Module based curriculum development
The proposed Adaptation and
Implementation builds on the Information Systems
and Internet Security (ISIS) Lab at Polytechnic University of New York (POLY),
for the development of a distributed computer security laboratory and lab
modules. The proposed project is part of our long-term plan to develop a module-based
model on computer security, which includes an array of security modules
that can be easily adapted by universities to satisfy their respective needs
and constraints. Our goal is to assist undergraduate computing programs in
integrating computer security into their curricula to meet the challenge
of the huge national demand for computer security professionals. To reach
the goal, the project has 4 main objectives (Table 1).
|a) Establish a multiple-site Distributed Computer Security
Laboratory (DCSL) across UHCL and UHD. The Lab is insulated but connected,
in the sense that, it is safely insulated from the respective campus networks
while providing a remotely connected network platform on which issues of distributed
security and related technology can be studied.
|b) Develop a module-based curricular model on computer security
to include an array of security modules that can be easily adapted by colleges
and universities to develop their own security curricula.
|c) Apply the module-based approach to adapt the courseware
developed at POLY to create two undergraduate courses: Computer Security
and Web Security, as well as short courses, workshops and integration of
lab modules to existing computing courses.
|d) Disseminate results from the project to facilitate other
universities to adopt the module-based approach and/or the insulated-but-connected
security lab model. Dissemination will include not only the usual national
channels, but also regional conferences, which typically attract participants
from smaller universities.
Table 1: Objectives of the Project
For the past decade, partly due to the widespread use of the Internet, computer
security has become a top issue in industry, academia and government. The
demand for well-trained security professionals has grown dramatically. The
integration of security into computing curricula, however, has not kept up
with this demand . There is a large discontinuity between
the demand for security professionals and the academic programs that produce
them. This deficiency deepens in undergraduate programs, where few have security
courses. A related problem is, despite the ubiquitous nature of security,
most existing computing courses lack security components. The problems are
even more serious for smaller universities where resources tend to be limited.
The NSA (National Security Agency) has designated 36 US universities as
Centers of Academic Excellence in Information Assurance Education .
Our study has indicated the overwhelming majority of those programs are
at the graduate level, with emphasis on research. For most universities in
the U.S., security education at the undergraduate level is generally inadequate.
We have identified two primary problems in the current college-level
computer security education:
Lack of a curricular model for integrating security into undergraduate
Insufficient coverage of security technology and issues in existing
computing curricula. Our preliminary study has identified 8 potential causes
of the problems (Table 2).
|| Most existing computer security curricula and programs are
at the graduate level.
|| Due to the advancement of computer security knowledge and
technology, most computing faculty, especially at the undergraduate level,
are not equipped with sufficient knowledge in computer security, and proper
training is usually not easy to obtain.
|| There exists no flexible curricular model that can be easily
adopted by smaller undergrad programs, especially those without the support
of graduate programs, to fit their needs.
|| Most undergraduate computing programs are already saturated
with various requirements, making it difficult to add new courses into existing
|| Lack of appropriately configured specialized laboratories
contributes to the difficulty of providing hands-on experience to students
in learning computer security technologies.
|| The pervasiveness of computer security in computing curriculum
makes it difficult to build a comprehensive model for teaching computer security
issues and technology.
|| Computer security is multi-disciplinary in nature, including
but not limited to disciplines such as psychology, sociology, political science,
law, computer science, computer engineering, and management .
|| Fast advancement of Internet technology has contributed to
continuous change in security-related technology, which makes the above issues
even more difficult to manage.
Table 2: Possible Causes of the Insufficient Security
Both UHCL and UHD are not exempted from the problem of inadequate undergraduate
security education. At UHCL, there exist two security courses at the graduate
level in the CS/CIS programs: CSCI5233 Computer Security, and CSCI5931 Web
Security, yet neither institution offers undergraduate computer security courses.
Furthermore, security has not been systematically integrated into existing
There are very few undergraduate computer security programs in the U.S.
We have identified and studied three of them: the North Carolina State University
(NCSU), the East Stroudsburg University of Pennsylvania (ESU), and the ISIS
Lab at Polytechnic University of NY (POLY).
The Information Security concentration at NCSU requires two courses in computer
security, plus a related technical elective and a non-technical security elective
. The Bachelor degree in Computer Security at ESU requires
five security-related courses plus an internship .
POLY has a two-course sequence in Information Systems Security: CS392 Computer
Security and CS393 Network Security. The Computer Security course covers cryptography,
capability, access controls, authentication, security models, OS security,
malicious codes, security policy formation & enforcement, and legal &
ethical aspects of security. The Network Security course includes cryptographic
authentication, firewalls, e-mail security, anonymity & privacy, Web
Security, IP Security, and intrusion detection. Together, the two courses
form a sequence that establishes a strong core for undergraduate security
education. To support the two courses, the ISIS Lab consists of heterogeneous
platforms and interconnected networks to facilitate hands-on experimentation
and information-security-related project work.
Although we would like to eventually develop a concentration or a Bachelor
degree in computer security, we feel that the ISIS Lab at POLY and the two-course
sequence fit our current needs the best. POLY is one of the Centers of Academic
Excellence in Information Assurance Education designated by the NSA and the
ISIS Lab was initiated by an NSF*-CCLI grant.
Therefore our proposed solution will be adapted from the ISIS Lab of POLY.
Professor Memon, founder of the ISIS Lab and active information security researcher
and educator, agrees to serve as the mentor of our project. He will share
courseware, insight and experience in setting up ISIS curriculum and laboratory.
He will also exchange visits with the UHCL/UHD team to facilitate the adaptation.
We propose two extensions to the ISIS model. The first is a module-based
curricular model, which will facilitate the development of an array of security
modules that enable flexible adoption and integration. The second extension
is the creation of an insulated-but-connected Distributed Computer Security
Lab (DCSL) across two campuses. The rationale and design of the curricular
model and the DCSL will be discussed in details in the following subsections.
We believe the proposed approach will address many of the causes listed
in Table 2. The approach will provide an easy-to-adopt curricular model for
undergraduate institutions and will help to eventually remove Cause A (few
undergraduate security courses and programs). Cause B (faculty development)
must be addressed by internal and external funding at each individual academic
institution, but a well-designed set of security modules covering the main
security topics will help. Our responses to the remaining causes are listed
in Table 3.
||Response & Impact
|E (lack of laboratory)
|We will establish the DCSL, not only to help UHCL/UHD
have a specialized laboratory for computer security, but to introduce a model
for designing and configuring an insulated-but-connected lab that can be adopted
by other smaller universities.
|C (no curricular model),
D (saturated curricula),
F (pervasive nature)
|We will create an array of security modules which
can be flexibly integrated into an existing program.
|G (multidisciplinary nature)
||Response: Two of the modules, Legal Issues and Ethics
and Security Systems Management, will address social and managerial issues
in security. Experts in law, ethics and management will be consulted when
the two modules are developed.
|H (fast technology advancement)
||We plan to continually update the content of the
modules to accommodate advancement and changes in computer security technology
and make the updated modules available to other colleges and universities.
Table 3: Responses and Impact
It should be noted that the proposed DCSL and the module-based curricular
model are independent. The security modules may be supported by various types
of laboratories, from whatever is available to support general programming
to whatever lab facilities are there to support the OS and Data Base courses
and, ideally, a dedicated distributed platform. Small universities can adopt
the security modules by using their existing lab support, while, if desirable,
upgrading their labs for more advanced instrumentations and/or infrastructure.
Furthermore, for many small undergraduate CS programs, it may not be possible
to offer any undergraduate security courses. For such universities, an easier
approach may be to integrate security topics into existing computing courses,
such as operating systems, databases, software engineering, etc. Our module-based
approach will help to provide such flexibility.
Our model contains an array of modules on security topics. Each module will
cover a major topic. Subject to revisions, our current design consists of
- Computer Security Intro.
- Database Security
- Malicious Programs & Secure Programming
- OS Security
- Web Security
- Network Security
- Wireless Security
- Legal Issues & Ethics
- Security Systems Management
Each module will be divided into several self-sufficient sub-modules that
address specific aspects of the module. For example, in our current design,
the Cryptography module contains six sub-modules: Cryptography overview
I & II, symmetric encryptions, asymmetric encryptions & hashing,
and cryptographic protocols I & II. Due to the ubiquitous nature of
computer security, a given sub-module may be cross-listed in several modules.
Whereas a smaller program may integrate the first one or two sub-modules
of a module into an existing course, a larger program may use all the sub-modules
to create a security course. To combat the problems of limited financial
resources and faculty expertise in smaller programs, each sub-module is
designed with the characteristics shown in
- Will be independent and cover approximately three hours of lecture.
- Has a clearly defined title, general description, goals and
- Has a collection of lecture notes, teaching guidelines, labs
and illustrative examples. The collection of illustrative examples is
especially important for smaller programs as students usually respond better
to examples than to abstract theory alone.
- Has a Web page for resource links, laboratory setup guidelines,
Table 4: Characteristics of Sub-Modules
Documentation 1 contains a sample design of modules and sub-modules. The
design will be refined using established work, such as Dark and Davis  and available work from POLY as well as IEEE, National
Colloquium for Information Systems Security Education (NCISSE), etc.
In this proposal, we plan to develop four lab modules: Malicious Programs
and Secure Programming, OS Security, Web Security, and Security Systems Management.
Two additional modules, Introduction to Computer Security and Networking Security,
will be adapted from the two courses of POLY. To complete the module-based
curricular model, we will seek additional funding in the future (e.g., the
NSF* CCLI EMD grant) to fully develop all modules.
The modules and sub-modules can be used flexibly:
(a) a sub-module can be incorporated into an existing course;
(b) sub-modules from various modules can be combined to produce a security
(c) a module itself can be offered as a special-topic short course or a
The planned activities in Table 5 demonstrate the
flexibility of this approach.
- Security modules will be integrated into selected existing courses,
such as CSCI4230 Internet Application Development and CSCI4634
Computer Systems Administration.
- The PIs at UHCL will develop two courses: Computer Security
and Web Security. § The PI at UHD will develop a new
course: Computer Security.
- We plan to offer selected short courses and/or workshops on
various security topics, such as Cryptography, Network Security Overview,
IP Security, etc.
Table 5: Development Activities and Demo of Flexible
The set of modules and sub-modules will serve as a complete basis for other
educators to refine, update and add new modules and sub-modules, in a way
similar to how open source software has been working.
Click on Modules to get the detailed information.