Over the past 20 years I have witnessed the progression of computer security defenses as they reacted to the ever-increasing volume and sophistication of attacks. Emphasis on defensive approaches often focuses on purely technology-based solutions (i.e. first firewall). Today’s attackers are not just exploiting software vulnerabilities, but more and more human vulnerabilities. Unlike software vulnerabilities, many of these human “bugs” cannot be simply patched with a download from the Internet; they require formal security awareness and education to mitigate. It has long been recognized there is an urgent need to improve security education and the security community needs to begin educating a broader audience than just those who work in technology.
The primary method for educating the general public about cybersecurity has been to construct “Top 10” security lists. This approach is neither effective nor sufficient as it is poor pedagogical practice to believe that students -- or anyone for that matter -- can remember, understand and apply knowledge when the educator provides them with nothing more than a single-page, bullet-point list of security tasks to perform. Top 10 lists communicate a false sense of security to their readers as they imply that security can be achieved simply by following these broad steps. What happens -- and it will happen, often -- when a student is presented with a situation not covered by a bullet point?
Formal computer security education is the key to combating the risks and vulnerabilities intrinsic to the Information Age. Each day, people are inundated with alerts and pop-ups informing them about patch updates, antivirus signatures, and firewall exceptions, but they lack the proper education or vocabulary to make value-based decisions regarding the benefits and consequences of taking specific action on these items. What a formal pedagogical approach to practical computer security education provides is the context and knowledge for students to apply computer security best practices when faced with a novel situation and the ability to be proactive, not reactive, in the face of new threats.
About Douglas Jacobson
TITLE: Professor Electrical and Computer Engineering, Director ISU Information Assurance Center
COMPANY: Iowa State University
- Credentials: Ph.D, computer engineering; Certified Forensic Computer Examiner, IEEE Fellow
- In 2000, led the creation of the Information Assurance Center at Iowa State University, which offers one of the largest and oldest information assurance degree programs in the country.
- Oversees the Internet-Scale Event and Attack Generation Environment (ISEAGE), which is dedicated to creating a virtual Internet for research, design and testing of new cyber defense mechanisms as well as analysis of cyberattacks.
- Pioneer in developing security educational programs at all levels -- high school, undergraduate, and graduate.
- Created computer security summer camp for high schoolers, which led to the first high school Cyber Defense Competition in 2006.
- Developed a new course designed to teach basic computer security concepts to non-IT people.
Computer security education shouldn’t be exclusive to technical audiences. If abstracted correctly, practical security education can be made accessible to readers with minimal technical backgrounds. We all perform the same basic routines on our computers and on the Internet each day. During an average day, people use passwords, connect to the Internet on an unsecure wireless connection, share media via external devices, surf the Web, click on hyperlinks, share information via social networking, and much more. Each of these actions involves a potential risk and can result in malicious consequences, many of which the average person is unaware.
At Iowa State University, we have designed a one-credit, half-semester course entitled “Introduction to Computer Security Literacy” to address this very shortcoming. The purpose of the course is to educate students of all backgrounds and IT experience levels about the inherent risks of using computers and the Internet. It is our belief that the knowledge acquired by students in this course will be immediately applicable and serve students long after they leave the university.
This course differs from past approaches as it puts security in the context of the user and benefits from the formal education setting of the university. Over the eight-week period the course is offered, students are able to internalize the information they have learned and reflect on key concepts. Students are told the real test for the course is not in the classroom, but when they leave the classroom and begin to interact with information technology -- this is where the real application of knowledge occurs. They come back to class weeks later with questions that increase their understanding, have explored their computing environments in the context of security, and read, write, and talk about security on a regular basis.
Society’s collective security depends on every user being security-aware and exhibiting thoughtful discipline over his or her personal information and computing resources. It has long been recognized by security experts that the user is in fact the weakest link in the security chain and technical measures alone cannot and will not solve current cybersecurity threats. So why not target the weakest link and address it in a formal educational environment?
Having presented on the topic of practical computer security to age groups ranging from elementary school children to senior citizens and everywhere in between, I can attest there is both a desire to learn and a need to provide practical computer security education to each of these respective groups (K-12, college, corporations, general public). As educators and computer security practitioners, the task of providing computer users with the opportunity to become knowledgeable about the malicious side of the Internet falls squarely upon our shoulders. Computer security literacy is not only the next step in computer security defense; it may be one of the most important steps we can take. I encourage the security profession to reach out to the public and help make it security literate.
The Security 7 Awards recognize the efforts, achievements and contributions of practitioners in the financial services/banking, telecommunications, manufacturing, retail, government/public sector/non-profit, education and health care/pharmaceutical industries. Click here to learn more about the Security 7 Awards and to see a list of all the winners.