Students aim to peer into the mind of the cyber thief

For such a specialised area of knowledge, one with which only a handful of people within an organisation are likely to be familiar, information security or, as it increasingly known, cyber security, has huge importance. Nobody spares the subject a second thought – until something goes embarrassingly wrong. In 2011, Sony share prices fell by 4 per cent after the company admitted that the personal details, including credit card information, of more than 25 million PlayStation users might have been stolen by cyber-hackers. Similar scandals have befallen many other organisations, with red faces in boardrooms and, often, a hefty bill to pay cleaning up the mess. There has never been a better time to add a masters degree in information security to your CV and, at Royal Holloway College, part of London University, demand for such courses, once seen as very esoteric, has never been higher. The reputational damage suffered by companies perceived as lax in their approach to data protection has led to a re-assessment in priorities. In 1992, when London launched its MSc in Information Security, it was the first university in the world to offer a postgraduate course in the subject. In the 20 years since, others have followed its lead, but London remains a world-respected centre of excellence, its qualifications highly sought. Some students study on campus, but an increasing number are distance-learners, doing a full-time job, anywhere from Melbourne to Toronto, while enrolling for the masters course through London University’s international programmes. There are nearly 50 doing the £12,250 course at any one time, taking between two and four years to complete studies. Some of the overseas students come to London to attend a summer school, but the course does not otherwise involve face-to-face teaching. Instead students are inducted into the university’s virtual learning environment, taking part in tutor-supported online seminars and discussions. There is a lot of offline reading and course work to plough through – the course is modular and students take it at their own pace – but if it is long lonely slog at times, students are not working entirely in the dark. A “virtual student cafe” enables them to interact and network with other students, share insights and support each other during the distance-learning process. “I wouldn’t like to generalise about a typical student on the masters course,” says Prof Keith Martin, who heads the Information Security Group at Royal Holloway. “Mainly they are in their thirties or forties, with some hands-on work experience behind them, but they come from every continent and work in sectors ranging from finance and telecommunications to the public sector. Some are high-fliers, targeting board level positions and wanting to buttress their CVs with a new qualification. Others are IT specialists, looking to work as consultants.” What they share is an appreciation that, in the high-risk and increasingly complex world of information security, where small slip-ups can have large consequences, there is a premium on fully qualified professionals who have mastered their brief. “Information security threats tend to fall into two distinct categories,” Prof Martin says. “There is the threat from cyber-hackers deliberately attacking an organisation from outside. Organised crime is becoming increasingly sophisticated in its methods. And, just as importantly, there is the threat from within, failure to keep vital information secure, often through carelessness rather than deliberate malpractice.” Government departments are often the worst offenders in this respect. There have been a string of high-profile information security lapses in Whitehall, including the loss of a database containing the details of 25 million child benefit claimants and the loss of an unencrypted Ministry of Defence laptop, containing 620,000 personal records, including bank accounts. “It has become increasingly common for staff to take vital information out of the office, perhaps on a memory-stick, a laptop or their mobile phone,” Prof Martin says. “The challenge for organisations is how to control their own assets and set in place systems that reduce the risk of leaks.” At the heart of information security controls is cryptography, a subject on which Prof Martin, author of Everyday Cryptography, is an acknowledged expert. “It is a highly specialised field in some respects, but at the end of the day, machines are operated by human beings. Whatever widgets are used, all organisations need to have properly qualified employees who know how to turn security protection systems on and off.” Cryptographic mechanisms, and how they are used in the protection of computers and their networks, play an integral part in the masters course, which is geared to be commercially relevant. The programme ranges over the entire breadth of the subject, from the day-to-day management of security to the particular threat posed by computer crime. There are modules covering network security, database security, secure electronic commerce, the use and misuse of smart cards, and digital forensics – the collection and storing of the evidence needed to take cyber-hackers to court. Students are not just learning more about computer systems: they are trying to think their way into the minds of people trying to penetrate and subvert those systems. A dry-seeming subject also encompasses some of the elements of a fast-moving thriller, a game of cat-and-mouse between holders of confidential information and criminals desperate to get hold of it. The breadth of the course is underscored by the range of topics that students choose for their dissertation, a compulsory element in the programme. Recent topics include security awareness and behaviour, “fuzzy logic”, deep network security such as BGP-4, the motivation and behaviour of attackers, security architectures, and poor coding and vulnerabilities. The course would not appeal to all students: many will continue to prefer the greater breadth of a traditional MBA. But if it is a niche academic field, its relevance to the working world cannot be disputed. “If you were creating an ideal board from scratch, you would certainly have a chief information security officer on it,” Prof Martin says. “The importance of information security has not always been appreciated in the past but, in a fast-changing world, more and more organisations are getting wise to it.”