Awareness is a very useful mode of content delivery in that it can ensure a minimum level of correct practice among a wide range of people. Formal awareness programs such as the DHS Stop.Think.Connect. campaign utilise established methods for disseminating general knowledge, such as posters, presentations and commercials. Informal programs include any educational activity sponsored by an organisation or group. The practices themselves can be relatively simple, such as secure housekeeping, phishing avoidance, or secure passwords. The messages are often boiled down to slogans or sound bites.

Training can be formal or organised to address a specific problem. Training is focused on the acquisition of a particular skill. That skill can be complex, like network administration or secure programming. But training is always time sensitive in that the skills being provided can be made obsolete by change. Formal training programs, particularly those associated with certification, are based on commonly accepted bodies of knowledge. The end result of a training program is demonstrated mastery of that body of knowledge. Ad-hoc training provides mastery of a skill that might be required for a given application or setting. Ad-hoc training is often deployed as corrective action, or in order to plug a knowledge gap in a particular instance. It can be general.

Programmatic education seeks to field. That understanding must be comprehensive in that the individual is capable of developing a heuristic solution from a given set of facts. Education is not time sensitive in that the educated individual should be capable of applying existing knowledge by extension to new problems. Because that capability often requires acquisition of a large amount of knowledge, programmatic education is decomposed into logical elements. This collection of elements is normally called a "curriculum". General education is not discipline specific. It can display the same characteristics as curriculum-based education in that it provides comprehensive and extensible understanding. However, general education is not directed toward mastery of a particular field.

supported by research. Research develops knowledge and refines practice. There are two types of research programs. The first is practitioner-based research, aimed at developing useful skills and techniques. The second type of research is scientific in that it generates and confirms the correctness of new knowledge. This type of research can be unapplied, but it is valuable because it forms the basis for the principles of the field.

form of all of these teaching modalities is required in all of the classic areas of society: government, industry and academia. Because the cultures of each of these communities are so different, the awareness, training is an important point to keep in mind in developing any strategy aimed at ensuring cybersecurity. That is because content in any modality must be tailored to the community of practice in order to be effective. The table below shows all of the modalities we have discussed arrayed against the 17 logical communities of practice. order for information system security to become a mature discipline, every cell in this table should have some activity taking place within it, or a reasonable justification for why that is not happening. Looking at this table, it is hard not to conclude that we have a considerable way to go before we can say that we have gained control over the problem. It also tends to reinforce the conclusions of the National Academy of Science's findings, namely that the field is still immature.

Research Scientist at UDM's Center for Cyber Security and Intelligence Studies. This Center includes the Computer Information Systems-Information Assurance Department, as well as the NSA Center of Academic Excellence in Information Assurance Education. As the Co-Chair for the DHS National Workforce Training and Education Initiative for Software and Supply Chain Assurance, he is one of the three authors of the Software Assurance Common Body of Knowledge (CBK).