Material vs the CPHC/(ISC)2 cybersecurity themes

Phil Brooke, 11 August 2022 (last update 22 Aug 2022)

The CPHC/(ISC)2 Cybersecurity principles and learning outcomes for computer science and IT-related degrees document from 2015 identifies five core themes:

Although the primary focus of this document is to outline how the material developed through this project can be used to target these themes, there are some broader comments on general and specialist infosec education, followed by some broader reflections on general computing and information systems education.

Creative Commons Licence
This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.

Mapping against content for CPHC/(ISC)2

Each theme in the document is provided with:

In this section and the accompanying spreadsheet, we primarily concentrate on the core concepts and show how they are covered in the material from this project. In each of the sections below, we list the material against the core concepts. In the vast majority of cases, this material is aimed at generalist IT students, not specialist infosec students.

Theme 1 — Information and Risk

Core concepts listed are

The material provided mostly concentrates on the high-level concept of C-I-A for information nad using this for an assessment of the threats, vulnerabilities and risk associated with an information system. Throughout this should be viewed holistically — all the components, human, software and hardware along with the intended processes together.

Theme 2 — Threats and Attacks

The material emphasises some classic areas of risk, primarily database injection and cross-site scripting (XSS). These are commonly attacked in naïve applications. Buffer overflows aren’t directly covered; although still of interest for technical attackers; something like a simple break on the web front-end of a system is often easier.

Theme 3 — Cybersecurity Architecture and Operations

The material provided places much emphasis on recognising end-users. Practical experience of projects suggests they are often forgotten, resulting in a poor UX or mismatches with existing (actual) business projects. Sometimes the users then work around these resulting in security failures. Many students will not have come across business processes such as JML (but will have been a subject of these processes in any work experience, previous/current jobs, and enrolling at a university, so should be able to call on that experience).

The “Controls” section is marked in brackets. The CPHC/(ISC)2 document expands this across physical controls, process/operational controls, logical controls, and technical controls. Most junior IT professionals will not often consider physical controls (dealt with by estates! — but mobile/agile working makes this more “exciting” as we lose much protection), and some areas such as firewalls, malware and patch processes will be specified in existing IT policies and processes. Being aware of the process/operational and technical issues are valuable, e.g., least privilege, access, authentication, authorisation. A basic understanding of the need for firewalls and when to ask for help cryptography is useful.

Theme 4 — Secure Systems and Products

Emphasis in the material developed addresses classical issues of validation and sanitisation. This addresses some of the issues raised, particularly in theme 2. Comms elements (e.g., always use HTTPS with valid certificates) are “obvious” to experienced practitioners but are corners sometimes cut by unexperienced or rushed developers. The potential for virtualisation, containers and emerging risks (and benefits) of cloud deployment arise here.

Theme 5 — Cybersecurity Management

The material covers several areas in moderate depth, particularly incident response and the wider organisational constraints on both IT development/deployment as well as the demands and necessary compromises with regulatory demands. A minimum strict compliance can be (relatively) easy, but sufficient due diligence is far more complex. Examples and ethical dilemmas can be easily highlighted here for generalist students.


Final year projects (and other team projects) can cover a lot of useful areas without detriment to other aspects of the project, ideally to cover

It should be clear that a large swath of the CPHC/(ISC)2 themes can be covered, albeit at a relatively cursory level.

Those with an information security aspiration could choose an infosec-relevant project — see comments below on “general vs. specialist cybersecurity / infosec curricula” for possible areas to look for ideas.

Other criteria / curricula suggestions

NCSC criteria

…this is not currently easily visible. However much is aligned against CyBOK…

The Cyber Security Body of Knowledge (CyBOK)

The Cyber Security Body of Knowledge provides

[a] comprehensive Body of Knowledge to inform and underpin education and professional training for the cyber security sector.

The CyBOK project aims to bring cyber security into line with the more established sciences by distilling knowledge from major internationally-recognised experts to form a Cyber Security Body of Knowledge that will provide much-needed foundations for this emerging topic.

This describes 21 “knowledge areas” covering a breadth of topics. YMMV.

ACM CC 2020

The ACM’s Computing Curricula 2020 is a thorough document, but possibly not quite as usable as a primary source for choosing content to cover. It references other frameworks, e.g., SFIA.

General vs. specialist cybersecurity / infosec curricula

Some final thoughts (from August 2022): in the current position,

Specialist students with a more practical interest may be better aligned to the CIISec/UKCSC aspects, whereas those with a theoretical/research interests might find more of use in CyBOK.

Aside on curricula and certifications

(22 Aug 2022) — shows the sheer volume of certifications available, albeit US focus.

Final reflections, particularly for general IT / computing / information systems students and professionals

I write “IT” as a shorthand here for the huge field of IT, computing, information systems, ….

For infosec people: they come from all sorts of backgrounds. (This is mentioned in the induction / career type parts of lectures.) Although there are some highly specialised roles, all infosec people need to understand how IT fits into organisations in the big picture. Again, that means that the IT is there to solve a problem for people.

Future visiting professors — I think the most useful contribution over the three years is not something easily recorded here. The conversations with students (and staff), in passing before and after lectures, are an area where different experiences count — something brought by the VPs. Other opportunities are in small group teaching, particularly for final year projects and group projects: I spent much time in conversations in tutorial classes, sometimes about the topic at hand, but often ranging much more widely. This does not scale and is something where VPs will be able to continue contributing.