"Cybersecurity Education In a Developing Nation"

ABSTRACT

The ability to prevent successful cyber attacks against a nation’s critical infrastructure depends on the availability of a skilled cyber-literate workforce, and therefore, on an educational system that can build such capabilities.

INTRODUCTION

Many recent reports of cybersecurity attacks highlight the prevalence of a wide range of malicious activity and point to the growing sophistication of cyber threats. Frameworks designed to address the cybersecurity challenge at a national level focus on the need to build cybersecurity capabilities to achieve greater cyber readiness.
Accordingly, nations have designed strategies to develop essential human talent, including cybersecurity education, training, and certifications.
what are the challenges that universities face in order to provide cybersecurity education in a developing country?
How can this country enhance cybersecurity education to support national cybersecurity capabilities?
Over the last decade,the country has been experiencing a transformation of its educational system. The government has implemented a regulatory framework to assess, control, and improve the quality of higher education. Universities have been standardizing and updating their academic programs to comply with government requirements. However, these efforts are focused on improving general education, and are not specifically linked to education in cybersecurity methods
and strategies. While some educational institutions have
not even started initiatives in cybersecurity, others struggle, mainly because of a lack of instructors with the necessary skills.

LITERATURE REVIEW

(i) countries at the forefront in cybersecurity, such as the USA, Canada, the UK, and Australia incorporate cybersecurity education at every stage of academic instruction;
(ii) cybersecurity education has strong ties with military
and security agencies––predominantly in the USA.
(iii) there is a gap in both domains of education (formal and informal), and some countries have not even started their cyber educational development.

CURRENT CYBER SECURITY EDUCATION

ACADEMIC INSTRUCTION

Many computer science students are educated in a combination of software engineering and systems engineering. Teaching at most universities has focused on computing applications development and computing networks.
Often, security courses are offered during the final semesters of a student’s program. In some cases, a security course is an elective, which produces an unwanted effect because students avoid taking it during the last semester (when for example they are concerned with searching for a job).
In approximate order of frequency, the topics respondents
mentioned were:
Generalizations of information security
Security management
Security in operating systems
Network security (e.g., Wi-Fi)
Perimeter security (e.g., firewalls)
Attacks on applications (e.g., SQL injection)
Auditing
Legal informatics
Ethical hacking
Security in databases
Security awareness
Cryptography

PROFESSIONAL CERTIFICATIONS

no university in our sample supports training that leads
to cybersecurity certifications. Access to security equipment necessary to support such initiatives was reported to be expensive.

RESEARCH

Although there had been a few research initiatives, we saw very little evidence of academic cybersecurity research.

SELF ASSESSMENT

one academic department indicates security teaching is improving, another department at the same university thinks this is not the case, which indicates that some departments
(Computer Science, Computer Networks, and Electronics Engineering) at the same universities have different levels of expectation and preparation in security

ONGOING CHANGES

FACTORS DRIVING CYBERSECURITY EDUCATION

LACK OF SECURITY SPECIALISTS

There are few educators with formal education in cybersecurity. however, some specialists are
not necessarily teaching security because they are pursuing higher degrees or teaching something else. As a result of this shortage, security instruction and supply of
cybersecurity skills suffer. Cybersecurity courses cannot be incorporated into the curricula when desired, and the quality of security courses is compromised when taught by non-experts since security content is often constrained in scope and lacks integration of theory with practice.

LACK OF INTERACTION WITH THE INDUSTRY

As a result of this lack of communication, opportunities for
academia-industrial partnerships and understanding of cybersecurity demand have not developed. This barrier prevents collaboration concerning technical support and research funding. Also, universities have experienced difficulties learning what the industry needs in terms of cybersecurity skills.

INSUFFICIENT UNDERSTANDING OF CYBERSECURITY DEMAND

Comprehensive knowledge about labor market demand for cybersecurity is not available, and there are different perceptions in universities across the country. Respondents
(42%) felt that today demand for security in the business sector is very low, so they fear that creating security programs for specialists may saturate the labor market rapidly. We feel the need, but there is little demand. It is less than demand for software engineers. Most visible and potential sources of cybersecurity demand are in
the financial services and government.

Local demand for cybersecurity should be understood in two
ways. First, institutions in the market need graduates with security knowledge incorporated into CS and CN training, which will allow them to perform their primary jobs while applying security principles. For instance, in the financial sector software engineers familiar with secure coding and systems engineers knowing secure implementation of IT infrastructure are desired [21]. Second, security know-
ledge at the specialization level is wanted for positions such as security engineer. Most respondents believe specialization is more feasible at the MS graduate level as opposed to undergraduate level, but accurate knowledge about demand is necessary before this MS process can begin.
While some employers are discovering
that they need individuals with cybersecurity skills, especially because they have already had harmful security experiences, others do not know what they need in terms of cybersecurity workforce. As long as the market demand for security is not clear, it will be difficult to advocate for cybersecurity academic programs, even if resources become available. Hence, it is essential that employers and educators collaborate to identify the workforce competencies needed in the workplace.

LACK OF RESOURCES

Most universities do not have a well-equipped laboratory to teach cybersecurity practice. Interviewees argued that specialized equipment suitable to teach security is very expensive, but they also recognized availability of open source tools to solve particular needs.
Moreover, given economic limitations, ability to temporarily incorporate specialists to teach security content is even harder. Universities cannot match business sector salaries. On a few occasions, however, a few universities have obtained specialized support—especially for seminars or talks—because some specialists had motivations other than income.

LACK OF AWARENESS

universities reported having academic programs dating
from 10 years ago, when cybersecurity was not a prominent issue. Nevertheless, they emphasized that this fact has recently been changing.

OTHER FACTORS

Idiosyncrasy

A tendency to simply accept cyber risk was occasionally mentioned. This is consistent with Target’s (2010) findings regarding attitude toward risk in developing countries.

Internal university policies

Some university policies prevent improvements in cybersecurity teaching and collaboration

DISCUSSION OF FINDINGS

It has recently been suggested that no country is fully prepared to meet the cybersecurity challenge. While some developed nations with a higher level of national cybersecurity performance have already started stronger workforce and educational programs to foster such preparation, studies suggest that many less developed nations
have moved slowly to develop cyber capacity. The challenges
that cybersecurity education currently faces mainly involve structural capabilities (e.g., skills), community integration, uncertainty of demand, lack of awareness, economic resources, and governance. In undergraduate programs, most security content is integrated
across several courses in CS and CN, but such integration is informal since, very often, academic instruction depends on instructors’ decisions, knowledge and security skills. Lack of coordination among faculty can foster redundancies and/or gaps in security content. Although some security courses do exist, in many cases they were reported to be incomplete in scope or depth, especially because of lack of expertise or resources such as labs.

The results of the interviews suggest that there is a shared perception that university priorities, lack of specialists, lack of institutional flexibility, and lack of understanding of demand prevent academics from advancing cybersecurity education. In addition, introducing security content in curricula competes for resources and time allocation with other academic content inherent to CS or CN programs, which also discourages augmenting cybersecurity knowledge.
although universities with the most advanced preparation have developed particular strategies to address aspects of cybersecurity (e.g., MS programs, research initiatives, and specialized security courses), substantial efforts to strengthen cybersecurity education need to be pursued nationwide. These efforts need to take into account multiple areas in which cybersecurity education evolves.

Strategies for advancing cybersecurity education

The successful improvement of cybersecurity education cannot be achieved as an isolated effort pursued only by universities. Rather a community-based effort will be required. Examination of relevant literature shows that national initiatives to advance cybersecurity education (and workforce capabilities) involve six dimensions: capacity governance, academic programs, training, certification, research and development (R&D), and cybersecurity awareness.

Relevant content must be strengthened in both approaches for formal education in undergrad programs: (i) cybersecurity content integrated across core courses of CS and CN; and (ii) security topics addressed in cybersecurity courses.