The Cybersecurity Body of Knowledge
eBook - ePub

The ACM/IEEE/AIS/IFIP Recommendations for a Complete Curriculum in Cybersecurity

Daniel Shoemaker, Anne Kohnke, Ken Sigler

578 pages
English
ePUB (mobile friendly)

About This Book

The Cybersecurity Body of Knowledge explains the content, purpose, and use of eight knowledge areas that define the boundaries of the discipline of cybersecurity. The discussion focuses on, and is driven by, the essential concepts of each knowledge area that collectively capture the cybersecurity body of knowledge to provide a complete picture of the field.

This book is based on a new, and to date unique, global initiative known as CSEC2017, which was created and endorsed by ACM, IEEE-CS, AIS SIGSEC, and IFIP WG 11.8. It has practical relevance to every educator in the discipline of cybersecurity. Because the specifics of this body of knowledge cannot be imparted in a single text, the authors provide the necessary comprehensive overview. In essence, this is the entry-level survey of the comprehensive field of cybersecurity. It will serve as the roadmap for individuals to later drill down into a specific area of interest.

This presentation is also explicitly designed to aid faculty members, administrators, CISOs, policy makers, and stakeholders involved with cybersecurity workforce development initiatives. The book is oriented toward practical application of a computing-based foundation, crosscutting concepts, and essential knowledge and skills of the cybersecurity discipline to meet workforce demands.

Dan Shoemaker, PhD, is full professor, senior research scientist, and program director at the University of Detroit Mercy's Center for Cyber Security and Intelligence Studies. Dan is a former chair of the Cybersecurity & Information Systems Department and has authored numerous books and journal articles focused on cybersecurity.

Anne Kohnke, PhD, is an associate professor of cybersecurity and the principal investigator of the Center for Academic Excellence in Cyber Defense at the University of Detroit Mercy. Anne's research is focused on cybersecurity, risk management, threat modeling, and mitigating attack vectors.

Ken Sigler, MS, is a faculty member of the Computer Information Systems (CIS) program at the Auburn Hills campus of Oakland Community College in Michigan. Ken's research is in the areas of software management, software assurance, and cybersecurity.


Information

Publisher: CRC Press
Year: 2020
ISBN: 9781000050417
Edition: 1

Foreword 1

I have great pleasure in writing this foreword. I have worked with Dan, Anne, and Ken over the past six years as this amazing team has written six books for my book collection initiative. Their newest effort, The Cybersecurity Body of Knowledge: The ACM/IEEE/AIS/IFIP Recommendations for a Complete Curriculum in Cybersecurity, brings together a comprehensive understanding of cybersecurity and should be on the bookshelf of every professor, student, and practitioner.
Right now, the study of cybersecurity is pretty much in the eye of the beholder. This is the case because the number of interpretations about what ought to be taught is only limited by the number of personal agendas out there in the field.
Through discussion with the team, I’ve learned that every well-established discipline of scholarship and practice has gone through the process of research, extensive discussions, formation of communities of practice, and thought leadership to continually build the body of knowledge. Over time, diverse voices put forth ideas, concepts, theories, and empirical evidence to advance the thinking, and in every discipline, there comes a time when thought leadership establishes generally accepted standards based on a comprehensive view of the body of knowledge.
I believe that time has come for the discipline of cybersecurity.
Beginning with a narrow focus on computer security, the discipline has advanced tremendously and has accurately become known as a fundamentally computing-based discipline that involves people, information, technology, and processes. Additionally, as the threat environment continues to expand, due to the expanse of global cyber infrastructure, the interdisciplinary nature of the field includes aspects of ethics, law, risk management, human factors, and policy. The growing need to protect not just corporate information and intellectual property but also to maintain national security has created a demand for specialists, across a range of work roles, with the knowledge of the complexities of holistically assuring the security of systems. A vision of proficiency in cybersecurity that aligns with industry needs and involves a broad global audience of stakeholders was needed to provide stability and an understanding of the boundaries of the discipline.
The CSEC2017 Joint Task Force – involving four major international computing societies: the Association of Computing Machinery (ACM), the IEEE Computer Society (IEEE CS), the Association for Information Systems Special Interest Group on Information Security and Privacy (AIS SIGSEC), and the International Federation for Information Processing Technical Committee on Information Security Education (IFIP WG 11.8) – came together to publish the single commonly accepted guidelines for cybersecurity curriculum (The CSEC2017 Report). The CSEC2017 Report has produced a thought model and structure in which the comprehensive discipline of cybersecurity can be understood. With this understanding, development within academic institutions and industry can prepare a wide range of programs that are grounded in fundamental principles.
This book explains the process by which the CSEC2017 was formulated, its pedigree, and then it discusses the knowledge units of each of the eight knowledge area categories of the field in detail. Upon reading this book, the reader will understand the knowledge that is required and will have a basic understanding of the application and purpose of each of these myriad elements.
I have studied the various chapters and believe the seamless flow of the content will be beneficial to all readers. The extensive use of visuals greatly improves the readability as well as supports a better understanding of the extensive number of knowledge topics that are involved. While knowledge knows no end, dissemination and sharing of knowledge are critical in today’s world. I believe this book will help form the foundation of a comprehensive and generally accepted cybersecurity body of knowledge and I congratulate the team on their work and their amazing result.
Dan Swanson
Series Editor

Foreword 2

Cybersecurity is professionalizing. As a field, it has spawned from technical disciplines where it is an increasingly difficult fit, given its increasingly interdisciplinary nature. What started as a one-size-fits-all subject, about mitigating vulnerabilities in information systems, is now expected to cover the range of topics that a Chief Information Security Officer must consider when building an approach to keeping information safe within an organization. This not only includes the technical tools but also things such as policy, procedures, awareness training, audit, compliance, law, and privacy. These subjects clearly go beyond computer science or electrical engineering where students learn to build and apply cybersecurity system components.
Add to this challenge the fact that cybersecurity is evolving quickly. No sooner is a book published than it begins to become out of date! What a challenge for academics and practitioners alike to stay current! And if cybersecurity is becoming a profession like medicine or law, how difficult it becomes to ensure that employers in different parts of the country know what knowledge is in the minds of the cybersecurity expertise they hire. These are employees they are entrusting with the very life blood of their organizations, their information. There is a reason practitioners refer to the “crown jewels” of the company when they identify their most sensitive and valuable data.
With Snowden’s and Manning’s cases raising awareness of how vulnerable an organization’s information can be, and how big the impacts are if it is compromised, we need to ensure that those we hire to protect it have the knowledge, experience, integrity, and maturity to warrant trust. Hence, the effort to professionalize the field. We’re seeing the emergence of codes of conduct, internship programs, certification testing, and standard curricula—all hallmarks of a profession.
Educational standards are at the very heart of any professional discipline. We need to know what those we hire know. Using medicine as an example, we have comfort that no matter what medical school a doctor attends, the basic curriculum is the same and we have board exams and accreditations for verification. Likewise, we need to have the same for cybersecurity, a practice that, if not performed well, could cripple infrastructure, bring down cities, and even cause deaths in the case of medical devices that are increasingly relied upon, yet are exposed online.
My colleagues Daniel Shoemaker, Anne Kohnke, and Ken Sigler have been working on standardization of cybersecurity curriculum for years – first in support of the NSA’s efforts to specify what they need in a cybersecurity professional through their NIETP organization, which created, working with NIST, the beginnings of educational standards, and then through the various evolutions as DHS, professional organizations, and certifications have made their contributions.
As the ACM has stepped up to creating cybersecurity education guidelines that invite other countries to help define them, it’s time to acknowledge the development of what is becoming a set of educational standards that cybersecurity professionals around the world are acknowledging. With their book, the authors are presenting the case for educational standards as an important part of the emerging profession of cybersecurity.
I remember not too long ago when an HR executive from a large company in my region expressed frustration that advertising for cybersecurity expertise was not enough. You need to know what subdiscipline candidates know and what knowledge base they have in their minds so you can hire appropriately. Since that conversation, NIST/NICE, NSA, DHS, and ACM have wrestled with defining the field. The authors’ contribution is to synthesize this history and make the case for reliable educational standards that are the foundation of any profession.
Knowing the authors as I do, I can think of no others who could better make this case and also identify the appropriate time – now – to do so. This is an important contribution to the evolution of the cybersecurity profession to the next step – a profession like any other.
This is an exciting time to be in this field. I thank the authors for their efforts.
Barbara Endicott-Popovsky, PhD
Professor and Executive Director,
Center for Information Assurance and Cybersecurity
University of Washington;
Editor in Chief,
Colloquium for Information Systems Security Educators (CISSE) Journal

Introduction

The Vital Need for Common Agreement

Every profession is built around formal agreement about the underlying knowledge of the field. This agreement serves as the point of departure for building an academic discipline. In the case of the discipline of cybersecurity, there has never been a definitive, commonly accepted standard of the critical elements of the field. The purpose of the CSEC2017 Report (referred to as CSEC2017 for the remainder of the book) is to provide an authoritative standard.
The CSEC2017 is built around the assumption that there is a responsibility to specifically articulate what constitutes the field of cybersecurity. The goal of the CSEC2017 is to detail the communal knowledge areas and their constituent knowledge elements. In service of this, the CSEC2017 states and clarifies the separate educational elements of cybersecurity and their interrelationships in professional practice. Each individual knowledge area is different in its focus and aims; therefore, these disparate knowledge requirements need to be integrated into a single strategic infrastructure that amounts to a comprehensive definition of the field. The value of a single unified definition is that it provides the depth of understanding necessary to ensure complete, in-depth solutions.
CSEC2017 focuses on the definition of a set of standard knowledge elements rather than the usual teaching and learning issues. In essence, the CSEC2017 provides a complete conceptual structure containing every knowledge element that is considered germane to the study of cybersecurity. That the CSEC2017 Report documents and interrelates all of the necessary learning elements into a single common definition of the discipline of cybersecurity is one of the two groundbreaking aspects of this project. The other is that CSEC2017 provides a comprehensive roadmap for teaching and learning holistic cybersecurity.
The latter is important because the lack of a common understanding of the ways in which the diverse elements of the field fit together is one of the major stumbling blocks in building coherent responses to threats. Consequently, the synthesis of the details of the cybersecurity process into a single unified understanding is an invaluable asset for cybersecurity educators.

Defining the Elements of the Field of Cybersecurity: What is CSEC2017?

The CSEC2017 Joint Task Force on Cybersecurity Education (JTF) originated in September 2015 (CSEC-JTF, 2017). The CSEC2017 mission was twofold, “To initiate the processes for (1) developing undergraduate curricular guidance and (2) establish a case for the accreditation of educational programs in the cyber sciences.” (CSEC, 2017, p. 10). The recommendations in the report represent fully sanctioned, all-inclusive guidelines about the content and structure of a cybersecurity curriculum. It must be understood that these recommendations are a single conceptual framework for the field. The CSEC2017 document does NOT specify a single monolithic approach, nor is it prescriptive. Instead, the CSEC2017 body of knowledge is meant to be used either completely or in part to develop relevant courses and to modify a broad range of existing programs or course concentrations (CSEC, 2017).
The CSEC2017 delineates the boundaries of the discipline and outlines key dimensions of the curricular structure of the study of cybersecurity. Its aim is, “To develop curricular guidance that is comprehensive enough to support a wide range of program types and to develop curricular guidance that is grounded in fundamental principles that provide stability” (CSEC-JTF, 2017, p. 11). As defined in the CSEC2017, there are eight generic knowledge areas. Taken as a whole, these distinctive areas constitute a common definition of the discipline as well as the learning elements that should be involved in the delivery of an acceptable cybersecurity learning experience.

Organization of the Text

The reader will see how to create a comprehensive cybersecurity teaching program, one that embodies the commonly recognized knowledge elements deemed essential to the field. This book explains how each of these elements fits together.
The members of the Joint Task Force of major international computing societies identified eight knowledge areas that represent the comprehensive body of knowledge for cybersecurity education (CSEC, 2017). As with any complex design process, the deployment of a fully standard curriculum can only be described through a rational and explicit framework of requirements. The detailed process for creating and deploying those requirements is what is presented in these chapters.
Chapter One: Introduction: Securing Cyberspace Is Everybody’s Business
This chapter explains the general conditions under which the CSEC2017 was created. It outlines the problems with cybersecurity as we currently understand them. It also presents the background of the CSEC2017 and the role of the Learned Societies in creating it. The goal of this chapter is to give the reader an understanding of the overall strategic concerns associated with cybersecurity practice as well as provide the justification and advantages of a generally accepted common body of knowledge.
Readers will see how the lack of a unified understanding impacts everybody’s security. The readers will also understand the reas...