ACM Joint Task Force to Develop Global Cybersecurity ... · model. Stakeholders were invited to...

Report:ACMJointTaskForceSurveytoDevelopGlobalCybersecurityCurricularGuidelines http://csec2017.org October2016

ACMJointTaskForcetoDevelopGlobalCybersecurityCurricularGuidelinesSurveyReport–October2016

INTRODUCTION

TheACMJointTaskForceonCybersecurityEducation(JTF)launchedinSeptember2015todevelopthefirstsetofglobalcurricularguidelinesincybersecurityeducation.Cybersecurityisdefinedhereas:

“Acomputing-baseddisciplineinvolvingtechnology,people,information,andprocessestoenableassuredoperations.Itinvolvesthecreation,operation,analysis,andtestingofsecurecomputersystems.Itisaninterdisciplinarycourseofstudy,includingaspectsoflaw,policy,humanfactors,ethics,andriskmanagementinthecontextofadversaries.”

TheJTFisacollaborationbetweenmajorinternationalcomputingsocieties:AssociationforComputingMachinery(ACM),IEEEComputerSociety(IEEECS),AssociationforInformationSystemsSpecialInterestGrouponSecurity(AISSIGSEC),andInternationalFederationforInformationProcessingTechnicalCommitteeonInformationSecurityEducation(IFIPWG11.8).TheJTFgrewoutofthefoundationaleffortsoftheCyberEducationProject(CEP).Afterayearofcommunityengagementanddevelopmentalwork,theJTFlaunchedasurveyinSeptember2016tosolicitbroadinputontheproposedcurricularthoughtmodel.Stakeholderswereinvitedtoparticipateinthesurveythroughdirectinvitations,announcementsinpubliceducationalandscientificforums,socialmediaoutreachviatheJTFwebsiteandLinkedIn,andinvitationssentthroughthedistributionlistsofparticipatingprofessionalassociations.Thisreportsummarizesthe229completedsurveyresponsesreceivedduringthesurveyperiodofSeptember16–October3,2016.

RESPONDENTDEMOGRAPHICS

Gender:Approximately71%(162)ofrespondentsweremale,26%(60)werefemale,andsixrespondentsdidnotindicategender.

Geographicdistribution:Nearly88%(201)ofsurveyrespondentsreportedtheUnitedStatesastheirprimaryworklocation.Theremaining22%ofsurveyrespondentsweredistributedasfollows1:Australia(6),Norway(3),Italy(2),SouthAfrica(2),andSweden(2);withonecompletedsurveyfromeachofthefollowingcountries:Bulgaria,Canada,China,HongKong,India,Netherlands,NewZealand,Portugal,Qatar,Singapore,Slovenia,Spain,andThailand. 1Thenumberofrespondentspercountryisshownintheparentheses.

Thechartsbelowprovideadditionalinformationonthebackgroundofsurveyrespondents.

*Respondentswerepermittedtoselectallapplicablestakeholdergroups.

250 210

4623 15

StakeholderCommunity*

Doctorate Masters Bachelors Associates NoResponse

HighestDegreeAMained

^Degreefieldsrepresentalldegreelevels(doctorate,masters,bachelors,andassociates).

Manyrespondentsreportedholdingmultiplecertifications.Themostfrequentlyheldcertificationsincluded:theCertifiedInformationSystemsSecurityProfessional(CISSP),Security+,CertifiedEthicalHacker(CEH),CertifiedInformationAuditor(CISA),CertifiedInformationSecurityManager(CISM),RiskandInformationSystemControl(RISC),ComputerHackingForensicInvestigator,CiscoCertifiedNetworkAssociate,andMicrosoftCertifiedSystemsEngineer.Certificationsheldbythreeorfewerrespondents

010203040506070

14 122

12 133 3 3 7

DegreeFields^

10152025303540

12 116 5 4 4 4

CerOficaOonsHeld

includedCertifiedCyberForensicsProfessional,ProjectManagementProfessional,CiscoCertifiedNetworkAssociate(Security),orCertifiedCouldSecurityProfessional.Ofthe229respondents,31reportedthattheydidnotholdasecurity-relatedcertification.

FEEDBACKONTHEPROPOSEDTHOUGHTMODEL

SurveyparticipantswereaskedtoprovidefeedbackontheJTFcurricularthoughtmodel.ThecurricularthoughtmodelwaspresentedasamodificationofU.S.NationalResearchCouncilNextGenerationScienceStandards(nextgenscience.org).Surveyrespondentswereaskedtocommentspecificallyon(1)thegraphicalrepresentationand(2)thefourstructuralelementsofthethoughtmodel:CoreIdeas,FocusAreas,Practices,andCross-CuttingConceptsforcybersecurityeducation.

• CoreIdeasareknowledgeareasordomains;• FocusAreasaredifferentprofessionalpracticecontexts;• Practicesarethecombinationofknowledgeandskillsthatculminateinto

competencywhenconnectedwithaparticularfocusarea;and• Cross-CuttingConceptsbridgecoreideaspracticeandfocusareas.

Feedbackoneachcomponentisprovidedbelow.

(1)GraphicalRepresentation

Surveyrespondentswereaskedtoconsidertheproposedgraphicandrespondtothe3questionslistedinthetablebelow.

StronglyAgree

Agree Neutral Disagree StronglyDisagree

Q1-TheabovegraphicclearlycommunicatesthatengagingincybersecurityinvestigationrequiresnotonlyskillbutalsoknowledgethatisspecifictoeachPractice

47(20.5%)

81(35.4%)

31(13.5%)

53(23.1%)

17(7.4%)

Q2--TheabovegraphicclearlycommunicatesthatCross-CuttingConceptsbridgeCoreIdeas,Practices,andFocusAreas.

72(31.4%)

91(39.7%)

23(10%)

33(14.4%)

10(4.4%)

Q3--TheabovegraphicclearlycommunicatesthatCoreIdeashavethepowertofocuscybersecuritycurriculum,instructionandassessments.

31(13.5%)

67(29.3%)

53(23.1%)

55(24%)

23(10%)

Asindicatedbytheresponsestoeachquestion,surveyrespondentsweregenerallyfavorableaboutthegraphic.However,asummaryofthe73commentsofferedasrespondentnarratives,suggestseveralareasforimprovement:

• IncludespecificPracticeAreasandrevisethegraphictoshowthatmultiplepracticeareasexist.

• Expandthedefinitionofeachofthemodelelementsandclarifythedistinctionbetweenthem.

• Alignthegraphicalrepresentationandthemodelmoretightly.Thecurrentrepresentationisnotintuitiveoreasilyunderstoodwithoutthemodel.

• Simplifythediagram.

(2)StructuralElementsoftheThoughtModel

Summaryfeedbackoneachthefourstructuralelementsofthethoughtmodel:CoreIdeas,FocusAreas,Practices,andCross-CuttingConceptsforcybersecurityeducation;isprovidedbelow.

CoreIdeas

CoreIdeasaredefinedasknowledgeareasordomains.SurveyrespondentswereaskedtoreviewtheCoreIdeaslistedbelowand(A)indicateifeachlistedCoreIdeashouldbeincludedinthecurricularvolume;(B)suggestanychangestothedefinitionoftheCoreIdeaandrecommendtheadditionofCoreIdeasnotcurrentlyincluded.

CoreIdeas:

1. InformationSecurity[Includes:informationconfidentiality,dataintegrity,availability,cryptographyandcryptanalysis]

2. SoftwareSecurity[Includes:securesoftwareengineering,softwarereverseengineering,malwareanalysis]

3. SystemSecurity[Includes:availability,authentication,accesscontrols,securesystemsdesign,computernetworkdefenseandCNA/penetrationtesting,reverseengineering(hardware),cyberphysicalsystems,digitalforensics,supplychainmtg]

4. UsableSecurity[Includes:identitymanagement,socialengineering,socialnetworks,human-computerinteraction]

5. OrganizationalSecurity[Includes:riskmanagement,missionassurance,disasterrecovery,businesscontinuity,securityevaluations/compliance,organizationalbehavior,intelligence,economics]

6. SocietalSecurity[Includes:cybercrime,cyberlaw,ethics,policy,privacy,intellectualproperty,professionalresponsibility,globalsocietalimpacts]

A.PercentageofrespondentsaffirmingCoreIdea

(B)SummaryCommentsontheCoreIdeas

SurveyrespondentsmadeseveralrecommendationsregardingthelistofCoreIdeas.TherecommendationssummarizedbelowreflectthethemesforeachCoreIdea.

InformationSecurity

• Reconsidertheinclusionofcryptographyandcryptanalysis.ThesetopicsshouldberemovedasCoreIdeasandinsteadincludedastopicsforspecificgroups.

• ProvideamorethoroughrationaleforthesetofCoreIdeasincludedinthemodel.Astheyarepresented,thebreadthoftopicsdoesnotprovidesufficientcurricularfocus.

• Includetopicsofprivacyauthenticationandnon-repudiation.Ifthesetopicsareaddressedintheexistingcategories,clarifytheirplacement.

SoftwareSecurity

• Manyofthetopicsincludedinthecategoryarespecializedandmightnotberelevantfortheallportionsofthebroadaudiencetobeservedbythisdocument.Giventhis,shouldthetopicsherebere-classified.

• Reconsidertheinclusionoftopicsthatseemmorerelatedtopractice.Forexample,malwareanalysisandreverseengineeringmightbemoreappropriatelyclassifiedasapracticeratherthanacoreidea.

• Provideastrongerreferenceto,andconsiderrelabelingthiscategoryas,thesecuritysoftwaredevelopmentlifecycle.

70%75%80%85%90%95%

100% 96%

82%87% 86%

RespondentsAffirmingCoreIdea

SystemSecurity

• Severaltopics,whileimportantforsomespecializedareas,arenotrelevantforthebroadaudiencetobeservedbythisdocument.Forinstance,CNA,digitalforensics,andsupplychainmanagementshouldnotbelistedasCoreIdeas.

• Reconsidertheinclusionoftopicsthatseemmorerelatedtopractice.Forexample,hardwarereverseengineeringshouldberemoved.

UsableSecurity

• Identitymanagementisacriticaltopicrelatedtoaccesscontrolbutismisplacedinthiscategory.MoveittoOrganizationalSecurity.

• Considerrelabelingthiscategory.Isthethemehere‘user’or‘humanfactors’security?Ifso,considerusingoneoftheselabelstoclarifythemeaningof‘usable’security.

• Manyoftheideasincludedinthiscategoryaretightlycoupledwithpractice.ThiscontentmaybemisclassifiedasaCoreIdea.

OrganizationalSecurity

• Thetopicsincludedinthiscategoryareimportantbutreconsiderwhetherornottheyhavethesamelevelofimportanceastheothercategories.

• Riskmanagementisacriticaltopicbuttheothercontentincludedinthiscategorymaynotbeasimportant.Forexample,iseconomicsimportanttoincludehere.

• Critical,butmissing,topicsincluderesilienceandphysicalsecurity.Thesetopicsshouldbeadded.

SocietalSecurity

• Thetopicsincludedinthiscategoryareimportantbutreconsiderwhetherornottheyhavethesamelevelofimportanceastheothercategories.Privacyistheonlyexceptiontothiscomment.

• Thecategoryisextremelybroad.Identifythespecifictopicstobeincludedhere.

FocusAreas

FocusAreasaredefinedasdifferentprofessionalpracticecontexts.SurveyrespondentswereaskedtoreviewtheFocusAreaslistedbelowand(A)indicateifeachlistedFocusAreashouldbeincludedinthecurricularvolume;(B)suggestanychangestothedefinitionoftheFocusAreaandrecommendtheadditionofFocusAreasnotcurrentlyincluded.

FocusAreas:

1. SecurityandRiskManagement[Includes:Security,Risk,Compliance,Law,Regulations,andBusinessContinuity]

2. CommunicationandNetworkSecurity[Includes:DesigningandProtectingNetworkSecurity]

3. IdentityandAccessManagement[Includes:ControllingAccessandManagingIdentity]

4. SecurityAssessmentandTesting[Includes:Designing,Performing,andAnalyzingSecurityTesting]

5. AssetSecurity[Includes:ProtectingSecurityofAssets]

6. SecurityEngineering[Includes:EngineeringandManagementofSecurity]

7. SecurityOperations[Includes:FoundationalConcepts,Investigations,IncidentManagement,andDisasterRecovery]

8. SoftwareDevelopmentSecurity[Includes:Understanding,Applying,andEnforcingSoftwareSecurity]

(A)PercentageofrespondentsaffirmingFocusArea

0%20%40%60%80%

100%93% 94% 91% 92%

71% 75%91% 88%

RespondentsAffirmingFocusArea

(B)SummaryCommentsontheFocusAreas

SurveyrespondentsmadeseveralrecommendationsregardingthelistofFocusAreas.TherecommendationssummarizedbelowreflectthethemesforeachFocusArea.

SecurityandRiskManagement

• Changethelabelofthiscategoryto“Governance,Risk,andCompliance”inordertohighlighttheimportanceofeachofthesetopics.

• Reconsidertheinclusionofbusinesscontinuity.Whileitisanimportanttopic,isitappropriatelycategorizedhere?

• Addaudittothiscategory.

CommunicationandNetworkSecurity

• ThecontentofthisFocusAreashouldbereclassifiedasaCoreIdea.• Clarifythedefinitionofthecategoryandmorepreciselydescribethecontent.

IdentityandAccessManagement

• ThecontentofthisFocusAreaisimportant,butmaybetoonarrowlydefinedtostandasaseparatecategory.

SecurityAssessmentandTesting

• Thiscategoryshouldincludecertificationandaudit.• Whileimportanttopics,thiscategoryistoonarrowandshouldbecombinedwith

anotherfocusarea.

AssetSecurity

• Clarifythedefinitionofassets(e.g.digital/physical/information)inthiscategory.• Whileimportanttopics,thiscategoryistoonarrowandshouldbecombinedwith

anotherfocusarea.

SecurityEngineering

• Clarifythedefinitionofsecurityengineeringasafocusarea.• Excludemanagementfromthiscategory.

SecurityOperations

• Clarifythefoundationconceptstobeincludedinthiscategory.• Respondentsaffirmedtheimportanceofthiscontentwithinthiscategorybut

wereconflictedaboutwhetherthecategorywastoobroadlyortoonarrowlydefined.

SoftwareDevelopmentSecurity

• Clarifyhowthiscategorydiffersfromsecurityengineeringandfromsecurityoperations.Shouldthecategoriesbecombined?

OtherComments

• Additionaltopicstoinclude:incidentmanagement,ethics,socialengineering,physicalsecurity,andpolicy.

• Howweretheseareasdetermined?ConsiderusingtheNISTFrameworkandleveragingthecategories:Identify,Protect,Detect,Respond,andRecover.

• Severaloverlappingareasofmanagementshouldbeincluded.

Practice

PracticesarethecombinationofknowledgeandskillsthatculminateintoprofessionalcompetencywhenconnectedwithaparticularFocusArea.Surveyrespondentswereaskedtoconsiderthelistofreferencesbelowand(A)indicateifthepracticesderivedfromthosesourcesshouldbeincludedinthecybersecuritycurricularvolume;and(B)suggestanyadditionalsourcestoinclude.

Practice:

• NationalCybersecurityWorkforceframework–NICE

• NSACenterofAcademicExcellence,KnowledgeUnits-NSAKU

• (ISC)2CertifiedInformationSystemsSecurityProfessional–CISSP

• ACMComputerScienceCurricula2013-CS2013

• ACM/IEEEInformationTechnologyCurriculum2017-IT2017

• SkillsFrameworkfortheInformationAge–SFIA

• InstituteforInformationSecurityProfessionalsFramework2.0-IISP2.0

(A)PercentageofrespondentsaffirmingPracticeReference

(B)SummaryCommentsonPracticeReferences

• Donotleantoheavilyonanyofthesereferences.Therelativequalityandvalueofvariousreferenceswasmixedandmanyrespondentsnotedthatrelevancewilldependontheaudience.

• ThereferencesareheavilyUS-centric.Addadditionalglobalreferencepoints.

• Articulatehowtheinclusionofthesepracticereferencesalignswiththepurposeofthecurricularvolume.Thereferenceshavemanyoverlappingconceptsandtheinclusionofmultipleframeworkswillbeconfusing.Asignificantcontributionofthisvolumewouldbetoprovideaguidetooverlappingpracticesinthese,andotherframeworks.

• Cautiouslydistinguishbetweeneducationandtraining–developingskillsversusunderstandingconcepts.

• Academicinstitutionsofvaryingtypescontinuetostruggleintheprocessofmappingtheircurriculatoanyofthesereferences.Guidanceonthisprocesswouldbevaluabletotheaudienceofthiscurricularvolume–notinghowever,thatthevalueofeachreferenceisdependentuponthespecificaudience.

Cross-CuttingConcepts

Cross-CuttingConceptsbridgecoreideas,practicesandfocusareas.SurveyrespondentswereaskedtoreviewtheCross-CuttingConceptslistedbelowand(A)indicateifeach

0%10%20%30%40%50%60%70%80%90%

NICE CAEKUs CISSP ACMCS2013

ACMIT2017

SFIA IISP

85% 81%76%

68%75%

RespondentsAffirmingPracOceReference

listedCross-CuttingConceptsshouldbeincludedinthecurricularvolume;(B)suggestanychangestothedefinitionoftheCross-CuttingConceptsandrecommendtheadditionofCross-CuttingConceptsnotcurrentlyincluded.

Cross-CuttingConcepts:

1. AdversarialThinking

2. Risk

3. Confidentiality

4. Integrity

5. Availability

6. Accesscontrol

(A)PercentageofrespondentsaffirmingCross-CuttingConcept

(B)SummaryCommentsonCross-CuttingConcepts

SurveyrespondentsmadeseveralrecommendationsregardingthelistofCross-CuttingConcepts.TherecommendationssummarizedbelowreflectthethemesforeachCross-CuttingConcepts.

84%86%88%90%92%94%96%

95%92% 92%

89% 88%

RespondentsAffirmingCross-CuYngConcepts

AdversarialThinking

• Clarifythedefinitionofadversarialthinking.Basedonthedefinition,thisconceptcouldbefoundationaloritcouldbemoreorientedtowardattacker/offensivethinking.

• Clarifythedefinitionofrisk.IsthisconceptrelatedtoITmanagementorconsideredmorebroadlywithabusiness/organizationalfocus?

Confidentiality

• Theconceptislistedascross-cuttingandasaCoreIdea.Clarifythedistinctionandthedefinitionoftheterm.

Integrity

Availability

Accesscontrol

• Accesscontrolisnotatthesamelevelofimportanceastheothercross-cuttingconcepts.

• Clarifythedefinitionofaccesscontrol.Isitmorethanamechanismoratechnology?

OverallComments

• Clarifythedefinitionofcross-cuttingconcepts.Whatistheunderlyingprinciplethatguidesthecontentofthissection?Istheintenttoprovidefoundationalknowledgeorcross-cuttingideas?Rethinktheleveloftheconceptsandthebreadthoftopicsincludedinthecategory.

• Consideraddingethics,privacy,non-repudiationandhuman-factors/people-orientedideas.

SummaryCommentsontheThoughtModel

Generalfeedbackonthethoughtmodelprovidedadditionalinsightforthedevelopmentprocess.Summarycommentsinclude:

• Clarifytheintendedaudienceofthecurricularvolume.• Clarifythedefinitionsanddistinguishbetweentheelements.• Provideadditionalinformationonthecontentofeachofthecategories.

• Simplifythemodel.• Providealogicalplacementforemergingtopics.

Thisreportprovidesanoverviewofthefeedbackreceivedfromthestakeholdersurveyonthedevelopmentofthefirstsetofglobalcybersecuritycurricularguidelines.TheJointTaskForcecontinuestoreviewandincorporatethedetailedfeedbackintothedevelopmentprocess.

ThefirstdraftoftheCybersecurityCurricularVolumewillbereleasedtothepublicinlate2016.Communityengagementopportunitieswillbecontinuouslyupdatedonthecsec2017.orgwebsiteandcommunitymembersarewelcometoprovidespecificfeedbacktotheJTFviathatwebsiteatanytime.

TheJointTaskForcewillholdaSpecialSessionattheACMSIGCSEMeeting,March8-11,2017inSeattle,WashingtonUSAtodiscussthedraftdocument.Detailsonthespecifictimeandlocationofthespecialsessionareforthcoming.Pleaseplantoattend.

ACM Joint Task Force to Develop Global Cybersecurity ... · model. Stakeholders were invited to...

Documents

Invitations to Mathematics - CEMCcemc.math.uwaterloo.ca/resources/invitations-to-math/Patterns... · Invitations to Mathematics Investigations in Patterns and Algebra “What’s

Party Invitations - Hammermill...Paper for Life. ® Party Invitations Creatively Designed Party Invitations These templates include birthday invitations and designs that you can use

Cinderella Invitations Fill in the invitations, then print ... · Cinderella Invitations Fill in the invitations, then print and cut them out. Send them in A7-sized envelopes and

Invitations to Bid

Invitations to Mathematics - CEMCcemc.math.uwaterloo.ca/.../invitations-to-math/Geometry-Grade5.pdf · Invitations to Mathematics Investigations in Geometry: “We’re in Great Shape”

Enigma Invitations

Invitations to Mathematics - CEMCcemc.math.uwaterloo.ca/.../invitations-to-math/NumberSense-Grade5.pdf · Invitations to Mathematics ... • explore the Dewey Decimal system used

ACM 05 ACM 06 ACM 07 ACM 08 New Document Number ACM 003 ACM 004 ACM 005 ACM 006 ACM 007 ACM 008 3.5. Updated List of Cosmetic Accredited Laboratories The list of accredited testing

APO Invitations

Alan's Invitations Wedding Invitations Fall 2010

Invitations to Mathematics - cemc.math.uwaterloo.cacemc.math.uwaterloo.ca/resources/invitations-to-math/Geometry... · Invitations to Mathematics Investigations in Geometry: “Net

Wedding Invitations Ideas - Personalized Your Wedding & Engagement Invitations

7Y invitations

Invitations to Mathematics - CEMCcemc.math.uwaterloo.ca/resources/invitations-to-math/Probability... · Invitations to Mathematics ... Page 4 Overview Grade 6: Probability in Action

Les invitations invitations

Pocketfold wedding invitations

kkg invitations

Medieval invitations

Three Invitations Luke 14:16-24 Three Invitations “Come to me”

Iran Invitations