Every field of study has its challenges, and cybersecurity education faces a big one: how can educators share detailed curricula around things like malware and cyberattacks without serving up a potential recipe book for those with ill intent?
Sensitive information shared with the wrong people in the classroom (physical or online) can fuel a malicious actor’s own educational learning curve. That’s obviously something to be avoided, but cybersecurity educators and their students still need to find a way to study concepts and use cases at the level of granularity sufficient for the real-world jobs they’re training for.
Let’s take a closer look at how to strike the right balance in cybersecurity education.
Keeping black hats out of the classroom
The increasingly online and globally-connected nature of cybersecurity education is bringing more people to the field. That’s a good thing, but it requires a renewed focus on vetting curricula and understanding students’ interests and goals. The more we can do this, the more we guard against misuse of coursework by potential threat actors.
Look at the typical cybersecurity practitioner’s capabilities, from risk analysis and cloud security to intrusion detection and malware analysis. Those same skills can be reverse engineered for use by a threat actor. Indeed, “thinking like a black hat” is prominent on the list of preferred skill sets for a cybersecurity pro.
Unfortunately, this symmetry of skill sets between white hats and black hats makes it hard to decide exactly what to teach, and to whom. Complicating matters, there are few outward signs to distinguish between the two. Bad Spock had a beard; Venom and Spider-Man look nothing alike; but in cybersecurity education, the line between teacher’s pet and tomorrow’s threat is far more nuanced, even invisible.
Strategies to safeguard cybersecurity education and curricula
I should stress that the vast majority of students have legitimate career goals. But we need a stronger spotlight on cybersecurity education to ensure we’re educating students in ways that don’t feed the knowledge base of our enemies.
Perhaps the most well-known example of this is the flight training the 9/11 hijackers received in the United States and the increased scrutiny of flight school applicants that followed. This is a powerful but imperfect analogy, and it leaves open the question of how fully we can apply this same diligence to cybersecurity education.
Far more people learn to be cybersecurity pros than pilots, and the reasons are more varied. That said, you can still glean clues about intent. Maybe there’s an inordinate interest in understanding malware, without a similar level of curiosity about programming or other basic skills. There could be behavioral patterns–suspicious travel, perhaps–that raise concern. Obviously, the huge caveat here is to gain more visibility into the student population, without crossing the line into demographic profiling or unfair exclusion.
Program-wide strategies like this should be supplemented with curriculum-specific efforts to calibrate the level of access to the sensitivity of the information being taught. Think of it as a Privileged Access Management-style approach to education: For instance, your course on basic programming skills may be open to all. But your seminar on protecting operational technology is open only to those who receive temporary security clearances and are learning on-site at a secure facility.
Just as with Privileged Access Management, however, too many security roadblocks can slow down the speed of business–the speed of education–something we can scarcely afford amid a yawning cybersecurity talent gap that’s on track to reach 3.5 million unfilled positions by 2021.
Actionable tips for striking the right balance
With all of this in mind, let’s look at a few actionable steps we can all take to balance security with open access to cybersecurity education, and to judge when and where certain cybersecurity topics might enhance security.
Get a security audit specific to educational settings
There’s no shortage of firms dedicated to performing security audits for companies of all types. With minimal adjustments, educators can leverage such services for a security audit of how their operation handles curricula, student enrollment, learning environments, and related parts of the educational infrastructure and programming. Also, it’s quite possible to find security pros willing to help at reduced rates or even on a pro-bono basis, given the industry’s overall support for cybersecurity education to remedy a severe talent gap.
Adopt “Traffic Light Protocols” to categorize the sensitivity of curriculum content
Schools and programs are increasingly modeling their evaluations after government Traffic Light Protocols, taxonomies for categorizing what to share and what to keep under wraps. For example, “green” topics might simply be general historical accounts about previous attacks; “amber” topics may include company-specific network topology and IP address information; and “red” topics could be vulnerability analyses that, if released externally, would provide an attacker with an easy route of breaching perimeter network defenses.
Designate a curriculum security ombudsman
It doesn’t necessarily need to be a full-time job, but somebody in the organization should be well-versed in the security issues we’ve been discussing and should be tasked with the role of vetting curriculum topics and teaching methods accordingly. This person could serve as a “standards and practices” resource for colleagues–both for existing educational offerings, as well as for emerging coursework and teaching methodologies. By embedding this ombudsman role into the organizational structure, you get a more effective, consistent, and proactive approach to curriculum security issues.
Use gamification incentives to model and reward good curriculum security
Gamification is a powerful motivator for human behavior in all kinds of settings, ranging from fleet safety, to medical research, to counterespionage. We can use the same tactics in cybersecurity education to set goals around security practices, and then reward those who achieve those goals. This can apply to both educators and students–with goals ranging from basic cyber hygiene to curriculum optimization and reporting potential issues or vulnerabilities for remediation.
Ideally, cybersecurity educators should use all the strategies we’ve discussed to construct curricula that strike just the right balance in sharing insights. The ultimate goal is to build the best curriculum possible, without turning it into a “how to” manual for those who would use these insights for malicious acts.