4,031 research outputs found

    Newsletter Spring 2015


    The Effect of Security Education and Expertise on Security Assessments: the Case of Software Vulnerabilities

    In spite of the growing importance of software security and the industry demand for more cyber security expertise in the workforce, the effect of security education and experience on the ability to assess complex software security problems has only recently been investigated. As a proxy for the full range of software security skills, we considered the problem of assessing the severity of software vulnerabilities by means of a structured analysis methodology widely used in industry (i.e. the Common Vulnerability Scoring System (CVSS) v3), and designed a study to compare how accurately individuals with a background in information technology but different professional experience and education in cyber security are able to assess the severity of software vulnerabilities. Our results provide some structural insights into the complex relationship between education or experience of assessors and the quality of their assessments. In particular, we find that individual characteristics matter more than professional experience or formal education; apparently it is the combination of skills that one owns (including the actual knowledge of the system under study), rather than the specialization or the years of experience, that most influences the assessment quality. Similarly, we find that the overall advantage given by professional expertise significantly depends on the composition of the individual security skills as well as on the available information. Comment: Presented at the Workshop on the Economics of Information Security (WEIS 2018), Innsbruck, Austria, June 201

    Multidisciplinary Game-Based Approach for Generating Student Enthusiasm for Addressing Critical Infrastructure Challenges

    Building upon experiences from past course offerings, several universities across the United States (U.S.) have incorporated a critical infrastructure educational game platform as a unifying platform to integrate different disciplines to a common goal. The critical infrastructure backbones of the world provide the delivery mechanisms for energy and other utilities that provide the lifestyle we have come to expect in our society. As these critical infrastructure systems have evolved, the complexity of their integration has generated numerous challenges as a side effect of increased automation that are more pronounced as the infrastructure ages. Although still a modern technological wonder, the power grid needs a workforce that understands the complex, interdependent facets of the current grid as it evolves to a smarter grid and is pushed closer to its limits through improvements in automated measurement and control. The next generation of technology developers and operators will require an interdisciplinary understanding to reliably and securely integrate advanced communication and control technologies into the infrastructure and create systems to address the new demands of increased renewable and distributed generation, complex markets, and resilience to damaging storms and cyber attacks. Educational institutions need to accept the challenge of weaving the great diversity of contributing disciplines into the common fabric which allows specialties to effectively work together.

    The Scientist, 2015


    Newsletter, Winter 2022


    Securing intellectual capital: an exploratory study in Australian universities

    Purpose – To investigate the links between IC and the protection of data, information and knowledge in universities, as organizations with unique knowledge-related foci and challenges. Design/methodology/approach – We gathered insights from existing IC-related research publications to delineate key foundational aspects of IC, identify and propose links to traditional information security that impact the protection of IC. We conducted interviews with key stakeholders in Australian universities in order to validate these links. Findings – Our investigation revealed two kinds of embeddedness characterizing the organizational fabric of universities: (1) vertical and (2) horizontal, with an emphasis on the connection between these and IC-related knowledge protection within these institutions. Research implications – There is a need to acknowledge the different roles played by actors within the university, and the relevance of information security to IC-related preservation. Practical implications – Framing information security as an IC-related issue can help IT security managers communicate the need for knowledge security with executives in higher education, and secure funding to preserve and secure such IC-related knowledge, once its value is recognized. Originality/value – This is one of the first studies to explore the connections between data and information security and the three core components of IC’s knowledge security in the university context.