An Information Systems Security Course for the Undergraduate Information Systems Curriculum - PowerPoint PPT Presentation

1
An Information Systems Security Course for the
Undergraduate Information Systems Curriculum
  • Grace C. Steele
  • Vojislav Stojkovic
  • Computer Science Department
  • and
  • Jigish S. Zaveri
  • Information Sciences and Systems Department
  • Morgan State University

2
Introduction
  • Necessary to redesign IS Curricula and introduce
    course in Information Systems Security to provide
    students required knowledge, skills, abilities
    to
  • Remain effective in meeting needs of society and
    student body (Davis et al., 1997; Couger et al.,
    1995)
  • Remain current in terms of body of knowledge
    (lack of coverage of IS security issues in IS
    curriculum; Anderson et al., 2002)
  • Keep up with changes in technology and
    environment
  • Provide strong foundation on which students build
    lifelong learning/dev
  • Prepare students to become active learners in
    digital economy ("...it is responsibility of
    educational system, particularly at undergraduate
    college-university level, to prepare future IT
    professionals for dynamic environment of the 21st
    century", Lightfoot, 1999)
  • Address issues of lack of trained ISS personnel

3
Need for a Course in IS Security in
the Undergraduate IS Curriculum
  • IS Security course needed in IS Curriculum due
    to
  • Growth in telecommunications/networking-impact on
    society
  • New technology environments (wireless, mobile,
    virtual)
  • Financial losses due to lack of effective
    security (Anderson, 2001)
  • Organizational, environmental trends ("current IS
    curricula ... not well aligned with business needs",
    Lee et al., 1995)
  • Most current ISS courses are at graduate level,
    vocational training, or located in Computer
    Science or Engineering Department
    (www.nstissc.gov/)
  • Other countries have already incorporated IS
    security in the undergraduate curriculum core
    body of knowledge (Underwood et al., 1997)

4
Developing New Curriculum
  • Curriculum changes in higher education due to
  • Changes in knowledge, technology, general
    environment and values
  • Changes reflect different practices and values of
    specific knowledge fields (McKeen et al, 1987)
  • Changes in production and application of academic
    knowledge
  • Shifts in emphasis on different criteria used to
    evaluate production/application of knowledge
  • Changes in technologies
  • New curriculum design must address stakeholders:
    educators, businesses, students and public
  • Goals and objectives of new curriculum need to be
    specified

5
Development of ISS Course
  • Name of Course
  • Information Systems Security
  • Course Number
  • INSS XXX Elective
  • Dedicated elective course designed for IS seniors
  • Knowledge and Competency
  • Application level 4 (See Table 1 next slide)
  • Statement of Needs
  • Increased demand for IS security professionals in
    organizations
  • Goal Statement
  • Graduates should be able to function in
    entry-level positions, have basis for career
    growth

6
Table 1. Goal Levels, Methods of Delivery and
Assessment (Davis et al, 1997)

7
Development of ISS Course
  • Goals of IS Security Course
  • Learn about security in Microsoft/UNIX/Linux
    operating systems and programming environments
  • Learn how to attack and defend system by
    analyzing system for vulnerabilities and
    ameliorating those problems
  • Understand strengths and weaknesses of
    cryptography for security  
  • Learn how to access and control systems,
    resources, data
  • Learn basics of writing security-related programs
  • Learn about security in networks
  • Understand how to coordinate hardware and
    software to provide data security against
    internal and external attacks
  • Model systems involved through use of formal
    models

8
Development of ISS Course
  • Learning Objectives and Outcomes
  • Knowledge Objectives
  • The role and importance of security policy
  • Network-related security threats and solutions
  • Principles of private/public-key encryption
  • Principles of authentication
  • Internet Protocol security architecture (IPSEC)
  • Application Objectives
  • Analyzing security protocols for weaknesses
  • Designing/implementing authentication protocol
  • Designing and/or implementing an encryption system

9
Development of ISS Course
  • Target Student Population
  • ISS to be included in the IS Deployment and
    Management Practices Presentation Area of the IS97
    Curriculum Model, Level 3: IS majors only
  • Senior, undergraduate IS majors, IS minors
  • Students in final year of undergraduate study
  • Prerequisites (KSA)
  • All required IS courses
  • Course Content
  • Course Outline (See figure 1 - next slide - for
    the different Learning Units in the Information
    Systems Security course outline)

10
Figure 1. Information Systems Security Course
Outline
  • 1. Introduction
      • Internet, Intranet: structure, growth, possibilities
      • Related subjects, overview of course
      • Definition of terms/concepts in computer
        network and Internet security
      • Basic security principles (privacy,
        confidentiality, integrity, availability,
        accountability)
      • Access control, firewalls, biometric devices
  • 2. Threats, Risks and Vulnerabilities
      • Viruses, worms (e.g. Trojan Horses)
      • Intrusion detection and types of attacks
      • Denial of service attacks
      • Security countermeasures
  • 3. Data Security Policies/Admin. Security
    Procedural Control
      • Institution, legislation, privacy,
        basic policies/protocols
      • Legal and ethical issues in information
        systems security
  • 4. Security models
      • Access matrix, multilevel, mandatory,
        discretionary models
      • Role-Based Access Control
  • 5. Designing Secure Systems
      • Secure system design methodology
  • 7. Operating Systems Security
      • Unix, Windows XP, Linux
      • Hardened operating systems
      • Types of OS attacks
  • 8. Network Security
      • SSL, Kerberos, VPNs, Wireless systems
      • Dial-up vs. dedicated
      • Public vs. private
      • Traffic analysis
  • 9. Database Security
      • Authorization systems in Oracle and
        similar database systems
  • 10. Programming Language Security
      • Programming language security
        problems (e.g. buffer overflow, pointers, arrays,
        etc.)
      • Java security
  • 11. Cryptography
      • Symmetric and public key systems,
        PKI
      • Strengths (complexity, secrecy,
        etc.)
      • Encryption, key management
  • 12. Distributed Systems Security

11
Development of ISS Course
  • Instructional Strategies and Testing and
    Evaluation of Students
  • Cooperative learning techniques (Slavin, 1990)
  • Cooperative learning strategies provide positive
    interdependence, individual accountability and
    face-to-face interaction
  • Simulation learning becomes meaningful when
    students make association between concepts and
    ideas (Eggen & Kauchak, 1988)
  • Group projects
  • Case studies
  • Evaluate - using structured practice, homework,
    detailed exams, process performance using
    simulation and modeling tools, case study
    analysis and group research projects

12
Implications for IS and Future Research
  • Changes to Curriculum and Instruction
  • Requires investment of much resources into
    process
  • Bond needs to be established between
    teaching/learning infrastructure and curricula,
    between technology infrastructure, classroom and
    teaching material
  • Students need to be encouraged to become active
    learners
  • New and more effective methods of instruction need
    to be introduced to produce more effective
    learning
  • Students should be made part of curriculum
    development process - more motivated to learn if
    actively involved
  • Faculty need to be retrained, new facilities and
    teaching resources needed

13
Implementation of the ISS Course
  • Implementation issues
  • Integration into current curriculum
  • New facilities and equipment
  • Qualified people to teach course
  • Development and implementation of new
    instructional strategies
  • Changes in internal policies and procedures
  • Use of industry's best practices
  • Joint effort between academia and industry

14
Conclusion
  • No consensus on what information systems security
    knowledge, skills and abilities to include in
    undergraduate IS curriculum and placement for
    material within the curriculum
  • IS curriculum needs to be updated regularly to
    reflect rapid changes in environment
  • Academia needs to work with government and
    industry on this issue to properly prepare
    students for an information economy
  • Students need to be encouraged and motivated to
    become active learners in digital economy

15
Thanks!
  • The authors would like to thank the following for
    their support with this research:
  • NASA's NERTS project and Ms. Shirl Byron - NRTS
    Project Director sbyron_at_morgan.edu at MSU
  • Dr. William Lupton, Chair, Computer Science
    Department, MSU
  • Faculty in the Department of Information Science
    and Systems, MSU
  • Carnegie Mellon University

16
Authors' Contact Information
  • Grace C. Steele gsteele_at_morgan.edu
  • Vojislav Stojkovic stojkovi_at_morgan.edu
  • Computer Science Department
  • Morgan State University
  • 1700 E. Cold Spring Lane
  • Baltimore, MD 21251
  • Jigish S. Zaveri - jzaveri_at_jewel.morgan.edu
  • Information Sciences and Systems Department
  • Morgan State University
  • 1700 E. Cold Spring Lane
  • Baltimore, MD 21251