Awareness is a very useful mode of content delivery
in that it can ensure a minimum level of correct
practice among a wide range of people. Formal
awareness programs such as DHS Stop-Think-
Connect utilise established methods for disseminating
general knowledge such as posters, presentations and
commercials. Informal programs include any educational
activity sponsored by an organisation or group. The
practices themselves can be relatively simple, such as
secure housekeeping, phishing avoidance, or secure
passwords. The messages themselves are often boiled
down to slogans or sound bites.
Training can be formal or organised to address a
specific problem. Training is focused on the acquisition
of a particular skill. That skill can be complex, like
network administration, or secure programming. But
training is always time sensitive in that the skills being
provided can be made obsolete by change. Formal
training programs, particularly those associated with
certification, are based on commonly accepted bodies
of knowledge. The end result of a training program
is demonstrated mastery of that body of knowledge.
Ad-hoc training provides mastery of a skill that might
be required for a given application, or setting. Ad-hoc
training is often deployed as corrective action, or in
order to plug a knowledge gap in a particular instance.
it can be general. Programmatic education seeks to
field. That understanding must be comprehensive in
that the individual is capable of developing a heuristic
solution from a given set of facts. Education is not time
sensitive in that the educated individual should be
capable of applying existing knowledge by extension
to new problems. Because that capability often
requires acquisition of a large amount of knowledge,
programmatic education is decomposed into logical
elements. This collection of elements is normally called
a "curriculum". General education is not discipline
specific. It can display the same characteristics of
curriculum-based education in that it provides
comprehensive and extensible understanding. However,
general education is not directed toward mastery of a
particular field.
supported by research. Research develops knowledge
and refines practice. There are two types of research
programs. The first is practitioner-based research, aimed
at developing useful skills and techniques. The second
type of research is scientific in that it generates and
confirms the correctness of new knowledge. This type
of research can be unapplied but it is valuable because
it forms the basis for the principles of the field.
form of all of these teaching modalities is required in
all of the classic areas of society, government, industry
and academia. Because the cultures of each of these
communities are so different, the awareness, training
is an important point to keep in mind in developing
any strategy aimed at ensuring cybersecurity. That is
because content in any modality must be tailored to
the community of practice in order to be effective.
The table below shows all of the modalities we have
discussed arrayed against the 17 logical communities
of practice.
order for information system security to become a
mature discipline every cell in this table should have
some activity taking place within it or a reasonable
justification for why that is not happening. Looking
at this table it is hard not to conclude that we have
a considerable way to go before we can say that we
have gained control over the problem. It also tends to
reinforce the conclusions of the National Academy of
Science's findings, which is that the field is still immature.
Research Scientist at UDM's Center for Cyber Security and
Intelligence Studies. This Center includes the Computer
Information Systems-Information Assurance Department,
as well as the NSA Center of Academic Excellence in
Information Assurance Education. As the Co-Chair for the
DHS National Workforce Training and Education Initiative
for Software and Supply Chain Assurance, he is one of the
three Authors of the Software Assurance Common Body of
Knowledge (CBK).