Juhani Anttila
Venture Knowledgist Quality Integration
Helsinki, Finland




To understand the genuine needs of information security education, we must first analyze the present situation including organizational needs, business and societal environments and the technology used as well as the changes that are taking place. Particular attention should be paid to the conditions of the new economy, e.g., e-business and e-commerce. Security education is currently strongly related to technical solutions in hardware, software and various kinds of protocols and relies heavily on encryption. People must be trained to take advantage of these solutions. Within the next two years, however, technical solutions will be embedded into the basic structure of the next generation of protocols, such as IPv6. This means that security will soon be transparent and requires no extra activities to be undertaken by end-users. At the same time, the role of groups, experts in various fields and individuals is becoming increasingly important. Also the concept technology acquires a wider meaning. As a result, security education in its classical formulation will lose some of its relevance.

Keywords: Information security, Information technology and communication (ITC) security education, changing technology


If security education is to keep up with the development of the society, it must take a step forward. Information systems, software, hardware and various combinations thereof have become highly complicated, and the systems will be used by a multitude of users world-widely. A prime example of this development is the Internet. Complicated systems such as the Internet are characterized by reaction chains, where changes in one component lead to corresponding changes in other components. If this trend continues, less and less time can be spent on actual system management.

Some researchers claim that knowledge can be divided into two classes, namely, explicit data and information (5%) and tacit knowledge (95%). Explicit information consist of printed and electronic materials, while tacit information refers to all other forms of information embedded in human thinking, competence, knowledge, will and wisdom. These aspects have a major role in all activities within organizations, enterprises and communities, and should be reflected accordingly in security considerations.

Information security education is experiencing a paradigm shift from technical details to a focus on human aspects. In the future, information security awareness will increase in importance and a great part of this process will inevitably be based on tacit knowledge. In the organizational perspective, this translates into stronger co-operation between organizations and culture - and security education must lead the way.

In this presentation, we concentrate on understanding why complex systems are so difficult to control and why they generate more and more information security-related work. The trend is to incorporate security into programs, systems and networks by means of new technical solutions. This means that current solutions will become obsolete in the near future. From the end-user perspective, the new solutions are more transparent than the ones we are familiar with at the moment. The new solutions can be divided into two areas. The first area centers on biometric methods, while the other one focuses on end-users, particularly on strengthening their knowledge of information processing, including higher information security awareness.

To sum up briefly, information security will be seamlessly integrated into the normal activities of individuals and into the operational processes of businesses. Information security cannot be achieved by means of distinct or external controls or assurance actions, such as certifications.

The increasing complexity of operational environment

The world we live and work in has become a "blur" (Davis & Meyer, 1998) that includes the following:

- Every aspect of business and interconnected organizations operates and changes in real time.
- Everything is becoming electronically connected to everything else: products, people, companies, countries.
- Every offer has both a tangible and an intangible economic value. The intangible value grows faster.

That means, for example, that new products' or systems' time-to-market decreases drastically as does the life-time of the solutions incorporated into them. The growing role of innovation in organizational competitiveness produces an increasing number of changes in technologies and in their implementation. Also the concept technology itself has been extended beyond engineering and manufacturing to encompass a range of marketing, investment and management processes. The performance of many of the new technologies, so called disruptive technologies in particular, is in fact worse than that of the existing ones, although they are gaining an upperhand in the market (Christensen, 1997). Also, the diversity of solutions has increased, while the time for design, development and engineering has decreased. As for the human aspect, experts are less likely to stay long on the payroll of any company, they are more active than before in the recruitment market.

At the moment, all organizations can be characterized as knowledge-based organizations and their employees as knowledge workers. The entire society is electronically interconnected. The Internet covers all areas of human life (Dyson, 1997), and mobility has increased through mobile Internet solutions and devices like Personal Digital Assistants (PDAs).

The all-pervasiveness of electronic interconnectedness requires comprehensive security solutions. Thus, information security considerations can no longer be solved by specialists only: information security has become a management issue. However, business management is confronted with a difficult dilemma: the time required to solve the increased complexity has increased, while simultaneously the time available due to increased dynamics has decreased. This can be depicted by the "Time Scissors" diagram (Figure 1) (Seghezzi, 1993).

Figure 1. "The Time Scissors" as a business managers' dilemma.

In these new business conditions, one must adopt new guidelines and operating principles, new theories, tools and methodologies and new innovative solutions for management infrastructure. Many studies have emphasized that old management truths are dead, and that business models that worked admirably until the last decade of the twentieth century must be replaced (Moore, 2000). Practical cases have demonstrated that time-honoured business and planning practices leading to logical, sound and competent management decisions have in fact been the main reasons why solid companies have lost their business positions and opportunities. These aspects must be seriously considered also in information security management. Security issues cannot be considered separately from the realities of business conditions, and they cannot be solved with distinct security technologies or systems.

The character of information

The operation and management of any organization is based on knowledge. In fact, knowledge is justified through activity or operations. Information represents the explicit part of knowledge. However, the implicit or tacit part of knowledge is much larger and more important (Figure 2). People are committed to their actions through tacit knowledge, based on their understanding, will, capabilities and competence. As a result, most activities are carried out on the basis of tacit knowledge. Also explicit information is viewed in the light of tacit knowledge. Hence, in terms of information security, tacit knowledge is more important than information itself.

Figure 2. The information to be secured is partly explicit and partly tacit. The realization of security is based both on explicit systems or solutions and on the tacit behavior of people. In practice, the tacit part is more significant - and risky - than the explicit part.

Teaching new skills and technologies comprises only a portion of information security education. More essential is the necessity to emphasize the importance of a) learning new principles in order to understand operational realities, b) learning new tools and methodologies, and, 3) learning new possibilities for constructing innovative infrastructures to get the new ideas implemented.

Information security education

To understand the genuine needs of information security education, we must first analyze the present technological situation and the changes that are taking place. Currently, being strongly related to technical solutions in hardware, software and various kinds of protocols, security education relies heavily on encryption. People must be trained to take advantage of these solutions.

There are two major obstacles in this expanded field of study. The first one relates to changes in technology which inevitably bring new security solutions in their train. Nevertheless, some systems continue to function as if nothing has changed and that the system is still as reliable as it was when it was first designed. The other problem concerns how to make the leap from teaching to the adoption of new security attitudes and to the keen appliance of security-related knowledge. Broad curricula for information security education have been presented at the Sec'93 IFIP conference (Dougal & Jones 1993) and at IFIP conferences on information security education, for example, WISE 1 (Yngström & Fischer-Hübner, 1999).

Information security education is closely connected with changes in technology. The past decade witnessed a remarkable improvement in security in connections between two adjacent servers. However, the advent of the Internet changed all that by interconnecting all those small networks, thereby enabling large numbers of people to access the systems. The rapid growth of telecommunications adds to the problem as most of it takes place via the Internet (Kajava & Varonen, 2000).

During the 1990s, interconnected partners could negotiate an agreement on the secure use of their networks, but this 1:1 relationship has changed dramatically to a N:N relationship involving an enormous number of interconnected servers. This paradigm change that affects large computer systems such as those used by public administrations brings other problems in its train. For example, the question of who owns particular information may arise, along with its corollaries, such as who has the right to alter it, delete it, append to it, and so on. These questions may be solved in a particular government office or company, but even that may result in a loss of compatibility with other organizations. If technology changes produce unresolved questions of this kind, the ensuing effects include loss of flexibility in interconnectivity and a reduction in security control.

Researchers have debated at recent international conferences over the issue of whether a run-through of the information security features of the Internet protocol is enough to educate end-users. If the development of networks had stayed at the level it had reached when EDI-based (Electronic Data Interchange) solutions were designed in the 1980s, the answer would be a resounding yes. After all, we can be fairly sure that encryption between two interconnected partners, be they administrative offices or commercial companies, is secure. But the mere use of an encryption algorithm may pose problems when a third server is included, let alone one which has to be contacted through a network of other servers. A case in point is the identification of the various co-operation partners. Moreover, how can we ascertain the integrity of a service we buy through an open network? And whose responsibility is it to answer for it?

Education and training are a means of directing people's attention to these matters and, gradually, to act accordingly. Therefore, the emphasis in security education must be diverted from predominantly technical issues to including a strong human component, by raising end-users' awareness level, enhancing their security skills and simply by respecting and paying more attention to them.

Within the next two years, however, technical solutions will be embedded into the basic structure of the next generation of protocols, such as IPv6. This means that security will soon be transparent and requires no extra activities to be undertaken by end-users. As a result, security education in its classical formulation loses a lot of its relevance.

An open question begging to be solved during the next two years relates to the Public Key Infrastructure (PKI). The method has been well known for a number of years and is becoming increasingly widely used. In banking, it can be used with smart cards and in governmental co-operation for the personal identification of citizens. PKI can also be used for various kinds of certification. In e-commerce, it is important for its non-repudiancy, and in mobile communication, it is needed in Internet operations.

A lot of people seem to feel that there may be no need for traditional security education after a couple of years, since basic security operations will become transparent and comprise just another facet of life for end-users. But we have to ask ourselves, where are the PKI server solutions that will be incorporated into our everyday activities? They are a long time coming! The situation harks back to the early days of the Pascal programming language. The standardization of PKI takes a lot of time, but people want the product immediately, just like they wanted Pascal two decades ago. If the Pascal scenario is lived, there will be a number of parallel PKI dialects available, but not a single server solution capable of dealing with real problems.

Perhaps we should wait a while before rushing products based on the new Internet security protocol to the market. But if we do that, we shall find very soon that most of our software is based on older solutions like IPv4. The new IPv6 protocol, when it finally becomes widely available, will not understand our old software.

The common consensus seems to be that security solutions will become increasingly more automatic. This view, however, appears to overlook the old truth relating to computers and people. New technological solutions, no matter how self-evident and easy they are touted to be, require that the software change process must be managed. Just consider the situation a year ago with the Millennium bug.

In terms of university education, this means that security education in its current form cannot be discarded. But as it will inevitably lose some of its relevance, there will have to be a shift in emphasis. Because technical solutions like firewalls increase security by keeping outsiders at bay, insider problems have become the most serious threat. As a logical consequence, human-related activities are increasing in importance. Hence, the user or end-user is the most important component in security work and this consideration should be reflected in security education.

Requirements business organizations impose on information security education at the university level

As the world around us changes, the requirements that businesses and other organizations pose on good information security expertise are in a state of flux. Changes are brought about by such factors as outsourcing, continuous structural changes in organizations and globalization. As a result of these forces, security experts must be able to:
- adapt quickly to organizational changes and bring their working methods in line with the goals of the new policy
- investigate misuse of information technology and suspicions of misuse
- update their knowledge and skills relating to information security and information technology
- design new, innovative security solutions
- develop an ability to work in different cultural environments among people with diverse ethnic backgrounds. One of the most highly valued tools of any security expert will be the ability to speak foreign languages fluently.

In the future, information security education cannot continue to concentrate on technological solutions. Security experts must possess a range of skills varying from traditional security expertise to an ability to work in foreign cultures.


Earlier, people working in computer centers were held in high esteem by computer users. We are currently in a situation, where computer specialists could learn something from security people. It is time for the various experts to co-operate to achieve the strategic and operational needs of their organizations and to facilitate the work of all user groups. The main users of ITC systems are not ITC experts, but business leaders, organizational employees and individuals citizens.

A key player in this game is software. Each new version of any programme tends to be larger than the previous one. This has not been experienced as a problem, since computers have kept abreast of this development by getting faster and having bigger memories. However, this has led to a situation where we do not know the contents of the programmes we are using. We only know that the programmes have certain elements that we need. But we do not know, what else they contain. Perhaps we should start a global project to simplify software.

The changes that are in the cards can be derived partly from discussions on security and partly from real activities. The direction of change is not only pointed at universities, but also at industry and, inevitably, at the entire information society.

On the way to the future, we may not fully appreciate the time that the society requires to implement increasingly automated solutions. Information security could be a test field for understanding such a complex and wide process. Security education could be a tool guiding us on our gradual progress, and it should focus on the most important component, the weakest link, in information security, people.


Christensen, C. (1997): The Innovator's Dilemma. Harvard Business School Press.
Davis, S. and Meyer, C. (1998): Blur the Speed of Change in the Connected Economy. Perseus Books. USA.
Dougal, E.G. and Jones D. (1993) (eds.): Computer Security: Discovering tomorrow. IFIP Sec'93. Deerhurst, Ontario, Canada.
Dyson, E. (1997): Release 2.0. Broadway Books. USA.
Kajava J. & Varonen R. (2000), Intranet Security from the Organizational Point of View - The Re-emerging Insider Threat. In Steven Furnell (ed.): Proceedings of the Second International Network Conference (INC'2000). Plymouth, UK.
Moore, G. (2000): Living on the Fault Line. HarperBusiness. USA.
Seghezzi, H.D. (1993): Europe as Part of the Triad. In Juhani Anttila (ed.): Proceedings of the EOQ 93 World Quality Congress. Vol. 1. Helsinki, Finland.
Yngström L. and Fischer-Hübner S. (1999), (eds.): WISE 1, Proceedings of the IFIP TC 11 WG 11.8 Conference on Information Security Education. Stockholm, Sweden.

[This text was made together with Jorma Kajava of the University of Oulu, Finland and Juha E Miettinen of Sonera Corporation and presented as a conference paper at the EUNIS Conference in Berlin, germany in March, 2001]