4 research outputs found

    Using anomalous data to foster conceptual change in security awareness

    Users are often regarded as the weakest link in an information system. To this, information security awareness nowadays gains much attention in organizations, schools, and universities. Since the practice of safe computing involves individual perception, effective pedagogy that can deliver a proper message about security awareness is vital for information security education. This article reports an experiment conducted on 102 university students which determined if anomalous data can provoke conceptual change, and whether anomaly can affect the perception of information security of the students. With evidences found from the experiment, it is concluded that conceptual change fostered by anomalous data is an effective pedagogy for information security education. ©2009 IEEE. The IEEE International Symposium on Intelligent Signal Processing and Communication Systems (ISPACS 2009), Kanazawa, Japan, 7-9 January 2009. In Proceedings of the IEEE ISPACS, 2009, p. 638-64

    Cyber Security for Everyone: An Introductory Course for Non-Technical Majors

    In this paper, we describe the need for and development of an introductory cyber security course. The course was designed for non-technical majors with the goal of increasing cyber security hygiene for an important segment of the population—college undergraduates. While the need for degree programs that focus on educating and training individuals for occupations in the ever-growing cyber security field is critically important, the need for improved cyber security hygiene from the average everyday person is of equal importance. This paper discusses the approach used, curriculum developed, results from two runs of the course, and frames the overall structure of the course using Bloom’s Taxonomy. Likewise, we discuss the benefits such a course provides to various stakeholders. Challenges and opportunities are discussed

    The Professionalisation of Information Security: Perspectives of UK Practitioners

    In response to the increased “cyber” threats to business, the UK and US Governments are taking steps to develop the training and professional identity of information security practitioners. The ambition of the UK Government is to drive the creation of a recognised profession, in order to attract technology graduates and others into the practice of cybersecurity. Although much has been written by state bodies and industry commentators alike on this topic, we believe this qualitative study is the first empirical academic work investigating attitudes to that professionalisation amongst information security workers. The results are contextualised using concepts from the literature in the fields of professionalisation and social topics in information security. Despite the movement to establish professional status for their industry, these practitioners showed mixed levels of support for further professionalisation, with a distinctly wary attitude towards full regulation and licensing and an explicit rejection of elitist and exclusive models of profession. Whereas the UK Government looks to establish “professional” status in order to attract entrants, such status in itself was seen to be of little import to those already working in the area. In addition there are significant tensions between managers embracing business- and human-centred security and those more interested in the technical practice of executing policy. While these tensions continue, the results suggest that state attempts artificially to catalyse the professionalisation process for this group would be precipitate. Historically such projects have risen from the front line; ambitions to move the industry in that direction might see more success by identifying and delegating control to a single regulatory body, founded and respected by the people it aims eventually to regulat

    To What Extent Has Information Security Professionalism Achieved Recognition?

    The practice of securing information was until recently associated strongly with securing the Information Technology systems which store and process it. As it has developed as a specialised area of work however, particularly as the critical importance of human and social factors has increasingly been recognised, it has acquired an identity separate from that of computing. The separation has been sufficient for the formation of a new, distinct occupation, with specialised credentialing bodies being established to attest to practitioners’ professional competence. This study is the first empirical academic investigation into the professionalisation of UK Information Security. It considers attitudes towards professional status, the desirability and practicality of licensing, the current standing of the occupation and its prospects for the future. The analysis draws heavily from the substantial Sociology of the Professions, both from the structural and procedural theory of profession-forming and the later critiques of motivation, class and power. Semi-structured interviews were undertaken with twenty-seven individuals comprising security analysts, managers, academics, professional bodies and the UK Government. Interviews took place between November 2012 and March 2015. Results are presented in two stages of analysis, using Actor–Network Theory as a theoretical lens. Whilst significant progress has been made towards forming a recognisable Information Security profession, its status is not yet comparable to more established peers. Aligned with US National Research Council findings but using a broader basis in professionalisation theory, the UK occupation was found to be too diffusely demarcated both internally and with respect to its bordering professions. It has yet to coalesce around distinct internal specialities with discrete qualification routes and establish the hierarchical arrangement of its major branches. 
Without such stratification of roles and a well-accepted claim to controlling a clearly demarcated body of knowledge, it is not possible to establish the boundaries of a graduate profession superior to any supporting para-professions, and thus position itself as requiring an advanced abstract education comparable to its peers. A rationalisation of credentials and institutions is required to produce a strong professional body which can advance the cause of the profession and properly establish and embed these roles. At present however – contrary to the tenor of much of the relevant sociology – neither the pursuit of professional status nor the exclusion of unqualified workers were found to be major motivators for current practitioners. By contrast government, the final arbiter of professional monopoly, is attempting urgently to increase the appeal of the profession to address a national skills shortfall, but is wary of direct market intervention in the form of licensing. Therefore, whilst change is rapid, significant impediments to full professional recognition remain