Panel 3: Security Education and Training (Panel Summary)
Thursday, April 4th, 2013
- Diana Burley, Associate Professor of Human and Organizational Learning, George Washington University
- Melissa Dark, Professor, Computer and Information Technology, CERIAS Fellow, Purdue University
- Allan Gray, Professor and Director, Center for Food and Agricultural Business and Land O’Lakes Chair in Food and Agribusiness, Purdue University
- Marcus K. Rogers, Professor, Computer and Information Technology, CERIAS Fellow, Purdue University
- Ray Davidson, Professor of Practice and Dean of Academic Affairs, SANS Technology Institute
Moderator: Professor Eugene Spafford, Executive Director, CERIAS
Summary by Rohit Ranchal
Current technological advances and the shortage of cyber security professionals require us to focus on cyber security education. The main challenge is how to fit the identified needs into a practical education or training program. Given the modern trends and the popularity of MOOCs (Massive Open Online Courses), it is very important to consider online and distance education for cyber security. One important requirement is to have a business model in place to structure the MOOCs, because right now they are only doing information dissemination. We need a structured curriculum that can take advantage of the freely available MOOCs.
The current trend in security problems suggests that we are moving away from traditional problems like protocol vulnerabilities and reviewing RFCs to fix them. Most problems, such as policy-based vulnerabilities and social engineering, occur at the application level and the end-user level. So it is important to have exposure to the changing problems and to understand the associated legal and regulatory environment. Professionals need to be trained in organizational dynamics such as budgeting and investments, which are important to the business. Awareness of the bigger issues is also important, alongside technical expertise.
One important thing to consider in information security education is the target population. When we consider educating everyone in the security-awareness space, we focus on campaigns, reaching into K-12, educating elderly people, talking about cyber security war, etc. But the instruction language is not particularly persuasive. It is very important to think about the instruction language when the target audience is the mass public.
Our current education system focuses on professionalization. Professionalization is a social phenomenon. A cyber security professional is someone who has to deal with high levels of uncertainty and high levels of complexity. A professional can have a specific technical background or expertise, or can have skills in the interdisciplinary space. The framework proposed by the National Initiative for Cybersecurity Education lists seven high-level job roles, including some non-technical job roles as well. Cyber security professionals are not only in the cyber security profession; they also occupy hybrid roles in the interdisciplinary space. Thus professionals should be educated and trained in such a way that they can carry out multiple tasks in their hybrid roles. Professionalization could also mean credentialing, education/degree, codes of ethics, certification, training, apprenticeship, etc. Professionalization can be debated in terms of various aspects, such as applied vs. theoretical knowledge, concepts vs. technologies, vocational training vs. degree education, immediate needs vs. future needs, generalists vs. specialists, etc. We need to consider all these aspects. The underlying point is that professionalization induces a change in behavior. An important way to achieve that is through apprenticeship and mentoring. In some other professions, apprenticeship and mentoring are strictly required after completion of a degree in order to acquire practical training, and on successful completion the person is considered a professional. We need to bring apprenticeship and mentoring back into the security education curriculum. But things in the security space are changing so rapidly that no matter how much education is given, professionals will have to deal with high levels of uncertainty and complexity. One way to address this is to have people who are excited about the profession and are willing to constantly learn and enjoy it.
Professionalization should not be considered an end-point at which one arrives. The obvious question is how to find such people.
Some institutes, like the SANS Technology Institute and (ISC)2, address this problem through certification. But how can we measure whether the certifications have any real value? It depends upon the training, knowledge and experience that goes into the certification. There are many different types of certifications, from weekend certifications to highly specialized certifications. Another thing to consider is that certification implies that a professional has some valuable knowledge today, but says nothing about tomorrow, when the threats, situations and environment change. There is a shortfall of individuals at present, but how can we ensure that our education system balances that need for today with the need for professionals who are able to learn, analyze and synthesize the challenges of tomorrow that are not yet known?
If we look at other professions, many of them require licensing. Professionals in such professions have to renew their licenses to stay current with technologies and skills. Another difference is that cyber security professionals don't carry the same liability if something goes wrong (e.g., a system gets hacked) as some other professions do; if a bridge falls down, you can go to the civil engineer. Consider a situation in which all security jobs require a certification, and an organization hires a professional without certification to build a system that then gets broken into: there can be terrible consequences, such as lawsuits. You also have to consider that building a system requires system designers, developers and users. It's not easy to declare someone liable. The liability model is not appropriate at present, but we should move in that direction.
An important concern while educating and training security professionals is how to prevent them from turning bad, such as ethical hackers becoming unethical hackers. The argument is that there is a high risk with information dissemination alone, but with education that risk is lowered. The goal of education is not just to impart knowledge but to provide the context, the morality and the ethics, and to teach that there are consequences to actions. Education is a socialization and enculturation process that induces the change in behavior. Education curricula should be designed in such a way that the mentor can effectively measure that change in behavior.
While addressing the education problem, it is important to understand that governments tend to be reactive and to focus on present problems rather than being visionary, so it is very important for universities and industry to be visionary and to drive education and training that focuses on the future and not the past.