Cyber Security Education

Page history last edited by ascmahoney@... 11 years, 12 months ago

 

Introduction

     Cyber security education is paramount when considering the ubiquitous presence of technology in nearly every aspect of life. The Internet has revolutionized knowledge transfer, commerce, and communication, providing resources and information on demand (Belak, 2005). Beyond the Internet, computer networks allow administrators and users alike to interact with company resources and increase productivity. However, the Internet and computer networks also serve as a breeding ground for malicious attackers with a wealth of attack vectors, including network access, email phishing, malware, and social engineering (Vuong, 2006). Cyber security education is important for both end users and administrators to effectively mitigate the available attack surface. Curriculum in educational settings can train future technicians in network and system security to serve as the first defense against attack. Training in the corporate sector is also important, as educated users are far less likely to provide an attacker access or information that could lead to a potential compromise.

 

Curricular Application

     Cyber security programs at educational institutions are often unsatisfactory due to a lack of budget, equipment, and qualified instructors. Even with these resources, the focus of curriculum can vary greatly. The National Institute of Standards and Technology (NIST), in collaboration with government and educational entities, continually develops standards in Science, Technology, Engineering, and Math (STEM) disciplines. NIST has developed a strategic plan specifically targeted towards implementing a strong, standards-focused curriculum for educational institutions.

 

MD Governor Martin O'Malley - NICE Conference Keynote - NIST Headquarters in Gaithersburg, MD, 2011

 

 

     Concurrently, in an effort to increase cyber security awareness, the EDUCAUSE/Internet2 Higher Education Information Security Council (HEISC) conducts an annual contest calling for posters and short information security awareness videos developed by college students, for college students. The contest, sponsored by CyberWatch and the National Cyber Security Alliance (NCSA), has proven to be a highly effective way of delivering cyber security awareness campaigns. The website for EDUCAUSE/HEISC is intended to be a focal point of information and resources on cyber security for the higher education community.

 

Click the image link below to view the Cyber Security Awareness Video Contest winners.

 

 

 

Industry Application

     Training in cyber security reaches well beyond the walls of a classroom. Employees in the workforce need a working knowledge of cyber threats and ways to protect themselves and their employers. Malicious users can target both computer systems and people through a variety of methods.

 

Attack vectors can be as simple as guessing a password or finding that security restrictions on a website are not functioning. These penetrations require nothing more than a bit of guesswork, with the technology simply acting as the vehicle of access. Other times, even the guesswork can be eliminated. Employees are often "socially-engineered" to release valuable information regarding access to a company. This process can be as simple as calling an administrative assistant claiming to be from the IT department and asking for the user's credentials. Other users may give information to bogus websites after receiving spam email messages, leading to lost credentials or possibly an infected machine, which is then used by an attacker to pivot inside of a corporate network, behind the firewalls and other security measures deployed by the actual IT staff.

 

     Training can be difficult. Even after completing Internet security courses covering common use cases such as spam messages and social engineering, some end-users will not heed the warnings of their trainer and may literally give away the farm (if that is where they work). Emerging threats come to fruition quickly, adding to the problem of user training. The technology is evolving faster than many users can cope with, and staying ahead of the security curve for an organization can be difficult.

 

Certifications and Assessment

     Many companies and organizations offer certificate training programs to validate that technicians have completed course work or possess some degree of competency. Depending on the training program, however, industry experts often downplay the importance of these certifications. The assessments for many of these certifications do not require the applicant to demonstrate their skill set in a live or simulated environment, and instead simply require a passing grade on a multiple-choice test with no practical experience. After being placed in an actual job situation (based on the acquired certification), many technicians under-perform compared to experienced technicians.

 

     Some certification programs are, however, highly regarded, such as the Cisco Certified Internetwork Expert (CCIE) certification test. The assessment for this test is broken into two pieces. The first step is an extensive multiple-choice test similar to other certifications. After passing the first portion of the assessment, applicants are then required to perform tasks inside of a simulated environment, where problem-solving, critical thinking and application of knowledge are required throughout an eight-hour, practical, hands-on test with human reviewers, including a face-to-face interview. The pass rate for such a test is extremely low. To date, fewer than 30,000 applicants have passed a CCIE certification test since the year 2000.

 

Conclusion

     Cyber education is a broad and far-reaching topic, and touches every person with any sort of access to technology. Even basic interactions such as sending email require training, as these systems can be leveraged by attackers to gain access into personal data or corporate secrets. Educational institutions are beginning to work together in developing standardized curriculum. Standards-based industry entities, such as NIST, pool resources from many locations to generate such standards using expertise from around the world. Through these combined efforts, training the workforce and students of today and the future will lead to a safer environment.

 

Works Cited

Belak, M. J. (2005). The impact of Internet usage and organizational policy upon managerial decision-making effectiveness in the public sector. ProQuest Dissertations and Theses, 108.

 

EDUCAUSE/Internet2 Higher Education Information Security Council. (2011). Cyber Security Awareness Video Contest Winners. Retrieved from http://www.youtube.com/user/SecurityVideoContest

 

EDUCAUSE/Internet2 Higher Education Information Security Council. (2011). [Graphic illustration cyber security awareness 2011]. Retrieved from http://www.youtube.com/user/SecurityVideoContest

 

Reese, B. (2012, January). Worldwide CCIE Count. Retrieved April 16, 2012, from http://www.bradreese.com/worldwide-ccie-count.htm

 

Vuong, A. (2006, June 7). Hacking scare: Cybercriminals pursuing profit A security expert warns of techniques used to break into computer systems of banks, businesses and even the military. Denver Post, p. 1.

 

 
