The CPHC/(ISC)2 Cybersecurity principles and learning outcomes for computer science and IT-related degrees document from 2015 identifies five core themes:
Although the primary focus of this document is to outline how the material developed through this project can be used to target these themes, there are some broader comments on general and specialist infosec education, followed by some broader reflections on general computing and information systems education.
This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.
Each theme in the document is provided with:
In this section and the accompanying spreadsheet, we primarily concentrate on the core concepts and show how they are covered in the material from this project. In each of the sections below, we list the material against the core concepts. In the vast majority of cases, this material is aimed at generalist IT students, not specialist infosec students.
Core concepts listed are
The material provided mostly concentrates on the high-level concept of C-I-A for information and using this for an assessment of the threats, vulnerabilities and risk associated with an information system. Throughout, this should be viewed holistically — all the components, human, software and hardware, along with the intended processes together.
The material emphasises some classic areas of risk, primarily database injection and cross-site scripting (XSS). These are commonly attacked in naïve applications. Buffer overflows aren’t directly covered; although they remain of interest to technical attackers, something like a simple break-in via the web front-end of a system is often easier.
The material provided places much emphasis on recognising end-users. Practical experience of projects suggests they are often forgotten, resulting in a poor UX or mismatches with existing (actual) business projects. Sometimes the users then work around these, resulting in security failures. Many students will not have come across business processes such as JML (joiners, movers and leavers), but will have been a subject of these processes in any work experience, previous/current jobs, and enrolling at a university, so should be able to call on that experience.
The “Controls” section is marked in brackets. The CPHC/(ISC)2 document expands this across physical controls, process/operational controls, logical controls, and technical controls. Most junior IT professionals will not often consider physical controls (dealt with by estates! — but mobile/agile working makes this more “exciting” as we lose much protection), and some areas such as firewalls, malware and patch processes will be specified in existing IT policies and processes. Being aware of the process/operational and technical issues is valuable, e.g., least privilege, access, authentication, authorisation. A basic understanding of the need for firewalls, and of when to ask for help with cryptography, is useful.
Emphasis in the material developed addresses classical issues of validation and sanitisation. This addresses some of the issues raised, particularly in theme 2. Comms elements (e.g., always use HTTPS with valid certificates) are “obvious” to experienced practitioners but are corners sometimes cut by inexperienced or rushed developers. The potential of virtualisation and containers, and the emerging risks (and benefits) of cloud deployment, arise here.
The material covers several areas in moderate depth, particularly incident response and the wider organisational constraints on both IT development/deployment and the demands of, and necessary compromises with, regulation. Minimum strict compliance can be (relatively) easy, but sufficient due diligence is far more complex. Examples and ethical dilemmas can be easily highlighted here for generalist students.
Final year projects (and other team projects) can cover a lot of useful areas without detriment to other aspects of the project, ideally to cover
It should be clear that a large swath of the CPHC/(ISC)2 themes can be covered, albeit at a relatively cursory level.
Those with an information security aspiration could choose an infosec-relevant project — see comments below on “general vs. specialist cybersecurity / infosec curricula” for possible areas to look for ideas.
…this is not currently easily visible. However, much is aligned against CyBOK…
The Cyber Security Body of Knowledge provides
[a] comprehensive Body of Knowledge to inform and underpin education and professional training for the cyber security sector.
The CyBOK project aims to bring cyber security into line with the more established sciences by distilling knowledge from major internationally-recognised experts to form a Cyber Security Body of Knowledge that will provide much-needed foundations for this emerging topic.
This describes 21 “knowledge areas” covering a breadth of topics. YMMV.
The ACM’s Computing Curricula 2020 is a thorough document, but possibly not quite as usable as a primary source for choosing content to cover. It references other frameworks, e.g., SFIA.
Some final thoughts (from August 2022): in the current position,
the CPHC/(ISC)2 gives a good general coverage. From someone in a governance / infosec specialism, my hope for general IT practitioners I encounter is
Specialist students’ curricula will depend much more on the particular infosec specialism. However, regardless of choice, the areas which should directly inform any curriculum decisions are
I have placed these in rough priority order for specialists. CIISec’s frameworks are currently more mature and (once through a paywall) are more accessible. They have an academic partnership programme. UKCSC’s will be more relevant as it matures as an organisation, especially if it continues on the planned route of providing some form of chartered status or accreditation. CyBOK is most useful to supplement the areas identified as of interest.
Specialist students with a more practical interest may be better aligned to the CIISec/UKCSC aspects, whereas those with theoretical/research interests might find more of use in CyBOK.
(22 Aug 2022) https://pauljerimy.com/security-certification-roadmap/ — shows the sheer volume of certifications available, albeit with a US focus.
I write “IT” as a shorthand here for the huge field of IT, computing, information systems, ….
For infosec people: they come from all sorts of backgrounds. (This is mentioned in the induction / career type parts of lectures.) Although there are some highly specialised roles, all infosec people need to understand how IT fits into organisations in the big picture. Again, that means that the IT is there to solve a problem for people.
Future visiting professors — I think the most useful contribution over the three years is not something easily recorded here. The conversations with students (and staff), in passing before and after lectures, are an area where different experiences count — something brought by the VPs. Other opportunities are in small group teaching, particularly for final year projects and group projects: I spent much time in conversations in tutorial classes, sometimes about the topic at hand, but often ranging much more widely. This does not scale and is something where VPs will be able to continue contributing.