This is the second annual edition of the Journal of the Colloquium for Information Systems Security Education (CISSE). Cybersecurity is a complex and rapidly evolving field. That fact necessitates constant study and discussion. The aim of this Journal is to provide that discussion.
The ideas contained in this Journal represent the best thinking in information assurance education as presented at the 18th annual meeting in San Diego. This edition will focus on ways to ensure a pipeline of skilled cybersecurity researchers, cybersecurity professionals and an overall capable cybersecurity workforce.
The current problem with cybersecurity is best illustrated by the "Six Blind Men and the Elephant" parable. In that old story, six blind men are asked to describe an elephant based on what they are touching. So to one it's a snake, to another a wall, to another a tree, etcetera. In the end, "Though each was partly in the right, all were entirely wrong." It is true that there are established elements of the field that know how to secure the part of the elephant that they touch. But until we are able to amalgamate that knowledge into a single coordinated solution, we can't realistically say we are protected.
That is where formal education comes in. Education shapes behavior. For that reason, a coordinated program of education can be a powerful force for ensuring correct practice in any field. And it is education's historical impact on society that makes it the logical place to start. Nevertheless, there are a number of systemic and cultural challenges that have to be overcome before education can become the white knight that we require.
First, according to a report from the National Academies of Science, cybersecurity is an emerging discipline. Consequently, it is not really clear what ought to be taught. Worse, all evidence points to the fact that whatever we should be teaching is cross-cutting. In essence, elements of the discipline can be taught in places as diverse as engineering, business, and law.
Notwithstanding the question of what to teach, there is also the question of how to change faculty behavior. It is manifestly unfair to ask people who have specialized in some aspect of the field to just drop what they have been doing for all these years and pick up a new line of teaching and research. In fact, given the freedom that tenure affords, that is simply not going to happen.
So, a new breed of professional will have to be created; one with the knowledge and vision to deal with the whole problem, not just the part that happens to catch their fancy. It should be obvious that a broad-scale academic strategy has to be based on a comprehensive definition of the field. That strategy should ensure that the right learning experiences are provided to the right people, across the educational landscape.
However, an effective strategy requires understanding the status of the existing educational landscape, which is much more complex than people appreciate. Classic education encompasses three domains. Those are, in order of formality, Awareness, Training and Education. A fourth area is the Research activity that supports all domains. Each domain can involve systematic, curricular or programmatic schemes, as well as unsystematic, "ad-hoc" efforts.
If the aim is comprehensive cybersecurity, then all of these modalities apply to all of the normal areas of society, government, industry and academia. Because the cultures of each of these communities of interest are so different, the awareness, training and education needs vary. The confusion is compounded by the fact that there are no central accreditation bodies to unify the discipline. In essence, there is not a single entity that certifies the field of information assurance, or standardizes it, or even makes the sort of recommendations that educators need in order to know which authority to adopt and follow.
The articles in this Journal address ways to more effectively develop the knowledge, skills and abilities of the IT workforce as well as the general user community. A digitally literate workforce is vital to our economy and to the security of our critical infrastructure. Therefore, we must find ways to prepare all of our citizens for work in the digital world. Because cyberspace represents the next frontier, that preparation has to have the same priority in our general education strategies as science, technology, engineering, mathematics, reading, writing and other critical subjects.
The contents of this Journal focus on developing and maintaining a deep pool of talented cybersecurity professionals. It will present and discuss an up-to-date set of approaches to ensuring a continuously capable workforce, and it will present best practices for practical recruitment, education and retention of trained cybersecurity professionals.
What you will find in this issue are nine carefully selected papers that discuss aspects of how to bring information system security education into the mainstream. They represent many avenues of thought. It is our considered opinion that this sort of wide-ranging dialogue constitutes the first steps in overcoming existing hurdles, and that it begins to ensure that information system security education will evolve into the mature discipline that we expect it to be.
We would not have been able to do this alone, and so we would like to acknowledge Tamara Shoemaker for her outstanding work in managing the review process, and our colleagues who served as reviewers for this issue:
Dr. M. Aboutabl, Dr. D. Bhattacharya, Dr. M. Bishop, M. Black, C. Calhoun, Dr. A. Conklin, Dr. A. Curbelo, Dr. D. Dasgupta, Dr. A. Dudley, M. Dupuis, Dr. A. Ghararian, K. Gregory, Dr. J. Hoag, Dr. S. Kaza, J. Knight, Dr. Y. Pan, Dr. T. Papageorge, Dr. R. Pike, Dr. J. Pittman, B.G. Raggard, Dr. D. Rowe, R. Sherman, Dr. D. Shoemaker, K. Sigler, Dr. A. Siraj, Dr. P. Starland, S. Sullivan, S. Travelsi, V. Werner, Dr. G. White, C. Wilson, S. Yoo, Dr. C. Yue and N. Ziring
Special thanks to our Paper Chairs, Susanne Wetzel, Dan Shoemaker and Tanya Zlateva, and to our Reviewers.