Empirical Evidence for a Descriptive Model of Principles of Information Security Course

The purpose of this study is to examine the nature and content of the rapidly evolving undergraduate Principles of Information/Cybersecurity course, which has been attracting ever-growing attention in the computing discipline for the past decade. More specifically, it is to provide an impetus for the design of a standardized Principles of Information/Cybersecurity course. To achieve this, a survey of colleges and universities that offer the course was conducted. Several schools of engineering and business, in universities and colleges across several countries, were surveyed to generate the necessary data. Effort was made to direct the questionnaire only to Computer Information Systems (CIS), Computer Science (CS), Management Information Systems (MIS), Information Systems (IS) and other computer-related departments. The study instrument consisted of two main parts: one part addressed institutional demographic information, while the other focused on the relevant elements of the course. There are sixty-two (62) questionnaire items covering areas such as demographics, perception of the course, course content and coverage, teaching preferences, method of delivery and course technology deployed, assigned textbooks and associated resources, learner support, course assessments, and licensure-based certifications. Several themes emerged from the data analysis: (a) the principles course is an integral part of most cybersecurity programs; (b) the majority of the courses examined stress both strong technical and hands-on skills; (c) most encourage vendor-neutral certifications as a course exit characteristic; and (d) an end-of-course class project remains a standard requirement for successful course completion. Overall, the study makes it clear that cybersecurity is a multilateral discipline that refuses to be confined by context and content. It is envisaged that the results of this study will prove instructive for all practical purposes.
We expect it to be one of the most definitive descriptive models of such a cardinal course, and to help guide and actually shape the decisions of universities and academic programs focusing on information/cyber security as they update and upgrade their curricula, most especially the foundational principles course, in light of the new findings articulated herein.


Introduction
Offering Cybersecurity courses in colleges and universities across the globe has become an increasingly popular phenomenon and trend in the last decade. Countless colleges and universities have joined the bandwagon of offering and teaching Cybersecurity courses. This shift in curriculum has become the cynosure of the computing discipline's redesign in this day and age [1]. A synoptic review of a typical, contemporary Information Security Principles course suggests that it has been designed to address widely varied and divergent cybersecurity topics and issues. In fact, a cursory inspection of a sample of the courses' syllabi shows that course content and coverage vary as widely as the departments in which the courses are taught. It is safe to assert that there is neither rhyme nor reason as to what is taught and how the course is taught at this time. The need for standardization of the course cannot, therefore, be overemphasized, and that need led to this study. Elements of a benchmark for the Principles of Cybersecurity course have, as far as we know, not been properly established. In fact, Schneider [2] and Santos [3] show that there are no benchmarks for most Information Security courses, and the Principles of Information/Cybersecurity course is not an exception. Although there is substantial curriculum-based MIS/CS research in the discipline, pedagogical research in Cybersecurity is relatively sparse. As a modest start, and within recent years, some of the institutions represented in the study sample have moved towards standardizing their course offering through the establishment of a Principles of Cybersecurity course in accordance with the requirements of vendor-based and vendor-neutral certifications. Also within recent years, various computing and related programs are moving towards standardizing these courses in accordance with regular college-accreditation and program-certification requirements.
There have been concerted efforts by course instructors to cover as much as possible of contemporary cybersecurity topics. For the most part, they focus on cybersecurity foundations; risk analysis and management (identification, assessment and control); cryptography; the human aspects of cybersecurity, including policy, education, training and awareness; incident response; disaster recovery; and business continuity. Other areas include Virtual Private Networks (VPNs), Intrusion Detection and Prevention Systems, and more specific topics such as
This study investigated the structure of Principles of Information Security courses with a view to identifying commonalities and overlaps in course content, as well as the inherent variance. Germane questions addressed include whether there currently exists a benchmark Principles of Information Security course and what constitutes the primary intellectual substance of such a course. Other questions are: 1) Is there a benchmark Principles of Cybersecurity course? 2) What is the intellectual substance of such a course? 3) How have theory and laboratory work been integrated into the course to present a logical whole? By identifying a common core and the overlaps of the subject matter, we hope to have provided a basis for streamlining the process that could serve as a vehicle for the eventual standardization of the course. More specifically, the purposes of the study, which are many and varied, are primarily: to help fulfill the need for the establishment of benchmarks and standards for the Principles of Cybersecurity course, to fill the cybersecurity curriculum content deficit, and to achieve the establishment of benchmarks and standards for the Principles of Information Security course.
For background, this research draws from published works in the area of standardizing curricula and course content in the Cybersecurity domain, which so far, as pointed out by Fischer [4], has been sparse. However, there are a few known reported studies in the extant information/cybersecurity literature that have dealt with relevant curriculum questions. Even among the published works, much focus has been directed at non-content aspects, course outcomes and exit course requirements expected of students. More pointedly, Schneider [2] remarked that "an educated computer security workforce is essential for building trustworthy systems. Yet, issues about what should be taught and how are being ignored by many of the University faculty who teach cybersecurity courses, a problematic situation." Nonetheless, as part of an evolving science that draws on the established framework and published research, the study still builds upon the scanty literature that exists.
Moreover, for a relatively long time now, researchers such as Fischer [4], Alli et al. [5], and Ayoub [6] have expressed their dissatisfaction and, indeed, concern over the lack of content convergence and of a cumulative tradition in the field's subject matter. It has also been recognized that the discipline presently lacks cohesion in the Common Body of Knowledge (CBK) driving the foundational courses in Information Security [6] [7] [8].
No doubt, the rise in cyber security infringements has led to the need for sound cyber security curricula. A well-thought-out cyber security curriculum ensures that students are equipped with a firm foundation in the field and are trained in the state-of-the-art techniques needed to analyze, design and actually implement secure technology infrastructures, as pointed out by both Bogolea and Wijekumar [9] and Whitman and Mattord [10].
In addition, Whitman and Mattord [10] noted the up-trending statistics on  [17]. It must be pointed out that the expressed concern is yet to be remedied, while universities are still grappling with the need to provide students with the cognate skills needed by employers. It is also interesting to note that Luallen and Labruyere [16] recommended, among other things, that a sound cybersecurity curriculum should consist of testbed projects coupled with rapid prototyping in order to provide students with hands-on, learn-by-doing class experience. Ultimately, the ever-present challenge, as noted much earlier by Chin, Irvine, and Frincke [12], is the need to train students and individuals who can analyze, design, develop, and deploy complex and trusted cybersecurity systems with confidence.
It is also worth mentioning the numerous studies, reports and white papers that treat the cybersecurity academic preparation and industry-readiness of students [18] [19] [20]. These reports, individually and collectively, factor into the literature base and the conceptual framework guiding the study. More specifically, this study aims at gathering and reporting empirical data and evidence to support the future design of a standardized Principles of Information Security course.

Methodology
To lay the foundation for the design of a standardized undergraduate-level Principles of Information/Cybersecurity course, a survey of universities and junior colleges was conducted. The research design combined 1) a sample survey, which emphasizes statistical inference; and 2) personal interviews, which emphasize qualitative data.
The study gathered empirical data to determine benchmarks, commonalities and overlaps in the content knowledge, skills and abilities covered by the typical

Research Plan
The research plan consists of a research procedure and the process of obtaining research data. Figure 1 and Figure 2 illustrate the research steps and the sample data breakdown.
The research data were derived from 187 universities and colleges, 87% of which were universities and 13% of which were 2-year junior colleges.

Instrument and Data Sources
The primary instrument deployed was an omnibus instrument consisting of many parts, ranging from demographics through the different aspects of the survey germane to the course attributes being investigated; it is a 62-question

Emerging Paradigms for the Course
Descriptive and inferential statistics, characterized by simple frequency counts and percentage breakdowns, were carried out. Certain paradigms were, a priori, expected to provide context for our definition of the Principles of Information Security course. As speculated, and from a preliminary review of the survey results, four (4) main themes emerged.
Additionally, several course syllabi were solicited and reviewed for their struc-  As is to be expected, different programs placed varying degrees of emphasis on the contributing elements and their externalities, which are deemed adjunct to the core cybersecurity subject matter. Also, the following list highlights some of the emerging attributes of the course, i.e.
1) The Principles of Information Security course is an integral part of most information/cybersecurity programs.
2) Most Principles of Information Security courses stress both strong technical and strong organizational skills.
3) Most Principles of Information Security courses encourage students to study beyond the classroom, for certifications, and to consider licensure options.
4) Course instruction continues to be dominated by the instructor-led lecture method, although small group exercises, individual projects and presentations are often included.

Quantitative Descriptive Analysis and Results: Cybersecurity Content
On the content side, some analyses suggest that Principles of Information Security courses are most similar in the topics they cover; oddly enough, however, there exists much variance in the substance and depth of that coverage. The home college of the program (the Engineering/Business dichotomy) seems to factor into the course emphasis. Against that backdrop, the challenge of Principles of Information Security not being a uniform course remains a pedagogical limiting factor; this effort seems to have opened the door for an effective remedy.
The following statistics were derived from the survey:
1) The survey responses (a 50.2% return rate) give the respondents' institutional descriptions as follows: 7% exclusively 2-year colleges; 68% exclusively 4-year colleges; 15% both undergraduate and graduate programs; and 10% exclusively graduate programs.
2) As to the department in which the course is taught, the data revealed that Principles of Information Security is taught across very few academic units and departments; Computer Science and Computer Information Systems turn out to be the most representative, suggesting the limitation of its academic landscape and footprint.
10) The mode of teaching is, for the most part, a blend of classroom-based sit-in instruction, pure-online virtual learning, and a variety of click-and-mortar types of instruction delivery.
11) Open-ended questions, which encouraged spontaneous and unstructured responses, were instructive. Not only did they shed light on the larger question of what improvements could be introduced, they further drew out respondents' opinions, attitudes and suggestions. Ultimately, there was a unanimous recommendation that much time and effort should be devoted to the practical, hands-on aspect of the course. Focusing on vendor-neutral certifications was also not left out of account.
12) Tools deployed to teach the course can be divided into two major categories: hardware and software. They are generally graphical user interface tools designed to perform cybersecurity functions. It is noteworthy that certain intrusion detection and penetration testing tools that are commonly deployed are reported in the survey. A listing of the more popular security implementations is: Nmap, Aircrack-ng, WIFIphisher, Burp Suite, Social Engineer Toolkit, and Metasploit. The certification examinations that attract the highest mention are: Security+, Certified Information Systems Security Manager (CISM), Certified Ethical Hacker (CEH), and Risk and Information System Control (RISC).
A regression model consisting of three diagnostic variables and one institution-related independent variable was, in turn, hypothesized. Model I F-tests of significance were used to assess the changes in R² resulting from the addition of each new set of predictors.
The negligible impact of institutional characteristics on course design and development is noteworthy. Factors such as school type, accreditation status, and the deployment of cutting-edge IT infrastructure were tested for possible relationships to course emphasis, course activities and mode of instruction delivery. The results yielded no significant relationships, thus confirming the speculation that institution-related factors are not predictive of course design and structure when p is set at 0.05 (Table 1). The lack of relationship suggests that
More than 30% of the sample expressed the need for installation of sophisticated, industrial-type equipment in the laboratories to facilitate effective delivery of course instruction. As partly addressed above in the recommendations for improving the course, the four broad categories listed below were suggested: 1) the need to acquire better textbooks with case studies; 2) exposure to intense mimicry of real-life cyber threat and breach situations; 3) practical, hands-on simulation of such scenarios; and 4) risk mitigation strategies and controls.

Qualitative Analysis
As indicated earlier, a multi-method data gathering approach was employed. The attractiveness of this strategy lies in the richness it adds to the data analysis process. Hence, data items were collected and coded using open and common themes in participants' responses. Also, the need for a multi-method data gathering approach prompted a further purposive sampling, geared towards providing a subjective yet complementary source of data. This was dictated by the need to elicit additional information from course instructors to augment the researchers' confidence in the questionnaire responses. 14 institutions (0.10% of the survey sample) were targeted to be interviewed and to have their course syllabi reviewed. Only 8 instructors cooperated fully. To get a more accurate idea of the nature and structure of the Principles course, course instructors were given latitude to express, in their own words, the descriptive elements of the course. Much congruence was reported.
For example, certain comments made in part are apt, that is: 1) "… Our focus in this course is primarily to expose our students to the conceptual foundations and operational tools of cybersecurity, and address risk and the improvement of cybersecurity posture of organizations." 2) "… It is incontrovertible that the major course here is the Principles course. It prepares the students to be independent learners for all areas of information security and management." Such anecdotes support the popular belief that standardizing a core Cybersecurity course would go a long way towards resolving the incongruence in the structure and format of the course and its delivery. The themes that the syllabi review revealed, clearly in order of precedence, are cybersecurity, technology, risk management, human factors, policy, law, and ethics. As is to be expected, different programs placed varying degrees of emphasis on the externalities which are deemed adjunct to the core cybersecurity subject matter.

Conclusions
This study indicates that the structure and content of Principles of Information Security courses are diverse and divergent. Although the study deals with For one thing, some of its findings may be of interest to, and have implications for, cybersecurity curriculum planning and management. The core objective of the study, which is to examine the nature and content of the Principles of Information Security course, is established, in that the results reveal an outcome serving as a definitive descriptive model for the typical Principles of Information Security course. Furthermore, apart from providing relevant and useful information regarding course content and format, it could further act as a meaningful basis for designing future Principles of Information Security courses. Overall, what the study has demonstrated is the fullness of the Principles of Information Security course as the glue that builds bridges between security, technology and the intangible social features of an organization. Its contributions would be invaluable to the future improvement of Principles of Information Security course design and development.