Asee peer logo

Defining A Curriculum Framework In Information Assurance And Security

Download Paper |


2003 Annual Conference


Nashville, Tennessee

Publication Date

June 22, 2003

Start Date

June 22, 2003

End Date

June 25, 2003



Conference Session

Current Issues in Information Technology

Page Count


Page Numbers

8.355.1 - 8.355.16

Permanent URL

Download Count


Request a correction

Paper Authors

author page

James Davis

author page

Melissa Dark

Download Paper |


In this paper, we describe a community effort to identify the common body of knowledge (CBK) for computer security curricula. Academicians and practitioners have been engaged in targeted workshops for the past two years, producing the results given here. The long-term objective for the project is to develop a curriculum framework for undergraduate and graduate programs in Information Assurance (IA). The framework includes: identification of broad areas of knowledge considered important for practicing professionals in information assurance, identification of key learning objectives for each of these areas, identification of a body of core knowledge and skills that all programs should contain, and a model curriculum including scope and sequence. The framework's development has been facilitated by workshops and working groups of leading information assurance educators. The goal is to produce document similar to the Joint IEEE Computer Society/ACM Task Force document (1) “Model Curricula for Computing” (Computer Science Volume) which will then be widely distributed for comment and dissemination. We anticipate that the framework will be used to guide the development of shared instructional materials, classroom instruction, and the assessment of individuals and programs. The focus for this paper is the design of the curriculum framework and the identification of the common body of knowledge. One of the interesting challenges is the breadth of the Information Assurance field. There is a tendency to view IA as strictly a subset of computer science, however many of the issues that professionals address require knowledge and skills drawn from traditionally non-computer disciplines. IA is truly a multidisciplinary endeavor, blending topics that span the disciplines of computer science, computer engineering, mathematics, management information systems and business, political science, and law1. Additionally, key processes used by IA professionals (e.g., vulnerability assessment) require a deep understanding of how important concepts in each of these disciplines are connected to each other. The rationale for the project is based in the need to develop a consensus on core IA skills and knowledge. The demand for Information Technology (IT) professionals stemming from turnover plus growth has been pegged in various references at around 600,000 open positions per year (3). While IT is of course broader than IA, it is generally believed that IA positions comprise a large percentage of the IT shortfall. There is an urgent need to significantly increase the number of graduates who are prepared for careers in the IA fields. A major barrier to meeting this challenge is that few Universities currently offer a comprehensive IA educational program; furthermore, sufficient numbers of experienced faculty to ramp up such an effort does not exist. In a testimony given to the US House of Representative Committee on Science (4) on February 11, 1997, Professor Eugene Spafford from Purdue University presented results from a survey he conducted indicating that there were only 12 faculty members nationwide with significant teaching and researching assignment in Information Assurance. In 2003, we are able to identify only a few score institutions offering more than a single course in network security or cryptography2. Given the growing need for graduates educated in computer security and the current lack of a capacity to meet that need, there is a premium placed on leveraging existing expertise by sharing instructional materials for core concepts. This will succeed on the scale needed only if there is an accepted IA curriculum framework in place. Fortunately, there exists a helpful body of work to build from. One of the key resources is the CNSS training standards for information assurance (2). These documents provide a set of learning objectives for training IA professionals, and can additionally become a good content map for a college courses (several Universities have mapped their graduate courses to the various CNSS standards). Additional resources include the proceedings from WECS (workshop on education in computer security), the “Green Book”3, SANS short courses, curriculum materials fromtheCOEschools,andmanyotherresources. Oneofthemajorchallengesiscoalescing existing instructional material and bringing stakeholders together in a shared vision of a model curriculum.

Davis, J., & Dark, M. (2003, June), Defining A Curriculum Framework In Information Assurance And Security Paper presented at 2003 Annual Conference, Nashville, Tennessee.

ASEE holds the copyright on this document. It may be read by the public free of charge. Authors may archive their work on personal websites or in institutional repositories with the following citation: © 2003 American Society for Engineering Education. Other scholars may excerpt or quote from these materials with the same citation. When excerpting or quoting from Conference Proceedings, authors should, in addition to noting the ASEE copyright, list all the original authors and their institutions and name the host city of the conference. - Last updated April 1, 2015