSP & Michael E. Whitman, Ph.D., CISSP

Abstract: Information security education includes many topics, some technical and some managerial. One topic that is central to all of these is that of information security policy. Before policy can become the centerpiece of information security education, a coherent model that can encompass the broad range of the topic is needed. In addition to the essential elements of policy, students also need to be exposed to the best practices for managing information security policy. Once a teaching model for policy is selected, faculty can use lectures, project assignments and lab exercises to reinforce student learning.

Abstract – Within the last two decades, Federal agencies have been directed to engage in large-scale change efforts to develop and implement IT security programs that protect organizational assets. These efforts have been guided by regulations such as the Federal Information Security Management Act (FISMA) and Office of Management and Budget Circular A-130, Appendix III, each of which specifies that programs must be designed and executed immediately. All too often, program development efforts focus on compliance with these regulations and do not take action that supports changing cultural values. This paper advocates Federal agencies taking an approach to program development that reaches beyond compliance and enables cultural change. In doing so, this paper discusses how individual behavior change and organization-wide cultural change occur. Finally, the paper provides a step-by-step process for establishing a communications element within the IT security program to enable lasting change.

.edu, Partner or Pariah: A New Paradigm for University/Community Partnerships in Cyber Security
Gregory White, Ph.D. and Timothy Goles, Ph.D., The University of Texas at San Antonio

Abstract – All too often colleges and universities are viewed in the security community as weak links that are easily exploited by those intent on causing harm or disruption to networks connected to the Internet. As such, they are often viewed as Internet pariahs, outcasts on the Internet not conforming to the accepted rules of behavior in terms of securing their infrastructures. This does not have to be the case, however, and colleges and universities can actually become community leaders in security. This paper discusses how an academic institution can take a prominent role in the community through leadership in a community cyber security exercise. The paper describes the Dark Screen exercise conducted in San Antonio, Texas and the university’s role in conducting this and other exercises.

Designing a Computer Forensics Course for an Information Assurance Track
Barbara Endicott-Popovsky, V. M. Popovsky, and Deb Frincke, IEEE Member

Abstract - At the 7th Annual CISSE conference, 2003, a case study was presented regarding adding information assurance to the curriculum of a small private university in the Pacific Northwest with only a moderate budget and without hiring additional permanent faculty. In this paper, we continue to describe the evolution of that curriculum, this time describing the challenges of finding the best way to teach computer forensics, a cross-discipline subject that requires not only technical expertise, but an understanding of the relevant legal and evidence-collecting guidelines that govern a computer forensics investigation. This paper discusses strategies used to design a computer forensics course that combines all of the necessary elements in a way that actively engages students in their own learning. Using resources available within the community and building the course around a business game, the school was able to launch an enthusiastically received course. Central to the curriculum, the business game allowed students to learn while simulating a real world criminal investigation culminating in an actual courtroom where students used the products of their investigations to testify as "expert witnesses." The original stimulus to create this course came from an NSA Center of Excellence (University of Idaho) sponsored Computer Forensics Workshop that encouraged universities with an information assurance track to introduce courses in Computer Forensics. The lessons learned from this effort could prove useful to other universities contemplating similar attempts.

Is it Safe? Information Security Education: Are We Teaching a Dangerous Subject?
Patricia Y. Logan Ph.D., Associate Professor, Marshall University Graduate College, and Allen Clarkson, Graduate Student, Marshall University

Abstract – Teaching computer science at the university level presents areas of potential conflict with computer services and their responsibility for delivering a secure network environment. This conflict is particularly evident in the case of computer security study, where the use of course-related tools may violate Acceptable Use Policies (AUPs) for the university network. Computer Science departments need to be accountable to the university community at large for the tools of instruction in these classes – particularly tools that will violate policies, such as key loggers, password cracking tools or vulnerability assessment software – and need to take measures to isolate those students, control the classroom activity and coordinate with computing services staff to preserve the integrity of the University computer network.
