Information Security Services Education in Serbia – ISSES
In the past couple of years we have received more and more news reports about serious security-related incidents in information systems. In December 2016 and January 2017 the media reports were full of the Yahoo security breach, which happened in 2013 and allowed hackers to access information about more than 1 billion Yahoo accounts. In the past, similar incidents happened at other well-known companies whose operations are mainly Internet-based, e.g. Dropbox, LinkedIn, MySpace. Unfortunately, high-technology crime is not limited to online content only. Criminal organizations and state-funded hacker groups are diversifying their portfolios and attacking systems which were earlier thought untouchable. Multiple hospitals were hit with ransomware in 2016; in December 2015 hackers managed to access the Industrial Control Systems (ICS) of multiple electric power distribution systems in Ukraine and turn off electricity to ~225,000 consumers; and in 2010 the world witnessed the first malware attack against the Industrial Control Systems of the nuclear facilities in Natanz, Iran. As the number of such attacks rises, it is becoming clear that the high-technology criminal organizations carrying out such attacks are usually one step ahead of the security experts designing and implementing security controls.
The information security industry is shifting towards accepting the fact that such security breaches are going to happen and, besides trying to stop them, the industry is now also focusing on developing proper detection, response and recovery techniques and solutions. As these additional activities often require additional human expertise and labor, the need for highly skilled information security services experts is expected to be on a continuous rise in the following years. Gartner reports claim that information security spending will rise up to 10% until 2020. Other market analyses forecast that the global security services market will be worth ~200 billion USD by 2021. This rise in market value is currently not closely followed by a rise in the number of new, highly skilled information security services professionals, whether in Serbia, Europe or the world. Projections based on the 2015 (ISC)² Global Information Security Workforce Study suggest that in Europe alone there might be ~379,000 unfilled information security positions in 2019.
The European Parliament adopted the Directive on security of network and information systems (the NIS Directive) in July 2016, as the first piece of EU-wide legislation on cybersecurity. With the new NIS Directive the EU aims to raise its cyber resilience, and it will require security experts with comparable skills and qualifications to implement the measures and controls defined by legislation. In 2016 Great Britain published the National Cyber Security Strategy 2016-2021, planning significant investments in the field of cyber security and founding a National Cyber Security Centre, which will provide expertise to businesses and individuals. Serbia adopted the Law on Information Security in 2016 and it is expected that its first ever National Cybersecurity Strategy will be adopted in 2017, further elaborating the national information security requirements in line with the new law. The Guide through Information Security in the Republic of Serbia, published by the Organization for Security and Co-operation in Europe (OSCE) Mission to Serbia, lists among its mid-term goals the development of undergraduate and postgraduate programmes in cyber security at universities. The Guide also identifies among its long-term goals the need to establish networks of research and development centres, centres of excellence, laboratories, technological incubators and innovative centres in the cyber security domain. It is further explained that this course of action would have a significant economic impact through the sales of information security services and products.
Additionally, an ACM and IEEE Joint Task Force on Computer Engineering Curricula published in December 2016 the new Curriculum Guidelines for Undergraduate Degree Programs in Computer Engineering in which Information Security is listed as one of the core areas.
Serbia listed ‘Security Services’ as a national priority for Erasmus+ Capacity Building in Higher Education calls. The consortium was put together for these reasons and because the HEIs from Serbia identified the need to invest in upgrading their existing capacities in this domain. The project will additionally address one more national priority, namely ‘Computing’, as all project activities and outputs will involve information and communication technologies.
The goal of the ISSES project is to improve the higher education capacities in the field of Information Security in the Republic of Serbia. Entirely new courses will be developed, which will raise the competitiveness of students graduating from the participating HEIs in Serbia. Compared to the current situation, in which there are no laboratories supporting education in this field, the project team will develop state-of-the-art laboratories which will allow the students to gain hands-on experience directly transferable to the information security industry. The information security teachers and researchers working at the four Serbian HEIs involved in this project and at other technical HEIs in Serbia do not cooperate. They often invest redundant efforts to prepare teaching materials for the same courses taught at different institutions. This project will strive to standardize information security education in Serbia by jointly developing and sharing teaching materials between the partners. This will allow them to avoid duplication of effort and to focus on their key expertise, e.g. UB on digital forensics, UNS on critical infrastructure security.
A subset of the courses built during the project will be novel at the regional and European level as well, e.g. Security and privacy in the Internet of Things, Cloud Security, Secure Software Development. The hybrid Critical Infrastructure Security + Network Security + Cloud Security laboratory planned to be built at P1 will be more advanced than its role model, the industrial testbed at P3, because of the inclusion of the cloud computing element. Together with the other two hybrid laboratories built at P5 and P9, it will allow teachers and researchers to carry out cutting-edge teaching and research activities. The Digital Forensics Laboratories (DF Lab) will also be equipped with the latest hardware and software, allowing Serbian HEIs to transfer up-to-date knowledge to students and conduct research activities.