
Information Security Education

Abstract

Information technology (IT) has permeated all aspects of human endeavor and has come to redefine our approaches to both private and public organization. The activities performed by network administrators and security staff are increasing, coupled with daily cyber-attacks. As a result, information security officers need to have up-to-date education at all times. Even the intricacies of information warfare and the ability of an organization to provide security for its assets are now heavily dependent on the effort of that organization to take advantage of the offerings of IT. The diploma and degree programs offered by most higher institutions are limited in terms of skill and knowledge, and employers' expectations are not met (Hentea & Dhillon, 2006). As a result, employers are forced to employ people with different certificates, incurring more expense on training personnel. Therefore the urgent need arises to evaluate information security education worldwide and identify curricular resources for improving the educational system.

Information Security Education

The lack of qualified personnel is one of the most common causes of failure of users of information technology (IT) to ensure the security of their assets and information (Furnell & Clarke, 2005). A high-quality information security curriculum is very important at the educational institute (Irvine, Chin, & Frincke, 1998). Academic programs are designed to provide mainly theoretical background and ways of solving problems that are common in the information security sector, while professional and vendor certifications certify competency and skills (Hentea & Dhillon, 2006). Most establishments now employ IT professionals based on academic qualifications, professional certification, and vendor-specific certification (Hentea & Dhillon, 2006). Professional certifications cover very narrow and specific areas, while academic qualifications cover a wider area of knowledge and skills. A wide gap exists between the skills acquired by fresh graduates from the various institutions and the expectations of employers; this gap is being filled by professional and vendor-specific certification (Hentea & Dhillon, 2006). As a result, the necessity arises to evaluate the quality of academic information security programs and ensure that graduates acquire the skills expected by the industrial sector.

Collaborative Learning Model

Collaborative learning is a method of learning whereby two or more people learn together; it is an approach involving joint intellectual effort by both the teacher and the students (Smith & MacGregor, 1992). The collaborative learning model makes learning more efficient and faster, pools varying knowledge and expertise so that a particular task can be accomplished, critically assesses what is produced to improve its quality, permits contrasting viewpoints to be developed, sets up cooperative links, and develops communication skills (Hartley, 1976). With the collaborative learning model, learners can articulate their own learning needs and goals. As a self-learning method, each person learns according to personal needs and discusses with other learners (Callaghan, Watts, McCullough, & Moreau, 2009). The group works at a level of independence appropriate to the high competencies developed in their education program. Multiple approaches to solving problems are discovered from various experiences (Callaghan, Watts, McCullough, & Moreau, 2009).

Information Security Education in US

The National Security Telecommunications and Information Systems Security Committee (NSTISSC) and the National Institute of Standards and Technology (NIST), as well as many others, are responsible for setting up procedures for training and education (Hentea & Dhillon, 2006), as shown in Table 1. The ISO 17799 Information Security Management standard of 2000 and 2002 contains the necessary requirements for information security education and training. All government organizations are to develop and implement their education, training, and awareness plans for national security systems as directed by the NSTISSC (Hentea & Dhillon, 2006).

Table 1: Skill categories and number of universities certified.
________________________________________________________________________
NSTISSI Standard (Year)   Skill level                             Number of universities certified
________________________________________________________________________
4011 (1994)               INFOSEC Professionals                   53
4012 (1997)               Designated Approving Authority          19
4014 (1997)               Information Systems Security Officers   12
4015 (2000)               Systems Certifiers                       7
4016 (in preparation)     Risk Analyst                             0
4017 (in preparation)     System Security Engineer                 0
________________________________________________________________________

The diploma and degree programs offered by most higher institutions are not adequate in terms of skill and knowledge, and employers' expectations are not met. As a result, employers are forced to employ people with different certificates, incurring more expense on training personnel. An urgent need arises to evaluate information security education worldwide and identify curricular resources for improving the educational system (Hentea & Dhillon, 2006). It is remarkable that no university is certified on skills like system security engineer and risk analyst, which are very important to many organizations, as shown in Table 1.

Table 2: Summary of Information Security Assurance (ISA) Programs
________________________________________________________________________
Degree/Certification and/or ISA Program                 Number of Universities
________________________________________________________________________
PhD with Concentration in Information Assurance (IA)     7
MS with Concentration in IA                             30
BS with Concentration in IA                             22
Certificate Programs                                    22
Research Centers/Institutes                             29
Advanced Laboratories                                   15
Partnerships between Schools                             9
Scholarship Offerings in IA                             19
Specialized Seminars/Workshops                          13
Online Course Offerings                                  5
________________________________________________________________________

Methods Deployed to Educate Staff

Currently, I work with the Energy Commission of Nigeria (ECN), established in 1988 with the mandate of strategic planning and co-ordination of national policies in energy-related matters (About ECN, n.d.). The commission advises the government on the funding of energy research, development, production and distribution. The IT department, known as the Energy Information System (EIS), is responsible for gathering, analyzing and disseminating information relating to energy and for developing and managing the National Energy Databank (Establishment of the E.C.N, n.d.). The interview question is: What methods are deployed in the organization to educate staff on information security? The answers are as follows.

Vendor Specific Certification

The commission uses some of the following methods to educate the staff on information security. In 2005, courtesy of the current Chief Executive Officer (CEO), the commission embarked on massive training of staff in the IT department on vendor-specific certifications such as Microsoft Certified Professional (MCP), Network+ and A+, and on short courses on cyber security. The head of the IT department also pointed out that since the training, the department has been responsible for the training and creation of awareness programs on information security among the staff. The trainings are aimed at producing computer security professionals among the staff, as stated in (Cicalese, DeWitt, & Martin, 2005).

Information security and file management

Users form the largest audience and the most important group of people assisting in reducing security errors and vulnerabilities (Wilson & Hash, 2003). The users are the employees of the commission, the target of this security awareness. Areas covered include disk drives, folder and file manipulation, opening and saving new documents using password encryption, and searching for lost documents; personally owned systems and software used at work, software license restriction issues, supported or allowed software on organization systems, access control issues, and IT policy. Other areas covered include desktop security (use of screensavers, restricting visitors' view of information on screen) and protection of confidential information until it is destroyed.

Viruses, worms, Trojan horses, and other malicious codes

This sub-topic covers virus characteristics and prevention, antivirus application protection, protection from viruses, worms, Trojan horses and other malicious code, and scanning and updating antivirus programs. In July 2008, Slovenske novice reported that three Slovenes suspected of creating a dangerous computer virus, which had infected over 13 million computers in over 750 major companies and at least 40 banks in the US, were arrested (Three Slovenes suspected of creating "most dangerous computer virus", 2010).

Internet and cyber security

The training gives awareness on internet and cyber security using various methods of offensive and defensive information warfare. Areas covered include handling unknown e-mail attachments, safe web usage, spam, social engineering, shoulder surfing, and secure transmission of sensitive and confidential information over the internet using a virtual private network (VPN) and other computer security measures.

ECN ICT Policy Strategy

The commission uses the ECN ICT policy as a strategy for transforming the teaching and learning of information security and risk among the staff. As part of its efforts to achieve its mandate, the commission uses ICT infrastructure as a tool to achieve its statutory mandate and objectives. The policy is used as a tool to develop adequate and proficient capacity in the use of ICT among employees. The policy document contains a set of policies governing the use of ICT facilities at the commission, including personal computers, laptops, PDAs, tablets and other portable devices, all software and office systems, all communications facilities, and any other hardware or software capable of storing any form of data or connecting to the Commission network. All staff, temporary or permanent, in any role, and elected Commissioners are required to indicate their acceptance of the provisions of these policies in order to have access to any of the facilities mentioned above. The document is to be treated as an extension of the financial regulations and standing orders, and non-compliance may result in disciplinary action being taken against the offender. It is therefore the responsibility of every member of staff to adhere to the policy. The contents of the policy are the security policy, acceptable use policy, change management policy, new systems policy, portable device policy, and remote/mobile working policy.

Personal Self-Development in IT

The commission encourages personal self-development in IT-related areas among its employees. Staff are permitted by the organization to use the commission's ICT infrastructure for their personal learning and development. The establishment permits and encourages the pursuit of online or part-time academic qualifications leading to a diploma or degree, as a step towards the training and development of its IT staff. The IT department of the commission frequently considers the effectiveness of the teaching and learning of information security and risks among the staff. The content of the IT curriculum is reviewed on a regular basis. The training model is grouped into technical and non-technical. The technical knowledge comprises technical security control, database security, programming and design (Smith, Kritzinger, Oosthuisen, & Von Solms, 2005). This is influenced by the needs of the commission and by new developments in IT such as e-commerce, multimedia, wireless applications, intelligent information technologies, safety and security, software assurance, knowledge management, fault tolerance and survivability (Hentea & Dhillon, 2006).

Theoretical and Practical Approach

The theoretical aspect of information security is linked with a practical section such that the individual acquires the ability to put theory into practice (Hsu & Backhouse, 2002). The participants also learn how to develop safety measures against cyber-attacks, information security management, and cyber space control (Hentea & Dhillon, 2006). Newer viruses, worms, spam attacks, denial of service attacks and unauthorized intrusions are detected every day (Hentea & Dhillon, 2006). The commission uses the latest software and hardware as a method of updating and maintaining its training program on information security and risks.

Conclusion

Collaborative learning is one of the most effective educational approaches used in educating staff. Based on the interview conducted with the head of the EIS department, the commission lacks staff with professional qualifications in information security certifications such as CISSP, SSCP, CISA and GISEC. Information security is treated as a matter of serious concern through the enforcement of the ECN ICT policies and the various in-house training programs conducted. Unlike the security specialization discussed in (Furnell & Clarke, 2005), the commission encourages informal education among its employees. A master-apprentice relationship method, whereby an older member of staff trains new staff in the organization, is used by the commission. The method is indeed a very effective and useful method of teaching important security issues in the commission.

References

About ECN. (n.d.). Retrieved from http://www.energy.gov.ng/index.php?option=com_content&task=section&id=4&Itemid=27

Callaghan, D., Watts, W. E., McCullough, D. L., & Moreau, J. T. (2009). The experience of two practice education models: Collaborative learning unit and preceptorship. Retrieved from http://www.sciencedirect.com.proxy1.ncu.edu/science?_ob=MImg&_imagekey=B6WNW4TRHC6H-11&_cdi=6973&_user=7629509&_pii=S1471595308000991&_orig=search&_coverDate=07%2F31%2F2009&_sk=999909995&view=c&wchp=dGLbVtbzSkzS&md5=1ad27d6dac7a83ffd5441479c381f57e&ie=

Cicalese, C., DeWitt, J., & Martin, C. D. (2005). Ethics across the computer science curriculum. Proceedings of the 43rd ACM Southeast Conference. Kennesaw.

Dornseif, M., Gartner, T., Mink, M., & Pimenidis, A. (2005). Teaching data security at university degree level. In N. Miloslavskaya & H. Armstrong (Eds.), Proceedings of the IFIP TC11 WG 11.8 Fourth World Conference on Information Security Education (WISE4), 213-222. Moscow.

Establishment of the E.C.N. (n.d.). Retrieved from http://www.energy.gov.ng/index.php?option=com_content&task=view&id=5&Itemid=6

Furnell, S., & Clarke, N. (2005). Organizational security culture: Embedding security awareness, education and training. Proceedings of the IFIP TC11 WG 11.8 Fourth World Conference on Information Security Education (WISE4), 22-35. Moscow.

Hartley, J. R. (1976). Managing models of collaborative learning. Retrieved from http://www.sciencedirect.com.proxy1.ncu.edu/science?_ob=MImg&_imagekey=B6VCJ3VW1PFN-K2&_cdi=5956&_user=7629509&_pii=0360131595000860&_orig=search&_coverDate=04%2F30%2F1996&_sk=999739998&view=c&wchp=dGLzVzzzSkWb&md5=c59a494dd30072e3c40e1038488c72f3&ie=/

Heimerl, J. L., & Voight, H. (2005). Measurement: The foundation of security program design and management. Computer Security Journal, 1-20.

Hentea, M. (2007). Intelligent system for information security management: Architecture and design issues. Retrieved from http://proceedings.informingscience.org/InSITE2007/IISITv4p029043Hent387.pdf

Hentea, M., & Dhillon, H. S. (2006). Towards changes in information security education. Journal of Information Security Education. Retrieved from http://jite.org/documents/Vol5/v5p221233Hentea148.pdf

Hsu, C., & Backhouse, J. (2002). Information systems security education: Redressing the balance of theory and practice. Journal of Information Systems Education, 13(3), 211-218.

Irvine, C., Chin, S. K., & Frincke, D. (1998). Integrating security into the curriculum. Computer, 31(12), 25-30.

Smith, B. L., & MacGregor, J. T. (1992). What is collaborative learning? Retrieved from http://learningcommons.evergreen.edu/pdf/collab.pdf

Smith, E., Kritzinger, E., Oosthuisen, H. J., & Von Solms, S. H. (2005). Information security education: Bridging the gap between academic institutions and industry. In N. Miloslavskaya & H. Armstrong (Eds.), Proceedings of the IFIP TC11 WG 11.8 Fourth World Conference on Information Security Education (WISE4), 45-55. Moscow.

Three Slovenes suspected of creating "most dangerous computer virus". (2010). Retrieved from http://proquest.umi.com.proxy1.ncu.edu/pqdlink?Ver=1&Exp=07-222015&FMT=7&DID=2087742851&RQT=309
