Spafford Information Security Article


Gene Spafford on IT Security Education

While the infosec profession has grown dramatically, the formal curriculum in college education still needs improvement. (Part of the What Happens Next security predictions series.)


By Dr. Gene Spafford

November 17, 2008, CSO — The majority of programs at colleges and universities around the country are certainly doing a good job of training people to go into positions in IT. In fact, we have a greater demand among employers for students than we have students to fill positions. That said, there are some areas where we lack students who graduate with the right amount of expertise and focus. IT security and cyber forensics are areas where we have a critical need for workers in the field.

Computer science has been undergoing a transition over the last few years in academia. We've gone from teaching fundamentals for construction and systems to focusing more on all the places where computing can make a difference. The transition has been more to concepts at higher levels, with languages and graphics and network computation, than we saw five years ago. Before, computer science was focused more on program solutions around individual host computers and only some distributed computation. Now we are seeing more and more with large scale networks, cloud computing, Google apps, just to name a few. The field is shifting in that direction.

The security implications of these things are not known, or are being dismissed. The companies pushing these solutions are more interested in the business case than in the possible negatives. For instance, there are some interesting issues related to privacy of information that is stored and calculated remotely -- companies that have access to that data may be able to use it in marketing, which means more profit for them. They aren't motivated to find new ways to protect it.

Universities don't often have a financial interest in a particular technology. Thus, they are often in a better position to compare technologies, find flaws, look at unusual extensions, and otherwise explore the issues.

There are now areas of specialization that need more concentration at the machine level -- lower-level network protocols, assembly language and analysis. But these areas are not part of the core curriculum anymore and often not even offered as electives because so few students are interested in these machine-level areas. Interest waned because for many schools, the kinds of employers that court students, that pay the most, and where student interest lies, require that higher-level skill set. If you are Google, Yahoo, Amazon or eBay, you want students that can do high-level, network-level programming and handle web-design issues. This creates a problem for students who need lower-level knowledge as a specialization area. If someone is going into a field that needs to do real-time control in aircraft, or needs to do forensic analysis of malware for criminal activity, they need a very different skill set.

Infosec principles, in general, are not in the regular IT curriculum and a reasonable core curriculum for infosecurity has yet to be determined. Some places, such as Purdue, offer courses in secure programming, but they are electives. A very few places have formally integrated the material into coursework. However, until curricular material is widely available, coverage will be spotty.

Many of the programming flaws that are common are actually taught against in almost every curriculum. For example, every text and course I know about for beginning programming teaches to avoid buffer overflows -- if it is possible in the language being used in the course. Problems arise because students don't pay attention sufficiently, because they are pressed for time and avoid the necessary safeguards, they switch languages to something where they have not been trained, or they end up in environments where productivity is stressed more than quality.
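The flaw and the safeguard mentioned above, as an added C example that is not part of the interview: a fixed-size copy written the way beginners are warned against, beside the bounded, size-checked version a course would teach. The function names, the 16-byte `NAME_MAX` and the `account` record are assumptions for illustration, not anything from the original.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16  /* assumed buffer size for the illustration */

/* The pattern every beginner course warns against: strcpy() trusts the
 * caller to guarantee that src fits. A longer name writes past the end of
 * dst, which is undefined behaviour and, in practice, clobbers whatever
 * sits next to the buffer. Deliberately unsafe; shown only for contrast
 * and never called with oversized input below. */
void store_name_unchecked(char *dst, const char *src) {
    strcpy(dst, src);
}

/* The safeguard the course teaches: bound the scan for the terminator by
 * the destination size, refuse input that does not fit (terminator
 * included) and copy only after the check has passed. Returns 0 on
 * success and -1 on rejection; dst is left untouched when -1 is returned. */
int store_name_checked(char *dst, size_t dst_size, const char *src) {
    /* memchr() stops at the first NUL, so it never reads more than
     * dst_size bytes of src. No NUL within dst_size bytes means src plus
     * its terminator cannot fit, i.e. the copy would overflow. */
    const char *nul = memchr(src, '\0', dst_size);
    if (nul == NULL) {
        return -1;  /* reject rather than silently truncate */
    }
    memcpy(dst, src, (size_t)(nul - src) + 1);  /* +1 carries the NUL */
    return 0;
}

/* Hypothetical record showing what an overflow would land on: a privilege
 * flag placed right after the name. Layout is compiler-dependent; this is
 * an illustration of adjacency, not a guarantee. */
struct account {
    char name[NAME_MAX];
    int  is_admin;
};

int main(void) {
    struct account a = { "", 0 };
    const char *fits      = "exactly15chars!";   /* 15 chars + NUL = 16 bytes */
    const char *oversized = "sixteen_chars_xx";  /* 16 chars + NUL = 17 bytes */

    /* Fitting name: copied, flag untouched. */
    int rc1 = store_name_checked(a.name, sizeof a.name, fits);
    printf("fits:      rc=%d name=\"%s\" is_admin=%d\n", rc1, a.name, a.is_admin);

    /* Oversized name: rejected before any byte is written, so neither the
     * name nor the adjacent is_admin flag changes. The unchecked version
     * would have written the 17th byte into is_admin instead. */
    int rc2 = store_name_checked(a.name, sizeof a.name, oversized);
    printf("oversized: rc=%d name=\"%s\" is_admin=%d\n", rc2, a.name, a.is_admin);
    return 0;
}
```

The check and the copy use the same `dst_size`, which is the point: the flaw usually enters when the buffer's size and the copy's length are decided in two different places, or when a student moves from a language that bounds-checks for them to one that does not.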

There are security problems that are more subtle than programming flaws. Concentrating on those, rather than on the bigger picture, means that in a few years we are likely to have a different list of common problems.

One criticism I hear from some companies is that students don't come out with enough understanding of problem solving for real-world situations. They have really good book knowledge, but not enough understanding of practical application. As a field, we are continuing to evolve. It appears that producing a well-rounded graduate who really knows both the field and practical application would probably take six years. So we are seeing more students go back for master's degrees now to pick up that additional knowledge.

- As told to Joan Goodchild
