THE CYBERSECURITY ENHANCED LEARNING MODEL (ELM)


26 Int'l Conf. e-Learning, e-Bus., EIS, and e-Gov. EEE'17

Dr. Loyce Best Pailen, CISSP
Collegiate Professor
Director, Center for Security Studies
University of Maryland University College

In order to share a cybersecurity curriculum model for today’s public- and private-sector managers, this paper emphasizes two very important subjects for ensuring continuous improvement and innovation in teaching. First, the author offers foundational background about the increasingly important field of cybersecurity. This subject area is constantly changing as a result of new cyber threats to the global public and private sectors. Because new threats appear daily, higher education programs and courses in this discipline are difficult to keep current and need to be continually updated in order to be relevant to technologists, policy-makers, managers and strategists. Second, with this basic knowledge about the cybersecurity field, a competency-based model of curriculum development is then discussed to provide the reader with a framework for designing and redesigning curriculum in this shifting cybersecurity environment.

Categories and Subject Descriptors
Cybersecurity professionals, IT and Cybersecurity Hiring Managers, Instructional Designers, graduate school-level Program Managers and Directors, Cyber Subject Matter Experts

General Terms
Management, Measurement, Documentation, Performance, Design, Experimentation, Security, Human Factors, Cybersecurity, Curriculum Development

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, or republish, to post on servers or to redistribute to lists requires prior specific permission and/or a fee. EEE'17: The 16th International Conference on e-Learning, e-Business, Enterprise Information Systems, and e-Government. July 17-20, 2017, Las Vegas, NV. Copyright 2017

Keywords
Cybersecurity curriculum, enhanced learning model, competency-based model, multi-disciplinary curriculum approaches, Open University

1. INTRODUCTION

UMUC is working on a comprehensive program review/revision project for its transformation to competency-based learning models. UMUC continues to invest in the capacity to have the best and most compelling programs in the world. Most recently, they started the curriculum development conversation with a clean slate, asking the question: “What should students know and be able to do in their area of expertise when they graduate from the best program in the world?” This freed the University to think outside of the boundaries of what they currently do, and literally “whiteboard” the best cybersecurity and information assurance programs in the world.

The University looked to the professional organizations and/or accrediting bodies for expert input into their programs and received overwhelming guidance about what students should know and be able to do upon graduation. As well, the University scanned the environments of a few aspirant schools to see what they offered. Most importantly, using its cadre of public- and private-sector cybersecurity scholar practitioners, UMUC identified the student competencies that are critically important.
This paper reviews what the University has done to assemble the fundamental list of all competencies, learning demonstrations, assessments and the like, thinking about the cybersecurity professions of today and tomorrow (i.e., what would students need to know and be able to do five years from now in various cyber roles) [4].

Summarizing why the University embarked on this mission, Kraus states, “Adult learners have a ‘career problem,’ and they are looking for an educational institution partner to help them solve that problem. They want a better job, a different career, to achieve something. Their aspiration drives them to seek education that empowers them to achieve that aspiration - and the institution that does that better than anyone else will get their enrollment -- beyond what is said in marketing ads.” [7]

ISBN: 1-60132-454-5, CSREA Press

To lay the foundation for this paper on curriculum redesign, the author begins by putting forth an understanding of the need for up-to-date and relevant courses in cybersecurity for the adult professional. The need is for not only those in the information technology and digital forensics arenas, but those in traditional, interdependent fields such as human resources, finance and accounting, law, public policy, and supply chain management.

2. MULTI-DISCIPLINARY APPROACH

2.1 Traditional Cross-Disciplines

Today, the requirement to understand and apply the concepts of cybersecurity such as technology, risk, policy, law, privacy, regulation and compliance, in one’s managerial career has grown far beyond the needs and perceptions from only a few years ago. Why? Because on a daily basis, the news reports are strewn with stories about security breaches, privacy issues, hackers, insider threats, intellectual property concerns, hacktivism, anonymity, social media, ransomware and cyber warfare/threats.

College programs, training and development boot camps, and seminars exist but mainly teach students about information technology systems associated with network and applications software security, and digital forensics tools and technologies. Most university and training programs touch on the managerial, regulatory and policy arenas.
The operative words, though, are “touch on,” as they do so without providing the depth needed for today’s professionals or for maintaining the attention of the purely technical audience looking for career advancement along with the need to provide managerial and policy support for vulnerable organizations [2].

In addition, the distinction between academic courses of study and training is significant because employers are looking for graduates who, in the context of their cybersecurity specialties, can demonstrate all of the following foundational skills. With much consideration, UMUC built the enhanced learning model based on these skills. [8]

- Think critically, creatively and strategically
- Communicate effectively through writing and speaking
- Synthesize information
- Analyze data, problems, information and issues
- Make sound decisions
- Lead AND follow

Research shows that the issues associated with managing in a world where cybersecurity matters reach into many disciplines. There is a lack of adequate training, professional development, and graduate level programs that meet the needs. This is true for non-technical managers in the public and private sectors, as well as technical managers in upper level, decision-making and strategy development positions. [6]

2.2 Critical Infrastructure Sector Workforce Needs

Equally important, cybersecurity management and policy programs geared toward the advanced professional who may work somewhere in the list of Department of Homeland Security (DHS) 16 critical infrastructure areas are desperately needed.
These industry-specific managers must be prepared to address current and future cybersecurity issues and threats “from their perspectives.” Supporting this need are the latest 2015 (ISC)2 Global Information Security Workforce Study, a profile of over 14K respondents, and the 2013 (ISC)2 Global Information Security Workforce Study, a profile of over 12K, whose respondents said that “a broad understanding of the security field” was the #2 or #1 factor, respectively, in contributing to career success.

An associated concern is the significant growth in data breaches within all industries requiring the attention of every manager in the financial, electronic medical records, and mobile technology fields, fields that the U.S. Department of Labor, Bureau of Labor Statistics has predicted to have unprecedented workforce growth.

3. CURRICULUM DEVELOPMENT

3.1 Cybersecurity Curriculum

Therefore, given projected traditional and future workforce demands, teaching courses that require rapidly changing content in the 21st century is a challenging task for any institution. Most progressive institutions update their course content at least annually for traditional disciplines, which is usually sufficient. What about those disciplines that are dynamic with change due to the introduction of advanced technologies, new public and private organizational tensions, new local, national and international threats, and the ever-changing nature of global enterprises and politics? Cybersecurity is greatly affected by these pressures, which require nearly constant attention to keep courseware current, relevant, and useful to IT and non-IT cybersecurity professionals.

3.2 Overall Redesign Approach

In order to offer the highest quality career-relevant programs to adult learners, UMUC’s Graduate School embarked on a total redesign of their programs, the success of which can be measured by the academic and professional accomplishments of its graduates. An overarching goal was to be the leading provider of high quality workforce-relevant education to busy professionals. Rejecting the traditional way of developing courses with a textbook, standard syllabus, research papers and tests, the course redesign mandated an approach that would make students, upon graduation, capable of “doing” the work using theoretical and practical foundations. High-functioning graduates would result, ready to immediately contribute to their employers’ business goals and to society.

3.3 Competency-Based Approaches

3.3.1 American Council on Education, in its September 2014 publication entitled “Clarifying Competency-Based Education Terms,” defined CBE as:

“Competency based education (CBE) is an alternative to the credit hour-based system of credentialing. Student progress is based on demonstration of proficiency and/or mastery as measured through assessments and/or through application of credit for prior learning. In competency based education programs, time is the variable and student competency mastery is the focus, rather than a fixed-time model where students achieve varying results. In competency-based education, as distinct from competency-based learning, the focus is on academic programs, practices, and policies.” [12]

3.3.2 Learning science has evolved rapidly over the past 20 years and the University has learned a great deal about how to create experiences that help students learn best. The University used that research to put together the best student experience possible. UMUC did not need to reinvent the wheel, but brought together all of the best practices. This student learning experience is unique to UMUC and unmatched when looked at in its entirety, and that will differentiate UMUC students from competitors [3].

3.3.3 Many universities are looking at ways to modify curricula and academic models to ensure they are providing an education that enables students to be career-ready. Noted researcher Dr. Tony Carnevale, Director of the Center on Education and the Workforce at Georgetown University, argues that higher education has to meet the needs of students who want to be career-ready. He has done considerable research on what training and education the workforce must have to receive the necessary skills to be successful in the labor market [3].

3.4 ELM Development

Enhancing the Learning Model (ELM) is the project through which UMUC reviews and revises its undergraduate and graduate programs. More specifically, the ELM model includes the development of learning goals that depict what students should be able to do and breaks them down into competencies, or discrete skills students will need to demonstrate mastery of the learning goals. In order to gain the competencies, learning demonstrations, authentic assessments and rubrics are used. (See Figure 3.1) The foundational thinking for learning goals and competencies is this: they are measurable, observable and define the behavior that, again, would signal mastery of a student’s competency. It is also important to point out at this time that assessments are not tests in the traditional sense. They are planned, choreographed activities used by students to learn, demonstrate, and master. Modularized learning demonstrations allow for shifting and replacements as current events dictate.

Figure 3.1 – ELM Process

3.4.1 Graduate School Cybersecurity ELM process

The “competency-based” approach was practical and pragmatic for the entire graduate school. Program Directors developed an approach to programs that focused on the capabilities of students in competency/ability and disposition in their profession. Career relevance and career connectedness were critical considerations in every step of the design process.

As noted in Figure 3.2, the University enlisted an ecosystem of experts to validate the new curriculum. Concepts from the NIST National Initiative for Cybersecurity Education (NICE) framework, ISACA, (ISC)2 and their associated components were incorporated in the planning and development. Advisory councils and focus groups consisting of industry, government and military subject matter experts provided input to support the design, as well.

Employers and students were, and continue to be, part of the “ecosystem,” making sure programs are up-to-date and students are prepared to be successful in their profession. Programs are thoughtfully built on an appropriately sequenced series of profession-relevant learning demonstrations that help students build increasing levels of ability. Programs are built on “doing.”

Throughout the graduate program, the students develop a portfolio of learning opportunities and paths that facilitate their entry into and/or update their skillset in the career they desire. For example, a learning opportunity may include an employer’s requirement to develop an Internet Acceptable Use Policy. In the redesigned competency-based programs, graduates would have created one in their coursework and studies; so in the real world they have already mastered the competency, thus reducing learning curves “on the job.” The model gives students the opportunity to get personalized feedback from the professors for every graded deliverable until they master the project. This is powerful and different from traditional grading that only allowed students a single assignment submission and a single grade.

Figure 3.3 is an overall depiction of the learning cycles.

Figure 3.3 – ELM Learning Cycle

Source: ELM Workstreams Kickoff Design Criteria by Workstream

Figure 3.2. How We Validate the Program

Again, while this competency-based approach to curriculum development applied to the entire graduate school, it was especially relevant to the area of cybersecurity. Employers and employees who have policy-related skills are relevant today and tomorrow. Such graduates must be prepared to meet daily challenges immediately rather than go through an extended apprenticeship. The outcome of ELM has been curriculum and learning experiences that employers value because the programs are up-to-date and focus on abilities that do not become obsolete.

4. RESULTS

4.1 Results Planning

Early in the project, the University delineated clear definitions of what would be considered “done,” or a completed effort. It was certain that with a competency-based learning model in place that focused on student learning achievement, leveraging learning science, and aligning with career/employer/professional needs, success could be attained.

Concerning supporting structures, the University would also have identified and implemented a new internal community with the appropriate resources, processes, policies, technology, culture, and communication mechanisms to deliver the desired student experience and support enhanced academic programs.

An example of an important supporting structure would be one that provides the means for selecting the appropriate instructors for this model and providing faculty with tools for teaching in a rapidly changing subject area and allocating ample time for professional development and curriculum guidance.

On the topic of the technology to support the desired student and faculty experiences in the new learning model, users would be fully trained and management of the model would be fully operationalized. Finally, feedback and analytics on the new learning model would be gathered and fed into a review process focused on continuous improvement.

4.2 Actual Results

Feedback from one semester of ELM courses exposed the following strengths, recommended improvements, features that worked and those that did not.

The new learning model requires repeated faculty-student interaction in a new way that allows both parties to focus on a task with frequent opportunities for feedback. Interaction and feedback with faculty was a very strong feature. With the repetitive feedback, the need for flexibility regarding due dates was a welcomed benefit for adult working students with “life issues” that influence their schedules. Parents, traveling professionals and active duty military especially welcomed this flexibility.

Regarding the flow of the courses and the assignments’ applicability to the program, students felt better connected to the real-life examples (not “busy-work”) that they would likely encounter in the workplace.

In summary, the items in the new ELM designed courses that worked well were:

- Original design of the classroom – ease of navigation
- Teacher experience and interaction
- Course content relative to real-world examples
- Flexibility in due dates and ability to resubmit assignments for improvement for particularly motivated students

While the consensus about the course redesign was very positive, students and faculty also proffered recommended improvements. As the redesign effort is an ongoing, iterative process, the program administrators welcomed these recommendations:

Despite the fact that the layout of the class was good, students felt a bit overwhelmed with the number of steps in each of the graded projects. These required a significant level of effort to complete in the allotted period. While some students welcomed the aforementioned flexibility, others longed for deadlines, more rubrics and structured grades.

In addition, faculty feedback was well received by students but the timeliness of the feedback was reported as sometimes delayed. Faculty appreciated the opportunity to provide this feedback, but they initially felt overwhelmed with the number of feedback opportunities (i.e. possibly, over the course of 15 project steps, X 4 projects X 25 students over the term). A missing link in the ELM model is the introduction of peer interaction and group projects. With students working on projects at their individual pace, peer interaction becomes difficult.

In summary, the items identified with the ELM project that did not work as planned were:

- Rubrics and the new grading model
- Project step length and timeframe
- Lack of deadlines/penalties
- Group projects and peer discussions
- Faculty workload

Therefore, with this project in motion, one can see that with motivated, active learners, you have a strong value proposition: a highly personalized, current, dynamic and relevant program. Upon completion, cybersecurity students who have aspired to different careers or higher levels in their careers can lay the foundation for success.

5. CONCLUSION AND FUTURE RESEARCH

Cybersecurity concerns affect today’s professionals in all disciplines and industries, personally and in the workplace. Failure to upgrade and maintain their knowledge and credentials will be detrimental to their careers, corporate interests, and society as a whole. Learning institutions are here to ensure success in this arena with focused, relevant, and up-to-date teaching and programs. The ELM project is a key step in support of these efforts.
