Professional Documents
Culture Documents
13(3)
Helen Armstrong
Nimal Jayaratna
School of Information Systems
Curtin University of Technology
GPO Box U1987, Perth
Western Australia 6845
H.Armstrong@curtin.edu.au N.Jayaratna@curtin.edu.au
ABSTRACT
This paper presents the structure and content of a series of a postgraduate curriculum in Internet Security
Management developed and presented jointly by the Schools of Information Systems and Computer Science at
Curtin University of Technology in Western Australia. The integration of generic skills (including problem
solving, risk and project management, change management and research methods) with specialist security
knowledge and practical project courses is also discussed.
249
Journal of Information Systems Education, Vol. 13(3)
Many consider information security to be a technical thinking and innovative thinking. The latter requires
issue. However, the mind-sets that generate security the information security professional to undertake
problems and criminal activities are not necessarily paradigm shifts in their reasoning roles.
technical in nature. The guiding forces that act on a
security professional are adherence to law, Another generic skill that is required by the
professional code of conduct, commitment to ethical information security professional is the ability to
principles, care handle communication and interpersonal issues. Not
only do they need to develop skills in people
Figure 1: Guiding Forces in Security Domain management but also to learn to manage change.
Change involves multi-dimensions of mind-sets,
procedures, policies, behavior and communication.
250
Journal of Information Systems Education, Vol. 13(3)
amounts of data. To secure this data, and the Table 1: Offerings within the Internet Security
infrastructure on which it resides and moves, requires Management program
specific technical skills in the security of networks and
communications, databases, operating systems, Program Credits Duration
Internet, electronic commerce, computer crime and (Full-time)
cyberwarfare, and computer forensics (see Figure 2). Postgraduate Diploma in 200 1 year
ISM
Master of ISM 300 1.5 years
The final category of skills is practical. Information Master of Commerce 400 2 years
security is a practical discipline. The solutions that are (ISM)
constructed using generic and specialist skills need to
be effective in practice. They also have to be
integrated in practice. The third stage of the education graduate certificate or graduate diploma in a
program is to ensure that students are able to integrate computing related field in order to gain entry.
their knowledge and achieve effective results within a
practical domain. To achieve this aim students will The program consists of three articulated degrees - a
work on practical case studies developed jointly with postgraduate diploma in Internet Security
industry. Outside organizations will be involved to management, a professional Masters of Internet
create realistic settings for which students will be Security Management, and a Master of Commerce
required to design secure networks and environments (Internet Security Management). The structure and
and test them. Students will then be required to write content of the three programs is illustrated in Appendix
up a project report showing not only how they A.
understood the construction and implementation of
solutions but also what abstract lessons they learned 3.1 Postgraduate Diploma in Internet Security
from the project. Management
This program is designed for students with a degree in
The latter abstract learning is more advanced than a computing-related discipline who wish to enhance
Bloom’s (1956) taxonomy and Kolb’s (1984) skills and knowledge in the design and management of
experiential learning. The learning theory is more Internet security and electronic commerce in business
aligned to the "double loop" learning model (Argyris organisations. The program consists of eight courses
1982, Argyris & Schon 1974), however the vertical of study each carrying 25 credits, totalling 200 credit
abstraction of the notions, concepts, lessons will be points. The program can be seen in the first column in
advanced using the NIMSAD framework (Jayaratna, Appendix A; and the courses studied include project
1994). This framework requires evaluation of lessons and risk management, change management,
along three dimensions: the situation; use of tools, information security management, network and
techniques, models, concepts, methods and communications security, encryption and software
methodology; as well as critical self-reflection using security, plus two optional courses chosen from those
"mental construct" elements at three time periods – listed. The postgraduate diploma program can be
before, during and after intervention. The most completed in one year (two semesters) of full-time
important abstraction is the discovery of self and the study or two years of part-time study.
assessment of further learning needs.
3.2 Master of Internet Security Management
The program thus aims to develop postgraduates with This program is a professional masters degree
the conceptual and intellectual power to adapt their containing a total of twelve courses of study. It is
acquired knowledge and skills into their future designed for computing professionals who wish to take
working environments. The design of the program leadership roles in Internet security management.
structure incorporates a generic component, specialist Students need a computing-related degree plus a
component on security and a practical component in minimum of two-years relevant industry experience to
which the previously learned material are brought enter this program.
together as instruments for guiding practice (see
Figure 2). The second column in Appendix A gives details of this
program. The first eight courses of the Master of
3. STRUCTURE OF THE PROGRAM Internet Security Management are the same as the
Postgraduate Diploma program. The core courses
The series of Internet Security Management (ISM) included in this program are project and risk
programs are offered at three postgraduate levels, management, information security management,
postgraduate diploma, professional masters, and problem solving, change management, network and
masters by coursework (see Table 1). communications security, encryption and software
security, database security, computer forensics,
All courses within the program require a Bachelor distributed computing security, plus a double course
degree in a computing related discipline as an entry security project or two optional courses chosen from
requirement. Students with a degree in a non- the list in Appendix A. This professional masters
computing discipline are required to complete a program can be completed in eighteen months (three
semesters) of full-time study or three years of part-time
study.
251
Journal of Information Systems Education, Vol. 13(3)
252
Journal of Information Systems Education, Vol. 13(3)
cryptography, network security, electronic commerce of one year duration had an entry level of a honours
security, computer forensics or information warfare. degree.
Many of the programs investigated concentrated on
information or computer security, particularly the The new Internet Security Management programs
technical aspects. In these programs courses in designed by Curtin University appear consistent in
network security, cryptography, electronic commerce duration and entry requirements to programs offered
security and security management seem common by other universities. The technical content also
inclusions. For instance, the Master in Computer appears to be similar, particularly in the areas of
Science at James Mason University appears to be network security, electronic commerce security and
quite technical in focus with a concentration on cryptography. The uniqueness of the proposed
network security and cryptography (JMU, 2002) to programs at Curtin University is the holistic design of
the exclusion of courses on electronic commerce the program to integrate technical, management and
security, risk and security management. Conversely, practical security skills together with generic skills in
the Masters in Information Technology Security problem solving and change management. The joint
offered by the University of Westminster (WMIN, venture between the Schools of Information Systems
2002) appears to place less emphasis on the technical and Computer Science has enabled a unique
security areas. integration of security skills and knowledge across the
disciplines.
Very few universities offer courses in computer
forensics. This could be because it is resource hungry 7. CONCLUSION
and requires specialist expertise to teach. However,
Cranfield University (2002) offers a course with a The design of the new programs in Internet Security
specialization in Forensic Computing, incorporating Management is complete, and commencement is
courses in electronic crime, law and courtroom skills, planned at the beginning of 2003. The programs
investigations and several forensic areas. As described above have attempted to meet the need for
cybercrime continues to rise it seems logical that security graduates who have the ability to
demand for knowledge and experience in computer conceptualise, are problem solvers, are technically
forensics will rise, particularly in relation to networks proficient, and have practical experience in applying
and the Internet. the security knowledge and skills in an information
security and Internet security context. The program
The study of crime appears frequently, however the also provides three levels of qualification in the
law and legal issues appears in only some of the Internet security management field with direct
programs studied. An understanding of the law from articulation between the courses.
a local as well as international perspective should be
an integral part of any program on security, The mix of generic skills, and specialist knowledge
particularly in global networked environments. and skills, and practical project courses are planned to
develop a well-rounded graduate, one who has the
Considerations of risk appear as a separate course in ability to solve problems in the Internet security
only a few programs, although the study of risk is arena. The practical application of theory via the
implied in many other courses included, such as project courses will assist students to consolidate their
assurance and security issues. Database security was learning by actually doing and then reflecting upon
found in only a small number of programs. This was that learning process. Students will also gain
surprising, as the majority of larger computer systems confidence in their ability to apply knowledge and
and web sites utilise database management systems. skills to problem situations.
253
Journal of Information Systems Education, Vol. 13(3)
AUTHOR BIOGRAPHIES
254
Journal of Information Systems Education, Vol. 13(3)
Appendix A: Structure of the Postgraduate Diploma and Masters Programs in Internet Security
Management
255
Journal of Information Systems Education, Vol. 13(3)
256
Journal of Information Systems Education, Vol. 13(3)
257
Journal of Information Systems Education, Vol. 13(3)
258