RUNNING HEAD: CYBER SECURITY K-12 EDUCATION BECAUSE EDUCATION IS

PROTECTION

Cyber Security K-12 Education Because Education is Protection

Suzanne Zainea

Central Michigan University

CYBER SECURITY K-12 EDUCATION

In February, a United States research group published their statistics on cyber hacking.

Three hacks per minute are astonishing but they also estimated over 30 million hacks per day

(NextGov, 2017) (Hackmageddon, 2017). Cyber security is an ever-growing threat to us

personally and to the global economy. Who is being targeted? Hackmageddon reported,

business/industry, The U.S. Government, educational institutions, healthcare databases and the

United States Military are the top targets. The only prevention is cybersecurity.

What is cyber security? The National Initiative for Cybersecurity Education (NICCE)

Workforce Framework defines cybersecurity as The activity or process, ability or capability, or

state whereby information and communications systems and the information contained therein

are protected from and/or defended against damage, unauthorized use or modification, or

exploitation (NICCE, 2017).

Policy Report

Hackers take our information and thus, take our control. They steal our identities, break

into our banking systems, hack medical devices, transportation modes and even threaten our

national security. Are you concerned? If you are not concerned, let us take a look and the link

for the NORSE Attack Map (NORSE Attack). This map illustrates the rank in order of attack

origin, type and target. The filter will also display the IP Addresses of attack and the display of

each country being attacked. Other satellite cybersecurity breach maps include Kaspersky, Check

Point and Fire Eye. Cyber hacks are the most critical threat our nation is facing; the problem

grows each year with more cybersecurity breaches reported continuously. The hackers are

becoming more sophisticated and their reach is covering the globe (CyberHeist, Sjouwerman,

2016).
CYBER SECURITY K-12 EDUCATION

How does this happen? We have many questions surrounding cybersecurity. First, we

must understand code. Computer coding is the language that makes the computer operate. More

or less it is lines of text that perform an operation or a function. When these lines of text or code

are altered, copied or stolen, unknowingly or unwillingly, a cybersecurity hack occurs. If we only

we understood coding then we can prevent hacking. Though acquired knowledge of coding and

hacking we can protect our futures, and ourselves but we must prepare now! Our changing world

demands are in need of a just in time training program.

Current Policy

Recent Legislation

A bill in 2002 was brought forth for the education of cybersecurity technology under the

directive of the Homeland Security Act, and was approved by the House at that time. The bill

recognized the need for cyber education through the Educational at Workforce Initiative. As

recent as February 7, 2017 an amendment to this bill called forth by Shelia Jackson Lee, of

Texas, which included research of K-12 science and technology education board of Advisors to

make new recommendations regarding a K-12 curriculum to initiate guidelines for future

technology curriculum. The new curriculum is to include K-12 cybersecurity by the 2017-2018

school year (Summary: H.R.935 115th Congress (2017).

Equity and Diversity

This bill also includes federal funding for guest speakers, curriculum materials and

funding for low income school districts and minorities specifically mentioned primarily;

African-American, American Indian, Latino and Asian heritage districts.

CYBER SECURITY K-12 EDUCATION

Implementation has NOT yet been decided. But the issue is current, the issue is now and

a call to action has begun with the new implementation of H.R. 935. The next steps will be to

form an advisory committee for the formation of glicks, duties, tasks and outcomes. Then

formulate K-12 curriculum based on the outcomes of the advisory committee(s). Prepare funding

thought the federal government, as promised in the bill, and though grants. Train administrators

educators and presenters before implementation, which may take years.

Research

Policy Players In Action

There are currently several grass roots groups, small interest groups of people working in

conjunction for the same outcome. grass roots. I was paying close attention because I was

speaking next, but more importantly, because we grassroots grant makers both ask and are asked

that question regularly, and what we hear varies tremendously. But the best quote from

Richardson is, A grassroots organization is a seed that grows. (Richardson, 2015)

This is exactly what had happened in K-12 cyber security. Many grass root groups have

formed across the United States to ask for more education to be taught in our schools for

cybersecurity. However, the group NICE has emerged as a leader, bringing this issue before the

courts last year through the Department of Homeland Security and the Department of Defense.

NICE has developed a possible Strategic Plan: for Early STEM Strategies from which a K-12

curriculum could be derived. The diagram found on the following page depicts the arms of

NICE and their primary objective. By involving NICE the policy process for change ran

through the courts at a rapid pace, bypassing many political pathways a mandated curriculum
CYBER SECURITY K-12 EDUCATION

would typically take. It is time for the state and local agencies to catch up and that is now

underway.

NICE Model

Their Primary Objective

Help the cybersecurity workforce to partner with local schools, thus providing content

Mr. Robin, Montana, Williams is the Chief Operating /Information/Security/Risk

Officer & Cyber Evangelist at Cyber World Institute, based in Las Vegas, Nevada - Information

Technology and Services and is currently part of Cyber World Institute, with operations in

Nevada and Michigan, and is previously associated with California State University, University

of Nevada-Las Vegas, College of Southern Nevada, Texas A&M, San Bernardino, ISACA, the

United State Department of Homeland Security and the Office of the Director of National

Intelligence. In a recent cyber clip interview Mr. Williams stated,

Our current education and training methods are

primarily knowledge-based delivery models, little to no skill-

based training and assessment occurs in the education, training,

and certification phases because they rarely leverage each other.

CYBER SECURITY K-12 EDUCATION

Skill and ability development has been left to the employer causing

a significant expenditure in time and resources. According, to a

2016 Intel Security and Center for Strategic and International

Studies survey only 1 in 4 organizations feel that recent

graduates from existing academic and certification programs

are fully prepared to execute given tasks. Because current

models do not address the three components require to perform a

given task: knowledge, skills, and abilities. (Williams, March 29,

2017).

Policy Recommendations for Change

I am proposing three educational solutions through a K-12 cybersecurity curriculum

implementation to help solve this current and growing problem. The Federal Government has

already decided to provide funding for awareness and resources regarding cybersecurity

education. We know that this is important because we all want and need to be safe on the Internet

and we want our information to be safe on the Internet.

1. K-12 Cybersecurity Awareness As an addition to current computer curriculum

Proposing a K-12 cyber hacking curriculum implementation within the school setting, as

part of computer classes already in place is one solution. We teach children as young as pre-
CYBER SECURITY K-12 EDUCATION

school about stranger danger. Yet, the stranger may be sitting on the other side of his electronic

device. Through curriculum policy changes in the K-12 setting, we could better equip our

students by teaching them safe Internet practices. The Stop-Think-and-Connect program, for

safety on the Internet was used this year, successfully, across the United States for voluntary

participating schools through NICE. The National Cyber Security Alliance Group has provided

ideas for topics of instruction for elementary cybersecurity ideas.

2A. Coding - Middle School Implementation and High School

At the middle school level we can begin teaching beginning programming and coding

through lessons in SCRATCH, https://scratch.mit.edu/, (MIT, Media Lab, n.d.) HTML hyper text

mark up language and simple BASIC Programming. Simple dBase applications could be taught

in the middle school curriculum and the manipulation of dBase would give the student an

understanding of how the dBase operates. Access usually comes with the Microsoft Office

package and is easily available and relatively low in cost. Safety on the Internet would continue

in a more sophisticated curriculum.

Cyber World Institute has been a forerunner in cyber security education and certification

of the Department of Defense. Although most of their interest lies in the postsecondary level

they did touch upon the idea of a K-12 cybersecurity curriculum. Cyber World does express a

deep interest in a K-12 cybersecurity curriculum and had this to offer during a personal

interview with President, Linda Montgomery. An excellent idea! We should start exposing our

American children to programming as soon as possible. We are so far behind the Chinese and
CYBER SECURITY K-12 EDUCATION

the Russians in this regard. They have cyber schools set up for children who learn to code as

young as middle school (Montgomery, February 19, 2017).

In a recent article the United Kingdom announced that they would be introducing

cybersecurity and hacking prevention courses to keep up with the China and Russia. The article

continues that children between the ages of 14-18 will be taught hacking and cybersecurity

(Dearden, 2017).
Can you imagine what they can do by the time they are in high school? It is not only

necessary but also imperative that we catch up. I love the idea of introducing programming

technology through Scratch. The children think that they are playing a game and dont even

realizing that they are learning how to use and manipulate code. They can also learn HTML at

this age (Montgomery, February 19, 2017).

As the students enter high school we would begin to teach higher level programming

languages such as C, Java, Java Script and Python, to name a few. The intrinsic idea is that as the

student learns to code and the process of coding he/she will then be able to understand the

mechanics of the cyber hack and thus, cybersecurity. At the local level we could propose a pilot

district to spearhead the curriculum. This proposed solution might require implementation

mandated at the state level. On a larger scale at the Federal level our nation would benefit by

producing true cybersecurity skills to all cyber users. In the long run we would create the first

cyber secure generation of technology users.

High School age curriculum advocates in the political and the educational arena are

interested in cybersecurity. At the October 2015 North American Cyber Security Conference,

Governor John Bel Edwards joking said, Either we are producing a state of fantastic

programmers or maybe a state of little hackers. Those opposed to teaching programming at

CYBER SECURITY K-12 EDUCATION

lower levels are concerned about the responsibility of children that may become cyber hackers

in an unethical manner. That is a possibility, however ethical usage of a computer would be part

of the cyber security curriculum.

2B. Vocational Technical Education Centers. Through Vocational Technical Centers and the

IT (Information Technology) curriculum a student could advance toward earning one of the top

5 Information Security Certifications while still a high school student. Included is a list of

certifications below. The first two are feasible, the third would be much too costly for schools

and the third group would require many years of study beyond the scope of high school

(Montgomery, February 19, 2017).

CYBERSECURITY CERTIFICATIONS

Feasible at the High School Vocational Education Level

CompTIA Security+
CEH: Certified Ethical Hacker

Too costly for High Schools ($10,000 per student)

GSEC: SANS GIAC Security Essentials.

Requiring Higher Education

CISSP: Certified Information Systems Security
Professional.
CISM: Certified Information Security Manager. (Both of
these require 5 years working experience to be certified.)
(Cyberheist, 2017).

A better track for high school would be A+ to Net+ to Sec+ to CEH to a specialty area

such as forensics, incident response, etc. Focus on the beginning/novice certs at the high school
CYBER SECURITY K-12 EDUCATION

Vocational Technical level, as this is applicable to a senior entering IT at the entry level

(Montgomery, February 19).

Vocational Technical Centers provide high school students the opportunity to acquire

skills that will result in their employment. The core purpose of the role of education at the

Vocational Technical Center is job training. What are the projections for the future job market

for cyber security certified student? The (United State Bureau of Labor Statistics, 2015)

estimate and 18% increase in the need for cybersecurity workers. This is one of the fastest

growing technical areas with a much higher than average growth rate.

The annual income for cyber security specialist is also comfortable salary. INFOSEC

Institute reports that the average payout to a Certified Ethical Hacker is $71,000 per year.

Remember, this is the lowest certification offered in cybersecurity. This school also offers

Ethical Boot Camps. The Boot Camps will provide intense training. 40 hours of instruction

concluding with a test for certification (Training Camp CEG v9 Boot Camp, 2017).

This career is in very high demand and the pay would be very enticing for high school

students. This program would fulfill the increase demand for cybersecurity workers in the

workforce, security our cyber user information while training our students at the same time for

gainful employment. In Michigan the programming language can take the place of the

requirement for foreign language. A topic many foreign language advocates do not like.

However, we can easily see that the employability and the need for security argument can be

made to offset this argument.

CYBER SECURITY K-12 EDUCATION

10

In the state of Michigan, Mr. Thomas Knight, is overseeing the development of

curriculum for a CTE (Career Technical Education) program, The Office of Career and

Technical Education would like to announce the addition of a new CTE program for

Cybersecurity. The new CTE program will operate under the CIP code and title of 11.1003

Computer and Information Systems Security/Information Assurance. (Knight, April 11, 2017).

Little change would be needed to implement this curriculum in the Vocational Technical

arena, since the equipment is already in place. The original implementation would be more

expensive at the planning and development stage than at the maintenance and updating stage.

3. Coalition of Business and Industry with Parent Interest Groups

A consideration for a solution was the implementation of a K-12 cybersecurity

curriculum taught by business and industry, parent groups and community leaders, such as

police.

This final policy change was disregarded after research and interview were conducted

based on the findings and opinion that when business and industry implement a program within

the school system interest fades and programs do not have a great overall follow through. But

with a strong community commitment and an excellent advisory committee that remains in

contact long term, this problem can be resolved. Several reasons exist for this outcome such as

lack of ongoing interest, changes in business owners, financial cuts and overall changes in values

(Fowler, 2013).

Recommendation for Policy Change

CYBER SECURITY K-12 EDUCATION

11

We should implement artful planning even though this topic has arisen out of discourse.

Fowler states discourse in education is expressed in a powerful language that links the issue to

deeply held value, hope, fears, and aspirations. Emotional words and expressions, including

assertions that the issue has a bearing of key national priorities such as military security and

economic growth (Fowler, 2013). The fear, hope and aspirations for a safe cyber world for the

United States are certainly the driving force behind the push for cybersecurity K-12 policy.

From my research and interviews, I have concluded that the best avenue for advancing

the K-12 cybersecurity curriculum is twofold. First, we must begin very young and the

elementary level to teach generalized safety on the Internet practices. Therefore K-12 awareness

must be a continual theme though out the curriculum. Second, programming should be

implemented at the middle school grades until high school graduation.

My final and strongest recommendation for policy change, is to expand the current

information technology programming career paths at the vocational technical centers and offer

certifications in CompTIA Security+ and CEH: Certified Ethical Hacker. We will see changes

soon and produce the first globally competitively safe, tech savvy, cyber secure aware United

States citizens.

Reference:
CYBER SECURITY K-12 EDUCATION

12

Department of Homeland Security. (2017). NICCS glossary. National initiative for cybersecurity

careers and studies. Washington D.C: U.S. Retrieved from https://niccs.us-

cert.gov/glossary

Deardon, L. (2017). British teenagers to be taught 'cyber curriculum' to defend UK against threat.

The Independent Magazine. Retrieved from https://www.msn.com/en-

gb/news/uknews/british-teenagers-to-be-taught-cyber-curriculum-to-defend-uk-against-

threat-of-hacking-attacks/ar-AAmPzZ2?li=BBoPRmx

Deruy, E. (2016). A plan to teach every child computer science. The Atlantic Monthly Group.

Retrieved from https://www.theatlantic.com/education/archive/2016/10/a-plan-to-teach-

every-child-computer-science/504587/

Education and the Workforce; Science, Space, and Technology; Homeland Security, 2017 H.R.,

H.R. 935, 112tg Cong (2002), Amended, Cybersecurity and Infrastructure Protection

(2017)

Fowler, F. (2013). Policy studies for educational leaders (4th ed). (pp. 137-138, 159) New Jersey:

Pearson.

Fung, B. (2013). How many cyber attacks hit the United States last year? NextGov. Retrieved

from http://www.nextgov.com/voices/brian-fung/6868/

MIT Media Lab. (n.d.). Scratch online creativity lab. Lifelong Kindergarten Group. Retrieved

from https://scratch.mit.edu/about
CYBER SECURITY K-12 EDUCATION

13

National cyber security alliance brings new learning resources to K-12 classrooms. (2011).

Wireless News. Retrieved from http://

proquest.com.cmich.idm.oclc.org/docview/898820291?accountid=10181

Passeri, P. (2017). Insider threat protection. Hackmageddon. Retrieved from

http://www.hackmageddon.com/category/security/cyber-attacks-statistics/

Richardson, J. (2015). Characteristics that grassroots groups share. Grassroots Grantmakers.

Retrieved from www. grassrootsgrantmakers.org

Sjouwerman, S. (2017). Security awareness cyber attack maps. Fortiguard. Retrieved

https://blog.knowbe4.com/ cyber-attack-maps...accurate-or-just-eye-candy

Training Camp CEG v9 Boot Camp. (2017). Knowledge Key Associations. Retrieved from

http://www.trainingcamp.com/global/training/ec-council-courses,aspx.

United States Department of Labor Statistics. (2015). Retrieved from

http://www.bls.gov/oes/current/oes151122.htm