The Cybersecurity Body of Knowledge
The ACM/IEEE/AIS/IFIP Recommendations for a Complete Curriculum in Cybersecurity
The Cybersecurity Body of Knowledge explains the content, purpose, and use of eight knowledge areas that define the boundaries of the discipline of cybersecurity. The discussion focuses on, and is driven by, the essential concepts of each knowledge area that collectively capture the cybersecurity body of knowledge to provide a complete picture of the field.
This book is based on a brand-new and up to this point unique, global initiative, known as CSEC2017, which was created and endorsed by ACM, IEEE-CS, AIS SIGSEC, and IFIP WG 11.8. This has practical relevance to every educator in the discipline of cybersecurity. Because the specifics of this body of knowledge cannot be imparted in a single text, the authors provide the necessary comprehensive overview. In essence, this is the entry-level survey of the comprehensive field of cybersecurity. It will serve as the roadmap for individuals to later drill down into a specific area of interest.
This presentation is also explicitly designed to aid faculty members, administrators, CISOs, policy makers, and stakeholders involved with cybersecurity workforce development initiatives. The book is oriented toward practical application of a computing-based foundation, crosscutting concepts, and essential knowledge and skills of the cybersecurity discipline to meet workforce demands.
Dan Shoemaker, PhD, is full professor, senior research scientist, and program director at the University of Detroit Mercy’s Center for Cyber Security and Intelligence Studies. Dan is a former chair of the Cybersecurity & Information Systems Department and has authored numerous books and journal articles focused on cybersecurity.
Anne Kohnke, PhD, is an associate professor of cybersecurity and the principle investigator of the Center for Academic Excellence in Cyber Defence at the University of Detroit Mercy. Anne’s research is focused in cybersecurity, risk management, threat modeling, and mitigating attack vectors.
Ken Sigler, MS, is a faculty member of the Computer Information Systems (CIS) program at the Auburn Hills campus of Oakland Community College in Michigan. Ken’s research is in the areas of software management, software assurance, and cybersecurity.
Table of Contents
Forward 1. Forward 2. Author Biographies. Introduction. Chapter 1. Securing Cyberspace is Everybody’s Business. Chapter 2. The Cybersecurity Body of Knowledge. Chapter 3. Data Security. Chapter 4. Software Security. Chapter 5. Component Security. Chapter 6. Connection Security. Chapter 7. System Security. Chapter 8. Human Security. Chapter 9. Organizational Security. Chapter 10. Societal Security. Index.
Dan Shoemaker, PhD, is full professor, senior research scientist, and Program Director at the University of Detroit Mercy’s Center for Cyber Security and Intelligence Studies. Dan is a former chair of the Cybersecurity & Information Systems Department and has authored numerous books and journal articles focused on cybersecurity.
Anne Kohnke, PhD, is an associate professor of cybersecurity and the principle investigator of the Center for Academic Excellence in Cyber Defence at the University of Detroit Mercy . Anne’s research is focused in cybersecurity, risk management, threat modeling, and mitigating attack vectors.
Ken Sigler is a faculty member of the Computer Information Systems (CIS) program at the Auburn Hills campus of Oakland Community College in Michigan. Ken’s research is in the areas of software management, software assurance, and cybersecurity.
I have great pleasure in writing this foreword. I have worked with Dan, Anne, and Ken over the past six years as this amazing team has written six books for my book collection initiative. Their newest effort, The Cybersecurity Body of Knowledge: The ACM/IEEE/AIS/IFIP Recommendations for a Complete Curriculum in Cybersecurity, brings together a comprehensive understanding of cybersecurity and should be on the book shelf of every professor, student, and practitioner.
Right now, the study of cybersecurity is pretty-much in the eye of the beholder because the number of interpretations about what ought to be taught is limited only by the number of personal agendas out there in the field.
Through discussion with the team, I've learned that every well-established discipline of scholarship and practice has gone through the process of research, extensive discussions, formation of communities of practice, and thought leadership to continually build the body of knowledge. Over time, diverse voices put forth ideas, concepts, theories, and empirical evidence to advance the thinking and in every discipline there comes a time when thought leaders establish generally accepted standards based on a comprehensive view of the body of knowledge.
I believe that time has come for the discipline of cybersecurity.
Beginning with a narrow focus on computer security, the discipline has advanced tremendously and has accurately become known as a fundamentally computing-based discipline that involves people, information, technology, and processes. Additionally, as the global cyber infrastructure increases the possible targets, the interdisciplinary nature of the field includes aspects of ethics, law, risk management, human factors, and policy. The growing need to protect not just corporate information and intellectual property, but to maintain national security has created a demand for specialists across a range of work roles, with the knowledge of the complexities of holistically assuring the security of systems. A vision of proficiency in cybersecurity, that aligns with industry needs and involves a broad global audience of stakeholders, was needed to provide stability and an understanding of the boundaries of the discipline.
The formation of the CSEC2017 Joint Task Force - involving four major international computing societies: the Association of Computing Machinery (ACM), the IEEE Computer Society (IEEE CS), the Association for Information Systems Special Interest Group on Information Security and Privacy (AIS SIGSEC), and the International Federation for Information Processing Technical Committee on Information Security Education (IFIP WG 11.8) - came together to publish the single commonly accepted guidelines for cybersecurity curriculum (the CSEC2017 Report). The CSEC2017 Report authors have produced a thought model and structure in which the comprehensive discipline of cybersecurity can be well understood. With this understanding, development within academic institutions and industry can prepare a wide range of programs grounded in fundamental principles.
This book explains the process by which the CSEC2017 Report was formulated and its pedigree. It discusses the knowledge units of each of the eight knowledge area categories of the field in detail. The reader will understand the required knowledge for cybersecurity and gain a basic understanding of the application and purpose of each of these myriad elements.
I have studied the various chapters and believe the seamless flow of the content will benefit all readers and that the extensive use of visuals greatly improves readability. Although knowledge knows no end, dissemination and sharing of knowledge are critical. I believe this book will help form the foundation of the next evolution of cybersecurity and I congratulate the team on their work and their amazing result.
"The Cybersecurity Body of Knowledgeis a technical but readable guide to the eight areas that make up the core cybersecurity areas. Rather than treating the book as a knowledge dump of everything cybersecurity, the authors present the essential cybersecurity elements readers need to know.
Cybersecurity knowledge cannot be conveyed in a single volume. In fact, the cybersecurity curriculum guidelines developed by the JTF run to more than 100 pages. Those looking for a comprehensive roadmap to effectively begin their cybersecurity journey will find that The Cybersecurity Body of Knowledge is an excellent guide."
Reviewer: Ben Rothke, CISSP (Certified Information Systems Security Professional), is a senior information security specialist with Tapad, Inc.