One last post before I hit the hay and try to finish my current Kindle read.

The more time I spend in the classroom as an Adjunct Professor at Colorado Technical University teaching security courses for those seeking degrees in various security disciplines, the more I realize that the vast majority of higher education students are receiving no computer security or information security training.  I am absolutely convinced that there should be a requirement that the vast majority of undergraduate students should have at least two computer/information security courses; one in their first semester of their first year and one in their final semester of their final year.  By the way, these are not IT or CompSci students I’m talking about.

These students have majors in business, accounting, education, health care, law, criminal justice, administration, languages, political science, biology, chemistry, etc.  The reason?  Nearly every one of these people will interact with a system that processes or contains HR data, customer information, patient data, company trade secrets and a multitude of other types of information.  These are among the people who reply to emails from Sgt Ralph Brek “with the United Nations troop in Afghanistan, on war against terrorism” (the latest phishing scam that’s shown up in my inbox) with all of the information that he’s requesting.

These are the same people who would very likely answer specific, targeted questions about the company for which they work if asked by an otherwise well-meaning person.  These are the people who would give up essential information that might otherwise be thought to be benign.  But it’s not wholly their fault.  I’ve a philosophy that those “stupid users” we hear so much about from IT and security staff only do what they are allowed to do, in the environment they are allowed to do it in, with the knowledge or training they are given.  They are as much a victim in many cases as the organization whose information was just compromised.

This education would serve two purposes.  First, it would give the institution the ability to train students on the proper use of school assets by talking about real-world issues that affect both the student and the institution (phishing, malware, etc.).  Second, it would prepare the graduating student for life after college as they enter the job market.  I realize that many higher ed institutions will say, “Well, that’s not our responsibility,” but they have this two-year “general education” program that students go through to learn to write, spell, speak and interact, do they not?  What’s the difference between a humanities class as a freshman for an accounting major and what I’m proposing above?

This train of thought for me has come from years of seeing classes, books, manuals and certifications geared toward the student or professional who wants to work in an information security discipline and not so much to the users or customers that the information security professional serves.  It seems to me that part of this is backwards.

Comments

  1. Jon Amato on 12.09.2009

    I’ve always asked myself – “how screwed would we be if phishing emails were written by English majors with backgrounds in corporate communications?”

  2. Will Gragido on 12.09.2009

    Great post. I think they should have this type of training as well. In many ways this is more necessary to your points than people can imagine.
