The influential British Computer Society (BCS) is to incorporate a new set of cybersecurity guidelines into the accreditation it offers on the computing courses taught by 100 universities across the UK from this year.
Developed with Government backing by a consortium including accreditation organisation (ISC)2, the Council of Professors and Heads of Computing (CPHC) and 30 or so universities, the initiative is designed to make cybersecurity more central to computing degrees than it has been up to now.
“Previously, cybersecurity was treated as a separate discipline to computing with students being taught how to create applications or develop systems and technology but not how to secure them, leading to proliferation of systems with built-in vulnerabilities,” said Carsten Maple, professor of Cyber Systems Engineering at University of Warwick and vice chair of the Council of Professors and Heads of Computing.
“Academia, industry and government have all recognised this, which is why we have come together to address this issue and provide a practical and accessible way of incorporating cybersecurity into our curricula, and move the discipline forward.”
The guidelines have already been incorporated by a handful of pioneer universities, including Warwick; the whole process is expected to take up to three years to reach all institutions.
The development is the latest element to be added to the UK government’s National Cybersecurity Strategy, which is designed to address the skills shortfall in the sector, a shortfall that is starting to have troubling economic repercussions.
“The UK has a world-class cybersecurity sector, but we can only continue in this vein if we have the highly skilled workforce we need to thrive. Initiatives such as this are excellent examples of encouraging the best young people to consider careers in cyber,” added Minister for the Cabinet Office, Matthew Hancock.
The 100 universities that use BCS accreditation graduate 20,000 computing science students a year, although this figure might increase in the coming years.
Over the two years in which the framework was developed, consensus was reached on the following elements (we quote):
1. Information and risk: models including confidentiality, integrity and availability (CIA); concepts such as probability, consequence, harm, risk identification, assessment and mitigation; and the relationship between information and system risk.
2. Threats and attacks: threats, how they materialise, typical attacks and how those attacks exploit vulnerabilities.
3. Cybersecurity architecture and operations: physical and process controls that can be implemented across an organisation to reduce information and systems risk, identify and mitigate vulnerability, and ensure organisational compliance.
4. Secure systems and products: the concepts of design, defensive programming and testing and their application to build robust, resilient systems that are fit for purpose.
5. Cybersecurity management: understanding the personal, organisational and legal/regulatory context in which information systems could be used, the risks of such use and the constraints (such as time, finance and people) that may affect how cybersecurity is implemented.
The full guidelines have been published by (ISC)2.