acm joint task force to develop global cybersecurity ... · model. stakeholders were invited to...

Report:ACMJointTaskForceSurveytoDevelopGlobalCybersecurityCurricularGuidelines http://csec2017.org October2016

1

ACMJointTaskForcetoDevelopGlobalCybersecurityCurricularGuidelinesSurveyReport–October2016

INTRODUCTION

TheACMJointTaskForceonCybersecurityEducation(JTF)launchedinSeptember2015todevelopthefirstsetofglobalcurricularguidelinesincybersecurityeducation.Cybersecurityisdefinedhereas:

“Acomputing-baseddisciplineinvolvingtechnology,people,information,andprocessestoenableassuredoperations.Itinvolvesthecreation,operation,analysis,andtestingofsecurecomputersystems.Itisaninterdisciplinarycourseofstudy,includingaspectsoflaw,policy,humanfactors,ethics,andriskmanagementinthecontextofadversaries.”

TheJTFisacollaborationbetweenmajorinternationalcomputingsocieties:AssociationforComputingMachinery(ACM),IEEEComputerSociety(IEEECS),AssociationforInformationSystemsSpecialInterestGrouponSecurity(AISSIGSEC),andInternationalFederationforInformationProcessingTechnicalCommitteeonInformationSecurityEducation(IFIPWG11.8).TheJTFgrewoutofthefoundationaleffortsoftheCyberEducationProject(CEP).Afterayearofcommunityengagementanddevelopmentalwork,theJTFlaunchedasurveyinSeptember2016tosolicitbroadinputontheproposedcurricularthoughtmodel.Stakeholderswereinvitedtoparticipateinthesurveythroughdirectinvitations,announcementsinpubliceducationalandscientificforums,socialmediaoutreachviatheJTFwebsiteandLinkedIn,andinvitationssentthroughthedistributionlistsofparticipatingprofessionalassociations.Thisreportsummarizesthe229completedsurveyresponsesreceivedduringthesurveyperiodofSeptember16–October3,2016.

RESPONDENTDEMOGRAPHICS

Gender:Approximately71%(162)ofrespondentsweremale,26%(60)werefemale,andsixrespondentsdidnotindicategender.

Geographicdistribution:Nearly88%(201)ofsurveyrespondentsreportedtheUnitedStatesastheirprimaryworklocation.Theremaining22%ofsurveyrespondentsweredistributedasfollows1:Australia(6),Norway(3),Italy(2),SouthAfrica(2),andSweden(2);withonecompletedsurveyfromeachofthefollowingcountries:Bulgaria,Canada,China,HongKong,India,Netherlands,NewZealand,Portugal,Qatar,Singapore,Slovenia,Spain,andThailand. 1Thenumberofrespondentspercountryisshownintheparentheses.


2

Thechartsbelowprovideadditionalinformationonthebackgroundofsurveyrespondents.

*Respondentswerepermittedtoselectallapplicablestakeholdergroups.

0

50

100

150

200

250 210

3919

4623 15

StakeholderCommunity*

0

20

40

60

80

100

120

140

160

Doctorate Masters Bachelors Associates NoResponse

154

60

8 2 5

HighestDegreeAMained


3

^Degreefieldsrepresentalldegreelevels(doctorate,masters,bachelors,andassociates).

Manyrespondentsreportedholdingmultiplecertifications.Themostfrequentlyheldcertificationsincluded:theCertifiedInformationSystemsSecurityProfessional(CISSP),Security+,CertifiedEthicalHacker(CEH),CertifiedInformationAuditor(CISA),CertifiedInformationSecurityManager(CISM),RiskandInformationSystemControl(RISC),ComputerHackingForensicInvestigator,CiscoCertifiedNetworkAssociate,andMicrosoftCertifiedSystemsEngineer.Certificationsheldbythreeorfewerrespondents

010203040506070

15

70

123

14 122

12 82

12 133 3 3 7

DegreeFields^

05

10152025303540

3832

12 116 5 4 4 4

CerOficaOonsHeld


4

includedCertifiedCyberForensicsProfessional,ProjectManagementProfessional,CiscoCertifiedNetworkAssociate(Security),orCertifiedCouldSecurityProfessional.Ofthe229respondents,31reportedthattheydidnotholdasecurity-relatedcertification.

FEEDBACKONTHEPROPOSEDTHOUGHTMODEL

SurveyparticipantswereaskedtoprovidefeedbackontheJTFcurricularthoughtmodel.ThecurricularthoughtmodelwaspresentedasamodificationofU.S.NationalResearchCouncilNextGenerationScienceStandards(nextgenscience.org).Surveyrespondentswereaskedtocommentspecificallyon(1)thegraphicalrepresentationand(2)thefourstructuralelementsofthethoughtmodel:CoreIdeas,FocusAreas,Practices,andCross-CuttingConceptsforcybersecurityeducation.

• CoreIdeasareknowledgeareasordomains;• FocusAreasaredifferentprofessionalpracticecontexts;• Practicesarethecombinationofknowledgeandskillsthatculminateinto

competencywhenconnectedwithaparticularfocusarea;and• Cross-CuttingConceptsbridgecoreideaspracticeandfocusareas.

Feedbackoneachcomponentisprovidedbelow.

(1)GraphicalRepresentation

Surveyrespondentswereaskedtoconsidertheproposedgraphicandrespondtothe3questionslistedinthetablebelow.


5

StronglyAgree

Agree Neutral Disagree StronglyDisagree

Q1-TheabovegraphicclearlycommunicatesthatengagingincybersecurityinvestigationrequiresnotonlyskillbutalsoknowledgethatisspecifictoeachPractice

47(20.5%)

81(35.4%)

31(13.5%)

53(23.1%)

17(7.4%)

Q2--TheabovegraphicclearlycommunicatesthatCross-CuttingConceptsbridgeCoreIdeas,Practices,andFocusAreas.

72(31.4%)

91(39.7%)

23(10%)

33(14.4%)

10(4.4%)

Q3--TheabovegraphicclearlycommunicatesthatCoreIdeashavethepowertofocuscybersecuritycurriculum,instructionandassessments.

31(13.5%)

67(29.3%)

53(23.1%)

55(24%)

23(10%)

Asindicatedbytheresponsestoeachquestion,surveyrespondentsweregenerallyfavorableaboutthegraphic.However,asummaryofthe73commentsofferedasrespondentnarratives,suggestseveralareasforimprovement:

• IncludespecificPracticeAreasandrevisethegraphictoshowthatmultiplepracticeareasexist.

• Expandthedefinitionofeachofthemodelelementsandclarifythedistinctionbetweenthem.

• Alignthegraphicalrepresentationandthemodelmoretightly.Thecurrentrepresentationisnotintuitiveoreasilyunderstoodwithoutthemodel.

• Simplifythediagram.


6

(2)StructuralElementsoftheThoughtModel

Summaryfeedbackoneachthefourstructuralelementsofthethoughtmodel:CoreIdeas,FocusAreas,Practices,andCross-CuttingConceptsforcybersecurityeducation;isprovidedbelow.

CoreIdeas

CoreIdeasaredefinedasknowledgeareasordomains.SurveyrespondentswereaskedtoreviewtheCoreIdeaslistedbelowand(A)indicateifeachlistedCoreIdeashouldbeincludedinthecurricularvolume;(B)suggestanychangestothedefinitionoftheCoreIdeaandrecommendtheadditionofCoreIdeasnotcurrentlyincluded.

CoreIdeas:

1. InformationSecurity[Includes:informationconfidentiality,dataintegrity,availability,cryptographyandcryptanalysis]

2. SoftwareSecurity[Includes:securesoftwareengineering,softwarereverseengineering,malwareanalysis]

3. SystemSecurity[Includes:availability,authentication,accesscontrols,securesystemsdesign,computernetworkdefenseandCNA/penetrationtesting,reverseengineering(hardware),cyberphysicalsystems,digitalforensics,supplychainmtg]

4. UsableSecurity[Includes:identitymanagement,socialengineering,socialnetworks,human-computerinteraction]

5. OrganizationalSecurity[Includes:riskmanagement,missionassurance,disasterrecovery,businesscontinuity,securityevaluations/compliance,organizationalbehavior,intelligence,economics]

6. SocietalSecurity[Includes:cybercrime,cyberlaw,ethics,policy,privacy,intellectualproperty,professionalresponsibility,globalsocietalimpacts]


7

A.PercentageofrespondentsaffirmingCoreIdea

(B)SummaryCommentsontheCoreIdeas

SurveyrespondentsmadeseveralrecommendationsregardingthelistofCoreIdeas.TherecommendationssummarizedbelowreflectthethemesforeachCoreIdea.

InformationSecurity

• Reconsidertheinclusionofcryptographyandcryptanalysis.ThesetopicsshouldberemovedasCoreIdeasandinsteadincludedastopicsforspecificgroups.

• ProvideamorethoroughrationaleforthesetofCoreIdeasincludedinthemodel.Astheyarepresented,thebreadthoftopicsdoesnotprovidesufficientcurricularfocus.

• Includetopicsofprivacyauthenticationandnon-repudiation.Ifthesetopicsareaddressedintheexistingcategories,clarifytheirplacement.

SoftwareSecurity

• Manyofthetopicsincludedinthecategoryarespecializedandmightnotberelevantfortheallportionsofthebroadaudiencetobeservedbythisdocument.Giventhis,shouldthetopicsherebere-classified.

• Reconsidertheinclusionoftopicsthatseemmorerelatedtopractice.Forexample,malwareanalysisandreverseengineeringmightbemoreappropriatelyclassifiedasapracticeratherthanacoreidea.

• Provideastrongerreferenceto,andconsiderrelabelingthiscategoryas,thesecuritysoftwaredevelopmentlifecycle.

70%75%80%85%90%95%

100% 96%

87%

96%

82%87% 86%

RespondentsAffirmingCoreIdea


8

SystemSecurity

• Severaltopics,whileimportantforsomespecializedareas,arenotrelevantforthebroadaudiencetobeservedbythisdocument.Forinstance,CNA,digitalforensics,andsupplychainmanagementshouldnotbelistedasCoreIdeas.

• Reconsidertheinclusionoftopicsthatseemmorerelatedtopractice.Forexample,hardwarereverseengineeringshouldberemoved.

UsableSecurity

• Identitymanagementisacriticaltopicrelatedtoaccesscontrolbutismisplacedinthiscategory.MoveittoOrganizationalSecurity.

• Considerrelabelingthiscategory.Isthethemehere‘user’or‘humanfactors’security?Ifso,considerusingoneoftheselabelstoclarifythemeaningof‘usable’security.

• Manyoftheideasincludedinthiscategoryaretightlycoupledwithpractice.ThiscontentmaybemisclassifiedasaCoreIdea.

OrganizationalSecurity

• Thetopicsincludedinthiscategoryareimportantbutreconsiderwhetherornottheyhavethesamelevelofimportanceastheothercategories.

• Riskmanagementisacriticaltopicbuttheothercontentincludedinthiscategorymaynotbeasimportant.Forexample,iseconomicsimportanttoincludehere.

• Critical,butmissing,topicsincluderesilienceandphysicalsecurity.Thesetopicsshouldbeadded.

SocietalSecurity

• Thetopicsincludedinthiscategoryareimportantbutreconsiderwhetherornottheyhavethesamelevelofimportanceastheothercategories.Privacyistheonlyexceptiontothiscomment.

• Thecategoryisextremelybroad.Identifythespecifictopicstobeincludedhere.

FocusAreas

FocusAreasaredefinedasdifferentprofessionalpracticecontexts.SurveyrespondentswereaskedtoreviewtheFocusAreaslistedbelowand(A)indicateifeachlistedFocusAreashouldbeincludedinthecurricularvolume;(B)suggestanychangestothedefinitionoftheFocusAreaandrecommendtheadditionofFocusAreasnotcurrentlyincluded.


9

FocusAreas:

1. SecurityandRiskManagement[Includes:Security,Risk,Compliance,Law,Regulations,andBusinessContinuity]

2. CommunicationandNetworkSecurity[Includes:DesigningandProtectingNetworkSecurity]

3. IdentityandAccessManagement[Includes:ControllingAccessandManagingIdentity]

4. SecurityAssessmentandTesting[Includes:Designing,Performing,andAnalyzingSecurityTesting]

5. AssetSecurity[Includes:ProtectingSecurityofAssets]

6. SecurityEngineering[Includes:EngineeringandManagementofSecurity]

7. SecurityOperations[Includes:FoundationalConcepts,Investigations,IncidentManagement,andDisasterRecovery]

8. SoftwareDevelopmentSecurity[Includes:Understanding,Applying,andEnforcingSoftwareSecurity]

(A)PercentageofrespondentsaffirmingFocusArea

0%20%40%60%80%

100%93% 94% 91% 92%

71% 75%91% 88%

RespondentsAffirmingFocusArea


10

(B)SummaryCommentsontheFocusAreas

SurveyrespondentsmadeseveralrecommendationsregardingthelistofFocusAreas.TherecommendationssummarizedbelowreflectthethemesforeachFocusArea.

SecurityandRiskManagement

• Changethelabelofthiscategoryto“Governance,Risk,andCompliance”inordertohighlighttheimportanceofeachofthesetopics.

• Reconsidertheinclusionofbusinesscontinuity.Whileitisanimportanttopic,isitappropriatelycategorizedhere?

• Addaudittothiscategory.

CommunicationandNetworkSecurity

• ThecontentofthisFocusAreashouldbereclassifiedasaCoreIdea.• Clarifythedefinitionofthecategoryandmorepreciselydescribethecontent.

IdentityandAccessManagement

• ThecontentofthisFocusAreaisimportant,butmaybetoonarrowlydefinedtostandasaseparatecategory.

SecurityAssessmentandTesting

• Thiscategoryshouldincludecertificationandaudit.• Whileimportanttopics,thiscategoryistoonarrowandshouldbecombinedwith

anotherfocusarea.

AssetSecurity

• Clarifythedefinitionofassets(e.g.digital/physical/information)inthiscategory.• Whileimportanttopics,thiscategoryistoonarrowandshouldbecombinedwith

anotherfocusarea.

SecurityEngineering

• Clarifythedefinitionofsecurityengineeringasafocusarea.• Excludemanagementfromthiscategory.

SecurityOperations

• Clarifythefoundationconceptstobeincludedinthiscategory.• Respondentsaffirmedtheimportanceofthiscontentwithinthiscategorybut

wereconflictedaboutwhetherthecategorywastoobroadlyortoonarrowlydefined.

SoftwareDevelopmentSecurity

• Clarifyhowthiscategorydiffersfromsecurityengineeringandfromsecurityoperations.Shouldthecategoriesbecombined?


11

OtherComments

• Additionaltopicstoinclude:incidentmanagement,ethics,socialengineering,physicalsecurity,andpolicy.

• Howweretheseareasdetermined?ConsiderusingtheNISTFrameworkandleveragingthecategories:Identify,Protect,Detect,Respond,andRecover.

• Severaloverlappingareasofmanagementshouldbeincluded.

Practice

PracticesarethecombinationofknowledgeandskillsthatculminateintoprofessionalcompetencywhenconnectedwithaparticularFocusArea.Surveyrespondentswereaskedtoconsiderthelistofreferencesbelowand(A)indicateifthepracticesderivedfromthosesourcesshouldbeincludedinthecybersecuritycurricularvolume;and(B)suggestanyadditionalsourcestoinclude.

Practice:

• NationalCybersecurityWorkforceframework–NICE

• NSACenterofAcademicExcellence,KnowledgeUnits-NSAKU

• (ISC)2CertifiedInformationSystemsSecurityProfessional–CISSP

• ACMComputerScienceCurricula2013-CS2013

• ACM/IEEEInformationTechnologyCurriculum2017-IT2017

• SkillsFrameworkfortheInformationAge–SFIA

• InstituteforInformationSecurityProfessionalsFramework2.0-IISP2.0


12

(A)PercentageofrespondentsaffirmingPracticeReference

(B)SummaryCommentsonPracticeReferences

• Donotleantoheavilyonanyofthesereferences.Therelativequalityandvalueofvariousreferenceswasmixedandmanyrespondentsnotedthatrelevancewilldependontheaudience.

• ThereferencesareheavilyUS-centric.Addadditionalglobalreferencepoints.

• Articulatehowtheinclusionofthesepracticereferencesalignswiththepurposeofthecurricularvolume.Thereferenceshavemanyoverlappingconceptsandtheinclusionofmultipleframeworkswillbeconfusing.Asignificantcontributionofthisvolumewouldbetoprovideaguidetooverlappingpracticesinthese,andotherframeworks.

• Cautiouslydistinguishbetweeneducationandtraining–developingskillsversusunderstandingconcepts.

• Academicinstitutionsofvaryingtypescontinuetostruggleintheprocessofmappingtheircurriculatoanyofthesereferences.Guidanceonthisprocesswouldbevaluabletotheaudienceofthiscurricularvolume–notinghowever,thatthevalueofeachreferenceisdependentuponthespecificaudience.

Cross-CuttingConcepts

Cross-CuttingConceptsbridgecoreideas,practicesandfocusareas.SurveyrespondentswereaskedtoreviewtheCross-CuttingConceptslistedbelowand(A)indicateifeach

0%10%20%30%40%50%60%70%80%90%

NICE CAEKUs CISSP ACMCS2013

ACMIT2017

SFIA IISP

85% 81%76%

68%75%

41%

61%

RespondentsAffirmingPracOceReference


13

listedCross-CuttingConceptsshouldbeincludedinthecurricularvolume;(B)suggestanychangestothedefinitionoftheCross-CuttingConceptsandrecommendtheadditionofCross-CuttingConceptsnotcurrentlyincluded.

Cross-CuttingConcepts:

1. AdversarialThinking

2. Risk

3. Confidentiality

4. Integrity

5. Availability

6. Accesscontrol

(A)PercentageofrespondentsaffirmingCross-CuttingConcept

(B)SummaryCommentsonCross-CuttingConcepts

SurveyrespondentsmadeseveralrecommendationsregardingthelistofCross-CuttingConcepts.TherecommendationssummarizedbelowreflectthethemesforeachCross-CuttingConcepts.

84%86%88%90%92%94%96%

89%

95%92% 92%

89% 88%

RespondentsAffirmingCross-CuYngConcepts


14

AdversarialThinking

• Clarifythedefinitionofadversarialthinking.Basedonthedefinition,thisconceptcouldbefoundationaloritcouldbemoreorientedtowardattacker/offensivethinking.

Risk

• Clarifythedefinitionofrisk.IsthisconceptrelatedtoITmanagementorconsideredmorebroadlywithabusiness/organizationalfocus?

Confidentiality

• Theconceptislistedascross-cuttingandasaCoreIdea.Clarifythedistinctionandthedefinitionoftheterm.

Integrity


Availability


Accesscontrol

• Accesscontrolisnotatthesamelevelofimportanceastheothercross-cuttingconcepts.

• Clarifythedefinitionofaccesscontrol.Isitmorethanamechanismoratechnology?

OverallComments

• Clarifythedefinitionofcross-cuttingconcepts.Whatistheunderlyingprinciplethatguidesthecontentofthissection?Istheintenttoprovidefoundationalknowledgeorcross-cuttingideas?Rethinktheleveloftheconceptsandthebreadthoftopicsincludedinthecategory.

• Consideraddingethics,privacy,non-repudiationandhuman-factors/people-orientedideas.

SummaryCommentsontheThoughtModel

Generalfeedbackonthethoughtmodelprovidedadditionalinsightforthedevelopmentprocess.Summarycommentsinclude:

• Clarifytheintendedaudienceofthecurricularvolume.• Clarifythedefinitionsanddistinguishbetweentheelements.• Provideadditionalinformationonthecontentofeachofthecategories.


15

• Simplifythemodel.• Providealogicalplacementforemergingtopics.

Thisreportprovidesanoverviewofthefeedbackreceivedfromthestakeholdersurveyonthedevelopmentofthefirstsetofglobalcybersecuritycurricularguidelines.TheJointTaskForcecontinuestoreviewandincorporatethedetailedfeedbackintothedevelopmentprocess.

ThefirstdraftoftheCybersecurityCurricularVolumewillbereleasedtothepublicinlate2016.Communityengagementopportunitieswillbecontinuouslyupdatedonthecsec2017.orgwebsiteandcommunitymembersarewelcometoprovidespecificfeedbacktotheJTFviathatwebsiteatanytime.

TheJointTaskForcewillholdaSpecialSessionattheACMSIGCSEMeeting,March8-11,2017inSeattle,WashingtonUSAtodiscussthedraftdocument.Detailsonthespecifictimeandlocationofthespecialsessionareforthcoming.Pleaseplantoattend.

acm joint task force to develop global cybersecurity ... · model. stakeholders were invited to...

Documents