The Development of a Longitudinal Security Case Study

Susan J. Lincke, PhD, CISA
University of Wisconsin-Parkside, Kenosha, WI
+1-262-595-2129

Stephen Hawk, PhD, CISA
University of Wisconsin-Parkside, Kenosha, WI
+1-262-595-2024

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. SIGITE'15, September 30–October 3, 2015, Chicago, IL, USA. © 2015 ACM. ISBN 978-1-4503-3835-6/15/09…$15.00. DOI: http://dx.doi.org/10.1145/2808006.2808018

ABSTRACT
A longitudinal walkthrough case study can teach students the skills to develop a system of security with a big-picture view. This security teaching case study helps students plan organizational security, develop secure software requirements, and prevent fraud. The case study uses a doctor's office that must adhere to HIPAA as the foundation for student problem-based learning. We have taught the course with and without service learning, with undergraduate and graduate students, and with foreign, American, computer science and business students. As part of our assessment, we evaluated students' perceptions and learning effectiveness. This paper addresses the improvements made and the lessons learned through assessment of this longitudinal teaching case study.

Categories and Subject Descriptors
K.3.2 Information Systems Education; K.6.5 Security and Protection

General Terms
Security, Human Factors, Documentation, Design, Legal Aspects.

Keywords
Longitudinal Teaching Case Study; Assessment; Security Planning.

1. INTRODUCTION
High-impact methods of teaching include authentic learning techniques, such as Problem-Based Learning, Service Learning, and Case Studies. Problem-Based Learning is well suited to technical skills, such as teaching sniffing, testing and configuring computers and networks, and secure coding. However, students also need to learn to apply security within an organization. It can be difficult to find partners for Service Learning, since the security function is confidential by nature and all work must be performed expertly. A security case study, however, can give students a practical, real-world, problem-based learning experience to accompany theoretical learning. This work describes the development and improvement of a semester-long case study on security planning, including lessons learned through assessment of student perceptions.

This project is a longitudinal case study: a single case study worked throughout a semester. This has the advantage of establishing one environment for the semester instead of changing the scenario weekly. Students also begin to see security as a system: how information security informs network security, physical security, and incident response, among other relationships. The goals of the case study are to educate in the following areas:

1. Information security planning: How does an organization plan for security? This goal trains students to become security analysts. HIPAA (the Health Insurance Portability and Accountability Act) regulates both privacy and security in the medical field, and thus is a good case for students to experiment with.

2. Secure software requirements: How can we train software engineers to write requirements for security?

3. Fraud: What is fraud, and how do we protect against it?

4. Professional security: Can we build on professional certification materials, such as ISACA's Certified Information Systems Auditor (CISA) and Certified Information Security Manager (CISM) [6, 7] or (ISC)² CISSP?

This case study is used in a 3-credit Information Security course offered to upper-level Computer Science and Management Information Systems majors and to graduate Computer Information Systems students, as well as in a 2-credit-hour course offered to MBA students. It has also been taught as a 1-credit short course at an international summer school in Europe. The project has developed lecture materials and a hypothetical case study, based on a doctor's office, to help students plan security. Students use a Security Workbook to guide them through the security planning process. They practice with the Health First Case Study, and have worked with not-for-profit organizations as part of community-based learning. The Information Security course was developed from professional security materials.

The case study provides an active-learning or problem-based learning experience, which can be combined with service learning. Students in the 3-credit-hour version of the course did the service learning component after practicing with the case study. For shorter courses, only the case study was used. While shorter courses focus on information security planning (sometimes with a fraud exercise), the full course adds sections on secure software and fraud. This paper focuses on lessons learned from using the security case study across the five different types of courses.

Computer science tends to emphasize problem-based learning, via software development projects or technical problems, rather than traditional case studies. Case studies are nonetheless worthy of investigation. Lu and Wang [8] found that case studies enable student-centered learning by promoting interactivity between students and faculty, reinforcing concepts taught in lecture, and deepening student understanding. Students learn not only to apply theoretical knowledge to practical problems, but also to be creative in discovering solutions.

This paper gives an overview of this teaching case study and the lessons learned from teaching the course to various types of students.

2. CASE STUDY LITERATURE REVIEW
Case studies are popular in business schools, where four types are defined [1, 2]. The most common type, made popular by Harvard Business School, is the 'Discussion' teaching case. A Discussion case provides a story and a decision to be made, has the class consider the possible options, and arrives at an optimal solution. An 'Exercise' case gives a rich word problem to solve. Research case studies are of the 'Example' type, which tells the story of a scenario, a decision, and its effects. In all of these types, the important aspect is the decision. Case studies can also teach a process (e.g., designing security) in addition to decision-making. This rarer type, the 'Walkthrough', provides a 'rich problem solving context used to guide students through a process' [2]. The advantage of the Walkthrough type is that it can introduce security to new students, since it addresses Bloom's taxonomy levels of Comprehension, Application and Analysis rather than the top levels of Synthesis and Evaluation, as Discussion cases do [1]. Our case study is of the Walkthrough type.

A fifth category of 'case study' may be described as technical exercises, which also fit the category of Problem-Based Learning. Case studies in security, for example, have students build attack packets and defend against them with Snort [3], or work through technical mobile security cases on mobile malware, secure mobile coding, cryptography, access control, etc. [4]. In computer science, problem-based case studies have been used to have students work with existing code [18, 19] and practice usability engineering [20]. Our case study combines organizational knowledge with technology, and thus is not a purely technical problem. Whiddett et al. [5] write that lectures are a good way of transmitting intellectual knowledge, but not of teaching the precise skills employers are seeking. To our knowledge, they originated the semester-long 'longitudinal' case study, used before students work on a service learning project. In a longitudinal case study, students work with one case throughout the semester. Wei et al. [13] found that cases help students transition to the workplace by exposing them to diverse situations, thereby enhancing their ability to adapt to new environments and increasing their self-confidence in dealing with the world. Students also improve their communication skills, including listening and persuasion. Our case study is likewise meant to give students real-world experience in security planning.

While literature on 'security case studies' abounds, most of it concerns research-related Example cases. Even most 'teaching case study' research discusses an implementation of security teaching at a university, not how a case study was used in class. Many of the research papers that do discuss teaching case studies used in classrooms are of the single-instance Discussion type. For example, ISACA has a number of security-related, management-oriented Discussion case studies available to academic advocates at www.isaca.org.

Three sets of traditional (shorter) teaching Discussion case studies relate to security management. ISACA provides graduate-level teaching cases [9, 10], which emphasize corporate governance problems related to security management and the COBIT maturity model. However, understanding law, in addition to security technology, is also important for IS security students [11, 12]. Schembari has students debate legal case studies to help them learn about security-related law [12]. Our goal is to educate students in developing security planning skills.

Chinowsky and Robinson [14] stress that case studies enable the interdisciplinary experience that students are likely to encounter in the real world, and they stress the importance of using real-world artifacts in the case study. We did not set out to do so, but found that our case study also exposes students to multiple views. It achieves the interdisciplinary aspect by letting students experience multiple perspectives (the doctors', HIPAA regulation, IT, and financial), including through the use of real artifacts: business documents.

The literature attributes the following characteristics to Discussion case studies: peer-to-peer contributions dominate the discussion; the experience and personalities of the students may color their solution; cases are recognized as being incomplete; and there is no clear 'right' answer [1]. Grandon Gill describes cases as having multiple peaks or optimized points, and many non-optimal solutions [2]. This is true of many real-world projects, but it is a challenge in education, where black-and-white answers predominate. In fact, Whiddett et al. [5] found that while pre- and post-assessments of learning showed gains in understanding, applying knowledge, and working in a team, students' confidence in working in an organization actually decreased slightly, particularly for 'less experienced students'. The authors attributed this to students gaining a more realistic perception of the difficulties of the real world. We have also found that the problem of multiple solutions challenges our students.

Security planning is a system: information security, network security, physical security, risk management, business continuity and incident response all interrelate. To understand these interrelationships, it is useful for students to work with a series of case studies related to one business scenario. This work discusses the implementation of a longitudinal Walkthrough case study that builds skills in security planning.

3. THE CASE STUDY
In the Health First case study, students plan security for a doctor's office, which must adhere to the U.S. Health Insurance Portability and Accountability Act (HIPAA). HIPAA is important in the U.S. because approximately 58% of organizations must adhere to it, and it is representative of regulation concerned with state-of-the-art privacy and security [17]. (Even universities must adhere to HIPAA when they have a nurses' office.) While these teaching materials are freely available, some aspects of the case study solution will need to be modified for use in other countries to reflect national law. Nearly all of the lecture materials and the Security Workbook can be used in other countries without modification, since they are based mainly on professional security principles.

The four aspects of the case study are described in more detail below.

3.1 Information Security Planning
This, the main focus of the case study, helps to train security analysts to plan security for an organization [15]. HIPAA regulates privacy and security in the medical field, and thus is a good case for students to experiment with. Through this law, students learn that security procedures matter, including risk, business continuity, physical security, and personnel security.

Here we provide a brief overview of each case lab. Each case lab is associated with a PowerPoint lecture on the same topic. Labs marked with an asterisk (*) we consider higher priority for shorter courses; they are also the topics most requested by community partners.

Combatting Social Engineering: This potentially-first case lab also introduces students to why security is important. Students read a social engineering case in which a scoundrel tries to obtain his wife's medical records for a divorce case, and succeeds with two phone calls. The point of the case is to develop a procedure to counter social engineering attacks.

Analyzing Risk*: Analyze risk using qualitative and quantitative techniques.

Addressing Business Impact Analysis & Business Continuity*: Define tolerance for lost data and downtime. Design controls to ensure the tolerance is met.

Designing Information Security*: Classify data, defining who can see what and how data is handled per classification.

Planning for Network Security*: Define the required services and where they connect to and from. Compartmentalize network zones and servers, and define controls.

Planning for Incident Response*: Define detection techniques, controls, and procedures to recognize and handle incidents.

Designing Physical Security*: Design security room classifications and controls, addressing both availability and confidentiality. (The PowerPoint lecture is combined with Personnel Security.)

Organizing Personnel Security: Define employee responsibilities and training related to security and security-related matters.

Defining Security Metrics: Define metrics for important risks and methods of measurement.

IT Governance: Planning for Strategic, Tactical, and Operational Security: Define the stages of security implementation and a schedule.

Developing a Partial Audit Plan: Measure compliance with HIPAA policy via an audit plan.

3.2 Secure Software Overview
Systems analysts need to understand security to design a system that conforms to it. A Secure Software Development lecture focuses on integrating security into the Requirements and Design process, and on common attacks left open by insecure design and coding techniques.

Example case labs have students modify a professional Requirements Document to address security concerns:

HIPAA: Including Privacy Rule Adherence in the Requirements Document

Application Controls: Extending Requirements Preparation by Planning for the HIPAA Security Rule

Update Requirements Document to Include Segregation of Duties

In addition, some Information Security Planning case labs include an optional step in which students consider changes to the Requirements Document. One case lab has students work with UML to design requirements-level use cases:

Software Requirements: Extending UML with Misuse Cases

3.3 Fraud Overview
A PowerPoint lecture on fraud introduces what fraud is, including internal and external fraud, and ways to recognize and prevent it. Case labs include [16]:

Developing a Code of Ethics: This is an easy case study that can be used first, to get the class used to working with a case study.

Other case labs concerned with fraud include Update Requirements Document to Include Segregation of Duties, Information Security, Personnel Security, and Incident Response. These are defined in the other categories above and are not repeated here.

3.4 Using the Case Study
We teach the case study as an active learning exercise in class, although it could be used as homework. A PowerPoint lecture is given in the first half of a 3-hour class, and the second half is the active learning exercise. For active learning, students are grouped into teams of 3-4, and each team is provided a computer on which to edit the Security Workbook directly on-line. Every team member should be able to see the display, so the computers are chosen and positioned accordingly.

The instructor provides each student with a copy of the 2-3 pages of the specific case study exercise (or a link to it). The beginning of each case study indicates the corresponding section of the Workbook to work in, which the instructor also announces. Each case study includes a conversation that helps students complete the subsection of the Workbook. The Workbook is retained on the computer so that students can add to it each week, which lets them review previous decisions during later case study exercises.

Very recently, author Susan Lincke has published a textbook that provides a detailed chapter on most of these processes: Security Planning: An Applied Approach, published by Springer.

4. LESSONS LEARNED: DEVELOPING A CASE STUDY
There are two aspects to evaluating a course and its case study: its effectiveness, and student perception. Most of this analysis focuses on student perception. This case study has been used in a course 5 times, including three 1- or 2-credit courses with 4-6 case labs each, and two 3-credit courses with 10-12 topics/case labs each. The two longer courses included a service learning project, which used the Workbook to help actual small businesses plan security. The three
51

shorter courses included a substantial number of international students. While most courses were taught to undergraduate computer science and MIS majors, and/or graduate CIS majors, one course was taught to MBA students.

The three areas that the improvements are categorized into include:   

4.1 Course Effectiveness An excellent test of whether the teaching effectively helps students transition to the workplace, is whether students can work with a community partner on a real project, after practicing with the case study. Undergraduate students used the Workbook to work with small business management in our community. The instructor led the students for one visit to the community partner if students had IS/IT experience, or participated twice (of 6 visits) if they had no experience.

Leading the Walkthrough Case Study The Importance of Motivating the Student Developing a Case Study

4.3 Leading the Walkthrough Case Study Two goals of leading a longitudinal walkthrough case study is to ensure students are actively engaged, and that students are not confused (providing poor ratings). Leading the case study the right way can get students off to a quick and confident start. Many of these recommendations are from our observation of student behavior, and help to make running the labs easier. There were fewer questions, and students are busy right from the lab start.

At the end of the semester, we asked students and community partners about their experiences. The semester’s work was rated highly by the community and students. Of our five community partner organizations that used this Workbook with student guidance, 100% were Very Satisfied with “The Quality of Students’ Work”. During our last year, students agreed/strongly agree (100%) or strongly agreed (28.6%) with the statement: “I felt that the community project I did through this course benefited the community partner’s organization.”

0.8 0.7 0.6

Another measure of effectiveness is the number of students (and one instructor) who passed either the CISA or CISM exam after taking (or teaching) the course. I am aware of 3 people who took the exam, after additional work with ISACA’s question database. All three passed – two the CISA, and one the CISM.

2009‐3

0.5

2010‐1

0.4

2011‐3 2012‐1

0.3

4.2 Student Perception

MBA‐2

An evaluation tool measuring student perception was used weekly for each case lab in each course. Each case lab was evaluated with two questions, which students rated with a 5-point scale, from Strongly Agree (SA), Agree (A), Neither Agree Nor Disagree (NAND), Disagree (D), and Strongly Disagree (SD). Students could also provide comments. The two questions included:

0.2

2013‐3

0.1 0 SA



I feel I have a solid understanding of the course material from the past week  I understood what was expected as part of the case study exercise, and it helped me to learn the material. The ratings for each case lab were calculated, and the average ratings per semester were averaged, and analyzed. Improvements to course materials were made each summer. The ratings for the two questions very similarly ranked by students; thus, for simplicity we will only discuss scores for the question relating to the case study. Course averages for percentage of students ‘agreeing’ or ‘strongly agreeing’ “that the case study helped them learn the material” ranged between 54% and 90%. Thus, the case lab ratings are more consistent by course, than by case lab. In other words, case lab ratings are not consistent across courses, but a course is fairly consistent across labs – with a few exceptions, which will be noted. Thus, this discussion will focus mainly on the differences observed between courses for average case lab results.

A

NAND

D

SD

Figure 1. Results: The case study helped me to learn the material Organizing the case study also helps in student understanding. These recommendations eliminate negative comments and reduce the ‘Neither Agree Nor Disagree’, ‘Disagree’ and ‘Strongly Disagree’ ratings. However, they seem to have no effect on increasing the number of ‘Strongly Agree’ ratings. Start focused and easy. The first case study is always confusing to the students. It should be very easy, to build comfort and confidence in working with a case study. Early case studies should focus on that week’s lecture materials. Toward the end of the semester, the focus can be more general and complex (integrating multiple concepts). Give students only the materials they need. One instructor told me that when he provides the full case study and full workbook, students get lost as to where they should be working. I provide a paper copy of the case lab separately (not as a full document), but provide students the full Workbook to edit directly and electronically. I also keep binders of relevant information in the lab and distribute one per group, but only when necessary: HIPAA lecture and Requirements Document. Except for the first week, there is little confusion.

This section describes the actions that were taken, and the results that were observed in average ratings and comments. In some cases, later courses rated lower than earlier courses. The distribution of ratings for each category (SA, A, NAND, D, SD) for each course for Question 2 are shown in Figure 1.

Explain complex material well. Initial low rankings for case labs are often due to insufficient explanation during lecture on the

52

The service learning component rated highly with undergraduate students: quantitatively, when students rated the impacts of service learning versus the case study on their learning, service learning rated higher. However, in a qualitative analysis with an independent reviewer, students recognized the benefit of the case study in preparing them for working with a community partner: “It was a good test drive”. “Gave you a guideline for working with your partner.”

topic. With difficult technical labs (on network security), rankings started off as low as 2.3-2.4. These had a considerable number of ‘Neither Agree Nor Disagree’ and ‘Disagree’ rankings. Other case study instructors have also indicated the need to clarify concepts in lecture and/or add preliminary exercises to better prepare students for an authentic case. [18, 19]. Start the exercise as a full-class discussion. When students started the case study in groups, students would read silently and the class would appear inactive. Starting the case study as a fullclass discussion means having students read parts out loud, and then the instructor can guide the direction of the initial discussion. The lecture also has introductory slides to the case study, too. Doing the case study is possible as homework (instead of as an active learning exercise) but may be more difficult. Again, starting the exercise in class helps by giving students a chance to ask the instructor questions.

Show computer scientists how security planning relates to software development. When comparing the ‘Agree/SA’ weekly case study scores for mainly undergraduate computer students (86%, 80%, 75%, and 57%) versus MBA students (90%) it appears that computer students needed to be better sold on the case study compared to MBA students. In part, one explanation is that MBA students view cases as a normal way of learning, unlike computer science students. Since most computer science students plan to become programmers, they appear to not relate as well to security planning at the organizational level. To counter this, CS students were assigned cases to modify a Requirements Document as homework. In the first year of this assignment, many students rated this aspect higher than the organizational security aspects – but not all students (presumably IT-oriented). In contrast, there did not appear to be a pattern of CS students preferring technical labs over procedural (audit, social engineering).

Provide easily-accessible details and examples. Provide details of your lecture on-line or within the case study (just as it is needed). I provide examples and details in the on-line PowerPoint lecture, and have observed that students referred to these examples. The lecture and newly written text provide an example education-related case study solution for many of the Workbook case study tables. Explain that case studies have multiple correct answers. ‘Authentic’ problems have increased complexity, which undergraduates are uncomfortable with. Since time in the lab is too short to develop a perfect answer, we have each student team contribute part of their answer at the end of each lab. This way, the best ideas are highlighted. Students do not feel they need to have completed the full correct answer. The instructor shows a complete answer, but explains that multiple correct answers exist, and that the demo answer has been improved from previous student teams.

Recruit students with work experience. The two courses with the highest average weekly ‘Agree/SA’ ratings, and the largest number of ‘Strongly Agree’ ratings had entirely or a few graduate or full-time-employed undergraduate students. (See Fig. 1.) Their enthusiasm for the case study may have had an effect on other undergraduate students (when undergraduates were in the course). Therefore, we prefer to run this course in the evening, when working and graduate students are more likely to sign up.

Help international students. Providing a dictionary of technical vocabulary with translations from English to student languages received positive comments on weekly evaluations. Foreign students struggling with language problems will indicate so in the comments, but do not seem to give lower rankings for the case labs. Also, standardizing the language in the case study helps student understanding. For example, standardize on ‘service’ instead of using multiple words: ‘service’, ‘business function’, ‘application’, etc.

4.5 Developing a Case Study If you wish to develop your own case study, these recommendations can eliminate negative comments and low ratings. Don’t assume students understand the business environment. Do not be surprised when undergraduate students do not understand the basics of the business environment. Students prefer not to make up story facts for a lack of case study detail (although it is not possible to provide all facts). Periodically check in with each group to uncover misunderstandings.

4.4 The Importance of Motivating the Student Making the topic relevant appears to have a major effect on weekly ratings, particularly in moving students into the ‘Agree’ and ‘Strongly Agree’ categories.

Fact-check the case study. Even if you understand the case fairly well, getting professional advice can ease frustration for the rare students who have some experience with your case business and expect your story to match theirs’.

Demonstrate why the topic is important. Two ways to engage students include: adding a service learning component, and setting a context for the course. In every course except one (2012-1), the first lecture was on the HIPAA regulation. The HIPAA lecture demonstrates that all the course topics were required to adhere to this regulation. The one course, 2012-1, where the HIPAA lecture did not occur first (or at all) had the lowest case study ‘Agree’ rating of 54% compared to a range of 75-90% for all other courses. This course also had the highest ‘Neither Agree Nor Disagree’ rating.

Describe any technology well. Security texts tend to be theoretical and difficult to apply. Therefore including example solutions for another domain can help students apply the material. Dr Lincke wrote a book to guide students through the solution process: Security Planning: An Applied Approach, published in 2015 with Springer. This book provides an example detailed case related to the fictitious Einstein University. Test and rewrite the step-by-step procedural guide for multistep case study labs. Provide definitions and instructions just when they are needed in the procedural lab of the Workbook. This also enables students to be competent in their communitybased service learning exercise (with initial instructor assistance).

Service Learning appears to have a positive effect on case study ratings. Undergraduate courses with service learning had average ‘Agree/SA’ ratings of 80% and 84%, compared to 75% and 54%.

53

Many factors may have affected our results: two instructors taught many different students. However, both instructors used the same lecture materials, and all case study labs were taught by one instructor. Although our results are for one particular case study, many of our findings seem to be consistent with other case study situations at other universities. One other study shows a Student Perception trend similar to Figure 1 2012-1 [20]. Another author remarked: “This case study is not for the faint of heart, but we believe that the extra time and effort needed to teach it are justified. Our students demonstrate knowledge and skills over a variety of topics that otherwise they would not have been exposed to. We also observed that subsequent assignments of this size and difficultly are not so overwhelming [19].” We hope that the iterations that we have gone through have refined our lecture materials, workbook, and case study and solution, so that an instructor trying the materials will find it relatively easier to work with!

5. ACKNOWLEDGMENTS

The development of the Security Workbook, lecture materials, and Health First Case Study was funded by the National Science Foundation (NSF) Course, Curriculum and Laboratory Improvement (CCLI) grant 0837574: Information Security: Audit, Case Study, and Service Learning. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the NSF.

6. CONCLUSION

This paper has two purposes. The first is to introduce a longitudinal security case study that can be used to train computer science, CIS, MIS, health, and MBA students in information security. It includes aspects of security planning, security software requirements, fraud, HIPAA, and information and network security.

The second important aspect of this paper is assessment. We conducted an evaluation of student perceptions across the development of the case study. These results provide sample statistics and resulting guidelines for preparing and using a longitudinal case study. We also integrate findings from unrelated teaching studies.

7. REFERENCES

[1] Gill, T. G. 2011. Informing with the Case Method. Informing Science Press, 1-12.

[2] Gill, T. G. 2013. Case Method Workshop. USF College of Business, July 22-25, 2013.

[3] Trabelsi, Z. and Ibrahim, W. 2013. Teaching Ethical Hacking in Information Security Curriculum: A Case Study. IEEE Global Engineering Education Conference (EDUCON). IEEE, 130-137.

[4] Guo, M., Bhattacharya, P., Qian, K., and Yang, L. 2013. Authentic Learning of Mobile Security with Case Studies. Frontiers in Education Conference. IEEE, 1519-1521.

[5] Whiddett, R. J., Handy, J. A., and Pastor, J. L. 1997. Cross-Sectional Case Studies: Integrating Case Studies and Projects in I.S. Management Education. ACSE ’97. ACM, 52-58.

[6] ISACA. 2009. CISA Review Manual 2010. Arlington Heights, IL. http://www.itgovernance.co.uk/products/1403.

[7] ISACA. 2009. CISM Review Manual 2010. Arlington Heights, IL. http://www.itgovernance.co.uk/products/1402.

[8] Lu, S. and Wang, Y. 2009. The Research and Practice of Case Teaching Method in Computer Curricula for Undergraduates. Proc. 2009 4th International Conf. on Computer Science and Education. IEEE, 1460-1463.

[9] ITGI. 2007. IT Governance Using COBIT® and Val IT: Student Book, 2nd Ed. IT Governance Institute, Rolling Meadows, IL. www.isaca.org.

[10] ISACA. 2010. Information Security Using the CISM® Review Manual and BMIS™: Caselets. Rolling Meadows, IL. www.isaca.org.

[11] Katerinsky, A., Rao, H. R., and Upadhyaya, S. 2010. Harsh Realities 101 - Augmenting Information Assurance with Legal Curricula. Proc. 14th Colloquium for Information Systems Security Education (CISSE). www.cisse.info.

[12] Schembari, N. P. 2010. An Active Learning Approach for Coursework in Information Assurance Ethics and Law. Proc. 14th Colloquium for Information Systems Security Education (CISSE). www.cisse.info, 1-8.

[13] Wei, H., Xin, C., and Ying, H. 2010. Non-computer Professional IT Education in the MBA Model. 5th International Conf. on Computer Science & Education. IEEE, 612-614.

[14] Chinowsky, P. S. and Robinson, J. 1995. Facilitating Interdisciplinary Design Education Through Case Histories. 1995 IEEE Frontiers in Education Conf. IEEE, 4a3.6-4a3.9.

[15] Lincke, S. J. 2012. Planning Organizational Security: The Health First Case Study. 13th Annual Conf. on IT Education (SIGITE).

[16] Lincke, S. J. and Green, D. T. 2012. Combatting IS Fraud: A Teaching Case Study. Americas Conference on Information Systems (AMCIS), Aug. 2012.

[17] Computer Security Institute. 2009. 14th Annual CSI Computer Crime and Security Survey Executive Summary. GoCSI.com, Dec. 2009, p. 2.

[18] Clancy, M. J. and Linn, M. C. 1992. Case Studies in the Classroom. ACM, 220-224.

[19] Robbins, K. A., Key, C. S., and Dickenson, K. 2002. Integrating a Simulation Case Study into CS2: Developing Design, Empirical and Analysis Skills. SIGCSE ’02. ACM, 391-395.

[20] Rosson, M. B., Carroll, J. M., and Rodi, C. M. 2004. Case Studies for Teaching Usability Engineering. SIGCSE ’04. ACM, 36-40.
