Abstract
A novel idea for information security education created by the New York State Center for Information Forensics and Assurance (CIFA) is presented. This new approach incorporates a teaching hospital model originally developed for medical training. In this model, information security problems from industry and government are solved and abstracted into living-cases used for training and education of university students and public-sector employees. Such a model helps ensure that the curriculum stays current even as the field of information assurance continues to evolve. Solving industry problems hones research skills, while exposing students to living cases helps build context for concepts in information assurance. The success of this approach is contingent upon strong partnerships with government and private organizations that have real security issues as well as an active research program in information security that involves faculty and students. This article presents an implementation of this approach at CIFA. Development of the curriculum, observations gleaned through dissemination of the curriculum, and the infrastructure developed to support this concept are discussed. Evaluation of students has demonstrated the effectiveness of the “teaching hospital” concept and provided us with feedback to further refine its implementation.
Index Terms
- Innovative model for information assurance curriculum: A teaching hospital