An undergraduate business information security course and laboratory

Journal of Information Systems Education, 2002 by Grimaila, Michael Russell, Kim, Inkoo

ABSTRACT

In an environment of growing security threats, it is essential to raise the awareness and capabilities of business students entering the workforce to mitigate threats to the enterprise. In this paper, the authors present their experience in the design, implementation, and teaching of a foundation undergraduate business information security course with laboratory components using security tools. The authors identify key resources consulted in the development of the curriculum and discuss various teaching methods and their effectiveness in offering the course for the first time.

Keywords: Information security management education, information system security pedagogy.

1. INTRODUCTION

Information Security (InfoSec) is a unique field of study in that it is rapidly changing; it requires knowledge in diverse subject areas including engineering, ethics, law, management, policy, and social sciences; and it can be impacted (both positively and negatively) by the actions of everyone in the enterprise. A key question is how to deliver effective InfoSec education to undergraduate business students. The purpose of this paper is to document our efforts to address this question through the development of a new undergraduate InfoSec course.

2. MOTIVATION

Corporate responsibility dictates the need to protect the enterprise against harm from competitors, criminals, hackers and other security threats (CSI/FBI, 2002). As a result, there is an increasing demand for InfoSec professionals. Texas A&M University (TAMU) has placed a high priority on the development of Information Assurance and Security (IAS) curriculum and research programs across all departments within the university to address this critical need. There are two primary thrusts of the educational component of this program: 1) to develop undergraduate and graduate foundation courses in IAS, and 2) to develop specialization courses in each of the departments to facilitate the creation of an interdisciplinary IAS certificate at the Master's and Ph.D. level. The course development discussed in this paper addresses the first element through the development of a foundation undergraduate IAS course targeted towards MIS undergraduate students.

3. COURSE DESIGN PHILOSOPHY AND CONTENT

The diversity of knowledge that is required to effectively practice business information security is enormous. It requires that the practitioner be well versed in a number of different technical, social, and political skills (Irvine, 1998). Since InfoSec technology is rapidly evolving, it is essential that the individual not only be grounded in the basics of the technology, but also be capable of continually learning about new developments in the field, which can occur daily. Further, one must also appreciate the importance of security policy development, implementation, and awareness in the overall success of a security program (Miller, 1997). Finally, there are political ramifications when implementing security programs. Students must be aware of these political issues in order to be successful when dealing with management, other organizational units, and end users.

The authors recognize it is not possible to teach students everything they need to know about InfoSec in a single semester course. However, we believe that we can provide a foundation course that provides basic knowledge and experiences and fosters the ability of the individual student to continue to grow and develop their InfoSec skill set.

3.1 Target Audience

When developing a curriculum, it is essential to consider the existing skill sets and needs of the target audience. Ideally, all InfoSec practitioners should be familiar with: 1) research, development, and application of technical principles (know how to make); 2) application of industry accepted techniques and practices (know how to use); and 3) non-technical aspects such as policy development, resource allocation, and risk assessment and management (know how to manage). While engineers focus on the first element and system administrators on the second, an effective business InfoSec manager should be more familiar with the third element. Barnett (Barnett, 1996) identifies the need for different InfoSec education and training based upon the particular role an individual plays. He describes two categories of security related jobs: One that deals with pragmatic and operational issues (operational computer security), and the other that provides technical solutions through research and development (computer security technology). Based upon this categorization, our students more properly belong to the first group, although the division is not absolute. Barnett also identifies the benefit of providing dedicated courses for non-technical majors in InfoSec.

3.2 Reference Materials

The authors consulted a wide variety of sources during the development of this course. In this section, we will discuss only the most relevant reference materials that guided our curriculum development.

In 1992, the International Information Security Foundation (I2SF) formed a committee to develop and promulgate generally accepted system security principles (I2SF, 2002). The committee produced a summary document known as the Generally Accepted System Security Principles (GASSP) that identified a core set of "best practice" InfoSec principles that were collected from practicing InfoSec professionals. The GASSP further divided the principles hierarchically from high-level Pervasive Principles (PPs), through mid-level Broad Functional Principles (BFPs), to low-level Detailed Principles (DPs). We drew upon the PPs and BFPs as a set of core principles to highlight in the course.

 
