On 17 June 21, the OU School of Computing and Communications in collaboration with CISSE UK, the UK chapter of the Colloquium for Information Systems Security ran its first online workshop on cyber security education.
This post offers a rough summary of the event for anyone who wasn’t able to attend. This article also shares links to accompanying resources. The structure of this post reflects the structure of the event, and offers a set of reflections and potential next steps.
The event covers two broad themes: employment and skills, and curriculum. During the second theme, the event splits into two streams: one for higher education, and another for participants who are related to CyberFirst, which covers the 11-17 age group.
One thing that I will mention is that I only managed to attend three quarters of the event, and had to leave before the final panel discussions. This said, co-presenters and delegates, have shared with me some links and themes that were raised during the final discussion session.
Introduction and Overview
Arosha Bandara and Chitra Balakrishna, from the OU, and Phil Legg from the University of West of England and CISSE opened the workshop. Chitra stated that its aim workshop was to bring together different stakeholders, to gain a common understanding of key challenges in cyber security education and to focus on curriculum, curriculum delivery, and skills development.
Phil took the opportunity to share something about CISSE UK. It aims to bring together cyber security educators across the UK, it aims to share and collaborate, and to find ways to do things better. Phil made the point that institutions are all trying to learn how things are done in the distance learning context.
After the introductions and welcome, it was time for two keynotes from colleagues from the National Cyber Security Centre (NCSC).
Keynote 1: NCSC - Cyber Growth Academia Team
Chris E introduced the NCSC, which is the National technical authority for cyber security. It has what is known as a Cyber Growth Academia Team. The NCSE has a strategy to develop skills and support education and does this by having an interest in developing graduates and apprentices. I made a note of the point that: “everyone should have access to high quality cyber security education”.
An important resource for anyone interested in this area is the Cyber Security Body of Knowledge (Cybok.org).
There was references to different pathways, such as master’s degrees, integrated master’s, bachelor’s degrees, and degree apprenticeships. Universities are also introducing combined courses, where cyber security is combined with another subject.
There are a number of NCSE certified degrees (NCSE website) and Academic Centres of Excellence in Cyber Security Education (ACEs-CSE) (NCSE website).
Themes that were important for cyber security study include: reach, availability of resources, expertise, and building for the future (sustainability). Another note I made was the point that further education (post 16 education) is producing a lot of really good people, but there are questions of what we might be able to best support them. During this event I recognised the familiar metaphor of a “leaky pipeline” regarding cyber security skills. This means that some students might not become cyber security professionals.
Returning to some of the themes of the workshop, an important question to raise (and discuss) was: is there a need to tweak the accreditation guidelines to take account of the current global pandemic? Perhaps assessments need to be adjusted and students need to be pushed and tested when materials are delivered online.
Keynote 2: NCSC - CyberFirst Team
This section keynote, presented by Patrick B, had an intriguing subtitle: cyber defence against the dark arts. This immediately begs some questions: what is meant by dark arts, and what is meant by ‘cyber defense’?
Patrick is the CyberFirst (NCSC website) school and college education lead. CyberFirst is described as “developing the UK's next generation of cyber professionals through our student bursaries, courses for 11-17 year olds and competitions”. The focus is, of course, to develop secondary school students.
A question I noted was: “What can CyberFirst and the academic eco system do for each other?” Implicit in this question is another question of how can they collaborate and more directly align with each other? A further question to ask about concerns which issues schools are asking for help with.
A challenge, of course, lies with differences. The school sector is, of course, very different to the higher education sector, and there are different education systems, partly due to different devolved education authorities. Whilst students can specialise (in cyber security themes) at post-18, it is harder for students to understand and appreciate the significance of these specialisms at an earlier level. Given that cyber security needs specialists, there is the question of how we signpost the routes to different pathways.
Keeping with the theme of difference, I also noted down the words that “we need to make our sector more inclusive”, and the point was made that there is a gender imbalance. Patrick later made the point that 94% of girls don’t study computer science GCSE. The important need to address the theme of difference was also expressed in the words: “we need more of different types of people”.
Some of the challenges were expressed by Patrick in terms of “in tray” problems: how do we make young people more cyber aware? Also, how do we help teachers with their own cyber security? And finally, how do we showcase cyber as a career and study pathway?
In terms of the first problem, how do we make young people cyber aware? I noted down the view that whilst e-safety might be covered as a subject within schools, young people don’t get formal support about cyber security. Perhaps there needs to be learning by doing to fully understand cyber hygiene, and to also convey the safe use of cyber security tools.
Regarding teachers and school staff, Patrick made the point that Ransomware is becoming an issue, and some groups of students may need support to understand “what is legal and not” in terms of computer use and misuse. Also, teachers may also need help to understand the different types of attacks that may appear within the school setting and how to respond to them.
In terms of showcasing cyber as a career and study pathway, it is important to recognise and emphasise diversity with the Cyboc. During Patrick’s talk I noted that there “are 16 different cyber security roles, as defined by cyber security council”. These roles are connected to a variety of disciplines, such as law, history (in terms of being able to carry out research), data science, computing, and mathematics.
One suggestion might be the concept of eMentoring, which could be related to the setting up clubs, cyber activities, and reaching out to industry. There was also a call for cross institution and cross discipline conversations and collaboration.
The final slide of Patrick’s presentation has the title of: “the hope”. It was hoped that this first conference would bring communities together, that it would facilitate cross institutional conversations and collaborations. There was also the point that: “we need all parts of the eco system to be pulling together, if we wish to effect change”.
After the event, a couple of resources were shared. The first is some STEM Learning Resources (stem.org.uk) This site presents some teacher guidance, activity sheets, and some links to further resources. The second link is to the National Centre for Computing Education website for resources and support (teachcomputing.org) which presents some lesson plans for key stages 1 through 4.
Introducing CISSE UK
Natalie Coull from the University of Abertay, Charles Clarke from Kingston University, and Phil Legg from the University of West of England jointly introduced CISSE UK (website), which is an abbreviation for “Colloquium for information systems security”. Charles described CISSE as national network of cyber security education professionals. CISSE UK is inspired by CISSE USA. What follows is a set of notes that were made during the CISSE presentation, and points taken from slides which were shared after the event.
Charles’s presentation had the subheading: collaborate to innovate. He introduced the CISSE vision, which was to: “to establish a culture of outstanding innovative and state of the art cyber security education (CSE) in the UK”. An important point I noted down was: can’t do everything our own, and that CISSE is a part of a rich and diverse CSE ecosystem which comprises of government (NCSE teams), industry (through stakeholders such as practioners, employees and employers), academia (students, educators, IT teams) as well as other groups such as professional associations and community organisations.
CISSE hosts events and has an impact programme. A related issue and question is: how is it possible to make a community or an organisation such as CISSE sustainable? CISSE look to encourage and extend engagement by developing .an outcomes driven membership initiative, which launches in 2021.
Events themselves are not enough; members will have ways to evidence engagement. Members will be able to quantify and evidence engagement in a way that can be recognised across government, industry and academia. Evidence may take the form of attending CISSE recognised events, publishing in the area of cyber security (which can take different forms), providing mentoring, and service on NCSE certified degree panels. There might also evidence of engagement within projects that aim to enhance cyber security employability amongst students.
I noted down a 6 point call for action: (1) more input from industry to inform and validate programme and student employability, (2) mentoring in academia, (3) CSE events, (4) CSE publication – we need people to share their publications, (5) involvement in cyber security education experienced-centred projects, and (6) recording evidence of involvement in NCSE certified degrees or impact panels.
The presentation concluded with a point about the importance of collaboration between colleagues from different institutions. If you are interested in cyber security education, you were encouraged to get in touch.
Theme 1: Employment and skills
This first theme, which was available to all delegates, was about employment and skills. Each presentation was delivered through a short 5 minute video recording, and was followed by a facilitated panel discussion, aimed at further exploring some of the themes that were highlighted by the presenters (who were also present during the presentation section).
What follows is an edited version of the abstracts that accompany the presentation. Although the words have been prepared by the presentation authors, their words have been edited for brevity, for this blog.
The first presentation was from Chaminda Hewage from Cardiff Metropolitan university. Chaminda’s presentation aimed to ask a number of important questions that relate to industrial certifications: “Can students obtain the industry certifications upon graduation? Or obtain them from elsewhere while they study for the degree? Do we need to force students through a series of certifications? Is it really necessary? Do they provide the required knowledge? Do employers expect you to graduate with industry certifications?”
Chaminda’s abstract states that “computer security degrees aim to provide the required theoretical underpinning, fundamentals and provide the required knowledge and skills to prepare the students for future employment. To this end QAA and subject specific organizations such as NCSC, BCS, CIISec and CyBok provide guidelines and best practices to achieve the essential and desirable graduate qualities”
He goes onto state that he “believe[s] that educators need to find a right balance between the theoretical concepts and industry focus[ed] content” Chaminda “would like to find the answer … [to] how much employers really value these industry certification at entry level” and holds the view that “a wider discussion should take place on this to identify the impact and issues associated with integrating certifications in cyber security degree programme[s]”
There are some clear tensions that are worthy of explanation. In his abstract, Chaminda asks whether students “need to chase endless industry certifications by different vendors?” and poses an important issue, namely that “students may be sacrificing the main ethos of higher education by following a series of vendor specific training.” He concludes with a question: “perhaps, there is no escape from industry certification due to the nature of the discipline?”
Presentation 2: An Investigation and Evaluation of Cyber Security Graduate Job Roles for Improving Students’ Employability Skills
The second presentation, by Simrandeep Kalsi, Mastaneh Davis and Nabeel Khan from Kingston, complemented Chaminda’s presentation really well. Simrandeep’s abstract emphasised the following points: “The cyber security skills in the UK labour market study conducted by the Department for Digital, Culture, Media & Sport (Gov.uk, 2021), has indicated there is an increased demand for cyber security professionals in all sectors of the industry, however, significant numbers of these job roles remain unfilled.” Further information can be found by visiting the Cyber security skills in the UK labour market 2021 publication (Gov.uk).
To further understand the situation, “an investigation was conducted into whether the experience of searching for cyber security job roles can be improved; and if the clarity, accuracy, and relevance of job search outcomes can be enhanced in a manner that proactively informs an aspiring cyber security practitioner’s career decision. Quantitative analysis was conducted on cyber related job descriptions … in order to identify the attributes that students and graduates need to develop in order to match employer needs and improve their employment prospects.”
“Results obtained from the analysis conducted on the job descriptions show that 49.8% of the job roles from the 472 analysed were for university graduates, and 6.6% also stated that they would accept candidates who have completed graduate apprenticeships. … A very surprisingly finding was that 89.4% of the job descriptions did not specify the need for experience.”
“The result of this study highlighted important key employability skills including having a positive attitude to continuous development and lifelong learning, listening skills, and the desirability of being a proactive individual, the latter potentially being a standout point amongst many recruiters. … These results are illustrated through 6 infographics, which could be of considerable value for higher education institutions for monitoring and addressing the cyber employability skills gap, and to enhance the experience of students when searching for cyber security job roles.”
In some senses, degree apprentices have the potential to bridge the gap between academic study and the development of practical skills. The third presentation of the morning, by Kay Bromley, David Parry and Steve Walker present their “initial experience with the OU’s Scottish Graduate Apprenticeship in Cyber Security, and in particular the experiences of practice tutors.”
They introduce their presentation as follows: “as well as meeting the requirements for an Open University degree, apprentices also need to demonstrate the ‘core skills’ for cyber security specified in the Skills Development Scotland/Scottish Funding Council’s framework. Practice tutors provide a link between the University and its taught curriculum, the apprentice and the employer. They meet regularly with apprentices and employers. For the Scottish apprenticeships. Students do one of four Professional Practice modules, one each year, on which the practice tutor is also a module tutor.”
The professional practice modules, which are supported by a practice tutor aim to: “help students to integrate taught material into their workplace activities; develop independent learning skills, and study specialist content not covered elsewhere in the taught curriculum.”
They also offer some reflection on the practice tutor experience on the professional practice modules. It is important to note that “the pandemic has been a major issue for employers and apprentices, generating unanticipated workload for some, slowing communications within employer organisations, or apprentices being furloughed; At introductory levels apprentices and employers have tended not to take advantage of the flexibility available to them. There is a substantial overhead in learning about the structure of the apprenticeship and how to link this to the workplace; Cyber security is a sensitive subject for employers.”
More information about the Scottish Graduate Apprenticeship in Cyber Security can be found by visiting the Apprenticeships.Scot website.
Presentation 4: Opportunities and challenges of a CyberEPQ - Making basic skills in cyber security education accessible to both adolescents and adults
The final presentation of this section was by Konstantinos Mersinas and Caroline Moeckel, who consider skills from a broader perspective, whilst also returning to the themes of education and qualifications that were addressed in the first presentation. They “have created the Extended Project Qualification (EPQ) in Cyber Security to target age groups which have received relatively less focus in cyber security education. These groups are adolescents (14 to 18 year olds) and adults, often working in the industry, but not necessarily in cyber security.”
They offer a useful summary: “The EPQ is built in line with the National Occupational Standards (NOS) and its educational materials are aligned with the Chartered Institute of Information Security (CIISec). We have designed an educational curriculum to align it with the NCSC Cyber Security Body of Knowledge (CyBOK). … Our achievements include, on the one hand, the provision of a basic set of cyber security skills and knowledge to school students to allow them to proceed with studies in higher education. In that sense, the programme acts as a bridge between GCSE Studies and a university degree. On the other hand, we provide CPD to adults and professionals in the industry who can enrich their skills and employability, and advance their careers further.”
As a qualification, the EPQ appears to be interesting. They go onto write: “We believe that our initiative is accessible to almost everyone as it does not require previous knowledge of cyber security, is financially affordable and has always been delivered fully online, supported by regular web conference calls and meetings. We firmly believe that the programme has been successful in introducing cyber security to the younger generations and providing important cyber security knowledge to adults and professionals over the last 5 years, with learners moving into related university courses or securing (entry level) employment in the area”
Employment and Skills Discussion
A short discussion session was co-chaired by Natalie Coull and Charles Clarke. They began by asking Chaminda the question: “what are the best practices?” The answer I noted was in terms of the need for discussions between certification authorities and employers. Also, academics should be involved, since there is the need to gain clarity about what to focus on.
Natalie asked all presenters whether industrial qualifications or certifications were able to successfully evidence hands on skills. A related question was: to what extent should universities be providing hands on skills, and what is the role of certification bodies in this? Put another way: will employers just take our word for it if a student has the necessary skills if they hold a particular qualification?
Charles asked another question, which was: do certifications add experience? Chitra added that it is necessary to consider the purpose of qualifications, how much are vendor driven and how much knowledge and experience driven. A point was also made that the skills landscape that is always evolving and changing.
Another point I noted was Charles’ reflection that it is important to include employers. There is also the importance and significance of industrial placements, but these are limited in numbers. A reflection was that Simrandeep’s research into the job market, should it be done continually.
The discussion moved onto the topic of pedagogy. Konstantinos suggested the role of a weekly meeting with students to discuss a current topic, which may include activities to review journals and then to reflect on what has been learnt.
A final question I noted down, that again relates to the topic of education and training, or certificate and qualification: to what extent do certificates play a role in getting through or past a HR gateway? They might well be used in this way, but it is important to consider, more broadly, the effectiveness of cyber security recruitment within organisations.
Theme 2: Curriculum
The second presentation session was split into two strands, a Higher Education Breakout, which is summarised below, and a CyberFirst Breakout (NCSE website). CyberFirst is described as “a programme of opportunities to help young people aged 11 - 17 years explore their passion for tech by introducing them to the fast paced world of cyber security”, which is supported by the NCSE and CISSE events.
The first presentation of this second theme was by Adrian Winckles, from Anglia Ruskin university. Adrian’s presentation began by introducing OWASP’s main purpose, which was to “be the thriving global community that drives visibility and evolution in the safety and security of the world’s software.” Some further context is provided: “a common problem with many security education programmes (whether cyber or InfoSec) or even traditional computer science programmes is that they do not address application security adequately, if at all.” More information about OWASP, the Open Web Application Security Project is available through the OWASP.org website.
Adrian highlights that there is an opportunity “to pull together its wide-ranging expertise, projects, and dedicated volunteers to engage in these types of education programmes and initiatives by developing an educational strategy for undergraduate and postgraduate students. This could take the form of an open “Standard” curriculum template which can be adopted and adapted by diverse educational partners and organisations.”
Andy Reed and Christine Gardner from the School of Computing and Communications present a different perspective, focussing on an important aspect of teaching. This presentation connects the earlier discussion about whether graduates (or certificate holders) have the appropriate skills. Andy and Christine highlight that the “landscape of cyber security develops at a considerable pace, so too does need to provide adaptive teaching and learning experiences, to assist learners in developing transferable practical skills”. The development of student skills relates to the use of “various virtual learning tools and techniques”
Different tools are mentioned, such as Netlab+ from NDG and the Cisco Packet Tracer tool which is used with various OU Cisco modules. For teaching and doctorial research. Other tools were mentioned, such as NS2 and NetSim, which can be used to simulate large scale networks. Research students can share outputs from these tools their research community,
Thomas Win and Phil Legg, both from the University of West of England, shared some recent experiences of teaching cyber security: “the COVID-19 pandemic has necessitated a radical paradigm shift in cyber education and the delivery of modules therein, both in delivering lectures and practical sessions. We experimented with different means of delivery during the 2020/21 academic year and aim to share our perspectives and lessons learned as we navigated around the challenges posed to our module delivery.”
During their presentation, they mention “MS Teams to facilitate interactivity and gauge student understanding” and have used “real-world case studies in delivering subjects such as Ethical Hacking. In a session on memory-based exploits students were asked to research on the recently-discovered Google Chrome vulnerabilities. Coupled with breakout rooms on MS Teams, they were able to engage in peer-learning alongside research-informed learning.”
They shared some aspects of their pedagogy: “we also used physical hardware such as Micro:Bit devices in programming practicals. We further extended this in a trial running of online capture-the-flag exercises linked to physical IoT devices the behaviour of which can be observed over an online video call, and also offered some reflections: “we have found … the opportunity to explore and adopt a new teaching paradigm in cyber education pedagogy.”
A concluding reflection is that: “online interactions have changed how we - both staff and students - will interact in the future. What is important to recognise, is that in many cases, establishing offline connections first means that we can have more meaningful interactions when moving to online - the same is true for how student groups interact. As we move into 2021/22, we will want to ensure we keep sight of these lessons from the previous year to continue to improve cyber security education.
During Thomas’s presentation, I also noted down the points that contact time with students was more valuable, and contact time is important to understand where students are in terms of understanding the lecture materials. A tentative conclusion is that: blended learning is here to stay.
This second discussion session, which was centred around curriculum, was also chaired by Natalie Coull and Charles Clarke. Natalie opened up with a question to Andy and Christine: is it time consuming to set up the experiential learning activities?
In the OU there is a support team that manages the physical NetLabs hardware and infrastructure. In the OU context, a module team is often able to reuse an experiential design year on year. It is possible to see what students have done by asking students to share their configuration files and by reviewing live logs. A related point is that teaching also tries to draw on the student’s context.
Natalie asked Thomas about building relationships with students. A reflection was that some students may lose confidence when speaking in the classroom. It is also important to consider how to encourage students to return the classroom. Different approaches might be to create non-traditional activities such as assignment workshops, or use approaches such as gamification.
Thomas was asked a particularly challenging question: how to you engage students who don’t engage with pre-recoded videos. The answer I noted down was in terms of building or presenting incentives, such as providing an overview, or a summary, or give them a “cliff hanger”, and link recordings to assessments.
Being a cyber security tutor
The penultimate session of the day, which was about the advantages and benefits of becoming a cyber security tutor in higher education (specifically within the OU) was presented by Arosha Bandara and Ian Kennedy.
Arosha began by outlining the role of a tutor. Through distance learning, students have opportunities to study materials in their own time (but must complete important assessments by certain dates). Tutors act as a guide and facilitator, helping students to make sense of the module materials that have been prepared by module teams. In some ways, tutors adopt what some consider to be a ‘flipped classroom’ approach, where students work through materials in advance of a tutorial, which are all currently delivered online.
Tutors also provide correspondence tuition to students, which is an important aspect of distance teaching. Students are given tailored feedback and guidance, to help them to understand how to further understand module concepts, understanding and skills.
More information about the role of a tutor (including a cyber security tutor) can be found by visiting this free Badged Open Course (BOC): Being and OU Tutor in STEM: Computing and Communications (OpenLearn). There are also a series of videos, entitled Teaching on TM352: Web, Mobile and Cloud Computing (YouTube) which might be of interest to prospective OU computing tutors.
Arosha and Ian answered the important question of: who might become a tutor? Tutors have varying background. They might be academics from other institutions (HE or FE), post-doctoral researchers, or they might be practioners working in industry. The industrial experience of tutors is both welcome an important as whilst academics may have theoretical knowledge, they may lack practical experience at the “cyber security coal face”. Another perspective is that it is hard to get practical experience whilst working an academic context.
The advantages work both ways. From an industrial perspective, a practioner background is very useful to an academic community. Conversely, an academic role does give some practioner-tutors the opportunity to “dig deep” into certain topics and develop a higher level academic perspective to augment what is a very important and pragmatic approach to problem solving.
If you are interested in potentially becoming a tutor within the OU, do visit the OU tutor recruitment site and select the "Faculty of Maths, Computing & Technology". You should then be able to find a list of modules that are currently being advertised. More information about how to apply can be found through the How to Apply page. A big tip for anyone who is considering applying is: always ensure that you provide sufficient evidence to show that you meet the person spec criteria. For OU modules, there are two parts: a generic bit (which is about teaching), and a module specific bit. A suggestion is to copy all the points from each part of the person spec onto your application form, and provide at least 3 sentences of supporting evidence underneath, so everything is as clear as possible for whoever makes the recruitment decisions.
Panel discussion: how do we enhance and support diversity in cyber security?
The workshop concluded with a panel discussion that was chaired by Ian Kennedy, a cyber security lecturer from the OU. Member of the discussion panel included delegates from Deloitte, Accenture Security, and the UK Cyber Security Council.
Although I wasn’t able to attend this final session, I heard that there were discussions about how and where to embed cyber education in the school sector. After the event, I was also sent a couple of links that were highlighted within the final session. The first link has the title “Why the Seven Personae of Cyber?” (CyberEQA.org) which explores diversity of roles that can exist within the broad subject of cyber security. Relating to the importance theme of gender within cyber security, there was also a reference to the Geena Davis Institute on Gender in Media (Seejane.org)
One of the themes that really struck me was the richness of cyber security as a subject, which reflects an important link to the theme of diversity, which was emphasised by the workshop. On one hand, there are the really hard core technical bits. On the other there are other subjects that have a softer, and essential human edge to them. There are different tools that need to be understood and appreciated: there are technical tools, and there are institutional practices and policies. All these aspects are, of course, mediated through people, organisations and structures. All this suggests that cyber security professional need different skill sets, and may gravitate towards the subject from different directions.
Another theme that struck me as being significant was the importance of cyber security within schools the schools’ sector. I noted down that there was a clear difference between the importance of safety awareness and detailed cyber security education. There are clear debates that surround the extent to which it should be embedded within teaching.
I enjoyed the diversity of the presentations, and I do encourage anyone who is interested in this subject, and this event, to view the short presentation that can be accessed through this blog. I especially liked Simrandeep’s qualitative study. Cyber security is a fast moving subject, and her study represents a practical and useful snapshot of the needs of the sector at a particular point in time. It would be interesting to carry out a replication in a few years to see what had changed.
Another highlight was the summary of CISSE. UK A reflection is that collaboration and support between institutions whilst working in a fast changing sector is both important and helpful. After hearing Charles’ description of what it is, and how it works, I’m now very tempted to sign up.
Finally, it was great to see how many colleagues were interested in this event. 87 delegates attended the event, but there were over 200 registrations. Looking forwards, it would be great to run a similar event again. We have a lot to learn from each other.
Many of the words and themes presented within the blog come from a range of different sources: from the speakers, from their presentations and from their abstracts. Acknowledgements are extended to colleagues who read early versions of this blog.