In a constantly changing field like cybersecurity, nothing stays the same for long. And as Jim Lewis, a senior VP at the Center for Strategic and International Studies, has learned first hand, this makes teaching about cybersecurity a challenge.
Lewis this spring started teaching a section of a social engineering course to cybersecurity majors at the U.S. Naval Academy. Once it became apparent that the textbooks available to support the course were all several years old, Lewis opted to ditch the traditional approach and adopt a different source of reading materials: daily newspapers.
And why not? When the headlines are dominated by stories about everything from hacking of the Democratic National Committee and collusion with the Russians to the latest phishing attacks or whether the President can order a wiretap of an individual, it's almost like newspapers are serving as a living cybersecurity textbook.
"This was kind of a bumper year for stories about social engineering, cyber espionage and cybersecurity," said Lewis. "Every day when you opened the paper, it was just a gold mine."
Lewis was not alone with his realization; another practitioner invited to lead a section of the class, Chris Inglis, former deputy director of the National Security Agency, also chose to ditch textbooks in favor of newspapers.
Lewis' and Inglis' actions speak to a larger topic: Just how do you go about teaching cybersecurity? How do you teach students a topic that's in its infancy and is in a constant state of flux? When the rules are changing daily, and the threats are constantly changing form, the shelf life of a textbook gets mighty short.
"When you say you're going to teach cybersecurity, what are you going to be teaching? There's not a consensus on this. Part of that is because it's all so new," Lewis said. "It's like the 18th century and physical science. People are discovering whole new worlds to look at."
As a result, Lewis believes that teaching cybersecurity requires a more flexible approach, one that enables instructors and students to keep up with a fast-evolving field and ensure that what's being taught retains as much relevance as possible.
Along those lines, Lewis didn't limit himself to newspapers. He also brought in current data that the industry itself puts out regularly. For instance, he circulated Verizon's annual breach report, which is one of the industry's most complete and anticipated sources of breach data. His students' response was enthusiastic.
What Lewis especially likes about this more current approach is how it injects his instruction with real-world examples. Teaching cybersecurity, he said, is about more than code and technical architectures. It's about law and policy and social engineering, each of which are the subjects of classes Naval Academy cybersecurity majors can take.
In the case of social engineering, for instance, phishing is a huge topic that has been all over the media this year, and clearly those stories have more current information about how phishing attacks are being engineered in 2017 than a textbook written in 2012 could possibly contain.
Because his students are being trained to defend ship networks, buildings, weapons systems and the like, Lewis wants his students to understand attackers' motivations as much as possible. After reading reports of current attacks, students are able to more easily put themselves in the attackers' shoes and imagine what they might do or think if they were the bad guys. And this, naturally, informs what they'd do in response.
Lewis believes this approach more effectively engages today's students by connecting what they're learning to their own experiences, and more importantly, to how social engineering efforts might reach them, or the people and systems they'll be charged with protecting.
Textbooks, conversely, only scratch the surface, providing history but not context. By adding immediacy to what they're learning, Lewis hopes to make his students more effective security practitioners when they enter the real world.
"I think they'll have a broader understanding of the scope of the problem," Lewis said. "Textbooks were written for PC world, but we now live in a social media world."