2020 EDSIG Proceedings: Abstract Presentation
How to Apply an Agile Framework to InfoSec Management
Leigh Mutchler
James Madison University
Amy Connolly
James Madison University
Abstract:
Information security (InfoSec) is a vital yet complex sociotechnical system (Zimmermann & Renaud, 2019)
in today’s digital age. Because of the ever-changing landscape, students entering the workforce lack
skills that organizations desperately need (Mickos, 2019). The need for well-trained InfoSec professionals
increases yearly: more than 200,000 jobs remained open in 2015 (Sheridan, 2016), 3.5 million positions were
projected to go unfilled by 2021 (Morgan, 2017), and the workforce gap had risen past 4 million by 2019
(Help Net, 2019). Here, we propose that agile is desperately needed to help universities train adaptable
InfoSec professionals who can meet the demands of this fast-changing field.
Multiple entities have identified InfoSec’s core content for a curriculum (Burley et al., 2017; Newhouse et al., 2017;
NSA CSS, 2020), but they fail to provide pedagogical models, formal research or example cases to build a course
(Ahmad & Maynard, 2014; Spears, 2018; Yates et al., 2018). The expansive InfoSec content is typically
addressed either from a managerial focus or a technological one (Yates et al., 2018). As an instructor of
Having taught InfoSec Management for the past two years, and despite using active learning, I have
found that students completing the course generally lack sufficient understanding to
make informed security decisions. This lack is partly due to the breadth of the material –
too much time on definitions and not enough opportunity to work with and apply material to specific problems.
Additionally, I find that student groups do not work well as a team, and as a result, experience internal problems
and fail to gain deeper learning from group socialization and collaboration.
Therefore, I am taking a new, innovative approach in InfoSec Management.
Students need opportunities to apply classroom knowledge to real-world problems,
to iteratively work through decision-making processes, and to develop camaraderie and
collaborative skills working in a team. One potential tool to meet these goals is Scrum (Course Expert, 2020).
This agile framework is typically associated with software development, and while developers are encouraged
to include InfoSec professionals on projects, agile methods are not integrated into InfoSec programs.
Practitioners argue that agile should be embraced in the field (Curry, 2019; Lietz, 2015; Platinum Edge, 2015),
even calling for agile InfoSec research (Baskerville, 2004), but formal literature provides no insight into the
prevalence of InfoSec projects using agile tools such as Scrum, nor whether instructors teach InfoSec with agile tools.
Therefore, my plan to apply Scrum is as follows. First, organize student groupwork into 2- to 3-week Sprints.
Groups will maintain standard Scrum artifacts (e.g., Kanban board for tasks, burndown chart for scheduling, etc.).
After each Sprint, groups hold a retrospective to discuss and improve their work processes.
Group tasks contain a series of activities where Sprints build on previous ones, and students present
working products then incorporate feedback to improve tasks. Tasks will be too complex to break into individual pieces,
thereby requiring students to work together as a team. Working with course material to solve problems will
deepen understanding of material.
Despite the added difficulty of conducting class during the COVID-19 pandemic
(due to limited physical interaction), I will try this plan during fall 2020 and report on successes,
failures, and lessons learned. I welcome suggestions and feedback from fellow InfoSec colleagues
attending the conference to improve the course in the future.
Keywords: Information security management, agile framework, active learning, IS pedagogy
References:
Ahmad, A., & Maynard, S. (2014). Teaching information security management: Reflections and experiences. Information Management & Computer Security, 22(5), 513–536. https://doi.org/10.1108/IMCS-08-2013-0058
Baskerville, R. (2004). Agile Security for Information Warfare: A Call for Research. ECIS 2004 Proceedings. http://aisel.aisnet.org/ecis2004/13
Burley, D., Bishop, M., Kaza, S., Gibson, D. S., Hawthorne, E., & Buck, S. (2017). ACM Joint Task Force on Cybersecurity Education. Proceedings of the 2017 ACM SIGCSE Technical Symposium on Computer Science Education, 683–684. https://doi.org/10.1145/3017680.3017811
Course Expert. (2020, July 20). Using Scrum Principles in Domains other than Software Development. Take This Course. https://takethiscourse.net/scrum-principles/
Curry, S. (2019, May 8). Cybersecurity By Scrum. Forbes. https://www.forbes.com/sites/samcurry/2019/05/08/cybersecurity-by-scrum/
Help Net. (2019, November 8). Cybersecurity workforce skills gap rises to over 4 million. Help Net Security. https://www.helpnetsecurity.com/2019/11/08/cybersecurity-workforce-skills-gap/
Lietz, S. (2015, June 1). What is DevSecOps? Devsecops. https://www.devsecops.org/blog/2015/2/15/what-is-devsecops
Mickos, M. (2019, June 19). The Cybersecurity Skills Gap Won’t Be Solved in a Classroom. Forbes. https://www.forbes.com/sites/martenmickos/2019/06/19/the-cybersecurity-skills-gap-wont-be-solved-in-a-classroom/
Morgan, S. (2017, June 6). Cybersecurity labor crunch to hit 3.5 million unfilled jobs by 2021. CSO Online. https://www.csoonline.com/article/3200024/cybersecurity-labor-crunch-to-hit-35-million-unfilled-jobs-by-2021.html
Newhouse, W., Keith, S., Scribner, B., & Witte, G. (2017). National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework (NIST SP 800-181). National Institute of Standards and Technology. https://doi.org/10.6028/NIST.SP.800-181
NSA CSS. (2020). National Centers of Academic Excellence. NSA.Gov. https://www.nsa.gov/resources/students-educators/centers-academic-excellence/
Platinum Edge. (2015, August 12). Using Scrum for Cybersecurity & Responding to Attacks. Platinum Edge. https://platinumedge.com/blog/using-scrum-cybersecurity-responding-attacks
Sheridan, K. (2016, August 1). Cyber-Security Skills Shortage Leaves Companies Vulnerable. InformationWeek. https://www.informationweek.com/strategic-cio/security-and-risk-strategy/cyber-security-skills-shortage-leaves-companies-vulnerable/d/d-id/1326463
Spears, J. (2018). Gaining Real-World Experience in Information Security: A Roadmap for a Service-Learning Course. Journal of Information Systems Education, 29(4), 183–202. https://aisel.aisnet.org/jise/vol29/iss4/1
Yates, D. J., Frydenberg, M., Waguespack, L. J., McDermott, I., O’Connell, J., Chen, F., & Babb, J. S. (2018). Dotting i’s and Crossing T’s: Integrating Breadth and Depth in an Undergraduate Cybersecurity Course. 2018 Proceedings of the EDSIG Conference, 21.
Zimmermann, V., & Renaud, K. (2019). Moving from a ‘human-as-problem’ to a ‘human-as-solution’ cybersecurity mindset. International Journal of Human-Computer Studies, 131, 169–187. https://doi.org/10.1016/j.ijhcs.2019.05.005