Privacy and Security A Pedagogic Cybersecurity Framework

4 Pages Posted: 1 Nov 2018

See all articles by Peter Swire

Peter Swire

Georgia Institute of Technology - Scheller College of Business; Georgia Tech Institute for Information Security & Privacy; Cross-Border Data Forum

Date Written: October 1, 2018


“Real” cybersecurity today devotes enormous effort to non-code vulnerabilities and responses. This essay proposes a Pedagogic Cybersecurity Framework (PCF) for categorizing and teaching the jumble of non-code yet vital cybersecurity topics. The PCF adds three layers beyond the traditional seven layers in the Open Systems Interconnection model. In the framework, Layer 8 is organizations, often studied in business schools. Layer 9 is government, often studied in law and public policy schools. Layer 10 is international, often studied in international relations programs.

The PCF creates a 3x3 matrix that refines which institutions are involved in each area of cyber-vulnerability or response. Each of the three columns refines the sorts of institutions making the decisions. For each layer, Column A contains issues arising within the institution - the organization or nation. Column B contains issues defined by relations with other actors at that level. Column C contains issues where other limits arise from actors at the same layer of the stack.

For students, the PCF provides context for how all the issues fit together, to ensure they understand the “big picture”. The framework also clarifies the scope of a cyber-curriculum. Some classes, for instance, focus primarily on how a CISO or company should manage a company’s risks (layer 8). Others are mostly about international affairs (layer 10), perhaps with discussion of national cybersecurity laws (Cell 9A). The PCF enables program directors and students to concisely describe the coverage of a cybersecurity class or curriculum.

The 3x3 matrix clarifies a research agenda for those seeking to identify and mitigate non-code cyber problems. Researchers can develop an issue list for each cell, along with canonical readings to assign in general examinations. For cybersecurity practitioners, the sheer volume of issues identified in the 3x3 matrix drives home the growing significance of non-code issues – bad decisions in any part of the matrix can negatively affect cybersecurity.

In sum, the PCF provides a parsimonious way to identify and develop a response to the growing number of non-code cyber risks. The 3x3 matrix visually categorizes and communicates the range of non-code cybersecurity issues. No longer can “real” cybersecurity refer only to technical measures. Instead, a large and growing amount of cyber-risk arises from problems at layers 8, 9, and 10. By extending the stack to these ten layers, we gain an effective mental model for identifying and mitigating the full range of these risks.

Suggested Citation

Swire, Peter, Privacy and Security A Pedagogic Cybersecurity Framework (October 1, 2018). Georgia Tech Scheller College of Business Research Paper No. 18-42, Available at SSRN: or

Peter Swire (Contact Author)

Georgia Institute of Technology - Scheller College of Business ( email )

800 West Peachtree St.
Atlanta, GA 30308
United States
(404) 894-2000 (Phone)

Georgia Tech Institute for Information Security & Privacy ( email )

Atlanta, GA 30332
United States

Cross-Border Data Forum

Do you have a job opening that you would like to promote on SSRN?

Paper statistics

Abstract Views
PlumX Metrics