RFC: Remove Cybersecurity Fundamentals from curriculum

[waciumawanjohi]

Problem:
Cybersecurity Fundamentals was added to the curriculum, but needs discussion by the contributor community.

Duration:
2022, Aug 4

Background:
The previous intro to security course was discontinued by Coursera. Read more here. In order to provide some recommendation, a new course was added without going through the normal RFC process. This RFC is a space to discuss the proposed course and any alternatives.

CS2013 has as a core security topic "Foundational Concepts in Security". This includes the topics of:

• CIA (Confidentiality, Integrity, Availability)
• Concepts of risk, threats, vulnerabilities, and attack vectors (cros- reference SE/Software Project
  Management/Risk)
• Authentication and authorization, access control (mandatory vs. discretionary)
• Concept of trust and trustworthiness
• Ethics (responsible disclosure). (cross-reference SP/Professional Ethics/Accountability, responsibility and
  liability)

CS2013 expects this to be a light introduction, requiring as little as 1 hour of in-class instruction (which we can assume includes an additional 3 hours of out of classroom work).

Cybersecurity Fundamentals appears to address these topics. At the same time, a major disadvantage to Cybersecurity Fundamentals is that it is much longer than the previous course, at roughly 80 hours compared to the previous 15 hours. The core security curriculum recommends 2 courses after this. We should be wary of overemphasizing what is one of many important topics in the curriculum.

There are few courses that are targeted to these topics. These include:

• Introduction to Cybersecurity Essentials: This is a well rated course (albeit with few reviews) and expects only 5 hours of work. The syllabus looks as if the course may be more appropriate for software users rather than CS students, with topics such as "Safe Browsing Practices" and "Demonstrate the installation of software updates and patches".
• Design and Analyze Secure Networked Systems: This is the first course in the Fundamentals of Computer Network Security Specialization specialization. The course and specialization have low ratings.

Another possibility is to simply not include Cybersecurity Fundamentals from the curriculum without a replacement. The following course Principles of Secure Coding is the intro course for the Secure Coding Practices Specialization.

With no course that tightly addresses the CS2013 topic in question, along with the very few course hours expected to address the topic in question, it seems the best choice is not to recommend any course.

Proposal:
Remove Cybersecurity Fundamentals from curriculum.

Alternatives:
See Background.

[waciumawanjohi]

A possible future addition:
Coursera expected the University of London to offer a Cyber Security Foundations course. This has not happened. When it does, perhaps it will be a suitable substitute for the RIT Cybersecurity Foundations course.

[aayushsinha0706]

A better course that does not require that much work compared to CyberSecurity fundamentals might be this also it covers most CS2013 recommended topics.

Information Security - Introduction to Information Security

[waciumawanjohi]

While I'm still wary of the course burden (40-50 hours), this does look like a course covering the required material along with logical extensions. Good find!

[nicol4us]

You may want to check course from future learn below.
Introduction to cyber security
The rating is around 4.7 and has so many reviews. Probably just need around 24 hrs to finish it.

[bradleygrant]

I found the following series of articles discussing common OpSec issues that programmers have to navigate. Each of these are written from a practical standpoint, and they illustrate some of the common pitfalls in web/app design and how to mitigate them. The articles take from 5-10 minutes each to read.

However, this requires a Medium subscription (or free trial) to access.

In this series about application security (AppSec) we already explained some of the techniques of the attackers 😈 and also techniques of the defenders 😇. We also covered parts of the OWASP Top 10 🐝:

Part 1: SQL Injections 😈🐝
Part 2: Don’t leak Secrets 😇
Part 3: Cross-Site Scripting (XSS) 😈🐝
Part 4: Password Hashing 😇
Part 5: ZIP Bombs 😈
Part 6: CAPTCHA 😇
Part 7: Email Spoofing 😈
Part 8: Software Composition Analysis (SCA) 😇🐝
Part 9: XXE attacks 😈🐝
Part 10: Effective Access Control 😇🐝
Part 11: DOS via a Billion Laughs 😈
Part 12: Full Disk Encryption 😇
Part 13: Insecure Deserialization 😈🐝
Part 14: Docker Security 😇
Part 15: CSRF 😈🐝

[bradleygrant]

OWASP itself is a good free resource for cybersecurity-related content:

https://owasp.org/www-community/

Perhaps we can select several of these articles and build an annotated study guide or something?

[riceeatingmachine]

Check out this course: https://www.udacity.com/course/intro-to-information-security--ud459

The course information after you enroll says:

This is a graduate-level introductory course in information security. It teaches the basic concepts, principles, and fundamental approaches to secure computers and networks.
Its main topics include:

Security basics
Security management and risk assessment
Software security
Operating systems security
Database security
Cryptography algorithms and protocols
Network authentication and secure network applications
Malware
Network threats and defenses
Web security
Mobile security
Legal and ethical issues
Privacy

It doesn't seem too long and seems to hit most things in the CS2013 list:

CIA (Confidentiality, Integrity, Availability) - Lesson 1
Concepts of risk, threats, vulnerabilities, and attack vectors (cros- reference SE/Software Project
Management/Risk) - Lesson 2 and 5
Authentication and authorization, access control (mandatory vs. discretionary) - Lesson 3
Concept of trust and trustworthiness - this seems like more of an implicit topic? We could find a youtube video discussing it if we want it to be explicitly covered
Ethics (responsible disclosure). (cross-reference SP/Professional Ethics/Accountability, responsibility and liability) - The course information says it's there, we already have entire courses on ethics

I am in the favor of getting rid of the entire core security section and having one course - this one or any other that covers the CS2013 guidelines. This is because Software Security is primarily a programming topic, and not a computer science topic. There's already so many courses, it doesn't make sense to ask students to devote 20 weeks to a topic that's supposed to take 1-4 hours of instruction. .

I recommend 1 course, and either getting rid of the rest or moving them to the advanced section so they become elective.

[romanbird]

There's already so many courses, it doesn't make sense to ask students to devote 20 weeks to a topic that's supposed to take 1-4 hours of instruction. .

Feel like this is a major flaw. What CS curriculum would have 16 weeks on algorithms and 20 weeks on security?

[waciumawanjohi]

Unfortunately, the discussion around Security has always been fairly disjoint. I kept the original RFC open for 2.5 years in hopes of getting some sort of majority or consensus choice from contributors. Similar to this thread, that RFC suffered from many suggestions from contributors that had little overlap.

I encourage contributors to respond directly to the many courses already suggested in this RFC and the original security RFC. Well reasoned reviews in favor of or opposed to courses already suggested will be much more valuable contributions than suggestions of entirely new courses.

[waciumawanjohi]

Check out this course: https://www.udacity.com/course/intro-to-information-security--ud459

The course has a free textbook: https://docs.google.com/document/d/1_kehNQg6mgUUbX2zPZnpddUORjmkz-QnIhOYhlzmdF0/edit#

Reviews from GA Tech grad students who have taken this course can be found here: https://www.omscentral.com/courses/introduction-to-information-security/reviews

The reviews focus mostly on the projects, which shouldn't be a factor for OSSU (I would be surprised if OSSU students had access to the project assignments and stunned if they had access to a project grader). Reviews of the textbook seem to universally mention that it is very dry reading but I didn't see anything to suggest it was otherwise deficient. I would characterize reviews of the lectures as middling, some positive some negative.

[riceeatingmachine]

Unfortunately, the discussion around Security has always been fairly disjoint. I kept the original RFC open for 2.5 years in hopes of getting some sort of majority or consensus choice from contributors. Similar to this thread, that RFC suffered from many suggestions from contributors that had little overlap.

I encourage contributors to respond directly to the many courses already suggested in this RFC and the original security RFC. Well reasoned reviews in favor of or opposed to courses already suggested will be much more valuable contributions than suggestions of entirely new courses.

I understand. Regarding this course: Introduction to cybersecurity essentials:

The what you will learn section contains:
Recognize the importance of data security, maintaining data integrity,and confidentiality
Demonstrate the installation of software updates and patches
Identify preferred practices for authentication, encryption, and device security
Discuss types of security threats, breaches, malware, social engineering, and other attack vectors

Seems like decent coverage for low course time overhead. We can use this.

However, I am still in favor of cutting the entire security section to less than 4-8 weeks i.e 40 hours of work as it's not particularly a CS topic. To further support the argument, I will say that Teachyourselfcs.com doesn't even include security as a topic.

[waciumawanjohi]

However, I am still in favor of cutting the entire security section to less than 4-8 weeks i.e 40 hours of work as it's not particularly a CS topic. To further support the argument, I will say that Teachyourselfcs.com doesn't even include security as a topic.

Just a reminder of our standards:

Courses must:

• Be open for enrollment
• Run regularly (ideally in self-paced format, otherwise running multiple times per year)
• Be of generally high quality in teaching materials and pedagogical principles
• Match the curricular standards of the CS 2013: Curriculum Guidelines for Undergraduate Degree Programs in Computer Science

While it may be interesting to note what other CS curricula do (we keep a running list of them here) or to note the graduation requirements at a particular school one admires, recommendations to changes should be grounded in the CS2013.

That said, I don't want to come off as unsympathetic to concerns that the curriculum is too long. I highly encourage contributors to look for places where we can replace recommendations that overshoot our guidelines with other courses that are better aligned.

[aayushsinha0706]

Just to mention this course is of just 4 weeks only and 5th week final exam is behind a paywall

And I enrolled into course just to browse material the average time for a week lecture is around 30-45 minutes and quizzes is behind a paywall but the course comes with extra optional reading resources that students can learn from.

A better course that does not require that much work compared to CyberSecurity fundamentals might be this also it covers most CS2013 recommended topics.

Information Security - Introduction to Information Security