Cybersecurity Curricula in European Universities Final report

Transcription

1 Observatoire des sciences et des techniques Fondazione Rosselli Cybersecurity Curricula in European Universities Final report Study commissioned by the Institute for Prospective Technological Studies Gabriel Clairet Scientific coordination Observatoire des sciences et des techniques January, 2003

2 Contributions to the study : Gabriel Clairet Coordinateur scientifique Observatoire des sciences et des techniques Operating Agent Philippe Wolf Directeur Centre de formation à la sécurité des systèmes d information Direction centrale de la sécurité des systèmes d information Secrétariat de la Défense nationale Laurence Esterle Directrice Observatoire des sciences et des techniques Martine Carisey Reviser and proof reader Observatoire des sciences et des techniques Alessandro Palmigiano Coordinatore Unita di Ricerca Diritto, Economia e Technologia Fondazione Rosselli Partner Alessandra Alaimo Ricercatrice presso la D.E.T. (researcher of D.E.T.) Fondazione Rosselli Donatella Amuso Ricercatrice presso la D.E.T. (researcher of D.E.T.) Fondazione Rosselli Marcelino Cabrera Giraldez Scientific Officer Institute for Prospective Technological Studies Joint Research Center - European Commission

3 Table of contents Context of the study 4 Organisation of the study 5 Methodology of the study 5 The general results for the six countries 7 Some observations and recommendations in conclusion of the study 11 Recommendations concerning national authorities 11 Recommendations at the European level 12 Cybersecurity curricula in universities by country 14 Belgium 14 France 17 Germany 24 Greece 31 Italy 36 United Kingdom 45 Annex 56 OST Fondazione Rosselli, Final Report, january

4 Context of the study In early 2001 the European Commission issued a communication to the Council and the European Parliament entitled "Network Security: a European Policy Approach". This communication addressed the needs for educational systems in member states to give more emphasis on courses focused on security - at all levels of education. In addition, the Joint Research Center (JRC) workshop on Cybercrime which took place in Seville in January 2001 identified future lines of European direct research to complement indirect research and national efforts on cybercrime. There was consensus that the fight against cybercrime requires new skills that can only be acquired through specific training programmes. While obtaining more and better data on cybercrime activities and developing new technologies to aid in the fight against cybercrime will be crucial in defining future skills requirements in the security field, much work remains to be done to specify the kinds and levels of skills needed. Under the broad aim of foresight on training and skills future needs for the security and the protection of personal, economic and public data in the Information Society, the Institute for Prospective Technological Studies (IPTS) has defined a set of research actions in a document of June 24 "Cybersecurity Skills and Training Needs and the Impact on Employment 1 ". The purpose of the project is to identify and analyse the future cyber-security needs for training and skills and the potential impact on employment for the three emerging domains : e-government ; e-health and e-bussiness. The second phase is devoted to the Cybersecurity curricula in European universities. This initiative is placed in the context of the increased vulnerability that widespread access, larger variety of services and ubiquitous Information Technology (IT) imply, and the resulting need for protection and security. Whilst the need of cybersecurity skills are increasing in European Information Society, the university curricula in European Union Member States encompass different levels of commitment regarding the inclusion of IT security in their curricula. The existence of specialized departments in technical and legal aspects of cybersecurity indicate that educational policies on cybersecurity vary from university to university as well as from country to country. Other indicators on these differences can be the status given to diplomas (studies leading to a BA, Master, post-master, etc.), the number of PhD thesis produced and the availability of qualified trainers in the field of Information Security. The university curricula are oriented to different needs with different emphasis on more pragmatic (e.g. legal, biometrics, etc.) or rather theoretical or basic research issues (e.g. algorithmics research in cryptography). The study attempt to explore qualitatively the activities of the academic world in support of cybersecurity training requirements. The study does not provide an exhaustive quantitative analysis allowing for comparison among available options. However, it may not be used to identify gaps or further needs in currently available training options across the heterogeneity of education systems in Member States. 1 Cybersecurity skills and training needs and the impact on employment, Seville, June 24, 2002, Joint Research Centre, Institute of Prospective Technological Studies OST Fondazione Rosselli, Final Report, january

5 Organisation of the study A study proposal has been annonced at the end of the first semester 2002 by the Institute for Prospective Technological Studies (IPTS) in collaboration with the European Science and Technology Observatory (ESTO). The «Observatoire des sciences et des techniques-ost» has presented its interest and also Fondazione Rosselli. Following the presentation of an Implementation Plan approved on October 9 and an addendum on October 31, the study coordinated by OST with Fondazione Rosselli as partner really began the third week of October. The OST was associated for the survey of France with the «Centre de formation à la sécurité des systèmes d information du Secrétariat général de la Défense». The persons associated to the projet are : the coordinator at OST, Gabriel Clairet in collaboration with Philippe Wolf of «Centre de formation à la sécurité des systèmes d information CFSSI». The Foundazione Rosselli was represented by M. Alessandro Palmigiano, from the bureau of Palerme (DET research unit in Sicily), the head quarter being located in Turin and two collaborators, Mrs. Alessandra Alaimo and Donatella Amuso. The exchange during the preparation of the survey and the report has been held with Marcelino Cabrera Giraldez, Scientific Officer of the Institute for Prospective Technology Studies (IPTS), one of the seven institutes of the Joint Research Center (JRC) of the European Commission. Methodology of the study The main objective of the study is to provide a first milestone towards a clear and comprehensive picture of the universities curricula in cybersecurity in the European Union. The Implementation Plan for the study included surveys considering public universities across six European members. The «Observatoire des sciences et des techniques» has covered the courses in University and «Grandes écoles» for France and Foundazione Rosselli the universities in Belgium, Germany, Greece, Italy and United Kingdom. The study gathers a minimum of information on the university courses. The survey format, presented in Annex, gives the details of the information selected. The main indicators are : main subjects/topics, number of hours per year, number of qualified professors, number of students registered and graduated (three year if possible, 2000 to 2002), PhDs, research centers and their domains of research; continuing courses (refreshing courses) in the departments identified in the survey. In terms of courses, the survey should identify the level of degree and the pre-requisite of degree to enter in these programs. The definition adopted in the last proposal of the European Commission has been used as a milestone to delimit the contours of the topic covered in the survey. The priority will be on the «Systems of Information Security»: «Network and information security can [thus] be understood as the ability of a network or an information system to resist, at a given level of confidence, accidental events or malicious actions that compromise the availability, OST Fondazione Rosselli, Final Report, january

6 authenticity, integrity and confidentiality of stored or transmitted data and the related services offered by or accessible via these networks and systems 2.» This definition is similar to the one adopted by the National Colloquium for Information Systems Security Education (USA) under the terms of Information Assurance : «Protection of information systems against unauthorized access to or modification of information whether in storage, processing or transit, and against the denial of service to authorized users, including those measures necessary to detect, document, and counter such threats (NSTISSI 4009, August, 1997) 3». For the field or discipline considered in the study, priority has been put upon the courses related to Information Security for which the core are cryptography but not exclusively. Legal and management courses have been considered but if they were in direct relation to security management security. Cryptography imparts confidentiality, integrity and authentication to all forms of electronic communication 4. Categories of institutions and level of university degree The level of diplomas in the survey has been the yearly courses in these matters at each level of the Higher Education Institutions (Licence, Master, Doctorate) including diplomas of specialised public institutions such Public School of Engineers, Law and Management faculties involved in special courses of Information Security. Information on Continuing Education (refreshing courses) has however been included in the study when the informaton was available and delivered by the institutions identified in the survey and in relation to the core competence of information security 5. As some courses represent only a part of the degree, it has been proposed for the study to consider the number of teaching hours above 50 hours-specialized. The courses have been identified by contacting the ministry of Education and the websites of universities. A file has been filled for each course identified according the format presented in the annex. It was suggested to use the European Credit Transfer System (ECTS) but the data collected in each country survey do not allow for comparison under this credit definition. Only some institutions were able to do the conversion from their system of credit or points to the ECTS. 2 Communication from the Commission to the Council, the European Parliament, the European Economic and Social Committee and the Committee of the Regions, June 200, Network and Information Security: Proposal for A European Policy Approach, June 6, 2001, COM (2001) 298 Final. In English : 3 National Colloquium for Information Systems Security Education, section Concepts. Definition of Information Systems Security, See : 4 Bernard Clement, Laurent Beslay and Duncan Gilson, IPTS, Cyber-Security Issues, IPTS Report Special Issue: Aspects of Cyber- Security, Volume 57, September For instance in the UK survey, two universities delivered short courses (Royal Holloway, University of Essex). In most countries, the universities offer short courses on both technical and legal issues related to security information. OST Fondazione Rosselli, Final Report, january

7 The general results for the six countries The data of the survey The study covers six countries : Belgium, France, Germany, Greece, Italy and United-Kingdom. A survey report is presented for each country 6. The first part of the survey identifies the courses by institution, by domain/topics, by degree (undergraduate, graduate and module for certain countries), by number of hours per year. In this survey, 119 courses in the field of cybersecurity (over 50 hours/year) have been identified. Some institutions give courses at undergraduate level and graduate level. The second part aims to estimate the number of registered students, the diplomas, and the prerequisite to enter in the programs. The number of students for the year 2001 registered in theses courses is approximately 4 024, all disciplines considered. In the identified programs, the number of professors is approximately 440. In each country, the concentration of courses according to each main domains or topics is obvious, but a closer analysis of the contents of the courses would be necessary to allow for comparison. The results presented here come mainly from the short description of the courses on the universities and departments web sites. University courses, students registered, research units in cybersecurity Six countries, november 2002 University/ Institution courses (1) Student registered undergraduate or in module 2001 Total students registered 2001 (2) Reserch Units (3) Belgium 2 not applicable France Germany (module) Greece (module) Italy (module) United Kingdom (undergraduate) 195 (module) 243 (module post graduate) Total (60 %) Sources : Cybersecurity Survers OST/CFSSI and Fondazione Rosselli, November 2002 Note : the data in this table should be interpreted with caution, some of them are missing, so the total is only an estimate. (1) could include several times the same institution because of grade level. (2) the figures are approximative because data were not available for each program of courses included in the survey (3) These data included only the existing units of research linked directly to the courses surveyed. Concerning the continuing or refreshing courses in the surveyed university, the results indicate that these courses are important in the university curricula together with the longer courses. The criteria chosen to discriminate long courses from short ones are 50 hours/year. For the six countries in year 2001, (60 %) students were registered in coures by module or at undergraduate level As information security is becoming more and more important in the information society, many refreshing courses are provided in order to meet the increasing needs of skills and competences in cybersecurity. 6 The data must be interpreted with caution, because, some questionnaires were returned incomplete or the information was not available within the time-schedule of the study. The survey contains 27 distinct questions. OST Fondazione Rosselli, Final Report, january

8 This is why the surveys made in Belgium, Greece, Germany, Italy and UK include the courses/modules under 50 hours per year, which are important and diversified. Some results for these short courses are presented for five country in the annex. The survey for France does not cover these short courses. The last part of the survey is devoted to research in the higher education institutions. The objective is not to assess the quality of the on-going research but to identify the relationships, if any, between research domains and teaching programs. 89 research units were identified in a little more than a hundred universities and institutions. The figures presented in the two synthetic tables must be interpreted in the context of the respective education system. Curricula cannot be easily compared on the number of hours per year, without analysing the contents and the balance between long and short courses, domains or discipline and detailed comparaison between the contents of courses. The number of students varies between 20 and 80 by courses. The average number of hour per year and by degree level gives a more clear view of the situation. The courses by module have an average per year under 100 hour per year (Germany, Greece, Italy and UK); for the two countries with undergraduate courses, the average of hour by year is 500 hours. And the graduate level, the average hour of course per year is situated between 300 and 430 hours by year (Belgium excepted with 56 hours per year). The figures must be interpreted in the context of the respective education system. Curricula cannot be easily compared on the number of hours per year, without analysing the contents and the balance between long and short courses, domains or discipline and detailed comparaison between the contents of courses. Students per course and average hour / course, six countries Students by course Average hour per course Average hour per course undergraduate Average hour per course graduate Belgium France Germany 67 (postgraduate) 60 (module) (module) 300 Greece module Italy (undergraduate) 64 (module) 365 United Kingdom 48 (undergraduate) 40 (module) 70 (postgraduate) (module) 372 Sources : Cybersecurity Survers OST/CFSSI and Fondazione Rosselli, November 2002 Note : Only courses with comple data in the survey. The courses with 1200 hours and plus have been excluded (Italy:1 and UK: 5) In the six countries, there are many courses related to information security especially in the departments of mathematics and informatics. In some countries, new curricula provide education in topics covering the training needs not only in cryptography and networks security but also in other matters, such as legal aspects. But there are no courses on the management of security. OST Fondazione Rosselli, Final Report, january

9 In the universities where there is a concentration of competence and the existence of a research department, the courses are usually provided at the master level (graduate and over). A very small number of institutions really cover all the competence and skills required for the management of the information security, although the courses exist in the six countries and seem to meet this need. The survey does not assess the detailed programs and their adequacy to the actual and future needs in each country. Such an assessment would require more analyses and discussions with representatives of education authorities in each country and experts of the field for relevant conclusions. Belgium has reached a high level of research in the cybersecurity field, with many researchers involved in international groups 7 and a good level of dissemination of the cybersecurity issues in the university system, as shown by the large number of courses under 50 hours. The survey has pointed out the absence of both modules of more than 50 hours and research centers concerned with the legal and economic aspects of cybersecurity. France has recently put in place new specialized trainings and diplomas dealing with cyber security issues (covering computer science/mathematic fields) with four levels of diplomas (Licence, master/mastère within the écoles d ingénieurs, DESS and DEA). Most of the times, these courses are linked to research laboratories. But the number of both higher curricula and registered students are still low in cyber-security, especially in the computer science and science fields, even though the survey includes for France, compared to the other five countries more universities (19) : in legal aspects (4), management and economic intelligence (4), telecom and networks (8), security and civil protection (3), transport (1). The implementation of cyber-security courses in secondary education is under consideration. Germany has a very large spectrum of cybersecurity curricula. The research centers are involved in all the different issues related to Informaton Security not only from a scientific and technical point of view but also from a legal and management one. There is a focus on the items related to the electronic transactions (such as e-banking, e-finance). The trend is to create post graduate degrees (MSc, MBA, LL.M) connected to IT security. There is a good diffusion of the cybersecurity issues in the university system. As in the other countries, there is a large number of courses (less than 50 hours long) which are not directly related to information security and a strong focus on e-commerce matters. Greece, both in terms of courses and research centers has reached a good level. There is a very good level of dissemination of the cyber security issue in the university system, as shown by the large number of courses (less than 50 hours long) held in the Greek Universities. As in Belgium, there is no complete degree concerned with technical, economic or legal aspects of cyber security. But the existing research centers are an opportunity to create a very interdisciplinary curriculum for university education. The results for Italy show a high level of knowledge and a good level of dissemination in the university system of the cybersecurity issues as shown by the large number of courses (less than 50 hours long) held in the Italian universities on cybersecurity. In the law and economy degree there are no specific courses to address the technical issues connected with cyber security aspects. This lack of training in interdisciplinary information technology security issues is a handicap for graduate students starting a postgraduate degree. 7 For example : New European Schemes for Signatures, Integrity, and Encryption, OST Fondazione Rosselli, Final Report, january

10 The level of the information technology education in the United Kingdom (UK) is very widespread in the scientific area, where great attention is given to technical aspects. A very high level has been reached by the research centers located in the UK. The legal aspect of the information technology (IT) security field has reached a good level. The research activity is related to the new threats and impacts of the use of new technologies. However there is a need to improve the management skills in cybersecurity to meet the growing demand of all sectors private or public for managers experts in IT issues. As in France, the technical courses are not yet sufficient to qualify managers able to cope with all the management aspects of the cybersecurity issues. As a general conclusion, more expertises and discussions from different point of view are needed to assess the situation of the six countries. The number of specific courses providing education in cybersecurity is important, but there is a lack of complete and comprehensive courses in this field. One of the objective of the study is to contribute to the second workshop organized by IPTS. This workshop will give the opportunity to discuss the results of this «first milestone» of universities curricula in cybersecurity. For this purpose, the next section proposes some guidelines and recommendations for discussion. OST Fondazione Rosselli, Final Report, january

11 Some observations and recommendations in conclusion of the study These conclusions are conditioned by the survey and difficulties to obtain total information in coherence with the Implementation Plan. They are inspired by some of the conclusions and observations on the strengths and weaknesses of cybersecurity curricula in each public higher education system presented in each country report. They need to be confronted with experts in the cybersecurity field. Statement concerning the survey results The survey led in the six European countries focused exclusively - as requested - on the curricula providing a minimum of 50 hours a year modules, thus eliminating very short curricula and/or continuous education. Results show that three types of courses coexist: a) complete courses related to the core skills of system of information security for professional qualification; b) shorter courses for a general overview of security issues; c) continuous training. Continuous education aims at both refresh the knowledge of professionals and increase the awareness of other working staff on the ISS issues. The different levels in training imply an adequate approach according to the public. Recommendations concerning national authorities First, and whatever the type of training, there is a need : 1 To adopt a real interdisciplinary approach : the system of information security requires a variety of highly specialised skills, which are used in a variety of sectors and at different levels of responsibilities. This recommendation matches the conclusions of the first workshop organised by IPTS. Relying on the knowledge of the techniques used in computer sciences (program, protocols, network), efforts must also be made : 2 To foster other scientific aspects of security, certainly mathematics especially for cryptology, but also legal, commercial, management aspects; 3 And to promote the human and social sciences for a better understanding of security issues. Concerning the supply of education in Systems of Information Security (SIS) : 4 To take into account the specificity of the three types of courses: awareness, professional and technical skills, continuous education. 5 To provide basic information on the Systems of Information Security in the modules of informatics, management, law related to e-commerce, e-health, e- government. 6 To build bridges between long and specific courses and continuous education. OST Fondazione Rosselli, Final Report, january

12 Although continuous education is out of the scope of the survey, it is not quite clear what the concern of the public and the private sector is regarding the development of such education. The survey does not present a clear assessment of the situation because of a too small number of responses on this matter. However the survey conducted to the identification of a great number of courses, but under 50 hours per year, which was the indicator retained in the Implementation Plan. Nevertheless the conclusions of the first workshop in September 8 showed that e-government, e-health, e-commerce were domains which were very concerned with security issues and where awareness courses were considered as a priority in training programs. 7 To favour the mobility of students and training staff in cybersecurity. To rely on the existing research possibilities (fellowships) and on new information and communication technologies (e-learning). In the European programmes related to the information society, to favour the use of on line courses. 8 To allow students to complete their education in an industrial or research environment. 9 To facilitate access to specific fellowships with a European label on such topics. As a general conclusion, a national plan for the development of training in cybersecurity would be a way to meet the needs identified by the survey. In this respect, France, in the public sector, has set up a special center to develop the skills in cybersecurity on a permanent basis : the Institute in Information Security «Centre de formation à la sécurité des systèmes d information» (CFSSI) 9. Recommendations at the European level Three suggestions are made here to harmonize the various curricula in cybersecurity: 1 To elaborate specifications in Systems of Information Security for education and certified qualification. The specifications would specify the main elements and contents of curricula in cybersecurity. They would be established by the institutions in charge of certification, with a European label eventually. The NIST US model 10 could serve as a basis to define the requirements of academic education in cybersecurity. If such specifications had existed, they would have been of great help in this study to identify the relevant courses with objective criteria in cybersecurity Minutes of Cybersecurity Skills and Training Needs Workshop, Sevilla, September 16-17, 2002 Centre de formation à la sécurité des systèmes d information, Information Technology Security Training Requirements: A Role- and Performance-Based Model (supersedes NIST Spec. Pub ), April 1998, on the site : National Institute of Standards and Technology; This document describes in detail what should be a good complete course in Information Systems Security. OST Fondazione Rosselli, Final Report, january

13 In this respect, the recent set up of an Internet School («Ecole de l Internet») 11 in France has pointed out the difficulties of certification of a new curricula without precise references. It would be also recommended to use as soon as possible the ECTS 12 (European Community Course Credit Transfer System) to characterize the level and duration of education in this field. Without waiting for the creation of such a label and in the follow up of the surveys of this study, 2 To build a European data base of all the courses in cybersecurity, with better criteria for their identification. This data base would cover all the EU countries and would allow complementary information concerning the candidate countries. The data base would permit to have a record of the curricula in SIS, to disseminate reliable and comprehensive information on the existing curricula in Europe, and thus to facilitate students mobility, and also contribute to obtain recognition of the qualification in SIS by employers. In order to achieve the two previous recommendations at the European level, it is necessary 3 To set up a European correspondents network, specialised in education in cybersecurity, to determine how to share the skills, how to disseminate and possibly enhance these skills among the EU countries, with a special focus on the less favoured countries and the candidate countries Décret n , 25 avril 2002 relatif à la délivrance du label «école de l internet, Journal Officiel n 98, 26 avril 2002, et rectification, Journal Officiel, n 104, 4 mai It has been difficult to use the European Community Course Credit Transfer System (ECTS) as mean of discriminate the courses with the minimum level of hours by year required to be part of the survey. OST Fondazione Rosselli, Final Report, january

14 Cybersecurity curricula in universities by country Belgium Methodology of the survey The collection of the required information was done firstly by consulting the online study programs guide of all the Belgian universities, mainly focusing on the programs of the faculties of law, engineering, applied economics and science (especially the departments of mathematics). For each area every degree level offered by the faculty has been evaluated. In the absence of a degree, master or PhD concerned with cybersecurity, the research area has been included in the relevant modules. The missing information (mainly starting date and number of students) has been requested directly from the professors, by 13 or phone. Description of Belgian Higher Education System University education provides theoretical training for managerial staff responsible for research, conception and application of knowledge. It is offered at different levels: basic academic courses and advanced academic courses 14. The basic academic courses are divided into two cycles: a first cycle of 2 or 3 years and a second cycle of 2, 3 or 4 years. The first cycle of basic academic education leads to the intermediate academic degree of candidate (kandidaat). There are no Belgian Universities offering complete degree, concerned with cybersecurity in the undergraduate or postgraduate level. There are only two modules (each with more than 50 hours courses 15 ) which address aspects of Information and Communication Systems Security. There are several other courses concerned with legal, economic and technical aspects of cybersecurity, but with less than 50 hours. Main findings of the survey The relevant universities modules in Belgium are concerned with technical/scientific aspects in particular with: Intrusion Detection courses (Séminaire de détection d intrusions) held in the Electrical Engineering and Computer Science and Development of Secure software, held in the Computer Science. These courses are both included in a undergraduate level. The main indicators Year of opening, hours, credits As shown in the following table, the two relevant courses started in 2000/2001. They give a number of study point from 4 to Only two courses match the criterium of more than 50 hours. We have sent 27 s and received 17 answers. 24 forms were fully completed and 10 forms were incomplete (lack ofinformation). E.g. teacher training, doctoral programmes and post-academic programmes. University education is divided into study years of a minimum of 1,500 and a maximum of 1,800 hours of tuition or other study activities. There are several courses (Annex 2) with less than 50 hours which address aspects and issues concerned with cybersecurity. OST Fondazione Rosselli, Final Report, january

15 Table of courses/diploma Belgium University Faculty/Department Title of the course/module Diploma Université de Liege Katholieke Universiteit Leuven Dept. of Electrical Engineering and Computer Science Computer Science Séminaire de détection d intrusions Development of Secure Software Year of opening Number of hours per year Credits 16 Professors Source : Fondazione Rosselli, University Curricula Survey, november Students There are many students in the course called Development of Secure Software, but the number of registered students for the year 2001/2002 has dropped down.. Concerning the second module, the number of registered students is low with a downward trend. Table of students Belgium University Faculty/Department Title of the course/module diploma Katholieke Universiteit Leuven Katholieke Universiteit Leuven Computer Science Electrical Engineering Development of Secure Software Cryptography and Network Security Number of student registered Number of degree/courses delivered NA NA Source : Fondazione Rosselli, University Curricula Survey, november The research centers The most important research groups are listed in the following table. COSIC and the UCL Crypto Group are among the largest research groups in Europe. The know-how of DistriNet is the basis of Ubizen, a spin-off company that specializes in secure e-business and related security services. Some faculties have a research group doing research in the field of the juridical aspects of cybersecurity, focusing in particular in the interconnected aspects of high tech and law. 16 The volume of study for each year is expressed in terms of study-points and corresponds to 60 study-points per year. One study-point corresponds to 25 to 30 hours of study. OST Fondazione Rosselli, Final Report, january

16 There is no research centers involved in business and economic aspects of IT security management. Table of research centers Belgium City Name of the research center /PhD Topics/domain of the research activity Katholieke Universiteit Leuven Computer Security and Industrial Cryptography Cryptography, Computer Security, Network Security Number of researchers Université Catholique de Louvain Crypto Group Cryptology, Smart Cards 19 Katholieke Universiteit Leuven DistriNet Distributed Systems, Software Security Université Libre de Bruxelles Cryptography and System Security Service Cryptography, Computer Security Katholieke Universiteit Leuven Faculties Universitaires Notre- Dame de la Paix à Namur Université Libre de Bruxelles Faculties Universitaires Notre- Dame de la Paix à Namur Interdisciplinary Centre for Law and Information Technology Information Technology Law 7 Research Center for Computer and Law Computer Law 5 Centre de droit de l'information et de la communication Computer Law 3 Networks and Security Network Security 2 Source : Fondazione Rosselli, University Curricula Survey, november Conclusions for Belgium Strengths High level of research: the number of research centers (offering a very large number of courses with less than 50 hours) and the contents of the research field show the high level of knowledge reached in Belgium. Level of dissemination: there is a very good level of diffusion in the university system of the cybersecurity issue, as shown by the large number of courses (with less than 50 hours ) held in the Belgian Universities 17. Weaknesses Absence of a complete degree with technical, economic or legal aspects of cybersecurity. As seen in the section concerning research centers, Belgium has all the possibilities and the capacities to create such a curriculum in university education. Absence of modules of more than 50 hours courses and research centers concerned with legal and economic aspects of cybersecurity. 17 There are several types of courses on cybersecurity, all with a different emphasis on the topic: a) Legal aspects of cybersecurity (legal value of an electronic signature, privacy regulations and cybercrime law); b) Mathematical aspects of cryptographic algorithms (discrete mathematics, number theory, finit fields and elliptic curves); c) Information security (applied cryptography, network security, computer security). The faculties of economics also teach some (less technical) courses on cybersecurity, mainly as part of the Commercial Engineering programme, such as Security of Information Systems, Auditing of Information Systems, Auditing, security, privacy and ethical problems, but there are no courses on risk management and economic aspects of cybersecurity. The most technical courses are mainly taught at the Katholieke Universiteit Leuven and Université Catholique de Louvain, because they do a lot of research on cybersecurity. OST Fondazione Rosselli, Final Report, january

17 France Methodology To identify all the courses related to the Systems of Information Security 18 (SIS), a query has been applied to the appropriate Direction of the Ministry of Education to provide a list of the existing curricula. Although the database available at the ministry does not identify the term or expression «system of security» as criteria of selection for university program 19, the representatives of the Ministry were able to identify 63 programs related to this matter 20. The programs directly related to the theme of system of security information were selected and a questionnaire was sent to 31 institutions 21. Step 1 To determine the target of the French survey, two sources were used : - the database of the Ministère de la Jeunesse, de l Éducation nationale et de la Recherche for diplomas delivered by the French universities. Using the keyword security, a list of 63 diplomas was established. - the complete Liste des écoles habilitées à délivrer un titre d ingénieur diplômé (75 pages, Bulletin officiel du ministère de l Éducation nationale et de la Recherche, n 2 du 14 mars 2002) 22 Step 2 Diplomas were used to identify the teams working in the field of cyber-security: - 29 diplomas from the university database were selected. Curricula about food security, occupational safety, safety of the goods and the people were eliminated, as being out of the scope of the study. 3 «grandes écoles» with a specialization in cyber-security were also selected. - The criteria was a minimum of 50 hours on cyber-security (in its largest acceptance). Web sites of the targeted curricula were very well documented with detailed information concerning the courses and address of the person in charge of the curriculum. Step 3 The survey format (see annex) was then sent to the correspondents by with an electronic questionnaire (in both PDF and Word format) to the persons in charge of the curriculum, with a description of the scope of the study, at the end of October, with a two weeks deadline for return. The survey was eventually completed by phone calls In english the usual term is Systems of Information Security (SIS) or Information Systems Security (ISS), the equivalent in French is «Sécurité des Systèmes d Information -SSI». See in Annex a comparison of the terms in USA and at the European Commission. Site of the «annuaire» on the web site of the Ministry, see : Ministère de l Education nationale, Sous-direction des certifications supérieures et de la professionnalisation, Bureau des formations universitaires et technologiques, DES A 10, Mme Christine Coutarel. A list of these institutions appeared in Annex France. The themes related to security of transport, food security, industrial security have been excluded of the survey Journal Officiel n 39 du 15 février 2002 page 2984 ; Arrêté du 11 janvier 2002 fixant la liste des écoles habilitées à délivrer un titre d ingénieur diplomé, NOR: MENS A OST Fondazione Rosselli, Final Report, january

18 Step 4 12 questionnaires which were in the scope of the study were returned mainly in electronic mail, one by fax. Only three curricula identified by the team-project as pertinent for the study did not answer and therefore are not included in the study : a DESS from the university of Toulon due to an error, a DEA in Toulouse due to a anti-spam software which kept rejecting the message and a DEA Algorithmique in Paris (5 students per year) dealing with cryptography as an option (co-managed by the École polytechnique, E.N.S.Ulm, E.N.S.Cachan, E.N.S.T., Universités Paris VI, Paris VII, Paris-Sud, with I.N.R.I.A.and E.N.S.T.A. and the Écoles doctorales EDITE (UPMC), Jussieu-Chevaleret, ENS-Cachan and Paris-Sud. Except for these three diplomas, the data collected give a complete view of cyber-security curricula in France in Description of French Higher Education System In France higher education is composed of (public) universities and schools of engineers named «grandes écoles». Accreditation for each programme is delivered by the Ministry of Education 23 for universities and by a special Commission 24 for the schools of engineers. In the universities, there are four levels of diplomas after high school (baccalaureate is delivered after college or «lycée»): «licence, maîtrise, diplôme d étude spécialisée DESS, diplôme étude approfondies (DEA) and master in the school of engineers or «grandes écoles». Since the adoption of the European Community Course Credit Transfer System (ECTS), these diplomas could be classified in the following way: Graduate level offered Survey Survey / answers Up to three years (Licence) Licence 4 2 Up to five Years (Master) DESS / Title of engineer/ 20 6 Above five years : 1 - Specialized Master Specialized Master/DEA 7 4 Above five years : 2 - Doctorate Doctorate Source : Survey CFSSI/OST, November Ministère de l Education nationale, Sous-direction des certifications supérieures et de la professionnalisation. 24 Ministère de l Education nationale, Direction de l enseignement supérieur, Greffe de la commission des titres d ingénieurs, Bulletin officiel N 2, 14 mars 2002, numéro hors-série, Liste des écoles habilitées à délivrer un titre d ingénieur diplômé, p Arrêté. du JO du , NOR : MENS A, RLR : : OST Fondazione Rosselli, Final Report, january

19 Results of the survey Diplomas in the cybersecurity : 4 different curricula types of diplomas are identified: Licence professionnelle Nantes : Administration et sécurité des réseaux Tours : Sécurité et Qualité en Télécommunications ; the field of these curricula is network security DESS (Diplôme d études supérieures spécialisées): Bordeaux : Codes, Cryptologie, Sécurité Informatique Grenoble : Cryptologie, Sécurité et Codage de l Information Limoges : Sécurité de l Information UT Troyes : Sécurité des Systèmes d'information Toulon : Sécurité des Systèmes d'information Paris 1 : Droit de l Internet Administration Entreprises These 6 curricula deal with what is called in France, information systems security: Two of them are specialized in cryptography and code theory. One curriculum deals with law and offers courses dedicated to the technical comprehension of the cyberworld and cyber-security. Écoles d Ingénieurs ENST Bretagne Rennes, Supélec : Mastère spécialisé en sécurité des systèmes d information ENST Paris : Mastère spécialisé en Sécurité des systèmes informatiques et des réseaux ENSI Bourges : Master of Science sécurité Informatique ENSI Bourges : Filière MRI (Maîtrise des Risques Industriels), Option Systèmes et Informatique (SI) en 3ème année Cybersecurity is a specialization course at the end of the curriculum. Although the names differ, the field covered by the Grandes Ecoles is the same (information systems security). DESS and master curricula are rather complete. For example, see the program master de Rennes in annex. DEA (Diplôme d Etudes Approfondies) Limoges : DEA de Mathématiques Toulouse : DEA Programmation, Sécurité Paris (Ecole Normale Supérieure) : DEA de cryptographie Ecole doctorale Informatique, Télécommunications, Electronique de Paris, DEA Algorithmique The pre-doctorate courses (DEA) are more mathematical and dedicated to cryptography and coding theory in computer science.number of hours per year From 400 to 500 hours except for the specialized courses at the Ecole d Ingénieur de Bourges (72 hours) and the DEA de Limoges (170 hours), if we consider the 4 different curricula (Licence, DESS, DEA, école d ingénieur). Because the diplomas are national, the number of hours is the same all over France. Number of qualified professors There are very few professors (from 2 to 3) devoted to these curricula (see table). The rest comes from other curricula (redeployment). Cyber-security courses are often under the responsibility of professors who are involved (doing research for example) in that field. OST Fondazione Rosselli, Final Report, january

20 University Grande Ecole (1) Université de Bordeaux I UFR de Mathématiques Informatique Université Joseph Fourier et INPG, Grenoble I Université de Toulon et du Var Université de Limoges Table of title course France Faculty/Department Title of the course/diploma Year of opening UFR Mathématiques (UJF), ENSIMAG et Département Télécommunications (INPG) Faculté des sciences et des techiques Faculté des Sciences et Techniques, Mathématiques- Informatique DESS Codes, Cryptologie, Sécurité Informatique (CCSI) DESS Cryptologie, Sécurité et Codage de l Information DESS Sécurité des systèmes d information DESS Sécurité de l Information Université de Nantes IUT informatique Licence professionnelle des métiers de l'informatique Option1: Développement d'applications réparties Université de Tours Université de Technologie de Troyes Université Paris-I Panthéon-Sorbonne Ecole Nationale Supérieure des Télécommunicatios Rennes, SUPELEC Ecole nationale supérieure des télécommunications, ENST, Paris Faculté de Sciences et Techniques Informatique UFR Administration des entreprises Département Réseaux et Services Multimédia Campus de Rennes ENST Ecole Nationale Filière MRI (Maîtrise des Supérieure des Ingénieurs Risques Industriels), de Bourges ENSI Université de Limoges Ecole doctorale Informatique, Télécommunications; Electronique, Paris+ Faculté des Sciences et Techniques 4 établissements, Univ. Paris VI, Paris VII, Paris Sud, ENS Licence Professionnelle Sécurité et Qualité en Télécommunications DESS Sécurité des Systèmes d'information DESS Droit de l internet Administration Entreprises Mastère Spécialisé en Sécurité des Systèmes d Information (co-délivré avec Supélec) Mastère spécialisé en Sécurité des systèmes informatiques et des réseaux Diplôme d ingénieurs Option Systèmes et Informatique (SI) en 3ème année DEA Cryptographie, Codage, Calcul Number of hours per year Credits (ECST) Professors in head count 2001/ /09/ n.d. 01/09/ (option 1) ECTS n. d (enseignants et industriels) 01/09/ n. d permanents DEA Algorithmique n.d. n. d; Source : CFSSI/OST survey, november 2002 (1) only the surveys received. (others courses have been surveyed but no answers were received, see annex for the 31 courses identified (legal, security and civil protection, intelligence management ). Number of students graduate by year Except for the ENST in Paris (1990) and the DEA in Limoges (1987), all these curricula are very recent. For 2001, an average of 20 students and a total of 163 students attended these courses. Most of the students end up with the final diploma. OST Fondazione Rosselli, Final Report, january

21 PhDs on cybersecurity (number in the institution) Only one response was exploitable: 5 PhDs in Limoges. There are some PhDs from the DEA algorithmique (2 or 3 per year) and some at Ecole polytechnique and INRIA, but they are outside of the scope of the survey. Skills requirements Skills requirements (pre-requisite degree) to access to this degree (technology, legal, economy...) Except for the DESS Droit de l Internet, required field is mathematics or/and computer science. The DESS Droit de l Internet is open to law and political science profiles. Table of students France University / School Faculty or Department unit Title of diploma Student 2001 Université de Bordeaux UFR de Mathématiques Informatique Université Joseph Fourier et INPG, Grenoble Université de Toulon et du Var Université de Limoges Université de Nantes Université de Tours Université de Technologie de Troyes Université Paris-I Panthéon-Sorbonne Ecole Nationale Supérieure des Télécommunications de Bretagne, RENNES, ENST BRETAGNE, SUPELEC Ecole nationale supérieure des télécommunications, ENST Ecole Nationale Supérieure des Ingénieurs de Bourges ENSI Université de Limoges UFR Mathématiques (UJF), ENSIMAG et Département Télécommunications (INPG) Faculté des sciences et des techiques Faculté des Sciences et Techniques, Mathématiques- Informatique IUT informatique, Option1: Développement d'applications réparties Option2: Administration et sécurité des réseaux Faculté de Sciences et Techniques Informatique UFR Administration des entreprises Département Réseaux et Services Multimédia ENST Bretagne, Campus de Rennes Filière MRI (Maîtrise des Risques Industriels) Option Systèmes et Informatique (SI) en 3ème année Faculté des Sciences et Techniques Source : CFSSI/OST survey, november 2002 (1) year 2002 not available DESS Codes, Cryptologie, Sécurité Informatique (CCSI) DESS Cryptologie, Sécurité et Codage de l Information DESS Sécurité des systèmes d information Student 2002 Diplomas 2000 diplômes 2001 (1) n.d. 15 n.d. n.d. n.d. DESS Sécurité de l Information n.d. Licence professionnelle des métiers de l'informatique Licence Professionnelle Sécurité et Qualité en Télécommunications DESS Sécurité des Systèmes d'information DESS Droit de l internet Administration Entreprises Mastère Spécialisé en Sécurité des Systèmes d Information (co-délivré avec Supélec) Mastère spécialisé en Sécurité des systèmes informatiques et des réseaux n. d Diplôme d ingénieurs en cours DEA Cryptographie, Codage, Calcul OST Fondazione Rosselli, Final Report, january

22 Devoted departments in related research 6/11 institutions (for which an electronic survey has been received) have a department of related research, mainly in mathematics/cryptography. The research teams are very small (7 or less researchers). Table of research centers - France University/City (2) Name of the research center Topics/domain of the research activity Université de Bordeaux I Laboratoire A2X Algorithmique en théorie des nombres Codes correcteurs d erreurs Number of researchers 7 GRENOBLE Institut Fourier : laboratoire de Mathématiques UJF/CNRS Cryptologie, aspects relations internationales. 4 Université de LIMOGES LACO UMR CNRS 6090 Cryptologie et codage 10 (5 Doctorat/Ph D) Université de TOURS M. Georges Constantinescu Sécurité des Système d informations, Management des Risques 1 Ecole d'ingénieur : RENNES ENST BRETAGNE, SUPELEC ARMOR, projet de recherche commun à l IRISA et au département RSM de l ENST Bretagne Sécurité des réseaux : - sécurité des réseaux à haut débit - détection d intrusion 4 Ecole d'ingénieur : PARIS, ENST Département Informatique et réseaux Sécurité des systèmes d information, Sécurité des réseaux (sans fil, réseaux sdhoc,..), polotique de sécurité, Cryptologie N. D Ecole Normale supérieure, Paris (1) Département d informatique Complexité et cryptographie Goupe de recherche en complexité Théorie des réseaux et et cryptographie 25 communications 7 Source : CFSSI/OST survey, november 2002 (1) no answer to the survey, information from the website. (2) this list of unit of research is incomplete. See annex of institution for France. Continuing education In terms of continuing education, most of the institution offer refreshing courses or a training in entreprise or public organisation for a period of a minimum of 12 weeks to a maximum of 24 weeks. And it exists an association since 1984 Club de la sécurité des systémes d information français 26 to stimulate the exchanges of experiences, the analysis of the state of art of systems of information security, promote the information security and the integration of courses in the education system. Industries profiles of employed graduates Except for DEA: engineer-consultant in security technologies, Engineer of research. Person in charge of information systems, computer administrators of systems and networks, persons in charge of computer security. Particular techniques as the smart card are quoted. The DEAs are specialized in the training of future researchers in cryptography and computer security (public or semi-public research) Département d informatique, Ecole normale supérieure Paris, informations on the page of director : Club de la sécurité des systèmes d information français : OST Fondazione Rosselli, Final Report, january

23 European Credit Transfer System The average is of 60 ECTS/year. Conclusions of the survey for France Strengths of the French Higher Education System in cybersecurity During the period , there were few curricula in cyber security (three DEA and a mastère at ENST, Paris). Recently, new specialized trainings and diplomas dealing with this subject have been set up. There are currently four levels of diplomas (Licence, master/mastère within the écoles d ingénieurs, DESS and DEA) with a good coverage of the cyber security issues, in higher education institutions all over France. These curricula (except for a curriculum focusing on the legal environment of the Internet) cover the computer science/mathematics field, with coherent and comprehensive courses. After the completion of these courses and related practical training, students are considered as experts in the field and face no employment difficulties. The majority of these curricula are linked to the research centers in the field and some are also providing continuous training. Information on the different Web sites is complete and very well documented. There is, nevertheless, a need for a unique web site presenting all the French curricula on the subject. This web site will be set up after this study. One of the last accredited program in Rennes the «mastère sécurité des systèmes d information (SSI) +» associates two Grandes écoles with the expertise of a company (AQL) implied in cyber-security (evaluation and expertise). Weaknesses The number of French higher curricula in cyber-security remains weak, and so is the number of registered students. There are many possible explanations for this situation: lack of qualified teachers, lack of academic recognition of cyber-security (note that cyber-security as such is not a keyword for consultation of HEI diplomas) pre-requisite in computer science and/or mathematics, The existing courses in cyber-security are often due to personal initiative of teaching staff. Higher education in computer science and telecommunications do not address cyber-security issues mainly because of the lack of qualified teachers. The number of courses devoted to these subjects and the associated techniques (in particular cryptology) is therefore low Less technical curricula dealing mainly with economic intelligence and defense matters or law have been excluded of the study. The introduction of cyber-security courses in secondary education is under consideration (such as for example cyber-ethics in civic education, data-processing threats in computer practice, theory of numbers for cryptology in mathematics classes, etc.). French cyber-security curricula should be set up in close relationships with other European curricula and networks. Note that there are very few foreign students who attend French courses on cyber security. OST Fondazione Rosselli, Final Report, january

24 Germany 1) Science (computer science, mathematics, engineering): State of the art: The IT education in the scientific area is more widespread than in the other covered areas. The relevant modules are run by the faculty of mathematics and computer science, and not all of them fulfil one of the main indicators used, namely the number of hours. Moreover there are some degree courses which are totally focused on all the aspects of the IT security 27. The relevant areas are: a) Data access: the main topic is cryptology which combines cryptography, cryptoanalysis and theory of codification 28. The modules related to the mentioned issues only involve strictly technical issues, supplying a complete knowledge in the cryptographic area. Generally speaking, these modules are longer than 50 hours, and provide students both with a description of the methods of encryption, decryption, and their use in the communications protocols, and with a knowledge on the decryption of messages and the analysis of cryptographycs protocols by unauthorised listeners. b) Data protection /e-commerce: security of data, IT security, security in the communication networks, dependability and vulnerability, hackers viruses and worms. The modules related to these aspects of the IT security are not compulsory but optional. Issues are taught in seminars whose length is shorter than 50 hours. In some cases, they also provide for some legal aspects such as computer crime legislation, and some management aspects concerning the IT relevant incidents in organisations and enterprises, security and safety issues and policies. Finally they all concern the protection of data stored into the internet, the protection of networks and the technical aspects related to e-commerce and the threats to its security. Interesting are the Diplom-ingenieur in IT security 29 and the Master on Information Engineering 30. The former is a postgraduate degree in engineering with a specialisation in IT security and aims to educate specialists for the security of information technology. It is opened to the graduates of the faculties of electrical and information engineering, mathematics, economics, law and medicine, and it provides for a variety of modules related to cryptography, its foundations and applications, technical data security in communication networks and network security. The latter aims to provide a practical education in data and content management as well as profound understanding of underlying theoretical concepts and strategies enabling the students to deal with transmission, exchange, indexing, coding, authentication and concept analysis of information. It provides for a variety of modules concerning cryptography, coding and networks. Education needs: what should be improved is the variety of modules and courses offered, and their lengths. Students should be provided with a more specific and deeper knowledge in the area of data protection and security, and network security. Moreover more legal and management information should be supplied in order to allow students to have a more global See the the Diplom-ingenieur in IT security run by the Ruhr University of Bochum. Munich, Cryptogrphy, Mannheim, Cryptography, Mains, Cryptology and cryptography, Kiel, Cryptography. Ruhr University of Bochum, opened in the academic years 2000/2001. University of Osnabruck together with the University of Twente in the Netherlands. OST Fondazione Rosselli, Final Report, january

25 understanding in the area of IT security, thus creating more interdisciplinary courses. Finally it would be necessary to open new postgraduate degree courses entirely specialised in the area of IT security 31. 2) Management/business: State of the art: Most of the modules taught in the management/business faculties concern the e-commerce in all its aspects, including all the security issues, such as digital signature, data protection, e-payments, privacy, e-business, hacking and security in general. Modules last from 30 to about 64 hours, and are all optional. There are just a few modules/courses related to the information flows and its management and to the IT management policies such as the evaluation of the amount of investment for the IT security within the enterprises 32. They cover issues such as security information, management of strategic information, security risk management, law and regulation of information security, even if the relevant modules are not compulsory. These courses teach the way of dealing with sensitive data. At the postgraduate level there are some specialised courses related to e-commerce and IT security 33. They all concern the different aspects of e-business, including the IT security issues, the e-commerce and the management of IT, and some of them offer an international program in the interdisciplinary field of technology and management. They teach how to manage High Tech and prepare students for future leadership positions in enterprises. Education needs: It is necessary to increase the number of modules and courses and to extend the teaching concerning the IT security in order to provide students with the knowledge generally required by enterprises. In particular it is necessary to focus on some areas where the IT education is lacking. Furthermore enterprises more often require personnel who is able to understand their IT security needs and who has the capacity of deciding how to improve them. It means that managers should also have a technical knowledge which enable them to understand and evaluate the technical faults existing in the IT security organisation. 3) Law: State of the art: Universities provide, at the undergraduate level, for some optional modules which relate to digital signatures, internet law in general, data protection in relation to contracts concluded through the internet, internet security and cyberlaw, problems created by the e-business. Some of these modules are also involved on cybercrime. Generally speaking modules are run for no more than 30 hours. There are some modules which have an increasing level of closer examination 34 : they start with general concepts connected with computer science law, and little by little introduce new concepts, thus giving an overview of topics such as IT systems architecture, databases security, systems management of IT projects In fact, as it has already been explained in the part concerning the German education system, only recently postgraduate courses have been opened thus standardizing the German systems with the emerging trend in Europe. See the University of Herdecke where there is a module called "Institute controlling und Information Management; the University of Saarbruecken where there are a Bachelor and a Master in Information systems; Univerity of Ilmenau where there is a Diplom in Business Informatics. See the University of Cologne where there is an MBA in Global management, and the consortium of the two Universities of Munich which run a Master in Digital Technology and Management. E.g., University of Munich, Faculty of Law, Computer Science Law. Universities also provide for some modules which give a general technical knowledge on the use of computers, the creation of databases and juridical informatics, but which are not involved in any IT security issues. OST Fondazione Rosselli, Final Report, january

26 Among the postgraduate courses the one which seems to be interesting is the LL.M in European Informatics study program 36 which concerns the protection and the security of data, the e-business and the cybercrime. It also requires students to spend some time in a laboratory where they study the application of law to the new technologies. It aims to improve the knowledge in the field of the juridical informatics. This is a very good example of combination of two different and strategic disciplines related to IT security: Law and High Tech. Education needs: It is necessary, also in this case, to increase the number of modules and courses and their lengths, and to supply a more technical knowledge in order to allow students to have a more general overview of all the issues related to IT security. The courses should aim to supply students with those knowledge which will enable them to understand in general all the problems related to the application of new technologies, and in particular when and how a cybercrime occurs, how data can be accessed, how a digital signatures can be forged, which are the limits and the risks of e-transactions and e-payments, and which are the best solutions that can be adopted by the legislative body in order to afford and limit the risks created by the new technologies. The main indicators Year of opening, hours, credits. All the courses have been opened between the late '90 and the last two years. In particular the postgraduate degrees have recently been created thus standardizing the German systems with the emerging trend in Europe. Table of courses/diploma - Germany University Faculty/Department Title of the course/modulediploma University of Illmenau University of Saarbruechen University of Bochum University of Hannover University of Munchen University of Saarbruechen Economic Computer Science Faculty of Economics Dept Electronics & Informatics Undergraduate Diplom Management of Strategic Information Bachelor of Information System (3 years) Postgraduate Diplom in Information Technique Security Dept of Computer Science European Legal Informatics Study Program Center for Digital Technology and Management Faculty of Economics Digitaland Tecnology Manager Master in Information System (3 years) Year of opening NA Number of hours per year 9 semesters (including 1 for Thesis) Credits Professors NA semester 183 NA semesters (including 1 for Thesis) NA NA NA NA NA 36 University of Hannover. OST Fondazione Rosselli, Final Report, january

27 Modules University of Munchen University of Mannheim University of Ilmenau University of Koeln University of Kiel University of Mainz University of Haachen University of Kaiserlauten University of Magdeburg University of Kiel University of Leipzig University of Kiel University of Koeln Institute of Mathematics Einfuhrung in die Kryptographie Computer Science Criptography Inst. Wirtschafts informatik Dep. Wirtshafts Informatik Computer Science and applied Math. Mathematics Computer scinece school IV Rechts Informatik und Medienrecht NA Internet security in head count Criptography in head count Criptology and Criptography Security in communications network lab NA lab NA 1 Lehrstuhl Fur Marketing International e-business Inst. Fur Verteilte Systeme Data security Osteuropaisches Recht Recht der neuen medien Inst. Jugendschutz und Strafrecht der Medien Dep. Informatics and Informatic engeeniring Global e-management MBA Medien und Wirtschaft Strafrecht Netz Werksicherheit Internet security Source : Fondazione Rosselli, University Curricula Survey, november It has not been possible to indicate the number of students who passed the exams of all the analysed modules, but only for some of them. Table of students - Germany University Faculty/Department Title of the course/module/ diploma Undergraduate Ilmenau Inst. Wirtschafts informatik Rechts Informatik und Medienrecht University of Saarbruechen Faculty of Economics Bachelor of Information System (3 years) University of Bochum Dept Electronics & Informatics Postgraduate Diplom in Information Technique Security University of Hannover Dept of Computer Science European Legal Informatics Study Program University of Munchen Center for Digital Technology and Management Digitaland Tecnology Manager University of Saarbruechen Faculty of Economics Master in Information System (3 years) Number of student registered Number of degree/courses delivered 2 2 NA NA NA NA OST Fondazione Rosselli, Final Report, january

28 Modules University of Munchen Institute of Mathematics Einfuhrung in die Kryptographie NA University of Mannheim Computer Science Criptography NA 200 NA NA University of Ilmenau Inst. Wirtschafts informatik Rechts Informatik und Medienrecht 2 2 NA NA University of Koeln Dep. Wirtshafts Informatik Internet security NA NA University of Kiel Computer Science and applied Math. Criptography NA NA University of Mainz Mathematics Criptology and Criptography NA NA University of Haachen Computer science school IV Security in communications network University of Kaiserlauten Lehrstuhl Fur Marketing International e-business NA NA University of Magdeburg Inst. Fur Verteilte Systeme Data security NA NA University of Kiel Osteuropaisches Recht Recht der neuen medien NA NA University of Leipzig Inst. Jugendschutz und Strafrecht der Medien Medien und Wirtschaft Strafrecht NA NA University of Kiel University of Koeln Dep. Informatics and Informatic engeeniring Global e-management MBA Netz Werksicherheit NA NA Internet security NA 381 NA NA Source : Fondazione Rosselli, University Curricula Survey, november German research centres In Germany there are many research centres widespread in all the territory. Many of them focus their attention on the internet law in general, and in particular on issues concerning the aspects of the information technology in the legal systems, both with reference to the German law, the International law and the Community law. The main topics concern the law on data protection and on data security, and cybercrime. Some of them are connected with other European universities and carry out research projects in collaboration with them. Interesting seems to be the Institute of Computer Science Law in Saarbruchen where researchers focus their attention also on cyber banking law. The analysis has showed that there is a great number of law research centers (more than in the other countries). That means that an increasing attention is paid to the legal problems, risks and threats created by the new technologies. Each school of computing has at least one research centre which is involved in the security of data. The main topics concern internet governance and cryptography, computer communications security, complexity theory, risks for security and security mechanisms in internet. Also the management area is the object of some research projects which relate to the controlling of information systems, digital technology and management, cyberlaw and e-business problems. In particular, also in this case, researchers are in some cases involved in E-banking 37 and E-finance 38 An interesting aspect of the research organisation in Germany is that, differently from other European countries, research projects involve also students University of Frankfurt, E-commerce Institute. University of Koblenz, E-commerce Institute. OST Fondazione Rosselli, Final Report, january

29 City/University University of Mannheim Table of research centers - Germany Name of the research center /PhD Theoretical Information science and Technology Dept Topics/domain of the research activity Cryptography, Cryptography, Computer and Communication Security, E- commerce designs for anonymous transactions University of Magdeburg System Sharing Institute Security and protection of data in Internet University of Koeln University of Rostock University of University of Haachen University of Ilmenau Department Wirtschetsinformatik Computer Science Technical Institute Computer Science School IV Fachgebiet Informations Management Informations Systems Controlling, IT Controlling Transmission Systems and E-commerce security Anonymity Protocols, Intrusion Detection Informations Management, Information Security Number of researchers 3 researchers 2 assistants 1 technician 1 professor 8 assistants 7 research students 2 researchers 5 assisstants 1 researcher 16 assistants University of Kaiserlauten Fachbereich I/MST Security Aspects in Web 2/3 University of Munchen E-Lab Digital Technology and Management University of Koblenz E-commerce Institute E-business, E-finance, Internet and Law 20 NA NA 2 researcher 9 assistants University of Koeln WHU Insitute E-business, e-contracts 1 researcher 8 assistants University of Freiburg Dep Softech Freiburg Applications of Formal Methods to IT Security, Computer Security University of Muenster Witten / Herdecke Institut Fur Wirtschafts Informatik und Interorganizations Systeme Lehrstuhl Controlling und Informations Management Organizational Management For Inter-firm Network Orchestrations Controllings Informations Systeme 7 University of Frankfurt E- commerce Institute E- commerce E-banking 1 research 9 assistants University of Berlin Informatik und Gesellschaft Internet Governance, Cryptography University of Berlin DAI Lab Security of Computers in theory and praxis focused on agents, Security & Safety, Improve JIAC NA NA 5 4 University of Saarbrucken Institute of Computer Science Law Institut Rechtsinformatik EDW Security, Internet Law, Ciberbanking Law, Data Protection 2 researcher 36 research student University of Muenster Computer Science, Telecommunications Media Law Research Institute Institut Fur Information Data Protection, Internet Security, Digital Signature 1 researcher 27 research students OST Fondazione Rosselli, Final Report, january

30 University of Darmstadt University of Hamburg Multimedia Communication lab Software Technology System Institute Security Information, Protocols, IT Mechanisms, Network Security Architechtures E-commerce software, Distribuited Systems Security University of Muenster ITM Legal Questions in the German network of research: Data Protection and Liability Law University of Munchen University of Hannover Computer Science Law Research Center Institut Rechtsinformatik Institut Fur Rechtsinformatik Data protection, cyber cryme, digital signature Electronic Transactions, Informatic Tecniques effects in Civil Law, Data Protection Law 1 professor 11 researchers 2 researchers 6 assistants 11 research students 1 research teacher 14 research assistants 14 research students 6 researchers 3 assistants 2 research teachers 5 researchers Source : Fondazione Rosselli, University Curricula Survey, november Conclusions for the survey of Germany The areas where there has been a great development in the IT security knowledge are: Research and Scientific degrees. The research centers are involved in all the different issues related to IT Security not only from a scientific and technical point of view but also from a legal and management one. In fact, as it has already been underlined, there are many research centers in the Law Schools and in the Business / Management departments, where the attention is also focused on the items related to the electronic transactions (like e-banking, e- finance). Improvement: there is a general trend of creating post graduate degrees (MSc, MBA, LL.M) some of which are specifically connected to IT security. Level of spread: there is a good diffusion in the university system of the cybersecurity issues: it can be demonstrated also by the large number of courses (less than 50 hours long) held in the German universities (see in annex). OST Fondazione Rosselli, Final Report, january

31 Greece Methodology The collection of the required information was done firstly by contacting the Ministry of National Education and Religious Affairs, which supplied a list of Greek universities. Universities were then contacted either by using their web sites, faculty/department of economics/business management, engineering, law, mathematics and computer science, and or directly by phone. For each area every degree level offered by the faculty has been evaluated. In the absence of a degree, master or PhD concerned with Cybersecurity, the research area has been included in the relevant modules. The information has been required and collected 39 by phone/ /fax, and eventually confirmed by direct contact. 40 Greek Higher Education System For the admission to a university undergraduate degree, candidates must first obtain a college like certificate (called Lykeio degree) and then take the general entrance examinations 41. In most faculties, courses last a total of eight semesters 42 (four years) and 10 semesters in the Polytechnic Schools (five years). To access to Technological Education Institutes (TEI) 43, candidates must have completed a 12 year general education and also take the general entrance examinations. Courses cover a period of six or seven teaching semesters, and one semester of practical training. 44 Concerning the post graduate degree, the MSc are 2 years long and the duration of the PhD is not standard. There is no complete degree related to cybersecurity at the undergraduate or postgraduate level in Greek universities. There are only a few undergraduate and postgraduate modules which address some aspects of Information and Communication Systems Security, with more than 50 hours 45. The main education in cyber security in terms of modules is concentrated in the undergraduate level. All the courses have, but a few exceptions, a technical content, focusing on computer science, engineering, mathematics both in theoretical (algorithmic for cryptography, coding theory) and practical aspects (applied cryptography, authentication codes, etc.) Total number of ed forms: 53 ; Returned forms: 46 ; No response: 7; Relevant forms (more than 50 hours courses): 6. With the help of a correspondent in Greece. The number of entrants is restricted throughout the range of higher education (numerus clausus). Each semester includes 14 full weeks for teaching. TEI are clearly different from the universities - in terms of role, graduates orientation, subject matter and degrees -. In particular, they provide theoretical and practical education suited to the application of scientific, technical, artistic or other knowledge and professional skills. The duration of each teaching semester is 15 weeks, each week includes teaching hours. In order to graduate, a student is required a) to have successfully completed all the courses, b) to have prepared his degree assignment, the grade of which is taken into account when determining the grade of the degree, and c) to have successfully completed practical training in the relevant profession. There are several courses (Annex 1) less than 50 hours long which address aspects and issues concerned with cyber security. However there are several undergraduate and postgraduate courses which address some aspects of Information and Communication Systems Security, for example :Principles of Law and Data Protection; Information & Communication Systems Security; Information & Communication Systems Reliability; Network Security; Information Systems Auditing; Applied Cryptography OST Fondazione Rosselli, Final Report, january

32 Main findings The relevant universities curricula in Greece are concerned with the following strategic areas: Technical/scientific aspects: a) Data secure access / exchange in the web; b) Data integrity/protection -Authentication issues Law and regulation of Information security In more details: 1) Technical/scientific aspects State of the art : a) Data secure access / exchange: in this area the main themes treated are the security of computational and communication system 47, network security 48. Threats and security objectives. Physical Security. Data Security. Cryptography and Cryptanalysis. Presentation of security problems, firewalls, traditional cryptography, algorithms of secret keys and public key cryptography. b) Data integrity / protection - Authentication issues: in this area the most important course is concerned with threats and security objectives, such as Data Security, Cryptography and Cryptanalysis, Security role of the subsystems of an Information System (hardware, software, operating system, communications, etc.), Privacy and data protection legislation, Protection of proprietary software 49. Education needs: the area of technical issues is not well developed in terms of courses of more than 50 hours. 2) Law and regulation of Information security State of the art: the relevant course held in Greece 50 is mainly oriented towards training in private law, with particular attention to the following issues: digital signatures (regulatory framework and legal issues); communications privacy protection in the Information Society; Privacy and personal data protection in the Information Society. Some courses, but less than 50 hours, are dealing with Criminal Law in the Information Society. The very important aspect is that the course is held in a degree held in the department of Information and Communication System. Privacy Protection: OECD and EU Directives. Education needs: The issues concerning criminal aspects and cyber crimes are not well developed in terms of courses more than 50 hours long Computer science, University of Ioannina. Network security, University of Aegean, Samos. Information system security, Athens University of Economic and Business. 50 Introduction to Law and Privacy, University of the Aegean, School of Science. OST Fondazione Rosselli, Final Report, january

33 The main indicators Year of opening, hours, credits. As shown in the following table, Cybersecurity in Greek university training has started generally in , except for a theoretical course, Information Systems Security. Furthermore some courses are not held on a regular basis each year (e.g. at the University of Ioannina). All the courses have (more or less) a common indicator of credits in relation with the teaching hours. Table of courses/diploma - Greece University Faculty/Department Title of the course/module diploma University of the Aegean Information & Communication Systems University of the Aegean Information & Communication Systems University of the Aegean Information & Communication Systems University of the Aegean Information & Communication Systems Athens University of Economics and Business University of Ioannina Information School of Natural Sciences Computer Science Modules Information & Communication Systems Security Introduction to Law and Privacy Legal and Technical Environment in the Information Society Year of opening Number of hours per year Credits 51 Professors Network Security Information Systems Security Source : Fondazione Rosselli, University Curricula Survey, november Computer Science ECTS credits are a numerical value (between 1 and 60) allocated to course units to describe the student's workload required to complete them. It is based on a full student workload and not limited to contact hours only. In ECTS, 60 credits represent the workload of an academic year of study and normally 30 credits for a semester and 20 credits for a term. It is important to indicate that no special courses are set up for ECTS purposes, but that all ECTS courses are mainstream courses of the participating institutions, as followed by home students under normal regulations. It is up to the participating institutions to subdivide the credits for the different courses. ECTS credits should be allocated to all course units available, compulsory or elective courses. Credits can also be allocated to project work and thesis where the units are an integral part of the degree program. Credits are awarded only when the course has been completed and all required examinations have been successfully taken. OST Fondazione Rosselli, Final Report, january

34 Students The number of student cannot be commented because of the absence of significant information. Table of students - Greece University Faculty/Department Title of the course/module/ diploma Number of student registered Number of degree/courses delivered Modules University of the Aegean Information & Communication Systems Information & Communication Systems Security 80 NA University of the Aegean Information & Communication Systems Introduction to Law and Privacy University of the Aegean Information & Communication Systems Legal and Technical Environment in the Information Society 97 Summer class - - University of the Aegean Information & Communication Systems Network Security 40 NA - - Athens University of Economics and Business Information Information Systems Security 90 NA - - University of Ioannina School of Natural Sciences Computer Science Computer Science not open for this year Source : Fondazione Rosselli, University Curricula Survey, november The research centers The most important research centers in Greece are involved in technical research fields. The University of the Aegean has been active in research and education in the area of Information and Communication Systems Security since 1988, initially through the Mathematics and later through the Information and Communication Systems Engineering 52. There is also the Joint Research Group on Information & Communication Systems Security 53, an inter-university group comprising faculty members and researchers of the University of the Aegean and the Dept. of Informatics of the Athens University of Economics & Business 54. They are involved in interdisciplinary research field, Applied Cryptography, Information Security, Security Risk Management, Law and Regulation of Information Security OST Fondazione Rosselli, Final Report, january

35 Table of research centers - Greece University/City University of Aegean Samos University of Aegean Samos University of Thessaloniki Athens University of Economics and Business Name of the research center /PhD Information Systems Security Lab. Joint Research Group (Consortium with Athens University of Economic and Business) Electrical & Computer Engineering Information Systems and Data Bases Lab. Topics/domain of the research activity Number of researchers Information and Communication Systems Engineering 10 Risk Analysis Reviews, Firewalls Technology, Secure Healthcare Information Systems, Incident Reporting Schemes Education and Training on Information Security, Privacy Issues, Secure Applications over the Internet, Information Systems Security Policies, Development of Security Standards Intrusion Detection Expert Systems Person Identity Verification Information Systems Security NA Demokritos University of Thrace Electrical and Computer Engineering Cryptography NA Source : Fondazione Rosselli, University Curricula Survey, november Conclusions of the survey for Greece Strengths Level of high tech: both the courses and the research centers show the high level of knowledge reached in Greece. Level of dissemination: there is a very good level of dissemination of the cyber security issue in the university system, as shown by the large number of courses (less than 50 hours long) held in the Greek Universities. It is important to note that most courses less than 50 hours are held in the Athens University of Economics and Business. Weaknesses Absence of complete degree concerned with technical, economic or legal aspects of cyber security. As seen in the section concerning research centers, Greece has all the possibilities and the capacities to create a very interdisciplinary curriculum for university education. The Information and Communication System Security of the University of the Aegean will held a two year course, which will lead to an MSc degree. Technical issues in general and less legal and economic issues will be addressed. This course is in the process of formal approval by the Ministry of Education. OST Fondazione Rosselli, Final Report, january

36 Italy Methodology The collection of the required information was done firstly by contacting MIUR (Ministry of school and university) which supplied a complete list of public universities in Italy. Contacting the universities 55 was done by web sites, faculty/department of economics/business management, engineering, law, mathematics and computer science, and contacting directly the institute by phone. For each area every degree level 56 offered by the faculty has been evaluated. The requested 57 information has been supplied by the president of the degree. In the absence of a degree, master or PhD concerned with Cybersecurity, the research area has been included in the relevant modules (programmes). The information has been collected by phone/ directly from the professors 58. Italian Higher Education System Italian university studies are organized in 3 cycles. The first cycle consists of undergraduate studies, "Degree courses". General access requirement is the Italian high school qualification. First degree courses last 3 years. The second cycle consists of graduate studies including: a) " Specific Degree Courses ; b) "Specialization courses" - 1 st level; c) "University masters" - 1 st level. The third cycle consists of postgraduate studies that include: a) PhD - Research doctorate programs); b) "Specialization courses" - 2 nd level; c) University master degree courses - 2 nd level. In terms of concentration on a degree level, the courses concerned with cybersecurity, out of a total of 29 relevant findings (in terms of courses/diploma) are distributed as follows: Complete degree: 11 Undergraduate : 4 (64 %) Postgraduate : 7 (36 %) Modules: 18 Undergraduate: 9 (50 %) Graduate degree: 5 (28 %) Both 59 : 4 (22 %) It shows that the main education in cybersecurity in terms of modules is concentrated in the undergraduate level. All the courses, but a few exceptions, have a technical contain, focusing on computer science, engineering, mathematics both in theoretical (algorithmic for cryptography, coding theory) and practical aspects (applied cryptography, authentication codes, etc.) In Italy there are more than 70 universities. All the universities have a web site. See the following paragraph: Italian education system. Main indicators are in the survey forms. The forms have been ed. Total number of form ed: 85; form filled: 42, relevant form (concerning courses more than 50 hours long): 27; negative answers: 19 (in this case the courses/modules are not relevant because of the contents and the numbers of hours). The courses are open to students both of undergraduate and graduate courses. OST Fondazione Rosselli, Final Report, january

37 The main training in a complete degree is concentrated in a postgraduate formation, which is, in most cases, interdisciplinary. The masters normally include the three fundamental components of Information Security: knowledge and management of technologies, economic issues and legal implications. Main findings The universities curricula in Italian universities are concerned with the following strategic areas: - Information security management strategies - Technical/scientific aspects: a) Data secure access / exchange in the web b) Data integrity/protection -Authentication issues c) Protection of privacy - Law and regulation of Information security 1) Information security management strategies State of the art: the relevant courses 60 aim at developing the specific competence needed for the protection and the improvement of the informatics and information data, of public and private organizations. The structure of the courses, in most cases masters, shows the importance of connecting and uniting the three fundamental components of Information Security: knowledge and management of technologies (products for IT security), economic issues (risk analysis to assess the required level of investments in security adapted to the needs of the enterprises, the definition of decision making process, managing ICT security development processes in enterprises, business approach to data communication and computer networks), legal implications (cyber crime, user rights/liabilities). Education needs: the economic/management aspects of cybersecurity issues are not well developed. While the problem of risks connected to the management of sensitive data is dealt with in the master degrees, in the undergraduate degrees in Economics, but a few exceptions, there are no modules involved in these issues. These results show that the culture of ensuring an education concerning the economic and business management of information and sensitive data is not widespread in undergraduate economics courses. There is a need for modules both in undergraduate and graduate courses, to address the strategic importance, in a competitive area, of data security. It is necessary, for example, to understand the appropriate level of the investments required to balance the risk of loss of data. 2) Technical/scientific aspects State of the art a) Data secure access / exchange in the web: in this area the main themes treated are network level security, cryptographic system for authentication, authorization, integrity, security in network services and protocols, Internet and web applications Advanced course in Information Security Management (Milan), Master in Law Economics and IT (Camerino), Master in information and Communications management (Torino); the modules Managing ICT security (Catania) and Networks problems (Bergamo). Security technology in the web (Ferrara), Computer Networks Architecture (Perugia), Elaborating system: security (Torino). OST Fondazione Rosselli, Final Report, january

38 b) Data integrity / protection - Authentication issues: in this area the most developed courses are concerned with cryptography 62. Cryptographic systems contribute to make users data processing more secure. Public key cryptography, also known as asymmetric cryptography, allows individuals who do not know each other to use two different (asymmetric) but related keys both to encrypt the data they are exchanging and to guarantee data integrity. Courses are also focused on other issues such as means of securing authentication of authorized users (use of smart cards, biometric identification 63 ) and security of networks and distributed computer systems 64. c) Protection of privacy: peer to peer 65 technology for data exchange can ensure the protection of data privacy and therefore facilitate essential data exchange. The protection of personal data is one of the most important aspects in the field of law and regulation. Education needs: the area of technical issues (concerned with computer science, engineering, mathematics both in theoretical (algorithmic for cryptography, coding theory) and practical aspects (applied cryptography, authentication codes, etc) is well developed. The modules which belong to this area of practice are very widespread, and they are often held in the master degrees. In most cases professors work in important research centers, such as the Network System Research Unit, Cefriel 66 in Milan, or the BioLab 67 in Bologna. This allows for continuous updating and comparison with the European and the global scenario. 3) Law and regulation of Information security State of the art: the courses held in Italy have, in most cases, offer education in private law, in order to satisfy the needs of e-commerce activity: current regulation on protection of personal data and data bases, (Ec and national regulation), e-contracts: "b to b" and "b to c", digital and electronic signature. About criminal law: forensics (proceedings to identify unauthorized access, or not related users, e.g. hackers), hackers, computer crimes and liabilities. The modules of Computer Science Law (both theory and laboratory) held in Rome, in the faculty of engineering, and the module of Computer Science held in Reggio Calabria in the faculty of Law, are very good example of interdisciplinary (law + high tech) actions. Education needs: Although all undergraduate degrees in law have a module called juridical information technologies, only a few of them are really involved in specific issues related to IT security. The relevant modules (because of the number of hours and their topics) are more focused on civil and private laws, rather than on the criminal aspects concerning cyber crimes. Anybody concerned with computer crimes regulation has to know how to identify "a computer crime" and must have a high level of technical knowledge on the management of the informatics world. In this aspect, the MSc. in Computer Science Law and New Technologies Law, which is related to the forensics issues, is a very good master degree Communication system geometry: coding theory and cryptography (Potenza), Block codes and cryptography (Torino), Computational algebra (Torino). Security (Bologna), Information Theory and coding (Siena - Torino), BioLab (Bologna). Computer Science (Pisa), Computer Science (Reggio Calabria) Elaborating information systems: security (Genoa), Network security (Milan). OST Fondazione Rosselli, Final Report, january

39 The main indicators Year of opening, hours, credits. As shown in the following table, cybersecurity themes in university education, has started generally in The exceptions are represented by a few theoretical courses, e.g. computational algebra or coding theory or block codes and cryptography. A Master (High School Managing ICT security development processes in enterprises) is going to be activated in There is no common indicator in terms of hours both in graduate and in undergraduate courses, but in all the Master there is the same number of credits. The Masters offer both a theoretical (the most important) and a practical course. Table of courses/diploma - Italy University Faculty/Department Title of the course/module diploma Messina Milano, seat of Crema Computer science and telecommunication engineering Year of opening Undergraduate course Computer science and telecommunication degree Number of hours per year Credits 68 Professors in head count Faculty of sciences Technologies for IT N.A. Como Faculty of sciences Information Science and Technology in head count Rome Mathematics Laurea in Mathematics in head count Bologna Cirfid/University of Bologna Postgraduate courses Master in Computer Science Law and New Technology law Camerino Interdisciplinary Master Law Economics and IT Catania Engineering High School Managing ICT security development processes in enterprises Milan Milan DSI Information Science Department Cefriel + Business School of Politecnico of Milano (comprising lab + stages) 60 The course will begin in 2003 ICT Security NA Advanced course in Information Security Management project work This course is going to be accredited by Politecnico (in 2003) Pisa Informatics PhD Computer Science Torino Interdisciplinary Master in Information and Communication Management Modules Bergamo Economics Networks problems Bologna Computer Science Security Ferrara Engineering Security technology in the web Genoa Computer Science Elaborating System information in head count In Italy, 1 credit corresponds to 25 hours of work (including home work and training) OST Fondazione Rosselli, Final Report, january

40 Milan Engineering Network security Perugia Dept. Mathematics & Computer Science Computer Networks Architecture lab in head count Pisa Informatics Computer Science in head count Potenza Reggio Calabria Faculty of sciences (mathematics, fisics, natural) Communication system geometry: coding theory and cryptography in head count Law Computer Science Rome Law Computer science Law in head count Rome Engineering Computer science Law lab 3 1 Siena Engineering Information Theory and coding Torino Torino Torino Electronic engineering electronic and computer science Electronic engineering in head count Block codes and cryptography Elaborating system: security Information theory and coding Torino Mathematics Computational algebra Trento Informatics Informatics security Urbino Law Computer science law Source : Fondazione Rosselli, University Curricula Survey, november OST Fondazione Rosselli, Final Report, january

41 Students The number of students in the Postgraduate degree cannot be interpreted as such because most courses have started too recently to allow for an analysis of trend or qualification. Concerning the single modules there is a steady trend with no increasing number. As the course becomes more technical and specialized, the number of students decreases (e.g.: Information theory and coding, Computational algebra, Communication system geometry: coding theory and cryptography). Table of students - Italy University Faculty/Department Title of the course/module diploma Number of student registered Number of degree/courses delivered Messina Computer science and telecommunication engineering Undergraduate Computer science and telecommunication degree Available in 2004 Milano, seat of Crema Faculty of sciences Technologies for IT Como Faculty of sciences Information Science and Technology Availabl e in Rome Mathematics Laurea in Mathematics Bologna Cirfid/University of Bologna Postgraduate Master in Computer Science Law and New Technology law Camerino Interdisciplinary Master Law Economics and Information Technology Como Faculty of sciences Master in Information Science and Technology Milan Milan DSI Information Science Department Cefriel + Business School of Politecnico of Milano 30 Not yet available 38 To be delivere d in To be delivere d in To be delivere d in 2003 ICT Security Advanced course in Information Security Management To be delivere d in 2003 Pisa Informatics PhD Computer Science Torino Interdisciplinary Master in Information and Communication Management OST Fondazione Rosselli, Final Report, january

42 Modules Bergamo Mathematics Networks problems 15 0 Bologna Computer Science Security Catania Engineering Managing ICT security The course is going to start in 2003 Ferrara Engineering Security technology in the web Genoa Computer Science Elaborating System information Na Na Na Na Milan Engineering Network security Perugia Dept. Mathematics & Computer Science Computer Networks Architecture Pisa Informatics Computer Science 100 Na 40 Na Pisa Informatics PhD Computer Science Potenza Faculty of sciences (mathematics, fisics, natural) Communication system geometry: coding theory and cryptography Reggio Calabria Law Computer Science 50 Na 35 Na Rome Law Computer science Law Rome Engineering Computer science Law Siena Engineering Information Theory and coding Torino Torino Torino Block codes and cryptography electronic and computer science Electronic engineering Block codes and cryptography Elaborating system: security Information theory and coding Torino Mathematics Computational algebra Trento Informatics Informatics security Urbino Law Computer science law Source : Fondazione Rosselli, University Curricula Survey, november The research centers The important research centers in Italy are involved in technical and scientific aspects of Information Technology security such as cryptography, user identification; vulnerability detection of applications and system services; security in databases; system security and electronic/digital signature. In Italy there is one of the most important research center in Europe, involved in research projects concerning biometrics: the BioLab, which is one of the most important research center in Europe, works on fingerprint processing, matching and classification, fingerprint applications (e-commerce); face localization and recognition; hand geometry. In the field of law and regulation of Information Security there is one research center specialized in Forensics (proceedings against unauthorized access, or not related users, e.g. hackers), protection of privacy. This research center focuses on the regulation issues and technical aspects of cybersecurity and cybercrime: (law + high tech). OST Fondazione Rosselli, Final Report, january

43 There is no research center involved in the study of economic aspect of data security management. Table of research center - Italy City/University Name of the research center /PhD Topics/domain of the research activity Number of researcher s University of Ancona Information System Information System design, cooperative distributed information system University of Bologna BioLab Report and research on fingerprint processing fingerprint matching fingerprint classification, fingerprint application (e-commerce); face localization and recognition; hand geometry and dermatogliphycs. University of Bologna Cirfid Forensics (proceedings against unauthorized access, or not related users, e.g. hackers), protection of privacy. University of Bologna Dept. computer science Cryptography, user identification: password, smart cards, biometric, security means, virus detection, firewalls University of Catania Dept of computer science and telecommunication engineering Information technology security 2 University of Ferrara Faculty of Engineering Information technology security University of Genoa private law Law and regulation of Information Security 2 University of Messina Dept of mathematics Information Technology security, use of security techniques in developing distributed applications 2 University of Milan University of Milan Polytechnic of Milan Cert-it Computer Emergency Research Team Italy Network System Research Unit Cefriel DEI Dept of Information and electronic Vulnerability Detection of applications and system services, to the development of tools for secure communications, and to the study of new encryption algorithms. Information Technology security: security in peer to peer networking, in fourth generation network systems Networking security: VA, IDS, Peer to peer, UMTS 3 University of Perugia High performance computing Lab Security in network services and protocols, Internet and web application University of Pisa Computer science Dept Intrusion detection; Network management, Security policy, Risk assessment University of BasilicataPotenza University of Reggio Calabria Dept. of mathematics Cryptology, coding theory 4 DIMET - Dipartimento Informatica Matematica Elettronica Trasporti Information System, Databases, Security in databases, Logic for access control representation. University of Rome "3" Computer science Lab Information Technology Security, Law and regulation of information security Polytechnic of Torino Dept of Electronics Cryptology, Coding Theory and discrete mathematics 1 University of Torino Dept. Informatics Information Technology Security, System security and electronic/digital signature University of Torino Dept of mathematics Mathematical methods for cryptography 1 University of Trento DIT Dept of Information and Communication Technology Source : Fondazione Rosselli, University Curricula Survey, november Inter alia: Information Technology Security, Cryptology OST Fondazione Rosselli, Final Report, january

44 Conclusions of the survey for Italy Strengths Level of high tech: both the courses and the research centers show the high level of knowledge reached in Italy. Level of dissemination: there is a good diffusion in the university system of the cybersecurity issues: as shown by the large number of courses (less than 50 hours long) held in the Italian universities. Weaknesses Interdisciplinary: in the technological and scientific degrees (excepting the undergraduate courses) there is no course with economics and legal issues. In the law and economy degree there are no specific courses to address the technical issues connected with cyber security aspects. This lack of training in interdisciplinary ITC security issues is a handicap for a graduate student starting a postgraduate degree. OST Fondazione Rosselli, Final Report, january

45 United Kingdom Methodology The first contacts necessary for the collection of the requested information have been established with both the education and skills and the Universities and colleges admission services, UCAS 69, which supplied a complete list of all the UK public universities, their websites, and their general contact details 70. Once we had all this information we went on checking each university website, and looking for the single sites of each department working in the area covered, namely law, mathematics, computer science, engineering, economics/management, evaluating every single course or module found. Contacts have been established, first by s 71 which explained the object and the importance of our research, indicated the IPTS and the JRC websites 72, and required professors to fill in the attached form. Because of the few answers received, many phone calls have been made, and new s have been sent. The required information has been finally supplied by those professors who showed their interest for the research both by , or by filling in the form on the phone. United Kingdom Higher Education System In UK higher education is divided into two levels: the undergraduate level and the postgraduate level. First degree courses are mainly full time and usually last three years. However there are some four years courses. In most institution there is the Bachelor of Science (BSc) which in most cases provides for some modules related to IT security. Special qualifications are awarded for bachelor degrees in engineering (Beng) and education (Bed). These undergraduate degrees offer a variety of modules which have been the object of our research at the undergraduate level. Just a very few undergraduate courses are totally related to the IT security. Postgraduate programmes are those leading to higher degrees, diplomas and certificates or master degrees, and they usually require a first degree in a subject related to the proposed course as an entry qualification. They usually take one year full time and two years part-time, and they are made up of different modules which last a few hours. Attention has been focused on these master degrees as a whole and their modules have been taken into consideration only in those few cases where their length was more than 50 hours. The most relevant courses/modules related to IT security are run at the postgraduate level where there are many masters involved in e-commerce, internet and network security. Main findings The UK universities curricula on IT security can be divided into three main area: Law Science (computer science, engineering and mathematics) Data secure access/ exchange in the web Data integrity/protection In UK there are about 110 Public Universities. More than 500 s have been sent, and just a few had a reply. The purpose was to show how important our research was. OST Fondazione Rosselli, Final Report, january

46 1) Law Protection of privacy/ data communication Management/economics/business State of the art: the current law education in UK does not provide for a variety of modules or courses related to the legal aspects of IT security. There are just a few undergraduate modules, the majority of which do not fulfill one of the requirements, namely the number of hours. In fact they are less than 50 hours long. More attention is paid at the postgraduate level where there are a few LL.M courses (Master of Laws) recently introduced related to IT issues such as data protection, privacy, cryptography, hacking, electronic finance and electronic commerce, and in some cases also cybercrime. One of the Universities which has focused its activity on the cybercrime issues is the University of Leeds, whose law school opened in 2002 a new LL.M in cyberlaw related to cybercrime, cybertrade, cyberprivacy, security, data protection, online transactions, identity and security and privacy. It can be considered to be a good example of IT security education in the field of law because it unifies the two main aspects necessary for a deep knowledge in cybercrime, namely High Tech and law. Education needs: It would be necessary not only to provide for a greater number of modules and courses focused on the legal aspects of IT security, but also to increase the number of hours of education of those modules already taught, in order to give students the possibility to improve their knowledge in this field and to spend more time in discussing the related issues with professors and experts. Moreover a basic technical knowledge should be ensured in order to allow students to better understand the threats to IT security and to identify what a cybercrime is and when it occurs. 2) Science (computer science, engineering and mathematics) State of the art: The scientific area is the one where the education related to IT security is more widespread, even if, also in this case, many modules are short, and more attention is paid at the postgraduate level. Moreover it has been found out that some modules taught at the undergraduate level provide for a general knowledge concerning the use of computers, internet and their effects, and are only in part related to IT security issues which are discussed in a few hours. Of great relevance are the two postgraduate courses run by the Holloway University in London which started in 1992 and in 1999, the MSc in Information Security and the MSc in Secure Electronic Commerce, both of which are strictly related to IT security and are opened to students who have an undergraduate degree in the relevant discipline including computer science, electronics, information systems, mathematics and, only for the MSc in Secure Electronic Commerce, also business, economics and management. a) Data secure access/ exchange in the web: The main topics discussed are those concerning internet security in general, and in particular interception, interruption, denial of service, network protocols and authentication protocols, firewalls. Students will learn how to develop a professional approach to the issues related to computer system security. These courses aim also to provide an understanding of what vulnerability is and which methods are available to protect and manage IT security. OST Fondazione Rosselli, Final Report, january

47 b) Data integrity/protection: The relevant issues are related to encryption and cryptography. They give an explanation on how to encrypt and decrypt data along with knowledge of the strengths, weakness and area of applicability of cryptographic methods, and how to select and apply various encryption methods and security protocols, within a business environment. c)protection of privacy/ data communication: Digital signature and message digest are the objects of many modules and courses connected to IT security. They are studied not only from a strict technical point of view. In fact in some cases also some legal aspects, such as computer misuse and forensic, and management issues, such as internet security policies and security management, are taken into consideration. In fact in some courses the starting point is from the business prospective, and aims to understand the needs, and the legal aspects that affect electronic trading. Universities are little by little understanding the importance of a good education on IT security, and consequently some of them have recently opened 73, or are about to open 74, entire courses related to Internet technologies and security. Moreover the increase of the number of students in many cases shows their desire to obtain a high info security qualification in order to satisfy the demand of industries for skilled personnel in this area. In addition to the undergraduate and postgraduate courses, universities also provide, in some cases, for a variety of refresher courses for those who already work in the field of IT security. They are focused on the main aspects of cybersecurity, thus allowing for a continuous updating and development knowledge. Education needs: This area of education is well developed. What could be improved may be the supplying of a deeper knowledge in the legal and management fields, so that those who take their degrees will have not only a technical knowledge but also a more general view of the various security aspects. It means to create new courses which are entirely focused on IT security and which provide for a range of modules both concerning the various security technologies, and involved in the understanding of legal and management issues. 3) Management/economics/business State of the art: Attention is paid, especially at the postgraduate level, to issues such as e- commerce, security, privacy and ethics. These courses aim to give an overview of the role of e-commerce within the business world in order to assist companies to exploit it. It is necessary to underline that there are some courses which are run in collaboration with computing schools. They are opened to both students with an undergraduate degree in computer science, information systems or mathematics, and students with an undergraduate degree in economics or management, and they give a good overview of the IT security 75. Some other courses provide, within their programmes, for some issues related to the use of computers within an enterprise, but are not involved on IT security. Education needs: The management area needs an increase of courses related to the management of information and sensitive data in order to give students the management skills necessary for appreciating the implication and processes of e-commerce in the business area, University of Paisley, dep. of information and communication technologies, BSc in internet technologies. University of Portsmouth, computer systems and software engineering, BSc in internet security. The University of Napier, school of computing, is programming to open a new MSc in Security in the near future. See for example the MSc in Secure Electronic Commerce run by the Holloway University, London, or the module called Security of information systems run by the University of Napier, Edinburgh. OST Fondazione Rosselli, Final Report, january

48 to allow them to have a deeper knowledge on the e-commerce transactions, and to understand their risks and limits. New programmes should be designed in order to help the gap of a global shortage of managers in companies. It would be also necessary to provide for a range of courses/modules which learn how to evaluate, according to the size and the organization of the companies, the amount of investments for IT security, and which deal with information flows both within an organization and between organizations. Main indicators Year of opening, number of hours and credits : The main indicators used to carry out the research have been the year of opening of the course/module, the number of hours of education, the number of students who attended and passed it in the academic years 2001 and 2002, and, in relation to the research centres, the topics covered by the research activity and the number of researchers. The following table shows that the most parts of courses/modules related to IT security have been opened between the late 90 and the last two years, and some new courses/modules will be available from next year. Table of courses/diploma United Kingdom University Faculty/Departme nt Title of the course/module diploma Year of opening Number of hours per year Credits 76 Professors Paisley Information & Communication Technologies BSc in Internet Technologies Lincoln Computing BSc in computing (internet systems) Portsmouth Computer systems and software engineering Undergraduate - Degrees per year 7.5 points on Cybersecurity hours per week BSc in internet security 2003 NA NA NA Undergraduate - Modules Durham Law Computer law 1997/8 200 NA NA Napier (Edinburgh) Lampeter (Wales) Lampeter (Wales) Queen Margaret London (Greenwich) Newcastle School of computing Information technology dep. Information technology dep. Management/Econ omics School of computing and mathematical sciences School of Computing Security of information systems NA ,/7.5 ECTS 1 Information society 1993/4 100 NA 2 IT cyberspace NA 1 Electronic Commerce E-commerce and internet security The IT Professional in Today s Society (2 parts) ECTS 2 76 The amount of credit achieved is related to the amount of learning. In higher education the credit framework recognises the widespread agreement that ten hours of learning activity (including assessment) leads to the award of one credit. It is understood that this calculation is an approximation and depends on academic judgement. That judgement is guided by the identification of learning outcomes that are to be achieved during the learning. OST Fondazione Rosselli, Final Report, january

49 Newcastle School of Computing Computer Systems and Networks 2003 About St. Andrews Computer Science Data Encoding 1994 More than 50 NA 2 Aberystwyth (Wales) Oxford Teesside Bristol Bristol Compute science Computing laboratory Computing and Mathematics Dep. of computer science Dep. of computer science Internet service administration 2002/3 100 (only 10 related to IT security) NA 4 Computer science 2003 About 60 NA NA Computer Security NA Cryptography NA 59 NA 2 Information security NA 60 NA 2 Postgraduate - Degrees Anglia Polytechnic Universty (Chelmsford) Computer science MSc in computer networking 2003 NA NA NA Derby Paisley Computing & Technology Information & Communication Technologies MSc in Computer Networks NA 2 PhD/MSc in Advanced Computer Systems Development/ Information Systems Development pts on Cybersecurity 43 Newcastle Royal Holloway Royal Holloway Staffordshire School of Computing Information Security Group Information Security Group School of Computing MSc in Computer Security MSc in Information Security MSc in Secure Electronic Commerce MSc in Electronic Commerce Leeds Business school MBA in infomration management Lampster (Wales) Staffordshire Sunderland Information technology dep. School of Computing Computing and Technology Loughborough Computer Science MSc in Multimedia & Internet Computing Queen Mary Queen Mary Queen Mary Queen Mary Electronic Engineering Electronic Engineering Electronic Engineering Electronic Engineering full time, 2002 part time 300 NA 10 MA in e-commerce NA 6 MSc in E-Commerce 1999 Last over 2 years and there are 10 to 20 hours a week 15 Over 100 MSc in E-Commerce CAST NA 1999 Between 300 and 360 MSc in Internet Computing for coursework MSc in Telecommunications MSc in E-Commerce Engineering MSc in Internet Computing in the Business for coursework for coursework for coursework NA 2 professors, 21 academic teaching staffmmm NA 20 NA 20 NA 20 NA 20 OST Fondazione Rosselli, Final Report, january

50 Glamoran (Pontypridd) Surrey (Guildford) Glamoran (Pontypridd) School of computing computing School of computing Environment MSc in computer systems security M NA MSc in internet computing NA NA MSc in information security and computer crime York Computer science MSc in software engineering M NA Aberdeen Business school MSc in e-business NA 7 Nottingham Essex (Colchester) School of computer science and information technology MS in IT About 1987 From 300 to 400 Law LL.M in e-commerce dissertation Leeds Law LL.M in cyberlaw: Information technology, law and society NA Hertfordshire Law LL.M in E-Commerce 1998 About 250 (25 for each module) Napier (Edinburgh) School of computing York Computer science The internet: telematic design & construction York Computer science Security of computer systems London (Queen Mary College) Postgraduate - Modules NA 5 Advanced security NA NA (only 10 related to IT security) NA NA 2 Law Internet law 1997 Between 130 and 175 Aberdeen Business school E-business programme (online) Aberdeen London (Greenwich) Science and Engineering School of computing and information systems NA NA 2/ ECTS 7 Security and Privacy NA 1 E-commerce and internet security NA 9 Bristol Computer science Cryptography NA 50 NA NA Bristol Computer science Information security NA 60 NA NA Source : Fondazione Rosselli, University Curricula Survey, november Number of Students Generally speaking the number of students who attend courses or modules related to IT security has increased thus showing a growing interest for this field of activity. In some cases, however, it has not been possible to indicate the number of diploma delivered in 2002 because students still have to pass their final exams. OST Fondazione Rosselli, Final Report, january

51 Table of students - United Kingdom University Faculty/Departmen t Title of the course/module Diploma Number of student registered Number of degree/corses delivered Undergraduate - Degrees Paisley Information & Communication Technologies BSc in Internet Technologies Lincoln Computing BSc<in computing (inrternet systems) NA Undergraduate - Modules Durham Law Computer law 45 Not run 45 Not run Napier (Edinburgh) School of computing Security of information systems 26 NA 26 NA Lampeter (Wales) Lampeter (Wales) London (Greenwich) Aberytwyth (Wales) Information technology dep. Information technology dep. School of computing and mathematical sciences computer science Information society NA IT cyberspace NA E-commerce and internet security Internet services administration NA About 400 NA NA NA 43 NA NA St. Andrews Computer Science Data Encoding 10 NA 10 NA Newcastle Teesside Bristol Bristol Derby Paisley Newcastle Royal Holloway Royal Holloway School of Computing Computing and Mathematics Dep. Of computer science Dep. Of computer science Computing & Technology Information & Communication Technologies School of Computing Information Security Group Information Security Group The IT Professional in Today s Society NA 126 NA NA Computer Security NA NA Cryptography NA 100 MSc 30PHd Information security NA 100 MSc 30PHd Postgraduate - Degrees NA NA 200 per year 200 per year MSc in Computer Networks About 500 About 500 NA About 1/3 of total PhD/MSc in Advanced Computer Systems Development/ Information Systems Development NA MSc in Computer Security NA MSc in Information Security NA MSc in Secure Electronic Commerce Leeds Business school MBA in infomration management Lampster (Wales) Staffordshire Information technology dep. School of Computing NA full time; 10 part time 21 NA MA in e-commerce NA MSc in Electronic Commerce OST Fondazione Rosselli, Final Report, january

52 Sunderland Queen Margaret Computing and Technology Management/Econo mic MSc in E-Commerce NA MBA in Electronic Commerce NA 35 NA NA Queen Mary Queen Mary Queen Mary Queen Mary Electronic Engineering Electronic Engineering Electronic Engineering Electronic Engineering MSc in Internet Computing About 10 About 30 NA NA MSc in Telecommunications MSc in E-Commerce Engineering MSc in Internet Computing in the Business Environment Loughborough Computer Science MSc in Multimedia & Internet Computing Glamoran (Pontypridd) School of computing MSc in computer systems security Surrey (Guildford) computing Glamoran (Pontypridd) School of computing MSc in information security and computer crime York Computer science MSc in software engineering About 10 About 30 NA NA About 10 About 30 NA NA About 10 About 30 NA NA MSc in internet computing NA 15 NA NA Aberdeen Business school MSc in e-commerce Nottingham School of computer science and information technology MS in IT NA NA Essex (Colchester) Law LL.M in E-commerce NA 26 NA NA Leeds Law LL.M in cyberlaw until 2003 Hertfordshire Law LL.M in E-Commerce Postgraduate - Modules Napier (Edinburgh) School of computing Advanced security York Computer science The internet: Telematic design & construction York Computer science Security of computer systems NA NA NA London (Greenwich) School of computing and mathematical sciences E-commerce and internet security NA About 400 NA NA Queen Mary Law Internet law % NA Aberdeen Business school E-business programme (online) Aberdeen Computing Science Security and Privacy NA Source : Fondazione Rosselli, University Curricula Survey, november OST Fondazione Rosselli, Final Report, january

53 Research activity in UK Great emphasis is given to the research activity, and many research centres cooperate with the most important companies in the field of IT, or take part in European research projects. The most part of these centres focus their attention to issues such as cryptography 77, network management, risk analysis and management, computer communication security, concurrency 78, smart card security, dependability and anonimity, safeguard and firewalls. All of them are connected to those schools of computing which provide for master degrees related to IT security. A few research centres are involved in the legal aspects concerning privacy, digital rights management, digital signatures, cybercrime, internet related frauds and theft of electronic services. Therefore they focus on issues relating to the impact of information technology both on law and on the legal world, and aim also to provide a body of knowledge about deceptions. Finally there is also a research centre 79 whose activity aims to study the impact of IT technologies on business focusing on the e-commerce and the information systems security in small and medium enterprises. The number of researchers involved show that research in all the aspects of IT security is quite widespread and all these centres are considered to be the most effective way of concentrating academic knowledge, practitioner know-how and computing skills There is a specific cryptography and information security group in Bristol. Many other research groups carry out research projects on cryptography. See the centre for software aspects of concurrency systems at the University of Surrey, Guildford. IT, University of Wales, Lampeter, OST Fondazione Rosselli, Final Report, january

54 University Name of the research center /PhD Table of research centres United Kingdom Topics/domain of the research activity Number of researchers Lampeter, Wales IT department E-commerce security, on-line purchases 2 Plymouth Network research group Information systems security; network management 12 researchers; 13 research students York Secure network Security 21 Cambridge Security group Security; cryptography; electronic commerce; privacy and freedom issues 32 Bradford Telecommunication research centre Cryptography and computer communication security 2 Greenwich (London) Information system research group Spreadsheet integrity 2 Derby Computing Division Digital Economy, Organizational Change, Risk Management, Enterprise, Cyber Law Paisley Bristol Applied Computational Intelligence Research Unit Cryptography and Information Security Group Fraud Detection, Data Mining 3 Elliptic Curve Cryptography, Public Key Infrastructure, Provable Security, Cryptography on small computing devices, General Computational Number Theory, Quantum Algorithms for problems in CNT, Legal and Public policy issues related to information security and cryptography 6 12 researchers, 3 research students, 1 visiting industrial research fellow Loughborough Anis Architectures Research Center Cryptography 9 researchers and 2 research students Sunderland Center for Electronic Commerce Level of security in e-commerce, and web sites, security mechanisms to promote privacy, confidence and trust, data collection and distribution 10 Surrey (Guildford) Centre for software aspects of concurrency systems Concurrency 6 researchers and 2 PhD students Surrey (Guildford) Dep. of computing Authentication 2 Royal Holloway (London) Information Security Group Cryptology, network security, computer security, security protocols, distributed systems security, risk analysis and management, security management, mobile telecommunications security, biometrics, smartcard security, e-payment security More than 50 (13 full-time academics, 5 research assistants, more than 30 PhD students) Newcastle Research group Dependability / Anonimity 5 / 6 people Staffordshire School of Computing Information Technology, Security, Mobile 3 communications Oxford The Concurrency Research Group Concurrency 7 teachers; 5 students; 30 other members Oxford Mathematical Institute Cryptography and Complexity About 3 / 4 researchers Leeds Cyberlaw research unit, centre for criminal justice studies Cyber rights and cyber liberties; internet related frauds and deceptions in the UK; theft of electronic services Nottingham Dep. of computer and science cryptology 2 Lampster IT dep. E-commerce, small medium enterprises security, impact of IT technology on business Queen Mary (London) Queen Mary (London) Electronic Engineering dep Safeguard; secure VPNs with integral distributed firewall functionality in the area of security law Digital signature and certification services 2 Durham Centre for law and computing Electronic commerce; privacy and data protection honorary fellows Bristol Center for IT and Law Privacy, Digital Rights Managements, Cybercrime, E- Commerce 3 Source : Fondazione Rosselli, University Curricula Survey, november OST Fondazione Rosselli, Final Report, january

55 Continuing education or refresher courses Some UK Universities offer workers in the IT field some refresher courses in order to allow them to improve their knowledge in this field and to keep current. In fact security education requires a continuous updating since there is a very rapid development of practises and technologies. The table (in annex of UK) refers to two Universities where great attention is given to the education of IT personnel, and indicates a number of short courses where both technical, legal issues and principal of security management are discussed. Conclusions of the survey for UK Strengths The level of the IT education in UK is very widespread in the scientific area, where great attention is given to technical aspects, and where a very high level has been reached by the research activity in the various research centers existing in the UK territory. Moreover it has been underlined that many courses run by the computing schools involve also legal and management aspects, thus allowing students to have a more complete knowledge and understanding, and some of them are opened also to students with an undergraduate degree in economics and management. The legal area has reached a good level of education on the IT security field, and also the research activity has showed to be interested in the issues related to the new threats and implication deriving by the use of the new technologies. Weaknesses The IT education should be improved in the management area in order to create more skilled students who will be able to satisfy the enterprises demand for managers experts in IT issues. In fact the courses run in cooperation with the schools of computing are not sufficient for creating a new generation of managers able to face all the management problems created by the new technologies, since the knowledge provided for by these courses is more focused on technical aspects. Therefore it is necessary to open new courses strictly related to the management of information and sensitive data, to the evaluation of the amount of investment necessary on IT security and to the information flows. Finally a more technical knowledge should be provided for law students on the one hand, and more legal issues should be taught in the degrees run by schools of computer on the other hand. OST Fondazione Rosselli, Final Report, january

56 Annex OST Fondazione Rosselli, Final Report, january

57 1 Survey format The Higher Education Institution (HEI) Type of institution : University and other HEI City Postal Code Country Web site Survey format (One file by formation identified) Courses and Diplomas (for example : mathematics, informatics/computer science, law, management, economy, engineering ) Topics/domain of the course in which is taught Cybersecurity : Specify : Identification of the unit in the Institution : for example : Department/Faculty/School/Institute Its web site if available Graduate level offered Up to three years (Licence) Up to five Years (Master) Above five years : 1 - Specialized Master Above five years : 2 - Doctorate Course / Diploma Title of the course / diploma Year of opening Number of hours by year of formation Equivalent of European Credit Transfer System (1) Number of professors in full time count Number of professors in head count Institution in charge of Accreditation Pre-requisite level of education to enter in the formation identified above High school Undergraduate (up to three year) Graduate level (up to five year) Above (above five year) Or professional skills recognised, specify OST Fondazione Rosselli, Final Report, january

58 Registration and diplomas Number of students registered by courses Number of degree/diplomas delivered Interdisciplinary and training Is this course/diploma interdisciplinary Yes : No : Training period outside the institution compulsory : Yes : No : If yes, duration of this training in number of weeks Continuing Education or Refresh Courses Existence of continuing Education or refresh courses in the Institution in the field of Network and Information Security or Cybersecurity Yes : No : If yes, precise the number of hours (by year) Research activities in Information System Security in the Institution Is there research activities linked to this formation in the institution Yes : No : If yes : Identification of the name of the departments/laboratories WEB Address of these research units if available Topics of research related For example :: Information Technology Security, Cryptology, Law, Management, Economy,, Risk Management, Law and Regulations of Information Security Number of researchers in these topics in year 2002 (optional) Optional Profiles of jobs occupied by your graduates or professionals trained: Profiles of sector of activities in which are employed graduates or professionals trained by the institution in Cybersecurity Optional Volontary comments on the training identified (1) The European Community Course Credit Transfer System (ECTS), was developed by the Commission of the European Communities in order to provide common procedures to guarantee academic recognition of studies abroad. It provides a way of measuring and comparing learning achievements, and transferring them from one institution to another. For instance, in the French Education system, 300 teaching hours are equivalent +/- to 60 European Credit Transfer System (ECTS). Or 60 ECTS credits represent the workload of a year of study ; normally 30 credits are given for a semester and 20 credits for a term. See : OST Fondazione Rosselli, Final Report, january

59 2 Annex by country France List of the 31 institutions included in the survey SURVEY ANSWER 1 UNIVERSITY / INSTITUTION DIPLOMA TITLE WEB SITE 1 NANTES LICENCE PROFESS. LES METIERS DE L'INFORMATIQUE option 1 : Développement d application réparties option 2 : Administration et sécurité des réseaux 1 TOURS / IUT de Blois LICENCE PROFESS. SECURITE ET QUALITE EN TELECOMMUNICATION LP/Detail-acad/Nantes.html PARIS XIII LICENCE PROFESS. RESEAUX ET TELECOMMUNICATIONS s/formiutv.htm TOULOUSE II LICENCE PROFESS. RESEAUX MOBILES ET SECURITE 1 BORDEAUX I DESS CODES, CRYPTOLOGIE ET SECURITE INFORMATIQUE 1 GRENOBLE I DESS CRYPTOLOGIE, SECURITE ET CODAGE DE L'INFORMATION 1 LIMOGES DESS MATHEMATIQUE INFORMATIQUE ET SECURITE DE L'INFORMATION LYON III DESS DROIT ET POLITIQUE DE LA SECURITE MARNE LA VALLEE DESS INFORMATION ET SECURITE _alternance/infosecu.htm METZ DESS SECURITE DES SYSTEMES D'INFORMATION ET DE COMMUNICATION NICE DESS DEFENSE ET SECURITE NICE DESS SECURITE, DEFENSE, INTELLIGENCE ECONOMIQUE NICE DESS POLICE, SECURITE ET DROITS FONDAMENTAUX DE LA PERSONNE PARIS V DESS INGENIERIE DE LA SECURITE : ANALYSE, PREVENTION, CONSEIL, GESTION TOULON DESS SECURITE DES SYSTEMES D'INFORMATION TOULOUSE I DESS POLITIQUE ET ADMINISTRATION DE LA DEFENSE ET DE LA SECURITE INTERNATIONALE ata2=a m n.d.. TOULOUSE I DESS SECURITE, POLICE ET SOCIETE mation3.html TOULOUSE II DESS CITOYENNETE, VIOLENCE, SECURITE : LES ENJEUX DE LA PRISE DU RISQUE n. d.. 1 UT TROYES DESS SECURITE DES SYSTEMES D'INFORMATION VERSAILLES SAINT QUENTIN EN YVELINES DESS SECURITE DES TRANSPORTS l OST Fondazione Rosselli, Final Report, january

60 1 Université PARIS 1 Panthéon Sorbonne DESS Droit de l'internet - Administration, Entreprises U.E.R 01 Droit Administration et Secteurs publics ml 1 RENNES, ENST BRETAGNE, cogéré avec SUPELEC Mastère Spécialisé Sécurité des Systèmes d'information s/ssi/index.fr.html 1 PARIS - ENST Mastère Spécialisé Sécurité des Systèmes informatiques et des réseaux BOURGES ENSI Master of Science Sécurité Informatique 1 LIMOGES DEA Cryptographie, Codage, Calcul l'école normale supérieure de Paris, l'école normale supérieure de Cachan, les Universités de Paris VI, Paris VII, Paris XI, l'e.n.s.t. et l'école polytechnique DEA Algorithmique A/Brochure2000/ TOULOUSE 3 DEA Programmation et systèmes UNIVERSITE MEDITERRANNEE DEA Informatique PARIS 12 DEA Informatique : sûreté et sécurité GRENOBLE DEA Sécurité Internationale et Défense m Université Paris Sud Centre Scientifique d'orsay Université Paris I - Panthéon Sorbonne en partenariat avec l'inria et avec SupElec DEA Information, Interaction, Intelligence Sources : Survey CFSSI :OST, November 2002 and Ministère de l Education nationale Notes : This list of courses does not pretend to be exhaustive in considering the scope of the study. For the masters, this list does not give the specialised programs in economic intelligence where some courses on cybersecurity are delivered. For instance the master in economics, scientific, technical intelligence of the Group ESEEI : http This list does not inventory the units of research activities in the institution The survey takes in account only the results of the survey for research. activities specially for domains other that computer science. Description of the Master program of Rennes : Cours (7mois) Module h «Formation de base en informatique et réseaux» Module 2 9 h «Introduction à la sécurité de systèmes d'information» Module 3 35 h «Théorie de la sécurité des systèmes d'information» Module 4 9 h «Disponibilité et sûreté de fonctionnement» Module 5 18 h «Cryptographie» Module 6 54 h «Ingénierie de la cryptographie / cryptosystèmes» Module 7 33 h «Critères d'évaluation / Audits / Certification» Module h «Sécurité informatique» Module 9 25 h «Audits / Analyses techniques» Module h «Méthodes formelles pour la sécurité» Module h «Canaux cachés» Module 12 9 h «Sécurité des e-services» OST Fondazione Rosselli, Final Report, january

61 Belgium Table of courses/diploma less than 50 hours long - Belgium University Faculty/Department Title of the course/module diploma Year of opening Number of hours per year Credits 80 Professors Katholieke Universiteit Leuven Université Libre de Bruxelles Katholieke Universiteit Leuven Katholieke Universiteit Leuven Mathematics Faculty of Law Electrical Engineering Computer Science Discrete Mathematics NA Droit et éthique de l'informatique Cryptography and Network Security Security of Networks and Computer Infrastructure NA 45 NA Royal Military Academy Informatics Networks and Security NA 1 Katholieke Universiteit Leuven Katholieke Universiteit Leuven Katholieke Universiteit Leuven Vrije Universiteit Brussel Vrije Universiteit Brussel Université Libre de Bruxelles Université Libre de Bruxelles Université Libre de Bruxelles Université Catholique de Louvain Université de Mons Hainaut Université de Mons Hainaut Faculties Universitaires Notre-Dame de la Paix à Namur Faculties Universitaires Notre-Dame de la Paix à Namur Université de Liege Universiteit Gent Electrical Engineering Biometrics System Concepts Faculty of Law Computer Law Faculty of Law Faculty of Applied Economics Faculty of Law Informatics Faculty of Law Mathematics Mathematics Institute of Informatics Institute of Informatics Information Technology Law Auditing of Information Systems Juridical Aspects of Informatics Sécurité des systèmes informatiques Droit etethique del'informatique NA Structures discrètes NA 30 NA 1 Théorie des nombres NA Cryptographie et sécurité des systèmes d'information Sécurité des systèmes informatiques NA Faculty of Law Droit de l informatique Computer Science Electrical Engineering and Computer Science Computer Science Sécurité et fiabilité des systèmes informatiques Cryptographie informatique Special Problems Concerning Computer Science NA One belgian study point corresponds to 25/30 hours of work for the student. OST Fondazione Rosselli, Final Report, january

62 Université Catholique de Louvain Faculté Polytechnique de Mons Faculties Universitaires Notre-Dame de la Paix à Namur Faculties Universitaires Notre-Dame de la Paix à Namur Katholieke Universiteit Leuven Vrije Universiteit Brussel Universiteit Antwerpen Université Libre de Bruxelles Université Catholique de Louvain Université Catholique de Louvain Faculties Universitaires Notre-Dame de la Paix à Namur Mathematics Informatics Computer Science Cryptographie Information System Administration and Security Sécurité informatique NA 1 Faculty of Law Droit de l informatique NA 18 NA 1 Electrical Engineering Mathematics Faculty of Applied Economics Informatics Electrical Engineering Mathematics Computer Science Methods of Cryptanalysis NA 1 Cryptographie Security of Information Systems Cryptologie et sécurité des moyens multimédia Cryptologie et sécurité des moyens multimédia Problèmes d'arithmétique et de cryptographie Sécurité des systèmes informatiques Source : Fondazione Rosselli, University Curricula Survey, november Table of courses/students less than 50 hours long Belgium University Faculty/Department Title of the course/module diploma Katholieke Universiteit Leuven Université Libre de Bruxelles Katholieke Universiteit Leuven Katholieke Universiteit Leuven Mathematics Faculty of Law Electrical Engineering Computer Science Number of student registered Number of degree/courses delivered Discrete Mathematics Droit et éthique de l'informatique Cryptography and Network Security Security of Networks and Computer Infrastructure NA Royal Military Academy Informatics Networks and Security Katholieke Universiteit Leuven Katholieke Universiteit Leuven Katholieke Universiteit Leuven Vrije Universiteit Brussel Electrical Engineering Biometrics System Concepts NA Faculty of Law Computer Law Faculty of Law Faculty of Applied Economics Information Technology Law Auditing of Information Systems NA NA OST Fondazione Rosselli, Final Report, january

63 Vrije Universiteit Brussel Université Libre de Bruxelles Université Libre de Bruxelles Université Libre de Bruxelles Université Catholique de Louvain Université de Mons Hainaut Université de Mons Hainaut Faculties Universitaires Notre-Dame de la Paix à Namur Faculties Universitaires Notre-Dame de la Paix à Namur Université de Liege Universiteit Gent Université Catholique de Louvain Faculté Polytechnique de Mons Faculties Universitaires Notre-Dame de la Paix à Namur Faculties Universitaires Notre-Dame de la Paix à Namur Katholieke Universiteit Leuven Vrije Universiteit Brussel Universiteit Antwerpen Université Libre de Bruxelles Université Catholique de Louvain Université Catholique de Louvain Faculties Universitaires Notre-Dame de la Paix à Namur Faculty of Law Informatics Faculty of Law Mathematics Mathematics Institute of Informatics Institute of Informatics Juridical Aspects of Informatics Sécurité des systèmes informatiques Droit etethique del'informatique Structures discrètes Théorie des nombres Cryptographie et sécurité des systèmes d'information Sécurité des systèmes informatiques Faculty of Law Droit de l informatique Computer Science Electrical Engineering and Computer Science Computer Science Mathematics Informatics Computer Science Sécurité et fiabilité des systèmes informatiques Cryptographie informatique Special Problems Concerning Computer Science Cryptographie Information System Administration and Security Sécurité informatique Faculty of Law Droit de l informatique Electrical Engineering Mathematics Faculty of Applied Economics Informatics Electrical Engineering Mathematics Computer Science Methods of Cryptanalysis - NA - NA Cryptographie 3 NA 3 NA Security of Information Systems Cryptologie et sécurité des moyens multimédia Cryptologie et sécurité des moyens multimédia Problèmes d'arithmétique et de cryptographie Sécurité des systèmes informatiques Source : Fondazione Rosselli, University Curricula Survey, november OST Fondazione Rosselli, Final Report, january

64 Germany Table of courses/diploma less than 50 hours long - Germany University Faculty/Department Title of the course/module/ diploma Frankfurt University Institute Lehrstuhl Fur E- Commerce Koeln University Tecnical University Hamburg Global e Management MBA Institute Software Technology System Year of opening Number of hours per year Credits Professors E-Commerce NA 48 NA 1 Internet Sicherheit NA 48 NA NA E-Commerce NA 48 NA 1 Marburg University Informatik Mathematik Kriptologie NA 42 NA 1 Hannover University Saarbrucken University Institute Fur Rechtsinformatik Institute Fur Rechsinformatik European Legal Informatics Study Programme Datenschutz Recht und Internetrecht und Medienstrafrecht NA NA NA 30 NA 1 Osnabruck University Medien Recht Faculty Medien Recht NA 30 NA NA Munchen University Munchen University Munchen University Mainz University Burgerliches recht und medienrecht Burgerliches recht und medienrecht Burgerliches recht und medienrecht Deutsches Medien Recht Faculty Seminar in Computer Recht Seminar zum datenschutz recht Cyber Law Aktulle Probleme des E- Business Deutsches Medien Recht Magdeburg University Inst. Fur Verteilte Sisteme Kriptographilhe verfarhen in die informationssicherhei t Leipzig University Institute Informatik Datenschutz und datensicherheit Trier University Muenster University Tecnic University Darmstad Tecnical University Heil Bronn Organisation und strategiches management Lehrstul Wirtschafts Informatik und Interorganisation systeme Institute Multimedia Communication Faculty of Economics NA 30 NA 1 NA 30 NA 1 NA 30 NA 1 NA 30 NA NA NA 30 NA 1 NA 30 NA 1 E-Business NA 30 NA 1 Einfuhrung in die wirtschafts informatik Sicherheit in verteilten multimedia systemen und anwendungen Electronic Business Datensicherheit, Kryptographie, Zahlung systeme Freiburg University Institute fur informatik Algorithms for internet application Hannover University Witten / Herdecke Universitat Faculty of Legal Informatic Institute Controlling und Informations Management Master Legal Informatic Study Programme NA 30 NA 2 NA 30 NA 1 NA 30 NA 1 NA 30 NA NA NA Controlling NA 30 NA 1 OST Fondazione Rosselli, Final Report, january

65 Rostock University Berlin Tecnical University Institute fur Informations und Telekomunication Dienste Dept. Electrical Engineering Telecommunication Network Datensicherhet NA 30 NA 1 Netz werk sicherheit NA 30 NA 1 Kaiserlauten Tec. University Clausthal University Fachschaft Digitalen Medien Abt. Wintschaftsmfermalih Intellectual Property Cyberlaw and Copyright NA 30 NA NA NA NA 30 NA 1 Braunschweig University Abt. Allyemenè BWL NA NA 30 NA 1 Muenster University Kaiserlauten Tec. University Kaiserlauten Tec. University Kassel University Inst. Fur Informations telekommunikations und medienrecht Inst. Fur Informations telekommunikations und medienrecht NA 30 NA 1 Diplom Digitalen Medien Datensicherheit NA 30 NA NA Management Electronic Business NA Department Mathematics and Informatics Kryptographie NA 30 NA NA Table of courses/students less than 50hours long Germany University Faculty/Department Title of the course/modulediplo ma Frankfurt University Institute Lehrstuhl Fur E- Commerce Koeln University Tecnical University Hamburg Global e Management MBA Institute Software Technology System Number of student registered Number of degree/courses delivered E-Commerce Internet Sicherheit E-Commerce Marburg University Informatik Mathematik Kriptologie Hannover University Saarbrucken University Institute Fur Rechtsinformatik Institute Fur Rechsinformatik European Legal Informatics Study Programme Datenschutz Recht und Internetrecht und Medienstrafrecht Osnabruck University Medien Recht Faculty Medien Recht Munchen University Munchen University Munchen University Mainz University Burgerliches recht und medienrecht Burgerliches recht und medienrecht Burgerliches recht und medienrecht Deutsches Medien Recht Faculty Seminar in Computer Recht Seminar zum datenschutz recht Cyber Law Aktulle Probleme des E- Business Deutsches Medien Recht OST Fondazione Rosselli, Final Report, january

66 Magdeburg University Inst. Fur Verteilte Sisteme Kriptographilhe verfarhen in die informationssicherhei t Leipzig University Institute Informatik Datenschutz und datensicherheit Trier University Muenster University Tecnic University Darmstad Tecnical University Heil Bronn Organisation und strategiches management Lehrstul Wirtschafts Informatik und Interorganisation systeme Institute Multimedia Communication Faculty of Economics E-Business Einfuhrung in die wirtschafts informatik Sicherheit in verteilten multimedia systemen und anwendungen Electronic Business Datensicherheit, Kryptographie, Zahlung systeme Freiburg University Institute fur informatik Algorithms for internet application Hannover University Witten / Herdecke Universitat Rostock University Berlin Tecnical University Faculty of Legal Informatic Institute Controlling und Informations Management Institute fur Informations und Telekomunication Dienste Dept. Electrical Engineering Telecommunication Network Master Legal Informatic Study Programme Controlling Datensicherhet Netz werk sicherheit Kaiserlauten Tec. University Clausthal University Fachschaft Digitalen Medien Abt. Wintschaftsmfermalih Intellectual Property Cyberlaw and Copyright NA Braunschweig University Abt. Allyemenè BWL NA Muenster University Kaiserlauten Tec. University Kaiserlauten Tec. University Kassel University Inst. Fur Informations telekommunikations und medienrecht Inst. Fur Informations telekommunikations und medienrecht Diplom Digitalen Medien Datensicherheit Management Electronic Business Department Mathematics and Informatics Source : Fondazione Rosselli, University Curricula Survey, november Kryptographie OST Fondazione Rosselli, Final Report, january

67 Greece Table of courses/diploma less than 50 hours long - Greece University Faculty/Department Title of the course/module/ diploma Year of opening Number of hours per year Credits Professors University of the Aegean Information & Communication Systems Applied Cryptography University of the Aegean Information & Communication Systems Information Systems Auditing University of the Aegean School of Sciences - Mathematics Encoding NA NA 4 NA University of the Aegean School of Sciences - Mathematics University of the Aegean Information & Communication Systems Aristotle University of Thessaloniki Aristotle University of Thessaloniki Aristotle University of Thessaloniki Athens University of Economics and Business Athens University of Economics and Business Athens University of Economics and Business Athens University of Economics and Business Electrical & Computer Engineering Electrical & Computer Engineering Information and Communication Systems Security NA NA 4 Network Security Information Systems Security Security of Medical Informatics NA 39 NA 2 NA 22 NA 2 Informatics Network Security NA NA 4 NA Business Administration Security of Computer Based Information Systems Informatics Applied Cryptography NA 2 Information Information Computer and Network Security Information Systems Security Management NA NA 2 University of Crete Mathematics Cryptography NA NA 4 NA 1 University of Crete Applied Mathematics Information & Coding Theory University of Crete Applied Mathematics Cryptography University of Crete Applied Mathematics Encoding University of Crete Computer Science Information & Coding Theory University of Crete Computer Science Legal Issues on Informatics & Communications NA NA NA 2 NA NA NA 1 Demokritos University of Thrace Demokritos University of Thrace Demokritos University of Thrace Electrical and Computer Engineering Electrical and Computer Engineering Electrical and Computer Engineering Information and Coding Theory Coding Fault Correction NA NA 3 NA NA NA 3 NA Cryptography Demokritos University Electronics and Information and Coding NA NA 3 NA OST Fondazione Rosselli, Final Report, january

68 of Thrace National Kapodistrian Univ. of Athens National Kapodistrian Univ. of Athens National Kapodistrian University of Athens Information System Technology Informatics and Communications Informatics and Communications Informatics and Communications Theory Cryptography Information Theory and Coding Security of Computer Systems University of Patras Mathematics Information Systems Security and Cryptography University of Piraeus Informatics Data and Coding Theory University of Piraeus Informatics Information Systems Security NA NA NA 2 NA NA NA 1 NA NA NA 1 University of Piraeus Technology Education Information Security NA NA NA 1 Technical University of Crete Electronic and Computer Engineering Information and Coding Theory NA NA 4 NA University of Macedonia Applied Informatics Cryptography NA NA NA 2 University of Macedonia Applied Informatics Information Systems Security Source : Fondazione Rosselli, University Curricula Survey, november NA OST Fondazione Rosselli, Final Report, january

69 Italy Table of courses/diploma less than 50 hours long Italy University Faculty/Department Title of the course/module diploma Year of opening Number of hours per year Credits 81 Professors Verona Faculty of mathematics fisics and natural sciences Security and crypthography Venezia School of Informatics Security NA in head count Pisa Computer science Algorithmics for Intenet and web Brescia Camerino Economy- Department of quantitative methods Dept of Mathematics and Computer Science Network and communications: economic and management of information and Communication Codes and Cryptography Lecce Engineering EC law of Informatics Genoa Law Computer Law NA NA 6 1 Venice Computer Science Web Protocols NA NA 6 1 Venice Computer Science E-Commerce NA NA 6 1 Torino Computer Science Data transmission Protocols Politecnico of Torino Computer Science Law and security in telecommunication & web transmission Source : Fondazione Rosselli, University Curricula Survey, november Verona Table of courses/students less than 50 hours long Italy University Faculty/Department Title of the course/module/diplom a Faculty of mathematics fisics and natural sciences Security and crypthography NA NA in head count NA NA 3 1 Number of student registered Number of degree/courses delivered Venezia School of Informatics Security Pisa Computer science Algorithmics for Intenet and web Brescia Economy- Department of quantitative methods Network and communications: economic and management of information and Communication 120 (only for licence) 178 (licence+ specialisti c degree) NA NA One italian credit corresponds to 25 hours of work for the student. OST Fondazione Rosselli, Final Report, january

70 Camerino Dept of Mathematics and Computer Science Codes and Cryptography Lecce Engineering EC law of Informatics Genoa Law Computer Law Venice Computer Science Web Protocols Venice Computer Science E-Commerce Torino Computer Science Data transmission Protocols Politecnico of Torino Computer Science Law and security in telecommunication & web transmission Source : Fondazione Rosselli, University Curricula Survey, november OST Fondazione Rosselli, Final Report, january

71 United Kingdom Table of courses/diploma less than 50 hours long - UK University Faculty/Department Title of the course/module/diploma Year of opening Number of hours per year Credits Professors University of Leeds Business School E-busibess (MBA in Information Management) NA NA University of Bath Computer Science Networking Loughborough University Computer Science E-Commerce security NA 1 University of Manchester Institute of Sciences & Yechnology Computation Dept University of Surrey Computing Safety & security in distributed systems University of Nottinghamn Royal Halloway University of London Royal Halloway University of London Royal Halloway University of London Royal Halloway University of London Royal Halloway University of London Royal Halloway University of London Royal Halloway University of London Royal Halloway University of London Royal Halloway University of London Royal Halloway University of London Royal Halloway University of London Royal Halloway School of Computer Science & Information Technology Dept of Information Secutity Dept of Information Secutity Dept of Information Secutity Dept of Information Secutity Dept of Information Secutity Dept of Information Secutity Dept of Information Secutity Dept of Information Secutity Dept of Information Secutity Dept of Information Secutity Dept of Information Secutity Dept of Information Secutity Electronic Commerce NA 1 Computer Security and Criptology Computer Crime (MSc in Secure E-Commerce) Advanced Cryptography (MSc in Secure E- Commerce) Current developments in secure electronic commerce (MSc in Secure E- Commerce) Legal & regulatory aspects of e-commerce (MSc in IS) Database security (MSc in IS) Secure e-commerce: infrastructures & standards (MSc in IS) Secure e-commerce & other applications commerce (MSc in IS) Standards & evaluation criteria (MSc in IS) Computer Security: Operating Systems (MSc in IS) Network security (MSc in IS) An introduction to Cryptography & security mechanism (MSc in IS) NA (24+10 lab) NA NA NA NA NA NA NA NA NA NA NA 1 Security Management NA 2 OST Fondazione Rosselli, Final Report, january

72 University of London (MSc in IS) University of Oxford Computer Science Lab Security NA 1 University of Glasgow Computer science Security and cryptography NA 1 Loughborough University Computer Science Networks & Internet NA 30 NA 1 University of Leeds Law E-commerce: law & policy (Master) NA 2 University of Leeds Law Cibercrimes (Master) NA 3 University of Leeds Law Ciberlaw: information technology, law and society Univerity of Aberystwyth University of Wales, Swansea Univerity of Aberystwyth Dept of Cimputer Science Dep. Of computer science Dept of Cimputer Science The Internet: Archtecture and Operation NA NA 4+1 Internet computing NA 1 Implementing the Information Society University of Leeds Law E-commerce: law & policy (Licence) NA 20 NA NA 2 University of Leeds Law Cibercrimes (licence) NA 3 University of Leeds Law Ciberlaw: information technology, law and society University of Liverpool Computer science dep. Technologies foe e- commerce University of Napier (Edinburgh) School of computing Computer networks and distributed systems University of Surrey Human Science Internet for Business Economist (MBA in Business Economics & Computing) University of Oxford Computer Science Lab Complexity & Cryptography University of Saint Lincoln University of Bath Dept of Computing Dept of Computer Science BSc Computing (Internet Systems) Source : Fondazione Rosselli, University Curricula Survey, november NA 3 NA NA NA 36 NA 1 NA 20 NA NA NA Networking 1997 NA Table of courses/students less than 50 hours long UK University Faculty/Department Title of the course/module diploma University of Leeds Business School E-busibess (MBA in Information Management) Number of student registered Number of degree/courses delivered University of Bath Computer Science Networking Loughborough University University of Manchester Computer Science E-Commerce security Institute of Sciences & Yechnology Computation Dept University of Surrey Computing Safety & security in distributed systems University of Nottinghamn School of Computer Science & Information Technology Electronic Commerce NA Computer Security and Criptology % NA OST Fondazione Rosselli, Final Report, january

73 Royal Halloway University of London Royal Halloway University of London Royal Halloway University of London Royal Halloway University of London Royal Halloway University of London Royal Halloway University of London Royal Halloway University of London Royal Halloway University of London Royal Halloway University of London Royal Halloway University of London Royal Halloway University of London Royal Halloway University of London Dept of Information Secutity Dept of Information Secutity Dept of Information Secutity Dept of Information Secutity Dept of Information Secutity Dept of Information Secutity Dept of Information Secutity Dept of Information Secutity Dept of Information Secutity Dept of Information Secutity Dept of Information Secutity Dept of Information Secutity Computer Crime (MSc in Secure E-Commerce) Advanced Cryptography (MSc in Secure E-Commerce) Current developments in secure electronic commerce (MSc in Secure E-Commerce) Legal & regulatory aspects of e-commerce (MSc in IS) NA NA NA Na Database security (MSc in IS) Secure e-commerce: infrastructures & standards (MSc in IS) Secure e-commerce & other applications commerce (MSc in IS) Standards & evaluation criteria (MSc in IS) Computer Security: Operating Systems (MSc in IS) Network security (MSc in IS) An introduction to Cryptography & security mechanism (MSc in IS) Security Management (MSc in IS) University of Oxford Computer Science Lab Security NA University of Glasgow Computer science Security and cryptography NA NA Loughborough University Computer Science Networks & Internet % NA University of Leeds Law E-commerce: law & policy (Master) NA University of Leeds Law Cibercrimes (Master) NA University of Leeds Law Ciberlaw: information technology, law and society Univerity of Aberystwyth University of Wales, Swansea Univerity of Aberystwyth Dept of Cimputer Science Dep. Of computer science Dept of Cimputer Science The Internet: Archtecture and Operation NA Internet computing 60 NA 48 NA Implementing the Information Society University of Leeds Law E-commerce: law & policy (Licence) NA NA NA University of Leeds Law Cibercrimes (licence) NA University of Leeds Law Ciberlaw: information technology, law and society NA OST Fondazione Rosselli, Final Report, january

74 University of Liverpool Computer science dep. Technologies foe e-commerce University of Napier (Edinburgh) School of computing Computer networks and distributed systems University of Surrey Human Science Internet for Business Economist (MBA in Business Economics & Computing) University of Oxford Computer Science Lab Complexity & Cryptography NA NA University of Saint Lincoln University of Bath Dept of Computing Dept of Computer Science BSc Computing (Internet Systems) Networking Table of refreshing courses UK University City Faculty/Dept Title of the course in which is insert Title of the module Toopics of the module Days Royal Halloway London Egham Computing Science Computing Science Diploma for workers Web security Typical architecture & points of attack within Web applications; Secure programming rules, codes authentication 1 Royal Halloway London Egham Computing Science Computing Science Diploma for workers Security in Windows NT & Windows 2000 Security professionals, auditors, NT administrators, NT security administrtors 2 Royal Halloway London Egham Computing Science Computing Science Diploma for workers UNIX Security Securing UNIX file system & applications; Unix kernel security; attacks/defence; how to secure UNIX Network security 2 Royal Halloway London Egham Computing Science Computing Science Diploma for workers Security in smart Card Technology Typs of attacs made in smart cards and solutions; security features 1 Royal Halloway London Egham Computing Science Computing Science Diploma for workers Security - Application to architecture Host computer security; access control; monitoring and audit, confidentiality & integrity; network security 3 Royal Halloway London Egham Computing Science Computing Science Diploma for workers Popular cryptographic Algorithmics & hoe they work Internal structure of DES; El- Gamal algorithmics, stream chiper & other algorithmics 1 Royal Halloway London Egham Computing Science Computing Science Diploma for workers PKI & digital signature Key systems; overview of publc key certificates 1 Royal Halloway London Egham Computing Science Computing Science Diploma for workers Network security Metwork security in IS structure, security for single workgroup LANS, security interconnection to public networks; security in distrubuted systems 2 Royal Halloway London Egham Computing Science Computing Science Diploma for workers Internet and firewalls security Internet security issues, types of firewalls; how to select and specufy a firewall 1 Royal Halloway London Egham Computing Science Computing Science Diploma for workers Designing security architecture Overview of security architecture standard; developing & implementing a PK Infrastructure 2 OST Fondazione Rosselli, Final Report, january

75 Royal Halloway London Egham Computing Science Computing Science Diploma for workers Information security Law Relevant legislation to cybersecurity; regulation of investigatory powers act 1 Royal Halloway London Egham Computing Science Computing Science Diploma for workers Information warfare Hackers & terrorism; information broker; sponsored attacks; war dialling 1 Royal Halloway London Egham Computing Science Computing Science Diploma for workers Data protection and privacy Data protection act; Conention on human rights & privacy issues; 1 Royal Halloway London Egham Computing Science Computing Science Diploma for workers Cyber crime Denial of service attacks; malicious programs; computer privacy; hacking tools; www attacks 2 Royal Halloway London Egham Computing Science Computing Science Diploma for workers Managing Information Security Discipline of IS; principle of security management organisation; Information Security Law; 3 Royal Halloway London Egham Computing Science Computing Science Diploma for workers Cryptography Background of cryptography; algorithmics; public key cryptography; key management 2 University of Essex Colcheste r Dept. of computer Science - Public Key Encription Integrity & availability, Digital signatures; secure oneway algorithmics 2 University of Essex Colcheste r Dept. of computer Science - Protocols, Firewalls and the future Peer to peer Protocolos; Secure electronic transaction; firewall architecture; Encryption 2 University of Essex Colcheste r Dept. of computer Science - Models of threats, Security requirements, Symmetrical Encription Issues of confidentiality; Symmetric encription algorithmics; current algorithmics 2 Source : Fondazione Rosselli, University Curricula Survey, november OST Fondazione Rosselli, Final Report, january

76 4 References on cybersecurity courses in Higher Education System of USA On the web site : Introduction to the Centers of Academic Excellence in Information Assurance Education Program Program Information The National Security Agency issued press releases on 11 May 1999, 14 April 2000, 22 March 2001, and 8 March 2002 announcing the results of the annual offerings of the Centers of Academic Excellence in InformationAssurance Education Program. Thirty-six universities have been designated as Centers of Academic Excellence ininformation Assurance Education. The Centers of Academic Excellence in Information Assurance (IA) Education Program is an outreach effort designed and operated by the National Security Agency (NSA) in the spirit of Presidential Decision Directive 63 (PDD 63), the Clinton Administration's Policy on Critical Infrastructure Protection, May The program goal is to reduce vulnerability in our National Information Infrastructure by promoting higher education in information assurance, and producing a growing number of professionals with IA expertise in various disciplines. Authorities The program operates under authority of National Security Decision Directive 42, National Policy for the Security of National Security Systems, July 1990, and Public Law , The Computer Security Act of Definition Information Assurance (IA) concerns information operations that protect and defend information and information systems by ensuring availability, integrity, authentication, confidentiality, and nonrepudiation. This includes providing for restoration of information systems by incorporating protection, detection, and reaction capabilities. (National Security Telecommunications and Information Systems Security Instruction (NSTISSI) No. 4009, January 1999) Program Benefits Benefits to Academia: Colleges and universities designated as Centers of Academic Excellence in Information Assurance Education will receive formal recognition from the United States Government, along with the associated prestige and opportunities for publicity. This recognition will be in the form of an official Government certificate. Centers of Academic Excellence in Information Assurance Education are eligible to apply for scholarships and grants through both the federal and Defense Information Assurance Scholarship Programs. Designation as a Center does not carry a commitment for funding from the National Security Agency. Benefits to the Nation: The National Security Agency, and other Federal Departments and Agencies: the program is intended to assist in meeting national demand for a cadre of professionals with information assurance expertise in various disciplines. These professionals will enter the workforce better equipped to meet challenges facing our national information infrastructure. Centers of Academic Excellence in Information Assurance Education may become focal points for recruiting individuals with information assurance expertise. The Centers may also create a climate and foci to encourage independent research in critical information assurance areas. References National Security Agency: National Information Systems Security Education and Training Program: Committee on National Security Systems: National Colloquium on Information Systems Security Education: The Clinton Administration's Policy on Critical Infrastructure Protection: Defense Information Assurance Scholarship Program Federal Scholarship for Service Program OST Fondazione Rosselli, Final Report, january

77 For additional information contact the National Information Systems Security Education and Training Office at NSA Designates Centers of Academic Excellence in Information Assurance Education The National Security Agency issued press releases on 11 May 1999, 14 April 2000, 22 March 2001, and 8 March 2002 announcing the results of the annual offerings of the Centers of Excellence in Information Assurance Education Program. Thirty-six universities have been designated as Centers of Academic Excellence in Information Assurance under the program. NSA granted the designations following a rigorous review of university applications against published criteria based on training standards established by the National Security Telecommunications and Information Systems Security Committee (NSTISSC). NSA's establishment of this program was spurred by the growing demand for professionals with Information Assurance expertise in various disciplines. The Centers for Academic Excellence may become focal points for recruiting and may create a climate to encourage independent research in Information Assurance. The 36 universities designated as Centers of Academic Excellence in Information Assurance Education are: Air Force Institute of Technology, Carnegie Mellon University, Drexel University, Florida State University, George Mason University George Washington University,, Georgia Institute of Technology, Idaho State University Indiana University of Pennsylvania Information Resources Management College of the National Defense University Iowa State University James Madison University Mississippi State University, Naval Postgraduate School New Mexico Tech North Carolina State University Northeastern University, Norwich University Polytechnic Purdue University, Stanford University State University of New York, Buffalo State University of New York,, Stony Brook Syracuse University Towson University, University of California at Davis University of Idaho University of Illinois at Urbana-Champaign, University of Maryland, Baltimore County University of Maryland, University College, University of Nebraska at Omaha University of North Carolina, Charlotte, University of Texas, San Antonio University of Tulsa U.S. Military Academy, West Point, West Virginia University Each year, newly designated Centers of Academic Excellence in Information Assurance Education are recognized in a formal presentation at the annual Conference of the National Colloquium for Information Systems Security Education. The colloquium conference provides a forum for key officials in government, industry, and academia to focus on current and emerging requirements in Information Assurance education, and to encourage the development and expansion of curricula at graduate and undergraduate levels. Colloquium information is available at OST Fondazione Rosselli, Final Report, january

78 5 References Institute for Propective Technological Studies (IPTS), Minutes, Cybersecurity Skills and Training Needs Workshop, september, 30/09/02, 5 pages Cybersecurity skills and training needs, Background paper for workshop, September 16/17, 2002, prepared by Mike Hendry and Mike McCurry; consultants ; september 2002, 37 P. Cybersecurity skills and training needs, Interim report Pierre-Luc Réfalo, Sécuriser l entreprise connectée, Editions d organisations, Paris, Jacques Stern, La science du secret, Editions Odile Jacob, Paris 1998, Chap. 4 : Vers un droit de la confidentialité, pp Bernard Clement, Laurent Belay et Duncan Gilson, Questions de cybersécurité, IPTS report, vol 57. Club de la Sécurité des Systémes d Information Français, Les études du CLUSIF, Décembre 2002, 30 p.. Club de la Sécurité des Systémes d Information Français, Etudes et statistiques sur la sinistralité informatique en France, Année 2001, mai 2002, 48 p. National Institute of Standards and Technology (NIST), Information Technology Security Training Requirements: A Role- and Performance-Based Model (supersedes NIST Spec, Pub ), April Séminaire Protéger l information sensible et stratétique, Sciences politiques Paris, Formation continue, juin 2002, organisé en collaboration avec le DESS «gestion de l information dans l entreprise» de l Institut politique de Paris. Communication from the Commission to the Council, the European Parliament, the European Economic and Social Committee and the Committee of the Regions, june 2001 Network and Information Security: Proposal for A European Policy Approach English version or pdf Format Italian version Sicurezza delle reti e sicurezza dell'informazione: proposta di un approccio strategico europeo French Version Sécurité des réseaux et de l information : Proposition pour une approche politique européenne Extracts of this proposal on definitions : What is network and information security Networks are systems on which data are stored, processed and through which they circulate. They are composed of transmission components (cables, wireless links, satellites, routers, gateways, switches etc) OST Fondazione Rosselli, Final Report, january

79 and support services (domain name system including the root servers, caller identification service, authentication services, etc). Attached to networks is an increasingly wide range of applications ( delivery systems, browsers, etc.) and terminal equipment (telephone set, host computers, PCs, mobile phones, personal organisers, domestic appliances, industrial machines, etc.). The generic security requirements of networks and information systems can be considered to consist of the following interrelated characteristics: i) Availability means that data is accessible and services are operational, despite possible disruptive events such as power supply cuts, natural disasters, accidents or attacks. This is particularly vital in contexts where communication network failures can cause breakdowns in other critical networks such as air transport or power supply. ii) Authentication is the confirmation of an asserted identity of users or entities. Proper authentication methods are needed for many applications and services such as concluding a contract online, controlling access to certain data and services (e.g. for teleworkers) and authentication of websites (e.g. for Internet banks). Authentication must also include the possibility for anonymity, as many services do not need the identity of the user, but only reliable confirmation of certain criteria (so-called anonymous credentials) such as the ability to pay. iii) Integrity is the confirmation that data which has been sent, received, or stored are complete and unchanged. This is particularly important in relation to authentication for the conclusion of contracts or where data accuracy is critical (medical data, industrial design, etc.). iv) Confidentiality is the protection of communications or stored data against interception and reading by unauthorised persons. It is particularly needed for the transmission of sensitive data and is one of the requirements to address privacy concerns of users of communication networks. All events which threaten security need to be covered, not just those with malicious intent. From a user s point of view, threats such as environmental incidents or human errors which disrupt the network are potentially as costly as malicious attacks. Network and information security can thus be understood as the ability of a network or an information system to resist, at a given level of confidence, accidental events or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted data and the related services offered by or accessible via these networks and systems. Some other important directives from European Commission which could have impact on regulations and subjects covered in the courses collected for the survey : Proposal for acouncil FRAMEWORK DECISION on attacks against information systems, Brussels, , COM(2002) 173 final, 2002/0086 (CN) Directive 2002/58/CE du Parlement européen et du Conseil du 12 juillet 2002 concernant le traitement des données à caractère personnel et la protection de la vie privée dans le secteur des communications électroniques (directive vie privée et communications électroniques), Journal Officiel, L e année, 31 juillet Other important documents on security are the directive on electronic signatures (1999/93/EC) and the communication on trust and security in electronic communication (COM 97/0503). see Official Journal of European Communities, Directive 2002/21/EC of the European Parliament and the Council of 7 March 2002 on a common regulatory framework for electronic communication networks an Services, , EN, L 108/33 DÉCISION DE LA COMMISSION du [ ] instituant le Groupe des régulateurs européens dans le domaine des réseaux et services de communications (Document présentant de l'intérêt pour l'eee), (2002/2874/CE) OST Fondazione Rosselli, Final Report, january

80 European Commssion IPTS on Cybersecurity Report of two seminars of IPTS : Data protection Standardisation, november 1999 Cybercrime, january 11/12, 2002 on the site above, section Activities, and Worhshop. OST Fondazione Rosselli, Final Report, january