Teaching Cybersecurity
A
Handbook for Teaching the Cybersecurity Body of Knowledge in a Conventional Classroom
Daniel Shoemaker, Ken Sigler, and Tamara Shoemaker
First edition published 2023 by CRC Press
6000 Broken Sound Parkway NW, Suite 300, Boca Raton, FL 33487-2742
and by CRC Press
4 Park Square, Milton Park, Abingdon, Oxon, OX14 4RN
CRC Press is an imprint of Taylor & Francis Group, LLC
© 2023 Daniel Shoemaker, Ken Sigler and Tamara Shoemaker
Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use. The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained. If any copyright material has not been acknowledged please write and let us know so we may rectify in any future reprint.
Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers.
For permission to photocopy or use material electronically from this work, access www.copyright.com or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. For works that are not available on CCC please contact mpkbookspermissions@tandf.co.uk
Trademark notice : Product or corporate names may be trademarks or registered trademarks and are used only for identification and explanation without intent to infringe.
Library of Congress Cataloging-in-Publication Data
Names: Shoemaker, Dan, author. | Sigler, Kenneth, author. | Shoemaker, Tamara, (Cyber security expert), author.
Title: Teaching cybersecurity : a handbook for teaching the cybersecurity body of knowledge in a conventional classroom / Daniel Shoemaker, Ken Sigler, and Tamara Shoemaker.
Description: First edition. | Boca Raton, FL : CRC Press, 2023. | Series: Security, Audit and Leadership Series | Includes bibliographical references.
Identifiers: LCCN 2022038672 (print) | LCCN 2022038673 (ebook) | ISBN 9781032034089 (hbk) | ISBN 9781032034096 (pbk) | ISBN 9781003187172 (ebk)
Subjects: LCSH: Computer networks--Security measures--Study and teaching. | Internet--Security measures--Study and teaching.
Classification: LCC TK5105.59 S56 2023 (print) | LCC TK5105.59 (ebook) | DDC 005.8071--dc23/eng/20221018
LC record available at https://lccn.loc.gov/2022038672
LC ebook record available at https://lccn.loc.gov/2022038673
ISBN: 978-1-032-03408-9 (hbk)
ISBN: 978-1-032-03409-6 (pbk)
ISBN: 978-1-003-18717-2 (ebk)
DOI: 10.1201/9781003187172
Typeset in Caslon by KnowledgeWorks Global Ltd.
Foreword
Courage is fear in action! Cybersecurity education needs a whole lot of courage! But the security of our digital world requires that we have to act now!
Cybersecurity is all about protecting our digital world. We are woefully short of cybersecurity professionals with a gap of almost 600,000 based on www.cyberseek.org (March 2022). That number keeps growing; it has nearly doubled in four years. As a nation, we are hopeful of transitioning professionals in computer-related fields to cybersecurity, and we should also be educating the next generation of digital world defenders. Cybersecurity education does not fit into the traditional middle school or high school models. Yet, it is so important that it needs to find a way to be included in as many educational settings as possible.
I see myself as a cybersecurity “champion” who keeps pushing to get our classes and cyber teams’ resources, support, and permissions. This book is for cybersecurity teachers – I challenge you to take on the mantle of cybersecurity champion at your school and in your community.
Cyber champions need to have a sharable vision of what is possible, be willing to keep knocking on doors until you get a few to open, ensure that students are safe and school resources are appropriately protected and spread the news far and wide. Who is the best person
for such a champion? There is no stereotype; every community, school district, and school is unique. But, starting at the top with the school district leadership or school principal helps give new program legs. Parents can also really make things happen especially if you advocate for your child who is just starting at a school. The longer a parent can support a school, the better the long-term prognosis. Teachers can also make things happen, as in my case.
Champions need to have a different “elevator” pitch for each group they are trying to persuade school leadership, parents, and students. When my district superintendent practiced what I call “leadership by walking around,” he popped into my classroom. I showed him the cyberseek.org website, and he was swift to understand that my prog ram was offering his graduates jobs and promised me whatever support I needed. In the past three years, four of our graduates have been hired to be cybersecurity professionals based on their high school experience – Dr. Scambray was right!
For the teacher who reads this book, the first thing to realize is that you know more about cybersecurity than anyone else on campus. Even if you knew nothing and were voluntold to teach a cyber class, your interest in and experience with technology are great starting points. You and your students will be learning a lot. I explained how guinea pigs were often used to experiment with various things, and then I stated that each was a guinea pig and that I was the head guinea pig. Some days were going to be exceptional, while others would not be nearly as effective. That is okay and expected when you explore a new field of education.
Other cybersecurity teachers created a faint cybersecurity education path, so you do not have to blaze your pathway. I was on two brand new ships during my twenty-one years as a Sailor. In both cases, we never tried to create anything ourselves. In a similar vein, you will find other teachers who will help. I am certainly happy to share all of my teaching experiences and most of my competition tips. (Troy Cyber’s secret sauce that has created multiple national cybersecurity champions will remain a secret.)
I have taught high school since 2005 in California. So I am very familiar with the California education requirements for high school students; most states have similar standards. It is impractical to expect that we will somehow add cybersecurity as yet another graduation
requirement. Education tends to be a zero-sum game; a class needs to be dropped if you add a course. But there are still ways to include cybersecurity as an option for some students. We need to be innovative and find areas where we can:
1. Incorporate cybersecurity lessons into existing lessons.
2. Create electives for students to experience cybersecurity first hand.
3. Start after-school cybersecurity programs like CyberPatriot.
4. Offer summer cybersecurity camps.
5. Look for new ideas based on lessons learned for all of these options.
Does this sound too ambitious? We are doing all of these at Troy High School in Fullerton, California. None of these happened quickly; they are the result of twelve years of good intentions, missteps, having myself and students acting as guinea pigs as we tried different curricula, ideas, labs to find what worked and what did not.
We started with five students in 2010 and found that they liked learning about cybersecurity, and soon others wanted to join in. In 2015, we offered our local middle school the opportunity to have some of their students join us after school for our twice-weekly cyber practice. In September, what started as five 7th and 8th grades, we became twenty by December. Our school leadership took notice when I gave them an update. Certainly, seeing a middle schooler in a high school classroom is already a success story; they see the “next level” of education. But these students were learning about hardening Windows and Linux computers, a skill usually reserved for upper-division college students in the mid-2010s. These thirteen- and fourteen-year-olds enjoyed learning from high school students and were not intimidated. In addition, I noticed that a higher percentage of females came from middle school; this is another huge reason to offer cybersecurity education at the middle school level.
Troy High School decided to offer a pathway for the 2016–2017 school year. It is time to transform other schools into Troy-like. It is not about the number of students. What matters is passion and quality of instruction and allowing ALL students to see if “Cyber is their thing.”
The Troy model treats cyber as a sport. We have try-outs, summer camps, regular weekly practices, team rosters, varsity letters, letter jackets, end-of-season banquet, inclusion in the school’s morning announcements, a page in the yearbook, and our national achievements painted outside of our classroom. Many of these things made sense, but others were inspired by our students, parents, and vision. I challenge others to follow our lead!
Thank you to Dan and Tamara Shoemaker and Ken Sigler for this book that I hope will inspire a brand-new group of cybersecurity educators and give you the courage to open those closed doors.
Allen Stubblefield
Cybersecurity and IT teacher, Troy High School, Fullerton, California
Head Cybersecurity Coach, Troy Cyber, Fullerton, California
Authors
Daniel Shoemaker, PhD, is a distinguished visitor of the IEEE, full professor, senior research scientist, and program director at the University of Detroit Mercy’s Center for Cyber Security and Intelligence Studies. Dan is a former chair of the Cybersecurity and Information Systems Department and has authored numerous books and journal articles focused on cybersecurity.
Ken Sigler is a faculty member of the Computer Information Systems (CIS) program and Chair of Curriculum Instruction at Oakland Community College in Michigan. Ken’s research is in the areas of software management, software assurance, cybersecurity management and cybersecurity education in which he has published several books and articles.
Tamara Shoemaker is Director for Cyber Security and Intelligence Studies at the University of Detroit Mercy. She spearheaded the development of two university department’s community outreach and development strategy, CIS (cybersecurity programs) and the criminal justice (CJ and intelligence analysis). Tamara coordinates projects with government entities, academic organizations, industry and law enforcement agencies locally, nationally and internationally.
Glossary
Cyberecurity Terms You Are Likely to Encounter
Access control: the process of granting or denying a request to obtain information, or related services.
Access control mechanism: a measure designed to detect and deny unauthorized access and permit authorized access.
Adversary: any individual, group, organization, or government that conducts or has the intent to conduct detrimental activities.
Attack: any attempt to gain unauthorized access to system services, resources, or information, or an attempt to compromise system integrity.
Attack method: the manner or technique an adversary uses to attack information or a system.
Attack surface: the access points by which an adversary can enter a system to cause harm.
Attacker: the individual, group, organization, or government that executes an attack.
Authentication: the process of verifying the identity or other attributes of an entity.
Authorization: a process of determining whether a subject is allowed to have the specified types of access to a particular resource.
Availability: the property of being accessible and usable upon demand.
Ciphertext: data or information in its encrypted form.
Computer forensics: the actions taken to defend against unauthorized activity within computer networks.
Confidentiality: a condition where information is not disclosed to users, processes, or devices unless they have been authorized to access the information.
Cryptography: the use of mathematical techniques to provide security services.
Cybersecurity: an activity or process whereby systems and information are protected from and/or defended against damage, unauthorized use or modification, or exploitation.
Data integrity: the property that data is complete, intact, and trusted and has not been modified or destroyed in an unauthorized or accidental manner.
Data mining: a process or technique used to analyze large sets of existing information to discover previously unrevealed patterns or correlations.
Denial of service: an attack that prevents or impairs the authorized use of system. resources or services.
Digital forensics: the processes and specialized techniques for gathering, retaining, and analyzing system-related data (digital evidence) for investigative purposes.
Digital signature: a value computed with a cryptographic process and then appended to a data object, thereby digitally signing the data.
Distributed denial of service: a technique that uses numerous systems to perform a simultaneous attack.
Encryption: the process of transforming plaintext into ciphertext.
Exploit: a technique to breach the security of a network or system in violation of security policy.
Exposure: the condition of being unprotected, thereby allowing access to an attacker.
Firewall: a capability to limit network traffic between networks and/ or information systems.
Identity and access management: the methods and processes used to manage subjects and their authentication and authorizations to access specific objects.
Incident: a occurrence that results in adverse consequences that may require action to mitigate.
Incident response: the activities that address the short-term, direct effects of an incident.
Information assurance: measures that protect and defend information and information systems.
Information technology: any equipment or interconnected system or subsystem of equipment that processes, transmits, receives, or interchanges data or information.
Insider threat: a person or group of persons within an organization who pose a potential risk due to trusted access.
Integrity: the property whereby information, an information system, or a component of a system has not been modified or destroyed in an unauthorized manner.
Intrusion: the act of bypassing the security mechanisms of a network or information system.
Intrusion detection: techniques for analyzing networks and information systems to determine if a security breach or security violation has occurred.
Malicious code: programming intended to perform an unauthorized function that will have adverse impact on the confidentiality, integrity, or availability of an information system.
Malware: software that harms the operation of a system by performing an unauthorized function.
Mitigation: the application of one or more measures to reduce the likelihood of an unwanted occurrence and/or lessen its consequences.
Non-repudiation: a cryptographic method to prevent an individual or entity from falsely denying a computerized action that was taken.
Object: a discreet information system-related entity containing or receiving information.
Password: a string of characters (letters, numbers, and other symbols) used to authenticate an identity or to verify access authorization.
Penetration testing: a method where testers search for vulnerabilities and then try to attack them in order to test its access management and resilience.
Phishing: a digital form of social engineering to deceive individuals into providing sensitive information.
Privacy: the assurance that the confidentiality of, and access to, certain information about an entity is protected.
Public key infrastructure: a framework consisting of standards and services to enable secure, encrypted communication and authentication over potentially insecure networks.
Response: activities that address the short-term, direct effects of an incident, and may also support short-term recovery.
Risk: the potential for an unwanted or adverse outcome resulting from an incident, event, or occurrence, based on the likelihood that a particular threat will exploit a particular vulnerability
Risk analysis: systematic assessment of the components and characteristics of risk.
Risk assessment: the product or process which collects information and assigns values to risks.
Risk management: the process of identifying, analyzing, assessing, and communicating risk.
Software assurance: the level of confidence that software is free from vulnerabilities, either intentionally designed into the software or accidentally inserted at any time during its lifecycle.
Spoofing: faking the sending address of a transmission to gain unauthorized access.
Supply chain risk management: the process of assessing supply chain risk and controlling it to an acceptable level of risk investment.
Systems development: the action of moving a system through the various phases of the development lifecycle.
Test and evaluation: conduct of tests to evaluate compliance with specifications and requirements and validation of technical, functional, and performance characteristics.
Threat: a circumstance or event that has or indicates the potential to exploit vulnerabilities and to adversely impact operations, or assets.
Threat actor: an agent of threat.
Threat analysis: detailed evaluation of the characteristics of individual threats.
Threat assessment: a process of identifying or evaluating entities, actions, or occurrences, that have or indicate the potential to harm life, information, operations, and/or property.
Virus: a computer program that can replicate itself, infect a computer without permission or knowledge of the user, and then spread or propagate to another computer.
Vulnerability: a characteristic or specific weakness that renders an organization or asset open to exploitation by a given threat or susceptible to a given hazard.
Weakness: a defect or imperfection in software code, design, architecture, or deployment that, under proper conditions, could become a vulnerability or contribute to the introduction of vulnerabilities.
Worm: a self-replicating, self-propagating, self-contained program that uses networking mechanisms to spread itself.
K-12 Resources
Bandit Waregame (Game) http://overthewire.org/wargames/bandit/ “Reverse Engineering for Beginners” free book http://beginners.re/
Capture the Flag Competitions
https://github.com/isislab/Project-Ideas/wiki/ Capture-The-Flag-Competitions
Capture the Flag Events https://ctftime.org/
Capture the Flag Field Guide https://trailofbits.github.io/ctf/ Capture the Flag Practice List http://captf.com/practice-ctf/ Cipher Tools http://rumkin.com/tools/cipher/ Clip Training – Social Engineering (Lesson 1) The Art of Deception https://www.youtube.com/watch?v=xn9hH1BckPE
Code https://code.org/ Code Combat (Game) https://codecombat.com/ Coursera https://www.coursera.org/ Cyber Aces – Free online security courses http://www.cyberaces.org/ CyberPatriot https://www.uscyberpatriot.org/ Day of Cyber http://www.nsadayofcyber.com/ Empowering Educators to Teach Cyber – Free Cyber Curriculum https://cyber.org/
Full Stack Python – Web Application Security
https://www.fullstackpython.com/webapplication-security.html iKeepSafe – Online Privacy Training http://ikeepsafe.org/
Kahoot https://getkahoot.com/ Khan Academy – Caesar Cipher https://www.youtube.com/watch?v=sMOZf4GN 3oc&feature=youtu.be
Khan Academy – The Internet: Cybersecurity and Crime https://www.youtube.com/ watch?v=5k24We8pED8
Media Smarts Educational Games http://mediasmarts.ca/digital-media-literacy/ educational-games
Metasploit Unleashed – Free Online Security Training https://www.offensive-security.com/ metasploit-unleashed/ MIT App Inventor http://appinventor.mit.edu/explore/ NOVALABS Cybersecurity Lab (Game) https://www.pbs.org/wgbh/nova/labs/lab/cyber/
Open Source Cyber Security Learning https://www.cybrary.it/
OWASP AppSec Tutorial Series – teaches application security https://www.owasp.org/index.php/ OWASP_Appsec_Tutorial_Series
Penetration Testing https://pentesterlab.com/ Pentest Class – Reverse Engineering 1 https://www.youtube.com/ watch?v=cATBah30jk0 Raspberry Pi https://www.raspberrypi.org/ Reverse Engineering Resources https://pewpewthespells.com/re.html
Scratch Programming Activities https://scratch.mit.edu/
TekDefense – TekTip ep1 –Basic Dynamic Malware Analysis
https://www.youtube.com/ watch?v=2YQ2KqZ4gbo
The OSI Model Animation https://www.youtube.com/ watch?v=-6Uoku-M6oY
The OSI Model’s Seven Layers Defined and Function Explained https://support.microsoft.com/en-us/kb/103884
Top 10 Secure Coding Practices
https://www.securecoding.cert.org/confluence/ display/seccode/Top+10+Secure+Coding+ Practices
Unix/Linux Command Reference https://files.fosswire.com/2007/08/fwunixref.pdf
Wireshark Tutorial for Beginners 2015
https://www.youtube.com/watch?v=TkCSr30UojM
CSEC 2017: https://cybered.acm.org/
Teaching Cybersecurity
Introduction: We Need to Know What to Teach
I’m a teacher, just like you are. And so I know that the first requirement for any course is its subject matter. That’s the reason why I wrote this book. Its contents are based on the ACM/IEEE common body of knowledge for cybersecurity which was created and sanctioned by the organizations that have customarily dictated curricular content for the computing fields. Those societies usually focus on their specific areas of interest. However, they will occasionally come together to publish cross-disciplinary recommendations for a topic of vital mutual interest. That is the case here.
Over the past decade, it has become clear that the things that ought to be taught in a cybersecurity class are more or less in the eye of the beholder. So the societies created a single universally recognized field concept. Its official title is “Cybersecurity Curricula 2017, Curricular Volume.” But it is colloquially called CSEC2017. The CSEC2017 aims to serve as “The leading resource for comprehensive cybersecurity curricular content for global academic institutions seeking to develop a broad range of cybersecurity offerings at the post-secondary level ” (CSEC 2017 Mission Statement). That vision is what motivates this book.
The Things You Will Learn by Reading This
The mastery of course content is the first requirement for competent teaching. CSEC2017 provides that knowledge. It was specifically designed for higher education and the profession. Thus, this book gives you, the teacher, a complete and easy-to-follow discussion of the CSEC’s topics. We’ve packaged it so that a senior high school and junior high school teacher can easily understand it.
Hence, unlike the more heavyweight professional books, our focus is strictly on the various ways that the body of knowledge can be delivered within a conventional secondary school classroom. As a result, there will be no deep dives into the gory details of any topic. Instead, we will emphasize practical ways to ensure that your students can understand and relate to the field’s diverse facets. We also provide model delivery suggestions that will help you facilitate that understanding. In that respect, then, this book is a simple, comprehensive teacher’s handbook for the field of cybersecurity, with all of its topics packaged for practical teaching purposes at the secondary level.
Because we expect you, the teacher, to have little or no background in cybersecurity or even in computing as a whole, we have sought to keep the presentation as down-to-earth and relatable as possible. Consequently, all of this material will be presented through an end-to-end story that will call out the practical issues as you might view them from your classroom. The aim is to help an inexperienced reader see how the field’s contents fit together within a real-world application. So, this offers a general understanding of the commonly accepted body of knowledge without any unnecessary in-depth details or technical jargon. It also provides easy-to-apply teaching suggestions for each of the areas. Teaching materials will include illustrations, examples, exercises, and shared resources for each topic.
Advantages of This Book
This book offers the most authoritative content possible, not just the opinions of individual “experts.” The role of the governing societies for the profession is well-established. Thus, these recommendations are authoritative. However, the book’s distinctiveness lies in our specific intent to provide you, the traditional classroom teacher, with all
of the knowledge and tools you will need to deliver a comprehensive course in cybersecurity. In that respect, then, the contents of this book should be viewed as the map that traditional K-12 districts can use to lay out a complete course on that topic. The book itself is holistic because it covers the entire formal body of knowledge. However, individual classroom teachers will be given sufficient guidance to help them fit their particular situation into the overall perspective.
Table of Contents
Chapter 1: Tom and Lucy Meet the Doc – this is a short introduction and orientation to why a common body of knowledge is essential. The arrival of the computer societies on the scene and their role is explained. We also introduce our three intrepid explorers: Tom, who teaches a high school computer course, Lucy, who does the same thing at the junior high level, and the Doc, an odd old fellow who appears to have just wandered in to advise them. At the end of this chapter, you will understand why a comprehensive body of knowledge for cybersecurity is essential, and you will know why it is vital to get it into your classroom.
Chapter 2 : Knowledge Area One – Data Security – all of the succeeding eight chapters will have the same format. Knowledge units and topics will be laid out and discussed by our three adventurers. The Data Security knowledge area focuses on every aspect of data protection. Thus, the discussion will center on access control, data protection through encryption, and database security.
Chapter 3: Knowledge Area Two – Software Security – the software security knowledge area focuses on the development and use of the software. Consequently, the discussion will center on secure software development, implementation, testing, patching, and the ethics of software operation and use.
Chapter 4 : Knowledge Area Three-Component Security – the component security knowledge area focuses on the components integrated into larger systems. Thus, the discussion will center on the various aspects of system component security.
Chapter 5: Knowledge Area Four – Connection Security – the connection security knowledge area focuses on the interconnections between components, including physical and logical connectors. This is the traditional network security area. So, the discussion will center on the curricular elements of teaching networking and types of transmission and connection attacks.
Chapter 6 : Knowledge Area Five – System Security – the system security knowledge area focuses on recommendations regarding a holistic approach to security policy and access control. Along with that, we will discuss system monitoring and recovery.
Chapter 7: Knowledge Area Six – Human Security – the human security knowledge area focuses on human behavior related to cybersecurity. There will be discussions about how to teach identity management, social engineering, awareness and understanding, and personal data privacy and security. This is one of the areas that are pioneering additions to the body of knowledge.
Chapter 8: Knowledge Area Seven – Organizational Security –the organizational security knowledge area focuses on how organizations protect themselves from cybersecurity threats, as well as the management of risk. Consequently, the discussion will center on the traditional areas of strategy, organizational risk management, governance and policy, laws, ethics, and compliance.
Chapter 9: Knowledge Area Eight – Societal Security – the societal security knowledge area focuses on aspects of cybersecurity that broadly impact society as a whole, such as cybercrime, law, ethics, policy, privacy, and their relation to each other. This is another groundbreaking area in the model.
Our aim in all this is to help you connect the dots between the contents of the cybersecurity body of knowledge and your teaching strategies.
W hy you S hould R ead Thi S B ook
This book provides advice and guidance you will need to teach cybersecurity in a grade 7–12 classroom. The problem is that cybersecurity is a new field, and understandably, there are conflicting ideas about how to teach it. That’s why it is so important to base your teaching on a commonly accepted body of knowledge. That common body of knowledge is titled CSEC2017 Curriculum Guidelines for PostSecondary Degree Programs. The CSEC is called that because its recommendations were initially created for post-secondary education. However, the CSEC successfully itemize the generic principles for the field. Therefore, it can be a reliable basis for building a cybersecurity course. This is good news for grade 7–12 educators because those principles can support the teaching of cybersecurity at their level.
The CSEC gets its legitimacy from the fact that it was developed under the auspices of the three professional organizations that formally oversee computing: The Association for Computer Machinery (ACM), the Institute of Electrical and Electronic Engineers (IEEE), and the Association for Information Systems (IAS). These groups sponsor the academic fields of computer science, software engineering, and business information systems. They occasionally come together as a body-of-the-whole to develop and disseminate recommendations about topics of significant interest to the profession. The CSEC is one of the two documents of that type. It expresses the profession’s consensus view of the appropriate contents for cybersecurity, and as a result, the CSEC provides a substantive basis for building a curriculum.
Even so, we have to pause for a minute here to make an important distinction. In practice, the National Institute of Standards and Technology’s Cybersecurity Workforce Framework (NICE) offers a set of commonly accepted recommendations about the requirements
for cybersecurity work. In that respect, it dictates the “what,” while CSEC supplies the “why.” The distinction between “what” and “why” is important because teachers want to ensure their students’ real-world success with the instruction they provide. So, those are the “what.” But it is also essential to understand how those skills apply in practice. That is the “why.” A fully informed person understands both things in tandem, so knowing both the CSEC and the NICE Framework is crucial.
Each chapter in this book will present one of the eight knowledge areas of the CSEC. The goal is to complete a basic understanding of the field, not dive into the details. That will come later in the educational process. We aim to give you a comprehensive look at all of the fundamental concepts that comprise the discipline of cybersecurity. Thus, this book is the first step in a long voyage to mastering the realm of cybersecurity.
How We Plan to Present This?
Cybersecurity is far too broad a field to encompass in a single text. Therefore, this book will provide a practical overview of the essential elements of the field without getting into the nuts-and-bolts of each of the CSEC’s knowledge areas. That detail is for later learning. Instead, we will summarize each knowledge area using a simple, understandable conversation. In the interaction of the characters, we hope to provide a roadmap for readers that will let them build a personal understanding of the body of knowledge and decide how to adapt its concepts to their particular instructional needs.
The unique aspect of this book is that the eight content areas are illustrated and discussed in an easy-to-read story. The story itself will be kept generic, without specifics or technical jargon. More pertinently, we will provide several easy-to-administer exercises for each knowledge area. It should be understood that, as a disciplinary model, the CSEC comprises a unified framework, one that fully embodies all of the elements of the field. However, individual teachers will be given sufficient guidance to decide where to add their specialized interests into the course – for instance, personal interests such as coding, networks, or even ethics.
It is important to note that this book is not a conventional textbook. The discussion of the subject matter occurs entirely within a story, which we hope will entertain and help you see how you can apply the CSEC in a particular situation. The story follows a typical process for structuring a new course in a real-world education setting. The narrative will be told through the eyes of two familiar educators, both of whom are classroom teachers in a traditional school district. Our heroes have just been handed the unwelcome assignment of creating a brand-new course in cybersecurity for their district’s high school and junior high students. An expert in cybersecurity education will help in their efforts along the way. He will provide the general context, guidance, and occasional comic relief.
Our little tale will illustrate the everyday things that people might need to consider in building a course in cybersecurity at the secondary school level. It will also introduce the fundamental knowledge units that an average teacher needs to incorporate to be complete. This general understanding will ensure that your students are aware of all the aspects of cybersecurity. Finally, the reader will see how our heroes delve into the diverse elements of the body of knowledge and see them wrestle with the current problems the field faces. By the end of this book, the reader will understand how to teach cybersecurity properly. In addition, you will know about the common pitfalls that a person might face in designing a genuinely complete course in cybersecurity.
But First: An Overview of the Contents of the CSEC
There are five explicitly technical areas in the CSEC body of knowledge. These traditional areas are (1) Data Security, (2) Software Security, (3) Component Security, (4) Connection Security, and (5) System Security. The Data Security knowledge area entails data protection topics centered on cryptography, digital forensics, and the assurance of data integrity. Software Security comprises the traditional lifecycle of software. That chapter will cover security requirements, security design, testing, configuring, and patching software. Component Security focuses on the design, procurement, testing, analysis, and maintenance of sub-components of larger systems. It also introduces the knotty issue of supply chain security. The Connection Security knowledge area involves the familiar topics of traditional
