The global economy rests on an information base, so the one logical imperative is that this information ought to be secure. Sadly, that is not the case. According to the National Institute of Standards and Technology (NIST), the failure to secure information costs the U.S. economy over sixty billion dollars a year. This disconcertingly straightforward summary of the situation raises one obvious question: given the critical importance of information, and the fact that our way of life depends on it, why haven't we done a better job of protecting it?
Admittedly, the assurance of our information resources is a complex task, and the resources themselves exist mainly in the virtual universe. Consider how hard it would be for physical security professionals to protect a product that cannot be seen and that is subject to instant change at the whim of the consumers of that information. At the same time, the technology itself changes so fast that most information security workers have to run just to stay in place. Then there are the users of that information, who, given a choice between "easily and conveniently available" and "rigorously protected", will always pick what is behind door number one. Add the fact that it is hard to systematically assure the reliability of something you cannot see, and you get an idea of the kind of problems the industry faces.
Nevertheless, there has been a lot of talk over the past twenty years about well-defined and disciplined information security processes, so we must have some idea of how to do things right. Apparently we have just not been able to embed that knowledge far enough into the consciousness of the industry and the public to make a dent in the problem. That is where formal education comes in. Education shapes society. That effect should be obvious given that we spend our formative years sitting together in common classrooms. Whatever happens to us for the rest of our lives, it is guaranteed that we will spend our early years in a learning environment, and so school is the one place that we all share. It is also the one experience whose express purpose is to shape our future behavior in society. For that reason, education can be an extremely powerful force for societal change, and it is that potential influence that makes the education process the likeliest candidate to do something about the problems of information protection.
The solution is not as simple as it seems. There are two major hurdles that prevent us from simply rolling out information security content in every classroom and waiting for good practice to follow. First, information system security assurance is an emerging field, so it is not exactly clear what we should be teaching. The chief problem is finding the right scope. All evidence points to the fact that the body of knowledge for information system security is cross-cutting: elements of the discipline could legitimately be taught in everything from engineering, through business and public policy, to law schools.
These are very different places indeed, and so there are cultural overtones to the practical question of who ought to be teaching information security and where it should be taught. That cultural difference also raises the question of "to aggregate, or not to aggregate". If we leave the teaching of information security practice where it currently sits, scattered across many diverse places on campus, we will not be able to coordinate that teaching, let alone evolve the field into a mature discipline. However, if we pull all information systems security education into a single discipline, that begs the question of which traditional place on campus it should be located in, since engineers are not going to like working in a law school and vice versa. Moreover, because the body of knowledge is still relatively immature, it is unlikely that anybody on any university's current faculty has much authoritative background in the discipline, even assuming we could say precisely what knowledge the discipline ought to be composed of.
Beyond the question of what to teach, there is also the question of how to change faculty behavior. It is manifestly unfair to ask people who have specialized in some aspect of the field to drop what they have been doing for all these years and pick up a new line of teaching and research. In fact, given the freedom that tenure affords, that is simply not going to happen. So it is probably safe to assume that we will have to wait for a new breed of faculty member to come along before we make much progress on that front.
The lack of agreement about what constitutes the body of knowledge, and the lack of specifically qualified faculty, is compounded by the fact that there is no central accreditation body to unify the discipline. In essence, no single entity certifies the field of information assurance, standardizes it, or even makes the sort of recommendations that educators need in order to develop curricula. Instead, several entities purport to hold the keys to the kingdom, so an educator who wants to "do the right thing" faces the dilemma of which authority to adopt and follow. That kind of confusion ensures that, until somebody authoritative takes ownership of the field, we educators will be left with "best guess", and that is no way to build a curriculum.
What you will read in the rest of this issue are eight papers that discuss how to bring information system security education into the mainstream. They represent many avenues of thought that have been shared in the international community of educators about this critical topic. It is our considered opinion that this sort of wide-ranging dialogue constitutes the first step in overcoming the existing hurdles, and that it begins to ensure that information system security education will evolve into the mature discipline that we expect it to be.
We could not have done this alone, and so we would like to acknowledge Tamara Shoemaker for her outstanding work in managing the review process and the production of these Proceedings, and our colleagues who served as reviewers for this issue:
Jeananne Boyce, Art Conklin, Ron Dodge, Barbara Endicott-Popovsky, Drew Hamilton, Herbert J Mattord, Yen-Hung Hu, Yin Pan, Paul Schembari, Remzi Seker, Bruce Waugh, Michael E Whitman and Tanya Zlateva