- Doug Jacobson and Julie A. Rursch
At least we’re consistent. When it comes to information security in industry or education, we are not taking a holistic approach. Information security is a bolt-on feature. (See our recent column, “The bolt-on information security trend needs to end.”
Business executives on down to the IT staff continue to treat security as a separate issue, handled by IT specialists. Rarely do software or system engineers approach the design of a product with the intent to include security from the start.
It is no different in security education: we don’t educate our computer engineers and computer scientists to take a holistic approach to security. We teach information security in a separate class or, if students are lucky, classes; and these courses are usually electives. Is it any wonder when these individuals leave our hallowed halls to enter the workforce, they treat information security in the same vein?
Why do we do such a poor job in information security education? It is the approach we take to teaching computer engineering, software engineering and computer science. We design a curriculum to help students learn to use logic. That part is good. We have them take sciences and math to learn about the physical world, as well as the ordered reasoning needed to complete advanced math courses. Students must also take the humanities to make them well-rounded individuals with a cursory understanding of the world outside of “geekdom.”
But, when we teach our primary courses, those which set our students apart from others in their knowledge base, we don’t take a holistic approach to their education. We start students in introductory courses that break things into small pieces, which are easier for them relate to and understand. Good for us, we help them get started. But, it’s in the second through fourth years of undergraduate education in computer engineering, software engineering and computer science that it falls apart.
The field is so vast and we have so many different areas to specialize in, we allow students to focus on the details of a language, building hardware, or learning algorithms. We silo information security, instead of incorporating it into every class we teach. As educators, we spend a lot of time focusing on getting students to cover all the basics. We treat security in any area as a topic that is added on at the end of the semester, if we have time; we don’t allocate a lot of time in lectures or in labs on it.
In our software classes, we focus on getting students to program and to learn the aspects of the language. Seldom do we ask them to consider security and rarely, are their programs graded on it. Why else would things like buffer overflows and SQL injections work? Even error or data input checking is a task relegated to the end of the semester, when topics fly by fast and furious so we can “get the material covered.” With our cursory approach to these important topics, is it any wonder that students pay little attention to them?
Security across the Curriculum
Some students specialize in information assurance or information security as part of their majors, and they need specific courses that focus on security topics. But, for the general computer student population, we need to take a more holistic approach to teaching security: it needs to be part of every course and included from the first day.
In this way, we believe that we could take a page from our colleagues in the English department, who have over the course of the past 10 years or so, pushed through a concept of “writing across the curriculum.” The point these faculty made was that English 101 and 102, or their equivalents at various universities, had historically been taught as the two basic courses that every freshman endured. And, then the computer engineering, computer science, and software engineering students could forget about writing.
That, as we all know, is not true. Technical reports, as well as documentation, are an essential part of work in the computing field. At many major universities, computer science students are now required to take additional English courses that occur throughout their four-year career and complement their technical courses. In one example, the technical instructor provides the content, but the English faculty member helps the students write concise summaries and complete the final report for the course.
We believe “security across the curriculum” would be a wiser approach for information security education. It would incorporate security as a topic from the beginning of every course, and we would continue to refer to it as we teach students about the basic concepts in each course. This would then carry over to their work as design engineers or programmers. When sitting down to work on a new project, we always start at the beginning and lay out the landscape. We should include security as part of the design plan. And, the security of the project should be considered at every revision and stage.
So, let’s change the kind of consistency that information security education is known for. We need to endorse “security across the curriculum” in which students learn in every course how important security is to a project. If we teach students to take a holistic approach, it will only follow that they can take this same perspective when they reach the business world.
About the authors
Doug Jacobson is a professor in the department of electrical and computer engineering at Iowa State University and director of the Information Assurance Center, which was one of the original seven NSA-certified centers of academic excellence in information assurance education.
Julie A. Rursch is a lecturer in the department of electrical and computer engineering at Iowa State University and director of the Iowa State University Information Systems Security Laboratory, which provides security training, testing and outreach to support business and industry. Send comments on this column to firstname.lastname@example.org.