“Cyber Security Education: Principles and Policies” (2021) edited by Greg Austin, Book Reviewed by Daniel S. Dotson
I don't recommend this nonfiction book for the Cybersecurity Canon Hall of Fame, but if you are interested in the topic, this is a good one to read.
If this book could be summed up in one sentence, it would be: We need our cybersecurity education programs at universities to produce more interdisciplinary and well-trained workers to fill the large shortfall in qualified cybersecurity professionals.
This book starts with the earliest days of cybersecurity education, dating back to the 1970s and efforts to establish courses and eventually programs that deal with cybersecurity, well before the Internet came into widespread use among the general population. So while the need for cybersecurity education is not a new topic, the rest of the book establishes that this need is in a critical state given that most experts agree that we do not have enough able people to fill the cybersecurity roles we need for government, business, and other entities.
This book does well at providing evidence and examples, although mostly from the US, UK, Australia, and China. Numerous examples related to government policies, security incidents, educational programs and initiatives, professional societies’ recommendations, and more occur throughout the chapters.
In addition to the overarching concept of the need for more well-trained university graduates able to fill the gaps in cybersecurity roles, other themes found throughout the chapters include:
- Formal education is an essential component of having more people with cybersecurity skills and awareness.
- Theoretical cybersecurity education, while important, really needs to be more often supplemented by more practical, workplace-oriented, education.
- Cybersecurity is an interdisciplinary topic that should consider, and should involve education elements from, non-technical disciplines. The social sciences are mentioned in most chapters as essential, but often overlooked, disciplines that should be a component of cybersecurity education. Political science, international relations, psychology, law, and other areas are frequently mentioned.
- Ignoring the input or education of other disciplines in cybersecurity can result in incomplete or problematic approaches of governments, industry, and educational institutions to the overall state of cybersecurity.
- Cybersecurity teams should be interdisciplinary and not just people from an organization’s IT unit.
- Co-curricular elements, such as competitions and war games, of cybersecurity education are important tools to improve cybersecurity knowledge.
- Pre-university cybersecurity education opportunities should be considered.
- Soft skills should be a component of cybersecurity education.
Specific analyses of educational programs across the world are given, with heavily analyzed programs including Oxford University, the United States Military Academy, and a chapter completely dedicated to examining multiple universities in China. These chapters are useful in seeing examples of efforts to improve the cybersecurity gap, room for growth, and examples of where higher education should be headed for quality cybersecurity education that can produce the needed workforce.
The final chapter sums up the book by using a series of cybersecurity dilemmas and commentary on these issues, pulling concepts from the preceding chapters.
Some of the content in this book may be found through other sources as some chapters are updates to, or duplication of, pre-existing conference papers. So those items’ precursors can potentially contain some of the same information presented in their analogous chapter in this book.
While the book has content from a variety of countries, it could have used more in-depth examples related to countries like India, Japan, Germany, France, Brazil, and other countries on the global stage. This would have given the book more variety and a broader perspective from across the globe.
For those looking at options for improving cybersecurity education at their institution, within their country, or to offer opportunities outside of higher education, this book is a good example to use to help identify both the gaps and opportunities. This book does an especially good job at showcasing examples of higher education programs in cybersecurity and how well they are approaching this area and where they need to show improvements. The big theme of the importance of non-technical skills and even entire disciplines to be a component of cybersecurity education is emphasized over and over again throughout the book. Thus, this book is a good read for faculty and administrators at institutions with an existing program related to cybersecurity or those wishing to establish one.