Is Information Security Education Failing?

By Daniel Miessler on December 19th, 2006: Tagged as Education | Security

A friend of mine is finishing his Masters in Information Security and just told me the craziest story. As a bonus question on the final exam in his information security management class, the professor asked if it was ever possible to guarantee e-commerce security if one were to implement security recommendations such as SET and SSL.

Can we guarantee the security of e-commerce if we adopt all recommended security mechanisms including SET and SSL?

Half the class — over 30 people — answered yes.

The professor got so infuriated that he threatened to fail everyone that answered in the affirmative. I think he’d be completely justified if he were to do so. I seriously can’t believe this many people are about to enter the security field — some of them probably as managers — without understanding this key concept.

If I were the professor, I’d send out an email to those who got it wrong that simply said, “You make me sad.” – [Edit: Posted the actual question, which was more specific than just "perfect security" in general]

  • Digg
  • Reddit
  • HackerNews
  • StumbleUpon
  • DZone
  • Google Bookmarks
  • Twitter
  • Facebook
  • del.icio.us
  • FriendFeed
  • Posterous
  • RSS
  • email
  

View Comments

  • DF
    Agreed, althought I'd also recommend incasing the computer in 6 feet of concrete and burying it in a deep hole. That's my personal definition of guaranteed security.

    I wonder though if the Professor had included the idea of RISK MANAGEMENT in the course work. Still if it was a bonus question its would be hard to justify failing the course because you messed up the extra credit part. It should be a learning experience for the teacher who should not limit it to extra credit next time. Then the professor would be justified in failing students for getting it wrong.
  • Carl M
    I was going to say basically the same thing. Can you prevent attacks on a computer from the outside? Sure, just don't connect the computer to a network. Similarly, you can prevent attacks from the inside if you don't let anyone anywhere near the computer. But, yeah, as a yes/no question, the better answer is perhaps "no" ... if only because fewer qualifiers are needed with that answer than with "yes".
  • Stephen Moore
    Not that it matters, but was this posed as a yes / no question? One *could* have said "yes", providing usability was zero. I think it could have been a good essay question.

    The professor should have hammered away at the fact that management of risk is never perfect.

    Great blog, and congrats - she said yes : )

    -Steve
blog comments powered by Disqus

 

twitter_icon

Sample Original Content


Information Security

Tutorials and Primers

Culture & Society

Technology & Science

Politics

Philosophy & Religion

Miscellaneous

Tools & Projects


Blog Archives