Dr. Helen Armstrong and Colin Armstrong

Abstract. This paper presents a proposal for a working group
session on the role of industry training and professional
certification in information security education at the tertiary
level. The main question posed is: does industry training and
professional certification have a place in university
information security courses? If so, what industry training and
professional accreditation courses are appropriate, and what is
the place of these in academic courses, and why? The discussion
will centre on three areas: first, the nature of the linkage
between industry requirements and academic offerings at
university; second, the relevance of industry training and
professional certification; and third, the role industry
training and certification should play in information security
university courses.

Sean Peisert and Dr. Matt Bishop

Abstract. In this paper, we discuss the
scientific method and how it can be applied to computer security
experiments. We reiterate a number of general scientific
principles, such as falsifiable hypotheses, scientific controls,
reproducible results, and data quality.
Abstract. There are aspects of what we teach that pervade
and tie together the discipline, aspects whose understanding
identifies the IA professional. Yet it seems that these
pervasive themes cannot be taught; they can only be learned by
repeated experience with them. For example, the use of
abstraction and models to prescribe, describe and predict system
behavior is difficult to teach except by repeated experience.
Once comprehended by the student, it transforms their outlook on
the discipline, integrating multiple previously learned pieces
of knowledge. Together with other pervasive themes, it
identifies the student as a member of the profession. Pervasive
themes can be characterized (Meyer [2003]) as transformative
(they change how students think), irreversible (once understood,
they are never forgotten), integrative (they provide a framework
for understanding previous concepts), bounded (they serve as
discipline boundaries, in that understanding them identifies
someone as a member of the discipline) and troublesome (they are
difficult to learn). In addition to cognitive elements
(knowledge and intellectual skills), many pervasive themes have
affective elements: educational objectives that treat values and
attitudes. In IA education, the objective is more than being
able to specify a security policy when so directed. At the
least, an IA professional should initiate consideration of
security in any system development process. More than this, the
IA professional should become a role model for others in the
integration of security concerns into all aspects of system
development. This workshop asks the questions: what are the
pervasive themes of IA education, what are their affective
components, how can values and attitudes appropriate for IA
professionals be taught, and how can those affective components
be assessed?
Abstract. Email communication is growing as a main method for
individuals and organizations to communicate. Sadly, it is also
an emerging means of conducting crime in the cyber world, e.g.
identity theft and virus attacks. The need to improve awareness
of these threats amongst employees is evident in media reports.
Information security is as much a people issue as a technology
one. This paper presents a description and results of an email
awareness experiment that was performed amongst staff from a
South African university. It is shown how management can use
these results to focus and improve ICT awareness.
Abstract. Training, certification and
accreditation are concepts that are used in almost all aspects
of professional life. This paper reviews current initiatives in
Forensic Computing training and certification in Australia and
the effect of this on National Accreditation processes.
Abstract. This paper presents a vulnerability analysis course
developed especially for practitioners and the experiences
gained from it. The described course is a compact three-day
course initially aimed at educating practitioners in the process
of finding security weaknesses in their own products. After
giving an overview of the course, the paper presents results
from two different types of course evaluation. One evaluation
was done on-site on the last day of the course, while the other
was made 3-18 months after the participants had finished the
course. Conclusions drawn from these with regard to recommended
content for vulnerability analysis courses for practitioners are
also provided.
Abstract. Cyber Defense Exercises (CDX)
continue to gain appreciation in the context of information
security education. Primarily conducted in academic
environments, the call for CDX is beginning to breach that
boundary. Existing models are challenged by cost, agility,
legality, and scope. This paper presents a model that addresses
these challenges through a CDX service provider model.
Abstract. Knowledge of mathematical
foundations of Cryptography is of paramount importance for
students wanting to succeed in graduate degree programs in
Computer Science with concentration in security. Cryptography, a
relatively new field, has yet to establish a core set of topics
and the optimal sequence of their presentation to prepare
students for a career in the field of IT security. This paper
presents syllabi of two courses on public and private key
cryptography offered to continuing education students at Boston
University.
Abstract. Modern university studies cater to
large groups of students with considerable variation in
background knowledge. This creates problems when designing
viable practical exercises, not least for the subject of IT
Security. We address these problems by creating a study
environment within which students have the freedom to design and
execute their own exercises. We suggest and test ideas for
providing sufficient motivation and structure for student
activity while minimizing the need and cost for staff
intervention.
Abstract. This paper discusses how learning material in the
form of computer games in the area of ICT security affects ICT
security usage. The findings from a user study show that
computer games can be efficient learning environments for using
security tools in terms of accessibility, safety, and speed. By
replicating an earlier usability study, in which the
participants utilized security tools to send and receive
encrypted emails, the practical consequences of learning via
Game-Based Instruction were evaluated; the findings show that
none of the participants who were given the chosen computer game
as instruction before the actual assignment made any serious
error when applying their security knowledge, in contrast to the
participants who did not receive any instruction beforehand.
They also finished the assignment faster than the corresponding
participants. To be able to evaluate the "practical knowledge"
acquired, a model for Vital Security Functions was created that
allows for comparison of security usage between high-level
security applications.
Abstract. In WISE 4, Armstrong [1] presented a
multidisciplinary view of computer forensics education. That
view focused solely on the education of computer forensics
students, which was indeed along the lines of
multidisciplinarity. However, it does not involve integration
between the different disciplines. In this paper, the scope of
the approach is extended in order to allow a two- or three-way
relationship between the disciplines of Computing, Psychology
and Law and thus create an interdisciplinary perspective. It is
shown how the study material was integrated and developed to
suit the three disciplines.
Abstract. There exists a disconnect between the expectations of
students of information security and the requirements imposed on
their mathematical abilities and maturity at both the M.Sc. and
Ph.D. levels. In this paper we discuss efforts at Gjøvik
University College, Norway, to bridge this gap: on the one hand
by providing a targeted curriculum component intended to provide
the necessary mathematical tools for conducting research at the
doctoral level, and on the other hand by critically examining
the curricular dependencies and requirements at the M.Sc. level,
where two factors are becoming evident. First, not all students
at this level have adequate mathematical backgrounds to be able
to profit fully from the program even though they may meet all
formal prerequisites. Second, there may exist areas where the
depth and rigor of the mathematical foundations currently in
place in the curriculum are not strictly necessary. Both of
these factors can impede access to, and subsequent success in,
graduate programs and must therefore be addressed carefully with
the aim of striking a balance between these competing
objectives.
Abstract. It could be argued that the academic perspective on
computer forensic practitioner requirements, which reflects the
thinking world (and is based on scientific methods), does not
accurately reflect those requirements considered important by
some of the people universities would desire as students: the
computer forensic practitioners. This paper presents an analysis
of data collected from full-time practitioners representing
three perspectives: military, law enforcement, and forensic
scientist. It also examines the needs of practitioners and
compares these with academic contributions intended to meet
these needs.
Abstract. The paper presents an overview of the Computer and
Network Security course offered through the distance education
division as part of the online degree program. Topics presented
in the online format are compared with those presented in a
traditional curriculum in the face-to-face format. The pros and
cons of each format are discussed. Unique to the online course
are weekly discussion topics that require each student's
participation and follow-ups to the postings of other students.
A distinguishing aspect of the online course is a three-week
case study assignment exploring a practical security framework
encountered in real companies.
Abstract. Electronic voting systems are widely
used in elections. This paper describes using an e-voting system
as the basis for a project in an undergraduate computer security
class. The goal of the project was to teach the students how to
use the Flaw Hypothesis Methodology to perform a penetration
study.
Abstract. Most traditional software
development methodologies do not explicitly include a
standardized method for incorporating information security into
their life cycles. It is argued that security considerations
should provide input into every phase of the Software
Development Life Cycle (SDLC), from requirements gathering to
design, implementation, testing and deployment. Therefore, to
build more secure software applications, an improved software
development process is required. The Secure Software Development
Model (SecSDM), as described in this paper, is based on many of
the recommendations provided by relevant international standards
and best practices, for example, the ISO 7498-2 (1989) standard
which addresses the underlying security services and mechanisms
that form an integral part of the model.
Abstract. This paper presents a model for use
by students and supervisors embarking upon higher degrees by
research with specific application to information security. The
model details a set of questions to be asked in preparing for
the research in order to ensure a well planned and cohesive
research project and written thesis.
Abstract. This paper describes a course in
computer security for advanced undergraduate students in
computer science and software engineering. The aim of the course
is to give the student a thorough grounding in the principles
and practice of cryptography and secure network protocols, and
in the application of these to the development of e-commerce
applications. An important part of the learning process is an
assignment in which the student develops software for a
specified e-commerce application. The paper describes a number
of these assignments that have been run over the past several
years, and reflects on the lessons learned.
Abstract. On the basis of an analysis of the Standard of the
Central Bank of Russia “Ensuring Information Security for
Organizations of Banking system of the Russian Federation. Basic
principles.”, the qualification requirements have been defined
for specialists with higher education in the field of
information security who may be sought for work in the banking
sphere.
Abstract. Academic institutions educate future Information
Security and Critical Infrastructure Protection (ISCIP)
professionals, offering expedient and broad knowledge of the
field. As industry often demands higher productivity and
stronger specialization, several organizations (academic,
governmental, industrial) have considered the use of a Common
Body of Knowledge (CBK) to serve as a tool that appropriately
groups together the essential knowledge of this field. In this
paper, we review the content of current ISCIP curricula, define
the necessary skills of an ISCIP professional, as indicated and
suggested by the industry, and form a multidisciplinary CBK of
the ISCIP field.