Privacy and Security A Pedagogic Cybersecurity Framework

4 Pages Posted: 1 Nov 2018

Peter Swire

Georgia Institute of Technology - Scheller College of Business

Date Written: October 1, 2018

Abstract

“Real” cybersecurity today devotes enormous effort to non-code vulnerabilities and responses. This essay proposes a Pedagogic Cybersecurity Framework (PCF) for categorizing and teaching the jumble of non-code yet vital cybersecurity topics. The PCF adds three layers beyond the traditional seven layers in the Open Systems Interconnection model. In the framework, Layer 8 is organizations, often studied in business schools. Layer 9 is government, often studied in law and public policy schools. Layer 10 is international, often studied in international relations programs.

The PCF creates a 3x3 matrix that refines which institutions are involved in each area of cyber-vulnerability or response. Each of the three columns refines the sorts of institutions making the decisions. For each layer, Column A contains issues arising within the institution - the organization or nation. Column B contains issues defined by relations with other actors at that level. Column C contains issues where other limits arise from actors at the same layer of the stack.

For students, the PCF provides context for how all the issues fit together, to ensure they understand the “big picture”. The framework also clarifies the scope of a cyber-curriculum. Some classes, for instance, focus primarily on how a CISO or company should manage a company’s risks (layer 8). Others are mostly about international affairs (layer 10), perhaps with discussion of national cybersecurity laws (Cell 9A). The PCF enables program directors and students to concisely describe the coverage of a cybersecurity class or curriculum.

The 3x3 matrix clarifies a research agenda for those seeking to identify and mitigate non-code cyber problems. Researchers can develop an issue list for each cell, along with canonical readings to assign in general examinations. For cybersecurity practitioners, the sheer volume of issues identified in the 3x3 matrix drives home the growing significance of non-code issues – bad decisions in any part of the matrix can negatively affect cybersecurity.

In sum, the PCF provides a parsimonious way to identify and develop a response to the growing number of non-code cyber risks. The 3x3 matrix visually categorizes and communicates the range of non-code cybersecurity issues. No longer can “real” cybersecurity refer only to technical measures. Instead, a large and growing amount of cyber-risk arises from problems at layers 8, 9, and 10. By extending the stack to these ten layers, we gain an effective mental model for identifying and mitigating the full range of these risks.

Suggested Citation

Swire, Peter, Privacy and Security A Pedagogic Cybersecurity Framework (October 1, 2018). Georgia Tech Scheller College of Business Research Paper No. 18-42. Available at SSRN: https://ssrn.com/abstract=3276887 or http://dx.doi.org/10.2139/ssrn.3276887

Peter Swire (Contact Author)

Georgia Institute of Technology - Scheller College of Business

800 West Peachtree St.
Atlanta, GA 30308
United States
(404) 894-2000 (Phone)
