The global economy rests on a technology base, so it is common sense to make certain that that technology is secure. Sadly, current data from almost any source indicate that our systems are not secure.
The principal cause seems to be what might be called the "Six Blind Men and the Elephant" syndrome. In that old story, six blind men are asked to describe an elephant based on the part they are touching: to one it is a snake, to another a wall, to another a tree, and so on. In the end, "Though each was partly in the right, all were entirely wrong". We have the same problem with cybersecurity. There are established elements of the field that know how to secure the part of the technology they touch, but until we can coordinate that knowledge to secure the whole elephant, we cannot realistically say we are secure. In pragmatic terms, "partly" secure simply does not suffice. Probably the best illustration of that old adage is the U.S. National Security Agency, which was compromised by an insider, not by the electronic attack it was set up to prevent. This is where formal education comes in. Education shapes behaviour, and for that reason it can be an extremely powerful force for ensuring correct practice. It is also education's historical impact on society at large that makes it the most likely place to address the need for comprehensive cybersecurity.
Nevertheless, a number of challenges have to be overcome. First, according to a report from the National Academies of Science, cybersecurity is an emerging discipline; consequently, it is not clear what should be taught. Worse, all evidence points to the fact that whatever we should be teaching is cross-cutting: elements of the discipline could be taught in places as diverse as engineering, business and law. These are different academic cultures, and cybersecurity practice is viewed differently in each. This cultural difference also raises the question of "to aggregate, or not to aggregate". If we leave the teaching of cybersecurity practice scattered across campus, we will not be able to coordinate the message, let alone evolve the field into a mature discipline. However, if we pull all cybersecurity education into a single place, that raises the question of where to put it, since engineers will not be comfortable in a law school and vice versa.
The term "holistic" has been used to describe what has to happen for the solution to be complete and correct. The problem is that most present faculty members specialise in some vertical aspect of the discipline of computing. They are not going to simply drop what they are teaching and start approaching things holistically, so a new breed of professional will have to be educated. That returns us to the question of what to teach.
It should be obvious that a broad-scale development strategy based on a comprehensive definition of the field is needed to address the problem. That strategy should ensure that the right learning experiences are provided to the right people across the educational landscape. However, effective strategy requires understanding the status of the existing landscape.
Current cybersecurity teaching encompasses three classic domains. Those are, in order of increasing formality, Awareness, Training and Education. A fourth area is the Research activity that supports all three domains. Each domain can involve systematic (curricular or programmatic) schemes as well as unsystematic, ad hoc efforts. Finally, there is a range of communities of interest where security teaching and learning might apply. Those 17 settings are listed in the table at the end of this article.
· 14 ·