thatthegoals,methods,andevaluationtechniquesofinformationandcomputersecurityare Moscow,ID83844

Transcription

1 AnInformationSecurityEducationInitiativefor DepartmentofElectricaland ComputerEngineering Syracuse,NY13224 SyracuseUniversity Shiu-KaiChin EngineeringandComputerScience DepartmentofComputerScience DeborahFrincke NavalPostgraduateSchool StudiesandResearch CenterforINFOSEC Monterey,CA93943 CynthiaIrvine theundergraduateandgraduatelevels.itsfocusisontheneedforsucheducation,thedesired educationaloutcomes,andhowtheoutcomesmaybeassessed.abasicthesisofthispaperis Thispaperputsforwardacaseforaneducationalinitiativeininformationsecurityatboth UniversityofIdaho thatthegoals,methods,andevaluationtechniquesofinformationandcomputersecurityare Moscow,ID83844 consistentwithandsupportiveofthestatedgoalsofengineeringeducationandthegrowing movementforoutcomes-basedassessmentinhighereducation. Abstract Networkedcomputingandinformationretrievalareconsideredbymanytobecrucialtothewellbeingofthenation'sinformationinfrastructure[14].Theinformationinfrastructureincludessuch databases,networkprotocols,schedulingandroutingalgorithms,distributedhardware,andconcurraphy'sroleinsecuringtheinformationsociety,[40]. computingandelectroniccommerce.theseapplicationsrelyonacollectionofswitchingsystems, rentsoftware.thesesystemsmustworkcorrectlyandeconomicallywithguaranteesofperformance, availabilityofservice,safety,andsecurity. calledthe\informationsecurityproblem"bythenationalresearchcouncilinitsbook,cryptog- Theincreasinguse,relianceupon,andvulnerabilityoftheselarge-scaleinformationsystemsis Today'sinformationagerequiresU.S.businessestocompeteonaworldwidebasis,sharingsensitiveinformationwithappropriatepartieswhileprotectingthatinformationagainstcompetitors, vandals,suppliers,customers,andforeigngovernments.privatelaw-abidingcitizensdislikethe easewithwhichpersonaltelephonecallscanbetapped,especiallythosecarriedoncellularor cordlesstelephones.elementsoftheu.s.civilianinfrastructuresuchasthebankingsystem,the electricpowergrid,thepublicswitchedtelecommunicationsnetwork,andtheairtraccontrol 1WhyInformationSecurityEducationisNeeded diverseandcomplexapplicationsastelecommunications,airtraccontrol,healthcare,mobile 1

2 computingingeneral."intherushtoeldnewproductsandservices,developershaveoftenignored securityasafundamentalsystemrequirement. [29]is:\Theadvancesincomputersecurityhavenotbeenabletokeeppacewiththechangesin TheDefenseScienceBoardputsitmorebluntlyinitsNovember1996report,Reportofthe OneofthemajorproblemsconfrontingthesecuritycommunitycitedbyPeegerandCooper haveahighpriority. systemarecentraltosomanydimensionsofmodernlifethatprotectingtheseelementsmust DefenseScienceBoardTaskForceonInformationWarfare{Defense(IW-D)[7]: satisfysecurityrequirements.fortunately,a\theoryofcomputersecurity"[8]hasemergedthat TherealityisthatthevulnerabilityoftheDepartmentofDefense{andofthenation{to oensiveinformationwarfareattackislargelyaself-createdproblem.programbyprogram, economicsectorbyeconomicsector,wehavebasedcriticalfunctionsoninadequatelyprotected sucienttoenforcethepolicy,andassurancethatthemechanismsdoenforcethepolicy.its hasthreecomponents:apreciselyarticulatedsecuritypolicydescribingthemangement,protection,anddistributionofsensitiveinformationbyanorganization,asetoffunctionalmechanisms Thechallengeistodesign,developanddeploycomplexsystemswithcondenceintheirabilityto industryhassoldgloballymuchofthegenerictechnologythatcanbeusedtostrikethesetargets. telecomputingservices.inaggregate,wehavecreatedatarget-richenvironmentandtheu.s. implicationsarethat: ford[42]: Currently,fewresourcesarebeingappliedtoeducatingsecurityprofessionals,asnotedbySpaf- toachieveacoherentsecurityarchitecture,securitymustbeconsideredfromtheoutsetand competenceindesignforsecuritypolicyenforcement,testingforsecurity,andassessmentof notasanafterthought;and securitymustbepartoftheeducationofsystemimplementors. Ourstudentsandsoon-to-bestudentswillbedesigningourinformationtechnologiesofthe puterscienceprofessionalseducatedincomputersecuritynotedbyspaord[42],thecommission andrespondingtoattacksoncriticalinfrastructures"isanconcern.toremedythelackofcom- systemsareaprimarycommissionobjectiveand\educationonmethodsofreducingvulnerabilities tection[27].strategiesforsecurityagainstcomputer-basedattacksoninformationandcomputer ExecutiveOrder13010establishedaPresidentialCommissiononCriticalInfrastructurePro- future.weareendangeringthemandourselvesbecausethemajorityofthemwillreceiveno hasrecommended[28]signicanteortstofosterprogramsproducinggraduatesininformationand trainingininformationsecurity. computersecurity. TheaboveneedforeducationisechoedbytheDefenseScienceBoard.Itrecommends: workingwiththenationalsciencefoundationto\developeducationalprogramsforcurriculumdevelopmentattheundergraduateandgraduatelevelsinresilientsystemdesignpractices,"and 2

3 speaking,engineeringisfundamentallyaboutassuringresultsusingtechniquesbasedonscientic principles.thegoalistoengineersecuresystemsabinitiowithassuranceratherthantodiscover providestudentswithanunderstandingofthefoundationalconceptsofcomputersecurity?the thatwhatwehavebuiltisinadequate.docurrentengineeringandcomputersciencecurricula Tosatisfytheaboveeducationalgoalswemustmovetoacultureofengineering.Broadly makingthe\requiredskillsetmuchbroaderanddeeperineducationallevel[for]computer answeris\no."computersecuritydiersfromotherengineeringapproachesinthatthesystem scientists,networkengineers,electronicsengineers,businessprocessengineers." mustbeimplementedsuchthatsecuritypolicyenforcementtakesplaceeveninthepresenceof maliciouscode.atthe1996ieeesymposiumonsecurityandprivacy,schell[39]notedthatin thecontextofasubvertedsystemalackofsecuritymaynotbeevident. increasethelikelihoodthatournextgenerationofinformationtechnologyworkerswillhavethe tions,applicationofbestimplementationpractices,assessment,andcertication.whenlookingat backgroundtheyneedtodesignanddevelopsystemswhichareengineeredtobereliableandsecure {thattheyaredesignedtoprotectinformationinthefaceofmalicioussoftware[8]. curriculumdevelopment,analogousnotionshold.theseeducationalnotionsinclude: Bymovingtoacultureofengineeringwhichincludesappropriateknowledgeofsecurity,wecan Thesecuritycommunityhaslongembracedtheconceptsofrequirements,policies,specica- identicationofspeciceducationaloutcomesandskills; identicationofeducationalcriteriaforselectionofeducationaloutcomes; designofcoursesandcurriculatomeettheidentiedoutcomes; assessmentresultstoimproveeducationalprocessesisfullyembracedbyboththeaccreditation BoardforEngineeringandTechnology(ABET)foraccreditingallengineeringprogramsinthe Thetechniqueofidentifyingspeciceducationalgoals,assessingtheresults,andusingthese assessingtheactualoutcomes;and utilizingfeedbackfromassessmenttoimprovecurriculaandcourses. designingmeansofassessmenttoevaluatethesatisfactionofoutcomes; educationalgoalsofinformationsecuritywithinthecontextofengineeringandabetaccreditationisappropriate.electricalandcomputerengineers,andcomputerscientists,manyofwhom deploymentofmuchoftheinformationinfrastructure.theirknowledgeandunderstandingofthe areeducatedwithincollegesofengineering,areresponsibleforthedesign,implementation,and principlesunderlyingandtheengineeringtechniquesusedtoconstructsecuresystemsisessen- US[12],andbytheAmericanSocietyforEngineeringEducation(ASEE),[13].Examiningthe Section6. selecttheeducationaloutcomesinsection3.section3relatestheeducationalgoalsofsecurity tialfortheprotectionofsystemsfromthesmallesttothelargestandatalllevelsofcivilianand computerscienceandcomputerengineeringeducation. andengineeringandcomputersciencewithinacommonframework.section4outlinesproposed assessmentcriteria.section5discussescomputersecurityeducationprograms.conclusionsarein governmententerprise.thispaperprovidesaframeworkforintegratinginformationsecurityinto Theremainderofthispaperisorganizedasfollows.Section2discussesthecriteriausedto 3

4 2CriteriaforSelectingEducationalOutcomes edgeandskillsappropriatetoeachroleinthe\informationsociety"mustbeidentied.thereisa Itisinsucientandimpracticaltosayeverybodyneedstoknoweverythingaboutsecurity.Knowl- healthcare,highereducation,etc.thefocushereisontechnicaleducationincomputerandnetworksecurity.theoverarchingcriteriaforselectingeducationaloutcomesforinformationsecurity are: theeducationaloutcomesmustaddresssecurityneedsconsistent withthesecuritychallengesencounteredbygraduatesintheirpro- needfortechnicalliteracyamongdecisionmakerswithinenterprises,government,militarydefense, associatedsecurityconcerns.theserolesare: Irvinein\ChallengesinComputerSecurityEducation,"[20],identiestenrolesorjobtitleswith thespeciceducationaloutcomesforsecurityinagiveneducational fessionalroles,and 1.thegeneralpopulation; programmustbeconsistentwiththeeducationalcontextandlarger 2.corporateinformationprofessionals; outcomesofthespecicprogram. 3.computerprofessionals; 4.systemadministrators; 5.computersecurityemergencyresponseteam(CERT)members; 10.securityresearchers. 8.systemcertiers; 9.legalprofessionalsandlawenforcement;and 7.systemarchitects; 6.securesoftwareandhardwaredevelopers; areprimarilyconcernedwiththeeducationofsoftwareandhardwaredevelopers,systemarchitects, systemcertiers,certmembers,andsecurityresearchers.fortheseroles,irvine[20]identies educationalneedsforeachasfollows: Oftheabovetenroles,programsofelectricalandcomputerengineeringandcomputerscience Softwareandhardwaredevelopers,whendevelopingnewcomponents,shouldknowhowto securitypolicies. objectivesandhowsoftwarecanleveragehardwaretoproducesystemsabletoenforcespecic buildsecurityintoproducts.theyshouldunderstandhowhardwarecansupportsecurity 4

5 Systemarchitectsmustknowhowdierentsecuritymechanismswithinthesystemworktogether;aawedcomponentcanobviateallotherprotectionfeatures.Theymustunderstand includingthoseofsecurity. Systemcertiersmustknowhowtoinspectthedesignandimplementationofsystemsto overallrequirementsandmustbeabletodesignasystemthatmeetsavarietyofobligations, CERTmembersmustknowhowawsinexistingsystemsmakethosesystemsvulnerableto policies.theymustunderstandthepropertiesoftheunderlyinghardwareaswellasthe policyenforcementmechanism.rigorousapproachestoawanalysisandtheexposureof softwareandmustbeabletoanalyzetheevidencethathighlevelpolicyismappedtothe systemelementsvulnerabletoclandestineexploitationarerequired. determinethelevelofcondencetobeascribedtothosesystems'abilitytoenforcesecurity Securityresearcherspushthetechnologicalenvelope.Theymustunderstandtheinterplay externalthreats.theymustunderstandbothhardwareandsoftwarefactorsthatcontribute tothecreationofsystemawsandvulnerabilities,andgeneralizesolutionsacrosspotentially largesetsofservicesandproducts. enceprograms?thecomputingsciencesaccreditationboard(csab)criteriaforcurriculum betweensecurityandothersystempropertiessuchasfaulttoleranceandreal-timeconstraints. Criteria2000[12]. sciencecurriculum[9].table1belowliststheskillsetspeciedbyabetinitsreport,engineering assessmentemphasizestheimportanceofthescienticmethodasakeyconceptwithinacomputer Howwelldothesegoalsmatchwiththeevaluationcriteriaforengineeringandcomputersci- Theyshouldhaveadeepunderstandingofcomputerscienceandthescienticfoundationsof Comparingthesecurityskillsneededby1)softwareandhardwaredevelopers,2)systemarchitects,3)systemcertiers,4)CERTmembersand5)researchers,withtheABETcriteriarevealsa anabilitytodesignandconductexperiments,aswellastoanalyzeandinterpretdata; anabilitytodesignasystem,component,orprocesstomeetdesiredneeds; anabilitytoapplyknowledgeofmathematics,science,andengineering; computersecurity,andhavesignicantspecializedknowledgeintheirareaofresearch. closematchinthefollowingareas: Additionally,thebroaderareasof anabilitytoidentify,formulate,andsolveengineeringproblems anabilitytousethetechniques,skills,andmodernengineeringtoolsnecessaryforengineering anabilitytocommunicateeectively. anunderstandingofprofessionalandethicalresponsibility; thebroadeducationnecessarytounderstandtheimpactofengineeringsolutionsinaglobal practice;and andsocietalcontext;and 5

6 Engineeringprogramsmustdemonstratethattheirgraduateshave Criterion3.ProgramOutcomesandAssessment 2.anabilitytodesignandconductexperiments,aswellastoanalyzeandinterpret 3.anabilitytodesignasystem,component,orprocesstomeetdesiredneeds 1.anabilitytoapplyknowledgeofmathematics,science,andengineering Table1:ABETEvaluationCriteriaforEngineeringPrograms 5.anabilitytoidentify,formulate,andsolveengineeringproblems 4.anabilitytofunctiononmulti-disciplinaryteam(CERT)members 8.thebroadeducationnecessarytounderstandtheimpactofengineeringsolutionsinaglobalandsocietalcontext 6.anunderstandingofprofessionalandethicalresponsibility 7.anabilitytocommunicateeectively data 10.aknowledgeofcontemporaryissues 11.anabilitytousethetechniques,skills,andmodernengineeringtoolsnecessary 9.arecognitionoftheneedfor,andanabilitytoengageinlife-longlearning providemeaningfulconnectionstotheotherrolesidentiedbyirvinein[20]. Section3renestheconnectionsbetweensecurityandengineeringeducationgoalswithina aknowledgeofcontemporaryissues forengineeringpractice. InSection2wejuxtaposedtheeducationalgoalsofengineeringandcomputerscienceagainstthe commonframework. 3EducationalOutcomes educationalneedsintheareaofsecurityforvarioussocietalroles.inthissectionwewillrelatethe twoinmoredetailsothattheeducationalgoalsofsecurityforhardwareandsoftwaredevelopers, Third,eacheldhasstandards.Fourth,eacheldhasnotionsofevaluationandassessment.Finally, interest.second,eacheldhassystematicwaysofthinkingandanalysisforarrivingatsolutions. engineering,andcomputerscienceareconcernedwithsolvingproblemsintheirrespectiveeldsof eachwithinacommonframeworkofcriticalthinkingwhichisappliedacrossvirtuallyalluniversity systemarchitects,systemcertiers,certmembers,andpotentialresearchersaremetwithinthe frameworkofengineeringandcomputerscienceprograms.todoso,wewillexaminethegoalsof usedbyotherdisciplinestosecurityasscienceandengineering. securityeducationtobroadereducationalobjectivesandallowsustoadaptassessmenttechniques workingwithinacommonframeworksharedbymanyotherdisciplinesallowsustorelategoalsfor disciplines. InSection3.1wedescribeaframeworkforcriticalthinking.Section3.2relatesthedisciplines Whyexaminebothgoalswithinaframeworkofcriticalthinking?First,thedisciplinesofsecurity, ofsecurity,engineering,andcomputersciencewithinthatframework.section3.3examineshow 6

7 securityandengineeringonthebasisofpublishedcriteriaandgoals. welltherelationshipbetweensecurityandengineeringmeetstheeducationalgoalsofinformation TheimportanceofcriticalthinkingasahigherorderframeworkisidentiedbyformerSecretary oflabor,robertreichinhisbook,theworkofnations,[31].reichputsforthfourskillsin particular:1)abstraction,2)systemthinking,3)experimentationandtesting,and4)collaboration. 3.1AFrameworkforCriticalThinking PaulandWillsenin[33]summarizeReich'slistofskillsasfollows: 1.CommandofAbstractions 2.ThinkingWithinSystems Thecapacityforabstraction{fordiscoveringpatternsandmeanings{is,ofcourse,the 3.TestingIdeas veryessenceofsymbolicanalysis,inwhichrealitymustbesimpliedsothatitcanbe understoodandmanipulatedinnewways:::(pp.229{230) beenselected,whytheyareimportant,howtheywerededuced,andhowtheymightbe theproblemarisesandhowitisconnectedtootherproblems.(p.231) contradicted.thestudentlearnstoexaminerealityfrommanyangles,indierentlights, Theeducationofthesymbolicanalystemphasizessystemthinking.Ratherthanteach interpretation.thestudentistaughttogetbehindthedata{toaskwhycertainfactshave Insteadofemphasizingthetransmissionofinformation,thefocusisonjudgmentand studentshowtosolveaproblemthatispresentedtothem,theyaretaughttoexaminewhy 4.LearningtoCollaborateandCommunicate andthustovisualizenewpossibilitiesandchoices.thesymbolic-analyticmindistrained tobeskeptical,curious,andcreative.(p.230) describedbydianehalpern[17]as: ThelistofskillsidentiedbyReichistheessenceofcriticalthinking.Criticalthinkingis theuseofthosecognitiveskillsorstrategiesthatincreasetheprobabilityofadesirableoutcome. credittoothers.theyalsolearntonegotiate{toexplaintheirownneeds,todiscernwhat ndanswers.theylearnhowtoseekandacceptcriticismfrompeers,solicithelp,andgive othersneedandviewthingsfromothers'perspectives.(p.233) Studentslearntoarticulate,clarify,andthenrestateforoneanotherhowtheyidentifyand asaseriesofquestions: RichardPaulandJaneWillsenin[34]reneHalpern'sdenitiontoanindividual'spointofview Itis:::purposeful,reasoned,andgoaldirected{thekindofthinkinginvolvedinsolving problems,formulatinginferences,calculatinglikelihoods,andmakingdecisionswhenthethinker isusingskillsthatarethoughtfulandeectivefortheparticularcontextandtypeofthinking task. 7

8 WhatprecisequestionamItryingtoanswer? WithinwhatpointofviewamIthinking? Whatisthepurposeofmythinking? Whatwouldtheconsequencesbe,ifIputmythoughtintoaction? WhatamItakingforgranted,whatassumptionsamImaking? IfIaccepttheconclusions,whataretheimplications? Whatconceptsorideasarecentraltomythinking? HowamIinterpretingthatinformation? WhatconclusionsamIcomingto? WhatinformationamIusing? frameworkofpaulandnosich,[32]: Theframeworkweusetodescribesecurityandengineeringisbasedonthecriticalthinking 2.Whatarethequestionsatissue,orproblemstobesolved? 5.Whataretheconceptualdimensionsofreasoning? 4.Whataretheempiricaldimensionsofreasoninginthediscipline? 3.Whatarethediscipline'spointsofview,orframesofreference? 1.Whatisthediscipline'spurpose,goal,orend? neering,andrelatethetwodisciplineswithintheframework. 6.Whatassumptionsaremadebythediscipline? 3.2RelatingSecurity,Engineering,andComputerScienceWithinaFramework Usingtheaboveframework,wecananswerthequestionsastheypertaintosecurityandengi- 8.Whatinferencescanbemadedrawinguponthediscipline? 7.Howisthedisciplineusedtodrawimplicationsandconsequences? designedtobebothcontinuouslyeectiveinenforcingpolicyandresistanttomalicioussoftware: InGoalsforSecurityEducation[19]andNPSCISR:SixYearsofExperience[21],Irvinedescribes topicschosentoillustrateandenforcethenotion[4]thatcertaincomponentsofthesystemmustbe ofcriticalthinking 8

9 securitypolicymodels formalmethodsappliedtosystemspecication,development,and hardwareandsoftwareprotectionmechanisms securesystemdesign,implementationandtesting databasesecurity moderncryptography analysis cryptographicprotocols PeegerandCooperin[29]listvebroadclassicationsofsecurityconcepts. coherentnetworksecurityarchitectures auditing identicationandauthentication keymanagementandkeydistribution 1.Policy{understandingthreatsfromwhichinformationrequiresprotectiontoinsurecondentiality,integrity,andavailability. toaccessandaectsystemresources. 3.Identicationandauthorization{associatingtheactivitiesoftheexecutingcomputerwith 2.Privilege{creatingmechanismstodistinguishandcontroltheabilityofactivesystementities engineeringandsciencecurricula,weusetheframeworkasshownintable2.sections3.2.1through Theaboveareamixtureoftechniques,goals,andproperties.Torelatethemtocomputer 5.Audit{thecreationoftracesandtheirinterpretation. 4.Correctness{withprovidingassurancethatthehardware,software,andsystemsforsecurity policyenforcementarenotsusceptibletotamperingorbypass. individualusers,whomaybeheldaccountablefortheactivitiesundertakenontheirbehalf Purpose,Goal,orEnd 3.2.8summarizetheelementsofeachdisciplinewithintheframework.Educationaloutcomesare processeswhichmeetadesiredendorrequirement.amajorgoalofsecurityistodevelopcomputingsystemsthatcanensuresecuritypolicyenforcementinthepresenceofmalicioussoftware andabusiveuserbehavior.hencethegoalmayencompasspolicyobjectivesforinformationcondentiality,integrity,andavailability.inaddition,thesystemmustprovideamechanismtoholdits listedforeachelement. Majorgoalsincomputerengineeringandcomputerscienceistoconstructcomputersystemsor 9

10 Elements Purpose,goal,orend.Developsecuritypolicybasedon Questionsorproblemstobesolved.Howaresecuritypropertiesde- Table2:SecurityandEngineeringinaCriticalFramework assuranceofcorrectandcontinuoussecuritypolicyenforcement.constructcomputersystemsor threats.buildsystemproviding scribedinthecontextofanau- tomatedsystem?howarese- curitypropertiesengineeredinto systems?whatassurancecanprocessestomeetadesiredend tiesdoinfactexistintheim- plementationandthattheyare tamper-resistant? Whatarethestructuresofhard- beprovidedthattheseproper-orrequirement. framesofreference.architects,softwaredesigners, Pointsofviewand ware,software,andsubsystem componentswhichsatisfythe properties?whatisthemeans systems,securesubsystems,securenetworkinganddistributedarethedesignandimplementa- computing,databases,etc. sors,operatingsystems,compil- ers,databases,etc. hardwaredesigners. Variousapplications:proces- Architects,softwaredesigners, tionveriedandtested? hardwaredesigners. Variousapplications:operatingofconstruction?Bywhatmeans sionsofreasoning.principlesofconstructionand Empiricaldimensions ofreasoning. Conceptualdimen-analysis.Informationtheory, discretemathematics,cryptographytheory,formalprotocols, formallogics,formalmethods, ematics,linearsystemstheory, Principlesofconstructionand niteautomata,discretemath- logic,declarativeprogramming, object-orienteddesign. analysis.switchingtheory,- measurements. Experiments.Penetrationtestoratorydemonstrations,systeogy,covertchannelanalysis,labing,awhypothesismethodol- administrationissues,problems incommercialsystems. Experiments.Laboratory demonstrations,prototypes, simulation,testing,performance object-modeldesign. Assumptionsmade.Components,services, Implicationsandconsequences. Inferences. Auditingandtraceanalysis.Intrusiondetection.Failsecurtribution.Congurationman- functions,andpropertiesfor Useracceptability.Trusteddisagement.Cost.Ethics. Easeofmaintenance.Ethics. ysis.easeofmanufacture.cost. Components,services, functions,andpropertiesfor reference. eachlevelofdesignandframeof Riskanalysis.Maintenance. ication. operation.systemtestandver-systemtestandverication. Risk,safety,andreliabilityanal- Faultdetection.Errordetection. eachlevelofdesignandframeof reference. 10

11 usersaccountablefortheiractionsthroughidenticationandauthentication,andaudit.finally, usersmusthavecondencethattheirinformationwill,infact,beprotectedwithinthesystem. EducationalOutcomes Abilitytoclearlystatethepurposeofarequirement,itssignicance,anditsachievabilitytureofcomponentshavethepropertieswhicharerequired?Thisquestionisaskedatalllevelsof 3.2.2QuestionsorProblemstobeSolved Thefundamentalcharacteristicofengineeringistheabilitytoanswerthequestion,doesthisstruc- Abilitytodeterminetheconsistencyofrequirementsandpurposes. aresystemsofhardwareandsoftware. design,fromthelevelwherecomponentsaretransistors,tothelevelwherecomponentsthemselves mentpermitstheprecisearticulationofsecurityrequirementsanddemonstratesthefeasibilityof combinationwiththedevelopmentofhighlevelsecurityarchitecturesandtheirstep-wiserene- mappingstoprovideachainofevidencethattheimplementationdoescorrespondtopolicy,in maliciouscode?theuseofformalsecuritypolicymodels,formalspecications,andassurance temoperation.thequestionateachlevelofdesignis,doesthisstructureofcomponentsmap toamechanismforsecuritypolicyenforcementforwhichwehavecondenceinthepresenceof condentiality,integrity,andavailability,areformulatedaspropertiesthatmustholdduringsys- Insystemdesign,manypropertiesmustbesatised.Securityrequirements,brokendownto arealimplementation. EducationalOutcomes Abilitytoclearlyformulatequestionsofsignicancerelativetothe Abilitytoclearlyandpreciselystatetheproblemtobesolvedand overallpurpose. ofrolesandapplications.thetechnicalrolesinsecuritywereidentiedinsection2assystem 3.2.3PointsofViewandFramesofReference Thepointsofviewandframesofreferenceforbothsecurityandengineeringaregiveninterms Abilitytodeterminefeasibilityofproblemsolution. howitcanbedecomposed. describingacombinationofcomputerandnetworksecuritymechanismstoinsureacoherentsystem mainlybythecomponents,functions,services,andmeansofreasoningavailabletoeach. thetrustworthinessofthesystemsecurityocer,aparticularinstruction-setarchitectureand designers.theseroleshavemeaninginbothengineeringandsecurity.theserolesarecharacterized fortheenforcementofpolicy.whenbuildingasecuresystem,thedesignersmaytakeasaxioms hardwareplatforms,andoperatingsystems.securityconcernsatthearchitecturelevelmayentail architects,softwareandhardwaredevelopers,systemcertiers,certmembers,andhardware Forexample,systemarchitectsassumeascomponentsparticularnetworks,networkservices, 11

12 concernedwiththeeectiveuseofhardwaremechanismstosupporttheseobjectives.thehardware designerwillattempttoconstructdevicesthatsubstantivelysupportprotectionobjectiveswhile admittingawidevarietyofsoftwareimplementations.ahardwaredesignermayassumeaparticular celllibrary,memoryorganization,instruction-set,etc.securityconcernsmayfocusoncorrectness. insureprocessisolationandtheprotectionoftheoperatingsystem.thesoftwaredeveloperwillbe programminglanguage.usinghardwareandsoftware,itispossibletoconstructasystemto signicantapplicationareasforbothengineeringandsecurity. Systemelementssuchasprocessors,operatingsystems,compilers,databases,networks,etc.,are EducationalOutcomes Abilitytodesignandanalyzesolutionstomeetrequirementsand Abilitytounderstandtheimpactactionsinonelevelorviewpoint Abilitytotrade-oseveralrequirementsfromdierentviewpoints specicationsatmultipleslevelsofabstractionandwithseveral haveonotherlevelsorviewpoints. viewpoints. instrumentingsystems,measuringtheirperformance,andbytestingandsimulation. Theempiricaldimensionisconcernedwithexperimentsandwiththeresultsattainedon\real" 3.2.4EmpiricalDimensionsofReasoning systems.inengineering,empiricalresultsareobtainedonthe\labbench"bybuildingprototypes, Alloftheaboveempiricalmethodsareapplicabletosecurity.Functionalinterfacetesting, inordertoachievethemaximumbenet. analysesbasedontheflawhypothesismethodology[47]conducted.analysesareconductedand userconvenienceandsystemeciency.techniquesforassessingthevulnerabilityofsystemsmay maybeexaminedforaws[41],covertchannelsanalyzed[24,49],andsystematicpenetration beusedtoexaminerealsystemsforrealaws. prototypesystemsarebuiltandexaminedforsecurityaws,suchasvulnerabilityto\real"attacks. Performanceissuesmayalsobeexaminedbybalancingexpecteddecreasesinvulnerabilityversus unitandmoduletestingareallpartofthedevelopmentprocessforasecuresystem[26].hardware internalengineeringtestsofselectedsubsystems,systemgenerationandrecoverytests,aswellas EducationalOutcomes Abilitytoconstructexperimentsorprototypestodemonstrate Theconceptualdimensionsofreasoningdenethediscipline.Incomputerengineeringandscience, 3.2.5ConceptualDimensionsofReasoning Abilitytoobserve,collect,analyze,andinterpretdatafromexperiments. somepurposeorfacilitatesomemeaningfulexploration. conceptsformtheprinciplesofconstructionandanalysis. thefundamentaltheoreticalconceptsarebasedonmathematics,logic,andphysics.thetheoretical 12

13 positionofsignalsandonsuperposition.thisgivesrisetotheclassicaltreatmentsofnetworks, controls,andcommunicationstheory. programmingandobject-orienteddesigndependontypetheory. tionallogic,predicatecalculus,discretemathematics,andnite-statemachinetheory.functional ware,securityalsoincludestheoreticalconceptstosupportthedevelopmentanduseofcryptography Inelectricalandcomputerengineering,linearsystemstheoryisbasedonthesinusoidalcom- andtheuseofformalmethodsforvericationandcovertchannelanalysis.themeansforanalysis andcryptographicfunctions;cryptographicprotocols;formalpolicymodels;formalspecication; isbasedondiscretemathematics,informationtheoryandmathematicallogic{suchasstandard Theconstructionofcomputerhardwareandtoalesserextentsoftware,isbasedonproposi- predicatecalculus,modallogic,andspecializedbelieflogics. Inadditiontoapplyingstandardmathematicalfoundationsforconstructinghardwareandsoftment: EducationalOutcomes Foreachlevelofdesignabstraction,application,andforeachrequire- Clearunderstandingofthemathematical,logical,andphysicalconceptswhichformtheanalyticalbasisandprinciplesofconstruction. Theassumptionswhicharemadebyeachdisciplinearebasedonthecomponents,services,and 3.2.6AssumptionsMade Abilitytoapplyanalyticalconceptsandprinciplesofconstruction totheanalysisandconstructionofrealsystems. levelsofabstractionaredenedbytheseassumptionsaswellastheparticularrulesofcomposition usedforforcreatingstructuresofcomponents.forexample,designersofauthenticationprotocols assumethepresenceofencryptionfunctionsofsuitablestrength.designersofsoftwareassumethe correctnessofthehardwareplatformsupportingtheinstruction-setarchitecture.securesystem designersmayassumethatthesystemsecurityocer/administratoristrustworthyandthatthe propertiesassumedtobeavailableforeachlevelofdesignandframeofreference.designlevelsand compiler,placedundercongurationmanagement,doesnotcontainarticestocreatetrapdoors. ingassumptionsmadebyeachsetofconcerns.inconsistentassumptionsarecausedbymismatches indesignlevels,framesofreference,orapplications. Ameanstocheckconsistencybetweensecurityandengineeringconcernsistochecktheunderlyment: EducationalOutcomes Foreachlevelofdesignabstraction,application,andforeachrequire- Abilitytoclearlystateassumptionsbeingmade. Abilitytojustifytheassumptionsbeingmade. Abilitytochecktheconsistencyofassumptionsbeingmade. 13

14 Inbothengineeringandsecurity,theimplicationsandconsequencesofdesigndecisionsandsystem behaviorshavetheirimpacton: 3.2.7ImplicationsandConsequences Riskanalysis; Cost; Easeofmanufacture; riencedandsuccessfulsystemarchitectsanddesignersndthiscorrectbalancebasedonexperience, framework.thecorrectbalancingofconsequencesissometimestermedas\businesssense."expe- Thedeterminationofimplicationsandconsequencesreliesonallthepreviouselementsofthe Ethicalconsiderations. Reliability;and Easeofmaintenance; followingcriteriaintable1: empiricalreasoning,andconceptualreasoningcoupledwithadeepunderstandingoftheintended purposeorgoal. Determiningtheethicalconsequencesofcomputeruseiscomplex[5]butmaybebasedonthe Anunderstandingofprofessionalandethicalresponsibility; Aknowledgeofcontemporaryissues. Thebroadeducationnecessarytounderstandtheimpactofengineeringsolutionsinaglobal andsocietalcontext;and EducationalOutcomes Abilitytoanticipateandclearlystatewithprecisionandaccuracy systems.inferenceswhicharemadeincludethedeterminationof: 3.2.8Inferences TheelementsofSections3.2.1through3.2.7areusedtoinferconclusionsaboutsecurityand Abilitytojudgethelikelihoodofconsequences. thepositiveandnegativeconsequences. Theaboveareconcernswhicharecommontobothsecurityandengineering. Detectionofandprovingabusivebehaviorbasedonprolingandauditdata. SystematicpenetrationtestingandtheFlawHypothesisMethodology[47];and Failsecureandsecuresystemrecovery; 14

15 EducationalOutcomes 3.3AretheFrameworkandOutcomesSatisfactory? Abilitytojustifyconclusions. Abilitytodrawconclusionswhicharerelevantandconsistent. Abilitytodrawcorrectinferencesbasedonprinciples,observations, OnewaytoevaluatetheadequacyoftheframeworkandoutcomesdescribedinSections3.2.1 concepts,anddata. computersecurityexpertsandaccreditationcriteriaforelectricalandcomputerengineering.we through3.2.8istocompareittostatedrequirementsforinformationsecurityeducationmadeby examinetheproposededucationalframeworkagainsttheremarksmadebyemployersinthecomputersecurityeldatthe1996ieeesymposiumonsecurityandprivacy[39,6],the1997acm andcomputerengineeringproposedbytheieee. mationsystemssecurityeducation[23],andagainsttheaccreditationrequirementsforelectrical WorkshoponEducationinComputerSecurity[44],andthe1997NationalColloquiumforInfor- 2.RogerSchell,SeniorDevelopmentManagerforInformationSecurity,NetwareSystemsGroup, 1.BillMurray,SeniorVicePresident,DeloitteandTouchsaid[23]: Novell,Inc.[39]askedforindividualswho: Canthinkcritically. Understandfundamentalcomputerscienceconcepts;and \Computerscienceeducationwithrespecttosecurityneedsrigor,disciplineandsound engineeringvalues." 3.JimSchindler,InformationSecurityProgramManageratHewlettPackardhasdescribed 4.JohnKauza,VicePresidentforSecurity,ATT,providedhislistofskillsandcorecompetencies securityprofessionalsasindividualswhoareabletoadaptandbuildsecuresystemsinaworld ofchangingtechnology,changingcomputerparadigmsandchangingsecurityrequirements [39]. asfollows,[23]: 5.SteveBarnett,oftheNationalSecurityAgency,[6]madethefollowingpoints: Technicalcomputerscienceknowledge;and Ethics; Securitysolutionsmustbesoughtinthecontextofchangingtechnology. Securityorientation; Focusonthesupportiveskillsinotherclassesincluding: Operational/practicalexpertisetothinkandapplytoindustry. 15

16 Securityrequiresacomprehensivesystemsapproachandstudentsmust Complementformalapproachestosecuritywithpracticalexamplesandapplications. {Beabletodesigntomeetthoserequirements; {Beabletostatesecurityrequirements; {architectureanddesign;and {hardware,software,andprotocolsforsystemsandnetworks. 6.DanielFaigin,oftheAerospaceCorporation'sTrustedComputerSystemsDepartment,which isinvolvedintesting,securityresearch,andsystemevaluations,described: BasicSkills {Beabletotestdesignsandimplementations;and {Beabletoimplementthedesigncorrectly; {Fundamentalunderstandingofsoftwareengineeringtechniques; {Beabletomanagesystemcongurationandmaintenance. Supplementalskills {Familiaritywithsecuresystemevaluationcriteria;and {Experiencewith {Goodcommunicationskills; {Understandingaspecicareasuchas:operatingsystemdesignandarchitecture,information systemssecurity,networks,ordatabaseapplications;and Giventheabovelist,werespondtothemainpointsofeachasfollows. 1.Examiningthesepoints,items1,2,3,4,5,and6,allspecifythatsecurityisnotanisolated Hardware, disciplinebutpartofthelargercontextofengineeringandcomputerscience.theframework Formalmathematicallogic, relatesengineeringandsecuritywithineachelementoftheframeworkwhichcoverstop-level Variouslanguagesandoperatingsystems. Testingandtestingmethodologies,and 2.Kauzaspeciesthatethicsbepartofsecurityeducation.Thisisalsopartofengineeringeducationandispartofthecommonframeworkunderimplicationsandconsequences.However, goals,design,implementation,analysis,andtesting. 3.Kauza,Faigin,andSchindlerrequireoperationalexpertiseapplicabletoindustry.Thisis itisnoteworthythataconclusionemergingfromthe1997wecs[18]wasthatinformation thattheappropriatevenueforsocial,legalandethicalissuesassociatedwithcomputingmay responsibilityshouldbetaughtwellbeforestudentsenterinstitutionsofhighereducationand 4.Theremainingpointsdealwithspecicconcernsoverlinkingsecuritytoseveralengineering beprogramdependent. coveredwithintheframeworkunderempiricaldimensionsofreasoning. tion.theproposedframeworkcoversrequirementsthroughtestingandvalidation.barnett's activitiesspanningrequirements,specication,design,implementation,testing,andvalida- pleafortheorytoinformpracticeandpracticetoinformtheoryisreectedinboththe conceptualandempiricaldimensionsofreasoning. 16

17 Table3:AccreditationCriteriaforElectricalandComputerEngineering SubmittedbytheInstituteofElectricalandElectronicsEngineers,Incorporated ProposedProgramCriteriaforElectrical,Computer,and SimilarlyNamedEngineeringPrograms Criterion3inthreeormoreareasofelectricaland/orcomputerengineeringasappropriatetotheprogramnameandobjectives.Graduatesmustdemonstrateknowledge Theseprogramcriteriaapplytoengineeringprogramswhichincludeelectrical,electronic,computer,orsimilarmodiersintheirtitles. Curriculum Programsmustdemonstratethattheirgraduateshaveachievedtheoutcomeslistedin January16,1997(Revised2/5/97,2/21/97,3/4/97,3/8/97) ofprobabilityandstatistics,includingapplicationsappropriatetotheprogramname andobjectives.graduatesmustdemonstrateknowledgeofmathematicsthroughdifferentialandintegralcalculus,basicscience,andengineeringsciencenecessaryto mathematics,typicallyincludingdierentialequations,linearalgebra,andcomplex themodierelectricalinthetitlemustalsodemonstratetheknowledgeofadvanced variables.graduatesofprogramscontainingthemodiercomputerinthetitlemust analyzeanddesigncomplexdevicesandsystemscontaininghardwareandsoftware alsodemonstrateknowledgeofdiscretemathematics. componentsandappropriatetoprogramobjectives.graduatesofprogramscontaining TheaccreditationcriteriaforelectricalandcomputerengineeringprogramsproposedbytheIEEE isshownintable3.theyrefertocriterion3containedintable1.programsmustdemonstrate 5.Schellsynthesizedtherequirementsbyaskingforengineersandscientistswhoarecapableof thatgraduateshave: Howwelldoestheproposedframeworkmeettheaccreditationrequirementsforengineering? ofcriticalthinkingdirectlyaddressesthishigherorderrequirement. thinkingcriticallyaboutsecuritywithinsystems,asopposedtotechnicianswhoaremerely knowledgeableofsecuritytechniques.placingsecurityandengineeringwithinaframework AchievedtheoutcomeslistedinCriterion3inthreeormoreareasofelectricaland/orcomputerengineering; Alloftheaboveitemsarecontainedwithintheproposedframework.Ifproperattentionisplaced Knowledgeofdiscretemathematics. Knowledgeandapplicationofmathematicsandengineeringsciencenecessarytoanalyzeand totheelementofpointsofviewandframesofreference,multipledesignlevelsandapplicationswill beaddressed. designcomplexdevicesandsystemscontaininghardwareandsoftware;and 17

18 respectivefunctionalandassurancerequirements.(seetable4fromgasser[16]).forconsumers, Assessmentofsystemsisanacceptedpracticebythesecuritycommunity.Forexample,theTrusted ComputerSystemEvaluationCriteria(TCSEC)[25]describesevensystemratingclassesandtheir awthatwouldresultinacatastrophicfailuretoenforcesecuritypolicy.theobjectiveistoassess 4AssessingtheResults theratingsprovideanindependenttechnicalassessmentofthelikelihoodthatasystemcontainsa systemsbasedontheirbehaviors,capabilities,anddegreeofcondenceintheimplementation. ClassTitle A1VeriedDesign B3SecurityDomainsReferencemonitor(securitykernel),\highlyresistant Table4:TrustedSystemEvaluationCriteriaRatings B2Structured demonstration. covertchannelanalysis,informalcodecorrespondence topenetration." KeyFeatures Formaltop-levelspecicationandverication,formal B1LabeledSecurityPro- C2ControlledAccess C1Discretionary SecurityProtectionDiscretionaryaccesscontrols,protectionagainstaccidentsamongcooperatingusers. Mandatoryaccesscontrols,securitylabeling,removal Individualaccountability,extensiveauditing,add-on packages. orientedarchitecture,\relativelyresistanttopenetra- tion." ofsecurity-relatedaws. Formalmodel,covertchannelsconstrained,security- mostofwhichtraditionallyassessedlower-orderskillssuchasrecall.rather,thechallengeistosee ifstudentsareableto\thinklikeanengineerorthinklikeacomputersecurityspecialist." whetherstudentshavelearnedandifso,howmuch?thisisnotmerelytheadministrationoftests, Theproblemfacedbyeducatorsishowtoassessthecapabilitiesofstudents.Howdowejudge Onemeasureofasuccessfulcurriculumiswhenthereiscompellingevidencethatstudentswho DMinimalProtectionUnrated. gathereddependsonanswerstoquestionssuchas: completeacurriculumhaveachievedthespeciededucationaloutcomes.thetypeofevidence Educationalassessmentisimportantbecauseitaddressesquality.Arestudentsinfactlearning? Whatarethestandardsusedtojudgequality? Whataretheunderlyingprincipleswhichareimportant? Whataresomebehaviorsorindicatorswhichcharacterizetheoutcomes? Whatarethedesirededucationaloutcomes? Dograduatesinfactpossesstherequiredskills?Assessmentisbasedonthecultureofevidence, 18

19 muchasthetcsecusescoherentgroupingsoffunctionalpropertiesandassuranceevidenceto makeitsassessments.ajusticationforassessmentisfoundinlearningthroughassessment:a ResourceGuideforHigherEducation,[2]: acompellingpublicstakeineducation.aseducators,wehavearesponsibilitytothepublics Throughassessment,educatorsmeetresponsibilitiestostudentsandtothepublic.Thereis (AAHE)[2]whichapplytothispaperare: ThefourprinciplesofassessmentputforthbytheAmericanAssociationforHigherEducation mation;ourdeeperobligation{toourselves,ourstudentsandsociety{istoimprove.those towhomeducatorsareaccountablehavecorrespondingobligationtosupportsuchattemptsat improvement. meetgoalsandexpectations.butthatresponsibilitygoesbeyondthereportingofsuchinfor- thatsupportordependonustoprovideinformationaboutthewaysinwhichourstudents 1.Theassessmentofstudentlearningbeginswitheducationalvalues. 2.Assessmentismosteectivewhenitreectsanunderstandingoflearningasmultidimensional, 3.Assessmentworksbestwhentheprogramsitseekstoimprovehaveclear,explicitlystated integrated,andrevealedinperformanceovertime. thevaluescitedbyreich[31]assupportedbytheskillsof1)abstraction,2)systemthinking, 3)experimentationandtesting,and4)collaborationandcommunication,areelementsofthe Theframeworkandoutcomesareconsistentwithandsupportiveoftheaboveprinciples.First, 4.Assessmentrequiresattentiontooutcomesbutalsoandequallytotheexperiencesthatlead tothoseoutcomes. purposes. sequencesofcoursesthroughacurriculumoverseveralyearsandnotbyasinglecourseinone spanalldesignlevelsandlinktheorytopractice.theoutcomesarelikelytobeachievedbyseveral frameworkandarelistedasspeciceducationaloutcomesinseveralelements. mutuallysupporttheoutcomes. Theelementsoftheframeworkidentifycommongroundbetweenengineeringandsecuritywhich security. semester.theframeworkprovidesameanstolinkthevariouselementsacrossengineeringand Third,theframeworkandoutcomeshavetheexplicitpurposeoflinkingengineeringandsecurity. Second,theframeworkandoutcomesarespreadoverseveralviewpointsandactivitieswhich outcomes.theoryandpracticearecontainedasarelow-levelandhigh-leveldesignandanalysis. Fourth,theframeworkidentiesavarietyofexperiencesandactivitiesasmeansformeetingthe ImprovingCoursesandCurriculainHigherEducation,[11]. Tables6and7areexcerptedfrom[32]asexamples.Theremainingsixarefoundin[32]. andnosichin[32]providehigh-levelexamplesforeachoftheeightelementsoftheframework. used,theuseofcriticalthinkingasahigher-orderorganizingframeworkallowsforthespecialization ofassessmenttoolsforcriticalthinkingtothecriticalframeworkforengineeringandsecurity.paul MoredetailoncurriculadevelopmentandassessmentcanbefoundinDiamond'sDesigningand Whileitisbeyondthescopeofthispapertodevelopthepreciseassessmentinstrumentstobe 19

20 1.Theassessmentofstudentlearningbeginswitheducationalvalues. Table5:APartialListingofAssessmentPrinciplesfromAAHE questionsabouteducationalmissionandvaluesareskippedover,assessment Assessmentisnotanendinitselfbutavehicleforeducationalimprovement.Its shoulddrivenotonlywhatwechoosetoassessbutalsohowwedoso.where eectivepractice,then,beginswithandenactsavisionofthekindsoflearning wemostvalueforstudentsandstrivetohelpthemachieve.educationalvalues PrinciplesofGoodPracticeforAssessingStudentLearning threatenstobeanexerciseinmeasuringwhat'seasy,ratherthanaprocessof DevelopedundertheauspicesoftheAAHEAssessmentForum,December Assessmentismosteectivewhenitreectsanunderstandingof manceovertime.learningisacomplexprocess.itentailsnotonlywhat studentsknowbutwhattheycandowithwhattheyknow;itinvolvesnotonly improvingwhatwereallycareabout. learningasmultidimensional,integrated,andrevealedinperfor- 3.Assessmentworksbestwhentheprogramsitseekstoimprovehave knowledgeandabilitiesbutvalues,attitudes,andhabitsofmindthataect bothacademicsuccessandperformancebeyondtheclassroom.assessment shouldreecttheseunderstandingsbyemployingadiversearrayofmethods, revealchange,growth,andincreasingdegreesofintegration.suchanapproach includingthosethatcallforactualperformance,usingthemovertimesoasto clear,explicitlystatedpurposes.assessmentisagoal-orientedprocess. aimsforamorecompleteandaccuratepictureoflearning,andthereforermer basesforimprovingourstudents'educationalexperience. 4.Assessmentrequiresattentiontooutcomesbutalsoandequallyto pushesacampustowardsclarityaboutwheretoaimandwhatstandardsto apply;assessmentalsopromptsattentiontowhereandhowprogramgoalswill forassessmentthatisfocusedanduseful. tionsinprogramandcoursedesign,andfromknowledgeofstudents'owngoals. Whereprogrampurposeslackspecicityoragreement,assessmentasaprocess Itentailscomparingeducationalperformancewitheducationalpurposesand theexperiencesthatleadtothoseoutcomes.informationaboutoutcomesisofhighimportance;wherestudents\endup"mattersgreatly.butto outcomes.assessmentcanhelpusunderstandwhichstudentslearnbestunder aboutthecurricula,teaching,andkindofstudenteortthatleadtoparticular improveoutcomes,weneedtoknowaboutstudentexperiencealongtheway{ oftheirlearning. whatconditions;withsuchknowledgecomesthecapacitytoimprovethewhole betaughtandlearned.clear,shared,implementablegoalsarethecornerstone expectations{thosederivedfromtheinstitution'smission,fromfacultyinten- 20

21 Table6:AssessingtheQuestionatIssueorCentralProblem,fromPaul FundamentalStandards:1)ClarityofQuestion,2)SignicanceofQuestion,3) Principle:Tosettleaquestionyoumustunderstandwhatitrequires FlawedQuestions:1)Unclear,2)Insignicant,3)NotAnswerable,4)Irrelevant Answerability,4)Relevance tosettlesomequestion,solvesomeproblem) (Allreasoningisanattempttoguresomethingout, areclearabouttheques- canre-expressaquestionin avarietyofways tiontheyaretryingtoset- tle GoodReasoners: BadReasoners: areoftenunclearaboutthe kindofquestiontheyare expressquestionsvaguely andndthemdicultto asking FeedbacktoStudents: reformulate issue. (-)Themainquestionatissueisnevermadeclear. (+)Youdidagoodjobof clarifyingthequestionat (-)Youneedtoreformulate yourquestioninacoupleof canbreakaquestioninto waystorecognizethecomplexityofit. sub-questions areunabletobreakdown thequestionstheyareask-formulateyourquestioniing (+)Ilikethewayyoure- dierentways.ithelpsthe youwouldbreakitdown solveyourmainproblemif analyzingthemainquestionintosub-questions. (-)Itwouldbeeasierto (+)Youdoagoodjobof readerseeitfromdierent somewhat. pointsofview. havesensitivitytothekind distinguishquestionsthey ofquestiontheyareasking routinelydistinguishquestionsofdierenttypappropriatelytothequestionstheyask asking, confusequestionsofdierenttypes,oftenrespondin- kindofquestionstheyare havelittlesensitivitytothesuesseparatefromtheso- cialones. keepingtheeconomicis- one. (+)Youdoagoodjobof (-)Youareconfusingalegalquestionwithamoral cananswerfromquestions theycan't trytoanswerquestions toanswer theyarenotinaposition(+)youwerecorrectin leavingthatquestionunanswered,andinrecognizingwhatextrainformation youwouldneedtoanswer 21 thequestion

22 Table7:AssessingInferenceandConclusion,fromPaul FailureofInferencesandConclusions:1)Unclear,2)Unjustied,3)Supercial,4) FundamentalStandards:1)ClarityofInferences,2)JustiabilityofInferences,3) ProfundityofConclusions,4)ReasonabilityofConclusions,5)Consistencyof Unreasonable,5)Contradictory conclusionsandgivemeaningtodata) (Allreasoningcontainsinferencesbywhichwedraw Inference&Conclusion GoodReasoners: makeinferencesthatare clearandprecise Principle:Reasoningcanonlybeassoundastheinferencesitmakesandconclusionsitcomesto BadReasoners: oftenmakeinferencesthat areunclear FeedbacktoStudents: thatfollowfromtheevidenceorreasonspresentedoftenmakeinferencesthat donotfollowfromtheevidenceorreasonspresented(-)theconclusionyou (-)Itisnotclearwhatyour mainconclusionis. baseyourmainconclusion on. (+)Yourreasoningisvery clearandeasytofollow. usuallymakeinferences aredeepratherthansuper- cial oftenmakeinferencesthat oftenmakeinferencesthat aresupercial (+)Yourcentralconclusioniswell-thought-out cometodoesnotfollow andgoesrighttotheheart oftheissue. ingevidenceandgoodrea- sons. fromthereasonspresented. (-)Yourconclusionisjus- (+)Youjustifyyourcontied,butitseemssupercialgiventheproblemclusionwellwithsupport- oftenmakeinferencesor makeinferencesorcometo conclusionsthatareconsistentwitheachother cometoconclusionsthat arereasonable oftenmakeinferencesor cometoconclusionsthat areunreasonable arecontradictory. (-)Itisunreasonabletoinferaperson'spersonality (-)Theconclusionsyou dicttheconclusionsthat cometointherstpartof yourpaperseemtocontra- youcometoattheend. fromoneaction. 22

23 withoutanextensiveapprenticeshipintheeld.(wenotethatcautionshouldbeexercisedwhen studyasmallcollectionofbooksandpapersandbecomeacompetentinstructorinthisarea Cryptographyandtheuseofcryptographicprotocolsisappealingasasingle-coursetopic.Many 15,22].Cryptographyanditsuseinsecurecommunicationprotocolsisanimportantaspectof networksecurityandsecuredistributedarchitectures.itisstraightforwardforanindividualto booksandtextsareavailableforteachingcryptographyandnetworksecurity,e.g.[45,37,43, 5DiscussionofSecurityEducationPrograms signicantexpertise[1,36,38].) attemptingtobecomeapractitioner.thedesignofgoodprotocolsandcryptosystemsrequires Theframeworkdescribedinthispaperprovidesablueprintforachievinganinformationsecurity andmanyotherfundamentalareasofcomputerscienceandengineering,see[10,30,46,35,3]. educationwithanappropriatelybroadscope. anunderstandingoffoundationalaspectsofoperatingsystems,softwareengineering,modeling, computerandnetworksecurity;aprogramconnedtocryptographyandcryptographicprotocols, befollowedtosuccessfullybuildsecuresystems.designingandbuildingsecuresystemsinvolves willbeinsucienttoconveytostudentsthefoundationalconceptsanddesignprinciplesthatmust Despiteitsappeal,cryptographyanditsapplicationisonlyonepartofanoverallapproachto receivemoreattentionintheeducationofengineersandcomputerscientists.securityconceptsare curriculachargedwiththeeducationofthemajorityofsystemdesignersandimplementors.some fundamentaloneswhichapplytoalllevelsofsystemdesignandapplication.assuch,technically demandsthatmoreresilient,reliable,andsecuresystemsbebuiltanddeployed.theseissuesmust meaningfulwaysmustbesoughttointegratesecurityintotheengineeringandcomputerscience 6Conclusions undergraduateprogramswilloerspecializedcoursesincomputersecurityandgraduateprograms canprovideadvancedsecuritycoursescomplementedbyresearch.thesefocussedcoursesand Theincreasinguse,relianceupon,andvulnerabilityofcurrentlarge-scaleinformationsystems majorityofstudents.acompoundingfactorwillbetheinabilityofmanyprogramstoaddone securitycurriculaisolatedfromthoseofengineeringandcomputerscience.areasonableapproach istointegratesecurityconcernsintechnicallymeaningfulwaysintoengineeringandcomputer ormoresecuritycoursestoalreadyovercrowdedcurricula.itisunreasonabletocreateseparate sciencecurricula. programswillbeattractivetoonlyasubsetofthestudentpopulation;theydonotreachthevast thedisciplinesofsecurityandcomputerengineeringandscience. closelyrelatedtocomputerengineeringandscience.asmanyofthegoals,concepts,andmeans ofreasoningaresimilar,itseemsbothdesirableandpracticaltoincorporateelementsofeachinto UsingthecriticalframeworkofSection3,thetechnicalaspectsofsecurityarefoundtobe approachhastheadvantageofviewingsecurityasanimportantapplicationandpropertywhichis introductorycoursesonoperatingsystems,databases,softwareengineering,andnetworks[48].this ofacurriculumintowhichsecurityhasbeenintegratedbyexplicitlyinjectingsecuritytopicsinto engineeringandscienceintegratedwithsecurity.theairforceacademyprovidesanexample anintegralpartofcomputerengineeringandscience.atinstitutionswherethisisnotimmediately Ideally,coursematerialintheformoftextbooksandlaboratoryexampleswouldhavecomputer 23

24 accreditedusingoutcomes-basedassessment,institutionswhichwishtodistinguishthemselvesby science.theframeworkandoutcomes-basedassessmentcanbeusedtoensurecoherenceand coverageofsecurityskillswithinanengineeringcurriculum.asengineeringprogramsarenow possible,security-relatedsupplementscanbeaddedtoeachcategoryincomputerengineeringand eorts. References virtueofhavinganinformationsecurityfocuscandosoandberecognizedandaccreditedfortheir [1]MartinAbadiandRogerNeedham.PrudentEngineeringPracticeforCryptographicProtocols. InIEEESymposiumonResearchinSecurityandPrivacy,pages122{136,Oakland,CA,May [4]JamesP.Anderson.ComputerSecurityTechnologyPlanningStudy.TechnicalReportESD- [3]EdwardAmoroso.FundamentalsofComputerSecurityTechnology.PrenticeHallPublishing, [2]AmericanAssociationforHigherEducationAssessmentForum.LearningThroughAssessmement:AResourceGuideforHigherEducation,1997. [5]SarahBaase.AGiftofFire:Social,Legal,andEthicalIssuesinComputing.PrenticeHall, [6]SteveBarnett.ComputerSecurityTrainingandEducation:ANeedsAnalysis.InProceedings Englewood-Clis,NJ,1997. oftheieeesymposiumonsecurityandprivacy,pages26{27,losalamitos,ca,may1996. availableasvol.i,ditcad vol.ii,ditcad ). TR-73-51,AirForceElectronicSystemsDivision,HanscomAFB,Bedford,MA,1972.(Also EnglewoodClis,NJ,1994. [7]DefenseScienceBoard.ReportoftheDefenseScienceBoardTaskForceonInformation [8]D.L.BrinkleyandR.R.Schell.ConceptsandTerminologyforComputerSecurity.InAbrams, IEEEComputerSocietyPress. Warfare{Defense(IW-D).Technicalreport,OceoftheSecretaryofDefense,November [10]DorothyE.Denning.CryptographyandDataSecurity.AddisonWesleyPublishing,Reading, [9]ComputerScienceAccreditationCommission(CSAC).CriteriaforAccreditingProgramsin ComputerScienceintheUnitedStates. URLhttp:// Jajodia,andPodell,editors,InformationSecurity:AnIntegratedCollectionofEssays,pages MA, {97.IEEEComputerSocietyPress,LosAlamitos,CA,1995. [11]RobertM.Diamond.DesigningandImprovingCoursesandCurriculainHigherEducation. Jossey-Bass,SanFrancisco,

25 [14]NationalCoordinationOceforHPCC.CommitteeonInformationandCommunications [13]EngineeringDeansCouncil,CorporateRoundtable,AmericanSocietyforEngineeringEducation.EngineeringEducationforaChangingWorld,October1994nology.EngineeringCriteria2000,forreviewandcomment{secondedition. [12]EngineeringAccreditationCommissionofTheAccreditationBoardforEngineeringandTech- (CIC)StrategicImplementationPlan. URLhttp:// [17]DianeF.Halpern.ThoughtandKnowledge:AnIntroductiontoCriticalThinking.Lawrence [18]HeatherHinton.ReviewofFirstAnnualWorkshoponEducationinComputerSecurity. [15]WarwickFord.ComputerCommunicationsSecurity.PrenticeHallPublishing,Englewood [16]MorrieGasser.BuildingaSecureComputerSystem.VanNostrandReinhold,NewYork,1988. EarlbaumAssociates,NewJersey,thirdedition,1996. Clis,NJ,1994. [19]CynthiaE.Irvine.GoalsforComputerSecurityEducation.InProceedingsoftheIEEE URLhttp:// ElectronicCIPHER,Issue21,March1997. [21]CynthiaE.Irvine,DanielF.Warren,andPaulC.Clark.TheNPSCISRGraduateProgramin [20]CynthiaE.Irvine.ChallengesinComputerSecurityEducation.IEEESoftware,pages110{ INFOSEC:SixYearsofExperience.InProceedingsofthe20thNationalInformationSystems ComputerSocietyPress. 111,September/October1997. SymposiumonSecurityandPrivacy,pages24{25,LosAlamitos,CA,May1996.IEEE [23]JohnKauza.IndustrialPerspectiveonINFOSECEducationRequirements.InProceedingsof [22]CharlieKaufman,RadiaPerlman,andMikeSpeciner.NetworkSecurity,PrivateCommunicationinaPublicWorld.PrenticeHallPublishing,EnglewoodClis,NJ,1995. SecurityConference,pages22{30,Baltimore,MD,October1997. InstituteofTechnology,Linthicum,MD,April23{ thenationalcolloquiumforinformationsystemssecurityeducation,pages76{80,maritime [24]RichardKemmerer.SharedResourceMatricsMethodolgy:APracticalApproachtoIdentifyingCovertChannels.ACMTransactionsonComputerSystems,3(1):256{277,August1983uationCriteria,December1985.DoD STD. URLhttp:// [25]NationalComputerSecurityCenter.DepartmentofDefenseTrustedComputerSystemEval- [26]NationalComputerSecurityCenter.FinalEvaluationReportofGeminiComputers,IncorporatedGeminiTrustedNetworkProcessor,Version1.01,28June1995. [27]PresidentoftheUnitedStates.Executiveorder13010,1997.

26 [30]CharlesP.Peeger.SecurityinComputing,SecondEdition.PrenticeHall,Inc.,Englewood [29]CharlesPeegerandDeborahCooper.SecurityandPrivacy:PromisingAdvances.IEEE [28]PresidentalCommissiononCriticalInfrastructureProtection.Reportsummary,criticalfoundations,thinkingdierently. Clis,NJ,1996. Software,pages27{32,September/October1997. URLhttp:// [32]RichardPaulandGeraldM.Nosich.UsingIntellectualStandardstoAssessStudentReasoning. [31]RobertReich.TheWorkofNations.Vintage,NewYork,NY,1992. [33]RichardPaulandJaneWillsen.AcceleratingChange,theComplexityofProblems,andthe InJaneWillsenandA.J.A.Binker,editors,CriticalThinking:howtopreparestudentsfora [34]RichardPaulandJaneWillsen.CriticalThinking:IdentifyingtheTargets.InJaneWillsen preparestudentsforarapidlychangingworld,pages1{16.foundationforcriticalthinking, rapidlychangingworld,pages153{164.foundationforcriticalthinking, QualityofOurThinking.InJaneWillsenandA.J.A.Binker,editors,CriticalThinking:howto [36]BruceSchneier.WhyCryptographyIsHarderThanItLooks. [35]DeborahRussellandG.T.Gangemi.ComputerSecurityBasics.O'ReillyandAssociates,Inc., world,pages17{36.foundationforcriticalthinking,1995. anda.j.a.binker,editors,criticalthinking:howtopreparestudentsforarapidlychanging [37]BruceSchneier.AppliedCryptograhpy.JohnWileyandSons,NewYork,NY,1996. [38]BruceSchneier.Cryptography,Security,andtheFuture.Comm.A.C.M,40(1),January1997. URLhttp:// Sebastopol,CA,1991. [41]OlinSibert,PhillipA.Porras,andRobertLindell.TheIntel80x86ProcessorArchitecture: [40]ComputerScienceandNationalResearchCouncilTelecommunicationsBoard.Cryptography's [39]ChristophL.SchubaandMaryEllenZurko.IEEECSSymposiumonSecurityandPrivacy, PitfallsforSecureSystems.InProceedings1995IEEESymposiumonSecurityandPrivacy, RoleinSecuringtheInformationSociety.NationalAcademyPress,1996. URLhttp:// ElectronicCIPHER,Issue15,1June1996. [42]EugeneH.Spaord.TestimoneybeforetheUnitedStatesHouseofRepresentatives'SubcommitteeonTechnology,ComputerandNetworkSecurity. pages211{222,oakland,ca,may1995.ieeecomputersocietypress. URLhttp:// 26

27 [45]DouglasR.Stinson.CryptographyTheoryandPractice.CRCPress,NewYork,NY,1995. [46]RitaSummers.SecureComputing.McGrawHill,NewYork,NY,1997. [43]WilliamStallings.NetworkandInternetworkSecurityPrincipalsandPractice.PrenticeHall [44]ChristineStevensandDanielFaigin.PositionStatementandPresentationfortheFirstACM Publishing,EnglewoodClis,NJ,1995. [47]ClarkWeissman.PenetrationTesting.Technicalreport,NavalResearchLaboratory,January 1995.NRLTechnicalMemorandum5540:082A. WorkshoponEducationinComputerSecurity.Monterey,CA,January1997. [49]J.C.Wray.Ananalysisofcoverttimingchannels.InProceedings1991IEEESymposiumon [48]GregoryWhiteandGregoryNordstrom.SecurityAcrosstheCurriculum:UsingComputer SecuritytoTeachComputerSciencePrinciples.InProceedingofthe19thNationalInformation ResearchinSecurityandPrivacy,pages2{7.IEEEComputerSocietyPress,1991. SystemsSecurityConference,pages483{488,Baltimore,MD,October