Archives

Papers

Information security is a topic of frequent discussion within the larger community of information systems (IS) and information technology (IT). The high cost of information security breaches heightens the importance of information security within all levels of an organization. However, despite this reality a need exists for qualified information security professionals to fill these important roles within organizations. This paper presents a competency based approach to information security education. Competency based education provides a mechanism to allow individuals to obtain an education within a particular field not by completing a certain number of seat hours, but instead by demonstrating competency in the required subject matter.

Rule development for Snort, which is one of the most popular network intrusion detection systems, is a critical skill to detect ever emerging new cyber attacks. This paper describes a Snort lab that helps students to learn Snort rules effectively. For beginners, it is difficult to determine if a rule is correctly written without being able to test it in a realistic setting. The uniqueness of this hands-on learning lab is that it allows students to learn how to write Snort rules by testing and debugging their rules against the live network traffic replay. The lab requires students to learn and apply various features of Snort rules to successfully detect the intrusions. The intrusion traffic packets are real captures that were downloaded from various sources on the Internet.

This paper presents the results of the National C3 Baseline Study conducted with 1569 educators and 94 technology coordinators from a web-based instrument. Educators and local education agency (LEA) technology coordinators/directors also responded to an open-ended survey question. Additionally, qualitative data were collected by group and individual interviews. The purpose of the survey was to explore the nature of Cyberethics, Cybersafety and Cybersecurity (C3) educational awareness policies, initiatives, curriculum and practices currently taking place in the U.S.

The vulnerability of users to social engineering is well known; however, very few techniques have been developed to successfully mitigate the threats users unwittingly expose our infrastructure to. Annual training and awareness campaigns have done little to keep users vigilant against the many forms of social engineering, especially phishing emails. Phishing is regarded as one of the most effective social engineering attacks. In this paper we describe an effort to increase the awareness of users through a campaign of training, policies, and assessment.

To address criticism of higher education pedagogy, scenario-based learning (SBL) is presented. Principles and learning methodologies from experiential learning theory are reviewed. The authors present a practical methodology for a sample scenario incorporating scenario-based learning.

Colleges and universities that teach Information Assurance (IA) skills are beginning to address the ethical issues associated with this academic discipline. There is a potential that IA skills might be misused to commit criminal or terrorist acts. Schools are beginning to consider the financial and ethical liabilities of their students misusing the technical, business, and legal skills that they learned at that school. One dilemma facing educators is whether a student with a criminal background will revert to criminal behavior and use their newly acquired IA skills for illegitimate purposes. Having criminals with the same knowledge and skills as the professionals investigating their illicit activities will seriously complicate solving these crimes.

Service learning enables students to provide real service to the community as part of their learning/educational experience. Service learning can take many forms in security, including maturity assessment, security planning, awareness training, product research, product evaluation, and facilities or procedural audit. These projects help students learn to communicate with non-technical staff, apply security training, obtain experience in a real world environment, develop professional documentation, and contribute to their neighborhood. This paper describes the benefits and challenges the author has experienced for each type, but also discusses tools that can help security instructors in implementing service learning in their security courses.

Each year hackers exploit hundreds of vulnerabilities in software, yet the same vulnerabilities continue to appear in code, over and over again, and many educational institutions continue to teach programming as they always have. Companies, such as Microsoft, have found it necessary to conduct secure coding training classes to make up for the absence of the subject in college-level curriculum. Reasons for this lack are many, but our research is motivated by one major barrier: instructor lack of time to convert existing, well-developed curriculum to include secure coding concepts. To address this issue, we have developed an approach that applies the 4+1 Views software re-engineering technique to transform source code that does not incorporate any security concepts, into source code that can defend against attacks.

It is of increasing importance that we incorporate security and cryptology in both the undergraduate and graduate curriculums. This paper introduces cryptology in the framework of general cybersecurity and advocates that it is an appropriate mechanism for introducing security issues into the classroom at all levels of the curriculum. A practical free software package called CrypTool, which can be a major asset in any attempt to teach cryptology to a range of student audiences, is presented. Applications and classroom experiences using CrypTool are discussed along with some student feedback.

Many computer security programs supplement their courses by providing labs to fortify concepts being taught; however, often these labs are taught in isolation and do not allow students to see the complexity of integrating a system of systems architecture. The “seams” of these security systems are where deep learning happens and where attacks slip through. This paper discusses a capstone course designed to help students integrate security systems with all of their interconnecting parts and see the importance of putting these pieces together securely.

 
 