Venture Knowledgist Quality Integration
CHANGES IN ITC SECURITY EDUCATION DUE
TO CHANGING TECHNOLOGY
To understand the genuine needs of information security education,
we must first analyze the present situation including organizational
needs, business and societal environments and the technology used
as well as the changes that are taking place. Particular attention
should be paid to the conditions of the new economy, e.g., e-business
and e-commerce. Security education is currently strongly related to
technical solutions in hardware, software and various kinds of protocols
and relies heavily on encryption. People must be trained to take advantage
of these solutions. Within the next two years, however, technical
solutions will be embedded into the basic structure of the next generation
of protocols, such as IPv6. This means that security will soon be
transparent and requires no extra activities to be undertaken by end-users.
At the same time, the role of groups, experts in various fields and
individuals is becoming increasingly important. Also the concept technology
acquires a wider meaning. As a result, security education in its classical
formulation will lose some of its relevance.
Keywords: Information security, Information technology and communication
(ITC) security education, changing technology
If security education is to keep up with the development of the society,
it must take a step forward. Information systems, software, hardware
and various combinations thereof have become highly complicated, and
the systems will be used by a multitude of users world-widely. A prime
example of this development is the Internet. Complicated systems such
as the Internet are characterized by reaction chains, where changes
in one component lead to corresponding changes in other components.
If this trend continues, less and less time can be spent on actual
Some researchers claim that knowledge can be divided into two classes,
namely, explicit data and information (5%) and tacit knowledge (95%).
Explicit information consist of printed and electronic materials,
while tacit information refers to all other forms of information embedded
in human thinking, competence, knowledge, will and wisdom. These aspects
have a major role in all activities within organizations, enterprises
and communities, and should be reflected accordingly in security considerations.
Information security education is experiencing a paradigm shift from
technical details to a focus on human aspects. In the future, information
security awareness will increase in importance and a great part of
this process will inevitably be based on tacit knowledge. In the organizational
perspective, this translates into stronger co-operation between organizations
and culture - and security education must lead the way.
In this presentation, we concentrate on understanding why complex
systems are so difficult to control and why they generate more and
more information security-related work. The trend is to incorporate
security into programs, systems and networks by means of new technical
solutions. This means that current solutions will become obsolete
in the near future. From the end-user perspective, the new solutions
are more transparent than the ones we are familiar with at the moment.
The new solutions can be divided into two areas. The first area centers
on biometric methods, while the other one focuses on end-users, particularly
on strengthening their knowledge of information processing, including
higher information security awareness.
To sum up briefly, information security will be seamlessly integrated
into the normal activities of individuals and into the operational
processes of businesses. Information security cannot be achieved by
means of distinct or external controls or assurance actions, such
The increasing complexity of operational
The world we live and work in has become a "blur" (Davis
& Meyer, 1998) that includes the following:
- Every aspect of business and interconnected organizations operates
and changes in real time.
- Everything is becoming electronically connected to everything else:
products, people, companies, countries.
- Every offer has both a tangible and an intangible economic value.
The intangible value grows faster.
That means, for example, that new products' or systems' time-to-market
decreases drastically as does the life-time of the solutions incorporated
into them. The growing role of innovation in organizational competitiveness
produces an increasing number of changes in technologies and in their
implementation. Also the concept technology itself has been extended
beyond engineering and manufacturing to encompass a range of marketing,
investment and management processes. The performance of many of the
new technologies, so called disruptive technologies in particular,
is in fact worse than that of the existing ones, although they are
gaining an upperhand in the market (Christensen, 1997). Also, the
diversity of solutions has increased, while the time for design, development
and engineering has decreased. As for the human aspect, experts are
less likely to stay long on the payroll of any company, they are more
active than before in the recruitment market.
At the moment, all organizations can be characterized as knowledge-based
organizations and their employees as knowledge workers. The entire
society is electronically interconnected. The Internet covers all
areas of human life (Dyson, 1997), and mobility has increased through
mobile Internet solutions and devices like Personal Digital Assistants
The all-pervasiveness of electronic interconnectedness requires comprehensive
security solutions. Thus, information security considerations can
no longer be solved by specialists only: information security has
become a management issue. However, business management is confronted
with a difficult dilemma: the time required to solve the increased
complexity has increased, while simultaneously the time available
due to increased dynamics has decreased. This can be depicted by the
"Time Scissors" diagram (Figure 1) (Seghezzi, 1993).
Figure 1. "The Time Scissors" as a business managers' dilemma.
In these new business conditions, one must adopt new guidelines and
operating principles, new theories, tools and methodologies and new
innovative solutions for management infrastructure. Many studies have
emphasized that old management truths are dead, and that business
models that worked admirably until the last decade of the twentieth
century must be replaced (Moore, 2000). Practical cases have demonstrated
that time-honoured business and planning practices leading to logical,
sound and competent management decisions have in fact been the main
reasons why solid companies have lost their business positions and
opportunities. These aspects must be seriously considered also in
information security management. Security issues cannot be considered
separately from the realities of business conditions, and they cannot
be solved with distinct security technologies or systems.
The character of information
The operation and management of any organization is based on knowledge.
In fact, knowledge is justified through activity or operations. Information
represents the explicit part of knowledge. However, the implicit or
tacit part of knowledge is much larger and more important (Figure
2). People are committed to their actions through tacit knowledge,
based on their understanding, will, capabilities and competence. As
a result, most activities are carried out on the basis of tacit knowledge.
Also explicit information is viewed in the light of tacit knowledge.
Hence, in terms of information security, tacit knowledge is more important
than information itself.
Figure 2. The information to be secured is partly explicit and partly
tacit. The realization of security is based both on explicit systems
or solutions and on the tacit behavior of people. In practice, the
tacit part is more significant - and risky - than the explicit part.
Teaching new skills and technologies comprises only a portion of
information security education. More essential is the necessity to
emphasize the importance of a) learning new principles in order to
understand operational realities, b) learning new tools and methodologies,
and, 3) learning new possibilities for constructing innovative infrastructures
to get the new ideas implemented.
Information security education
To understand the genuine needs of information security education,
we must first analyze the present technological situation and the
changes that are taking place. Currently, being strongly related to
technical solutions in hardware, software and various kinds of protocols,
security education relies heavily on encryption. People must be trained
to take advantage of these solutions.
There are two major obstacles in this expanded field of study. The
first one relates to changes in technology which inevitably bring
new security solutions in their train. Nevertheless, some systems
continue to function as if nothing has changed and that the system
is still as reliable as it was when it was first designed. The other
problem concerns how to make the leap from teaching to the adoption
of new security attitudes and to the keen appliance of security-related
knowledge. Broad curricula for information security education have
been presented at the Sec'93 IFIP conference (Dougal & Jones 1993)
and at IFIP conferences on information security education, for example,
WISE 1 (Yngström & Fischer-Hübner, 1999).
Information security education is closely connected with changes
in technology. The past decade witnessed a remarkable improvement
in security in connections between two adjacent servers. However,
the advent of the Internet changed all that by interconnecting all
those small networks, thereby enabling large numbers of people to
access the systems. The rapid growth of telecommunications adds to
the problem as most of it takes place via the Internet (Kajava &
During the 1990s, interconnected partners could negotiate an agreement
on the secure use of their networks, but this 1:1 relationship has
changed dramatically to a N:N relationship involving an enormous number
of interconnected servers. This paradigm change that affects large
computer systems such as those used by public administrations brings
other problems in its train. For example, the question of who owns
particular information may arise, along with its corollaries, such
as who has the right to alter it, delete it, append to it, and so
on. These questions may be solved in a particular government office
or company, but even that may result in a loss of compatibility with
other organizations. If technology changes produce unresolved questions
of this kind, the ensuing effects include loss of flexibility in interconnectivity
and a reduction in security control.
Researchers have debated at recent international conferences over
the issue of whether a run-through of the information security features
of the Internet protocol is enough to educate end-users. If the development
of networks had stayed at the level it had reached when EDI-based
(Electronic Data Interchange) solutions were designed in the 1980s,
the answer would be a resounding yes. After all, we can be fairly
sure that encryption between two interconnected partners, be they
administrative offices or commercial companies, is secure. But the
mere use of an encryption algorithm may pose problems when a third
server is included, let alone one which has to be contacted through
a network of other servers. A case in point is the identification
of the various co-operation partners. Moreover, how can we ascertain
the integrity of a service we buy through an open network? And whose
responsibility is it to answer for it?
Education and training are a means of directing people's attention
to these matters and, gradually, to act accordingly. Therefore, the
emphasis in security education must be diverted from predominantly
technical issues to including a strong human component, by raising
end-users' awareness level, enhancing their security skills and simply
by respecting and paying more attention to them.
Within the next two years, however, technical solutions will be embedded
into the basic structure of the next generation of protocols, such
as IPv6. This means that security will soon be transparent and requires
no extra activities to be undertaken by end-users. As a result, security
education in its classical formulation loses a lot of its relevance.
An open question begging to be solved during the next two years relates
to the Public Key Infrastructure (PKI). The method has been well known
for a number of years and is becoming increasingly widely used. In
banking, it can be used with smart cards and in governmental co-operation
for the personal identification of citizens. PKI can also be used
for various kinds of certification. In e-commerce, it is important
for its non-repudiancy, and in mobile communication, it is needed
in Internet operations.
A lot of people seem to feel that there may be no need for traditional
security education after a couple of years, since basic security operations
will become transparent and comprise just another facet of life for
end-users. But we have to ask ourselves, where are the PKI server
solutions that will be incorporated into our everyday activities?
They are a long time coming! The situation harks back to the early
days of the Pascal programming language. The standardization of PKI
takes a lot of time, but people want the product immediately, just
like they wanted Pascal two decades ago. If the Pascal scenario is
lived, there will be a number of parallel PKI dialects available,
but not a single server solution capable of dealing with real problems.
Perhaps we should wait a while before rushing products based on the
new Internet security protocol to the market. But if we do that, we
shall find very soon that most of our software is based on older solutions
like IPv4. The new IPv6 protocol, when it finally becomes widely available,
will not understand our old software.
The common consensus seems to be that security solutions will become
increasingly more automatic. This view, however, appears to overlook
the old truth relating to computers and people. New technological
solutions, no matter how self-evident and easy they are touted to
be, require that the software change process must be managed. Just
consider the situation a year ago with the Millennium bug.
In terms of university education, this means that security education
in its current form cannot be discarded. But as it will inevitably
lose some of its relevance, there will have to be a shift in emphasis.
Because technical solutions like firewalls increase security by keeping
outsiders at bay, insider problems have become the most serious threat.
As a logical consequence, human-related activities are increasing
in importance. Hence, the user or end-user is the most important component
in security work and this consideration should be reflected in security
Requirements business organizations
impose on information security education at the university level
As the world around us changes, the requirements that businesses
and other organizations pose on good information security expertise
are in a state of flux. Changes are brought about by such factors
as outsourcing, continuous structural changes in organizations and
globalization. As a result of these forces, security experts must
be able to:
- adapt quickly to organizational changes and bring their working
methods in line with the goals of the new policy
- investigate misuse of information technology and suspicions of misuse
- update their knowledge and skills relating to information security
and information technology
- design new, innovative security solutions
- develop an ability to work in different cultural environments among
people with diverse ethnic backgrounds. One of the most highly valued
tools of any security expert will be the ability to speak foreign
In the future, information security education cannot continue to
concentrate on technological solutions. Security experts must possess
a range of skills varying from traditional security expertise to an
ability to work in foreign cultures.
Earlier, people working in computer centers were held in high esteem
by computer users. We are currently in a situation, where computer
specialists could learn something from security people. It is time
for the various experts to co-operate to achieve the strategic and
operational needs of their organizations and to facilitate the work
of all user groups. The main users of ITC systems are not ITC experts,
but business leaders, organizational employees and individuals citizens.
A key player in this game is software. Each new version of any programme
tends to be larger than the previous one. This has not been experienced
as a problem, since computers have kept abreast of this development
by getting faster and having bigger memories. However, this has led
to a situation where we do not know the contents of the programmes
we are using. We only know that the programmes have certain elements
that we need. But we do not know, what else they contain. Perhaps
we should start a global project to simplify software.
The changes that are in the cards can be derived partly from discussions
on security and partly from real activities. The direction of change
is not only pointed at universities, but also at industry and, inevitably,
at the entire information society.
On the way to the future, we may not fully appreciate the time that
the society requires to implement increasingly automated solutions.
Information security could be a test field for understanding such
a complex and wide process. Security education could be a tool guiding
us on our gradual progress, and it should focus on the most important
component, the weakest link, in information security, people.
Christensen, C. (1997): The Innovator's Dilemma. Harvard Business
Davis, S. and Meyer, C. (1998): Blur the Speed of Change in the Connected
Economy. Perseus Books. USA.
Dougal, E.G. and Jones D. (1993) (eds.): Computer Security: Discovering
tomorrow. IFIP Sec'93. Deerhurst, Ontario, Canada.
Dyson, E. (1997): Release 2.0. Broadway Books. USA.
Kajava J. & Varonen R. (2000), Intranet Security from the Organizational
Point of View - The Re-emerging Insider Threat. In Steven Furnell
(ed.): Proceedings of the Second International Network Conference
(INC'2000). Plymouth, UK.
Moore, G. (2000): Living on the Fault Line. HarperBusiness. USA.
Seghezzi, H.D. (1993): Europe as Part of the Triad. In Juhani Anttila
(ed.): Proceedings of the EOQ 93 World Quality Congress. Vol. 1. Helsinki,
Yngström L. and Fischer-Hübner S. (1999), (eds.): WISE 1,
Proceedings of the IFIP TC 11 WG 11.8 Conference on Information Security
Education. Stockholm, Sweden.
[This text was made together with Jorma Kajava of the University
of Oulu, Finland and Juha E Miettinen of Sonera Corporation and presented
as a conference paper at the EUNIS Conference in Berlin, germany in