An Information Systems Security Course for the Undergraduate
Information Systems Curriculum
Grace C. Steele
Vojislav Stojkovic
Computer Science Department
and
Jigish S. Zaveri
Information Sciences and Systems Department
Morgan State University
ISECON 2003 – San Diego, CA, Nov 6-9 2003
Introduction
Necessary to redesign IS Curricula and introduce course in Information Systems Security to provide students required knowledge, skills, abilities to:
• Remain effective in meeting needs of society and student body (Davis et al., 1997; Couger et al., 1995)
• Remain current in terms of body of knowledge (lack of coverage of IS security issues in IS curriculum ~ Anderson et al, 2002)
• Keep up with changes in technology and environment
• Provide strong foundation on which students build lifelong learning/dev
• Prepare students to become active learners in digital economy (..it is responsibility of educational system, particularly at undergraduate college-university level, to prepare future IT professionals for dynamic environment of the 21st century ~ Lightfoot, 1999)
• Address issues of lack of trained ISS personnel
Need for a Course in IS Security in the Undergraduate IS Curriculum
IS Security course needed in IS Curriculum due to:
• Growth in telecommunications/networking-impact on society
• New technology environments (wireless, mobile, virtual)
• Financial losses due to lack of effective security (Anderson, 2001)
• Organizational, environmental trends (“current IS curricula ….not well aligned with business needs” ~ Lee et al., 1995)
• Most current ISS courses are at graduate level, vocational training, or located in Computer Science or Engineering Department (www.nstissc.gov/)
• Other countries have already incorporated IS security in the undergraduate curriculum core body of knowledge (Underwood et al., 1997)
Developing New Curriculum
Curriculum changes in higher education due to:
• Changes in knowledge, technology, general environment and values
• Changes reflect different practices and values of specific knowledge fields (McKeen et al, 1987)
• Changes in production and application of academic knowledge
• Shifts in emphasis on different criteria used to evaluate production/application of knowledge
• Changes in technologies
New curriculum design must address stakeholders: educators, businesses, students and public
Goals and objectives of new curriculum need to be specified
Development of ISS Course
Name of Course: Information Systems Security
Course Number: INSS XXX – Elective
• Dedicated elective course designed for IS seniors
Knowledge and Competency: Application level – 4 (See Table 1 – next slide)
Statement of Needs: Increased demand for IS security professionals in organizations
Goal Statement: Graduates should be able to function in entry-level positions, have basis for career growth
Table 1. Goal Levels, Methods of Delivery and Assessment (Davis et al, 1997)

| Level | Goal | Methods of Delivery | Methods of Assessment |
|---|---|---|---|
| 1 | Awareness | Lecture, reading | Exam (fill-in-the-blanks, multiple choice, true-false, matching, etc) |
| 2 | Literacy | Lecture, reading | Structured practice, homework, detailed exam |
| 3 | Concept and use thereof | Lecture, reading, case study and well-structured projects | Structured practice, homework, case analysis, detailed exam, and project performance |
| 4 | Detailed understanding, application, skilled use | Lecture, reading and well-structured projects, ill-structured projects using simulation and modeling tools | Structured practice, homework, detailed exam, process performance using simulation and modeling tools, group research projects |
| 5 | Skilled use | Student-directed project, independent research | Research project |
Development of ISS Course
Goals of IS Security Course:
• Learn about security in Microsoft/UNIX/Linux operating systems and programming environments
• Learn how to attack and defend system by analyzing system for vulnerabilities and ameliorating those problems
• Understand strengths and weaknesses of cryptography for security
• Learn how to access and control systems, resources, data
• Learn basics of writing security-related programs
• Learn about security in networks
• Understand how to coordinate hardware and software to provide data security against internal and external attacks
• Model systems involved through use of formal models
Development of ISS Course
Learning Objectives and Outcomes
Knowledge Objectives
• The role and importance of security policy
• Network-related security threats and solutions
• Principles of private/public-key encryption
• Principles of authentication
• Internet Protocol security architecture (IPSEC)
Application Objectives
• Analyzing security protocols for weaknesses
• Designing/implementing authentication protocol
• Designing and/or implementing an encryption system
Development of ISS Course
Target Student Population
• ISS to be included in IS Deployment and Management Practices Presentation Area of IS’97 Curriculum Model – Level 3: IS majors only
• Senior, undergraduate IS majors, IS minors
• Students in final year of undergraduate study
Prerequisites (KSA)
• All required IS courses
Course Content
• Course Outline (See figure 1 - next slide - for the different Learning Units in the Information Systems Security course outline)
Figure 1. Information Systems Security Course Outline
1. Introduction
· Internet, Intranet -- Structure, growth, possibilities
· Related subjects, overview of course
· Definition of terms/concepts in computer network and Internet security
- basic security principles (privacy, confidentiality, integrity, availability, accountability)
- access control, firewalls, biometric devices
2. Threats, Risks and Vulnerabilities
· Viruses, worms (e.g. Trojan Horses)
· Intrusion detection and types of attacks
· Denial of service attacks
· Security countermeasures
3. Data Security Policies/Admin. Security Procedural Control
· Institution, legislation, privacy, basic policies/protocols
· Legal and ethical issues in information systems security
4. Security models
· Access matrix, multilevel, mandatory, discretionary models
· Role-Based Access Control
5. Designing Secure Systems
· Secure system design methodology
· Evaluation/administration of secure systems
6. Effects of Hardware on Security
· Modes of operation, protection rings, memory protection
7. Operating Systems Security
· Unix, Windows XP, Linux
· Hardened operating systems
· Types of OS attacks
8. Network Security
· SSL, Kerberos, VPNs, Wireless systems
· Dial-up vs. dedicated, public vs. private
· Traffic analysis
9. Database Security
· Authorization systems in Oracle and similar database systems
10. Programming Language Security
· Programming Language security problems (e.g. buffer overflow, pointers, arrays, etc.)
· Java security
11. Cryptography
· Symmetric and public key systems, PKI
· Strengths (complexity, secrecy, etc.)
· Encryption, Key management
12. Distributed Systems Security
· Security in .NET, Sun ONE, WebSphere, other appl servers
· Security in XML and Web Services
13. Information Systems Security Policies, Roles and responsibilities
· Application dependent guidance
Development of ISS Course
Instructional Strategies and Testing and Evaluation of Students
• Cooperative learning techniques (Slavin, 1990)
• Cooperative learning strategies provide positive interdependence, individual accountability and face-to-face interaction
• Simulation – learning becomes meaningful when students make association between concepts and ideas (Eggen & Kauchak, 1988)
• Group projects
• Case studies
• Evaluate - using structured practice, homework, detailed exams, process performance using simulation and modeling tools, case study analysis and group research projects
Implications for IS and Future Research
Changes to Curriculum and Instruction
• Requires investment of many resources into process
• Bond needs to be established between teaching/learning infrastructure and curricula, between technology infrastructure, classroom and teaching material
• Students need to be encouraged to become active learners
• New and more effective methods of instruction need to be introduced to produce more effective learning
• Students should be made part of curriculum development process - more motivated to learn if actively involved
• Faculty need to be retrained, new facilities and teaching resources needed
Implementation of the ISS Course
Implementation issues
• Integration into current curriculum
• New facilities and equipment
• Qualified people to teach course
• Development and implementation of new instructional strategies
• Changes in internal policies and procedures
• Use of industry’s best practices
• Joint effort between academia and industry
Conclusion
No consensus on what information systems security knowledge, skills and abilities to include in undergraduate IS curriculum and placement for material within the curriculum
IS curriculum needs to be updated regularly to reflect rapid changes in environment
Academia needs to work with government and industry on this issue to properly prepare students for an information economy
Students need to be encouraged and motivated to become active learners in digital economy
Thanks!
The authors would like to thank the following for their support with this research:
• NASA’s NERTS project and Ms. Shirl Byron - NRTS Project Director at MSU
• Dr. William Lupton, Chair, Computer Science Department, MSU
• Faculty in the Department of Information Science and Systems, MSU
• Carnegie Mellon University
Authors’ Contact Information
1. Grace C. Steele
2. Vojislav Stojkovic
Computer Science Department
Morgan State University
1700 E. Cold Spring Lane
Baltimore, MD 21251
3. Jigish S. Zaveri
Information Sciences and Systems Department
Morgan State University
1700 E. Cold Spring Lane
Baltimore, MD 21251