The complex and evolving nature of the cyber domain requires that cybersecurity professionals have both technical skills and social intelligence. In a new article, researchers argue that cybersecurity educators need to share teaching resources to teach students critical technical and non-technical skills, and they describe a course they created that allows for such sharing to take place.
The article, by researchers at Carnegie Mellon University and Community College of Allegheny Co., appears in the Proceedings of the 56th ACM Technical Symposium on Computer Science Education. ACM—the Association for Computing Machinery—is the world's largest educational and scientific computing society.
"Most cybersecurity education at the postsecondary level is focused on technical knowledge and skills without enough attention to vital non-technical skills," says Lee Branstetter, professor of public policy and economics at Carnegie Mellon's Heinz College, who coauthored the article. "Cybersecurity education has to integrate teaching and practicing non-technical competencies alongside technical knowledge and skills to ensure that both technical and non-technical skills transfer to cybersecurity workplaces."
Cybersecurity professionals say that collaboration and written and verbal communication abilities are some of the most valuable skills in the workplace. But efforts to incorporate social, business, and other non-technical competencies with technical skills in postsecondary cybersecurity curricula are rare and face challenges.
For example, ACM and the Office of Personnel Management have urged institutions of higher education to incorporate non-technical competencies into postsecondary cybersecurity curricula, but in practice, cybersecurity certification exams often shape course content in ways that run counter to this aim. As a result, students typically encounter unrealistically pristine environments with unlimited access to systems, unconstrained authority to make changes, and little attention to how their actions could affect business operations or social dynamics.
Community colleges play a significant role in increasing the number of entry-level cybersecurity professionals and providing pathways to jobs for learners for whom a four-year degree is not a desirable option.
In this work, after identifying specific learning outcomes, researchers suggest research-based pedagogical approaches to support learning and transfer. In particular, they describe a cybersecurity lab they developed that uses experiential learning, role play, collaborative learning, technical simulation, and metacognitive engagement to support the learning outcomes they deem important.
The CyberSim Lab is a one-semester class that can be taught alongside classes on ethical hacking. In the lab, students work in small groups to identify system vulnerabilities, assess the extent of the weaknesses, develop a change management plan to address issues they have discovered, present their plan to upper management, incorporate feedback, and make necessary changes to the network.
"Gaps in the cybersecurity workforce threaten national security, commercial innovation, and the nature of public discourse in the digital age," explains Judeth Oden Choi, a researcher who recently received her Ph.D. from Carnegie Mellon's Human Computer Interaction Institute, who coauthored the article. "The CyberSim Lab serves as a curricular bridge between the classroom and the workplace, supporting cybersecurity curriculum designers by sharing learning outcomes and teaching strategies drawn from the educational research literature and tailored to the cybersecurity educational context."
"The resources we identify are especially useful for under-resourced cybersecurity programs, such as those in community colleges," adds Rotem Guttman, a Ph.D. student at the Human-Computer Interaction Institute at Carnegie Mellon, who coauthored the article.
The work was funded by the National Science Foundation, the Richard King Mellon Foundation, and the Southwest AP Build Back Better Initiative.
