An Information Systems Security Course for the Undergraduate Information Systems Curriculum

Grace C. Steele and Vojislav Stojkovic, Computer Science Department, and Jigish S. Zaveri, Information Sciences and Systems Department, Morgan State University


Page 1: An Information Systems Security Course for the Undergraduate  Information Systems Curriculum

An Information Systems Security Course for the Undergraduate Information Systems Curriculum

Grace C. Steele

Vojislav Stojkovic

Computer Science Department

and

Jigish S. Zaveri

Information Sciences and Systems Department

Morgan State University

Page 2: An Information Systems Security Course for the Undergraduate  Information Systems Curriculum

ISECON 2003 – San Diego, CA, Nov 6-9 2003

Introduction

Necessary to redesign IS curricula and introduce a course in Information Systems Security to provide students the required knowledge, skills and abilities to:

• Remain effective in meeting needs of society and student body (Davis et al., 1997; Couger et al., 1995)
• Remain current in terms of body of knowledge (lack of coverage of IS security issues in IS curriculum ~ Anderson et al., 2002)
• Keep up with changes in technology and environment
• Provide strong foundation on which students build lifelong learning/development
• Prepare students to become active learners in digital economy (...it is responsibility of educational system, particularly at undergraduate college-university level, to prepare future IT professionals for dynamic environment of the 21st century ~ Lightfoot, 1999)
• Address issues of lack of trained ISS personnel

Page 3: An Information Systems Security Course for the Undergraduate  Information Systems Curriculum


Need for a Course in IS Security in the Undergraduate IS Curriculum

IS Security course needed in IS Curriculum due to:

• Growth in telecommunications/networking - impact on society
• New technology environments (wireless, mobile, virtual)
• Financial losses due to lack of effective security (Anderson, 2001)
• Organizational, environmental trends (“current IS curricula ... not well aligned with business needs” ~ Lee et al., 1995)
• Most current ISS courses are at graduate level, vocational training, or located in Computer Science or Engineering Department (www.nstissc.gov/)
• Other countries have already incorporated IS security in the undergraduate curriculum core body of knowledge (Underwood et al., 1997)

Page 4: An Information Systems Security Course for the Undergraduate  Information Systems Curriculum


Developing New Curriculum

Curriculum changes in higher education due to:

• Changes in knowledge, technology, general environment and values
• Changes reflect different practices and values of specific knowledge fields (McKeen et al., 1987)
• Changes in production and application of academic knowledge
• Shifts in emphasis on different criteria used to evaluate production/application of knowledge
• Changes in technologies

New curriculum design must address stakeholders: educators, businesses, students and public

Goals and objectives of new curriculum need to be specified

Page 5: An Information Systems Security Course for the Undergraduate  Information Systems Curriculum


Development of ISS Course

• Name of Course: Information Systems Security
• Course Number: INSS XXX – Elective (dedicated elective course designed for IS seniors)
• Knowledge and Competency: Application level – 4 (See Table 1 – next slide)
• Statement of Needs: Increased demand for IS security professionals in organizations
• Goal Statement: Graduates should be able to function in entry-level positions, have basis for career growth

Page 6: An Information Systems Security Course for the Undergraduate  Information Systems Curriculum

Table 1. Goal Levels, Methods of Delivery and Assessment (Davis et al., 1997)

| Level | Goal | Methods of Delivery | Methods of Assessment |
|---|---|---|---|
| 1 | Awareness | Lecture, reading | Exam (fill-in-the-blanks, multiple choice, true-false, matching, etc.) |
| 2 | Literacy | Lecture, reading | Structured practice, homework, detailed exam |
| 3 | Concept and use thereof | Lecture, reading, case study and well-structured projects | Structured practice, homework, case analysis, detailed exam, and project performance |
| 4 | Detailed understanding, application, skilled use | Lecture, reading and well-structured projects, ill-structured projects using simulation and modeling tools | Structured practice, homework, detailed exam, process performance using simulation and modeling tools, group research projects |
| 5 | Skilled use | Student-directed project, independent research | Research project |

Page 7: An Information Systems Security Course for the Undergraduate  Information Systems Curriculum


Development of ISS Course

Goals of IS Security Course:

• Learn about security in Microsoft/UNIX/Linux operating systems and programming environments
• Learn how to attack and defend system by analyzing system for vulnerabilities and ameliorating those problems
• Understand strengths and weaknesses of cryptography for security
• Learn how to access and control systems, resources, data
• Learn basics of writing security-related programs
• Learn about security in networks
• Understand how to coordinate hardware and software to provide data security against internal and external attacks
• Model systems involved through use of formal models

Page 8: An Information Systems Security Course for the Undergraduate  Information Systems Curriculum


Development of ISS Course

Learning Objectives and Outcomes

Knowledge Objectives

• The role and importance of security policy
• Network-related security threats and solutions
• Principles of private/public-key encryption
• Principles of authentication
• Internet Protocol security architecture (IPSEC)

Application Objectives

• Analyzing security protocols for weaknesses
• Designing/implementing authentication protocol
• Designing and/or implementing an encryption system

Page 9: An Information Systems Security Course for the Undergraduate  Information Systems Curriculum


Development of ISS Course

Target Student Population

• ISS to be included in IS Deployment and Management Practices Presentation Area – of IS’97 Curriculum Model – Level 3: IS majors only
• Senior, undergraduate IS majors, IS minors
• Students in final year of undergraduate study

Prerequisites (KSA)

• All required IS courses

Course Content

• Course Outline (See Figure 1 - next slide - for the different Learning Units in the Information Systems Security course outline)

Page 10: An Information Systems Security Course for the Undergraduate  Information Systems Curriculum

Figure 1. Information Systems Security Course Outline

1. Introduction
   · Internet, Intranet -- Structure, growth, possibilities
   · Related subjects, overview of course
   · Definition of terms/concepts in computer network and Internet security
     - basic security principles (privacy, confidentiality, integrity, availability, accountability)
     - access control, firewalls, biometric devices

2. Threats, Risks and Vulnerabilities
   · Viruses, worms (e.g. Trojan Horses)
   · Intrusion detection and types of attacks
   · Denial of service attacks
   · Security countermeasures

3. Data Security Policies/Admin. Security Procedural Control
   · Institution, legislation, privacy, basic policies/protocols
   · Legal and ethical issues in information systems security

4. Security models
   · Access matrix, multilevel, mandatory, discretionary models
   · Role-Based Access Control

5. Designing Secure Systems
   · Secure system design methodology
   · Evaluation/administration of secure systems

6. Effects of Hardware on Security
   · Modes of operation, protection rings, memory protection

7. Operating Systems Security
   · Unix, Windows XP, Linux
   · Hardened operating systems
   · Types of OS attacks

8. Network Security
   · SSL, Kerberos, VPNs, Wireless systems
   · Dial-up vs. dedicated, public vs. private
   · Traffic analysis

9. Database Security
   · Authorization systems in Oracle and similar database systems

10. Programming Language Security
   · Programming language security problems (e.g. buffer overflow, pointers, arrays, etc.)
   · Java security

11. Cryptography
   · Symmetric and public key systems, PKI
   · Strengths (complexity, secrecy, etc.)
   · Encryption, key management

12. Distributed Systems Security
   · Security in .NET, Sun ONE, WebSphere, other application servers
   · Security in XML and Web Services

13. Information Systems Security Policies, Roles and responsibilities
   · Application dependent guidance

Page 11: An Information Systems Security Course for the Undergraduate  Information Systems Curriculum


Development of ISS Course

Instructional Strategies and Testing and Evaluation of Students

• Cooperative learning techniques (Slavin, 1990)
• Cooperative learning strategies provide positive interdependence, individual accountability and face-to-face interaction
• Simulation – learning becomes meaningful when students make association between concepts and ideas (Eggen & Kauchak, 1988)
• Group projects
• Case studies
• Evaluate - using structured practice, homework, detailed exams, process performance using simulation and modeling tools, case study analysis and group research projects

Page 12: An Information Systems Security Course for the Undergraduate  Information Systems Curriculum


Implications for IS and Future Research

Changes to Curriculum and Instruction

• Requires investment of many resources into the process
• Bond needs to be established between teaching/learning infrastructure and curricula, between technology infrastructure, classroom and teaching material
• Students need to be encouraged to become active learners
• New and more effective methods of instruction need to be introduced to produce more effective learning
• Students should be made part of curriculum development process - more motivated to learn if actively involved
• Faculty need to be retrained, new facilities and teaching resources needed

Page 13: An Information Systems Security Course for the Undergraduate  Information Systems Curriculum


Implementation of the ISS Course

Implementation issues

• Integration into current curriculum
• New facilities and equipment
• Qualified people to teach course
• Development and implementation of new instructional strategies
• Changes in internal policies and procedures
• Use of industry’s best practices
• Joint effort between academia and industry

Page 14: An Information Systems Security Course for the Undergraduate  Information Systems Curriculum


Conclusion

No consensus on what information systems security knowledge, skills and abilities to include in undergraduate IS curriculum and placement for material within the curriculum

IS curriculum needs to be updated regularly to reflect rapid changes in environment

Academia needs to work with government and industry on this issue to properly prepare students for an information economy

Students need to be encouraged and motivated to become active learners in digital economy

Page 15: An Information Systems Security Course for the Undergraduate  Information Systems Curriculum


Thanks!

The authors would like to thank the following for their support with this research:

• NASA’s NERTS project and Ms. Shirl Byron - NRTS Project Director at MSU
• Dr. William Lupton, Chair, Computer Science Department, MSU
• Faculty in the Department of Information Science and Systems, MSU
• Carnegie Mellon University

Page 16: An Information Systems Security Course for the Undergraduate  Information Systems Curriculum


Authors’ Contact Information

1. Grace C. Steele

2. Vojislav Stojkovic

Computer Science Department
Morgan State University
1700 E. Cold Spring Lane
Baltimore, MD 21251

3. Jigish S. Zaveri

Information Sciences and Systems Department
Morgan State University
1700 E. Cold Spring Lane
Baltimore, MD 21251