Creating the Cybersecurity Renaissance ManExpanding IT Security Education Beyond the Technical
"We should be developing a new breed of multidisciplinary cybersecurity experts educated in the areas of people, such as psychology and organizational behavior and processes, such as management, business process and the law," says Anita D'Amico, a PhD psychologist who is director of the Secure Decisions division of Applied Visions, a maker of cyber-situational awareness software.
Security practitioners traditionally have been trained rather than educated, D'Amico says, with an emphasis on specifics applications, tools and techniques rather than gaining an understanding of the principles and behaviors that inform cyber security. It's a point others endorse.
"There is a need for multidisciplinary courses that introduce important matters relating to management, law, policy, human behavior, and the international dimensions of cybersecurity," says Seymour Goodman, professor of international affairs and computing at Georgia Institute of Technology. "Only a small number of universities have serious courses of this kind. They should be designed with the intention of facilitating export to many institutions since few have faculty in positions to work on these aspects at this time."
D'Amico says those training future cybersecurity professionals need to understand why perceptions of security risk does not match reality. "Risk perception is critical to helping us understand how to motivate secure behavior, make better decisions and create policies that discourage destructive or invasive behavior through real consequences," she says.
Cornell University Computer Science Professor Fred Schneider envisions a cybersecurity professional degree that not only would cover technical subjects - computer security principles, distributed systems and networking, systems reliability, software engineering, cryptography and - user interfaces and human factors - but non-technical ones such as cyber-law (intellectual property, communications and privacy law), ethics, economics of computing and networking, business strategy and human relations, including the management of people.
Schneider proffers a multidiscipline undergraduate program for system trustworthiness, which he says would be analogous to pre-law or pre-med, with courses offered from various academic departments.
"This broad education would enable a cybersecurity professional to use all conceivable technical and policy tools for achieving trustworthiness," Schneider says. "It would also ensure that solutions could be evaluated in a broader societal context, so that risk-management and trade-offs between different social values - such as privacy versus accountability - can be contemplated."
The comments from D'Amico, Goodman and Schneider come from testimony they submitted to the House Committee on Science and Technology's Subcommittee on Research and Science Education. Here are related stories based on their testimony: