Cybersecurity education should start early
Educating students on cybersecurity should start as early as possible, considering they are being exposed to the latest technologies at an increasingly young age, say industry watchers. They suggest an integrated, holistic approach for the curriculum but are divided as to whether hacking skills need to be taught.
Todd Lefkowitz, director of worldwide education services at RSA, the security arm of EMC, noted that cybersecurity skills should be taught the moment students begin adopting technology, which in today's environment mean before they enter tertiary institutes.
After all, students are being introduced to technology at a younger age and it's never too early to begin the process of educating this demographic on the risks associated with using IT, he asserted.
Education institutions will also be helping to safeguard their students from threats and contribute to the appropriate use of technology and related processes within the school systems, Lefkowitz noted. In fact, he went as far as saying it would be "negligent" to introduce the latest tech to students without teaching them best practices and safeguards.
Singapore's Crescent Girls' School, for one, regularly engages its students with regard to creating awareness and highlighting online dangers, Lee Boon Keng, the school's chief technology architect, told ZDNet Asia previously.
The school, which uses tablet devices as part of its education process, also teaches their students on responsible use of hardware and intellectual property rights, he added.
Holistic outlook needed
The RSA executive said cybersecurity education should be holistic, and focus on people, processes and technology. "It is a complex process managed by people that need to understand the threat landscape and how to manage risk to assets within the environment," Lefkowitz explained.
Phil Hassey, owner of research firm CapioIT, agreed. He said the curriculum should take an "integrated approach" that covers the entire IT security ecosystem. This comprises of ethical and societal impacts alongside the technical aspects, he noted.
Both observers could not agree on whether hacking skills should be included within such a holistic curriculum though.
Hassey, for one, felt that it should be added within the teaching program, but putting emphasis on the ethical aspects such as illustrating case studies on the benefits of hacking and the global scope of its impact so that students can be nurtured positively.
He did note that advanced hacking-related content should not be introduced to those still in their early teenage years as they may not be mature enough to understand their actions and end up hacking for illegal purposes.
Rather, children should be exposed to the basics along with ethics at a younger age, and the more advanced syllabus can be introduced to those who have developed strong and positive interest, he suggested.
Liew Chin Chuan, course manager for the diploma of infocomm security management at Singapore Polytechnic, added that students enrolled in its curriculum are required to learn about hacking techniques in the context of how attacks are carried out and the counter-measures that can be implemented to prevent these.
Explaining, he said: "We need to know our enemy in order to win them. Hence, understanding the attacker's technique is important for cyber defenders to set up effective defenses."
The program also includes two modules on ethics to expose students to the consequences of misusing their knowledge and instilling the consequences of "any acts of mischief", Liew said. Students are also required to sign a code of conduct declaration at the beginning of every academic year to remind them to "uphold the integrity and professionalism" as an IT security professional, he pointed out.
RSA's Lefkowitz disagreed with including hacking in the course though. He noted that such modules are "unnecessary" as students need not know how to hack in order to defend against cyberattacks and establish countermeasures. Done wrongly, the students may even have to face legal implications, he warned.
"It is one thing to host competitions to identify users who have the skillsets strong enough to enlist in national security, but another to teach students skills that could potentially be used maliciously," he said.