on a technology base. So, it is common sense to make certain that that technology is secure. Sadly, current data from almost any source indicates that our systems are not secure.

the "Six Blind Men and the Elephant" syndrome. In that old story six blind men are asked to describe an elephant based on what they are touching. So to one it's a snake, to another a wall, and to another a tree, etcetera. In the end, "Though each was partly in the right, all were entirely wrong". We have the same problem with cybersecurity. There are established elements of the field that know how to secure the part of the technology that they touch. But until we are able to coordinate that knowledge to secure the whole elephant, we can't realistically say we are secure. Or in pragmatic terms, "partly" secure simply does not suffice.

Probably the best illustration of that old adage is the U.S. National Security Agency, which was done in were set up to prevent.

This is where formal education comes in. Education shapes behaviour. For that reason, education can be an extremely powerful force for ensuring correct practice. Also, it is education's historical impact on society at large that makes it the most likely place to address the need for comprehensive cybersecurity.

have to be overcome. First, according to a report from the National Academies of Science, cybersecurity is an emerging discipline. Consequently, it is not clear what should be taught. Worse, all evidence points to the fact that whatever we should be teaching is cross-cutting. In essence, elements of the discipline could be taught in places as diverse as engineering, business, and law. These are different academic cultures, and cybersecurity practice is viewed differently in each. This cultural difference also raises the question of "to aggregate, or not to aggregate".
If we leave the teaching of cybersecurity practice in diverse places on campus, we are not going to be able to coordinate the message, let alone evolve the field into a mature discipline. However, if we pull all of the cybersecurity education into a single place, that begs the question of "where should we put it?", since engineers will not be comfortable in a law school and vice versa.

to happen in order for the solution to be complete and correct. But the problem is that most present faculty members specialise in some vertical aspect of the discipline of computing. They are not going to just drop what they are teaching and start approaching things holistically. So, a new breed of professional will have to be educated. That returns us to the question of what to teach.

strategy based on a comprehensive definition of the field is needed to address the problem. That strategy should ensure that the right learning experiences are provided to the right people, across the educational landscape. However, effective strategy requires understanding the status of the existing landscape. Current cybersecurity teaching encompasses three classic domains. Those are, in order of formality, Awareness, Training and Education. A fourth area is the Research activity that supports all domains. Each domain can involve systematic, curricular or programmatic schemes, as well as unsystematic, "ad hoc" efforts. Finally, there is a range of communities of interest where security teaching and learning might apply. Those 17 settings are listed in the table at the end of this article.