Since 2014, the William and Flora Hewlett Foundation Cyber Initiative has allocated grants to support interdisciplinary cybersecurity education at universities across the United States, as part of a broader goal to develop a field of cyber policy experts and institutions that can “anticipate, analyze, and address [cybersecurity] risks thoughtfully and systematically.” This paper presents a comparative study of the interdisciplinary cybersecurity education landscape to guide educational institutions in developing and creating cybersecurity programs. We compiled publicly available information about a selection of 17 interdisciplinary cybersecurity degree programs, with a focus on masters programs offered by Hewlett grantees. We then supplemented our data collection with two focus group meetings with representatives from the programs studied, as well as from recent Hewlett grantees.
Programs in the study depicted a range of models for interdisciplinary cybersecurity education and a variety of approaches for cultivating diverse and interdisciplinary thinking in the field. These models include dual-degree programs and curriculum requirements that span multiple schools and disciplines, and that are designed to foster cross-disciplinary thinking and develop student competency in both technical and policy-oriented domains.
The study revealed a variety of important insights for university leaders to consider as they create or evolve their interdisciplinary cybersecurity programs:
- A need to bridge technical and policy approaches: While subject-matter focus and curriculum depth vary across programs studied, all programs offer (and nearly all require) coursework spanning both policy and technical cybersecurity topics. Focus group participants underscored the importance of educating cybersecurity students with a holistic understanding of cybersecurity: a “tech-informed” approach to cybersecurity policy, and awareness of legal and policy evolution impacting day-to-day management and development of technology. In addition, in many programs, between a quarter to one-half of courses offered are not cybersecurity-specific classes, underscoring the inherently interdisciplinary nature of cybersecurity and its relevance across the span of human experience.
- Teaching programming through a security lens: Computer programming requirements and approaches vary by school and degree. Bridge courses help expand accessibility into the cybersecurity domain for students with non-computer science backgrounds, and can introduce programming through a cybersecurity lens to avoid security pitfalls often encountered in generic programming courses, such as when students learn to design for expected use without accounting for malicious or other unintended behavior. Some focus group participants endorsed starting with a networking approach to technical curricula, emphasizing the connections between systems and components and teaching programming as needed, rather than starting with programming as the entry to technical coursework.
- Hands-on learning opportunities promote real-world skills: Hands-on experiential learning opportunities, such as capstone projects, practicum courses, clinics, internships, and case studies based on actual cyber incidents, law, and global political events, help students engage in interdisciplinary problem solving. Cybersecurity clinics in particular attract and train multidisciplinary security practitioners by shifting focus from protecting assets to defending people.
- Programs should be globally scoped and teach students to apply foundational concepts in new contexts: To maintain relevance in the notoriously fast-evolving and globally connected field of cybersecurity, programs need to enhance US-centric cyber policy analysis with international cybersecurity perspectives, and adopt a planned strategy for curriculum revision that leads students to practice applying foundational principles and persistent cybersecurity skills (e.g., basic cryptographic math, landmark legal cases and incidents, and skills in policy analysis, development, and writing) to evolving technical and societal contexts. Proactively and transparently framing this balance to students as a benefit to their own career longevity helps to counter bias against subject material from beyond the current news cycle.
- A need for more policy in cybersecurity curriculum frameworks: A variety of frameworks have been developed to guide the design of academic degree programs by organizing cybersecurity into a comprehensive schema of topics and categories. These frameworks tend to address cybersecurity policy topics sparingly relative to technical cybersecurity topics. Legal aspects of cybersecurity, cybersecurity’s role in foreign policy and global affairs, and cyber risk management are three broad realms under the umbrella of cybersecurity policy that are required or offered in almost all of the programs we studied, and warrant coverage in greater detail in curriculum frameworks. The majority of programs studied also offer at least one course covering privacy, cyber crime, and cyber ethics. More comprehensive definition of these sub-domains of cybersecurity policy, and acknowledgment of interdisciplinary cybersecurity degrees in accreditation and recognition programs, would help move the field of interdisciplinary cybersecurity policy from niche to mainstream.
Views: 0
