Cybersecurity Curricula in European Universities Final report

Transcription

1 Observatoire des sciences et des techniques Fondazione Rosselli Cybersecurity Curricula in European Universities Final report Study commissioned by the Institute for Prospective Technological Studies Gabriel Clairet Scientific coordination Observatoire des sciences et des techniques January, 2003

2 Contributions to the study : Gabriel Clairet Coordinateur scientifique Observatoire des sciences et des techniques Operating Agent Philippe Wolf Directeur Centre de formation à la sécurité des systèmes d information Direction centrale de la sécurité des systèmes d information Secrétariat de la Défense nationale Laurence Esterle Directrice Observatoire des sciences et des techniques Martine Carisey Reviser and proof reader Observatoire des sciences et des techniques Alessandro Palmigiano Coordinatore Unita di Ricerca Diritto, Economia e Technologia Fondazione Rosselli Partner Alessandra Alaimo Ricercatrice presso la D.E.T. (researcher of D.E.T.) Fondazione Rosselli Donatella Amuso Ricercatrice presso la D.E.T. (researcher of D.E.T.) Fondazione Rosselli Marcelino Cabrera Giraldez Scientific Officer Institute for Prospective Technological Studies Joint Research Center - European Commission

3 Table of contents Context of the study 4 Organisation of the study 5 Methodology of the study 5 The general results for the six countries 7 Some observations and recommendations in conclusion of the study 11 Recommendations concerning national authorities 11 Recommendations at the European level 12 Cybersecurity curricula in universities by country 14 Belgium 14 France 17 Germany 24 Greece 31 Italy 36 United Kingdom 45 Annex 56 OST Fondazione Rosselli, Final Report, january

4 Context of the study In early 2001 the European Commission issued a communication to the Council and the European Parliament entitled "Network Security: a European Policy Approach". This communication addressed the needs for educational systems in member states to give more emphasis on courses focused on security - at all levels of education. In addition, the Joint Research Center (JRC) workshop on Cybercrime which took place in Seville in January 2001 identified future lines of European direct research to complement indirect research and national efforts on cybercrime. There was consensus that the fight against cybercrime requires new skills that can only be acquired through specific training programmes. While obtaining more and better data on cybercrime activities and developing new technologies to aid in the fight against cybercrime will be crucial in defining future skills requirements in the security field, much work remains to be done to specify the kinds and levels of skills needed. Under the broad aim of foresight on training and skills future needs for the security and the protection of personal, economic and public data in the Information Society, the Institute for Prospective Technological Studies (IPTS) has defined a set of research actions in a document of June 24 "Cybersecurity Skills and Training Needs and the Impact on Employment 1 ". The purpose of the project is to identify and analyse the future cyber-security needs for training and skills and the potential impact on employment for the three emerging domains : e-government ; e-health and e-bussiness. The second phase is devoted to the Cybersecurity curricula in European universities. This initiative is placed in the context of the increased vulnerability that widespread access, larger variety of services and ubiquitous Information Technology (IT) imply, and the resulting need for protection and security. Whilst the need of cybersecurity skills are increasing in European Information Society, the university curricula in European Union Member States encompass different levels of commitment regarding the inclusion of IT security in their curricula. The existence of specialized departments in technical and legal aspects of cybersecurity indicate that educational policies on cybersecurity vary from university to university as well as from country to country. Other indicators on these differences can be the status given to diplomas (studies leading to a BA, Master, post-master, etc.), the number of PhD thesis produced and the availability of qualified trainers in the field of Information Security. The university curricula are oriented to different needs with different emphasis on more pragmatic (e.g. legal, biometrics, etc.) or rather theoretical or basic research issues (e.g. algorithmics research in cryptography). The study attempt to explore qualitatively the activities of the academic world in support of cybersecurity training requirements. The study does not provide an exhaustive quantitative analysis allowing for comparison among available options. However, it may not be used to identify gaps or further needs in currently available training options across the heterogeneity of education systems in Member States. 1 Cybersecurity skills and training needs and the impact on employment, Seville, June 24, 2002, Joint Research Centre, Institute of Prospective Technological Studies OST Fondazione Rosselli, Final Report, january

5 Organisation of the study A study proposal has been annonced at the end of the first semester 2002 by the Institute for Prospective Technological Studies (IPTS) in collaboration with the European Science and Technology Observatory (ESTO). The «Observatoire des sciences et des techniques-ost» has presented its interest and also Fondazione Rosselli. Following the presentation of an Implementation Plan approved on October 9 and an addendum on October 31, the study coordinated by OST with Fondazione Rosselli as partner really began the third week of October. The OST was associated for the survey of France with the «Centre de formation à la sécurité des systèmes d information du Secrétariat général de la Défense». The persons associated to the projet are : the coordinator at OST, Gabriel Clairet in collaboration with Philippe Wolf of «Centre de formation à la sécurité des systèmes d information CFSSI». The Foundazione Rosselli was represented by M. Alessandro Palmigiano, from the bureau of Palerme (DET research unit in Sicily), the head quarter being located in Turin and two collaborators, Mrs. Alessandra Alaimo and Donatella Amuso. The exchange during the preparation of the survey and the report has been held with Marcelino Cabrera Giraldez, Scientific Officer of the Institute for Prospective Technology Studies (IPTS), one of the seven institutes of the Joint Research Center (JRC) of the European Commission. Methodology of the study The main objective of the study is to provide a first milestone towards a clear and comprehensive picture of the universities curricula in cybersecurity in the European Union. The Implementation Plan for the study included surveys considering public universities across six European members. The «Observatoire des sciences et des techniques» has covered the courses in University and «Grandes écoles» for France and Foundazione Rosselli the universities in Belgium, Germany, Greece, Italy and United Kingdom. The study gathers a minimum of information on the university courses. The survey format, presented in Annex, gives the details of the information selected. The main indicators are : main subjects/topics, number of hours per year, number of qualified professors, number of students registered and graduated (three year if possible, 2000 to 2002), PhDs, research centers and their domains of research; continuing courses (refreshing courses) in the departments identified in the survey. In terms of courses, the survey should identify the level of degree and the pre-requisite of degree to enter in these programs. The definition adopted in the last proposal of the European Commission has been used as a milestone to delimit the contours of the topic covered in the survey. The priority will be on the «Systems of Information Security»: «Network and information security can [thus] be understood as the ability of a network or an information system to resist, at a given level of confidence, accidental events or malicious actions that compromise the availability, OST Fondazione Rosselli, Final Report, january

6 authenticity, integrity and confidentiality of stored or transmitted data and the related services offered by or accessible via these networks and systems 2.» This definition is similar to the one adopted by the National Colloquium for Information Systems Security Education (USA) under the terms of Information Assurance : «Protection of information systems against unauthorized access to or modification of information whether in storage, processing or transit, and against the denial of service to authorized users, including those measures necessary to detect, document, and counter such threats (NSTISSI 4009, August, 1997) 3». For the field or discipline considered in the study, priority has been put upon the courses related to Information Security for which the core are cryptography but not exclusively. Legal and management courses have been considered but if they were in direct relation to security management security. Cryptography imparts confidentiality, integrity and authentication to all forms of electronic communication 4. Categories of institutions and level of university degree The level of diplomas in the survey has been the yearly courses in these matters at each level of the Higher Education Institutions (Licence, Master, Doctorate) including diplomas of specialised public institutions such Public School of Engineers, Law and Management faculties involved in special courses of Information Security. Information on Continuing Education (refreshing courses) has however been included in the study when the informaton was available and delivered by the institutions identified in the survey and in relation to the core competence of information security 5. As some courses represent only a part of the degree, it has been proposed for the study to consider the number of teaching hours above 50 hours-specialized. The courses have been identified by contacting the ministry of Education and the websites of universities. A file has been filled for each course identified according the format presented in the annex. It was suggested to use the European Credit Transfer System (ECTS) but the data collected in each country survey do not allow for comparison under this credit definition. Only some institutions were able to do the conversion from their system of credit or points to the ECTS. 2 Communication from the Commission to the Council, the European Parliament, the European Economic and Social Committee and the Committee of the Regions, June 200, Network and Information Security: Proposal for A European Policy Approach, June 6, 2001, COM (2001) 298 Final. In English : 3 National Colloquium for Information Systems Security Education, section Concepts. Definition of Information Systems Security, See : 4 Bernard Clement, Laurent Beslay and Duncan Gilson, IPTS, Cyber-Security Issues, IPTS Report Special Issue: Aspects of Cyber- Security, Volume 57, September For instance in the UK survey, two universities delivered short courses (Royal Holloway, University of Essex). In most countries, the universities offer short courses on both technical and legal issues related to security information. OST Fondazione Rosselli, Final Report, january

7 The general results for the six countries The data of the survey The study covers six countries : Belgium, France, Germany, Greece, Italy and United-Kingdom. A survey report is presented for each country 6. The first part of the survey identifies the courses by institution, by domain/topics, by degree (undergraduate, graduate and module for certain countries), by number of hours per year. In this survey, 119 courses in the field of cybersecurity (over 50 hours/year) have been identified. Some institutions give courses at undergraduate level and graduate level. The second part aims to estimate the number of registered students, the diplomas, and the prerequisite to enter in the programs. The number of students for the year 2001 registered in theses courses is approximately 4 024, all disciplines considered. In the identified programs, the number of professors is approximately 440. In each country, the concentration of courses according to each main domains or topics is obvious, but a closer analysis of the contents of the courses would be necessary to allow for comparison. The results presented here come mainly from the short description of the courses on the universities and departments web sites. University courses, students registered, research units in cybersecurity Six countries, november 2002 University/ Institution courses (1) Student registered undergraduate or in module 2001 Total students registered 2001 (2) Reserch Units (3) Belgium 2 not applicable France Germany (module) Greece (module) Italy (module) United Kingdom (undergraduate) 195 (module) 243 (module post graduate) Total (60 %) Sources : Cybersecurity Survers OST/CFSSI and Fondazione Rosselli, November 2002 Note : the data in this table should be interpreted with caution, some of them are missing, so the total is only an estimate. (1) could include several times the same institution because of grade level. (2) the figures are approximative because data were not available for each program of courses included in the survey (3) These data included only the existing units of research linked directly to the courses surveyed. Concerning the continuing or refreshing courses in the surveyed university, the results indicate that these courses are important in the university curricula together with the longer courses. The criteria chosen to discriminate long courses from short ones are 50 hours/year. For the six countries in year 2001, (60 %) students were registered in coures by module or at undergraduate level As information security is becoming more and more important in the information society, many refreshing courses are provided in order to meet the increasing needs of skills and competences in cybersecurity. 6 The data must be interpreted with caution, because, some questionnaires were returned incomplete or the information was not available within the time-schedule of the study. The survey contains 27 distinct questions. OST Fondazione Rosselli, Final Report, january

8 This is why the surveys made in Belgium, Greece, Germany, Italy and UK include the courses/modules under 50 hours per year, which are important and diversified. Some results for these short courses are presented for five country in the annex. The survey for France does not cover these short courses. The last part of the survey is devoted to research in the higher education institutions. The objective is not to assess the quality of the on-going research but to identify the relationships, if any, between research domains and teaching programs. 89 research units were identified in a little more than a hundred universities and institutions. The figures presented in the two synthetic tables must be interpreted in the context of the respective education system. Curricula cannot be easily compared on the number of hours per year, without analysing the contents and the balance between long and short courses, domains or discipline and detailed comparaison between the contents of courses. The number of students varies between 20 and 80 by courses. The average number of hour per year and by degree level gives a more clear view of the situation. The courses by module have an average per year under 100 hour per year (Germany, Greece, Italy and UK); for the two countries with undergraduate courses, the average of hour by year is 500 hours. And the graduate level, the average hour of course per year is situated between 300 and 430 hours by year (Belgium excepted with 56 hours per year). The figures must be interpreted in the context of the respective education system. Curricula cannot be easily compared on the number of hours per year, without analysing the contents and the balance between long and short courses, domains or discipline and detailed comparaison between the contents of courses. Students per course and average hour / course, six countries Students by course Average hour per course Average hour per course undergraduate Average hour per course graduate Belgium France Germany 67 (postgraduate) 60 (module) (module) 300 Greece module Italy (undergraduate) 64 (module) 365 United Kingdom 48 (undergraduate) 40 (module) 70 (postgraduate) (module) 372 Sources : Cybersecurity Survers OST/CFSSI and Fondazione Rosselli, November 2002 Note : Only courses with comple data in the survey. The courses with 1200 hours and plus have been excluded (Italy:1 and UK: 5) In the six countries, there are many courses related to information security especially in the departments of mathematics and informatics. In some countries, new curricula provide education in topics covering the training needs not only in cryptography and networks security but also in other matters, such as legal aspects. But there are no courses on the management of security. OST Fondazione Rosselli, Final Report, january

9 In the universities where there is a concentration of competence and the existence of a research department, the courses are usually provided at the master level (graduate and over). A very small number of institutions really cover all the competence and skills required for the management of the information security, although the courses exist in the six countries and seem to meet this need. The survey does not assess the detailed programs and their adequacy to the actual and future needs in each country. Such an assessment would require more analyses and discussions with representatives of education authorities in each country and experts of the field for relevant conclusions. Belgium has reached a high level of research in the cybersecurity field, with many researchers involved in international groups 7 and a good level of dissemination of the cybersecurity issues in the university system, as shown by the large number of courses under 50 hours. The survey has pointed out the absence of both modules of more than 50 hours and research centers concerned with the legal and economic aspects of cybersecurity. France has recently put in place new specialized trainings and diplomas dealing with cyber security issues (covering computer science/mathematic fields) with four levels of diplomas (Licence, master/mastère within the écoles d ingénieurs, DESS and DEA). Most of the times, these courses are linked to research laboratories. But the number of both higher curricula and registered students are still low in cyber-security, especially in the computer science and science fields, even though the survey includes for France, compared to the other five countries more universities (19) : in legal aspects (4), management and economic intelligence (4), telecom and networks (8), security and civil protection (3), transport (1). The implementation of cyber-security courses in secondary education is under consideration. Germany has a very large spectrum of cybersecurity curricula. The research centers are involved in all the different issues related to Informaton Security not only from a scientific and technical point of view but also from a legal and management one. There is a focus on the items related to the electronic transactions (such as e-banking, e-finance). The trend is to create post graduate degrees (MSc, MBA, LL.M) connected to IT security. There is a good diffusion of the cybersecurity issues in the university system. As in the other countries, there is a large number of courses (less than 50 hours long) which are not directly related to information security and a strong focus on e-commerce matters. Greece, both in terms of courses and research centers has reached a good level. There is a very good level of dissemination of the cyber security issue in the university system, as shown by the large number of courses (less than 50 hours long) held in the Greek Universities. As in Belgium, there is no complete degree concerned with technical, economic or legal aspects of cyber security. But the existing research centers are an opportunity to create a very interdisciplinary curriculum for university education. The results for Italy show a high level of knowledge and a good level of dissemination in the university system of the cybersecurity issues as shown by the large number of courses (less than 50 hours long) held in the Italian universities on cybersecurity. In the law and economy degree there are no specific courses to address the technical issues connected with cyber security aspects. This lack of training in interdisciplinary information technology security issues is a handicap for graduate students starting a postgraduate degree. 7 For example : New European Schemes for Signatures, Integrity, and Encryption, OST Fondazione Rosselli, Final Report, january

10 The level of the information technology education in the United Kingdom (UK) is very widespread in the scientific area, where great attention is given to technical aspects. A very high level has been reached by the research centers located in the UK. The legal aspect of the information technology (IT) security field has reached a good level. The research activity is related to the new threats and impacts of the use of new technologies. However there is a need to improve the management skills in cybersecurity to meet the growing demand of all sectors private or public for managers experts in IT issues. As in France, the technical courses are not yet sufficient to qualify managers able to cope with all the management aspects of the cybersecurity issues. As a general conclusion, more expertises and discussions from different point of view are needed to assess the situation of the six countries. The number of specific courses providing education in cybersecurity is important, but there is a lack of complete and comprehensive courses in this field. One of the objective of the study is to contribute to the second workshop organized by IPTS. This workshop will give the opportunity to discuss the results of this «first milestone» of universities curricula in cybersecurity. For this purpose, the next section proposes some guidelines and recommendations for discussion. OST Fondazione Rosselli, Final Report, january

11 Some observations and recommendations in conclusion of the study These conclusions are conditioned by the survey and difficulties to obtain total information in coherence with the Implementation Plan. They are inspired by some of the conclusions and observations on the strengths and weaknesses of cybersecurity curricula in each public higher education system presented in each country report. They need to be confronted with experts in the cybersecurity field. Statement concerning the survey results The survey led in the six European countries focused exclusively - as requested - on the curricula providing a minimum of 50 hours a year modules, thus eliminating very short curricula and/or continuous education. Results show that three types of courses coexist: a) complete courses related to the core skills of system of information security for professional qualification; b) shorter courses for a general overview of security issues; c) continuous training. Continuous education aims at both refresh the knowledge of professionals and increase the awareness of other working staff on the ISS issues. The different levels in training imply an adequate approach according to the public. Recommendations concerning national authorities First, and whatever the type of training, there is a need : 1 To adopt a real interdisciplinary approach : the system of information security requires a variety of highly specialised skills, which are used in a variety of sectors and at different levels of responsibilities. This recommendation matches the conclusions of the first workshop organised by IPTS. Relying on the knowledge of the techniques used in computer sciences (program, protocols, network), efforts must also be made : 2 To foster other scientific aspects of security, certainly mathematics especially for cryptology, but also legal, commercial, management aspects; 3 And to promote the human and social sciences for a better understanding of security issues. Concerning the supply of education in Systems of Information Security (SIS) : 4 To take into account the specificity of the three types of courses: awareness, professional and technical skills, continuous education. 5 To provide basic information on the Systems of Information Security in the modules of informatics, management, law related to e-commerce, e-health, e- government. 6 To build bridges between long and specific courses and continuous education. OST Fondazione Rosselli, Final Report, january

12 Although continuous education is out of the scope of the survey, it is not quite clear what the concern of the public and the private sector is regarding the development of such education. The survey does not present a clear assessment of the situation because of a too small number of responses on this matter. However the survey conducted to the identification of a great number of courses, but under 50 hours per year, which was the indicator retained in the Implementation Plan. Nevertheless the conclusions of the first workshop in September 8 showed that e-government, e-health, e-commerce were domains which were very concerned with security issues and where awareness courses were considered as a priority in training programs. 7 To favour the mobility of students and training staff in cybersecurity. To rely on the existing research possibilities (fellowships) and on new information and communication technologies (e-learning). In the European programmes related to the information society, to favour the use of on line courses. 8 To allow students to complete their education in an industrial or research environment. 9 To facilitate access to specific fellowships with a European label on such topics. As a general conclusion, a national plan for the development of training in cybersecurity would be a way to meet the needs identified by the survey. In this respect, France, in the public sector, has set up a special center to develop the skills in cybersecurity on a permanent basis : the Institute in Information Security «Centre de formation à la sécurité des systèmes d information» (CFSSI) 9. Recommendations at the European level Three suggestions are made here to harmonize the various curricula in cybersecurity: 1 To elaborate specifications in Systems of Information Security for education and certified qualification. The specifications would specify the main elements and contents of curricula in cybersecurity. They would be established by the institutions in charge of certification, with a European label eventually. The NIST US model 10 could serve as a basis to define the requirements of academic education in cybersecurity. If such specifications had existed, they would have been of great help in this study to identify the relevant courses with objective criteria in cybersecurity Minutes of Cybersecurity Skills and Training Needs Workshop, Sevilla, September 16-17, 2002 Centre de formation à la sécurité des systèmes d information, Information Technology Security Training Requirements: A Role- and Performance-Based Model (supersedes NIST Spec. Pub ), April 1998, on the site : National Institute of Standards and Technology; This document describes in detail what should be a good complete course in Information Systems Security. OST Fondazione Rosselli, Final Report, january

13 In this respect, the recent set up of an Internet School («Ecole de l Internet») 11 in France has pointed out the difficulties of certification of a new curricula without precise references. It would be also recommended to use as soon as possible the ECTS 12 (European Community Course Credit Transfer System) to characterize the level and duration of education in this field. Without waiting for the creation of such a label and in the follow up of the surveys of this study, 2 To build a European data base of all the courses in cybersecurity, with better criteria for their identification. This data base would cover all the EU countries and would allow complementary information concerning the candidate countries. The data base would permit to have a record of the curricula in SIS, to disseminate reliable and comprehensive information on the existing curricula in Europe, and thus to facilitate students mobility, and also contribute to obtain recognition of the qualification in SIS by employers. In order to achieve the two previous recommendations at the European level, it is necessary 3 To set up a European correspondents network, specialised in education in cybersecurity, to determine how to share the skills, how to disseminate and possibly enhance these skills among the EU countries, with a special focus on the less favoured countries and the candidate countries Décret n , 25 avril 2002 relatif à la délivrance du label «école de l internet, Journal Officiel n 98, 26 avril 2002, et rectification, Journal Officiel, n 104, 4 mai It has been difficult to use the European Community Course Credit Transfer System (ECTS) as mean of discriminate the courses with the minimum level of hours by year required to be part of the survey. OST Fondazione Rosselli, Final Report, january

14 Cybersecurity curricula in universities by country Belgium Methodology of the survey The collection of the required information was done firstly by consulting the online study programs guide of all the Belgian universities, mainly focusing on the programs of the faculties of law, engineering, applied economics and science (especially the departments of mathematics). For each area every degree level offered by the faculty has been evaluated. In the absence of a degree, master or PhD concerned with cybersecurity, the research area has been included in the relevant modules. The missing information (mainly starting date and number of students) has been requested directly from the professors, by 13 or phone. Description of Belgian Higher Education System University education provides theoretical training for managerial staff responsible for research, conception and application of knowledge. It is offered at different levels: basic academic courses and advanced academic courses 14. The basic academic courses are divided into two cycles: a first cycle of 2 or 3 years and a second cycle of 2, 3 or 4 years. The first cycle of basic academic education leads to the intermediate academic degree of candidate (kandidaat). There are no Belgian Universities offering complete degree, concerned with cybersecurity in the undergraduate or postgraduate level. There are only two modules (each with more than 50 hours courses 15 ) which address aspects of Information and Communication Systems Security. There are several other courses concerned with legal, economic and technical aspects of cybersecurity, but with less than 50 hours. Main findings of the survey The relevant universities modules in Belgium are concerned with technical/scientific aspects in particular with: Intrusion Detection courses (Séminaire de détection d intrusions) held in the Electrical Engineering and Computer Science and Development of Secure software, held in the Computer Science. These courses are both included in a undergraduate level. The main indicators Year of opening, hours, credits As shown in the following table, the two relevant courses started in 2000/2001. They give a number of study point from 4 to Only two courses match the criterium of more than 50 hours. We have sent 27 s and received 17 answers. 24 forms were fully completed and 10 forms were incomplete (lack ofinformation). E.g. teacher training, doctoral programmes and post-academic programmes. University education is divided into study years of a minimum of 1,500 and a maximum of 1,800 hours of tuition or other study activities. There are several courses (Annex 2) with less than 50 hours which address aspects and issues concerned with cybersecurity. OST Fondazione Rosselli, Final Report, january

15 Table of courses/diploma Belgium University Faculty/Department Title of the course/module Diploma Université de Liege Katholieke Universiteit Leuven Dept. of Electrical Engineering and Computer Science Computer Science Séminaire de détection d intrusions Development of Secure Software Year of opening Number of hours per year Credits 16 Professors Source : Fondazione Rosselli, University Curricula Survey, november Students There are many students in the course called Development of Secure Software, but the number of registered students for the year 2001/2002 has dropped down.. Concerning the second module, the number of registered students is low with a downward trend. Table of students Belgium University Faculty/Department Title of the course/module diploma Katholieke Universiteit Leuven Katholieke Universiteit Leuven Computer Science Electrical Engineering Development of Secure Software Cryptography and Network Security Number of student registered Number of degree/courses delivered NA NA Source : Fondazione Rosselli, University Curricula Survey, november The research centers The most important research groups are listed in the following table. COSIC and the UCL Crypto Group are among the largest research groups in Europe. The know-how of DistriNet is the basis of Ubizen, a spin-off company that specializes in secure e-business and related security services. Some faculties have a research group doing research in the field of the juridical aspects of cybersecurity, focusing in particular in the interconnected aspects of high tech and law. 16 The volume of study for each year is expressed in terms of study-points and corresponds to 60 study-points per year. One study-point corresponds to 25 to 30 hours of study. OST Fondazione Rosselli, Final Report, january

16 There is no research centers involved in business and economic aspects of IT security management. Table of research centers Belgium City Name of the research center /PhD Topics/domain of the research activity Katholieke Universiteit Leuven Computer Security and Industrial Cryptography Cryptography, Computer Security, Network Security Number of researchers Université Catholique de Louvain Crypto Group Cryptology, Smart Cards 19 Katholieke Universiteit Leuven DistriNet Distributed Systems, Software Security Université Libre de Bruxelles Cryptography and System Security Service Cryptography, Computer Security Katholieke Universiteit Leuven Faculties Universitaires Notre- Dame de la Paix à Namur Université Libre de Bruxelles Faculties Universitaires Notre- Dame de la Paix à Namur Interdisciplinary Centre for Law and Information Technology Information Technology Law 7 Research Center for Computer and Law Computer Law 5 Centre de droit de l'information et de la communication Computer Law 3 Networks and Security Network Security 2 Source : Fondazione Rosselli, University Curricula Survey, november Conclusions for Belgium Strengths High level of research: the number of research centers (offering a very large number of courses with less than 50 hours) and the contents of the research field show the high level of knowledge reached in Belgium. Level of dissemination: there is a very good level of diffusion in the university system of the cybersecurity issue, as shown by the large number of courses (with less than 50 hours ) held in the Belgian Universities 17. Weaknesses Absence of a complete degree with technical, economic or legal aspects of cybersecurity. As seen in the section concerning research centers, Belgium has all the possibilities and the capacities to create such a curriculum in university education. Absence of modules of more than 50 hours courses and research centers concerned with legal and economic aspects of cybersecurity. 17 There are several types of courses on cybersecurity, all with a different emphasis on the topic: a) Legal aspects of cybersecurity (legal value of an electronic signature, privacy regulations and cybercrime law); b) Mathematical aspects of cryptographic algorithms (discrete mathematics, number theory, finit fields and elliptic curves); c) Information security (applied cryptography, network security, computer security). The faculties of economics also teach some (less technical) courses on cybersecurity, mainly as part of the Commercial Engineering programme, such as Security of Information Systems, Auditing of Information Systems, Auditing, security, privacy and ethical problems, but there are no courses on risk management and economic aspects of cybersecurity. The most technical courses are mainly taught at the Katholieke Universiteit Leuven and Université Catholique de Louvain, because they do a lot of research on cybersecurity. OST Fondazione Rosselli, Final Report, january

17 France Methodology To identify all the courses related to the Systems of Information Security 18 (SIS), a query has been applied to the appropriate Direction of the Ministry of Education to provide a list of the existing curricula. Although the database available at the ministry does not identify the term or expression «system of security» as criteria of selection for university program 19, the representatives of the Ministry were able to identify 63 programs related to this matter 20. The programs directly related to the theme of system of security information were selected and a questionnaire was sent to 31 institutions 21. Step 1 To determine the target of the French survey, two sources were used : - the database of the Ministère de la Jeunesse, de l Éducation nationale et de la Recherche for diplomas delivered by the French universities. Using the keyword security, a list of 63 diplomas was established. - the complete Liste des écoles habilitées à délivrer un titre d ingénieur diplômé (75 pages, Bulletin officiel du ministère de l Éducation nationale et de la Recherche, n 2 du 14 mars 2002) 22 Step 2 Diplomas were used to identify the teams working in the field of cyber-security: - 29 diplomas from the university database were selected. Curricula about food security, occupational safety, safety of the goods and the people were eliminated, as being out of the scope of the study. 3 «grandes écoles» with a specialization in cyber-security were also selected. - The criteria was a minimum of 50 hours on cyber-security (in its largest acceptance). Web sites of the targeted curricula were very well documented with detailed information concerning the courses and address of the person in charge of the curriculum. Step 3 The survey format (see annex) was then sent to the correspondents by with an electronic questionnaire (in both PDF and Word format) to the persons in charge of the curriculum, with a description of the scope of the study, at the end of October, with a two weeks deadline for return. The survey was eventually completed by phone calls In english the usual term is Systems of Information Security (SIS) or Information Systems Security (ISS), the equivalent in French is «Sécurité des Systèmes d Information -SSI». See in Annex a comparison of the terms in USA and at the European Commission. Site of the «annuaire» on the web site of the Ministry, see : Ministère de l Education nationale, Sous-direction des certifications supérieures et de la professionnalisation, Bureau des formations universitaires et technologiques, DES A 10, Mme Christine Coutarel. A list of these institutions appeared in Annex France. The themes related to security of transport, food security, industrial security have been excluded of the survey Journal Officiel n 39 du 15 février 2002 page 2984 ; Arrêté du 11 janvier 2002 fixant la liste des écoles habilitées à délivrer un titre d ingénieur diplomé, NOR: MENS A OST Fondazione Rosselli, Final Report, january

18 Step 4 12 questionnaires which were in the scope of the study were returned mainly in electronic mail, one by fax. Only three curricula identified by the team-project as pertinent for the study did not answer and therefore are not included in the study : a DESS from the university of Toulon due to an error, a DEA in Toulouse due to a anti-spam software which kept rejecting the message and a DEA Algorithmique in Paris (5 students per year) dealing with cryptography as an option (co-managed by the École polytechnique, E.N.S.Ulm, E.N.S.Cachan, E.N.S.T., Universités Paris VI, Paris VII, Paris-Sud, with I.N.R.I.A.and E.N.S.T.A. and the Écoles doctorales EDITE (UPMC), Jussieu-Chevaleret, ENS-Cachan and Paris-Sud. Except for these three diplomas, the data collected give a complete view of cyber-security curricula in France in Description of French Higher Education System In France higher education is composed of (public) universities and schools of engineers named «grandes écoles». Accreditation for each programme is delivered by the Ministry of Education 23 for universities and by a special Commission 24 for the schools of engineers. In the universities, there are four levels of diplomas after high school (baccalaureate is delivered after college or «lycée»): «licence, maîtrise, diplôme d étude spécialisée DESS, diplôme étude approfondies (DEA) and master in the school of engineers or «grandes écoles». Since the adoption of the European Community Course Credit Transfer System (ECTS), these diplomas could be classified in the following way: Graduate level offered Survey Survey / answers Up to three years (Licence) Licence 4 2 Up to five Years (Master) DESS / Title of engineer/ 20 6 Above five years : 1 - Specialized Master Specialized Master/DEA 7 4 Above five years : 2 - Doctorate Doctorate Source : Survey CFSSI/OST, November Ministère de l Education nationale, Sous-direction des certifications supérieures et de la professionnalisation. 24 Ministère de l Education nationale, Direction de l enseignement supérieur, Greffe de la commission des titres d ingénieurs, Bulletin officiel N 2, 14 mars 2002, numéro hors-série, Liste des écoles habilitées à délivrer un titre d ingénieur diplômé, p Arrêté. du JO du , NOR : MENS A, RLR : : OST Fondazione Rosselli, Final Report, january

19 Results of the survey Diplomas in the cybersecurity : 4 different curricula types of diplomas are identified: Licence professionnelle Nantes : Administration et sécurité des réseaux Tours : Sécurité et Qualité en Télécommunications ; the field of these curricula is network security DESS (Diplôme d études supérieures spécialisées): Bordeaux : Codes, Cryptologie, Sécurité Informatique Grenoble : Cryptologie, Sécurité et Codage de l Information Limoges : Sécurité de l Information UT Troyes : Sécurité des Systèmes d'information Toulon : Sécurité des Systèmes d'information Paris 1 : Droit de l Internet Administration Entreprises These 6 curricula deal with what is called in France, information systems security: Two of them are specialized in cryptography and code theory. One curriculum deals with law and offers courses dedicated to the technical comprehension of the cyberworld and cyber-security. Écoles d Ingénieurs ENST Bretagne Rennes, Supélec : Mastère spécialisé en sécurité des systèmes d information ENST Paris : Mastère spécialisé en Sécurité des systèmes informatiques et des réseaux ENSI Bourges : Master of Science sécurité Informatique ENSI Bourges : Filière MRI (Maîtrise des Risques Industriels), Option Systèmes et Informatique (SI) en 3ème année Cybersecurity is a specialization course at the end of the curriculum. Although the names differ, the field covered by the Grandes Ecoles is the same (information systems security). DESS and master curricula are rather complete. For example, see the program master de Rennes in annex. DEA (Diplôme d Etudes Approfondies) Limoges : DEA de Mathématiques Toulouse : DEA Programmation, Sécurité Paris (Ecole Normale Supérieure) : DEA de cryptographie Ecole doctorale Informatique, Télécommunications, Electronique de Paris, DEA Algorithmique The pre-doctorate courses (DEA) are more mathematical and dedicated to cryptography and coding theory in computer science.number of hours per year From 400 to 500 hours except for the specialized courses at the Ecole d Ingénieur de Bourges (72 hours) and the DEA de Limoges (170 hours), if we consider the 4 different curricula (Licence, DESS, DEA, école d ingénieur). Because the diplomas are national, the number of hours is the same all over France. Number of qualified professors There are very few professors (from 2 to 3) devoted to these curricula (see table). The rest comes from other curricula (redeployment). Cyber-security courses are often under the responsibility of professors who are involved (doing research for example) in that field. OST Fondazione Rosselli, Final Report, january

20 University Grande Ecole (1) Université de Bordeaux I UFR de Mathématiques Informatique Université Joseph Fourier et INPG, Grenoble I Université de Toulon et du Var Université de Limoges Table of title course France Faculty/Department Title of the course/diploma Year of opening UFR Mathématiques (UJF), ENSIMAG et Département Télécommunications (INPG) Faculté des sciences et des techiques Faculté des Sciences et Techniques, Mathématiques- Informatique DESS Codes, Cryptologie, Sécurité Informatique (CCSI) DESS Cryptologie, Sécurité et Codage de l Information DESS Sécurité des systèmes d information DESS Sécurité de l Information Université de Nantes IUT informatique Licence professionnelle des métiers de l'informatique Option1: Développement d'applications réparties Université de Tours Université de Technologie de Troyes Université Paris-I Panthéon-Sorbonne Ecole Nationale Supérieure des Télécommunicatios Rennes, SUPELEC Ecole nationale supérieure des télécommunications, ENST, Paris Faculté de Sciences et Techniques Informatique UFR Administration des entreprises Département Réseaux et Services Multimédia Campus de Rennes ENST Ecole Nationale Filière MRI (Maîtrise des Supérieure des Ingénieurs Risques Industriels), de Bourges ENSI Université de Limoges Ecole doctorale Informatique, Télécommunications; Electronique, Paris+ Faculté des Sciences et Techniques 4 établissements, Univ. Paris VI, Paris VII, Paris Sud, ENS Licence Professionnelle Sécurité et Qualité en Télécommunications DESS Sécurité des Systèmes d'information DESS Droit de l internet Administration Entreprises Mastère Spécialisé en Sécurité des Systèmes d Information (co-délivré avec Supélec) Mastère spécialisé en Sécurité des systèmes informatiques et des réseaux Diplôme d ingénieurs Option Systèmes et Informatique (SI) en 3ème année DEA Cryptographie, Codage, Calcul Number of hours per year Credits (ECST) Professors in head count 2001/ /09/ n.d. 01/09/ (option 1) ECTS n. d (enseignants et industriels) 01/09/ n. d permanents DEA Algorithmique n.d. n. d; Source : CFSSI/OST survey, november 2002 (1) only the surveys received. (others courses have been surveyed but no answers were received, see annex for the 31 courses identified (legal, security and civil protection, intelligence management ). Number of students graduate by year Except for the ENST in Paris (1990) and the DEA in Limoges (1987), all these curricula are very recent. For 2001, an average of 20 students and a total of 163 students attended these courses. Most of the students end up with the final diploma. OST Fondazione Rosselli, Final Report, january