"Cybersecurity Education In a Developing Nation"

ABSTRACT

The ability to prevent successful cyberattacks against a nation’s critical infrastructure depends on the availability of a skilled cyber-literate workforce, and therefore, on an educational system that can build such capabilities.

INTRODUCTION

Many recent reports of cybersecurity attacks highlight the prevalence of a wide range of malicious activity and point to the growing sophistication of cyber threats. Frameworks designed to address the cybersecurity challenges at a national level focus on the need to build cybersecurity capabilities to achieve greater cyber readiness. Accordingly, nations have designed strategies to develop essential human talent, including cybersecurity education, training, and certifications. what are the challenges that universities face to provide cybersecurity education in a developing country? How can this country enhance cybersecurity education to support national cybersecurity capabilities? Over the last decade, the country has been experiencing a transformation of its educational system. The government has implemented a regulatory framework to assess, control, and improve the quality of higher education. Universities have been standardizing and updating their academic programs to comply with government requirements. However, these efforts are focused on improving general education and are not specifically linked to education in cybersecurity methods and strategies. While some educational institutions have not even started initiatives in cybersecurity, others struggle, mainly because of a lack of instructors with the necessary skills.

LITERATURE REVIEW

(i) countries at the forefront of cybersecurity, such as the USA, Canada, the UK, and Australia incorporate cybersecurity education at every stage of academic instruction; (ii) cybersecurity education has strong ties with military and security agencies––predominantly in the USA. (iii) there is a gap in both domains of education (formal and informal), and some countries have not even started their cyber-educational development.

CURRENT CYBER SECURITY EDUCATION

ACADEMIC INSTRUCTION

Many computer science students are educated in a combination of software engineering and systems engineering. Teaching at most universities has focused on computing application development and computing networks. Often, security courses are offered during the final semesters of a student’s program. In some cases, a security course is an elective, which produces an unwanted effect because students avoid taking it during the last semester (when for example they are concerned with searching for a job). In approximate order of frequency, the topics respondents mentioned were: Generalizations of information security Security management Security in operating systems Network security (e.g., Wi-Fi) Perimeter security (e.g., firewalls) Attacks on applications (e.g., SQL injection) Auditing Legal informatics Ethical hacking Security in databases Security awareness Cryptography

PROFESSIONAL CERTIFICATIONS

no university in our sample supports training that leads to cybersecurity certifications. Access to security equipment necessary to support such initiatives was reported to be expensive.

RESEARCH

Although there had been a few research initiatives, we saw very little evidence of academic cybersecurity research.

SELF ASSESSMENT

one academic department indicates security teaching is improving, and another department at the same university thinks this is not the case, which indicates that some departments (Computer Science, Computer Networks, and Electronics Engineering) at the same universities have different levels of expectation and preparation in security

ONGOING CHANGES

FACTORS DRIVING CYBERSECURITY EDUCATION

LACK OF SECURITY SPECIALISTS

There are few educators with formal education in cybersecurity. however, some specialists are not necessarily teaching security because they are pursuing higher degrees or teaching something else. As a result of this shortage, security instruction and the supply of cybersecurity skills suffer. Cybersecurity courses cannot be incorporated into the curricula when desired, and the quality of security courses is compromised when taught by non-experts since security content is often constrained in scope and lacks integration of theory with practice.

LACK OF INTERACTION WITH THE INDUSTRY

As a result of this lack of communication, opportunities for academia-industrial partnerships and understanding of cybersecurity demand have not developed. This barrier prevents collaboration concerning technical support and research funding. Also, universities have experienced difficulties learning what the industry needs in terms of cybersecurity skills.

INSUFFICIENT UNDERSTANDING OF CYBERSECURITY DEMAND

Comprehensive knowledge about the labor market demand for cybersecurity is not available, and there are different perceptions in universities across the country. Respondents (42%) felt that today's demand for security in the business sector is very low, so they fear that creating security programs for specialists may saturate the labor market rapidly. We feel the need, but there is little demand. It is less demand for software engineers. The most visible and potential sources of cybersecurity demand are in the financial services and government.

Local demand for cybersecurity should be understood in two ways. First, institutions in the market need graduates with security knowledge incorporated into CS and CN training, which will allow them to perform their primary jobs while applying security principles. For instance, in the financial sector software engineers are familiar with secure coding, and systems engineers knowing the secure implementation of IT infrastructure is desired. Second, security knowledge at the specialization level is wanted for positions such as security engineering. Most respondents believe specialization is more feasible at the MS graduate level as opposed to the undergraduate level, but accurate knowledge about demand is necessary before this MS process can begin. While some employers are discovering that they need individuals with cybersecurity skills, especially because they have already had harmful security experiences, others do not know what they need in terms of the cybersecurity workforce. As long as the market demand for security is not clear, it will be difficult to advocate for cybersecurity academic programs, even if resources become available. Hence, employers and educators must collaborate to identify the workforce competencies needed in the workplace.

LACK OF RESOURCES

Most universities do not have a well-equipped laboratory to teach cybersecurity practice. Interviewees argued that specialized equipment suitable to teach security is very expensive, but they also recognized the availability of open-source tools to solve particular needs. Moreover, given economic limitations, the ability to temporarily incorporate specialists to teach security content is even harder. Universities cannot match business sector salaries. On a few occasions, however, a few universities have obtained specialized support—especially for seminars or talks—because some specialists had motivations other than income.

LACK OF AWARENESS

universities reported having academic programs dating from 10 years ago when cybersecurity was not a prominent issue. Nevertheless, they emphasized that this fact has recently been changing.

OTHER FACTORS

Idiosyncrasy

A tendency to simply accept cyber risk was occasionally mentioned. This is consistent with Target’s (2010) findings regarding attitudes toward risk in developing countries.

Internal university policies

Some university policies prevent improvements in cybersecurity teaching and collaboration

Image description

DISCUSSION OF FINDINGS

It has recently been suggested that no country is fully prepared to meet the cybersecurity challenge. While some developed nations with a higher level of national cybersecurity performance have already started stronger workforce and educational programs to foster such preparation, studies suggest that many less developed nations have moved slowly to develop cyber capacity. The challenges that cybersecurity education currently faces mainly involve structural capabilities (e.g., skills), community integration, the uncertainty of demand, lack of awareness, economic resources, and governance. In undergraduate programs, most security content is integrated across several courses in CS and CN, but such integration is informal since, very often, academic instruction depends on instructors’ decisions, knowledge, and security skills. Lack of coordination among faculty can foster redundancies and/or gaps in security content. Although some security courses do exist, in many cases they were reported to be incomplete in scope or depth, especially because of a lack of expertise or resources such as labs.

The results of the interviews suggest that there is a shared perception that university priorities, lack of specialists, lack of institutional flexibility, and lack of understanding of demand prevent academics from advancing cybersecurity education. In addition, introducing security content in curricula competes for resources and time allocation with other academic content inherent to CS or CN programs, which also discourages augmenting cybersecurity knowledge. although universities with the most advanced preparation have developed particular strategies to address aspects of cybersecurity (e.g., MS programs, research initiatives, and specialized security courses), substantial efforts to strengthen cybersecurity education need to be pursued nationwide. These efforts need to take into account multiple areas in which cybersecurity education evolves.

Strategies for advancing cybersecurity education

The successful improvement of cybersecurity education cannot be achieved as an isolated effort pursued only by universities. Rather a community-based effort will be required. Examination of relevant literature shows that national initiatives to advance cybersecurity education (and workforce capabilities) involve six dimensions: capacity governance, academic programs, training, certification, research and development (R&D), and cybersecurity awareness.

Relevant content must be strengthened in both approaches for formal education in undergrad programs: (i) cybersecurity content integrated across core courses of CS and CN; and (ii) security topics addressed in cybersecurity courses.