Launching cybersecurity at Aston University – what we can learn for future course design

Paul Grace
Aston University


6th December, 2019


These past few months at Aston University we have welcomed the first cohort onto a new undergraduate degree programme in cybersecurity[1]; and we as educators will learn with them, as we shape our new curriculum and module content to meet their learning objectives and career aspirations. Speaking with them individually about their choice of degree, some of them are driven by a strong interest in all things security; for others it is the promise of a buoyant job market for cybersecurity professionals.

Clearly there is a demand for specialised degree programmes in cybersecurity. We are witnessing a global shortage of cybersecurity skills. Current estimates forecast 1.8 million unfilled cybersecurity jobs by 2022[2]. Cybercrime is on the rise and threatens a digital apocalypse. Damage caused by attackers is likely to hit $6 trillion annually by 2021[3]. The accuracy and impact of these projections may be open for debate, or simply dismissed as scaremongering, but it is clear the landscape is changing. An ongoing digital transformation is putting digital infrastructure into the fabric of everyday life, yet this gives attackers more to target. We need people with the skills to push back this tide of attacks to ensure we can all safely enjoy the benefits of a digital world.

Ensuring that everyone understands how to protect themselves and the organisations they work for will go a long way to fighting back. But we also need enough professionals in the workplace with the right cybersecurity skills to protect against cyber threats. This is a key target of the UK government cybersecurity skills strategy[4]. From a higher education perspective this poses the questions: what knowledge and skills should be taught on a specialised cybersecurity degree? What is an appropriate body of knowledge for a cybersecurity graduate? These aren’t particularly new questions, and a number of initiatives have already been considered for the cybersecurity body of knowledge:

The ACM Cybersecurity Curricula 2017: Curriculum Guidelines for Post-Secondary Degree Programs in Cybersecurity[5] aims to “develop comprehensive and flexible curricular guidance in cybersecurity education that will support future program development and associated educational efforts at the post-secondary level”. The key characteristics of the programme are: i) a computing based foundation, ii) a body of knowledge capturing essential knowledge and skills, iii) cultivating an adversarial mind-set, and iv) emphasis on ethical conduct and professional responsibilities. In terms of knowledge, there are eight key areas: data security, software security, component security, connection security, system security, human security, organisational security and societal security.

The NICE (National Initiative for Cybersecurity Education) Cybersecurity Workforce Framework[6] is a US government initiative to describe cybersecurity skills and align them with professional roles. For example, for an Information Systems Security Manager one of the many knowledge items is “Knowledge of risk management processes (e.g., methods for assessing and mitigating risk)”, and one of their skills is “creating policies that reflect system security objectives”. Hence, this tool can be used to evaluate if the educational activities meet the demands of the workplace.

The CISSP Common Body of Knowledge (CBK)[7] is central to the CISSP certification programme and identifies a peer-developed compendium of what a competent cybersecurity professional must know.

The Cyber Security Body of Knowledge[8] (CyBOK) is a UK research project that organises the generally recognised knowledge on cybersecurity that exists in textbooks, research articles and security standards. This supports learning pathways through the jungle of information. There are five central categories for cyber security learning: i) Human, Organisational and Regulatory Aspects, ii) attacks and defences, iii) systems security, iv) software security, and v) infrastructure security.

These initiatives cover common ground but demonstrate the need for cybersecurity graduates to have a broad knowledge base. The NIST framework describes over 50 professional job roles; and while a narrower degree programme could target specific roles in depth (e.g. degrees in ethical hacking and digital forensics), a broad cybersecurity programme leaves more flexibility for the student to find the areas of cybersecurity they are most interested in.

Here at Aston our own degree programme was developed independently of these initiatives, and largely driven by consultation with an employer advisory panel (made up of cybersecurity experts and professionals). However, we can reflect upon similar outcomes in our curriculum as we also target breadth of cybersecurity knowledge and skills. Going beyond the knowledge base, we also seek to produce graduates with strong soft skills to increase their employability. A mandatory placement year in industry gives work experience in cyber security roles, and a year-long team-based security engineering project aims to replicate working situations where soft skills can be nurtured. The ACM curricula recommend a computing-based foundation, and our first year covers a traditional first-year computer science programme where we teach modules in programming, computer systems, and mathematics for computer science. But alongside this we provide a year-long module, “security thinking and fundamentals”, which is designed to give a shallow introduction to the cybersecurity body of knowledge.

We can also reflect that there are new areas of study not considered in these knowledge bases, e.g. security of machine learning systems. This is an important reminder that cybersecurity is a dynamic field that demands up-to-date skills. Degree programmes must be flexible, and indeed it is likely that in three years, when our current cohort embark on their final year, the optional modules available to them will embrace the emerging trends.

Paul Grace, Senior Lecturer in cybersecurity at Aston University, is working with Cranfield University colleagues within the Centre for Innovation in Learning and Education (CILE). The joint virtual centre aims to develop new knowledge in innovative education, business-engaged educational design and innovative delivery modes in undergraduate provision within UK Higher Education. Through joint research, the sharing of best practice and the design of innovative education pathways, Aston and Cranfield Universities are supporting the proposed development of a new model STEM-focused university in Milton Keynes.


This blog has been produced for the Centre for Innovation and Learning in Education, a Catalyst OfS funded project.

[1] https://www2.aston.ac.uk/study/courses/cybersecurity-bsc

[2] https://www.isc2.org/News-and-Events/Press-Room/Posts/2017/06/07/2017-06-07-Workforce-Shortage

[3] https://cybersecurityventures.com/hackerpocalypse-cybercrime-report-2016/

[4] https://www.gov.uk/government/publications/cyber-security-skills-strategy/initial-national-cyber-security-skills-strategy-increasing-the-uks-cyber-security-capability-a-call-for-views-executive-summary

[5] http://cybered.acm.org/

[6] https://www.nist.gov/itl/applied-cybersecurity/nice/resources/nice-cybersecurity-workforce-framework

[7] https://www.isc2.org/Certifications/CBK

[8] https://www.cybok.org/

