Does 'Network and Computer Security' touch on some of the high profile cases of hacking such as the US Department of Justice and the IRS?
Yes, to an extent. Security has two components to it: one is the technology, which is really what that part of the MOOC is all about. We can't, in a MOOC, talk about absolutely everything, so the focus here is on the technical defence.
Cryptography provides the nuts and bolts, if you like, of the security solution. ‘Network and Computer Security’ is very much about what you'd then assemble, using cryptography and other things. That is related to hacking, I suppose, because hackers will exploit flaws, errors, weaknesses in network defences and in computer defences.
These modules talk about the principles of doing these things properly. But if there are cracks in the machines that are built, then obviously they provide potential avenues in for hackers.
A much more powerful way for hackers to get into systems, even secure systems, is to exploit the people that are using the systems. You could have an excellently defined system with superb encryption and superb network protection, but if one of the users of that system gets threatened with a lead piping then you may lose all your security.
These weeks are about technically defending networks and computers. We just have to keep in mind that there are other routes in and that there's a human side of things.
Is the seeming ability of hackers to steal and sell a company's data becoming an increasingly worrying trend?
Yes, it is a worrying trend, but we do all our business in cyberspace now. That's where life happens, and so that's where crime happens, so we shouldn't really be too surprised. Criminality and people attempting to exploit systems are really just going where the action is, and we've moved it there by doing everything in cyberspace.
What's weird about cyberspace is you can conduct bad activities remotely, you can sit in London and attack a server in New York or Bangladesh. And the other thing is that it's relatively low cost.
But there's a whole layer above this, which I think is fascinating, which is that what we probably have not yet fully understood is, let's say, the psychological changes: cyber bullying, for example. There's a habit of putting 'cyber' in front of traditional crimes, 'cyber theft', 'cyber fraud', and so on. But it's not that straightforward, because these are in some sense similar to things we've understood before, but in some sense they're new and people will conduct crimes and attacks for different kinds of reasons. And possibly people who, for example, would never conduct a fraud or robbery in the physical world might be willing to attempt one in the cyber world because they almost psychologically don't accept it as theft or robbery. You can see highly intelligent and honest citizens around the world who would never walk into a Virgin Megastore and steal a CD, but are quite content and even proud of their ability to rip music off the internet.
The week 4 'Security Management' module includes videos on 'Security Controls', 'Security Policies' and 'Risk Assessment'. Are there international laws and standards relating to Security Management?
Yes, absolutely. Best practice guidelines, international standards, all sorts of regulations – just as there are for financial audit and control requirements. There are some very well-respected standards that large organisations really should follow, and most of the good ones do.
The UK government has had a very big cyber security strategy over the last five years, and one of the things they did as part of that was try to bring out a 'lite' security management guidance for smaller organisations. They realised that a lot of the stuff that was around was targeting the big corporates who can afford to build a huge management system for their security. So there's a focus now to help smaller organisations. A big focus of attacks now is on SMEs because they tend not to be well defended at all, so they're now quite a big target for cyber crime.
What happens in the final week of the MOOC?
It was decided that the MOOC wouldn't just be an introduction to the subject, but that there’d be an attempt to indicate where people could go with a career in information security.
Depending on people's skills, there's a whole range of things they can do. Almost any organisation now deals with cyber space, so needs to be aware of cyber security. We're seeing students on the MSc course going into almost every sector: telecommunications, the NHS, medical, government, almost any corporate environment you can think of.
And then, on the other side, you've now got an enormous cyber security service sector, serving that need - organisations building and selling cyber security technology and services - and a vast and increasingly expanding cyber consultancy sector. Almost all of the big accountancy firms such as KPMG and PwC have huge cyber security teams and are actually doing a lot of security advice, audits, testing and forensics.
In some sense, everybody needs security expertise, and large organisations will want to employ people who have such expertise, but you've also got this huge sector providing cyber security services to meet that demand.
I suppose you could argue a third layer is government: the national policy makers provide a third big tier, people who are involved in defending nation states or in setting policy. Quite a lot of our students, who come from around the world, are working for their governments or their military. That's a third swathe of activity.
In terms of the overview that the MOOC provides, do you hope to attract learners on to the MSc?
We'd be absolutely delighted if people who were not considering following the MSc still got something from this MOOC. The world generally lacks understanding about these issues, and everybody needs to know a little about information security. They maybe don't all need to know about encryption or what a firewall is, but everybody on the planet needs to know a little bit about cyber security, and everybody would benefit from understanding the principles being talked about here. It would help keep them secure in cyber space and they will get something useful for their daily lives.