Computer Security Training : A Military Officer Case Study

Understanding and dealing with computer security issues is normally considered a key objective for information technology (IT) support personnel. From a broader perspective, however, information-based threats are primarily a concern for managers and superior commanders who need to authorise and initiate the necessary investments and to enforce the appropriate policies and procedures to protect the organisation at hand. Enabling these latter-mentioned superior decision-makers to make well-founded decisions and to make sure the personnel actually conform to the approved procedures and practices require the decision-makers to have at least a fair understanding of computer security fundamentals. For this purpose, the Swedish National Defence College is in the midst of putting together a series of courses within information assurance to fulfil the need of IT training in governmental organisations. This paper presents the course design and the laboratory settings that were used within the first experimental course taught to students becoming high rank officers, i.e., officers elected for the very last two years of education within the curriculum of ordinary Swedish military training. The course looks at computer security from an attack versus defend viewpoint, i.e., computer attacks are studied to learn about prevention and self-defence. The pedagogical challenges related to education of high rank officers or similar personnel are discussed in light of the recently-held course. A standpoint taken is that computer security is best taught using hands-on laboratory experiments focusing on problem solving assignments. This is not undisputed since, e.g., high rank officers are busy people who are not fond of getting stuck learning about the peripherals. Also, it is emphasised that knowledge and tools within computer security by nature serve both the purpose of the attacker and the defender. The difference should be regarded purely as a question regarding intent.