Is Information Security Education Failing?

By Daniel Miessler on December 19th, 2006: Tagged as Education | Security

A friend of mine is finishing his Masters in Information Security and just told me the craziest story. As a bonus question on the final exam in his information security management class, the professor asked if it was ever possible to guarantee e-commerce security if one were to implement security recommendations such as SET and SSL.

Can we guarantee the security of e-commerce if we adopt all recommended security mechanisms including SET and SSL?

Half the class — over 30 people — answered yes.

The professor got so infuriated that he threatened to fail everyone that answered in the affirmative. I think he’d be completely justified if he were to do so. I seriously can’t believe this many people are about to enter the security field — some of them probably as managers — without understanding this key concept.

If I were the professor, I’d send out an email to those who got it wrong that simply said, “You make me sad.” – [Edit: Posted the actual question, which was more specific than just "perfect security" in general]

  • Stephen Moore

    Not that it matters, but was this posed as a yes / no question? One could have said “yes”, providing usability was zero. I think it could have been a good essay question.

    The professor should have hammered away at the fact that management of risk is never perfect.

    Great blog, and congrats – she said yes : )

    -Steve

  • Stephen Moore

    Not that it matters, but was this posed as a yes / no question? One could have said “yes”, providing usability was zero. I think it could have been a good essay question.

    The professor should have hammered away at the fact that management of risk is never perfect.

    Great blog, and congrats – she said yes : )

    -Steve

  • Carl M

    I was going to say basically the same thing. Can you prevent attacks on a computer from the outside? Sure, just don’t connect the computer to a network. Similarly, you can prevent attacks from the inside if you don’t let anyone anywhere near the computer. But, yeah, as a yes/no question, the better answer is perhaps “no” … if only because fewer qualifiers are needed with that answer than with “yes”.

  • Carl M

    I was going to say basically the same thing. Can you prevent attacks on a computer from the outside? Sure, just don’t connect the computer to a network. Similarly, you can prevent attacks from the inside if you don’t let anyone anywhere near the computer. But, yeah, as a yes/no question, the better answer is perhaps “no” … if only because fewer qualifiers are needed with that answer than with “yes”.

  • DF

    Agreed, althought I’d also recommend incasing the computer in 6 feet of concrete and burying it in a deep hole. That’s my personal definition of guaranteed security.

    I wonder though if the Professor had included the idea of RISK MANAGEMENT in the course work. Still if it was a bonus question its would be hard to justify failing the course because you messed up the extra credit part. It should be a learning experience for the teacher who should not limit it to extra credit next time. Then the professor would be justified in failing students for getting it wrong.

  • DF

    Agreed, althought I’d also recommend incasing the computer in 6 feet of concrete and burying it in a deep hole. That’s my personal definition of guaranteed security.

    I wonder though if the Professor had included the idea of RISK MANAGEMENT in the course work. Still if it was a bonus question its would be hard to justify failing the course because you messed up the extra credit part. It should be a learning experience for the teacher who should not limit it to extra credit next time. Then the professor would be justified in failing students for getting it wrong.


Top

Popular

Information Security / Technology

Politics

Philosophy & Religion

Technology & Science

Culture & Society

Miscellaneous

Arguments

Projects

Collections

Twitter

What I'm Reading

Favorite Books and Essays

Top Blog Categories

Inputs