Today I’d like to share a simple and personal thought about teaching models on cybersecurity. Quite often students ask me how to improve their technical skills and the most common question is: “would it be better an university course a professional certification or getting directly on the field working in a Cybersecurity company ?”. The answer is not trivial at all since it really depends on the student maturity and on what he desires to be in few years from now (is. a researcher, a professional penetration tester, a reverse engineer, a CISO, etc.) but that recursive question raised a more general question: what are the differences between cybersecurity educational models?
The education process is based upon the information to be shared, by meaning that information is the “starting brick” of education. If there is no information to be shared there isn’t an education process. Off course information alone it’s not enough for education, everybody knew the difference between a good teacher and an ordinary one, but every teacher starts from a concept do be explained, that concept I would call (in this post) information. If there is someone who teaches there is at least another one who learn and by learning he will increase his knowledge on the topic. So the knowledge is the focus and understanding what knowledge means could definitely help us to improve our teaching processes. But we have many teaching processes, for example we have Universities teaching process which is mainly based on scientific evidences, Certifications teaching process which is mainly focused on procedures and tool sets, Camp teaching process which is mainly focused on relational approach (a.k.a knowing the right person for the specific problem), Technical Laboratory which is mainly focused on personal experiences, and so on and so forth. Every process differs from each other so what teaching process would be more effective to increase the cybersecurity knowledge ?
According to Paul Boghossian (Fear of Knowledge, Against Relativism and Constructivism), Luciano Floridi ( The Fourth Information Revolution and its Ethical and Policy Implications) and the internet Encyclopedia of Philosophy we might divide knowledge into 4 separate categories.
Section 1: The certainty. The information that I had. What I am sure it’s true.
Section 2: The foolishness. The information that I know I’m missing.
Section 3: The uncertainty. The information that I have but that I am not sure to be true.
Section 4: The ignorance. The information that I don’t known I don’t have yet.
Let me try to clarify those categories with an example by assuming Alice as our company CIO . Alice knows exactly what cybersecurity defence systems has implemented and she knows eventually her network will be hit by the next cybersecurity attack. This is what we call certainty. In other words this information is what Alice knows and believes it’s true. However she doesn’t know when the cyber attack will happen, what infrastructures the attacker will hit and what technique the attacker will use (phishing, exploiting, scam, etc). This is her foolishness. In other words she knows that she doesn’t know some information for example who will be the victim. Moreover Alice is definitely not sure 100% the countermeasures she adopted will be enough strong to defeat the upcoming cyber attack. This is her uncertainty. Again she has no idea if her shields would resist against the attack is going to happen. Finally Alice doesn’t know that the attacker unfortunately has already powned the company domain controller. This is what we have defined as ignorance. In other words all the information that Alice is not aware of.
What a good teaching process should do is to increase Section 1 by giving certainties and to drastically reduce Section 2, Section 3 and Section 4. In my personal point of view the academic teaching process (university) is perfect to increase Section 1 and to drastically reduce Section 3. This sounds plausible since increasing the certainty by reducing the uncertainty is an evidence-based-process which is build upon tests and researches: a typical university oriented approach. Section 2 should be addressed by professional certifications. Professional certifications would definitely fill foolishness by getting more tactics and techniques to be implemented in the real world. And finally Section 4 is filled by experience. Direct teaching process would help in providing stereotypes, but the reality is always different from stereotypes, it’s our experience that associate the reality to the closed stereotype in order to find the best solution. In other words it’s hard to know what is not known and the experience is a main road to fight ignorance.
We probably could end-up with an obvious answer to the original question, but I really don’t think there is a preferred path to increase your technical skill, it’s a never ending learning process where every step takes its own time.