competitive edge certifications can give a job candidate. For
faculty considering this approach, we recommend using a
quality study guide as a course textbook, such as an official
CISSP study guide (Stewart, Chapple, and Gibson, 2015).
While some cybersecurity certifications do not require
work experience (e.g., Security+ and GIAC Security
Essentials), other certifications require a minimum length of
professional experience in the field. In some cases, completing
a university degree program reduces the amount of work
experience required (e.g., CISA, CISM, and CISSP). Work
experience requirements should not, however, discourage
IHLs from modeling capstones after certification materials nor
should they discourage current students from taking certification
exams. Many certifying bodies allow an individual’s passing
score to be valid for several years, allowing them time to gain
the experience required to become fully certified. Further,
some certifications offer alternate designations to those who
have passed the exam but are still working toward fulfillment
of the experience requirement. (ISC)² awards “associate”
status to such individuals, and, while they are not officially
certified, this status differentiates graduates from others who
have not even prepared for, and passed, a certification exam.
Moreover, many certifications have significant overlap in
coverage, so if a capstone concentrates on one certification, it
will also cover in large measure other major certifications.
Finally, faculty who teach a capstone focusing on
certifications should assess how well students and graduates
perform in passing certification exams. Doing so will help
assess the effectiveness of this capstone approach. In
summary, undergraduate capstones offer timely windows of
opportunity where students can be primed to take entry-level
certifications. Thus, consideration should be given to adding a
capstone course to a program.
5. CONTRIBUTION
Applying our approach should reduce the amount of time
spent determining curricula maintenance in an ongoing
manner. While we should not limit curricula updates to
certification material, staying in tune with certifications can
reduce the time needed to research changes in the
cybersecurity field. In essence, we are proposing a way to
spend less time on figuring out “what” to teach, which allows
for more time spent figuring out “how” to teach it.
Many cybersecurity programs in the United States seek
designations by the Department of Homeland Security and the
National Security Agency (DHS/NSA). These U.S. federal
government organizations have been leaders in helping to
shape cybersecurity and information assurance curriculum for
years and have made significant positive contributions to
cybersecurity education. The approach advocated in this
paper, however, can be used to maintain any IHL’s
cybersecurity curriculum whether designated by DHS/NSA or
not. This is important because our approach can be applied by
any IHL globally since most certifications, such as from
(ISC)², are international in scope whereas DHS/NSA are
U.S.-centric.
Finally, based on our extant review of the scholarly
literature, a gap exists in the literature regarding maintaining
cybersecurity programs. Developing course objectives that are
relevant and applicable is of key significance to such a rapidly
developing field like cybersecurity. Even highly successful
programs can quickly fall behind the curve if their curricula are
not adequately modernized to reflect the current state of the
field. While the current paper strives to provide guidelines to
academicians who wish to update and maintain their existing
programs, the same approach can also provide value to those
looking to create a brand new program.
6. RECOMMENDATIONS
Faculty managing undergraduate cybersecurity curriculum
should include an annual review of key professional
certifications and monitor them for updates and changes. A
great way to stay abreast of changes to these professional
certifications is for faculty to become certified themselves.
Most certification bodies require annual continuing education
credits to ensure that certified individuals remain current on
evolving threats and trends in the cybersecurity field. Having
access to such training materials provides an effective way for
academics to identify potential improvements to their existing
curricula. In the case study, the CISSP, CISA, CISM, and
CEH served as program benchmarks. The cybersecurity
faculty either obtained these certifications or are active
members in the societies supporting them. Any changes to
these certifications are readily identifiable and can be used to
update security courses.
7. LIMITATIONS
Besides certification, other inputs are important to maintaining
curriculum and are not covered in this paper. These include
seeking inputs from stakeholders, employers, graduates, and
faculty. Guidance can also come from academic accreditation
bodies, such as the developing Cyber Science standards from
ABET (Gibson et al., 2015). In keeping curriculum current,
faculty can also solicit the help of graduates and local industry
leaders to be members of an advisory board. These boards can
meet annually to help ensure the relevancy of a program.
Other well-known or possible resources that may be used
to guide the maintenance of cybersecurity programs include
using international standards, particularly the growing
ISO/IEC 27000 series of information security publications.
Academics could look to these industry standards as a guide
for certain course coverage, such as using ISO 27000
standards in covering Governance, Risk, and Compliance
(GRC) topics. IHLs based in the U.S., in particular, can look to
the U.S. Government’s National Initiative for Cybersecurity
Education (NICE). NICE promotes standards of cybersecurity
education, training, and workforce development throughout
the U.S. This effort publishes the National Cybersecurity
Workforce Framework that gives a blueprint to organize and
describe cybersecurity work into knowledge, skills, and
abilities (KSAs). This comprehensive framework can be used
to maintain and update cybersecurity curricula as it is used to
help define professional requirements in cybersecurity (DHS,
2016). As of this writing, the framework is being developed
into a U.S. standard (NIST, 2016).
Since information security is not a subject like
mathematics where the materials relied upon today will be
timely in five years or even next semester, the faculty must be
motivated to update existing materials, assignments, and
Journal of Information Systems Education, Vol. 28(2) December 2017