Review of 1st Annual Workshop on Education in Computer Security

by Heather Hinton, Ryerson Polytechnic University, Toronto, Canada.

The first WECS conference, sponsored by the ACM and the Naval Postgraduate School, Monterey, CA, was held in January, coinciding with the AT&T Pro-Am Golf Tournament at Pebble Beach. We had broad international attendance, with security practitioners and educators from North America, Europe, Great Britain and the Nordic countries. Each day had a theme, covering the basics of designing and implementing an INFOSEC curriculum, explored in panel and break-out sessions.

Day 1 focussed on the "Scope and Content of INFOSEC Curricula". The goal of this day was to attempt to narrow down the core materials for INFOSEC education.

Ron Ross (IDA) chaired the first panel, "Generating Demand for INFOSEC Education." The panelists are all "consumers" of INFOSEC-educated students.

Derek Simmel (CERT) noted that attackers are becoming more and more sophisticated, leading to a corresponding increase in security incidents. To combat this, we need to incorporate basic information security practices and skills into the educational curriculum, at all levels (junior school through advanced university-level degrees).

Dan Faigan (The Aerospace Corporation) felt that the professional societies (ACM and IEEE) should be pro-active in this area. Specific curricula should be established, picking one or two universities to provide a complete INFOSEC specialty (Master's level and beyond). (CS/CE/EE) students should graduate with an overview of the INFOSEC/COMPSEC areas, a rudimentary understanding of cryptography, and an exposure to security standards and networking skills (i.e., using a network, as opposed to schmoozing at the company Christmas party).

Vic Machonacy (DOD/NSA) stated that we are currently at the stages of "Awareness" (typified by assimilation of information) and "Training" (actively seeking more knowledge, using long term memory). We have not begun to move through the learning continuum into the realm of education, to "accommodation and internalization". What we need is for all employees to have an awareness of security issues, coupled with a basic security literacy. Specialists who are involved with sensitive systems need security training, in how to manage, design, implement, operate, etc. sensitive systems. The security specialists and professionals need to move to the level of security education, focusing on "things you need to know." These include laws and regulations, fundamentals of security, and technology and organizational specific security elements. Vic felt that at this level, security professionals should have some sort of professional certification. Accomplishing these goals is going to require the cooperation of industry, government and academia.

Bruce George (DOD/NSA) talked about the need for ISSE, Information Systems Security Engineering. The corresponding educational objectives include the "big picture", understanding of features versus assurance, and an understanding of cryptography and computer security. To this end, Bruce espouses and applauds the increase in tutorial tracks at INFOSEC/COMPSEC conferences.

John McCumber (Trident) focused on the risk aspect of computer security and its inclusion in the curriculum. We need to know how (and teach people) to manage risks, including the cost of countermeasures and the effect of risk management on system performance. The abundance and proliferation of tools for attacking systems means that if we are teaching current tools for defense, we are too late.

The second panel, chaired by Cynthia Irvine, explored the content of INFOSEC education.

Jim Alves-Foss, of the University of Idaho, proposed a (set of) core curricula for students following one of three different security career paths: system administrator, system developer, and security researcher. A core INFOSEC/COMPSEC curriculum, common to all three paths, will supplement career-specific courses, at both the undergraduate and graduate level. The undergraduate core includes a course each in "computer security concepts" and computer network security. At the graduate level, core courses include cryptography and the design of secure systems. These courses are intended to supplement the traditional CS courses (such as operating systems, data management, etc), in which security issues are briefly discussed.

Cynthia Irvine (Naval Postgraduate School) discussed the need for INFOSEC education of officers from many different backgrounds within the Navy. The curriculum at NPS focuses on the foundations of security, as well as security planning and management; many officers, when returning to their ships, become the resident security expert. Thus the courses at NPS make extensive use of laboratory exercises, with demonstrations and projects. At this graduate level, the computer-security track includes courses in secure system management, building secure systems, policies, models and formal methods, network security, database security, and advanced topics in computer security, all supplemented by thesis research.

Jens Lussem and Adrian Spalka (University of Bonn) discussed the need for computer security education at the high-school level. This is motivated by the extensive use of the Internet in Germany (with USD 40mil being put into the "Schulen ans Netz", Students on the Net, project). This is complicated as most high-school teachers have no education or training in computer security, yet are required to take responsibility for the secure operation of the high-school systems. Thus there is a need to educate the teachers and the students about computer security issues. At present, due to a lack of technical solutions, administrative measures are in place to regulate and control use of the Internet by students. Students are informed of prohibitions against misuse, usage is monitored for violations, and violators are sanctioned. In the meantime, there is a need for "security ergonomics", targeted at ordinary users.

Heather Hinton (Ryerson Polytechnic University/University of Toronto) talked about the general computer security (overview) course offered at the University of Toronto; this is one of the most popular graduate courses offered, illustrating the student-driven demand. This course meets one need of computer security education: general graduate-level courses. The topics introduced in this course include viruses and other juicy bits (to keep them entertained until after the drop-date for the course), operating systems security, databases and network security, encryption, protocol analysis, risk analysis and legal and ethical issues. In addition, we need to have advanced undergraduate-level courses in computer security and we also require dedicated graduate-level programmes, such as those offered by the Royal Holloway (University of London) and James Madison University.

In Belgium, there is no standardization of the CS education. Jean Ramaekers (Institute d'Informatique, Belgium) described a final semester course (in a 5-year degree programme) that has been offered since 1983, accounting for 30 hours in the entire curriculum. The main goal of this course is to think "globally" about computer security. Students learn techniques for managing security within large industrial organisations. Included in this curriculum is a discussion of the human aspects of security.

On the first afternoon, the workshop split into "break-out" groups to discuss curriculum content and prerequisites for topics and educational levels. While the majority and minority views for each break-out group are too lengthy to report, what is of interest is how most groups separated out the educational audiences.

All groups identified the need for computer security education within computer science / computer engineering, at the undergraduate and graduate levels. Several groups also went beyond this to address the education needs of different target audiences, including, by degree: Master's in Information Sciences, MBA's, Master's in Software Engineering, and other professional degrees, such as Medicine and Law, together with pre-university education. Cynthia Irvine used the analogy that "we don't teach everyone to be a brain surgeon, but we do teach children to wash their hands". In general, it was felt that some equivalent to "washing your hands" is required at the high-school and public-school levels (perhaps we should be instructing students to not take candy or diskettes from strangers).

On Day 2, the overall theme was "INFOSEC Curricula: Novel Approaches to Delivering the Product". The first panel addressed "Spicing up INFOSEC Education" and was chaired by Matt Bishop (UC Davis).

Erland Jonsson (Chalmers U. of Tech, Sweden) discussed his experiences with an undergraduate-level course, "Applied Security" (Erland snuck this course into the curriculum by assuring the administration that it would be "free", i.e., additional to his regular teaching load). The major laboratory project in this course is a project in intrusion and intrusion detection. Students are let loose in a target system and told to break in using any means fair or foul. The more advanced students in this course often develop their own tools to aid in the attack, getting a real "hands-on" feel for computer security issues. Because of the adversarial nature of this course, the project must be carefully supervised by at least one "experiment leader" or supervisor.

Hilarie Orman (U. Arizona/DARPA) talked about "Furem Fur Cognoscit". Hilarie recommends engaging the students using a "Spy vs. Spy" approach. A two-part project, involving defense and offense, works well to engage students and illustrate security concepts. In the first part of the project, students develop and document a secure application. Projects are then swapped and students are encouraged to attack and break the swapped applications. To help with this sort of interactive education, Hilarie's wish list includes a pedagogical security game that can be used to implement a real-time competition. Any takers and/or developers?

David Oppenheimer (Princeton University) talked about his experiences implementing a fourth-year applied cryptography seminar course at Princeton. This course is of interest as it was proposed, prepared, and given, by undergraduate students to undergraduate students. Student projects made up a large part of this course. Some sample projects include a hardware encryption device, a secure online election system, and an implementation of Chaum-style digital cash. These projects were chosen by the students, reflecting their personal interests and talents. Peer review was used, so that the students could learn from each other. David offered suggestions to improve the course next time around. The biggest single improvement would be to include protocol analysis, in particular failure analysis. This was felt to be an ideal way to engage the class in discussion (and would produce good assignment topics).

Paul Olson (National Cryptologic School) discussed the use of on-line micro-courses to implement the course "Trusted System Criteria and Concepts". This course was modularized, with one topic per lesson. These lessons were made as distinct as possible, although there is a flow imposed by the prerequisites of individual modules. The tool that allowed this to work is "Information Mapping", a means of presenting information in a way "psychologically tested to be more easily processed by the human brain". An information map is produced for each "chunk" of information (for example, one information map may define "What is a Target of Evaluation"). Information is presented under the headings of Introduction, Definition, Importance, Examples, Non-Examples, and Practice. Information maps are made available on-line, so that students can access them from home/work for self-study. The instructor is available as needed (via e-mail). Pedagogically, this is a great tool for introducing concepts, allowing lectures to immediately focus on the more detailed (and usually interesting) issues.

Panel 4 addressed "Should Computer Security Education be Multi-Disciplinary", chaired by Heather Hinton. It seems that everybody agrees that it should in fact be multi-disciplinary, but no-one seemed to agree on what multi-disciplinarity actually implied.

Larry Liebrock (U. Texas at Austin/Hewlett-Packard) described the graduate seminar "System Security and Systems Auditing Building", offered in the Graduate School of Business. The focus of this course included risk analysis and identification of "knowledge assets". Current security tools are used to familiarize students with the resources that are available.

Art Duncan (Rensselaer Polytechnic Institute, New York) went one step further, stating that "all technical education should be multi-disciplinary." Technical courses should include sociological topics, as well as managerial, legal and ethical issues. In particular, a computer security course should include a section on "what are the legal and ethical implications of what I have learned in this course."

Matt Bishop (UC Davis) took the multi-disciplinarity of computer security in the other direction, stating that computer security must be a part of any (and all) introductory courses in programming. Focusing on the design, implementation, testing, and deployment of programmes is the basis for future education in computer security.

Dieter Gollman (Royal Holloway, University of London), described the multi-disciplinary nature of the MSc in Information Security offered at the Royal Holloway. This programme is a joint venture of the departments of Computer Science and Mathematics. In addition to the common courses in network security, cryptography, et cetera, there is an additional course in Security Management. This course is a series of lectures given by industry personnel, and includes topics such as "relating business requirements to security needs", and "regulatory controls".

Marcel Spruit (Delft U. of Tech, the Netherlands) mentioned the human and organizational aspects to the implementation of security. For example, to address the management of security and the delegation of responsibility, topics normally discussed in psychology must be introduced into the computer security curricula.

The second break-out session of the workshop addressed "potential teaching approaches and delivery methods for INFOSEC curricula." The overwhelming conclusion is that laboratories and projects are the best way to demonstrate security concepts.

Day 3 of the workshop focussed on "Organizing and Building the INFOSEC Education Infrastructure." The day began with a panel on "Preparing INFOSEC for Education in the 21st Century".

Marie Wright (Western Conn State U) pointed out that intruders are very good at organising, sharing information and collaborating. INFOSEC and COMPSEC educators should learn from this. We need to establish resources and lines of communications so that we too can collaborate and share information. Book publishers can play a role in this by publishing (useful) security textbooks and educational materials.

Deb Frincke (U. Idaho) described the distance education programme at U. Idaho. Lectures are all videotaped and mailed to distance education students. Students view the videotapes, do the related assignments, and return the tapes and completed assignments. One issue that Deb brought up surrounded the on-line (Internet) availability of educational materials for use by distance education students: what is the liability of the instructor and university if these materials are used (by a non-student) to successfully attack a system? Another issue surrounding distance education is the need for on-line simulations and intrusion detection systems to allow distant students to benefit from practical laboratories and projects.

John Cordani (James Madison U) described the MIS programme at James Madison University. This programme targets students who have full-time jobs and are not able to attend classes within the traditional 9-5 structure. John pointed out that this is the likely path of post-graduate education in the future. The issues that must be addressed with INFOSEC/COMPSEC education include the timeliness of the education, when spread out over a longer time period than a traditional 8-month/1-year Master's degree.

After all this, most participants were feeling somewhat overwhelmed. The workshop concluded with a wrap-up discussion of what we were going to do in the future. WECS'98 is already being planned. Ed Felton has set up a list-serve for COMPSEC/INFOSEC educators (to subscribe, send mail to majordomo@cs.princeton.edu). Heather Hinton is preparing a web-site to act as a repository for who is doing what in INFOSEC/COMPSEC education (for specific security courses). A preliminary URL for this page is www.ee.ryerson.ca:8080/~hhinton/compsec/security.html. This web page will contain pointers to the University, Department, and Course Home Pages (if any) of identified INFOSEC/COMPSEC courses being offered world-wide. Refer to the web page for details on how to have your courses included.