ORIENTATION OF SECURITY IN THE ACM CURRICULA

Abstract

Computer Security has come to be of great importance given the tremendous growth of new information technologies, Web services, electronic commerce, etc. Organizations are therefore concerned about how secure their applications and infrastructures are, and what the current security level of the information systems which manage their information is. This has therefore created the need to rely on new professionals in this environment (network administrators, secure Web servers installers and supervisors, data protection, auditing, contingency, recovery, etc.). The European Credit Transfer and Accumulation System (ECTS) is now implanted in the vast majority of the European Union’s Member States and partners, and is a basic benchmark through which to achieve transparency and harmonization of their teachings. In order to implant this system of credits to software engineering, an educational innovation project has been proposed in which the guidelines to follow for the adaptation of computer engineering subjects to the ECTS system are established. These subjects will be adapted to the methodologies and techniques in accordance with the ECTS system, and a detailed planning of educational activities and continuous assessment for each subject will be implemented. This paper presents the adaptation and implementation of a specific software engineering subject, Software Systems Security, which is part of the specific Teaching Project for Software Engineering Technology developed by identifying and adjusting the contents of this subject, first, to the guidelines defined in the ECTS system, and secondly, to the real needs that any software engineer may encounter in the present-day business world.
ORIENTATION OF SECURITY IN THE ACM CURRICULA
Carlos Blanco, David G. Rosado, Luis Enrique Sánchez, Eduardo Fernández-Medina
and Mario Piattini
Alarcos Research Group – Institute of Information Technologies & Systems
Dep. of Information Technologies & Systems – Escuela Superior de Informática
University of Castilla-La Mancha. Ciudad Real. Spain
{Carlos.Blanco, David.GRosado, Luise.Sanchez, Eduardo.Fdezmedina, Mario.Piattini}@uclm.es
Abstract
It is evident that information has become one of the main assets of organizations, and in
many cases represents the main strategic element in the fulfilment of their objectives and
as a support for their activities. Organizations invest enormous amounts of time and
money in creating information systems that offer them the highest productivity and
quality, and it is for this reason that security related issues are gaining importance at both
an international and a national level.
Security is currently considered to be a new area of engineering, and computer security
engineers are those professionals that are most in demand in this area. Security deals
with highly diverse areas of computer science, which are applicable to a wide range of
fields such as business, scientific research, medicine, manufacturing, logistics, banking,
meteorology, law and networks, among many others. Given the importance that such
professionals represent for organizations, and owing to the increasing potential that
information technologies are taking on in improving organizations’ productivity, ensuring
their survival, and even changing their way of life (e-Government, e-Commerce, etc.), the
tremendous importance of the implementation of security in our modern society is
justified.
It would therefore appear logical to believe that there should be a correspondence
between the importance of security, and the weight that it receives in the curricula of our
universities. This paper discusses what the current situation with regard to Security is
within the various sub-disciplines of computing defined in the Computing Curricula of
ACM. The different proposals related to security as defined in each of these
sub-disciplines are studied in detail, and the recommendations offered by each are also
presented.
Keywords - Security, ECTS, Computer Engineering, ACM curricula.
1 INTRODUCTION
Government and commercial organizations rely heavily on the use of information to conduct their
business activities. Compromise of confidentiality, integrity, availability, non-repudiation,
accountability, authenticity and reliability of an organization’s assets can have an adverse impact.
Consequently, there is a critical need to protect information and to manage the security of ICT
systems within organizations. This requirement to protect information is particularly important in
today’s environment because many organizations are internally and externally connected by networks
of ICT systems not necessarily controlled by their organizations [1].
Software systems are created to satisfy business and mission goals. To ensure that the system
satisfies these goals, you must ensure that the various activities involved in the creation of the system
(requirements engineering, architecture design, and implementation) conform to the business and
mission goals of the system.
The Computing Curricula provides an overview of the different kinds of undergraduate degree
programs in computing that are currently available and for which curriculum standards are now, or will
soon be, available. Teachers, administrators, students, and parents need this report because
computing is a broad discipline that crosses the boundaries between mathematics, science,
engineering, and business and because computing embraces important competencies that lie at the
foundation of professional practice. Computing consists of several fields, and many respected colleges
and universities offer undergraduate degree programs in several of them such as computer science,
computer engineering, information systems, information technology, software engineering, and more.
These computing fields are related but also quite different from each other. The variety of degree
programs in computing presents students, educators, administrators, and other community leaders
with choices about where to focus their efforts [2].
Given how important it is for organizations to have security professionals, and given the
increasing potential of information technology to improve the productivity of
organizations, ensure their survival, and even change our lifestyle (eGovernment, eCommerce,
etc.), the great importance of implementing security in our modern, connected society is
warranted. Despite this importance, in the current curricula (the plans being phased out) security is
not considered an important subject: it is defined as specific elective or free-configuration subjects
with a very small number of credits, or it is covered in a paragraph within the
compulsory subjects of the degree, such as operating systems or networks.
That is the reason why we study the different disciplines of the Computing Curricula, trying to find the most
important security aspects of each discipline for incorporation into the new curricula which are being
implemented in the EU states.
The remainder of this paper is organized as follows: Section 2 briefly shows the different curricula
proposed by the ACM/IEEE for Computer Engineering; Section 3 analyses the main security topics
considered for a computer engineer and how these topics are covered by the curricula; finally, Section
4 presents our conclusions.
2 COMPUTING CURRICULA OF ACM
In 1998 ACM and the Computer Society of IEEE set up a scientific committee called Year 2001 Model
Curricula for Computing (CC2001) [3], which was asked to review the curriculum of 1991 and
develop a set of curriculum guidelines that address the latest developments of information technology
in the past decade and endure through the next decade. The CC2001 report is divided into six parts: a
general volume (general principles and the parts common to all volumes of specific disciplines) and five
volumes of specific disciplines. These disciplines are: 1) Computer Science (CS 2008); 2) Computer
Engineering (CE 2004); 3) Software Engineering (SE 2004); 4) Information Systems (IS 2002); and 5)
Information Technologies (IT 2008).
In 2005 the so-called Computing Curricula 2005 (CC2005) [2] was published. It is a clear
evolution of CC2001 and consists of a report called “Overview Report”, which attempts to
summarize the content of the specific reports of each discipline.
This “Overview Report” summarizes the body of knowledge of the degree courses of each one of
the five disciplines, highlighting their commonalities and differences. In addition, this document
includes “The Guide to Undergraduate Degree Programs in Computing”. This guide has been
produced with the aim of serving a wider audience and provides a more concise characterization of
each discipline and characteristic factors that students can take into account when selecting an area
of study in “computing”.
Next, we will summarize the most important aspects of each discipline of the Computing Curricula.
A. Curriculum ACM/IEEE CS 2008
Since the development of CS2001, some relevant trends in the evolution of the discipline of computer
science have become apparent. These include: the emergence of security as a major area of concern;
the growing relevance of concurrency; and the pervasive nature of net-centric computing.
Early in its history, the original CS2001 Task Force identified a set of 14 areas that together
represented the body of knowledge for computer science at the undergraduate level. This structure
remains in this interim report. Therefore, the CS2008 [4] establishes the following main areas in the body
of knowledge for computer science: Discrete Structures, Human-Computer Interaction, Programming
Fundamentals, Graphics and Visual Computing, Algorithms and Complexity, Intelligent Systems,
Architecture and Organization, Information Management, Operating Systems, Social and Professional
Issues, Net-Centric Computing, Software Engineering, Programming Languages and Computational
Science.
This new volume captures in a succinct form the major changes that appear as a consequence of this
interim review of the CS2001 Computer Science volume. In summary, this new report:
  • recognizes the existence of additional curricular advice that has been published since around 2001;
  • incorporates a general updating of the body of knowledge;
  • includes advice on new courses or course fragments that are provided as exemplars.
B. Curriculum ACM/IEEE SE 2004
The document known as SE 2004 (Software Engineering 2004 Curriculum Guidelines for
Undergraduate Degree Programs in Software Engineering) [5] was developed by ACM and the
education activities team of IEEE-CS. Other participating organizations are the Australian Computer
Society, British Computer Society and the Japan Information Processing Society.
The main objective of this report is to provide guidance to academic institutions and accreditation
agencies about what should constitute the education degree in IS. The two main contributions of this
report are: i) Education knowledge of software engineering that every graduate should know (known
as SEEK - Software Engineering Education Knowledge) and ii) the curriculum, i.e., the various ways in
which this associated knowledge and skills can be acquired.
The ten knowledge areas that make up the SEEK are: Computing Essentials, Mathematical &
Engineering Fundamentals, Professional Practice, Software Modelling & Analysis, Software Design,
Software Verification & Validation, Software Evolution, Software Process, Software Quality, and
Software Management.
C. Curriculum ACM/IEEE IS 2002
The Information Systems curriculum [5] is an initiative of ACM, AIS and AITP. It has been widely
accepted and has become the basis for the accreditation of degree programs in information systems.
IS 2002 Model Curriculum and Guidelines for Undergraduate Degree Programs in Information
Systems is the latest report on the model curriculum work in the information systems field. This report
specifies a set of courses grouped in the following way:
  • Prerequisites: IS 2002.P0 Personal Productivity with IS Technology.
  • Information Systems Fundamentals: IS 2002.1 Fundamentals of Information Systems; IS 2002.2 Electronic Business Strategy, Architecture and Design.
  • Information Systems Theory and Practice: IS 2002.3 Information Systems Theory and Practice.
  • Information Technology: IS 2002.4 Information Technology Hardware and Software; IS 2002.5 Programming, Data, File and Object Structures; IS 2002.6 Networks and Telecommunications.
  • Information Systems Development: IS 2002.7 Analysis and Logical Design; IS 2002.8 Physical Design and Implementation with DBMS; IS 2002.9 Physical Design and Implementation in Emerging Environments.
  • Information Systems Deployment and Management: IS 2002.10 Project Management and Practice.
D. Curriculum ACM/IEEE CE 2004
Computer Engineering is a growing and important area of endeavor. The Computer Engineering Task
Force established a set of principles to guide its work that reflects in part those that appeared in the
Computer Science Report [6]. They appear here with appropriate rewording and modification to reflect
better the tenets expected from a computer engineering program: Computer engineering is a broad
and developing field; Computer engineering is a distinct discipline; Computer engineering draws its
foundations from a wide variety of other disciplines; The rapid evolution of computer engineering
requires an ongoing review of the corresponding curriculum; Development of a computer engineering
curriculum must be sensitive to changes in technology, new developments in pedagogy, and the
importance of lifelong learning; The Computer Engineering Task Force should seek to identify the
fundamental skills and knowledge that all computer engineering graduates must possess; The
required core of the body of knowledge should be as small as reasonably possible; Computer
engineering must include appropriate and necessary design and laboratory experiences; The
computer engineering core acknowledges that engineering curricula are often subject to accreditation,
licensure, or governmental constraints; The computer engineering curriculum must include preparation
for professional practice as an integral component; The computer engineering report must include
discussions of strategies and tactics for implementation along with high-level recommendations; The
development of the final report must contain a broad base; The computer engineering final report must
strive to be international in scope.
This curriculum defines a set of disciplines such as: Algorithms, Computer Architecture and
Organization, Computer Systems Engineering, Circuits and Signals, Database Systems, Digital Logic,
Digital Signal Processing, Electronics, Embedded Systems, Human-Computer Interaction, Computer
Networks, Operating Systems, Programming Fundamentals, Social and Professional Issues, Software
Engineering, and VLSI Design and Fabrication.
E. Curriculum ACM/IEEE IT 2008
The academic discipline of Information Technology can well be characterized as the most integrative
of the computing disciplines. One implication of this characteristic is that a graduate of an IT program
should be the first one to take responsibility to resolve a computing need, no matter the source or
description of the problem, and no matter the solution that is eventually adopted. The depth of IT lies
in its breadth: an IT graduate needs to be broad enough to recognize any computing need and know
something about possible solutions. The IT graduate would be the one to select, create or assist to
create, apply, integrate, and administer the solution within the application context.
In formulating this curriculum [7], the working group followed the following principles: Although this
document can in principle be used as a stand-alone document, the formulation of the curriculum was
governed by the desire to provide a blueprint to create accreditable programs; This curriculum is
intended to exist as part of the CC2005 series; Despite the rapidly evolving nature of information
technology, we wanted to formulate a curriculum with some longevity; The curriculum must be flexible
and the required body of knowledge must be as small as possible; The curriculum must reflect those
aspects that set Information Technology apart from other computing disciplines; The curriculum must
reflect the relationship of Information Technology to other computing disciplines; This curriculum is
aimed at four-year programs offered at U.S. institutions of higher learning, but should also be
applicable in other contexts; The development of this volume must be broadly based; This volume
must go beyond knowledge areas to offer significant guidance in terms of implementation of the
curriculum.
In developing a curriculum for four-year study in Information Technology, one of the first steps is to
identify and organize the material that would be appropriate for that level. A set of knowledge area
focus groups was established, assigning to each one the responsibility of defining the body of knowledge
associated with one of the following knowledge areas: Information Technology Fundamentals, Human
Computer Interaction, Information Assurance and Security, Information Management, Integrative
Programming and Technologies, Math and Statistics for IT, Networking, Programming Fundamentals,
Platform Technologies, Systems Administration and Maintenance, System Integration & Architecture,
Social and Professional Issues, and Web Systems and Technologies.
3 SECURITY RECOMMENDATIONS FOR EACH DISCIPLINE
The increasing importance of security in our society has been taken into account in the revision of the
curricula. Thus, curricula in computer science have been improved by including more security-related
content in the existing subjects and also by creating new security subjects.
Given the depth of the security knowledge defined and recommended by the curricula, security cannot
be directly included in the educational innovation project; it is necessary to extract the most
interesting security topics and to define several core subjects. These subjects should cover all the
security concepts that a professional in computer science has to know.
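| Topic | CS 08 | SE 04 | IS 02 | CE 04 | IT 08 | MSIS 06 |
|---|---|---|---|---|---|---|
| Security Fundamentals | X | X | X | X | X | X |
| Standards and certifications | X | - | - | P | - | - |
| Ethics | X | P | P | P | X | X |
| Risks | X | P | P | X | P | P |
| Threats | X | - | - | X | X | X |
| Security Techniques | X | - | - | X | P | P |
| Cryptographic techniques | P | X | - | X | X | P |
| Secure Development | P | X | P | - | P | - |
| Security on Operating Systems | X | - | X | X | - | - |
| Security on Networks | X | X | X | X | X | X |
| Security on Data Bases | - | X | X | - | - | - |
| Security in ecommerce | - | X | - | - | - | X |

Table 1. Security topics overview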
Therefore, this paper analyses which security topics we consider most important for a professional
and how these are included in the different curricula. Tables 1 and 2 show the main security topics
related to each curriculum. Table 1 is an overview and Table 2 gives more information about the
concepts dealt with by each security topic. Each cell indicates whether the topic is completely fulfilled by
the curriculum through a core subject (“X”), partially fulfilled through elective subjects (“P”), or not
considered (“-”).
Firstly, all curricula deal with security fundamentals and the importance of security by spending some
time in the core subjects of each field, for instance systems development, networks, operating systems,
etc. Furthermore, security on networks is a topic considered in all curricula, which usually dedicate
several core subjects to explaining the secure design of networks and the use of firewalls, VPNs, and so
on.
Other security topics, such as ethical issues, threats and risks, are mainly taken into account by the
more recent curricula (CS 08, IT 08 and CE 04), which devote several core subjects to them, whereas the
remaining curricula cover them with elective subjects.
Since there are laws to protect personal data in many countries, this is an ethical issue considered in all
curricula; however, other ethics-related aspects such as intellectual property or cybercrime are given less
importance in these curricula. The list of security threats studied in these curricula is quite complete
and includes the most common Internet-related threats such as viruses, worms, Trojan horses,
DoS attacks or phishing. Finally, security risks are considered by all curricula, but not completely.
They spend some core and elective subjects on security risks but do not cover all the related
stages: analysis, control, evaluation and recuperation.
The most recent curricula (CS 08, IT 08 and CE 04) also teach security and cryptographic techniques
such as authentication protocols, access control mechanisms, security policies, confidentiality and
integrity models, auditing and logging, encryption, keys (public, private and symmetric) and digital
signatures.
Nevertheless, there are some important security topics which are not completely covered by these
curricula. These are security standards and certifications, secure development of information systems
and security on operating systems, data bases and ecommerce. Although some curricula deal with
security on the development of information systems, they do not cover all the development stages:
requirements, analysis, design, implementation and testing.
| Topic | CS 08 | SE 04 | IS 02 | CE 04 | IT 08 | MSIS 06 |
|---|---|---|---|---|---|---|
| Security Fundamentals | X | X | X | X | X | X |
| Standards and certifications | X | - | - | P | - | - |
| · Standards | P | - | - | P | X | - |
| · Certifications | X | P | - | - | - | - |
| Ethics | X | P | P | P | X | X |
| · Personal data protection | X | X | X | X | X | X |
| · Intellectual property | X | - | - | - | X | P |
| · Cybercrime, cyberwar | X | - | - | - | - | X |
| Risks | X | P | P | X | P | P |
| · Analysis | P | X | - | P | - | - |
| · Control | P | - | - | P | - | - |
| · Evaluation | P | - | - | P | - | - |
| · Recuperation | P | X | - | P | X | - |
| Threats (viruses, worms, Trojan horses, DoS attacks, phishing) | X | - | - | X | X | X |
| Security Techniques | X | - | - | X | P | P |
| · Authentication protocols | - | - | - | X | X | - |
| · Access control mechanisms | X | - | - | X | - | - |
| · Security policies | X | - | - | P | - | - |
| · Confidentiality models | X | - | - | X | X | - |
| · Integrity models | X | - | - | X | P | - |
| · Auditing and logging | P | - | - | - | P | P |
| Cryptographic techniques (encryption, public keys, private keys, symmetric keys, digital signatures) | P | X | - | X | X | P |
| Secure Development | P | X | P | - | P | - |
| · Security Requirements | - | X | - | - | X | - |
| · Secure Modelling | X | X | - | - | - | - |
| · Secure Design | - | X | X | - | - | - |
| · Secure Implementation | X | - | - | - | X | - |
| · Security Testing | X | X | - | - | - | - |
| Security on Operating Systems (security topics related with OS, design principles, policies) | X | - | X | X | - | - |
| Security on Networks (design, firewalls, VPNs) | X | X | X | X | X | X |
| Security on Data Bases (design, policies) | - | X | X | - | - | - |
| Security in ecommerce (accounting, policies, strategies) | - | X | - | - | - | X |

Table 2. Security topics detailed
4 CONCLUSIONS
The main international curricula related to Computer Engineering try to ensure the best possible
training for students according to the requirements of the computer industry for different professional
profiles. Due to the importance of information for organizations, security is a critical issue
which has to be considered in all aspects related to Computer Engineering, thus taking a special
role in the new curricula.
This paper analyses the main security topics which should be included in these curricula and how
the curricula actually cover these topics.
The main conclusion is that the most recent curricula (CS 2008, IT 08, CE 04) offer a more complete
study of security topics. They spend several core subjects on ethical issues such as personal data
protection, Internet-related security threats such as viruses, worms, Trojan horses, phishing, etc.
and security and cryptographic techniques such as authentication protocols, confidentiality and
integrity models, auditing, encryption, keys, etc.
Nevertheless, the stages involved in the secure development of information systems are not all
completely covered by core subjects. We think that this is a very important topic to consider in the
curricula: security issues should be included in the whole development process (requirements,
analysis, design, implementation, testing) and enough core subjects should be provided to cover them
in the different curricula. Furthermore, although standards are included in the curricula, they do not
pay special attention to security standards.
5 ACKNOWLEDGMENT
This research is part of the following projects: QUASIMODO (PAC08-0157-0668) financed by the
“Viceconsejería de Ciencia y Tecnología de la Junta de Comunidades de Castilla-La Mancha” (Spain),
MEDUSAS (IDI-20090557) financed by the "Centro para el Desarrollo Tecnológico Industrial.
Ministerio de Ciencia e Innovación (CDTI)” (Spain), SISTEMAS (PII2I09-0150-3135) financed by the
“Consejería de Educación y Ciencia de la Junta de Comunidades de Castilla-La Mancha” (Spain), and
BUSINESS (PET2008_0136) financed by the “Ministerio de Ciencia e Innovación” (Spain).
References
[1]. ISO/IEC, ISO/IEC 13335-1:2004, Information technology - Security techniques - Management of
information and communications technology security, 2004.
[2]. ACM/IEEE, Computing Curricula 2005. The Overview Report, 2005.
[3]. ACM/IEEE, “Computing Curricula 2001. Computer Science. Final Report (December 15).”
2001; www.computer.org/education/cc2001/final/index.htm.
[4]. ACM/IEEE, Computer Science Curriculum 2008, 2008.
[5]. ACM/IEEE, Software Engineering 2004. Curriculum Guidelines for Undergraduate Degree
Programs in Software Engineering, 2004.
[6]. ACM/IEEE, Computer Engineering 2004. Curriculum Guidelines for Undergraduate Degree
Programs in Computer Engineering, 2004.
[7]. ACM/IEEE, Information Technology 2008. Curriculum Guidelines for Undergraduate Degree
Programs in Information Technology, 2008.