Barriers to Quality Information Security Awareness Program in Computer Science

Onwudebelu Ugochukwu
Federal University Ndufu-Alike Ikwo, Abakaliki, Nigeria
Ifeanyi-Reuben Nkechi Jacinta
Rhema University, Aba, Nigeria
Uchenna C. Ugwoke
Federal University of Technology, Minna, Nigeria
ABSTRACT Information security has become a serious concern not just for corporations but also for academic institutions and their normal functioning. No one is immune from cyber attacks, which may come from various sources such as email, Facebook, ecommerce sites etc. Securing our information technology infrastructure is a major challenge with no simple solutions; nevertheless, education plays a critical role in creating a safe and secure computing environment. However, looking at the academic sector, we are bound to ask whether the sector is actually playing its part in educating undergraduates on the issues of information security. Consequently, the Computer Science program in each institution needs to initiate the development of a rich set of courses and experiences to provide students with a solid foundation in information security awareness. The Computer Science department curriculum must reflect the reality of the threats posed by hackers, as hackers cannot be completely stopped from trying to breach networks. Users, for their part, need to know about the perpetual battle that is raging in cyberspace; as the intensity of the battle increases, users' awareness likewise needs to rise so as to keep abreast of the most current and innovative cyber threats. This paper assesses the quantity and quality of information security awareness programs from eleven universities and discusses the barriers to a quality information security awareness program in Computer Science.
Keywords: Information Security, Information Assurance, Curriculum, Undergraduate, Computer Science Curriculum, Hackers, Security Awareness
CURRENT STUDIES IN COMPARATIVE EDUCATION,
SCIENCE AND TECHNOLOGY, VOLUME 2,
NUMBER 2, 2015, PP. 403-425
Introduction
Prior to 1999, universities in Nigeria were all entities of federal or state governments, and the mission of those universities was to improve literacy, increase scientific and technological research, and train human resources for the developmental needs of the country (Nnadozie & Nnadozie, 2008). With a need to deregulate and liberalize higher education, the government monopoly of universities in Nigeria was broken in 1999 with the licensing of the first private universities. Most commenced academic activities almost immediately and have been contributing to the Nigerian nation since then.
Information is the lifeblood of any corporation as well as any nation. It is fundamental to the success of all business functions, from the daily operations of the various business units to supplying records on any aircraft when requested by the proper authorities. If any of the information is improperly disclosed, manipulated, or deleted, the results can be costly and disastrous. The Internet has come to stay and is becoming a part of everyone's daily life. Simple things such as shopping, sharing files, chatting, and working now happen over the Internet. Today, the online environment is much less collegial and trustworthy. Furthermore, it contains dangerous files, scammers, viruses and risks (PhysOrg, 2014). Therefore, information security has become one of the biggest issues we face today. Many organizations are trying to deal with the shortage by focusing on internal promotion and educational efforts. Security has been a technically challenging problem with computers almost from the first instance of their operational use. Besides, networking brought greater security challenges, and the arrival of the Internet (network of networks) is bringing even greater challenges (Al-Hamdani, 2006). Part of the challenge is the fact that information systems are changing quickly, and at the same time security menaces also change very quickly as new threats, vulnerabilities and attack tools are introduced. Consequently, it is an attractive target for attackers to operate and carry out their mischievous activities, making Internet attacks easy to accomplish, difficult to detect and hard to trace.
Constant reports of government network and computer compromises illustrate the importance of providing opportunities for awareness programs in information security (Radha, 2005; Savola, 2007). Recently, new threats such as social engineering attacks, denial of service attacks and cyber attacks amongst nations, along with various vulnerabilities, have cemented the need for information security awareness and hence governments' commitment to research in security. Awareness, as defined in NIST, “is not training”. The purpose of awareness presentations in this case is simply to make people knowledgeable or well-informed about information security issues. Moreover, awareness presentations are intended to allow individuals to recognize IT security concerns and respond accordingly. Awareness also implies understanding the reality of risk, Internet threats and vulnerabilities. In simple terms, the number of vulnerabilities continues to rise, while hacker tools are becoming more powerful and easier to use. At the same time, prevention is much more difficult because the technology changes rapidly. A few examples of IT information security awareness materials/activities include promotional specialty trinkets with motivational slogans; a security reminder banner on computer screens, which comes up when a user logs on; information security awareness videotapes; and posters or fliers (Al-Hamdani, 2006).
Information security awareness must be discussed alongside information assurance. Information assurance is critical to the protection of any data or knowledge management system (Multari, 2004; Bhagyavati, Olan, Naugler & Frank, 2005; Weiss, 2007). If implemented correctly, it can ensure the following four attributes: confidentiality, integrity, availability and non-repudiation. Though information security is an emerging area, there are enough solutions and products available, which are being deployed at various levels (Multari, 2004). Also, information security practices and policies have been in place (Bhilare, Ramani & Tanwani, 2009). However, the question is how this is reflected in our curricula, especially in Computer Science curricula across the country in both public and private universities.
The Nigerian Government and its various departments are becoming more dependent on computer networks, systems and software and therefore more vulnerable to hostile intelligence gathering as well as computer network attack, just like the U.S. Government (Hamilton, Owor, Dajani & Tapia, 2009). In a November 1957 Presidential address entitled "Science in National Security," Eisenhower observed that “one of our greatest and most glaring deficiencies is the failure of us in this country to give high enough priority to scientific education and to the place of science in our national life.” He also declared that the shortage of workers in highly skilled fields was “the most critical problem of all.” President Eisenhower’s 1957 assessment is valid in 2015 even in Nigeria. A new study carried out by RAND Corporation suggested that the nationwide shortage of cyber security professionals in the USA is posing risks for national and homeland security (PhysOrg, 2004; ZDNet, 2004; Halzack, 2014). Leading industry experts say this talent gap is only getting worse. This is despite the fact that their students are given proper orientation concerning information security awareness at the undergraduate and graduate levels. In Nigeria the level of such awareness and orientation is very low, as will be seen in the content of the curricula of the several universities investigated.
With the popularity and availability of web-based technology and applications, combined with the growth of revenues in the ecommerce sector, there has been an increasing demand for education in concepts and skills in the area of Information Security (IS), especially with regard to the Internet (Shaikh, 2004). In this paper, we survey a few of the currently available academic programmes in Computer Science departments in eleven Nigerian universities. The purpose of the survey is not only to compare the different programmes offered but also to give readers an idea of the IS subject area in tertiary institutions in Nigeria. We hope the survey will serve as a starting point for readers who are interested in learning more about the scope of information security education in Nigeria.
Vaughn et al. (2004) suggested that information and computer security courses should be integrated into degree programs in at least the following three areas: computer science, software engineering and management information systems. It has been recommended that an entire degree program should not be created for IT security, particularly as it concerns our case in Nigeria, although some schools have done that successfully in the USA. Tammy et al. (2005) lamented the fact that security professionals often focus on the need for IS/IA curriculum at the undergraduate and graduate levels. However, IS/IA training is often overlooked at the primary-school education level. They suggested one way to combat this epidemic, which is to support the promotion of IA education at a much younger age. Specifically targeting elementary-level school communities with IA curricula will provide computer literacy and empowerment to those who are too often the victims of these types of crimes.
Information security awareness programs could cover the following topics: password construction/management, authentication, Internet usage, telephone fraud, physical e-mail usage and security, virus protection and detection, PC security, backups, building access, social engineering, identity theft and home office security (Al-Hamdani & Griskell, 2005; Ghafarian, 2007). It is often not sufficient to protect systems. No system is completely secure. It becomes necessary to be able to find out how those systems were attacked and find evidence to prosecute the attackers. We conclude this section by saying: If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle. (Sun Tzu, ART OF WAR)
The rest of this paper is organized as follows. Section 2 describes the data used in this study. It illustrates the related information security contents derived from the academic programmes in Computer Science departments in Nigerian universities. Section 3 discusses the implications of our findings as well as the notorious barriers, as presented in Sections 3.1, 3.2, 3.3, 3.4 and 3.5. Section 4 gives the recommendations from the researchers. Finally, Section 5 concludes by providing the study’s contributions and limitations.
Methodology
This research was conducted to find current IS/IA contents in the CS programs developed for undergraduate and graduate students in some selected Nigerian universities, to see if computer security topics were actually well covered in the curricula. The curricula of 11 universities were studied in detail; course codes and course titles whose contents were related to security topics were extracted and tabulated as shown in Tables 1, 2, 3 & 4. The universities were a mixture of federal, state and private universities. A major problem we faced was obtaining the curricula: we wanted to assess the curricula of all the federal, state and private universities in Nigeria, but that was not possible because of this hitch. Consequently, we were able to obtain the curricula of 5 federal, 1 state and 5 private universities. Tables 1, 2, 3 & 4 summarize our analysis. This research will help to evaluate the reality of these curricula and whether there is a need for enhancements or modifications.
Table 1: National Universities Commission (NUC) – CS Curriculum

| S/No. | Course Code | Credit Unit | Course Title | Course Contents Relating to IS |
|---|---|---|---|---|
| 1 | CSC 304 | 3 | Data Management 1 | Information Privacy and Security |
| 2 | CSC 321 | 3 | Systems Analysis and Design | System Design – Security |
| 3 | CSC 421 | 3 | Net-Centric Computing | Network Security |
| 4 | CSC 432 | 3 | Distributed Computing Systems | Security: Access Control, Key Management and Cryptography |
Table 2: Federal Universities – CS Curricula

F1. University of Ibadan (UI), Oyo, Oyo State

| S/No. | Course Code | Credit Unit | Course Title | Course Contents Relating to IS |
|---|---|---|---|---|
| 1 | CSC 221 | 3 | Introduction to O. S. | Storage organization and protection |
| 2 | CSC 421 | 3 | Computer Operating System II | Resource protection |
| 3 | CSC 472 | 3 | Database Systems | Security, privacy, quality and integrity protection mechanism |

F2. Nnamdi Azikiwe University (NAU), Awka, Anambra State

| S/No. | Course Code | Credit Unit | Course Title | Course Contents Relating to IS |
|---|---|---|---|---|
| 1 | CSC 261 | 2 | Information technology | Computer in society – security, ethics and law |
| 2 | CSC 321 | 2 | Operating System | Security and multimedia |
| 3 | CSC 481 | 3 | Net-Centric and distributed Computing | Fault tolerance, security, access control, key management, cryptography |
| 4 | CSC 561 | 3 | Data creation and management | Database security |
| 5 | CSC 62I | 3 | Computer Network | Computer Network Security |

F3. Federal University Ndufu Alike Ikwo (FUNAI), Abakaliki, Ebonyi State

| S/No. | Course Code | Credit Unit | Course Title | Course Contents Relating to IS |
|---|---|---|---|---|
| 1 | CSC 107 | 1 | Practical Skills in Computer Science | System threats: protection and security |
| 2 | CSC 307 | 2 | Database Systems I | Information privacy, integrity and security |
| 3 | CSC 421 | 2 | Net-Centric Computing | Network security |
| 4 | CSC 432 | 2 | Distributed Computing Systems | Security: Access control, key management, cryptography |
F4. Federal University Lokoja (FUL), Lokoja, Kogi State

| S/No. | Course Code | Credit Unit | Course Title | Course Contents Relating to IS |
|---|---|---|---|---|
| | | 2 | Introduction to Computer Applications | Computer System Protection (Virus, Trojans, |
| | | 3 | Data Management I | information privacy, integrity, security; scalability, efficiency |
| | | 3 | System Analysis and Design | Security |
| | | 3 | Information Technology Law | Intellectual Property Laws, Computer Law and Cybercrimes, Copyright, Trademark, Privacy Protection, Piracy, |
| | | 3 | Data Communica- | Network Security – |
| | | 3 | Operating System 1 | Design Issues influences of Security |
| | | 3 | Net-Centric Computing | Fundamentals of cryptography Authentication protocols, Public-key algorithms. Types of attack, e.g., denial of service, flooding, sniffing and traffic redirection. Basic network defense tools and strategies Intrusion Detection, Firewalls, Detection of malware Kerberos, IPSec, |
| 8 | CSC411 | 2 | Introduction to Cryptography | Symmetric Encryption: The Enigma Machine, Information Theoretic Security, Modern Stream, Block Ciphers, Symmetric Key Distribution, Hash Functions and Message Authentication, Public Key Encryption and Signatures: Basic Public Key Encryption Algorithm, Primality Testing, Security Issues: Attacks on Public Key Security, Definitions of Security, Provable Security: With Random Oracles, Provable Security without Random, advanced Protocols: Secret Sharing Scheme, Commitments and Oblivious Transfer, Zero-Knowledge Proofs, Secure Multi-Party Computation |
F5. Federal University of Technology (FUT), Minna, Niger State

| S/No. | Course Code | Credit Unit | Course Title | Course Contents Relating to IS |
|---|---|---|---|---|
| | CSS 216 | 3 | Cryptography Theory I | Shift Cipher, Substitution Cipher, Affine Cipher, Vigenere Cipher, Permutation Cipher, Stream Cipher. Cryptanalysis: Cryptanalysis of Affine, Cryptanalysis of Substitution Cipher, Cryptanalysis of Vigenere Cipher, Cryptanalysis of Hill Cipher, Cryptanalysis of Stream Ciphers. Perfect Secrecy. Entropy: Huffman Encoding, Properties of Entropy, Spurious Keys and Unicity distance, product cryptography |
| | CSS311 | 3 | Cyber Crime and Counter Measures | cyber terrorism, cyber pornography, defamation, stalking, online gambling, e-mail spoofing, electronic transaction forgery, etc |
| | CSS 312 | 3 | Cryptography Theory II | Security of ElGamal: Bit Security of Discrete Logarithms, Semantic Security of ElGamal Systems, Diffie-Hellman problems. |
| 4 | CIT315 | 3 | Internet Security | Security policy, strategies for a secure network, the ethics of computer security, security threats and levels, security plan, Classes of attacks: stealing passwords, social engineering, bugs and backdoors, authentication failures, protocol failures, information leakage, exponential attacks, viruses and worms, denial-of-service attacks, botnets. Active attacks: Computer security; viruses, Trojan horse and worm. Firewalls, packet filters, filtering, Cryptography: introduction to basic encryption and decryption, Diffie-Hellman key exchange, concept of Public key and Private key, digital signatures. |
| 5 | CSS 323 | 2 | Cyber Crime Law | Cybercrimes, including computer crimes, Internet fraud, e-commerce and threats to national infrastructure. Policies, legal issues, and investigative techniques and strategies, and implications or investigation and enforcement on a global scale. Introduction to cyber law; Studies in cyber law application at the international and national levels with examples from European, North American, South American and Asian Countries; the cyber law framework in Nigeria; Challenges and opportunities for enforcement in |
| 6 | CPT 326 | 2 | Computer and Network Security | threats, risks and vulnerabilities, data security, policies/administration, security procedural control, security models, designing secure systems, effects of hardware on security, operating systems security, network security, database security, programming language security, cryptography, distributed systems security and information systems security |
Table 3: Private Universities – Computer Science/Information Technology Curricula

P1. Rhema University (RU), Aba, Abia State

| S/No. | Course Code | Credit Unit | Course Title | Course Contents Relating to IS |
|---|---|---|---|---|
| 1 | CSC 214 | 3 | Operating System 1 | Influences of Security |
| 2 | CSC 215 | 2 | Introduction To Information Processing and File Structure | Data Security and Control |
| 3 | CSC 314 | 3 | System Analysis and Design | System Design – Security |
| 4 | CSC 411 | 2 | Database Design and Management 1 | Information System Security |
| 7 | CPT 324 | 2 | Information Management | Social issues in information technology: Intellectual property; computer crime; privacy; security and civil liberties; Security and control issues: overview of problems and standard solutions; database integrity; transactions; the role of encryption. |
| 8 | CPT 418 | 2 | Electronic Commerce Technology | Security for electronic commerce. |
P2. Bells University of Technology (BUT), Otta, Ogun State

| S/No. | Course Code | Credit Unit | Course Title | Course Contents Relating to IS |
|---|---|---|---|---|
| 1 | CSC 203 | 2 | Introduction to Software Engineering | Security and Reusability |
| 2 | CSC 205 | 2 | Introduction to Operating System | Privacy and Security |
| 3 | ITP 301 | 3 | Introduction to Internet Technology | Internet Security |
| 4 | ITP 306 | 3 | Information Science | Security in Information Exchange across Net- |
| 5 | ITP 405 | 3 | Management Information System | Information Privacy, Integrity, Security and |
| 6 | ITP | 3 | Information System | Information System and |

P3. Covenant University (CU), Ota, Ogun State

| S/No. | Course Code | Credit Unit | Course Title | Course Contents Relating to IS |
|---|---|---|---|---|
| 1 | CSC | 2 | Computer Application | Safety precaution |
| 2 | CSC 214 | 2 | High Performance Computing & Database Management I | Information privacy; integrity, security, efficiency and effectiveness. |
| 3 | CSC 225 | 3 | Operating System II | Design Issues Influences on Security |
| 4 | CSC | 3 | Systems Analysis and | System Design: Security |
| 5 | CSC 315 | 3 | Internet Programming | Network Security |
| 6 | CSC 414 | 3 | High Performance Computing & Data | Recovery and security issues. |
| 7 | CSC 427 | 3 | Distributed Computing Systems | Security: Access Control, Key Management, |
P4. Crawford University, Igbesa, Ogun State

| S/No. | Course Code | Credit Unit | Course Title | Course Contents Relating to IS |
|---|---|---|---|---|
| 1 | CSC 201 | 2 | Web design and security | The content has no related topic on security |
| 2 | CSC 206 | 3 | Operating System I | Protection and security in operating systems |
| 3 | CSC 307 | 4 | Database design and management | Database privacy, security, failure and recov- |
| 4 | CSC 308 | 3 | Operating System II | Network structure & security in O. S. |

P5. Salem University (SU), Lokoja, Kogi State

| S/No. | Course Code | Credit Unit | Course Title | Course Contents Relating to IS |
|---|---|---|---|---|
| 1 | CSC 206 | | Computer Architecture, organization and | Influences of security |
| 2 | CSC 303 | | Database design and Analysis (data man- | Information privacy, integrity, security |
| 3 | CSC 308 | 3 | Operating System II | Network structure & security in O. S. |
| 4 | CSC 406 | | Cryptography, Network Control & Security | Intrudes, Viruses, Worms, Disaster Recovery, developing secure computer system, network and telecommunication security, effectiveness of database security |
Table 4: State University – CS Curriculum

S1. Benue State University (BSU), Makurdi, Benue State

| S/No. | Course Code | Credit Unit | Course Title | Course Contents Relating to IS |
|---|---|---|---|---|
| 1 | CMP 341 | 2 | Information management | Information privacy, integrity, security, and presentation scalability, efficiency and effectiveness. |
| 2 | CMP 462 | 2 | Social and Professional Issue | Risk and liabilities of computer based systems, computer crime |
| 3 | CMP 464 | 2 | Computer Center Design and Management | Security management, Use of passwords and access control mechanisms, security issues and firewalls, Network Security – Fundamentals of cryptography, secret key algorithms, public key algorithms, Authentication protocols, digital signature |

As can be seen from Tables 1, 2, 3 & 4, many Computer Science (CS) departments do not have courses in information security or assurance. Although the course contents of some of the courses contained topics on IS/IA, no course was entitled information security or information assurance. Such an assessment gives an idea of the present state of security awareness of a student who graduates from these institutions and exposes areas where more attention is required. Every student in CS, both undergraduate and graduate, should be able to understand the underlying concepts/technological approaches of IS and have significant knowledge of IA.
Discussion
Recently, there has been a surge in the rate at which users of computer systems are being defrauded via email, Facebook, and fictitious or masquerading web sites, leading to the need for the development of academic programmes focusing on information security awareness. The increasing body of theory and knowledge in this particular field and industry is the main driving force behind this cyber crime trend. Interestingly, IS education in Nigeria is being developed and delivered at various levels, catering to the demand of students in both undergraduate and postgraduate study. The discussion that follows provides a suggested approach that will lead to a better-taught undergraduate program with more information security awareness in the CS courses that are offered. In all the tables above, no computer forensics course or content was cited, either as a stand-alone course or as content within the entire program.
In addition to including security topics in the courses above, it is important to offer a concentrated and focused security course that helps to tie the above together. This course should include laboratory exercises, and past and current security attacks and their historic basis. Information security should be made a compulsory course rather than a required or an elective one for all CS students. Students from other disciplines who have an interest in the information security area, or who want to get an idea of what this specific field entails, should take it as an elective course. This approach will help students, by way of examples, to connect the theoretical approach with real-world application. Furthermore, it is expedient to expand information security courses across university disciplines and thus build a diverse, regional concentration of expertise that will help students from other disciplines to be well prepared to survive in this Internet age.
As cyber-attacks have increased and there is increased awareness of vulnerabilities, there is more demand for professionals who can stop such attacks and guard against them. Analyzing the tables, it is obvious that most tertiary institutions, such as F1, F2, F3, P1, P4, P5 and S1, do not yet have a comprehensive information security program as a stand-alone curriculum. But educating, recruiting, training, and hiring these cyber-security professionals takes time. That is why it is essential to start educating and training students in the first year of study. Sadly, as can be seen from our tables, there was virtually no course content for first-year students in the curricula, except in F3 and F4, where we have CSC 107 (systems threats: protection and security) and CSC 102 (computer system protection: virus, Trojans and worms) respectively. Consequently, universities should be encouraged to offer information assurance (IA) and information security (IS) courses in their curricula from the first year. Analyzing the IS content of the available curricula, we discovered that there were some barriers that militate against the proper establishment of information security awareness programs in CS departments in Nigeria.
The Lack of Up-To-Date Lecture Material
In order to satisfy the needs of information professionals from industry, government and elsewhere, there is a need to develop IS/IA courses to enhance education. A serious challenge we have faced is the rapid change in CS, IT and security techniques. A well-developed information security course should be designed in such a way as to reflect these changes in a timely manner and keep the lecture material up-to-date. For example, F1, F2, F3, P1, P4, P5 and S1 were not updated, as current topics on information security issues were not included. This IS course should include: the basic notions of confidentiality, integrity, availability, authentication models, protection models, security kernels, audit, intrusion detection, personnel/operational/physical security issues, policy formation and enforcement, trust modelling, risk and vulnerability assessment, basic issues of law and privacy, trade secrets, employee covenants, database protection, access control, secure operating systems and others. Keeping the lecture material up-to-date is a key issue for teaching the IS course. This allows students to learn about new advanced technology, the most recent cyber attacks and new threats in relation to today’s technology. After students have learned the basic knowledge and techniques of IS, they can be introduced to advanced Web security research topics, such as client-side security, server security, security visualization, Web application security, modular intrusion detection etc. This is very necessary because the more functionality a Web server provides, the easier it is for hackers to attack and exploit it (Yu, Liao, Yuan & Xu, 2006).
The Lack of Cyber Defender Laboratory (CDL)
The lack of a cyber defender laboratory connecting classroom knowledge with real-world applications is another barrier that must be overcome. The absence of a dedicated lab, or the use of a remote and isolated lab, makes it essential to furnish exercises that, on the one hand, provide meaning to theoretical concepts and, on the other, can be conducted on students’ home machines or work systems (Bhagyavati, 2006). Making a connection between classroom knowledge and real-world Web applications in a laboratory will help in creating or imparting information awareness programs in Nigeria. We cannot teach the IS course entirely in the classroom because IS/IA and Web security is the field where the network meets the real world. Students will have the opportunity to practice learned knowledge in the CDL. All the universities (F1-F4, P1-P5, S1) in the tables lack a dedicated lab for information security except F5; nonetheless, each can still make use of its computer lab as a makeshift arrangement.
The Lack of Access to Reputable Journals and Websites
Students should be given access to reputable journals such as IEEE, ACM,
etc. Furthermore, they should be guided to choose and read published papers
to keep up with the pace of new technologies and associated security
threats. Each student must select and read recently published papers, present
them using PowerPoint, discuss their opinions in the classroom, and write a
report. Our experience from other courses shows that using the hybrid
teaching approach can successfully integrate education, research and real
world applications into the IS course. This will stir students to gain
important insights into how theoretical and practical concepts apply to real
world application problems, and draw their interest towards security
research. Apart from reputable journals, students need to be exposed to
reputable websites and useful resources that contain freeware, such as:
www.belarc.com/free_download.html
www.mailwasher.net/download.php
www.sourceforge.net
www.insecure.org
www.annoyances.org
www.sans.org and the CERT agency.
The Lack of Stand-alone Courses on Information Security
Information security and information assurance are important topics that
compel the attention of future computer scientists. Looking at our tables
F1, F2, F3, P1, P3, P4 & S1, it is obvious that undergraduate students in CS
programs today are not exposed to these concepts at the end of their
education in stand-alone courses on IS. Only P2 has a stand-alone course,
entitled “Information System Security”. As IS educators, we perceive the need
to incorporate IS topics throughout the undergraduate CS curriculum as a
stand-alone course. However, in institutions where an additional course
cannot be offered in the department because it would make an already tight
curriculum even tighter, the only feasible option is to insert information
security and assurance across the computer science curriculum, incorporating
appropriate topics in existing courses. To do this, the topics must fit well
with existing topics, augmenting rather than replacing them. For instance,
data integrity can be taught in a database course, the vulnerabilities of
memory leaks and buffer overflows can be illustrated in a course on operating
systems, and so on. Accordingly, there are a number of topics besides
security for which compelling arguments can be made for inclusion in an
already crowded curriculum, as mentioned in (North, Roy, Shujaee &
Alonza, 2005).
The Lack of Resources to Incorporate Hands-On Exercises
Some challenges that might arise are the excess of other important topics,
the lack of time, the lack of commitment among lecturers, and the lack of
resources to incorporate hands-on exercises, especially in online
environments. Students need to learn to design and to program from their
teachers. Most software security problems are in code written by students
whom we, as professionals, taught to program; however, a lack of commitment
among staff will truncate such benefits. Consequently, only a few students
would be exposed to ideas and material that all CS students should see and
obtain.
We were disappointed by the fact that most students will not be exposed
to IS/IA courses in their first year; even a topic as simple as vulnerability
was not mentioned in the tables. A vulnerability is a weak point that can be
exploited from both inside and outside of an organization’s network system.
The World Wide Web, as the fastest growing part of the Internet, is also the
part most vulnerable to attack. External vulnerabilities include viruses,
worms, script kiddies, spyware, and denial-of-service attacks (Bhagyavati,
2006; Ghafarian, 2007). These topics should be targeted toward the
undergraduates as introductory classes in their first year. Students at such
a level sometimes do not have the background to harden their systems against
threats that are common knowledge to security professionals.
It is a hands-on exercise for students to download and execute a freely
available Internet security scanner found at
www.securityfocus.com/tools/676. The direct benefits of a hands-on exercise
include satisfying course objectives, covering the syllabus, and satisfying
students’ curiosities about information security, with long-term benefits.
These get students involved in the learning process and lead them to suggest
new activities, become motivated, engage in further research in computer
security issues, and grow professionally. Finally, we are obliged to use some
non-traditional awareness programs (that is, non-class methods), such as TV
programs at the nationwide level, video and CD classes, publication of simple
guidelines, etc. All these should be carefully prepared and focused on the
level of awareness of the general public, as they cannot be left behind in
the issue of information security awareness programs in Nigeria.
Recommendations
• Each CS department should maintain an up-to-date record of major IS risks.
• IS awareness should be revised because there are many new threats each month.
• The lecture notes should be updated every semester based on published research results to keep the lecture material up-to-date.
• The CS program should have plans for general studies and interdisciplinary courses incorporating IS/IA related topics to be offered with the Criminal Justice Program.
• Government, universities and companies should all focus on finding ways to close the gap created by these barriers through proper IS awareness programs.
Conclusion
Information security/information assurance is becoming more and more
important in practice and needs to be integrated into the CS curriculum. The
barriers and hurdles to the rapid awareness of IS in CS in Nigeria are:
the lack of up-to-date lecture material, the lack of a cyber defender
laboratory, the lack of access to reputable journals and websites, the lack
of stand-alone courses on information security, and the lack of resources to
incorporate hands-on exercises. It is the opinion of the authors that where a
CS program exists, IS courses should be included in the curriculum. There are
two ways to do that: a specialized course, and components that can be
integrated with existing courses at different levels (in the case of a
tighter curriculum). Security is, after all, a user requirement that must be
satisfied. Given that so-called social engineering, corporate policy,
disgruntled employees, insufficient background checks, etc. are a major
security concern, it is imperative that undergraduate and graduate students
consider the holistic nature of information security. We also emphasize the
importance of practical sessions. Security and reliability can only be
assured if our students develop good programming habits (training and
retraining) so that even under pressure they check all input, document their
code and test appropriately. Students with such a background will be ready
and prepared for more specialized IS/IA courses.
The purpose of the survey is not only to compare the different programmes
offered but also to give readers an idea of the IS subject area in tertiary
institutions in Nigeria. We hope the survey will serve as a starting point
for those readers who are interested in learning more about the scope of IS
education in Nigeria. A major problem we faced was getting the curricula, and
we hope various institutions will have an online version of their curricula.
Our findings and experience show that integrating education, research and
practical applications into the information security course is essential for
a sound IS education. Using this approach, instructors and students are able
to connect knowledge in the classroom to real world applications. This will
attract students to the security area and train students to become IS
professionals who will help the government, industry and higher research
institutions.
Correspondence
Onwudebelu Ugochukwu
Computer Science Department
Federal University Ndufu-Alike Ikwo, FUNAI
P.M.B. 1010, Abakaliki
Ebonyi State, Nigeria
Email: anelectugocy@yahoo.com
Ifeanyi-Reuben Nkechi Jacinta
Computer Science Department
Rhema University, Aba
Abia State, Nigeria
Uchenna C. Ugwoke
Department of Mathematics & Computer Science
Federal University of Technology (FUT)
P.M.B. 65, Minna
Niger State, Nigeria
CURRENT STUDIES IN COMPARATIVE EDUCATION, SCIENCE AND TECHNOLOGY, VOLUME 2, NUMBER 2, 2015
References
Al-Hamdani, W. A. 2006. Assessment of Need and Method of Delivery for Information Security Awareness Program, Information Security Curriculum Development (InfoSecCD’06) Conference, ACM, pp. 102-108.
Al-Hamdani, W. A. & Griskell, I. J. 2005. A Proposed Curriculum of Cryptography Courses, Information Security Curriculum Development (InfoSecCD’05) Conference, pp. 4-11.
Bhagyavati. 2006. Laboratory Exercises in Online Information Assurance Courses, ACM Journal on Educational Resources in Computing, 6(4), pp. 1-5.
Bhagyavati, Olan, M., Naugler, D. & Frank, C. E. 2005. Information Assurance in the Undergraduate Curriculum, 43rd ACM Southeast Conference, pp. 25-26.
Bhilare, D. S., Ramani, A. K. & Tanwani, S. 2009. Information Security Assurance for Academic Institutions Using Role Based Security Metric: an Incremental Approach, International Conference on Advances in Computing, Communication and Control (ICAC3’09), ACM, pp. 535-540.
Ghafarian, A. 2007. Ideas for Projects in Undergraduate Information Assurance and Security Courses, ITiCSE’07, ACM, p. 322.
Hamilton, J. A., Owor, R. S., Dajani, K. F. & Tapia, R. 2009. Building Information Assurance Education Partnerships with Minority Institutions, Celebration of Diversity in Computing Conference, ACM, pp. 58-63.
http://www.PhysOrg.com Shortage of Cybersecurity Professionals Poses Risk to National Security (06/18/14).
http://www.ZDNet.com Cybersecurity's Hiring Crisis, August 25, 2014.
http://www.iwar.org.uk/comsec/resources/canadaia/infosecawareness.htm
Multari, N. J. 2004. Information Assurance Technical Challenges, SIGMOD 2004, ACM.
Nnadozie, C. O. & Nnadozie, C. D. 2008. The Information Needs of Faculty Members in a Nigerian Private University: A Self-Study, Library Philosophy and Practice.
NIST Special Publication 800-50. Building an Information Technology Security Awareness and Training Program.
North, S. M., Roy, G., Shujaee, K. & Alonza, M. 2005. Collaborative Information Assurance Capacity Building at a Consortium of Colleges and Universities, 43rd ACM Southeast Conference, ACM, pp. 361-362.
NSTISSI No. 4014. August 1997. National Training Standard Information Security Officers (ISSO).
Radha, P. 2005. Information Assurance in Manets and Wireless Sensor Networks, SASN’05, ACM, p. 32.
Savola, R. M. 2007. Towards a Taxonomy for Information Security Metrics, Quality of Protection (QoP’07), ACM, pp. 28-30.
Shaikh, S. A. 2004. Information Security Education in the UK: a proposed course in Secure E-Commerce Systems, Information Security Curriculum Development (InfoSecCD’04) Conference, ACM, pp. 53-58.
Tammy A. & Rackley, C. C. 2005. Integrating Information Assurance (IA) Into K-5 Curriculum, Information Security Curriculum Development (InfoSecCD’05) Conference, ACM, pp. 1-3.
Vaughn Jr., R. B., Dampier, D. A. & Warkentin, M. B. 2004. Building an Information Security Education Program, Information Security Curriculum Development (InfoSecCD’04), ACM, pp. 41-45.
Halzack, S. 2014. Washington Post: Shortage of Cybersecurity: Workers Is a Problem That Will Solve Itself.
Weiss, R. 2007. Adding Information Assurance to the Curriculum: Tutorial presentation, Consortium for Computer Science in College (CCSC): Northwestern Conference, pp. 46-48.
Yu, H., Liao, W., Yuan, X. & Xu, J. 2006. Teaching a Web Security Course to Practice Information Assurance, SIGCSE'06, ACM, pp. 12-16.