Information Security



SPSU Center for Information
Security Education
Building J
Suite 387
1100 South Marietta Pkwy
Marietta, GA 30060

Svetlana Peltsverger, Ph.D.
Director
speltsve@spsu.edu
678-915-4285

Research Initiatives

NSF CPATH Project: Creating a Security Thread in CS Program

The revitalization of undergraduate computing education structurally and pedagogically will certainly require a departure from the existing traditions and curriculum models that have not been effective in spite of all the advances in the design of language, software development techniques, hardware systems, and algorithmic processes. This project calls these traditions into question, re-examines the historical evolution of computing education including course content and course sequences, and proposes a new educational model for undergraduate computing education for the new century.

CISE encourages various research activities in information assurance (IA) areas. All participating faculty in CISE will publish papers on IA topics within refereed journals or peer reviewed conference proceedings. A special technical report series will be implemented to make those publications available both in print and online.

At the ACM SIGITE (Special Interest Group in IT Education) 2006 conference from October 18 to 21 in Minneapolis, Mr. Fred Gutierrez, an MSIT student, won the Student Paper Award for his paper entitled "Stingray: A Hands-on Approach to Learning Information Security", which is based on his thesis work on information security research.

Research shows that students learn more effectively if they are more engaged in a learning environment that challenges students to apply their enthusiasm and knowledge toward various levels of problems. This paper presents a prototype of such a learning support environment for teaching and learning information security concepts, principles, and techniques.
Our approach and implementations help students learn important computer and network security concepts and techniques combining the traditional classroom with much more emphasis on a hands-on approach. As many security professionals advocate, it is a good idea to learn from the malicious attacker’s view as well. This system is made of three components ranging from beginner, intermediate, to advanced levels, and attempts to accommodate the different learning styles that are prevalent in a diverse student body. The first component has already been tested in a classroom setting and met with great success. From there, students that are able to successfully complete all three components will gain an understanding of various tools, techniques and concepts that may help them in their future endeavors, whether it be in the Information Security field or not.

Building an online conference with open-source components. Proceedings of the 43rd Annual Association of Computing Machinery Southeastern Conference Vol. 1. Pages 376-377. March, 2005, Kennesaw, GA. With Yang Lu. (Reviewed) (Rich Halstead-Nussloch)

This paper covers a recent experience at Southern Polytechnic State University (SPSU) of building an online conference with open-source web components. With the Georgia State Archives (Archives), SPSU co-sponsored a project funded by the National Historical Publication and Records Commission (NHPRC). The project investigated privacy and access issues in Georgia's electronic government. SPSU's main role was to provide the information technology (IT) for the sponsored project's computer-based conference and workshop. Utilizing open-source IT resources, we built a web site to support an online computer conference in response to business needs articulated by the Archives. The web site met the initial business needs and provided content and value throughout its life cycle. As business owner the Archives were satisfied with the open source components' capability to meet needs. As developers we were satisfied with the technical capability of the open source components to provide web services to meet needs. For special-project web sites we therefore can recommend that IT developers consider utilizing open source components.

Rose Shumba, J. A. Wang, et al., “Teaching the Secure Development Lifecycle: Challenges and Experiences”, in Proceedings of the Tenth Colloquium for Information Systems Security Education, June 5 – 8, 2006, University of Maryland, University College, Adelphi, Maryland, ISBN: 1-933510-98-6, pp 116 – 123.

A large portion of security vulnerabilities result from mistakes in the design or code of software systems. To address this problem, secure development lifecycle practices have been introduced into the software engineering curriculum at five different universities. Each phase of the software development lifecycle has been modified in at least one university to incorporate security. This paper provides a survey of practices involved in the secure development lifecycle and describes how these practices can be introduced into the software engineering curriculum. Each contributor discusses his or her experiences and challenges while integrating security into one phase of the software development process.

J. A. Wang and Ken Yetsko, “Building Reusable Information Security Courseware”, in Proceedings of Information Security Curriculum Development, September 23 – 24, 2005, Kennesaw, GA, pp 88 – 94.

Well-designed courseware improves teaching effectiveness and encourages active learning. This paper reports our experience in developing a multimedia and interactive courseware for an information security course in our distance education WebBSIT program as well as course supplementary materials for our on-site information security courses. The courseware emphasizes interactivity and reusability, following common cognitive principles and pedagogical methods.

J. A. Wang, “MICS: Multimedia, Interactive Courseware for Information Security”, in Proceedings of The 3rd International Conference on Education and Information Systems, Technologies and Applications, July 14 – 17, 2005, Orlando, Florida.

The paper presents the architecture and preliminary design of MICS, a multimedia, interactive teaching and learning tool for information security. MICS consists of a collection of interactive multimedia animations to enhance the undergraduate/graduate curriculum in trustworthy computing for the state-wide Web-based WebBSIT program in Georgia as well as for our regular on-site information security courses at Southern Polytechnic State University. Each animation illustrates some important concepts and encourages the user to examine these concepts in depth. These animations require active participation and reasoning to improve the student’s understanding and to make learning enjoyable and challenging. MICS covers the standard topics of security, privacy, reliability, and business integrity, but for each topic there are one or more projects implemented with interactive animations for the student to participate in. Each animation project contains five major sections. First is an overview of the activity including information on its definition and history. Second is the usage of the activity, explaining how it should be employed including specific syntax or operating requirements. Third is a discussion of the activity’s use in trustworthy computing practice. The fourth section is a detailed, guided set of exercises. The last section is a discussion of further research topics related to the activity in this exercise. For each animation project, there are continuing questions requiring students to seek and record information about their sessions, and answer sheets students can use to submit their findings for a grade. These interactive animations will challenge students to examine the topics in a substantial way.

J. A. Wang, “Web-Based Interactive Courseware for Information Security”, in Proceedings of ACM SIGITE 2005 Annual Conference, October 20 – 22, 2005, Newark, New Jersey. ISBN: 1-59593-252-6. pp 199 – 204.

Interactive courseware encourages student participation and active learning. Prior research and teaching experience has shown that IT students prefer to learn information security in a hands-on manner. How do we offer information security as a distance learning course while giving students a similar hands-on teaching and learning style as we do in a traditional classroom or lab? This paper discusses our experience in developing Web-based multimedia and interactive courseware for an undergraduate information security course. The courseware is based on a simple yet powerful software tool called MICS (Multimedia and Interactive Courseware Synthesizer), designed for generating multimedia and interactive courseware for science and engineering students. We report in this paper our experience in designing such a course development tool and in using the courseware in our IT curricula.

J. A. Wang, “Information Security Models and Metrics”, in Proceedings of 43rd ACM Southeast Conference, Volume 2, pp. 178 – 184. ISBN: 1-59593-059-0. March 2005, Kennesaw, GA.

Security assessment is largely ad hoc today due to its inherent complexity. The existing methods are typically experimental in nature and highly dependent on the assessor’s experience, and the security metrics are usually qualitative. We propose to address the dual problems of experimental analysis and qualitative metrics by developing two complementary approaches for security assessment: (1) analytical modeling, and (2) metrics-based assessment. To avoid experimental evaluation, we put forward a formal model that permits the accurate and scientific analysis of different security attributes and security flaws. To avoid qualitative metrics leading to ambiguous conclusions, we put forward a collection of mathematical formulas based on which quantitative metrics can be derived. The vulnerability analysis model responds to the need for a theoretical foundation for modeling information security, and security metrics are the cornerstone of risk analysis and security management. In addition to the security analysis approach, we discuss security testing methods as well. A Relative Complete Coverage (RCC) principle is proposed along with an example of applying the RCC principle. The innovative ideas proposed in this paper include a hierarchical multi-level modeling approach to modeling vulnerability using model composition and refinement techniques, a data-centric, quantitative metrics mechanism, and multidimensional assessment capturing both process and product elements in a formalized framework.

J. A. Wang, “Security Testing in Software Engineering Courses”, in Proceedings of Frontiers in Education Conference, Session F1C, IEEE Catalog Number 04CH37579C, ISBN: 0-7803-8553-5. October 2004, Savannah, Georgia.

Writing secure code is at the heart of computing security. Unfortunately, traditional software engineering textbooks failed to provide adequate methods and techniques for students and software engineers to bring security engineering approaches to the software development process, generating secure software as well as correct software. This paper argues that a security testing phase should be added to the software development process, with a systematic approach to generating and conducting destructive security test sets following a complete coverage principle. Software engineers must have formal training on writing secure code. The security testing tasks include penetrating and destructive tests that are different from functional testing tasks currently covered in software engineering textbooks. Systematic security testing approaches should be seamlessly incorporated into software engineering curricula and the software development process. Moreover, component-based development and formal methods could be useful to produce secure code, as well as automatic security checking tools. Some experience of applying security testing principles in our software engineering course teaching is reported.

Rich Halstead-Nussloch
Embedding sponsored projects in classes: A case study. Proceedings of the 43rd Annual Association of Computing Machinery Southeastern Conference Vol. 1. Pages 339-360. March, 2005, Kennesaw, GA (Reviewed)


This paper covers a recent experience at Southern Polytechnic State University (SPSU) of embedding a sponsored project within the information technology curriculum. With the Georgia State Archives, SPSU co-sponsored a project funded by the National Historical Publication and Records Commission (NHPRC). The project investigated privacy and access issues in Georgia's electronic government. SPSU's main role was to provide the information technology (IT) for the sponsored project's computer-based conference and workshop. Utilizing presentations from the project-funded graduate student, we embedded the IT development as an ongoing example in a class on web development. Students in the class responded positively and indicated that seeing and doing (parts of) an ongoing project gave them a better "big picture" of web development. The graduate student responded positively to the chance for learning to teach.
