
The Education of Information Security Professionals: An Analysis of Industry Needs vs Academic Curriculum in the 21st Century


Abstract

This research compared the employment of the skills and attributes needed by information systems security professionals in an information systems security work environment with those taught in NSA Centers of Academic Excellence in Information Assurance Education. Using two surveys, the goal of this research was to determine if the skills and attributes identified in the CISSP were employed in an information systems work environment and if these skills were taught in colleges and universities designated as NSA Centers of Academic Excellence in Information Assurance Education.

The skills and attributes within the 10 domains of the CISSP were identified by 23 questions contained in two surveys, one to information systems security professionals working in the field and one to information systems security faculty in NSA designated Centers of Academic Excellence in Information Assurance Education. The CISSP domains cover the following areas of information security responsibilities: 1) Access Control Systems and Methodology, 2) Telecommunications and Network Security, 3) Security Management Practices, 4) Applications and Systems Development Security, 5) Cryptography, 6) Security Architecture and Models, 7) Operations Security, 8) Business Continuity Planning and Disaster Recovery Planning, 9) Laws, Investigations, and Ethics, and 10) Physical Security. The CISSP domains were chosen as the defining criteria for the development of the operational definitions after an extensive review of literature in the field of information security.

The surveys were developed over three phases: the pilot phase, the validity phase, and the reliability phase. The breakdown of the domain descriptions into questions was accomplished during the pilot survey phase. Requests for participation in the survey were e-mailed to 800 information systems security professionals and 321 information systems security faculty. There was a 67% information systems security faculty response rate and a 20% information systems security professional response rate.

This research indicated that information systems security professionals working in an information systems security work environment employed or addressed the skills and attributes identified in the 10 domains of the CISSP. This research also indicated that the skills and attributes taught in the curriculum of NSA Centers of Academic Excellence in Information Assurance Education had no association with the skills and attributes employed, or addressed, by information systems security professionals in an information systems security work environment. There was one exception, Domain 4, Applications and Systems Development Security, which indicated there was an association between how the skills and attributes were employed in an information systems security work environment and were taught in NSA Centers of Academic Excellence in Information Assurance Education.

The findings of this research can be used as a baseline to develop information systems security curriculum. Further research is needed to determine the differences, if any, in the skills and attributes identified in the various information security certifications, the correlation between the skills and attributes identified in each of the information security certifications, and any differences in the employment of these skills and attributes between certified and non-certified information systems security professionals.

Bibliographic record

  • Author: Fundaburk Albert L.
  • Year: 2004
  • Original format: PDF
