Archives

Papers

The US National Security Agency (NSA) established a program in Information Assurance education in 1999 that established Centers for Academic Excellence in Information Assurance Education (CAEIAE). While designated a success by the government, the program has been criticized over the years by program participants as less than optimal. In this paper, we review the program and identify the most serious problems. We then suggest possible solutions to these problems in order to improve the program so that it represents true excellence in IA education.

In this paper we introduce a framework that provides a model for describing security measures and their relative effectiveness as well as importance. This model enhances computer security training and educational curriculum by providing experimental data and analysis to educators and students. Business environments will benefit from this model by enabling more cost effective allocation of scarce IT and security resources. Additional benefits include but are not limited to better development of operating systems, applications, and user interfaces.

In this paper, we present a new pedagogical tool called AEGIS for educating college students about the importance of patch and vulnerability management. The tool is designed and developed in a bottom-up fashion by a group of eight students in accordance with the NIST patch and vulnerability management guidelines. Experience gained while devising various subcomponents of AEGIS could provide students with the much needed hands-on practical training in security and system administration curricula. Lastly, the possibility of using AEGIS as an educational tool to teach and assist day-to-day users with patch and vulnerability management is explored.

This paper discusses the need to develop a common understanding of a curriculum which prepares students to practice in the field of Information Assurance (IA). A study of public documents, congressional hearings, published papers and conference presentations regarding the state of cyber security in America was conducted to discover commonality regarding cyber security education and training. The document review discovered, within academia, information assurance education is not consistently approached; there is a lack of definition and corresponding need for specificity regarding information assurance curriculum. Furthermore, a nearly decade long government call to action for academia to produce increasing numbers of information assurance professionals may not have come to full fruition.

United States (U.S.) government agencies and defense contractors are the target of extremely complex foreign state-sponsored cyber attacks referred to as the “advanced persistent threat.” These attacks are intended to steal sensitive information, such as national defense, research and development, and personal information. While the techniques for information gathering to determine targets (both information assets and people) may be complex, a common method used for infiltrating networks is simple social engineering. Technical controls may be used to tighten access controls but are not the total solution. Changing employee behavior through security awareness is required.

The number of tertiary institutions gaining recognition as a Center of Academic Excellence in Information Assurance has increased steadily since its inception. Although there is some debate on the desirability to align ‘university education’ with training standards and certifications, such recognition provides a baseline of skills and knowledge upon which the information security industry may rely. The task of developing IA curriculum to meet the needs of the standards compliance is a detailed and time-consuming task, with much duplication of effort across educational bodies. This paper presents the idea of using lab exercises to meet the needs of the CNSS standards, which form the basis of the CAEIA requirements and at the same time provide meaningful and interesting learning experiences for the students.

While the emphasis on computer security education within specialized courses is easy to justify and achieve, it is much more challenging to introduce these concepts across the computer science curriculum to begin to “change the culture” of computer science students in order to create a foundational appreciation for and understanding of computer security issues. This paper describes some techniques that have been applied in early computer science programming courses at the University of Alaska Fairbanks to facilitate computer security education among beginning programming students through the use of computer security-focused programming assignments. This provides a mechanism for strengthening computer security skills within the scope of the traditional course content to foster an awareness of information assurance concepts.

The Maryland Alliance for Information Security Assurance (MAISA) is a consortium of 15 community colleges, colleges, and universities led by Towson University. By working collaboratively, we have been able to strengthen our information assurance education programs. We present our consortium, and describe some of our current projects and the effects that they have had on our information assurance education programs.

Despite its clear and growing importance, computer security education is often relegated to a secondary role in undergraduate curricula. Exposure to computer security concerns is often limited to specialized courses and tracks that reach only a small percentage of students, often late in their academic careers. Effective security education approaches must engage more students earlier in their education. These techniques must be adaptable to fit the needs of differing educational institutions and student bodies. Our earlier work with checklist-based security lab modules in CS0 and CS1 provides a basis for a model that can be applied throughout the undergraduate curriculum and at a wide range of institutions.

This paper provided an example for the development of an interdisciplinary Information Technology (IT) Auditing curriculum by mapping the CNSSI/NSTISSI standards with the prevailing ISACA IT Auditing Model Curriculum. IT Auditing involves assisting public or private organizations in ensuring that their information technologies and business systems are adequately protected and controlled. Consequently, IT Auditing professionals need to have a solid grounding in information technology, information assurance, auditing process, as well as regulatory and compliance frameworks. Through our standard mapping processes, we were able to discover the discrepancies between IA and Auditing and proceeded to redesign our current IA curriculum.

 
 