How [NOT] to teach Information Security

With more and more high profile attacks, and rising customer expectations with regards to their privacy, Information Security studies, in various formats, are becoming a very lucrative field these days. For those of us already working in the field it may seem as either a good development, bringing in fresh blood into the system, or as a bad one with the field overcrowding with so called “experts” with a shinier diploma but zero experience.

There is one aspect however that I think most of us can agree on: too many courses are just bad. There may be many reasons for that, but I want to focus on the one that I find is the most common – teaching too much stuff in too little time.

I’ve been part of one such course just now during my studies for a degree in CS, so I’ll focus on it, but those same lessons can be applied to many more courses.

To begin, let's cover the topics the course aimed to teach, in no particular order: Web Application Security, Malware, Exploits, Side Channel Attacks, Privacy, Cryptography, and I'm not sure I've covered everything. For this, we had 13 weeks with one meeting a week that was less than 3 hours long. Doable? Probably, but there was a critical problem with the course – student level. All those taking the class were 3rd year CS students, and even here the difference in knowledge was extreme. For some of us the class was just easy, we saw nothing in it that we hadn't seen before; for some it was just right to teach them something; but for too many the class was just too much.
How different were we in our skills? There were students who had never used an SSH connection before, most had never seen assembly code before, many had never seen PHP or JavaScript, and most had no idea how a program is laid out in computer memory.
You can guess right now that for those students the subject matter was just too hard, so they passed the course the only way they could – by cheating.
The other question that has to be answered is: are those the subjects we want taught as parts of such a course? Risk Management was never mentioned, System Security was never mentioned, basic concepts like "Defense in Depth" were not there. If I were to describe what I expect a CS graduate specialising in InfoSec to know, those are the fundamental concepts. I don't want a hacker with a BSc degree; I can get a bright kid with a CEH to do it better. I want someone who is able to see the larger picture, who knows attacks well enough that he can defend against them, but who also understands his environment and is able to see the big picture.

So why am I writing this? Because I think that the same problems are showing in many similar courses. They focus too much on attacks, they don't bring their students to a certain basic skill baseline, and they end up teaching buzzwords.
If you’re going to teach a course, here’s what you should do:

1. Remember that your students fall into three categories:

  • Those who already know most of the stuff you’re teaching and are there for a diploma/credits.
  • Those who don't know the course material, but have experience with basic concepts and possess the skills needed for learning.
  • Those who have no idea what you’re talking about – those are the ones you have to manage.

2. Prepare yourself for the course, devote the first couple of meetings to bring everyone to YOUR baseline for the course. Those in the last category will NEED it, those in the second can use it as well. But don’t forget your advanced group, give them something to do, a challenge of sorts, perhaps even assign them credits for doing it – this way you’ll keep them occupied and interested.

3. Don’t expect everyone to be a quick learner, make sure the course material is not overwhelming for the students. What is simple to you is hard as hell for most of them.

4. Prioritize the course material, teach what’s most important first and only then cover advanced topics if time allows.

This advice seems simple, but too many teachers simply don't follow it, and it's a shame.
