An Institutional Risk Reduction Model for Teaching Cybersecurity

Abstract

This work presents a model for reviewing the risks of institutions teaching cybersecurity. The work is based on efforts in this direction at Regis University and Adams 12 Five Star Schools in Colorado. These two institutions are described in a comparative case study reviewing the following four aspects of addressing risk: policy, adjudication, infrastructure protection, and curricular boundaries. The model is presented in a generalizable framework to facilitate risk analysis across the education of children in public schools, university level education, and professional development programs. This framework is not intended to supplement a traditional threat analysis program and not replace it. In addition to the specialized risks addressed here, institutions teaching cybersecurity are often perceived as potential targets for adversaries because of the schools as a pipeline to cyber defense activities, and because institutions teaching cybersecurity are part of societal long-term cyber defense strategies that confront criminal, nation state, and activist threats.