OU blog

Personal Blogs

Christopher Douce

CISSE Cyber Security Education and Employability Forum: November 2022

Visible to anyone in the world
Edited by Christopher Douce, Monday, 21 Nov 2022, 15:48

On 16 November 2022 I participated an online Cyber Security Education and Employability Forum, which was hosted by CISSE, the UK chapter of the Colloquium for Information Systems Security, and facilitated in collaboration with colleagues from the University of Roehampton School of Arts and Digital Industries and the OU School of Computing and Communications.

The forum was described as “an opportunity to share your knowledge and experience with the cyber education community, and to informally network with colleagues in other institutions who are involved with cyber security learning, teaching and employability.”

Since the event was not recorded, this blog aims to present a summary of what was discussed within the event. It is broadly intended for the 40 delegates who attended the session, but it might be of interest to anyone who may have an interest in cyber security. In some ways, this event follows on from an earlier CISSE Cyber Security Education Workshop that took place in 2021. This blog can also be viewed alongside other OU cyber security blogs.

The event began with an introduction by Charles Clarke, from the University of Roehampton.

Cyber Springboard

The first session was presented by Alex Collins, who presents a tool called Cyber Springboard. Clicking on this link takes you to a page which clearly summarises the aim of Cyber Springboard, which is to help students to “build and evidence the skills to get a job in cyber security”. The site also presents “activities and ideas for you to get curious about to build fluency in cyber skills”. 

Alex told us that he sits on certification panels, and his work on Cyber Springboard comes from 20 years of working in industry.

Alex made some important points that were reflected throughout the session. He emphasised that cyber is more than pen testing (penetration testing), more than forensics, and more than risk management; a career in ‘cyber’ is more than one of those things. An interesting reflection is that each of these areas have different stereotypes, in terms of the type of work that is performed within each area. The point is clear: cyber is broad. There are 21 Knowledge areas within the cyber security body of knowledge, the CyBOK; it’s a broad area. 

Cyber Springboard enables users to find what they like and don’t like. I made a note that there are 301 cards and activities which are connected to the CyBok knowledge areas. When registered, users can tick off cards. Each card contributes to a shape of a cyber knowledge profile, which can be shared on a personal profile or a CV. The next steps are to consider courses and pathways, developing improvements to the structure of Cyber Springboard, and increasing Cybok coverage.

Alex was asked an interesting question about how it is possible to move to cyber security. The question was answered in terms of building practical skills, finding time to learn what you enjoy, and evidence what you have achieved. An important point was: demonstrate enthusiasm. Also, consider providing a Github link on your CV. Sharing something will give you something to talk about in an interview.

Routes into cyber education: discussion and sharing

Next up was an informal session by Phil Hackett and myself, facilitated by Charles Clarke. The aim of the session was to discuss routes into cyber security teaching through a discussion, and sharing of resources.

One of the themes to emerge from this session was the notion of transitions. Phil began as an OU student, and then became a computing teacher at a secondary school. From there, he had ‘crossed the floor’ to work within the university, where he is involved with modules such as M269 Algorithms, data structures and computability.

My own story is a bit different. I moved from the university sector (where I carried out some research which was about the practice of computer programming), to industry, and back again. One thing that Phil and I have in common is that we’re both tutors; he teaches on M269, and I tutor on a Java module that has the title M250 Object-oriented Java Programming. Another commonality is that we have both had to deal with different types of cyber security incident. These incidents connect to the importance of having knowledge of controls and technical knowledge.

One thing that is common to transitions is the importance of evidence, and having a story; points which relate nicely to Alex’s presentation about Cyber Springboard. In terms of moving from industry to academia, one thing that we didn’t have time to share was a short Badged Open Course, which helps potential applicants understand more about the role of an OU tutor: Being an OU tutor in STEM. Anyone completing this course will be providing evidence that they understand what it means to be a distance learning tutor.

Another point that I think I made was about the important contributions industrial professionals can make to teaching. Importantly, and significantly, their industrial experience can help to make module materials come alive.

I made a note of two questions that were asked. The first question was about how to gain access to internships. Some thoughts were: make sure you have a good LinkedIn profile, know what you’re interested in, and don’t be afraid to be cheeky. What I mean by this is: don’t be afraid to get in touch with people and companies.

The second question was an interesting and challenging question: is it really necessary to have strong publication record if you want to be in academia? There are different roles within academia, and different institutions have different requirements. The short answer is: no, it isn’t really necessary, but you may have to choose where to apply to, and what you wish to do. Just like with cyber jobs, evidencing experience is really important. I’ll conclude by saying that becoming an OU tutor is a really great way to evidence your cyber teaching skills, and is a great way to join academia.

CyberFirst

The penultimate session was by Patrick from CyberFirst which is a part of the UK Government National Cyber Security Centre.

CyberFirst aims to “identify and nurture a diverse range of talented young people into a cyber security career”. As well as providing activities to “inspire and encourage students from all backgrounds to consider a career in cyber security”. CyberFirst also offers bursaries to undergraduates and degree apprenticeship students. (As an aside, the OU also offers cyber security analyst digital technology solutions degree apprenticeships for employers who want to support the development of their workforce).

For those working within the schools sector, CyberFirst is divided into a number of UK regions. CyberFirst is “working on ways to build a diverse and sufficient talent pipeline into the cyber sector (in all its forms) no matter what students have studied before”. Linking to the earlier presentations, some related questions are: how do we get people to use Alex’s tools, and how do we encourage students to study cyber security (and related subjects) at the OU?

An important point Patrick made was that “every job is a tech job” and that “our skills gap is pretty much everyone in the UK” given that technology is so interwoven into our lives. There are some fundamental issues that need to be address, such as 80% of cyber security employees are male. It is important to address how to increase the diversity in the sector.

In earlier presentations about cyber security, the ‘leaky skills’ pipeline was highlighted. In this presentation, Patrick offered a brief summary that explains this. If computer science was the only gateway subject into cyber security, it would begin with 300k students going through KS1 through 4. Looking towards the secondary sector, 12% of students study computer science, and only 9% of those are girls. Overall, only 2.5% of students then move on to study computer science at A level.

One way to begin to address diversity is to make people aware of the different career structure that makes up cyber security (which, again, connects to the earlier Cyber Springboard presentation). This of course, links to the earlier question posed in the last session: how do learners get to have a go ‘at some stuff’ to find what they’re good at?

Faced with these challenges, Patrick suggested that it might be instructive to look to other domains to see what they do, such as sport and medicine. A question is: how do you find out what things people are good at? In terms of sport, the answer might be to let people have a go at something and then coach and train people to their full potential. For medicine, give students the time to make informed choices and after they’ve tried different things, only then do learners move into specialism.

A rhetorical question was: what do we do in the security cyber space? How might a “sports model” be applied to cyber? There is a diversity of people, and many of them have not studied computer science. There are non-techies with a little cyber awareness, techies with limited cyber awareness, and techies with a genuine interest in cyber.

Patrick shared an idea of a talent pipeline, which begins with scale and diversity, moved onto learners and people making their own decisions about the subject, engagement and learning, and then directed activity which leads into employment, roles and responsibility.

Towards the end of this session, there was a reference to something called the CISSE UK problem book, which is intended to help educators not just in terms of education and teaching, but also for outreach and engagement.

In the question answer, I noted down two questions. The first question was: “does a degree title matter? How important is the label?” His response was: “we don’t mind the degree title, but it’s more about what the degree enables you to do. Your degree may well help you into the next step; knowing things about yourself is important”. A further point was: it is really important do show and demonstrate passion in an interview. 

The second question was about experience: “as a post-graduate student now doing a part-time masters’ in computer science with cybersecurity, what sort of work experience can I gain whilst doing this degree and where would I look for these opportunities?” In the context of the OU, and other universities there are the career services, which students should feel free to consult. Also, if you want to move into cyber it is possible to do your own thing to build evidence and demonstrate capability. Look to see if there’s some open source projects you can get involved with. Find a way to build a narrative that you can take to potential employers. As was mentioned earlier, consider adding a link to a GitHub repository on your CV, to give yourself something to talk about during interviews.

Academia and industry certifications aligned: An Open University case study

The final presentation of the day was by Lee Campbell from the OU. Lee is the module chair of TM359 Systems Penetration Testing which is due to be presented for the first time in February 2023. TM359 is a part of the OU BSc (Honours) Cyber Security. Lee takes us through a set of slides which presents the background context and much of the rationale for the module.

Why create a penetration testing module?

Business have a skills gap; they need more people with cyber security skills. Plus cyber security issues is a UK government tier 1 threat to national security. Also, students have been requesting a penetration testing module, and there is a need to complete the OU cyber security qualification. 

A really interesting aspect of both cyber security and pen testing is that they cover so many different areas of computing, such as programming, databases, and networking (which are all aspects which have been studied, in one form or another, during earlier modules).

OU options to build a pen test module

There are two key choices: build something in house, or outsource. One key need was to create (or to find) a technical environment that would be used by 600 students that would be separated from the OU technical environment. There are, always challenges; these were the resources that were available and the time.

The key considerations (or requirements) that I noted down from Lee’s presentation were costs, student access, the need for a web-based solution (to avoid the use of virtual machines), ease of integration with university education systems, and scalability. In light of all these considerations, a decision was made to look around to find a solution from an external supplier.

Lee made a point about education philosophy: both education and training is needed “to develop and adapt to society’s needs”. As an aside, training is about how to do things, whereas education is about when and why to do things. Any solution must amalgamate both perspectives.

Why align with a certification body?

If the decision is to outsource, which provider should the university go with? Lee highlighted a number of certifications that relate to pen testing and ethical hacking, such as CompTIA PenTest+, CPSA, Offensive OSCP, and Certified Ethical Hacker (CEH). There are also a number of laboratory tools, such as HackTheBox, TryHackMe and NDG Netlab+.

In the end, the Certified Ethical Hacker (CEH) from EC-Council was chosen, which is one of the leading certification bodies and is one of the top 10 certifications that relate to the subject.

There are a lot of CEH resources. There are up to 20 modules, and each module relates to a subject area. Each module has a dedicated video that presents an overview. There are eBooks, and a browser based lab called iLabs. There is also something called the CyberQ platform where students can carry out a pentest.

Integrating the new module

The TM359 module has integrated many of these resources over 31 weeks of study to enable the materials to be delivered through the OU VLE. Significantly, TM359 covers most of the areas in Cybok 1.1. Also, efforts have clearly been made to ensure the module is clearly about education rather than training.

Students study a module per week. Every week begins with an introductory video, and there are additional materials and tools to help students to make notes. There are five blocks. Block 1 is an introduction to the module and the subject; block 2 concerns reconnaissance, scanning and enumeration; block 3 is about system hacking, gaining, maintaining access and clearing tracks; block 4 concerns stakeholder engagement and automation; block 5 covers countermeasures and mitigation.

Question and Answer session

I made a note of three questions. 

The first question relates to the challenges that accompany using a vendor certification within an undergraduate programme. Lee emphasised that the materials explain important concepts and it is hoped and expected that there is a good balance between developing technical understanding and academic learning. A further reflection from this question is that the OU already has substantial experience of linking academic study and appropriate vendor qualification through its connection with Cisco, through the modules TM257 Cisco networking (CCNA) part 1 and TM357 Cisco networking (CCNA) part 2.

A follow up question relates to how the module team deals with iterations or changes. The university has a formal process following the launch of any module. Some of the changes occur through the vendor, and there are clear benefits in using a web-based platform in the sense that the extent that changes can be managed.

The final question was more of a comment. Rather than seeking an industrial provider, one alternative may have been to facilitate a greater level of collaboration with other higher education institutions to facilitate sharing of resources. A challenge that had to be faced was, of course, timescales. A further reflection is that the CISSE community may well have a role to play in facilitating the understanding of needs for cyber security educators.

Plenary discussion and next steps

During the forum, through a link shared in text chat, participants were encouraged to share something about their background and to say something about priorities for the community. Students made up the biggest group, with 19 participants. The other participants were academics, tutors, or members of government.

The priorities were ranked as follows: 

  1. How can we ensure students get access to work experience?
  2. How can we improve the quality of learning resources in academia?
  3. How do we get more cyber security lecturers in academia?
  4. What are the alternatives to placements and internships?
  5. Alternatives to CVs?
  6. What should be in a cyber education problem book?
  7. How can job descriptions be improved?
  8. The significance of cyber learning hubs between institutions

Regarding the first point, academics have a responsibility to speak with the careers teams or department, to make sure they are fully aware of the diversity of cyber security roles. 

Another important priority, which reflected earlier discussions, is the need to increase gender diversity within cyber security. This led to a discussion about the lack of women computer science teachers. Some accompanying questions were: why is this the case? Also, what can we do to change that? One reflection concerned the language used in job descriptions is an issue. For example, adverts which contain references to “rock star developers” might be attractive to one group, and not another.

The final point I noted down was about cyber security recruitment. Here is the final paraphrased question which I think was presented by Patrick: “how do we get recruiters to engage with the person, rather than asking the technical questions that need to be asked?”.

Perhaps the answer is to take the technical questions out of the interview, leaving space and time for the important question of: which aspect of cyber security do you feel you are best suited to?

Reflections

What was significant about this event was the practical focus of some of the questions that were asked, and also how each of the sessions linked to each other. A key question was: how do I go about gaining practical cyber security experience? There are different ways to answer this: network to gain contacts, be bold when it comes to asking about opportunities, seek advice from your university’s career service (if this is an option open to you), and try to find ways to develop and demonstrate your skills on your own terms.

The lack of gender diversity was a theme that emerged a number of times. Within the OU there is a plan to setup a new OU Women in STEM conference. Linked to this is the importance of role models and teachers which was mentioned by one of the speakers.

The biggest take away point that I took away from this event also related to diversity, diversity of roles that exist within cyber security. Looking to future CISSE sessions, it will be interesting to learn how this aspect of diversity can be expressed and embedded within the ‘problem book’ that the community is working on.

Acknowledgements

This blog post has morphed from a set of notes I made whilst attending the forum. Subsequently, many of the words presented within this blog come from each of the speakers, who all gave fabulous presentations. The idea for running this event came from Charles, who proposed themes, managed the registrations and worked through all the idiosyncrasies of MS Teams to make for a successful event. Thanks are also extended to Charles for his excellent proofreading. Finally, Jill Shaw helped with some of the technology admin on the day.

Permalink Add your comment
Share post
Christopher Douce

Access to cyber security day

Visible to anyone in the world
Edited by Christopher Douce, Saturday, 19 Nov 2022, 14:01

On 9 November 2022, I attended an online webinar that was entitled: the real reason for the cyber skills shortage. The webinar was a part of larger event facilitated by CREST International that was about access to cyber security. 

The event was presented by Matt Lawrence, Head of Defensive Security from an organisation called JUMPSEC.  What follows is a set of notes that I’ve made during the session, which have been roughly edited together.

This blog can be viewed alongside other OU blogs that relate to the subject of cyber security.

The real reason for the cyber skills shortage

A point I noted down was that the “skills shortage cannot be solved by bringing more people into the industry. Instead, we have to work smarter and treat current industry professionals better”. Cyber security seeing significant expansion, which means that many organisations are feeling the strain. This expression of concern was reflected in a slide that contained the words “the root of the problem is not the availability of incoming candidates, but the ability to retain skilled and experienced employees”. 

Some striking numbers were shared: the cyber security workforce shrank by 65k people and 1 in 3 cyber security professionals looking to change their role; clearly this is highly unsustainable. (I should add that I don’t know about the source of these numbers). Further comments were made, such as unhealthy working environments, and the unsustainability of operating models which relies on manual analysis of security events and alerts, and organisations going through acquisitions, which puts strain on security controls.

An earlier point that was mentioned that is worth emphasising was that no certification programme is a substitute of hands-on experience.

How do we deal with the skills shortage? I noted down the words: “sustainability is key; compromise is inevitable.” I also noted down “we can’t predict timing and severity” of attacks and events. Professionals “must prepare for the worst, and be ready”.

How are cyber threats evolving?  There were interesting points about ransomware, the practical inadequacy of cyber insurance, gaps of existing control gaps, or lapsing of expected controls. There will always be mistakes: users will accidentally respond to phising emails and there can be inadvertent lapses in permissions; the basics can go wrong. Put another way, “it is the fundamentals that really matter; this goes for organisations and people”. Significantly, applying more technology isn’t necessarily a solution: “before you invest in new security technology, are you making best use of what you already have”. Matt shared a compelling metaphor: don’t make your cyber security haystack bigger by getting more tech.

Paraphrasing some key points about challenges: responders (to cyber events) may have little or no network visibility, and not be able to respond due to a lack of preparations and too may assumptions. Within an organisation there may be “technical debt”, which is a metaphor I have not heard before. Technical debt (Wikipedia), essentially, means shortcuts. In terms of cyber security, this might mean that services might being adequately patched, or infrastructure might be misconfigured. From an organisational perspective, different employees may have misaligned expectations, there may be few checks and balances, and little understanding of threat and available attack paths.

A further slide summarised some of these challenges that were emphasised in the webinar. Some key points include: cyber security operating models may lead to monitoring approaches that are not fit for purpose, and this may lead to the focus on cyber products (which is a technical fix), which may then in turn lead to other issues, such as a potential lack of accountability.

Principles

How do we deal with all this? There are, of course, no immediate or simple answer. A set of principles were shared, which appear to share knowledge and experience.

  1. Augment people with technology. Don’t consider fancy solutions
  2. Be pragmatic and detect what matters (most relevant to the organisation).
  3. Respond on the front foot. Planning, what are the opportunities to respond.
  4. Avoid dependency to enable progress. A security provider is only as good as the organisation they are protecting.
  5. Be visible and transparent. Evidence of services performing as intended.
  6. Be flexible and adaptive.
  7. Embed continuous improvement. Small steps are better than big leaps.

Reflections

I learnt quite a few things through this seminar, and it certainly got me thinking.

Over the last few years, partly due to lots of changes within the OU, I’ve started to become fascinated about organisations, particularly in terms of how they are structured and how they work. The most important element within any organisation is, of course, people. When it comes to cyber security people are, in my view, the most important element. It is people who respond to cyber security incidents, and it is people who setup and maintain controls.

Some of the points mentioned within the webinar reminded me of previous study of a module that goes by the code M889 Information and Data Security. This module has become M811 Information security, which helps students to think about controls, checks, and balances. This subject can also be found within the OU’s undergraduate cyber security named degree, within the module TM311 Information Security.

Acknowledgements

A big acknowledgement goes to the webinar speaker, Matt. I don’t know Matt; I’ve never met him. I also have no connection with either CREST International, who facilitated a series of workshops and events during the day. The really interesting topics highlighted here comes from the event. Where possible, I’ve tried to quote directly. Apologies for any misrepresentations or getting the wrong end of any sticks. 

Finally, I found out about this event through an email that was circulated to the school. I have no idea who sent it, so I have no idea who to thank. So, whoever you are, thanks for sending it through! 

Permalink Add your comment
Share post
Christopher Douce

Cyber Security Education Workshop ‘21

Visible to anyone in the world
Edited by Christopher Douce, Thursday, 22 Jul 2021, 18:12

On 17 June 21, the OU School of Computing and Communications in collaboration with CISSE UK, the UK chapter of the Colloquium for Information Systems Security ran its first online workshop on cyber security education. 

This post offers a rough summary of the event for anyone who wasn’t able to attend. This article also shares links to accompanying resources. The structure of this post reflects the structure of the event, and offers a set of reflections and potential next steps.

The event covers two broad themes: employment and skills, and curriculum. During the second theme, the event splits into two streams: one for higher education, and another for participants who are related to CyberFirst, which covers the 11-17 age group.

One thing that I will mention is that I only managed to attend three quarters of the event, and had to leave before the final panel discussions. This said, co-presenters and delegates, have shared with me some links and themes that were raised during the final discussion session.

Introduction and Overview

Arosha Bandara and Chitra Balakrishna, from the OU, and Phil Legg from the University of West of England and CISSE opened the workshop. Chitra stated that its aim workshop was to bring together different stakeholders, to gain a common understanding of key challenges in cyber security education and to focus on curriculum, curriculum delivery, and skills development.

Phil took the opportunity to share something about CISSE UK. It aims to bring together cyber security educators across the UK, it aims to share and collaborate, and to find ways to do things better. Phil made the point that institutions are all trying to learn how things are done in the distance learning context.

After the introductions and welcome, it was time for two keynotes from colleagues from the National Cyber Security Centre (NCSC).  

Keynote 1: NCSC - Cyber Growth Academia Team

Chris E introduced the NCSC, which is the National technical authority for cyber security. It has what is known as a Cyber Growth Academia Team. The NCSE has a strategy to develop skills and support education and does this by having an interest in developing graduates and apprentices. I made a note of the point that: “everyone should have access to high quality cyber security education”.

An important resource for anyone interested in this area is the Cyber Security Body of Knowledge (Cybok.org).

There was references to different pathways, such as master’s degrees, integrated master’s, bachelor’s degrees, and degree apprenticeships. Universities are also introducing combined courses, where cyber security is combined with another subject. 

There are a number of NCSE certified degrees (NCSE website) and Academic Centres of Excellence in Cyber Security Education (ACEs-CSE) (NCSE website).

Themes that were important for cyber security study include: reach, availability of resources, expertise, and building for the future (sustainability). Another note I made was the point that further education (post 16 education) is producing a lot of really good people, but there are questions of what we might be able to best support them. During this event I recognised the familiar metaphor of a “leaky pipeline” regarding cyber security skills. This means that some students might not become cyber security professionals.

Returning to some of the themes of the workshop, an important question to raise (and discuss) was: is there a need to tweak the accreditation guidelines to take account of the current global pandemic? Perhaps assessments need to be adjusted and students need to be pushed and tested when materials are delivered online.

Keynote 2: NCSC - CyberFirst Team

This section keynote, presented by Patrick B, had an intriguing subtitle: cyber defence against the dark arts. This immediately begs some questions: what is meant by dark arts, and what is meant by ‘cyber defense’? 

Patrick is the CyberFirst (NCSC website) school and college education lead. CyberFirst is described as “developing the UK's next generation of cyber professionals through our student bursaries, courses for 11-17 year olds and competitions”. The focus is, of course, to develop secondary school students.

A question I noted was: “What can CyberFirst and the academic eco system do for each other?” Implicit in this question is another question of how can they collaborate and more directly align with each other? A further question to ask about concerns which issues schools are asking for help with.

A challenge, of course, lies with differences. The school sector is, of course, very different to the higher education sector, and there are different education systems, partly due to different devolved education authorities. Whilst students can specialise (in cyber security themes) at post-18, it is harder for students to understand and appreciate the significance of these specialisms at an earlier level. Given that cyber security needs specialists, there is the question of how we signpost the routes to different pathways.

Keeping with the theme of difference, I also noted down the words that “we need to make our sector more inclusive”, and the point was made that there is a gender imbalance. Patrick later made the point that 94% of girls don’t study computer science GCSE. The important need to address the theme of difference was also expressed in the words: “we need more of different types of people”.

Some of the challenges were expressed by Patrick in terms of “in tray” problems: how do we make young people more cyber aware? Also, how do we help teachers with their own cyber security? And finally, how do we showcase cyber as a career and study pathway?

In terms of the first problem, how do we make young people cyber aware? I noted down the view that whilst e-safety might be covered as a subject within schools, young people don’t get formal support about cyber security. Perhaps there needs to be learning by doing to fully understand cyber hygiene, and to also convey the safe use of cyber security tools.

Regarding teachers and school staff, Patrick made the point that Ransomware is becoming an issue, and some groups of students may need support to understand “what is legal and not” in terms of computer use and misuse. Also, teachers may also need help to understand the different types of attacks that may appear within the school setting and how to respond to them.

In terms of showcasing cyber as a career and study pathway, it is important to recognise and emphasise diversity with the Cyboc. During Patrick’s talk I noted that there “are 16 different cyber security roles, as defined by cyber security council”.  These roles are connected to a variety of disciplines, such as law, history (in terms of being able to carry out research), data science, computing, and mathematics.

One suggestion might be the concept of eMentoring, which could be related to the setting up clubs, cyber activities, and reaching out to industry. There was also a call for cross institution and cross discipline conversations and collaboration.

The final slide of Patrick’s presentation has the title of: “the hope”. It was hoped that this first conference would bring communities together, that it would facilitate cross institutional conversations and collaborations. There was also the point that: “we need all parts of the eco system to be pulling together, if we wish to effect change”.

After the event, a couple of resources were shared. The first is some STEM Learning Resources (stem.org.uk) This site presents some teacher guidance, activity sheets, and some links to further resources. The second link is to the National Centre for Computing Education website for resources and support (teachcomputing.org) which presents some lesson plans for key stages 1 through 4.

Introducing CISSE UK

Natalie Coull from the University of Abertay, Charles Clarke from Kingston University, and Phil Legg from the University of West of England jointly introduced CISSE UK (website), which is an abbreviation for “Colloquium for information systems security”. Charles described CISSE as national network of cyber security education professionals. CISSE UK is inspired by CISSE USA. What follows is a set of notes that were made during the CISSE presentation, and points taken from slides which were shared after the event.

Charles’s presentation had the subheading: collaborate to innovate. He introduced the CISSE vision, which was to: “to establish a culture of outstanding innovative and state of the art cyber security education (CSE) in the UK”. An important point I noted down was: can’t do everything our own, and that CISSE is a part of a rich and diverse CSE ecosystem which comprises of government (NCSE teams), industry (through stakeholders such as practioners, employees and employers), academia (students, educators, IT teams) as well as other groups such as professional associations and community organisations.

CISSE hosts events and has an impact programme. A related issue and question is: how is it possible to make a community or an organisation such as CISSE sustainable? CISSE look to encourage and extend engagement by developing .an outcomes driven membership initiative, which launches in 2021. 

Events themselves are not enough; members will have ways to evidence engagement. Members will be able to quantify and evidence engagement in a way that can be recognised across government, industry and academia. Evidence may take the form of attending CISSE recognised events, publishing in the area of cyber security (which can take different forms), providing mentoring, and service on NCSE certified degree panels. There might also evidence of engagement within projects that aim to enhance cyber security employability amongst students.

I noted down a 6 point call for action: (1) more input from industry to inform and validate programme and student employability, (2) mentoring in academia, (3) CSE events, (4) CSE publication – we need people to share their publications, (5) involvement in cyber security education experienced-centred projects, and (6) recording evidence of involvement in NCSE certified degrees or impact panels.

The presentation concluded with a point about the importance of collaboration between colleagues from different institutions. If you are interested in cyber security education, you were encouraged to get in touch.

Theme 1: Employment and skills

This first theme, which was available to all delegates, was about employment and skills. Each presentation was delivered through a short 5 minute video recording, and was followed by a facilitated panel discussion, aimed at further exploring some of the themes that were highlighted by the presenters (who were also present during the presentation section).

What follows is an edited version of the abstracts that accompany the presentation. Although the words have been prepared by the presentation authors, their words have been edited for brevity, for this blog. 

Presentation 1: Do we need industry certifications within Computer Security Degrees?

The first presentation was from Chaminda Hewage from Cardiff Metropolitan university. Chaminda’s presentation aimed to ask a number of important questions that relate to industrial certifications: “Can students obtain the industry certifications upon graduation? Or obtain them from elsewhere while they study for the degree? Do we need to force students through a series of certifications? Is it really necessary? Do they provide the required knowledge? Do employers expect you to graduate with industry certifications?”

Chaminda’s abstract states that “computer security degrees aim to provide the required theoretical underpinning, fundamentals and provide the required knowledge and skills to prepare the students for future employment. To this end QAA and subject specific organizations such as NCSC, BCS, CIISec and CyBok provide guidelines and best practices to achieve the essential and desirable graduate qualities”

He goes onto state that he “believe[s] that educators need to find a right balance between the theoretical concepts and industry focus[ed] content” Chaminda “would like to find the answer … [to]  how much employers really value these industry certification at entry level” and holds the view that “a wider discussion should take place on this to identify the impact and issues associated with integrating certifications in cyber security degree programme[s]”

There are some clear tensions that are worthy of explanation. In his abstract, Chaminda asks whether students “need to chase endless industry certifications by different vendors?” and poses an important issue, namely that “students may be sacrificing the main ethos of higher education by following a series of vendor specific training.” He concludes with a question: “perhaps, there is no escape from industry certification due to the nature of the discipline?”

Presentation 2: An Investigation and Evaluation of Cyber Security Graduate Job Roles for Improving Students’ Employability Skills

The second presentation, by Simrandeep Kalsi, Mastaneh Davis and Nabeel Khan from Kingston, complemented Chaminda’s presentation really well. Simrandeep’s abstract emphasised the following points: “The cyber security skills in the UK labour market study conducted by the Department for Digital, Culture, Media & Sport (Gov.uk, 2021), has indicated there is an increased demand for cyber security professionals in all sectors of the industry, however, significant numbers of these job roles remain unfilled.” Further information can be found by visiting the Cyber security skills in the UK labour market 2021 publication (Gov.uk).

To further understand the situation, “an investigation was conducted into whether the experience of searching for cyber security job roles can be improved; and if the clarity, accuracy, and relevance of job search outcomes can be enhanced in a manner that proactively informs an aspiring cyber security practitioner’s career decision. Quantitative analysis was conducted on cyber related job descriptions … in order to identify the attributes that students and graduates need to develop in order to match employer needs and improve their employment prospects.”

 “Results obtained from the analysis conducted on the job descriptions show that 49.8% of the job roles from the 472 analysed were for university graduates, and 6.6% also stated that they would accept candidates who have completed graduate apprenticeships. … A very surprisingly finding was that 89.4% of the job descriptions did not specify the need for experience.”

“The result of this study highlighted important key employability skills including having a positive attitude to continuous development and lifelong learning, listening skills, and the desirability of being a proactive individual, the latter potentially being a standout point amongst many recruiters. … These results are illustrated through 6 infographics, which could be of considerable value for higher education institutions for monitoring and addressing the cyber employability skills gap, and to enhance the experience of students when searching for cyber security job roles.”

Presentation 3: Cybersecurity apprentices – practice makes perfect? 

In some senses, degree apprentices have the potential to bridge the gap between academic study and the development of practical skills. The third presentation of the morning, by Kay Bromley, David Parry and Steve Walker present their “initial experience with the OU’s Scottish Graduate Apprenticeship in Cyber Security, and in particular the experiences of practice tutors.”

They introduce their presentation as follows: “as well as meeting the requirements for an Open University degree, apprentices also need to demonstrate the ‘core skills’ for cyber security specified in the Skills Development Scotland/Scottish Funding Council’s framework. Practice tutors provide a link between the University and its taught curriculum, the apprentice and the employer. They meet regularly with apprentices and employers. For the Scottish apprenticeships. Students do one of four Professional Practice modules, one each year, on which the practice tutor is also a module tutor.”

The professional practice modules, which are supported by a practice tutor aim to: “help students to integrate taught material into their workplace activities; develop independent learning skills, and study specialist content not covered elsewhere in the taught curriculum.”

They also offer some reflection on the practice tutor experience on the professional practice modules. It is important to note that “the pandemic has been a major issue for employers and apprentices, generating unanticipated workload for some, slowing communications within employer organisations, or apprentices being furloughed; At introductory levels apprentices and employers have tended not to take advantage of the flexibility available to them. There is a substantial overhead in learning about the structure of the apprenticeship and how to link this to the workplace; Cyber security is a sensitive subject for employers.”

More information about the Scottish Graduate Apprenticeship in Cyber Security can be found by visiting the Apprenticeships.Scot website.

Presentation 4: Opportunities and challenges of a CyberEPQ - Making basic skills in cyber security education accessible to both adolescents and adults

The final presentation of this section was by Konstantinos Mersinas and Caroline Moeckel, who consider skills from a broader perspective, whilst also returning to the themes of education and qualifications that were addressed in the first presentation. They “have created the Extended Project Qualification (EPQ) in Cyber Security to target age groups which have received relatively less focus in cyber security education. These groups are adolescents (14 to 18 year olds) and adults, often working in the industry, but not necessarily in cyber security.”

They offer a useful summary: “The EPQ is built in line with the National Occupational Standards (NOS) and its educational materials are aligned with the Chartered Institute of Information Security (CIISec). We have designed an educational curriculum to align it with the NCSC Cyber Security Body of Knowledge (CyBOK). … Our achievements include, on the one hand, the provision of a basic set of cyber security skills and knowledge to school students to allow them to proceed with studies in higher education. In that sense, the programme acts as a bridge between GCSE Studies and a university degree. On the other hand, we provide CPD to adults and professionals in the industry who can enrich their skills and employability, and advance their careers further.”

As a qualification, the EPQ appears to be interesting. They go onto write: “We believe that our initiative is accessible to almost everyone as it does not require previous knowledge of cyber security, is financially affordable and has always been delivered fully online, supported by regular web conference calls and meetings. We firmly believe that the programme has been successful in introducing cyber security to the younger generations and providing important cyber security knowledge to adults and professionals over the last 5 years, with learners moving into related university courses or securing (entry level) employment in the area”

Employment and Skills Discussion

A short discussion session was co-chaired by Natalie Coull and Charles Clarke. They began by asking Chaminda the question: “what are the best practices?” The answer I noted was in terms of the need for discussions between certification authorities and employers. Also, academics should be involved, since there is the need to gain clarity about what to focus on. 

Natalie asked all presenters whether industrial qualifications or certifications were able to successfully evidence hands on skills. A related question was: to what extent should universities be providing hands on skills, and what is the role of certification bodies in this? Put another way: will employers just take our word for it if a student has the necessary skills if they hold a particular qualification?

Charles asked another question, which was: do certifications add experience? Chitra added that it is necessary to consider the purpose of qualifications, how much are vendor driven and how much knowledge and experience driven. A point was also made that the skills landscape that is always evolving and changing.

Another point I noted was Charles’ reflection that it is important to include employers. There is also the importance and significance of industrial placements, but these are limited in numbers. A reflection was that Simrandeep’s research into the job market, should it be done continually.

The discussion moved onto the topic of pedagogy. Konstantinos suggested the role of a weekly meeting with students to discuss a current topic, which may include activities to review journals and then to reflect on what has been learnt. 

A final question I noted down, that again relates to the topic of education and training, or certificate and qualification: to what extent do certificates play a role in getting through or past a HR gateway? They might well be used in this way, but it is important to consider, more broadly, the effectiveness of cyber security recruitment within organisations.

Theme 2: Curriculum

The second presentation session was split into two strands, a Higher Education Breakout, which is summarised below, and a CyberFirst Breakout (NCSE website). CyberFirst is described as “a programme of opportunities to help young people aged 11 - 17 years explore their passion for tech by introducing them to the fast paced world of cyber security”, which is supported by the NCSE and CISSE events. 

Presentation 5: OWASP Open Application Security Curriculum Project

The first presentation of this second theme was by Adrian Winckles, from Anglia Ruskin university. Adrian’s presentation began by introducing OWASP’s main purpose, which was to “be the thriving global community that drives visibility and evolution in the safety and security of the world’s software.” Some further context is provided: “a common problem with many security education programmes (whether cyber or InfoSec) or even traditional computer science programmes is that they do not address application security adequately, if at all.” More information about OWASP, the Open Web Application Security Project is available through the OWASP.org website.

Adrian highlights that there is an opportunity “to pull together its wide-ranging expertise, projects, and dedicated volunteers to engage in these types of education programmes and initiatives by developing an educational strategy for undergraduate and postgraduate students. This could take the form of an open “Standard” curriculum template which can be adopted and adapted by diverse educational partners and organisations.”

Presentation 6: Enhancing the Cyber Security Curriculum Through Experiential Learning

Andy Reed and Christine Gardner from the School of Computing and Communications present a different perspective, focussing on an important aspect of teaching. This presentation connects the earlier discussion about whether graduates (or certificate holders) have the appropriate skills. Andy and Christine highlight that the “landscape of cyber security develops at a considerable pace, so too does need to provide adaptive teaching and learning experiences, to assist learners in developing transferable practical skills”. The development of student skills relates to the use of “various virtual learning tools and techniques”

Different tools are mentioned, such as Netlab+ from NDG and the Cisco Packet Tracer tool which is used with various OU Cisco modules. For teaching and doctorial research. Other tools were mentioned, such as NS2 and NetSim, which can be used to simulate large scale networks. Research students can share outputs from these tools their research community, 

Presentation 7: Cyber Education during Pandemic: Approaches and Lessons Learned

Thomas Win and Phil Legg, both from the University of West of England, shared some recent experiences of teaching cyber security: “the COVID-19 pandemic has necessitated a radical paradigm shift in cyber education and the delivery of modules therein, both in delivering lectures and practical sessions. We experimented with different means of delivery during the 2020/21 academic year and aim to share our perspectives and lessons learned as we navigated around the challenges posed to our module delivery.”

During their presentation, they mention “MS Teams to facilitate interactivity and gauge student understanding” and have used “real-world case studies in delivering subjects such as Ethical Hacking. In a session on memory-based exploits students were asked to research on the recently-discovered Google Chrome vulnerabilities. Coupled with breakout rooms on MS Teams, they were able to engage in peer-learning alongside research-informed learning.”

They shared some aspects of their pedagogy: “we also used physical hardware such as Micro:Bit devices in programming practicals. We further extended this in a trial running of online capture-the-flag exercises linked to physical IoT devices the behaviour of which can be observed over an online video call, and also offered some reflections: “we have found … the opportunity to explore and adopt a new teaching paradigm in cyber education pedagogy.”

A concluding reflection is that: “online interactions have changed how we - both staff and students - will interact in the future. What is important to recognise, is that in many cases, establishing offline connections first means that we can have more meaningful interactions when moving to online - the same is true for how student groups interact. As we move into 2021/22, we will want to ensure we keep sight of these lessons from the previous year to continue to improve cyber security education.

During Thomas’s presentation, I also noted down the points that contact time with students was more valuable, and contact time is important to understand where students are in terms of understanding the lecture materials. A tentative conclusion is that: blended learning is here to stay.

Curriculum Discussion

This second discussion session, which was centred around curriculum, was also chaired by Natalie Coull and Charles Clarke. Natalie opened up with a question to Andy and Christine: is it time consuming to set up the experiential learning activities? 

In the OU there is a support team that manages the physical NetLabs hardware and infrastructure. In the OU context, a module team is often able to reuse an experiential design year on year. It is possible to see what students have done by asking students to share their configuration files and by reviewing live logs. A related point is that teaching also tries to draw on the student’s context.

Natalie asked Thomas about building relationships with students. A reflection was that some students may lose confidence when speaking in the classroom. It is also important to consider how to encourage students to return the classroom. Different approaches might be to create non-traditional activities such as assignment workshops, or use approaches such as gamification.

Thomas was asked a particularly challenging question: how to you engage students who don’t engage with pre-recoded videos. The answer I noted down was in terms of building or presenting incentives, such as providing an overview, or a summary, or give them a “cliff hanger”, and link recordings to assessments. 

Being a cyber security tutor

The penultimate session of the day, which was about the advantages and benefits of becoming a cyber security tutor in higher education (specifically within the OU) was presented by Arosha Bandara and Ian Kennedy.

Arosha began by outlining the role of a tutor. Through distance learning, students have opportunities to study materials in their own time (but must complete important assessments by certain dates). Tutors act as a guide and facilitator, helping students to make sense of the module materials that have been prepared by module teams. In some ways, tutors adopt what some consider to be a ‘flipped classroom’ approach, where students work through materials in advance of a tutorial, which are all currently delivered online. 

Tutors also provide correspondence tuition to students, which is an important aspect of distance teaching. Students are given tailored feedback and guidance, to help them to understand how to further understand module concepts, understanding and skills.

More information about the role of a tutor (including a cyber security tutor) can be found by visiting this free Badged Open Course (BOC): Being and OU Tutor in STEM: Computing and Communications (OpenLearn). There are also a series of videos, entitled Teaching on TM352: Web, Mobile and Cloud Computing (YouTube) which might be of interest to prospective OU computing tutors.

Arosha and Ian answered the important question of: who might become a tutor? Tutors have varying background. They might be academics from other institutions (HE or FE), post-doctoral researchers, or they might be practioners working in industry. The industrial experience of tutors is both welcome an important as whilst academics may have theoretical knowledge, they may lack practical experience at the “cyber security coal face”. Another perspective is that it is hard to get practical experience whilst working an academic context.

The advantages work both ways. From an industrial perspective, a practioner background is very useful to an academic community. Conversely, an academic role does give some practioner-tutors the opportunity to “dig deep” into certain topics and develop a higher level academic perspective to augment what is a very important and pragmatic approach to problem solving.

If you are interested in potentially becoming a tutor within the OU, do visit the OU tutor recruitment site and select the "Faculty of Maths, Computing & Technology". You should then be able to find a list of modules that are currently being advertised. More information about how to apply can be found through the How to Apply page. A big tip for anyone who is considering applying is: always ensure that you provide sufficient evidence to show that you meet the person spec criteria. For OU modules, there are two parts: a generic bit (which is about teaching), and a module specific bit. A suggestion is to copy all the points from each part of the person spec onto your application form, and provide at least 3 sentences of supporting evidence underneath, so everything is as clear as possible for whoever makes the recruitment decisions.

Panel discussion: how do we enhance and support diversity in cyber security? 

The workshop concluded with a panel discussion that was chaired by Ian Kennedy, a cyber security lecturer from the OU. Member of the discussion panel included delegates from Deloitte, Accenture Security, and the UK Cyber Security Council.

Although I wasn’t able to attend this final session, I heard that there were discussions about how and where to embed cyber education in the school sector. After the event, I was also sent a couple of links that were highlighted within the final session. The first link has the title “Why the Seven Personae of Cyber?” (CyberEQA.org) which explores diversity of roles that can exist within the broad subject of cyber security. Relating to the importance theme of gender within cyber security, there was also a reference to the Geena Davis Institute on Gender in Media (Seejane.org)

Reflections

One of the themes that really struck me was the richness of cyber security as a subject, which reflects an important link to the theme of diversity, which was emphasised by the workshop. On one hand, there are the really hard core technical bits. On the other there are other subjects that have a softer, and essential human edge to them. There are different tools that need to be understood and appreciated: there are technical tools, and there are institutional practices and policies. All these aspects are, of course, mediated through people, organisations and structures. All this suggests that cyber security professional need different skill sets, and may gravitate towards the subject from different directions.

Another theme that struck me as being significant was the importance of cyber security within schools the schools’ sector. I noted down that there was a clear difference between the importance of safety awareness and detailed cyber security education. There are clear debates that surround the extent to which it should be embedded within teaching.

I enjoyed the diversity of the presentations, and I do encourage anyone who is interested in this subject, and this event, to view the short presentation that can be accessed through this blog. I especially liked Simrandeep’s qualitative study. Cyber security is a fast moving subject, and her study represents a practical and useful snapshot of the needs of the sector at a particular point in time.  It would be interesting to carry out a replication in a few years to see what had changed.

Another highlight was the summary of CISSE. UK A reflection is that collaboration and support between institutions whilst working in a fast changing sector is both important and helpful. After hearing Charles’ description of what it is, and how it works, I’m now very tempted to sign up. 

Finally, it was great to see how many colleagues were interested in this event. 87 delegates attended the event, but there were over 200 registrations. Looking forwards, it would be great to run a similar event again. We have a lot to learn from each other.

Acknowledgements

Many of the words and themes presented within the blog come from a range of different sources: from the speakers, from their presentations and from their abstracts. Acknowledgements are extended to colleagues who read early versions of this blog.

Permalink Add your comment
Share post
Christopher Douce

Cyber security resources

Visible to anyone in the world
Edited by Christopher Douce, Tuesday, 12 Dec 2017, 16:26

There is a considerable amount of interest in the subject of cyber security. It seems as if a day doesn’t go by without a new story about a worrying data breach or a hack attack. New terms such as phishing has entered in the lexicon and we regularly hear references to topics such as encryption and malware. 

Cyber security is currently a hot topic within government (GOV.UK policy website) and the university is investing in cyber security teaching in the School of Computing and Communications.

With the possibility of new modules (and perhaps qualifications) on the horizon, an important question is: what can associate lecturers do to be prepared for new cyber security modules? This blog post is to summarise a set of resources that might be useful. This post is, of course, unapologetically OU centric and there, are of course, many other resources or books out there. If you do know of other resources that might be helpful, do feel free to add a comment below.

Cyber security MOOC

The OU, in collaboration with FutureLearn runs a MOOC (massive open online course) entitled Introduction to Cyber Security (FutureLearn). This is particularly interesting, since the course description states that ‘it has been developed by The Open University with support from the UK Government’s National Cyber Security Programme’.  It is presented as a ‘double accredited course’, described as a GCHQ certified training course, accredited by the Institute of Information Security Professionals (IISP).

The MOOC addresses a range of relevant topics, such as: threats, authentication (access control, passwords, two-factor authentication), malware (types of malware, attack vectors, preventing infection), cryptography, network security (firewalls, virtual private networks, intrusion detection/prevention), cyber security laws, recovering from attacks and managing risks.

Postgraduate modules

One of the great things about being a tutor is that tutors can study many OU modules as a part of their continuing professional development. If you’re interested in cyber security, tutors can choose to study two different postgraduate modules that are linked to the subject of cyber security.

The first module is called M811 Information security. M811 is relating to IT governance and management (which reflects the focus of the postgraduate programme). Here is the key part of the description: ‘In this online module, you’ll explore the professional and technical skills necessary to understand, document, manage and implement strategic and operational aspects of your organisation's information security. You’ll study topics in information security risk assessment and management, as well as professionalism, home information security, and information security research.’

Regarding M811, an important point is that it isn’t a technical module: instead, it focuses on the socio-technical and organisational issues which reflects the notion that cyber security is just not about technology: it is about people too.

The second module is called M812 Digital forensics. M812 is different to M811, since it is a lot more technical. It is described as follows: ‘This online module will help you understand how to conduct investigations to correctly gather, analyse and present digital evidence to both business and legal audiences. You will also learn how to find tools to locate and analyse digital evidence on a variety of devices, including mobile phones, and how to keep up to date with changing technologies, laws and regulations in digital forensics.’

The connection with law is particularly important and useful. It introduces learners to different aspects of legislation that relate to data and cyber security. It is technical in the sense that students are required to carry out an analysis of a digital image (data downloaded from a digital device) and write a detailed report. An interesting aspect of the module is that students (acting as digital forensic examiners) will take play in a short role play activity where they present evidence to a tutor who plays the role of a court barrister.

OpenLearn: Badged Open Courses

As well as FutureLearn, the university has OpenLearn, which offers BOCs (rather than MOOCs). A BOC is a Badged Open Course. There are three BOCs that relate to cyber security.

The most recent BOC is called Introduction to cybersecurity: say safe online (OpenLearn). The course is described as follows: ‘[it will] help you to understand online security and start to protect your digital life, whether at home or work. You will learn how to recognise the threats that could harm you online and the steps you can take to reduce the chances that they will happen to you.’ The learning outcomes are: ‘start to protect your digital life, recognise threats to your online safety, take steps to reduce the risk of online threats, understand concepts including malware, viruses and trojans, consider network security, cryptography and identity theft’.

OpenLearn also contains BOCs made from sections from M811 and M812; you can even use these BOCs to get a feel for what kinds of materials are presented in either of these modules. 

The Information security BOC (OpenLearn) is described as follows: ‘... information has become the life blood of the modern world. Given its importance, modern organisations aren’t always as careful as they could be with it. . . . In this free coursey ou’ll explore what it is about information that makes it so valuable.’ Again, the emphasis is on people and organisations, rather than technology. 

The Digital forensics BOC (OpenLearn), being derived from M812, is descried as follows: ‘Digital forensics, is an introduction to computer forensics and investigation, and will give you an overview of forensic science in general, including how it works in practice. It will introduce you to the world of digital forensics, that is, applying forensic science to the digital artefacts that we create every day through our interactions with computers, mobile phones and the unseen objects around us that encompass the so-called ‘internet of things’.

There are of course, loads of other Science, Maths and Technology BOCs available.

Other resources

FutureLearn is, of course, one of many MOOC providers. Three other providers are called EdX, Udacity and Coursera.  

At the time of writing EdX runs a MOOC called Cybersecurity fundamentals, which was 8 weeks in length (with an average of 6-8 hrs per week), and Coursera, that relates to usability security (which can be considered to be an intersection between interaction design and cyber security).


Acknowlegements: Many thanks to Sharon Dawes for providing the inspiration and motivation behind the writing of this blog, and for also sending me links to a number of related cyber security resources.

Permalink Add your comment
Share post

This blog might contain posts that are only visible to logged-in users, or where only logged-in users can comment. If you have an account on the system, please log in for full access.

Total visits to this blog: 1976911