
Cybersecurity Education in Universities: Fred B. Schneider

From the Editors

Cybersecurity Education in Universities

Fred B. Schneider, Associate Editor in Chief

1540-7993/13/$31.00 © 2013 IEEE | Copublished by the IEEE Computer and Reliability Societies | July/August 2013

An educated workforce is essential to building trustworthy systems. Yet, issues about what should be taught and how are being ignored by many of the university faculty who teach cybersecurity courses—a problematic situation.

Absent an accepted authority on cybersecurity education at the university level, it is difficult for faculty to affect cybersecurity education beyond their home institutions. For sure, professional societies (such as ACM and IEEE) are concerned with defining university curriculum, but they are not accepted by faculty members as being authorities on cybersecurity curriculum, in part, because top technical researchers are typically not involved in the discussions. Curriculum development suffers without input from the full spectrum of faculty members—the absence of leading technical thinkers means that topics needed to prepare students for adopting new trends and directions are unlikely to be incorporated into a curriculum. The curriculum also suffers when we ignore people from industry and government, who have experience with real systems, users, and attackers; and their input is largely absent from these university curriculum initiatives, too.

Several conferences and workshops do have cybersecurity education as their focus, so you might hope that they could serve as an organizing authority. The representation at these meetings, however, is light on practitioners from industry and government, and it is also largely disjoint from the attendees at our leading technical conferences. We could eliminate this disconnect by coalescing several of our conferences into a single community-wide annual meeting. A conference with such a wide view of cybersecurity also would help overcome today’s trend of creating specialized workshops and conferences that, unfortunately, is further fracturing the research community and impeding discussion about broader matters, like curriculum.

Another impediment to cybersecurity curriculum development is that research universities do not place a high value on pedagogy when it comes to making tenure and promotion decisions or dispensing other rewards to faculty. Consequently, cybersecurity researchers are not incentivized to write textbooks or survey articles, even though this activity is a form of research because it leads to discovery of new categorizations and unification of ideas. The Saltzer-Schroeder article had an enormous impact on the field by offering a set of generalizations rather than specific technical solutions.[1] We need to incentivize researchers to undertake this kind of thinking and writing—something that requires a change in values.

Even if university teaching were informed by surveys and textbooks by top researchers, there is a debate about what should be taught to future software developers (and, for that matter, to future researchers). Some see the role of university cybersecurity courses as teaching adversarial thinking, so that system builders can view system designs through the same lens attackers do. Others believe these courses should focus on principles and abstractions that bring discipline to the art of building secure systems. Courses in which adversarial thinking is central are quite different from those organized around principles and abstractions.

Case studies are prevalent in cybersecurity courses that teach adversarial thinking. Students are taught about specific attacks, which often requires spending time on idiosyncratic implementation details (though attack taxonomies exist and might also be covered). Some students are able to generalize from this material, and they develop an intuition for identifying assumptions that can be violated to achieve some goal—the essence of any attack. Other students, who don’t make the leap from specific attacks to adversarial thinking, are not well served. George Santayana’s thinking (“Those who cannot remember the past are condemned to repeat it”) ignores the reality that fundamentally new kinds of attacks are constantly developed and fielded, so only knowing about (and defending against) known attacks is insufficient. Finally, as with most things, expertise in disassembling some class of artifacts does not imply facility with building new artifacts from scratch.

A class organized around cybersecurity abstractions and principles might well employ case studies of extant systems, but mastery in using the abstractions and principles comes only from the design and implementation of new systems. Evaluating those new systems, however, requires facility with adversarial thinking. You might argue that a student could learn adversarial thinking from studying cybersecurity abstractions and principles, because these ideas concern defenses against attacks. That would suggest organizing our cybersecurity courses around abstractions and principles.

Note that the relationship and—in some cases—tension between synthesis and analysis of cybersecurity also is present when teaching students about safety-critical systems, where starting off from abstract properties can miss important details (such as sources of harm and opportunities for mitigation) but relying on specific hazards risks overlooking other hazards and makes for a weak safety case. Yet, there is little of the same tension visible when teaching about national security or military engagements; somehow, these more-mature subjects succeed in combining the two views. Adversarial thinking can be seen as the very essence of game theory. In it, actions by each player are completely specified; for cybersecurity and safety-critical systems, identifying possible player actions is part of the central challenge.

Can adversarial thinking for cybersecurity even be taught, or is it an innate skill that only some can develop? The answer, which is neither known nor aggressively being sought by those who study cybersecurity education, seems central to the development of an effective cybersecurity course. In the meantime, debate about how best to teach cybersecurity is limited to recounting anecdotes about our collective classroom experiences. Generalization from anecdotes is a risky business.

The evolution of a university-level cybersecurity curriculum is being stunted by the culture and values in universities as well as by our ignorance. Change is needed on all of these fronts. The failure of faculty to take action leaves a door open to others who will. And those outsiders are waiting—not only does the private sector offer cybersecurity training that could easily encroach, but governments (such as the US National Initiative for Cybersecurity Careers and Studies; www.niccs.us-cert.gov) show a growing interest in cybersecurity education at all levels.

Reference

1. J.H. Saltzer and M.D. Schroeder, “The Protection of Information in Computer Systems,” Proc. IEEE, vol. 63, no. 9, 1975, pp. 1278–1308.

Selected CS articles and columns are also available for free at http://ComputingNow.computer.org.

IEEE Security & Privacy, July/August 2013
