To respond to this demand, there is rapid, but unfocused, expansion in cybersecurity educational programs – without broad, universal expectations for graduates. Broad skills based on the entire cyber domain are needed, and those skills need to be taught in the context of a well-understood disciplinary foundation. Over the past decade, several universities have stepped up to deliver undergraduate programs in cybersecurity, but the growth in such programs has been slow due to little consensus on program name, objectives and scope.
Building on prior work by the NSA/DHS Centers of Academic Excellence, the NICE Cybersecurity Workforce Framework1 and the Cyber Education Project initiative, ABET — the global accreditor of university programs in computing, engineering, applied and natural sciences and engineering technology — has released proposed accreditation criteria for Cybersecurity for public review and comment. These criteria will complement existing ABET criteria for programs in computer science, information systems and information technology. The program criteria for cybersecurity serve a useful role in undergraduate cybersecurity by attempting to describe what a “good” cybersecurity program ought to include in terms of student learning and curriculum.
(Note. ABET is also releasing cybersecurity engineering criteria to join other engineering disciplines such as software engineering, systems engineering, electrical engineering and computer engineering.)
The ABET criteria are based on clear expectations for graduates that are based on common expectations for effective members of the technology workforce of the future, coupled with some general expectations of cybersecurity graduates. These expectations for graduates include the following:
- An ability to analyze a problem, and to identify and define the computing requirements appropriate to its solution.
- An ability to design, implement, and evaluate a computer-based solution to meet a given set of computing requirements in the context of the discipline.
- An ability to communicate effectively with a range of audiences about technical information.
- An ability to make informed judgments in computing practice based on legal and ethical principles.
- An ability to function effectively in teams to establish goals, plan tasks, meet deadlines, manage risks and produce deliverables.
- An ability to apply security principles and practices to the environment, hardware, software, and human aspects of a system.
- An ability to analyze and evaluate systems with respect to maintaining operations in the presence of risks and threats.
These outcomes are coupled with some general requirements for cybersecurity content of a technical nature, alongside social engineering, legal, ethical and government policy issues, and organizational security governance and management. The combination provides a foundation for lifelong learning in a dynamic field. Our objective is to provide a “center of gravity” for the field – but one that is broad and inclusive, and focused on educational outcomes rather than prescriptive content that could limit the applicability of cybersecurity degrees. In taking this approach, we hope to help provide a unifying “lane” for the field to stem the tide of one-off educational opportunities that are confusing to students and potential employers, and may not be grounded in a common set of sound principles.
1 National Initiative for Cybersecurity Education, on the Internet at http://csrc.nist.gov/nice/framework/, accessed: August 31, 2017.
ABET is a forward-thinking, purpose-driven organization recognized by the Council for Higher Education Accreditation. All over the world, ABET accredits college and university technical programs committed to the quality of the education they provide their students.
Based in Baltimore, we are a global company, with over 3,800 programs in 31 countries in the areas of applied and natural science, computing, engineering and engineering technology at the associate, bachelor and master degree levels.