Educating and Training Students Not in the Direct Pipeline 27

There are several reasons to provide cyber security education for all students, beyond just those considering cyber security as a profession. The first is simply to raise awareness of the

28

students about cyber security issues, as a complement to and extension of educating “The Public” (see following section). While educating “The Public” tends to be somewhat ad hoc and uneven, educating students a bit more formally can assure more organized and complete coverage of the most important cyber security topics appropriate to specific grade levels. A second reason to provide cyber security education to all students, is to seed other professions with people familiar with cyber security concepts. A great variety of professions beyond cyber security itself will need professionals with at least a basic understanding of cyber security. Professions as disparate as engineering, law, business, finance, public policy, international relations, and others encounter situations requiring knowledge of cyber security beyond what may be taught to “The Public.” Students preparing for many different professions can benefit from cyber security modules, elective courses, or perhaps cyber security minors. A third reason for providing cyber security education for all students is to increase students’ awareness of cyber security as a possible profession, perhaps in combination with another discipline. Ideally there will be pathways to the cyber security profession even for those students making career decisions relatively late in their undergraduate programs.

Means of reaching students outside the cyber security pipeline include short modules that can be injected into various courses (not just computer science or computer engineering), and development of elective courses in cyber security. At least one of the experts we interviewed suggested that high schools should consider modules focused on cyber security as additions to Advanced Placement courses not only in Computer Science (where enrollment may be low), but also in Mathematics and Statistics courses where there are growing numbers of high-performing students. These students may have the aptitude for studying cyber security in college either as a major or as a minor in combination with another discipline. Still others have suggested development of modules for much more elementary courses in a variety of disciplines including the social sciences, cognitive sciences, and management science. It is important to observe that a good education in cyber security, whether for general audiences or specialists, needs to be much broader than just an education in technical subjects. Intel sponsors the development of modules for various STEM topics including cyber security. Recent examples include modules developed for the Youth Stem Network in San Jose and Girls Stem Network in Silicon Valley. An important aspect of these projects is collaboration with the NSF for testing and evaluating the effectiveness of the modules, and collaboration with community organizations and families of the students.

At the college level, cyber security modules have been designed as drop-ins for a variety of technical and non-technical courses (see discussion in Section 4.1.3). The National Science Foundation has sponsored the development of “Security Injections” by Towson University (see Security Injections @ Towson). The injections follow a template consisting of background on the topic, lab or homework assignments, a security checklist consisting of a well-defined set of procedures for identifying the security issue, and discussion questions. Modules cover topics

29

such as buffer overflow, integer overflow, input validation, and risk analysis, and are geared as injects to Computer Science 1 and 2 courses.

Note that there are many modules being developed for specialists and for practical training, but the modules we have in mind include those for the general student.

With any new materials, testing and certification is critical. Such testing is best done by a formal evaluator with educational evaluation experience who interviews both teachers and students before and at several stages after the module is used. It is important to identify in advance those hypotheses the evaluator is testing or desirable outcomes that the module is designed to achieve. At CCICADA and at the Center for Discrete Mathematics and Theoretical Computer Science (DIMACS), which is where CCICADA sits and which was founded as a National Science Foundation “science and technology center,” we test modules by bringing them into the classroom, have a professional evaluator with educational evaluation experience conduct teacher and student evaluations, and have the evaluator interview both teachers and students before and at several stages after the module is used. We ensure that changes are made in the module based on these evaluations and also based upon comments of subject matter experts and educational experts. We are strong believers in modules and in particular in modules that are tested and evaluated by both SMEs and educational experts.

Besides security modules, colleges offer introductory cyber security courses and cyber security electives. As noted above, the military academies require all first year students to take an introductory course that focuses on cyber security, no matter what major the student is pursuing. The academies also offer a number of cyber security electives that are open to other majors, e.g. cryptography, ethics, cyber law, cyber politics, cyber physical systems, etc. Some of these courses are multi-disciplinary in nature and can be taught by faculty in various departments. Spidalieri (2013) analyzed the extent to which the top Master’s-level graduate programs in business (MBA), Public Administration (MPA), Public Policy (MPP), International Relations (IR), Law (MLL), Criminal Justice, and Healthcare Management expose students to cyber security. She analyzed whether each school offered a core course in information technology that included a section on cyber security, whether similar elective courses were offered, whether students had the opportunity to enroll in elective information technology and cyber security courses offered in other departments, and whether occasional conferences or seminars on cyber security were given. Using a scale of 0 to 4 to compare programs, Spidalieri found that no program at any school scored a 4, while numerous schools offered programs scoring below 2, meaning that even top programs in these fields offered rather limited opportunities for their students to learn about cyber security. This is an area where work is needed to develop materials (modules being a prime candidate) to make these courses more relevant to cyber security.

30

In this section we have emphasized education for students in existing programs. However, contextual, on-the-job learning is a key component of cyber security and is centrally related to day to day operations in the cyber security role. This can be done through internships, cyber security warnings such as those provided by federal and state agencies, and regular training modules. More on this topic, especially on the importance of internships, is in Sections 4.1.2, 4.2.5 and 4.4.3.