How To Train On Information Security


Stimulating Software Security Education at Community Colleges Through Training Workshops

Akbar Siami Namin, Computer Science Department, Texas Tech University, Lubbock, TX, USA
Fethi A. Inan, College of Education, Texas Tech University, Lubbock, TX, USA
Rattikorn Hewett, Computer Science Department, Texas Tech University, Lubbock, TX, USA

Abstract

We report our experience with training instructors and faculty scholars from two- and four-year colleges in software and information security related areas. The purpose of offering the workshop was to provide training for faculty and instructors who had less opportunity to learn about the state of the art in software and information security research and education. The one-week training in software security exposed the faculty and instructors to various aspects of cyber security research and practice. The workshop organizers collected a rich set of data, such as training session logs, questionnaires, interviews, and knowledge acquired, for the purpose of conducting quantitative and qualitative analyses. We report the structure and theme of the training sessions on software and information security, the delivery methodology, and the feedback received from the faculty and instructors who participated in the training sessions.

Keywords: Cybersecurity; faculty development; training workshop

I. INTRODUCTION

It is reported that the United States needs to produce far more IT graduates, and in particular students with Information Assurance (IA) capabilities [1]. Hoffman et al. [2] note that maintaining and protecting software systems and sensitive data require a proper and systematic education in information warfare. Not only educational institutions but also corporations must adopt the best practices and integrate cybersecurity practices and exercises into their curricula, organizations and workflows. A survey published by the Information Security Magazine reports that U.S. colleges and universities are ranked among the most poorly protected against cyber-attacks. Information assurance related areas such as operating system, information and data, network and Internet security are among the most important topics in security education [3]. In addition to these areas, we also need to include application and software security as an integral part of these predominant and important concepts.

The need for cyber security professionals in all aspects of education and business, as well as homeland security and warfare, demonstrates a clear demand for the effective development of education and training programs intended to produce a high-quality and well-prepared workforce capable of protecting critical infrastructure. Raising awareness of cyber crime and teaching prevention techniques against potential cyber-attacks are important to national defense and homeland security. The U.S. economic infrastructure, such as power and water plants, depends heavily on computing systems such as SCADA (Supervisory Control And Data Acquisition). SCADA-based smart grids are vulnerable to many threats and are potential targets for attackers. The importance of securing computer networks motivates this project, whose target is preparing the future workforce needed for protecting the U.S. critical infrastructure against malicious eavesdroppers. For instance, network intrusion attempts occur approximately 250,000 times per hour, i.e. 6 million times per day, according to the U.S. Government and Department of Defense [4]. In particular, financial transactions and payment card data are highly vulnerable to cyber-attacks [5]. According to CWE/SANS and OWASP (Open Web Application Security Project), SQL injection (a top 10 web application vulnerability) and OS code injection, i.e. the insertion of a SQL query or OS command via the input data from the client to the application, are among the top 25 most dangerous software errors that can lead to serious vulnerabilities in software. The objective of training the software related workforce is to build more secure software systems and thus prevent adversaries from obtaining or tampering with critical data.

The preparation of future cyber security professionals and workforce primarily depends on the availability of cybersecurity instructional courses as well as certifications and degree programs offered by higher education institutions. However, insufficient professional development specifically designed for faculty and instructors, who can create, develop, and integrate recent advancements of cybersecurity curriculum with hands-on experience, has been an escalating concern. Along with technological advances, cybersecurity is experiencing an explosion in growth with new and more complex threats, techniques, and applications. In order to achieve effective cybersecurity programs, instructors should be exposed to recent advancements and the latest technology, and gain the skills and confidence to effectively design and implement cybersecurity instructional lessons and course modules. Instructors who are well prepared for cybersecurity education are more likely to engage in security related teaching practices than those who are less exposed to these kinds of activities.

We report our experience with designing, recruiting for, and implementing training workshops on software and information security for the faculty scholars and instructors who teach at two- and four-year colleges across the southwest region of the United States. More specifically, we report our observations regarding the satisfaction level that the workshop participants reported. The paper provides an extensive investigation and assessment of the overall effectiveness of the software security training program on participating faculty's learning, knowledge, satisfaction, and confidence. Throughout this paper, we refer to the faculty scholars and instructors who participated in our workshop as participants.

In addition to stimulating and promoting cyber security research and education through training workshops, we are also interested in learning about the impact, effectiveness, and the knowledge the participants gained through traditional training workshops. In other words, we are interested in understanding the learning outcomes and impact of the workshop and whether traditional training through workshops can address the nationwide need for security experts. There were several questions that motivated us to pursue the idea of offering training workshops:

- What were the learning outcomes for participating faculty after attending the training workshop on software and information security?
- Did participants gain more knowledge as the result of the training?
- Were the participants satisfied with the delivery methods and contents presented?
- Did the participants feel that they were competent enough to design and offer similar courses in software and information security in their home departments and institutions?

The paper is structured as follows: The importance of teaching security related concepts is emphasized in Section II. The experience with curriculum design is discussed in Section III. Section IV reviews the experiences and education challenges with two- and four-year colleges. We sketch the goals of the training workshop in Section V. The methodology employed for implementing the training workshop is presented in Section VI. Section VII reports the evaluation of the project. The valuable lessons learned through offering the training workshop are listed in Section VIII. Section IX concludes this paper.

II. SOFTWARE SECURITY EDUCATION

Educational institutes have critical and key roles in supplying the needed workforce for the nation's needs. The digital world, in which we all live, needs reliable technologies to facilitate daily business. It is important that the educational institutes take into account the paradigmatic shift that moves the existing emphasis from students as customers to society as customers, and thus feel more responsible for addressing the need for highly prepared security experts.

Taylor et al. [6] argue that computer security and its education are often overlooked in undergraduate degree programs. Educators commonly agree that undergraduate students must be engaged in security related areas earlier in their programs, in courses such as CS0 and CS1. Frazier et al. [7] propose designing and integrating security modules at both undergraduate and graduate levels and integrating software safety systems into the Computer Science program. More specifically, Frazier et al. suggest incorporating operating system security, software security testing, code review, risk and threat analysis, and database security into CS programs, where the course module includes lecture materials, in-class demonstrations, as well as hands-on assignments.

Taylor et al. [8] review the previous recommendations regarding the security concepts covered in Computer Science education, and highlight the significance and key role of proper and realistic tests and hands-on experience when teaching secure coding and programming. They [8] address the four myths widely discussed and argued when teaching secure programming and coding practices: There is no room in the curriculum for a course in secure programming. The students taking more advanced classes often focus on class materials and not on the programming styles. There is a gap between theory and what is being taught in classrooms and practices. If students learn how to write secure programs, the state of software and system security will dramatically improve. Academic institutions are hierarchical educationally. The teaching strategies and ideas are being developed in different ways. However, it is important to remember there may exist no best way. We know what to do and how to do it. However, often instructors do not know how to teach secure programming.

The Summit on Education in Secure Software, jointly sponsored by the National Science Foundation and Education and Human Resources (EHR), aims at developing a comprehensive agenda focusing on the formidable challenges of secure software education [9]. To meet the goals, the summit has three major objectives: to take into account the ideas and opinions of all cyber security stakeholders from academia, government, industry, certification and training institutions on teaching secure programming; to implement the ideas and opinions discussed by the cybersecurity stakeholders to create or improve existing teaching methods; to outline and observe the quality of education and to enable it to reach a broader audience, and shape an inclusive agenda for secure software education that has objectives for dissimilar viewers, teaching methods, resources needed, and problems that are predicted to arise.

Despite their important role, security concepts are less discussed in most Computer Science and Software Engineering textbooks, often written briefly and primarily for the undergraduate level. It is crucial to include fundamental security concepts and techniques early in the undergraduate program and more specifically in software engineering courses [10].

III. DEVELOPING AND INTEGRATING CYBERSECURITY CURRICULUM

Curriculum and course development is a practice to understand and address the student needs through designing course modules and assessing the learning outcomes.
According to Conklin [11], a typical set of information security courses includes security principles, cryptography, digital forensics, network security, application security, e-commerce security, policy and law, authentication and biometrics, and intrusion detection. Consistent with Conklin, Davis and Dark describe the common body of knowledge for computer security curricula, in which four focus areas are identified: cryptography, secure computing systems, network security, and management [12]. Research on cybersecurity education shows that the current practice of cybersecurity education is unsatisfactory and needs substantial improvement to meet the required standards [13], [14], [15], [16], [17], [18], [19]. As a step towards improving security education, Taylor and Azadegan propose using security checklists and scorecards in teaching students to develop secure code [20]. Furthermore, Taylor and Azadegan [21] present a platform for a security-across-the-curriculum effort and integrating security curriculum into the core courses.

Fig. 1. Gender distribution and career status of the participants attending the training workshop. (a) Gender distribution. (b) Career status.

IV. EXPERIENCES WITH TWO- AND FOUR-YEAR INSTITUTIONS

Perez et al. [22] investigated two- and four-year institutions and observed that the challenges known to the research-intensive educational institutions in teaching security related courses were common to these teaching institutes. Associate degree programs in information assurance, usually offered by community and technical colleges, play a key role in educating IA technicians, practitioners, and professionals in the United States. Perez et al. further claim that the large variation in the type of degree programs at community and colleges is primarily due to two factors: a) the absence of a set of curricular guidelines around which institutions can build their programs, and b) the lack of a clear understanding of the needs of the employers of the graduates of these programs. Perez et al. further suggest that developing closer and more functional relationships is needed to make progress on the articulation challenges.

As a project supported by the National Science Foundation, the ACM committee for Computing Educational Community Colleges ( has conducted the strategic summit on the Computing Education Challenges at Community Colleges and observed that active collaborations, which are required among the various sectors of education including two- and four-year colleges and universities, were often missing. Moreover, the unique characteristics of computing education in community colleges required approaches and solutions specifically tailored to address their needs [23].

V. GOALS OF THE CYBER SECURITY TRAINING WORKSHOP

The training workshops aim at building a capacity for cyber security and thus introducing an educational model to be adopted by other geographical regions and academic institutions. The grant goals of this workshop are three-fold:

1) Offer a summer professional development workshop on security related areas, with a focus on software and information security, for community college instructors, and further assist them in developing and enhancing their own security-related course modules and curricula;
2) Design a series of follow-up activities for the participating community college instructors and mentor them with the objective of transferring the knowledge they have acquired through the training sessions to their home departments;
3) Evaluate the proposed project to assess its impact on capacity building of cybersecurity professionals across the southwest region, and assess its applicability to similar faculty development programs, with the intention of introducing it as an education model to build a capacity of software and information security scholars.

This two-year faculty development project aims to increase the number of higher education instructors who can design, develop, and teach courses pertinent to software and information security related areas. The workshop also provides opportunities for faculty to update and learn various themes related to cybersecurity issues.

VI. SOFTWARE SECURITY TRAINING WORKSHOP

We report the workshop and session structure, recruitment procedure, delivery methods, and data collection methodology.

A. Recruitment and Participants

The workshop organizers identified over 50 community colleges along with the two- and four-year universities located across the southwest region of the United States. The faculty members and instructors from these institutions were directly contacted and invited to apply to attend the training workshop. In the end, 27 faculty and instructors filled out the online application form and applied for the training workshop.

The applicants had very diverse backgrounds. Figure 1(a) shows the gender distribution of the applicants. Figure 1(b) shows the applicants' appointments and career status at their home institutes. The applicants were part-/full-time instructors, with the majority holding professorship positions at their home institutes. The bar chart in Figure 2(a) shows the ethnic background of the applicants, with the majority being white. Furthermore, the bar chart in Figure 2(b) illustrates the highest degrees the applicants' institutions offer. The workshop organizers selected 16 applicants for the final program. The selection criteria were developed and designed in accordance with the primary goal of the workshop in promoting software and information security education across the southwest region.

B. Training Sessions and Delivery Format

The one-week workshop was organized into themes and sessions related to software and information security. Each topic was organized into four sessions. The topics and sessions were delivered by faculty with expertise in Computer Science and Electrical Engineering. Each theme concluded with a class activity in which the participants developed a course syllabus and an application plan, with the intention of integrating the topics and course modules presented in each theme into their own curriculum at their home institute. Tables I and II list the topics that were presented in the software security and information security training themes.

C. Data Collection

At the beginning of the workshop, an information session was delivered. The participants who were willing to participate in the questionnaires were asked to enter a pseudonym when completing surveys and forms for the pre/post evaluation instruments. To gather participants' knowledge and skill level of curriculum development related to software security courses, a pre-test survey was administered at the beginning of each theme.
In the survey, participants were requested to provide a self-report indicating their prior knowledge in software and information security using a 5-point scale for various course modules. Similarly, the project investigators and trainers collected participants' knowledge and skill level of curriculum development related to software security courses and topics at the end of the theme and assessed the overall satisfaction/evaluation of the whole theme. An application plan was also distributed among the participants to indicate whether they had any intention or plan to transfer the knowledge gained through the workshop to their home institutions.

TABLE I. TRAINING SESSIONS FOR SOFTWARE SECURITY THEME.

Session One: Basic Concepts
1. The Root and Cost of Software Failure
2. Characteristics of Good Requirements (e.g. Security Requirements)
3. Characteristics of Secure Software
4. Secure Software Development Life Cycle: Phase I. Security guidelines, rules, and regulations; Phase II. Security requirements; Phase III. Architectural and design reviews/threats modeling; Phase VI. Secure coding; Phase V. Black/white box testing; Phase IV. Determine exploitability
5. Hands-on Experience and Case Studies on Vulnerabilities (e.g. Buffer Overflow Attacks, SQL Injection Attacks, Cross-Site Scripting, Cookie Tampering, etc.)

Session Two: Advanced Topics
1. Secure and Resilient Software Development (Attack pattern and Surface, Software security practice, System Design and Threats Categorizations and Ranking)
2. Security Testing basic processes and steps
3. Security testing vs. traditional software testing
4. Static Analysis (Bug findings, Style Checking, Type Checking, Security Vulnerability)
5. Application Security Principles and Practices (use positive security models, fail security, run with least privilege, keep security simple, detect intrusions, security test infrastructure, security test services, establish secure default)
6. Misuse and attack use case modeling
7. Threats and Risk modeling
8. Security design patterns

Session Three: Research Trends
1. Risk-based Software Security
2. Metrics and Models for Security Maturity
3. Vulnerability management
4. Environment hardening
5. SAMM: Software Assurance Maturity Model
6. Building Security in Maturity Model (BSIMM)
7. BSI Software Security Framework
8. Penetration Testing
9. Web Applications and Session Attacks
10. Security engineering
11. Attack Graphs
12. Model-based Risk Quantification (Risk quantification, Estimated Exposure Degrees, Component Dependency Graph, Estimated Component Vulnerability, Likelihood Estimate, Severity Analysis)

TABLE II. TRAINING SESSIONS FOR INFORMATION AND DATA SECURITY THEME.

Session One: Basic Concepts
1. Basic Network Security
2. Basic Cryptography
3. Conventional Cryptography
4. Cryptography - Type of Attacks
5. Shift Cipher
6. Substitution Cipher
7. Permutation Cipher
8. Hill Cipher

Session Two: Advanced Topic I
1. Stream Cipher
2. Autokey Cipher
3. Data Encryption Standard (DES)
4. DES Modes and Triple DES
5. Advanced Encryption Standard (AES)

Session Three: Advanced Topics II
1. Public Key Infrastructure (PKI)
2. Hash Functions
3. MD5 and SHA Hash Functions
4. Information Authentication - Digital Signature
5. Message Authentication Code
6. Key Distributions and Exchange

VII. EVALUATION

An education expert, the second author of this paper, designed and conducted the evaluation procedure of the workshop. The chief purpose of the evaluation was to assess whether traditional training workshops were effective in stimulating the participants' interest in designing security related courses at their home institutes.

A. The Evaluation Purpose and

During the training workshop, the participants were requested to complete an anonymous survey and take part in one-to-one interviews with the project evaluator regarding their experience with the program. The major goal of the evaluation was to determine the degree of effectiveness of the traditional training workshop as well as the participants' satisfaction. The project's impact on participants' learning outcomes was also of salient interest. The workshop evaluation was structured around the following major questions:

1) How has the workshop influenced the participants' learning outcomes?
2) Do the participants know more about software and information security as a result of the training workshop?
3) Are the participants more confident in their security knowledge after the workshop?
4) How significant is the impact of the training workshop on the participants' interest?

Fig. 2. The highest degree and ethnical background of the workshop applicants. (a) Ethnics. (b) Highest degree.

B. Pre/Post Sample Tests

Tables III and IV list the set of questions that were asked of the participants at the beginning and end of the training sessions. Our data showed that the participants performed 50% better on the post-test questions after attending the training sessions.

C. Data Collection Instruments

The workshop organizers utilized a variety of data collection instruments and strategies (e.g. session logs, questionnaires, interviews, pre/post tests) in order to collect quantitative and qualitative data. The assessment metrics developed were as follows:

- Knowledge, a 5-point Likert scaling metric to record the participants' prior and post knowledge related to the materials presented in each session.
- Confidence, a 5-point scaling metric to measure the participants' confidence in designing, developing, and offering similar software security courses at their home institutes.
- Workshop Impact, a 3-point scaling metric to assess the participants' opinion about the project's impact on their interests, knowledge, and confidence with security related topics.

In addition to questionnaires, a series of one-to-one interviews was also conducted to gain better insight into the participants' reflections and experiences with the training workshop.

TABLE III. PRE AND POST TESTS FOR SOFTWARE SECURITY THEME (Pre-Test, Post-Test).

How does software fail? What is vulnerability? Give a short description of Confidentiality, Integrity, and Availability. Describe functional and non-functional requirements. List five examples of non-functional requirements. What is a misuse use case? What is Secure Development Life Cycle (SDLC)? What is a threat model? What is security design review? List five cyber threats. How do vulnerabilities get into all software? What are design and implementation vulnerabilities? List three security features that should be implemented when designing a banking system. Give a short description of how threats are ranked. What is attack surface? Give a short description of Physical Security, Network Security, Host Security, and Data Security. What is user positive security model? What is the elevated privilege attack? List five security practices that need to be considered when designing software. List two design phase recommendations for addressing the security of software. What is an attack use case? What is penetration testing? How do vulnerabilities get into all software? What are design and implementation vulnerabilities? What could affect the size of attack surface? What is risk-based security testing?

TABLE IV. PRE AND POST TESTS FOR INFORMATION AND DATA SECURITY THEME (Pre-Test, Post-Test).

What is buffer overrun? What are cookies and what is cookie tampering? What is integer overflow? What is SQL injection attack? What is symmetric key? Describe Caesar cipher. What is block cipher? What is cross-site scripting attack? What is input validation? What is session attack? Give a short description of integrity and availability. What is Public Key Infrastructure (PKI)? What is stream cipher? What is the use of one-way hash functions in cryptography?

D. Project Impact on Participant Outcomes

We report the project impact based on the assessment metrics we developed.

TABLE V. KNOWLEDGE GAINED: PAIRED t-TEST RESULTS WITH 16 PARTICIPANTS (N=16).
Columns: Theme; Pre-Workshop (Mean, SD); Post-Workshop (Mean, SD); t Value; p Value; Effect Size.
Rows: Information and Data Security; Software Security; Average.

Knowledge Gained. The pre/post-test scores and the results of the survey were used to assess whether the participants gained any additional knowledge through attending the training sessions. Applying paired statistical t-tests, we observed that the security knowledge of the participants was significantly improved after attending the workshop. Table V lists the results of the paired t-tests. Furthermore, a follow-up examination indicated that participants' knowledge gains were significant. Effect sizes were high, i.e. 0.81, showing that the significant differences were meaningful.

Confidence Improvement. The significance of confidence improvement was analyzed by comparing the participants' pre/post confidence scores. The results of the paired statistical t-tests indicated that participants' confidence increased significantly after attending the training workshop. Table VI reports the confidence level of the participants before and after attending the training workshop. As Table VI indicates, the effect sizes are high, ranging from 0.69 to 0.82, indicating that the differences were significant and meaningful.

The Project Impact. The overall effectiveness of the training workshop was assessed by the three measurements that asked participants to rate the workshop's impact on their interest. Table VII reports the participants' opinion regarding the workshop's impact on their knowledge. The results showed that about two-thirds of the participants strongly agreed the workshop made a significant impact on their knowledge, confidence, and interests.

VIII. LESSONS LEARNED

The evaluation data indicated that the training workshop stimulated the participants' knowledge, confidence, and interest pertinent to software and information security.
While conducting surveys and questionnaires we learned that the training workshop could be further improved in order to address its goals better.

A. Peer-to-Peer Interaction

The participants expressed their satisfaction regarding meeting peers and building a network and community of scholars who share common interests. Many of the participants have already started contacting their peers for the purpose of collaboration and sharing experiences. The participants showed their interest in learning more about their peers and their experiences in a more formal approach. Designing and implementing relevant activities for formal peer interaction and networking before, during, and after the workshop, where the participants can share their experiences, would promote better networking, collaboration, and participant satisfaction.

B. Building A Learning Community

While the training workshop offered an opportunity for the participants to interact directly with their peers, continuous interaction and its sustainability were also a salient factor. Building a learning community where participants could establish connections and/or enhance already existing collaborations is crucial for successful implementation of the workshop and its goals. A well designed online platform would allow participants to build a community of practitioners and scholars and a place for exchanging ideas, products, course modules, and lesson examples.

C. Tailoring Contents to Participants' Needs

Although the evaluation data demonstrated the participants' satisfaction with the course materials presented in each session, the participants showed more interest in some course modules than in others. For instance, the course module on cryptography was very exciting for some participants but not very interesting for others. Some participants even expressed their concerns and frustration with the difficulty level of the content and materials presented in the training sessions.
With respect to the feedback the workshop organizers received, it seems it would be better to conduct a preliminary assessment and gather information about the participants' interest in each related topic, so that the workshop and its content could be tailored to the participants' needs and thus improve the relevance and usefulness of the workshop.

IX. CONCLUSION

The results suggest that the cybersecurity, and in particular software security, training program promoted participating faculty's knowledge, confidence, and interest in a positive direction. However, several strategies can be integrated in future training offerings to improve participants' learning and their future activities to engage in the design, development and implementation of software security courses and programs. Nonetheless, the training workshop demonstrated that it is possible to support current software security education programs at the community college level to produce both immediate graduates to fill ever-increasing vacancies, and future student cadres for higher education programs that develop administrators and scientists in the field.

ACKNOWLEDGMENT

This project has been supported by National Science Foundation under grant award DUE-SFS to Texas Tech University.

TABLE VI. CONFIDENCE LEVEL: PAIRED t-TEST WITH 16 PARTICIPANTS (N=16).
Columns: Description; Pre-Workshop (Mean, SD); Post-Workshop (Mean, SD); t Value; p Value; Effect Size.
Rows:
- I feel confident that I can successfully teach a cybersecurity course
- I feel confident that I can create curriculum materials for a cybersecurity course
- I feel confident that I can apply the information presented in the workshop to my teaching; NA
- I feel confident that I have the necessary knowledge and skills to design a new cybersecurity course
- I feel confident that I can help students when they have difficulty with cybersecurity related topics
- Average

TABLE VII. WORKSHOP IMPACT ON PARTICIPANTS' INTERESTS, KNOWLEDGE, AND CONFIDENCE.
Columns: Strongly Disagree; Disagree; Neutral; Agree; Strongly Agree.
Rows:
- I am more interested to teach cybersecurity as a result of the training
- I am more confident in my cybersecurity knowledge as a result of the training
- I know more about cybersecurity as a result of the training

REFERENCES

[1] C. Nickell, L. C. Pérez, B. Oldfield, J. B. A. Gencer, E. Hawthorne, K. Klee, and A. L. S. Wetzel, "Towards information assurance (IA) curricular guidelines," in Proceedings of the 2010 ITiCSE working group reports, 2010.
[2] L. J. Hoffman, T. Rosenberg, R. Dodge, and D. Ragsdale, "Exploring a national cybersecurity exercise for universities," IEEE Security and Privacy, vol. 3, no. 5, pp.
[3] M. Dark, "A profile of information security training needs on university campuses," in EduCause Mid-Atlantic Regional Conference Proceedings, Baltimore, MD, 2001, pp.
[4] United States Computer Emergency Readiness Team (US-CERT), August.
[5] Global security statistics and trends (trustware).
[6] B. Taylor, H. Hochheiser, S. Azadegan, and M. O'Leary, "Cross-site security integration: Preliminary experiences across curricula and institutions," in Proceedings of the 13th Colloquium for Information Systems Security Education, Seattle, WA, June.
[7] A. Frazier, X. Yuan, Y. Li, and S. Hudson, "Course modules for software security," in Proceedings of the 12th Colloquium for Information Systems Security Education.
[8] B. Taylor, M. Bishop, E. Hawthorne, and K. Nance, "Teaching secure coding: The myths and the realities," in Proceeding of the 44th ACM Technical Symposium on Computer Science Education, ser. SIGCSE '13. New York, NY, USA: ACM, 2013, pp.
[9] D. L. Burley and M. Bishop, "Summit on education in secure software," The George Washington University and University of California, Davis, Tech. Rep. GW-CSPRI and UCD-CSE.
[10] A. Wang, "Security testing in software engineering courses," in 34th Annual Frontiers in Education, October.
[11] W. Conklin, "The design of an information security practicum course," in Proceedings of the 2007 International Academy for Information Management (SIGED pre-ICIS), Montreal, Canada, December.
[12] M. Dark and J. Davis, "Defining a curriculum framework in information assurance and security," in Proceedings of the 2003 American Society for Engineering Education Annual Conference and Exposition, Nashville, TN, 2003, pp.
[13] S. Cooper, C. Nickell, L. C. Pérez, B. Oldfield, J. Brynielsson, A. G. Gökce, E. K. Hawthorne, K. J. Klee, A. Lawrence, and S. Wetzel, "Towards information assurance (IA) curricular guidelines," in Proceedings of the 2010 ITiCSE working group reports, ser. ITiCSE-WGR '10. New York, NY, USA: ACM, 2010, pp.
[14] B. Taylor, S. Kaza, S. Azadegan, M. O'Leary, and C. Turner, "Injecting security in the curriculum: experiences in effective dissemination and assessment design," in Proceedings of the 14th Colloquium for Information Systems Security Education, Baltimore, MD.
[15] M. Dark and M. Bishop, "Evaluating the efficacy of software security curriculum exercises," in Faculty Workshop on Secure Software Development, Orlando, FL.
[16] M. Dark and J. Davis, "Report on information assurance curriculum development," in Colloquium for Information Systems Security Education Proceedings, Redmond, WA, 2002, pp.
[17] J. Ekstrom, M. Dark, and B. Lunt, "Implementation of information assurance and security in existing IT curricula," in Proceedings of the American Society for Engineering Education, Chicago, IL, 2006, pp.
[18] B. Bogolea and K. Wijekumar, "Information security curriculum creation: a case study," in Proceedings of the 1st annual conference on Information security curriculum development, ser. InfoSecCD '04. New York, NY, USA: ACM, 2004, pp.
[19] M. Dark, J. Ekstrom, and B. Lund, "Integration of information assurance and security into the IT2005 model curriculum," in Proceedings of the ACM SIGITE 2005 Conference, Newark, NJ, 2005, pp.
[20] B. Taylor and S. Azadegan, "Using security checklists and scorecards in CS curriculum," in Proceedings of the 11th Colloquium for Information Systems Security Education, Boston, Massachusetts, June.
[21] B. Taylor and S. Azadegan, "Threading secure coding principles and risk analysis into the undergraduate computer science and information systems curriculum," in Proceedings of the 3rd annual conference on Information security curriculum development, ser. InfoSecCD '06. New York, NY, USA: ACM, 2006, pp.
[22] L. C. Pérez, S. Cooper, E. K. Hawthorne, S. Wetzel, J. Brynielsson, A. G. Gökce, J. Impagliazzo, Y. Khmelevsky, K. Klee, M. Leary, A. Philips, N. Pohlmann, B. Taylor, and S. Upadhyaya, "Information assurance education in two- and four-year institutions," in Proceedings of the 16th annual conference reports on Innovation and technology in computer science education - working group reports, ser. ITiCSE-WGR '11. New York, NY, USA: ACM, 2011, pp.
[23] E. K. Hawthorne, K. J. Klee, and R. D. Campbell, "Findings from an ACM strategic summit on computing education in community colleges," in ITiCSE, 2011, p. 373.

Welcome to the Summer Workshop on Cybersecurity for Faculty of Community Colleges in Texas The Program

Welcome to the Summer Workshop on Cybersecurity for Faculty of Community Colleges in Texas The Program Welcome to the Summer Workshop on Cybersecurity for Faculty of Community Colleges in Texas The Program July 14-18, 2014 Computer Science Department Texas Tech University Welcome To Texas Tech University

More information

DESIGNING WEB LABS FOR TEACHING SECURITY CONCEPTS ABSTRACT

DESIGNING WEB LABS FOR TEACHING SECURITY CONCEPTS ABSTRACT DESIGNING WEB LABS FOR TEACHING SECURITY CONCEPTS ABSTRACT Security education is critical in today s cyber threat environment. Many schools have investigated different approaches to teaching fundamental

More information

Developing an Undergraduate Information Systems Security Track

Developing an Undergraduate Information Systems Security Track Developing an Undergraduate Information Systems Security Track Aditya Sharma asharma@nccu.edu Marianne C. Murphy mmurphy@nccu.edu Mark A. Rosso mrosso@nccu.edu Donna Grant grantd@nccu.edu Computer Information

More information

CESG Certification of Cyber Security Training Courses

CESG Certification of Cyber Security Training Courses CESG Certification of Cyber Security Training Courses Supporting Assessment Criteria for the CESG Certified Training (CCT) Scheme Portions of this work are copyright The Institute of Information Security

More information

Protect Your Organization With the Certification That Maps to a Master s-level Education in Software Assurance

Protect Your Organization With the Certification That Maps to a Master s-level Education in Software Assurance Protect Your Organization With the Certification That Maps to a Master s-level Education in Software Assurance Sponsored by the U.S. Department of Homeland Security (DHS), the Software Engineering Institute

More information

Cybersecurity Educational Standards

Cybersecurity Educational Standards Cybersecurity Educational Standards Stephen Cooper, Stanford University Elizabeth Hawthorne, Union County College Lance C. Pérez, University of Nebraska - Lincoln Susanne Wetzel, Stevens Institute of Technology

More information

An Information Assurance and Security Curriculum Implementation

An Information Assurance and Security Curriculum Implementation Issues in Informing Science and Information Technology Volume 3, 2006 An Information Assurance and Security Curriculum Implementation Samuel P. Liles and Reza Kamali Purdue University Calumet, Hammond,

More information

Development of an Interdisciplinary Information Technology Auditing Program

Development of an Interdisciplinary Information Technology Auditing Program Development of an Interdisciplinary Information Technology Auditing Program Chienting Lin, Li-Chiou Chen, Pace University Abstract This paper provided an example for the development of an interdisciplinary

More information

Sponsored by National Science Foundation

Sponsored by National Science Foundation P a g e 1 The 1 st Cyber Security Workshop for Community College Faculty in West Texas Sponsored by National Science Foundation Organizers: Texas Tech University, Angelo State University, University of

More information

Secure Code Development

Secure Code Development ISACA South Florida 7th Annual WOW! Event Copyright Elevate Consult LLC. All Rights Reserved 1 Agenda i. Background ii. iii. iv. Building a Business Case for Secure Coding Top-Down Approach to Develop

More information

Security in Computer Literacy- A Model for Design, Dissemination, and Assessment

Security in Computer Literacy- A Model for Design, Dissemination, and Assessment Security in Computer Literacy- A Model for Design, Dissemination, and Assessment Claude F. Turner Department of Computer Science Bowie State University (301) 860-3965 cturner@bowiestate.edu Blair Taylor

More information

Educational Requirement Analysis for Information Security Professionals in Korea

Educational Requirement Analysis for Information Security Professionals in Korea Educational Requirement Analysis for Information Security Professionals in Korea Sehun Kim Dept. of Industrial Engineering, KAIST, 373-1, Kusong-dong, Yusong-gu, Taejon, 305-701, Korea shkim@kaist.ac.kr

More information

MS Information Security (MSIS)

MS Information Security (MSIS) MS Information Security (MSIS) Riphah Institute of Systems Engineering (RISE) Riphah International University, Islamabad, Pakistan 1. Program Overview: The program aims to develop core competencies in

More information

Information Assurance Curricula and Certifications

Information Assurance Curricula and Certifications Information Assurance Curricula and Certifications Abstract Victor Piotrowski Department of Mathematics and Computer Science University of Wisconsin-Superior vpiotrow@uwsuper.edu Although there have been

More information

Development. Resilient Software. Secure and. Mark S. Merkow Lakshmikanth Raghavan. CRC Press. Taylor& Francis Croup. Taylor St Francis Group,

Development. Resilient Software. Secure and. Mark S. Merkow Lakshmikanth Raghavan. CRC Press. Taylor& Francis Croup. Taylor St Francis Group, Secure and Resilient Software Development Mark S. Merkow Lakshmikanth Raghavan CRC Press Taylor& Francis Croup Boca Raton London New York CRC Press is an imprint of the Taylor St Francis Group, an Informs

More information

Master of Science in Early Childhood Education Singapore, 2004 2005

Master of Science in Early Childhood Education Singapore, 2004 2005 Master of Science in Early Childhood Education Singapore, 2004 2005 Sponsored by Wheelock College s Center for International Education, Leadership, and Innovation and RTRC Asia in Singapore Background

More information

Adobe ColdFusion. Secure Profile Web Application Penetration Test. July 31, 2014. Neohapsis 217 North Jefferson Street, Suite 200 Chicago, IL 60661

Adobe ColdFusion. Secure Profile Web Application Penetration Test. July 31, 2014. Neohapsis 217 North Jefferson Street, Suite 200 Chicago, IL 60661 Adobe ColdFusion Secure Profile Web Application Penetration Test July 31, 2014 Neohapsis 217 North Jefferson Street, Suite 200 Chicago, IL 60661 Chicago Dallas This document contains and constitutes the

More information

Comparison of Secure Development Frameworks for Korean e- Government Systems

Comparison of Secure Development Frameworks for Korean e- Government Systems , pp.355-362 http://dx.doi.org/10.14257/ijsia.2014.8.1.33 Comparison of Secure Development Frameworks for Korean e- Government Systems Dongsu Seo School of Information Technology Sungshin University dseo@sungshin.ac.kr

More information

Security Education for the new Generation

Security Education for the new Generation Security Education for the new Generation SESSION SESSION ID: ID: MASH-W02 Wednesday, Feb 26, 9:20 AM @ WEST 3018 Jacob West Chief Technology Officer HP Enterprise Security Products Matt Bishop Professor

More information

The Ideal Future for Intelligence Education: Rebuilding and Balancing Practice and Theory

The Ideal Future for Intelligence Education: Rebuilding and Balancing Practice and Theory The Ideal Future for Intelligence Education: Rebuilding and Balancing Practice and Theory Runner-up, 2012 IAFIE Essay Contest, Graduate Student Category Alexander Homan Neill Graduate Student - University

More information

(Instructor-led; 3 Days)

(Instructor-led; 3 Days) Information Security Manager: Architecture, Planning, and Governance (Instructor-led; 3 Days) Module I. Information Security Governance A. Introduction to Information Security Governance B. Overview of

More information

Computer Security Curriculum at the Univ. of Wisconsin Eau Claire. Paul J. Wagner wagnerpj@uwec.edu

Computer Security Curriculum at the Univ. of Wisconsin Eau Claire. Paul J. Wagner wagnerpj@uwec.edu Computer Security Curriculum at the Univ. of Wisconsin Eau Claire Paul J. Wagner wagnerpj@uwec.edu Background! Attended week-long workshop at Indiana University of Pennsylvania in 2002 with colleague Andy

More information

Soran University Faculty of Science and Engineering Computer Science Department Information Security Module Specification

Soran University Faculty of Science and Engineering Computer Science Department Information Security Module Specification 1. Module Title Information Security 2. Module Code: CS403INS 3. Module Level - Forth Stage 4. Module Leader Safwan M. 5. Teaching Semester 7 and 8 Soran University Faculty of Science and Engineering Computer

More information

Learn About Computer Network Security - A Review

Learn About Computer Network Security - A Review http://www.diva-portal.org Postprint This is the accepted version of a paper presented at International Conference on Learning and Teaching in Computing and Engineering (LaTiCE) 2014, 11-13 April 2014,

More information

Math Science Partnership (MSP) Program: Title II, Part B

Math Science Partnership (MSP) Program: Title II, Part B Math Science Partnership (MSP) Program: Title II, Part B FLOYD COUNTY: COLLABORATIVE SYMPOSIUM FOR MATH IMPROVEMENT IN FLOYD COUNTY SCHOOLS ANNUAL EVALUATION REPORT: YEAR TWO Report Prepared by: Tiffany

More information

EECS 588: Computer and Network Security. Introduction January 14, 2014

EECS 588: Computer and Network Security. Introduction January 14, 2014 EECS 588: Computer and Network Security Introduction January 14, 2014 Today s Class Welcome! Goals for the course Topics, what interests you? Introduction to security research Components of your grade

More information

Certifications and Standards in Academia. Dr. Jane LeClair, Chief Operating Officer National Cybersecurity Institute

Certifications and Standards in Academia. Dr. Jane LeClair, Chief Operating Officer National Cybersecurity Institute Certifications and Standards in Academia Dr. Jane LeClair, Chief Operating Officer National Cybersecurity Institute Accreditation What is it? Why is it important? How is it attained? The National Centers

More information

Session T1H Introducing Security in a Chemical Engineering Design Course Using Adaptive Online Learning

Session T1H Introducing Security in a Chemical Engineering Design Course Using Adaptive Online Learning Introducing Security in a Chemical Engineering Design Course Using Adaptive Online Learning Ken Debelak, Larry Howard, Yuan Xue, Christina Lee, Janos Sztipanovits Vanderbilt University, Nashville, TN 37235

More information

A Multi-Tier Approach to Cyber Security Education, Training, and Awareness in the Undergraduate Curriculum (CSETA)

A Multi-Tier Approach to Cyber Security Education, Training, and Awareness in the Undergraduate Curriculum (CSETA) Paper ID #9796 A Multi-Tier Approach to Cyber Security Education, Training, and Awareness in the Undergraduate Curriculum (CSETA) Dr. Nikunja Swain P.E., South Carolina State University Dr. Swain is currently

More information

Certificate in Cyber Security

Certificate in Cyber Security Certificate in Cyber Security Offered as a partnership between Cape Peninsula University of Technology (CPUT), French South African Institute of Technology (F SATI), CS Interactive Training and Boshoff

More information

1 Past AOL reports and reviews are available at http://www.kennesaw.edu/cetl/aol/reports.html

1 Past AOL reports and reviews are available at http://www.kennesaw.edu/cetl/aol/reports.html 1 ASSURANCE OF LEARNING REPORT DEGREE PROGRAM: Master of Science in Information Systems (MSIS) REPORT AUTHOR(S): Amy B. Woszczynski, PhD SUBMISSION DATE: January 29, 2010 1. Following up on the previously

More information

Bellevue University Cybersecurity Programs & Courses

Bellevue University Cybersecurity Programs & Courses Undergraduate Course List Core Courses: CYBR 250 Introduction to Cyber Threats, Technologies and Security CIS 311 Network Security CIS 312 Securing Access Control CIS 411 Assessments and Audits CYBR 320

More information

Criteria for web application security check. Version 2015.1

Criteria for web application security check. Version 2015.1 Criteria for web application security check Version 2015.1 i Content Introduction... iii ISC- P- 001 ISC- P- 001.1 ISC- P- 001.2 ISC- P- 001.3 ISC- P- 001.4 ISC- P- 001.5 ISC- P- 001.6 ISC- P- 001.7 ISC-

More information

How to start a software security initiative within your organization: a maturity based and metrics driven approach OWASP

How to start a software security initiative within your organization: a maturity based and metrics driven approach OWASP How to start a software security initiative within your organization: a maturity based and metrics driven approach Marco Morana OWASP Lead/ TISO Citigroup OWASP Application Security For E-Government Copyright

More information

Toward Curricular Guidance in the Cyber Sciences

Toward Curricular Guidance in the Cyber Sciences Toward Curricular Guidance in the Cyber Sciences 1 6 J U N E 2 0 1 5 2 0 1 5 C I S S E L A S V E G A S D A V I D G I B S O N, U S A I R F O R C E A C A D E M Y B E T H H A W T H O R N E, U N I O N C O

More information

90% of data breaches are caused by software vulnerabilities.

90% of data breaches are caused by software vulnerabilities. 90% of data breaches are caused by software vulnerabilities. Get the skills you need to build secure software applications Secure Software Development (SSD) www.ce.ucf.edu/ssd Offered in partnership with

More information

Increasing student retention through an enhanced mentoring and tutoring program. Abstract

Increasing student retention through an enhanced mentoring and tutoring program. Abstract Increasing student retention through an enhanced mentoring and tutoring program Hua Li, Kai Jin Industrial and Mechanical Engineering Department hua.li@tamuk.edu, kai.jin@tamuk.edu Mohamed Abdelrahman

More information

Running Head: LEADERSHIP ACADEMY ASSESSMENT 1. Name of Person(s) completing report or contributing to the project: Reina M.

Running Head: LEADERSHIP ACADEMY ASSESSMENT 1. Name of Person(s) completing report or contributing to the project: Reina M. Running Head: LEADERSHIP ACADEMY ASSESSMENT Name of Department: Office of Multicultural Student Success (OMSS) Name of Contact Person: Jeff Brown Name of Person(s) completing report or contributing to

More information

College/School/Major Division Assessment Results for 2012-2013

College/School/Major Division Assessment Results for 2012-2013 College/School/Major Division Assessment Results for 2012-2013 1) College/School: School of Agriculture: Animal Science Unit 2) Review your student learning outcomes (SLOs). Please update as needed. The

More information

Policies for Evaluating Faculty: Recommendations for Incorporating Student and Peer Reviews in the Faculty Evaluation Process DRAFT

Policies for Evaluating Faculty: Recommendations for Incorporating Student and Peer Reviews in the Faculty Evaluation Process DRAFT Policies for Evaluating Faculty: Recommendations for Incorporating Student and Peer Reviews in the Faculty Evaluation Process DRAFT Overview In 2011, The University of Texas System Chancellor unveiled

More information

MPA Program Assessment Report Summer 2015

MPA Program Assessment Report Summer 2015 MPA Program Assessment Report Summer 2015 Introduction: This was the second full year for doing learning outcomes assessment based on the 2009 NASPAA accreditation standards and conducting our exit interviews

More information

SECURE AND TRUSTWORTHY CYBERSPACE (SaTC)

SECURE AND TRUSTWORTHY CYBERSPACE (SaTC) SECURE AND TRUSTWORTHY CYBERSPACE (SaTC) Overview The Secure and Trustworthy Cyberspace (SaTC) investment is aimed at building a cybersecure society and providing a strong competitive edge in the Nation

More information

The GW CyberCorps Program

The GW CyberCorps Program The GW CyberCorps Program www.seas.gwu.edu/cybercorps Introduction The need for educated personnel in the government s cyber security workforce is critical to the nation s security. As evidenced by remarks

More information

Designing and Coding Secure Systems

Designing and Coding Secure Systems Designing and Coding Secure Systems Kenneth Ingham and Anil Somayaji September 29, 2009 1 Course overview This class covers secure coding and some design issues from a language neutral approach you can

More information

CORE Security and the Payment Card Industry Data Security Standard (PCI DSS)

CORE Security and the Payment Card Industry Data Security Standard (PCI DSS) CORE Security and the Payment Card Industry Data Security Standard (PCI DSS) Addressing the PCI DSS with Predictive Security Intelligence Solutions from CORE Security CORE Security +1 617.399-6980 info@coresecurity.com

More information

elearning for Secure Application Development

elearning for Secure Application Development elearning for Secure Application Development Curriculum Application Security Awareness Series 1-2 Secure Software Development Series 2-8 Secure Architectures and Threat Modeling Series 9 Application Security

More information

Using Visualization to Teach Security

Using Visualization to Teach Security Using Visualization to Teach Security Dino Schweitzer, Wayne Brown Academy Center for Cyberspace Research, United States Air Force Academy, CO dino.schweitzer@usafa.edu Abstract. Interactive visualization

More information

Proposal for a Graduate Certificate in Information Assurance Education Track 2. Submitted. by the. School of Technology West Lafayette Campus

Proposal for a Graduate Certificate in Information Assurance Education Track 2. Submitted. by the. School of Technology West Lafayette Campus Graduate Council Document 03-24a Approved by the Graduate Council 11/20/03 Proposal for a Graduate Certificate in Information Assurance Education Track 2 Submitted by the School of Technology West Lafayette

More information

Master of Science in Information Systems & Security Management. Courses Descriptions

Master of Science in Information Systems & Security Management. Courses Descriptions Master of Science in Information Systems & Security Management Security Related Courses Courses Descriptions ISSM 530. Information Security. 1 st Semester. Lect. 3, 3 credits. This is an introductory course

More information

GEMS-U Program Description

GEMS-U Program Description GEMS-U Program Description (GEMS-U) is an innovative, exclusive statewide program, spearheaded by the Alabama Department of Education. The GEMS-U program is designed to develop and disseminate high-quality

More information

Integrating Software Assurance and Secure Programming Concepts and Mindsets into an Undergraduate Computer Science Program

Integrating Software Assurance and Secure Programming Concepts and Mindsets into an Undergraduate Computer Science Program Integrating Software Assurance and Secure Programming Concepts and Mindsets into an Undergraduate Computer Science Program Striving to Achieve the Goals of the SEI/CERT Software Assurance Curriculum Project

More information

A Process Model for Establishing Engineering Technology Programs at Technical Colleges

A Process Model for Establishing Engineering Technology Programs at Technical Colleges A Process Model for Establishing Engineering Technology Programs at Technical Colleges George D. Gray Applied and Engineering Technology Division Wichita Area Technical College Raju Dandu Engineering Technology

More information

EUCIP - IT Administrator. Module 5 IT Security. Version 2.0

EUCIP - IT Administrator. Module 5 IT Security. Version 2.0 EUCIP - IT Administrator Module 5 IT Security Version 2.0 Module 5 Goals Module 5 Module 5, IT Security, requires the candidate to be familiar with the various ways of protecting data both in a single

More information

CyberNEXS Global Services

CyberNEXS Global Services CyberNEXS Global Services CYBERSECURITY A cyber training, exercising, competition and certification product for maximizing the cyber skills of your workforce The Cyber Network EXercise System CyberNEXS

More information

2 0 0 7 Sponsorship Packet On behalf of The Center for Infrastructure Assurance and Security (CIAS) I would like to invite you to participate through sponsorship at our second National Collegiate Cyber

More information

CERIAS Tech Report 2012-14 A Curriculum Model for Industrial Control Systems Cyber-Security with Sample Modules by J. Chris Foreman, James H.

CERIAS Tech Report 2012-14 A Curriculum Model for Industrial Control Systems Cyber-Security with Sample Modules by J. Chris Foreman, James H. CERIAS Tech Report 2012-14 A Curriculum Model for Industrial Control Systems Cyber-Security with Sample Modules by J. Chris Foreman, James H. Graham, Jeffrey L. Hieb, Rammohan K. Ragade Center for Education

More information

The Importance of Using Hacker Contests and Mindset in Teaching Networks and Information Assurance

The Importance of Using Hacker Contests and Mindset in Teaching Networks and Information Assurance The Importance of Using Hacker Contests and Mindset in Teaching Networks and Information Assurance Thomas A. Babbitt This paper was completed and submitted in partial fulfillment of the Master Teacher

More information

CSUSB Web Application Security Standard CSUSB, Information Security & Emerging Technologies Office

CSUSB Web Application Security Standard CSUSB, Information Security & Emerging Technologies Office CSUSB, Information Security & Emerging Technologies Office Last Revised: 03/17/2015 Draft REVISION CONTROL Document Title: Author: File Reference: CSUSB Web Application Security Standard Javier Torner

More information

EFFECTIVELY COUNSELING GRADUATING STUDENTS

EFFECTIVELY COUNSELING GRADUATING STUDENTS EFFECTIVELY COUNSELING GRADUATING STUDENTS Executive Summary Introduction Are graduating students prepared to enter the job market and succeed in their first jobs? How are students utilizing college career

More information

Kerry Kidwell-Slak and Kate Phelps Assistant Directors, Professional Practice UMBC Shriver Center

Kerry Kidwell-Slak and Kate Phelps Assistant Directors, Professional Practice UMBC Shriver Center Kerry Kidwell-Slak and Kate Phelps Assistant Directors, Professional Practice UMBC Shriver Center } Science: Biology, Chemistry, Biochemistry, Environmental, Physics, Psychology, Atmospheric Sciences

More information

Cyber Security & Data Privacy. January 22, 2014

Cyber Security & Data Privacy. January 22, 2014 Cyber Security & Data Privacy January 22, 2014 Today s Presenters Bob DiBella Director of Product Management Aclara Technologies Srinivasalu Ambati Application Architect, Consumer Engagement Aclara Technologies

More information

PANEL TITLE: UNIVERSITY APPROACHES TO INFORMATION SECURITY EDUCATION - CHALLENGES, ISSUES, SUCCESSES, AND OPPORTUNITIES

PANEL TITLE: UNIVERSITY APPROACHES TO INFORMATION SECURITY EDUCATION - CHALLENGES, ISSUES, SUCCESSES, AND OPPORTUNITIES PANEL TITLE: UNIVERSITY APPROACHES TO INFORMATION SECURITY EDUCATION - CHALLENGES, ISSUES, SUCCESSES, AND OPPORTUNITIES PANEL CHAIR: Dr. Rayford Vaughn ( Mississippi State University): Dr. Vaughn teaches

More information

ANALYSIS OF SOFTWARE THREATS AND SOFTWARE SECURITY. Department of Computer Science & IT University of Jammu, Jammu

ANALYSIS OF SOFTWARE THREATS AND SOFTWARE SECURITY. Department of Computer Science & IT University of Jammu, Jammu ANALYSIS OF SOFTWARE THREATS AND SOFTWARE SECURITY Dr. Deepshikha Jamwal Bhawana Sharma Research Scholar Research scholar jamwal.shivani@gmail.com bhawana32_mca@yahoo.co.in Department of Computer Science

More information

Course Modules for Software Security

Course Modules for Software Security Course Modules for Software Security Austin Frazier, Xiaohong Yuan, Yaohang Li, Stephan Hudson, North Carolina A&T State University Abstract Each year the reported number of security vulnerabilities increases

More information

Effective Software Security Management

Effective Software Security Management Effective Software Security Management choosing the right drivers for applying application security Author: Dharmesh M Mehta dharmeshmm@mastek.com / dharmeshmm@owasp.org Table of Contents Abstract... 1

More information

Delta Courses. *The College Classroom. The College Classroom: International Students, International Faculty. Diversity in the College Classroom

Delta Courses. *The College Classroom. The College Classroom: International Students, International Faculty. Diversity in the College Classroom COURSE CATALOG Contents Introduction... 3 Delta Courses... 4 The College Classroom... 4 The College Classroom: International Students, International Faculty... 4 Diversity in the College Classroom... 4

More information

Center of Academic Excellence Cyber Operations Program 2013 Application

Center of Academic Excellence Cyber Operations Program 2013 Application Center of Academic Excellence Cyber Operations Program 2013 Application Name of Institution: Mailing Address of Institution: Date: Institution s President s Name and Official Email Address: Department

More information

Comparative Analysis of PhD programs in Engineering Education

Comparative Analysis of PhD programs in Engineering Education Paper ID #13515 Comparative Analysis of PhD programs in Engineering Education Mr. Homero Gregorio Murzi, Virginia Tech PhD. student of Engineering Education at Virginia Tech. Mr. Prateek Shekhar, University

More information

PRO-NET. A Publication of Building Professional Development Partnerships for Adult Educators Project. April 2001

PRO-NET. A Publication of Building Professional Development Partnerships for Adult Educators Project. April 2001 Management Competencies and Sample Indicators for the Improvement of Adult Education Programs A Publication of Building Professional Development Partnerships for Adult Educators Project PRO-NET April 2001

More information

The introduction covers the recent changes is security threats and the effect those changes have on how we protect systems.

The introduction covers the recent changes is security threats and the effect those changes have on how we protect systems. 1 Cyber-attacks frequently take advantage of software weaknesses unintentionally created during development. This presentation discusses some ways that improved acquisition practices can reduce the likelihood

More information

Master of Science in Security Informatics (MSSI) Information Security Institute (JHUISI) The Johns Hopkins University

Master of Science in Security Informatics (MSSI) Information Security Institute (JHUISI) The Johns Hopkins University Master of Science in Security Informatics (MSSI) Information Security Institute (JHUISI) The Johns Hopkins University Securing cyberspace and our national information infrastructure is now more important

More information

Security Training-as-a-Service (STr-aaS) Service Details & Features

Security Training-as-a-Service (STr-aaS) Service Details & Features Security Training-as-a-Service (STr-aaS) Service Details & Features Importance of Information Security Training There is only one way to keep your product plans safe and that is by having a trained, aware

More information

Standard: Web Application Development

Standard: Web Application Development Information Security Standards Web Application Development Standard IS-WAD Effective Date TBD Email security@sjsu.edu # Version 2.0 Contact Mike Cook Phone 408-924-1705 Standard: Web Application Development

More information

Security Transcends Technology

Security Transcends Technology INTERNATIONAL INFORMATION SYSTEMS SECURITY CERTIFICATION CONSORTIUM, INC. Career Enhancement and Support Strategies for Information Security Professionals Paul Wang, MSc, CISA, CISSP Paul.Wang@ch.pwc.com

More information

CYBER SECURITY TRAINING SAFE AND SECURE

CYBER SECURITY TRAINING SAFE AND SECURE CYBER SECURITY TRAINING KEEPING YOU SAFE AND SECURE Experts in Cyber Security training. Hardly a day goes by without a cyber attack being reported. With this ever-increasing threat there is a growing need

More information

Cyber Defense Exercise: A Service Provider Model

Cyber Defense Exercise: A Service Provider Model Cyber Defense Exercise: A Service Provider Model Jeffrey A. Mattson Software Engineering Institute, Carnegie Mellon University, 4500 5th Avenue, Pittsburgh, PA 15218 jmattson@cert.org Abstract. Cyber Defense

More information

SAFECode Security Development Lifecycle (SDL)

Michael Howard Microsoft Matthew Coles EMC 15th Semi-annual Software Assurance Forum, September 12-16, 2011 Agenda Introduction to SAFECode Security Training

Priority III: A National Cyberspace Security Awareness and Training Program

Everyone who relies on part of cyberspace is encouraged to help secure the part of cyberspace that they can influence or control.

Engineering our Future New Jersey: Partnerships, the Critical Element

Elisabeth McGrath, Stevens Institute of Technology Dawna Schultz, Stevens Institute of Technology Abstract: Engineering Our Future

ETHICAL HACKING

APPLICATION, WIRELESS, NETWORK, MOBILE

Systems and Global Engineering: A Pilot Study for High School Students and Teachers

Mercedes McKay, Stevens Institute of Technology Beth McGrath, Stevens Institute of Technology Debra Brockway, Stevens

Cyber Security :: Insights & Recommendations for Secure Operations. N-Dimension Solutions, Inc.

Cyber Security Protection for Critical Infrastructure Assets Agenda: Cyber Landscape Cyber Threats to Your

Master of Science in Early Childhood Education Singapore, 2005-2006

Offered by RTRC Asia in Collaboration with Wheelock College's Center for International Education, Leadership, and Innovation Background

Guide for Designing Cyber Security Exercises

VICTOR-VALERIU PATRICIU Computer Science Department Military Technical Academy Bucharest, Bd. George Cosbuc, no. 81-83 ROMANIA victorpatriciu@yahoo.com ADRIAN

Information Security Curriculum Creation: A Case Study

Bradley Bogolea College of Engineering The Pennsylvania State University University Park, Pa 16802 bdb194@cse.psu.edu Kay Wijekumar School of Information

Define & Assess Skills - Smart Grid Security Specialists

SANS 2011 North American SCADA & Process Control Summit Michael Assante President & CEO NBISE michae.assante@nbise.org 208-557-8026 Cyber Security:

Department of Information Systems and Cyber Security

The University of Texas at San Antonio All graduate programs in Information Systems and Cyber Security are accredited by AACSB International The Association

CompTIA Security+ (Exam SY0-410)

Length: Location: Language(s): Audience(s): Level: Vendor: Type: Delivery Method: 5 Days 182, Broadway, Newmarket, Auckland English, Entry Level IT Professionals Intermediate

New Media for Teaching Applied Cryptography and Network Security

published as: J. Hu, D. Cordel, Christoph Meinel: New Media for Teaching Applied Cryptography and Network Security; In Proceedings of the 1st European Conference on Technology Enhanced Learning (EC-TEL

Introducing Software Engineering to the Freshman Student

Yi Liu, Wei Wang and Onyeka Ezenwoye Department of Electrical Engineering and Computer Science South Dakota State University Brookings, SD 57007

EECS 588: Computer and Network Security. Introduction

January 13, 2014 Today's Class Welcome! Goals for the course Topics, what interests you? Introduction to security research Components of your grade

University of Wisconsin-Whitewater Curriculum Proposal Form #3 New Course

Effective Term: 2147 (Fall 2014) Subject Area - Course Number: COMPSCI 462 (See Note #1 below) Cross-listing: N/A Course Title:(Limited

KEN VAN WYK. Fundamentals of Secure Coding and how to break Software MARCH 19-23, 2007 RESIDENZA DI RIPETTA - VIA DI RIPETTA, 231 ROME (ITALY)

TECHNOLOGY TRANSFER PRESENTS KEN VAN WYK Fundamentals of Secure Coding and how to break Software MARCH 19-23, 2007 RESIDENZA DI RIPETTA - VIA DI RIPETTA, 231 ROME (ITALY) info@technologytransfer.it www.technologytransfer.it

Policies for Evaluating Faculty: Recommendations for Incorporating Student and Peer Reviews in the Faculty Evaluation Process

Overview Effective teaching is the core of any outstanding university and is

NIST Cybersecurity Initiatives. ARC World Industry Forum 2014

Keith Stouffer and Vicky Pillitteri NIST ARC World Industry Forum 2014 February 10-13, 2014 Orlando, FL National Institute of Standards and Technology (NIST) NIST's mission

Software Development: The Next Security Frontier

James E. Molini, CISSP, CSSLP Microsoft Member, (ISC)² Advisory Board of the Americas jmolini@microsoft.com http://www.codeguard.org/blog De-perimeterization

CS 464/564 Networked Systems Security SYLLABUS

College: College of Science Department: Department of Computer Science Syllabus Title: CS 464/564 Networked Systems Security Call Number: 1. Meet the Professor

Excellence Doesn't Need a Certificate. Be an. Believe in You. 2014 AMIGOSEC Consulting Private Limited

Introduction In this age of emerging technologies where IT plays a crucial role in enabling and running

2012 Application Security Gap Study: A Survey of IT Security & Developers

Research sponsored by Innovation Independently Conducted by Ponemon Institute LLC March 2012 Part