An undergraduate business information security course and laboratory

Journal of Information Systems Education, 2002 by Grimaila, Michael Russell, Kim, Inkoo

Providing students with the opportunity to interface with practicing InfoSec professionals is an important way to link the curriculum to the corporate world. Throughout the semester, guest speakers from industry were invited to speak to the class and give students insight into the InfoSec profession. Students were also encouraged to attend InfoSec-related forums whenever possible. For example, in April of 2002 the Center for the Management of Information Systems at TAMU sponsored a Business Information Security Forum and invited professionals from a number of companies including Texas Instruments, JC Penney, Dell, Price Waterhouse Coopers, and Deloitte & Touche to discuss their views, in an open forum setting, on the topic of Information Security. The forum provided an excellent environment for companies to share "war stories" and provided students with a better understanding of the issues surrounding information security in the corporate environment.

3.6 Final Project

The final project was designed as a vehicle for students to experience the dynamics of group learning in the corporate environment. The goal of the project was for students to develop a deeper understanding of a specific InfoSec technology area, create a presentation targeted at upper management, and make recommendations about incorporating the technology. At the beginning of the semester, students were asked to form groups of three and were given the task of selecting a new InfoSec technology to investigate. Each group had to conduct preliminary research and write a brief one-page proposal to the instructor about the topic they selected. Yurcik describes this "Project Approach" (Yurcik - Approaches, 2001). Upon approval, each group was required to write a report and produce a brief presentation at the end of the semester on their topic. Students were restricted in the number of slides and the amount of technical detail used in their presentation to simulate the interaction between midlevel and upper management. The use of a group project highlighted the dynamics of group learning, scheduling, resource allocation, and conflict resolution in the corporate environment. Further, students had to "sell" their security solution to the instructor, who played the role of a member of upper management who viewed security as a resource drain with no tangible value. The ability to communicate effectively is a very important attribute for any aspiring InfoSec professional to possess.

4. LABORATORY DESIGN PHILOSOPHY AND CONTENT

In order for students to learn the skills required to protect their corporate information assets, they need to gain a deeper understanding of the strengths and weaknesses of information system technologies. For this reason, we chose to incorporate a security laboratory experience into the course design.

4.1 Different Approaches

We identified two different approaches one can take when developing security exercises in a sandbox environment. The first approach is described by Hill (Hill, 2000) and Welch (Welch, 2002), and incorporates attack-defense exercises involving two opposing groups: the attackers (black hats) and the defenders (white hats). In Hill's approach, students are assigned to one of the two groups at the beginning of the semester. As the semester progresses, the two groups engage in cyber combat with each other outside of class time while they learn about attack and defense strategies during class. In contrast, Welch's approach assigns all students to be white hats and recruits black hats from external organizations. A majority of the semester is allocated for students to learn how to set up, administer, and defend a network. During this time, students learn about effective defenses by perpetrating attacks on their own systems. Finally, the semester culminates when the external attackers are allowed to attempt to compromise the student systems during a one-week period.

Content provided in partnership with ProQuest