Practical Experimentation in Information Security Education

(A brief report from a survey) by Erland Jonsson and Lech Janczewski

In 1995 the Erasmus Bureau published a review of university programmes on Information Security [1] followed by a proposal for an Information Security curriculum [2]. This set of publications is the first systematic attempt to review the discipline and develop a universally accepted university program in the Information Security arena. However, these publications do not define the delivery methods. Therefore, during the IFIP/SEC'96 conference in Samos, Greece, the IFIP WG 11.8 discussed to what extent the information security education at university level should be supported by practical activities, demonstrations, experiments and projects.

As a result of this discussion we undertook to make a world-wide survey of existing experiments and we produced a questionnaire that was distributed widely. (See, e.g., Cipher, issues 16 and 17, 1996.) Around 20 answers were received, which resulted in a paper that will be presented at IFIPSEC'97 in Copenhagen, May 14-16, 1997. The paper covers the rationale behind conducting such experimentation and puts it into the context of the "action learning" approach. Some of the difficulties with practical experiments are briefly discussed. Furthermore, the paper introduces a taxonomy along three axes: degree of applicability, degree of innovation and level of generalization. All the experiments are classified according to the taxonomy so that their distribution in the three-dimensional taxonomy can be investigated. Not surprisingly, the experiments are clustered into a few areas, and it could be discussed whether this is optimal from an educational point of view. Selected experiments are presented and discussed in more detail. A full report of the results from the survey will be given at the IFIP WG 11.8 working group meeting that is held the day before the main conference.

We are convinced that the survey is far from exhaustive and would like to encourage everyone to submit data on their experiments at any time. The intention is to put these experiments into a data bank that would be available to the security education community.

Erland Jonsson, email:
Department of Computer Engineering, Chalmers University of Technology

Lech J. Janczewski, email:
School of Business and Economics, The University of Auckland


[1] Gritzalis, D. (Ed), University Programmes on Information Security, Dependability and Safety, European Commission, Erasmus ICP, Projekt ICP-94(&95)-G-4016/11, Report IS-CD-3c, Athens, July 1995.

[2] Katsikas, S., Gritzalis, D. (Eds), A Proposal for a Postgraduate Programme on Information Security, Dependability and Safety (Syllabus), Version 2.2, European Commission, Erasmus ICP-94(&95)-G-4016/11, Report IS-CD-4a, Athens, Sept. 1995.