An Information Systems Security Course for the Undergraduate Information Systems Curriculum

1. An Information Systems Security Course for the Undergraduate Information Systems Curriculum Grace C. Steele Vojislav Stojkovic Computer Science Department and Jigish S. Zaveri Information Sciences and Systems Department Morgan State University

2. Introduction • Necessary to redesign IS Curricula and introduce course in Information Systems Security to provide students required knowledge, skills, abilities to: • Remain effective in meeting needs of society and student body (Davis et al., 1997; Couger et al., 1995) • Remain current in terms of body of knowledge (lack of coverage of IS security issues in IS curriculum ~ Anderson et al, 2002) • Keep up with changes in technology and environment • Provide strong foundation on which students build lifelong learning/dev • Prepare students to become active learners in digital economy (..it is responsibility of educational system, particularly at undergraduate college-university level, to prepare future IT professionals for dynamic environment of the 21st century ~ Lightfoot, 1999) • Address issues of lack of trained ISS personnel 2

3. Need for a Course in IS Security in the Undergraduate IS Curriculum • IS Security course needed in IS Curriculum due to: • Growth in telecommunications/networking-impact on society • New technology environments (wireless, mobile, virtual) • Financial losses due to lack of effective security (Anderson, 2001) • Organizational, environmental trends (“current IS curricula ….not well aligned with business needs ~ Lee et al., 1995) • Most current ISS courses are at graduate level, vocational training, or located in Computer Science or Engineering Department (www.nstissc.gov/) • Other countries have already incorporated IS security in the undergraduate curriculum core body of knowledge (Underwood et al., 1997) 3

4. Developing New Curriculum • Curriculum changes in higher education due to: • Changes in knowledge, technology, general environment and values • Changes reflect different practices and values of specific knowledge fields (McKeen et al, 1987) • Changes in production and application of academic knowledge • Shifts in emphasis on different criteria used to evaluate production/application of knowledge • Changes in technologies • New curriculum design must address stakeholders: educators, businesses, students and public • Goals and objectives of new curriculum need to be specified 4

5. Development of ISS Course • Name of Course • Information Systems Security • Course Number • INSS XXX – Elective • Dedicated elective course designed for IS seniors • Knowledge and Competency • Application level – 4 (See Table 1 – next slide) • Statement of Needs • Increased demand for IS security professionals in organizations • Goal Statement • Graduates should be able to function in entry-level positions, have basis for career growth 5

6. Level Goal Methods of Delivery Methods of Assessment 1 Awareness Lecture, reading Exam (fill-in-the-blanks, multiple choice, true-false, matching, etc) 2 Literacy Lecture, reading Structured practice, homework, detailed exam 3 Concept and use thereof Lecture, reading, case study and well-structured projects Structured practice, homework, case analysis, detailed exam, and project performance 4 Detailed understanding, application, skilled use Lecture, reading and well-structured projects, ill-structured projects using simulation and modeling tools Structured practice, homework, detailed exam, process performance using simulation and modeling tools, group research projects 5 Skilled use Student-directed project, independent research Research project Table 1. Goal Levels, Methods of Delivery and Assessment(Davis et al, 1997)

7. Development of ISS Course • Goals of IS Security Course: • Learn about security in Microsoft/UNIX/Linux operating systems and programming environments • Learn how to attack and defend system by analyzing system for vulnerabilities and ameliorating those problems • Understand strengths and weaknesses of cryptography for security • Learn how to access and control systems, resources, data • Learn basics of writing security-related programs • Learn about security in networks • Understand how to coordinate hardware and software to provide data security against internal and external attacks • Model systems involved through use of formal models 7

8. Development of ISS Course • Learning Objectives and Outcomes • Knowledge Objectives • The role and importance of security policy • Network-related security threats and solutions • Principles of private/public-key encryption • Principles of authentication • Internet Protocol security architecture (IPSEC) • Application Objectives • Analyzing security protocols for weaknesses • Designing/implementing authentication protocol • Designing and/or implementing an encryption system 8

9. Development of ISS Course • Target Student Population • ISS be included in IS Deployment and Management Practices Presentation Area – of IS’97 Curriculum Model – Level 3: IS majors only • Senior, undergraduate IS majors, IS minors • Students in final year of undergraduate study • Prerequisites (KSA) • All required IS courses • Course Content • Course Outline (See figure 1 - next slide - for the different Learning Units in the Information Systems Security course outline) 9

10. 1. Introduction ·      Internet, Intranet -- Structure, growth, possibilities ·      Related subjects, overview of course · Definition of terms/concepts in computer network and Internet security –basic security principles (privacy, confidentiality, integrity, availability, accountability) -access control, firewalls, biometric devices 2. Threats, Risks and Vulnerabilities ·    Viruses, worms (e.g. Trojan Horses) ·     Intrusion detection and types of attacks ·     Denial of service attacks ·     Security countermeasures 3. Data Security Policies/Admin. Security Procedural Control ·      Institution, legislation, privacy, basic policies/protocols ·      Legal and ethical issues in information systems security 4. Security models ·      Access matrix, multilevel, mandatory, discretionary models ·      Role-Based Access Control 5. Designing Secure Systems Secure system design methodology ·          Evaluation/administration of secure systems 6. Effects of Hardware on Security ·          Modes of operation, protection rings, memory protection 7. Operating Systems Security ·          Unix, Windows XP, Linux ·          Hardened operating systems ·          Types of OS attacks 8. Network Security ·          SSL, Kerberos, VPNs, Wireless systems ·          Dial-up vs. dedicated Public vs. private ·          Traffic analysis 9. Database Security ·       Authorization systems in Oracle and similar database systems. 10. Programming Language Security Programming Language security problems (e.g. buffer overflow, pointers, arrays, etc.) Java security 11. Cryptography Symmetric and public key systems, PKI Strengths (complexity, secrecy, etc.) Encryption, Key management 12. Distributed Systems Security Security in .NET, Sun ONE, WebSphere, other appl servers     Security in XML and Web Services 13. Information Systems Security Policies, Roles and responsibilities ·          Application dependent guidance Figure 1. Information Systems Security Course Outline

11. Development of ISS Course • Instructional Strategies and Testing and Evaluation of Students • Cooperative learning techniques (Slavin, 1990) • Cooperative learning strategies provide positive interdependence, individual accountability and face-to-face interaction • Simulation – learning becomes meaningful when students make association between concepts and ideas (Eggen & Kauchak, 1988) • Group projects • Case studies • Evaluate - using structured practice, homework, detailed exams, process performance using simulation and modeling tools, case study analysis and group research projects 11

12. Implications for IS and Future Research • Changes to Curriculum and Instruction • Requires investment of much resources into process • Bond needs to be established between teaching/learning infrastructure and curricula, between technology infrastructure, classroom and teaching material • Students need to be encouraged to become active learners • New and more effective method of instruction need to be introduced to produce more effective learning • Students should be made part of curriculum development process - more motivated to learn if actively involved • Faculty need to be retrained, new facilities and teaching resources needed 12

13. Implementation of the ISS Course • Implementation issues • Integration into current curriculum • New facilities and equipment • Qualified people to teach course • Development and implementation of new instructional strategies • Changes in internal policies and procedures • Use of industry’s best practices • Joint effort between academia and industry 13

14. Conclusion • No consensus on what information systems security knowledge, skills and abilities to include in undergraduate IS curriculum and placement for material within the curriculum • IS curriculum needs to be updated regularly to reflect rapid changes in environment • Academia needs to work with government and industry on this issue to properly prepare students for an information economy • Students need to be encouraged and motivated to become active learners in digital economy 14

15. Thanks! • The authors would like to thank the following for their support with this research: • NASA’s NERTS project and Ms. Shirl Byron - NRTS Project Director sbyron@morgan.edu at MSU • Dr. William Lupton, Chair, Computer Science Department, MSU • Faculty in the Department of Information Science and Systems, MSU • Carnegie Mellon University 15

16. Authors’ Contact Information • Grace C. Steele – gsteele@morgan.edu • Vojislav Stojkovic – stojkovi@morgan.edu Computer Science Department Morgan State University 1700 E. Cold Spring Lane Baltimore, MD 21251 • Jigish S. Zaveri - jzaveri@jewel.morgan.edu Information Sciences and Systems Department Morgan State University 1700 E. Cold Spring Lane Baltimore, MD 21251 16