A Study of the UK Undergraduate Computer

Science Curriculum: A Vision of Cybersecurity

Rodrigo Ruiz[0000-0003-1644-3933]
DICSI/NSSI
CTI Renato Archer, Rodovia Dom Pedro I (SP-65), Km 143,6 - Campinas, SP, Brazil - ZIP 13069-901
rodrigosruiz@outlook.com

Abstract: When the content is not written in the discipline

syllabus, it is possible that it will not be taught. In this work, the
author has investigated 100 computer science undergraduate II. LITERATURE REVIEW
courses in the UK, to assess the capability of the software
developers in the Country to create secure pieces of software.
Besides that, to evaluate to which extent the UK Engineering Some years ago, computers were operated by highly
and System Design students are being taught about the specialized people in data processing offices. Today, many
relevance of considering security issues when developing educators and politicians think that all of our children need to
software or if this subject is treated as just an optional element know computer programming. A list of countries that plan to
at the end of their professional education. include compulsory learning on Computer Science in
Keywords: Cybersecurity; Computer Science; secondary education or under, highlight how the
Undergraduate; Human Factors; Teaching; I.T. Education. encompassed disciplines are being taught at an increasingly
earlier age. This list includes Austria, Australia, Finland,
France, Germany, Ireland, Italy, Japan, Lithuania, Portugal,
I. INTRODUCTION Republic of Korea, South Africa and Spain [3].
When one thinks about teaching computer programming
According to the Global Risk Report 2018 [1], for the to children and adults he/she must consider how they will be
first time in a decade, we have two technological features
educated to develop secure software. The European
threatening the global economy: cyberattacks and data fraud
being the top five most likely global risks, abreast with Commission has published a report that proposes levels of
natural disasters, extreme climate events and the failure to knowledge about cybersecurity, suggesting what each
mitigate climate change. Recognizing such technological student needs to know in three phases: beginner,
threats is important and represents the first step towards intermediate and advanced levels [4].
improving security in cyberspace. If the aim is to teach secure programming to the
youngsters, it´s necessary to make sure the future teachers of
Considering that people develop all technology, human
Computer Science are being prepared during their
factors are the principal issue in the context of abusive
undergraduate courses to learn how to teach their future
communications and faulty software since the 1970s.
pupils about secure software development. It´s to say, how
Moreover, the technology is not the main cause of data
one can design a piece of software, taking into account since
leakage. Sometimes, users are influenced by sophisticated
the very beginning, security concerns.
marketing campaigns, that reaffirm the quality of products
According to Professors Moufida Sadok and Peter
and services.
Bednar, an excessively technical focus is one of the main
If cybersecurity is on the international agenda, it makes
reasons why there are deficiencies in cybersecurity [5]. If
sense to ask whether our people are prepared to tackle this
technology is only a part of the problem, why does society
topic. According to HESA [2], there were 79,480 students
pay only and too much attention to the technical side of the
enrolled on Computer Science courses in the UK in 2016/17.
problem?
This work investigates whether UK graduate students are
“While information security risks have
being prepared to develop secure programs for the society.
involved and financial costs of cybercrime
In order to do this, the author has analysed the curricula of
have increased, security practices and
UK computer science courses.
strategies have not adequately kept up with
It´s worth mentioning that this work is not looking
dynamic and challenging attacks that are
specifically at cybersecurity courses. Professionals working
highly complex and difficult to detect.” [5]
in this field are rather as firefighters who extinguish flames
Conversely, are security problems caused by the high
in buildings (or, in this case, into the cyberspace) made
costs of maintaining security?
according to security standards. Rather, this work analyses
Human factors are discussed by [6] and they work present
the education of UK students who are responsible for
two cases on security incidents caused by human factors in
developing software based on cybersecurity standards.
two financial organizations, also mentioning the relevance
of education in information security. [6]
A careful assessment of the current actual privacy and
cybersecurity issues and the pleaded/alleged solutions
offered by software vendors, [7] [8] [9] [10] raises doubts When a trainee configures TrueCrypt or similar software
about vendors’ promises. The privacy as advertised is not for a business person, politician, high-ranking military or for
provided. Typically, they recommend the developers to a researcher, installing the piece of software with the
explicitly alert the users of their products about the password “123”, the user is advised to change it to a “strong
limitations of private browsing functionality. password”. As this procedure is commonplace [21] [22]
Moreover, cybercriminals are capable enough toclone [23], billions of dollars’ worth of data may be in the hands
passwords from Internet users. A survey conducted by of the trainee. The way to gain access to the new data with
Insight Express and Cisco [11] draws attention of the IT the old password is to change the values in the reader of the
professional’ perceptions about data loss incidents in container file. Similar problems have been identified by
companies and gives solid supporting arguments reinforcing Symantec Encryption Desktop [16].
the importance of protecting companies’ sensitive The typical Internet user enters his/her credentials many
information: times a day. Logging into social media at the same time for
“70% of IT professionals believe the use of maintenance purposes exposes their daily routine. The same
unauthorized programs responds for as many is true when using an intranet and other web-based private
as half of their companies ‘data loss systems in the workplace. Personal credentials enter the e-
incidents’.” [11] commerce domain when a user buys flowers, food, vehicles
“44% of employees share work devices and company shares on the New York Stock Exchange, or
with others without supervision.” [11] takes part in home banking to pay bills and/or to make other
“39% of IT professionals said they have bank transactions.
dealt with an employee accessing When all common users are affected, the bulks gain
unauthorized parts of a company’s network or global proportions. The research in this field focuses on the
facility.” [11] treatment of user login information (usernames and
“46% of employees admitted to transferring passwords) by major service provider websites, such as
files between work and personal computers search sites, home banking, e-mail and e-commerce, in
when working from home.” [11] which clients input important personal details), and on how
“18% of employees share passwords with these websites manage their users’ passwords. Many
co-workers. That rate jumps to 25% in China, different bank and retail websites have been tested and
India, and Italy.” [11] found to be vulnerable to password leakage.
Those figures testify how relevant is the human factor as As far as authentication problems are concerned, [24] it’s
the big problem in cybersecurity. Surveys like this one worth consider three categories of attack. In the first one,
carried out by the DSS Company [12] are very common and known as existential forgery, an attacker can forge an
normally high lighten special product features. The authenticator for some unspecified user, which means that
aforementioned research reveals the existence of an he/she cannot target one specific user. In the second, known
environment that is dark and uncertain. Moreover, as selective forgery, a specific user can be targeted. In the
manufacturers often exaggerate with promises of highly third and final category, known as total break, an attacker is
efficient protection, sometimes beyond the scope of real able to recover the user key and can therefore build valid
security. Under certain circumstances, this assurance can authenticators at his/her will.
hide threats, it´s to say, are misleading. Some faults are In addition, [25] It´s also important to analyse a vast class
difficult to detect, such as enabling revoked users in crypto of information about the navigation activities that browsers
systems. Also, research institutes are attacked by hackers save onto the hard-disk. Credentials were found in the form
due to the nature of this activity. of clear text in non-volatile memory. When the respective
According to statistics from the Russian information site failed to hide its login data, it’s possible to extract the
security certification system, about one third of the pieces of password. This occurred with all browsers tested by the
software tested exhibited vulnerabilities during a two-year author of the present paper, which means that, independently
study. [13] Recent publications about failures in many of the browser, Gmail, Amazon, eBay, Hotmail, and the
cryptographic application systems expose the level of access Santander, Caixa and Citibank websites showed the same
to private data. According to [14], [15] and [16] it´s not vulnerability [26].
known how failures can compromise information security Investigations into cryptographic programs, web browsers
and people’s privacy. and web credentials have shown that the credential
It is possible to confirm that attackers can gain full access management, security and privacy protection measures are
to encrypted files, enabling credentials to be revoked. For currently at a poor level. Meanwhile, investigations in to
that purpose,, a wide range of cryptographic software has “in-private navigation” shows that the “privacy software”
been tested, including TrueCrypt [17], VeraCrypt [18], does not, in fact, gives the adequate privacy to the user.
GhostCrypt [19] and PGP Symantec Encryption Desktop Many researchers have focused on the technologic aspects
[20]. All TrueCrypt deviants provide a unique password that of those cases, such as flaws in the code written or project
grant user access to data. The problem, however, is that it errors. Some studies the environment found in companies
doesn’t matter how many times the user changes the and governments, while others point out that the process can
password, for each one always open the container and be corrupted. While all of them are correct in their
expose the data. conclusions, it is necessary to find the common factor in all
these situations.
 The technology already promises quantum cryptography; curriculum for teaching programming to teenagers [31].
but, if vendors and users continue to manage credentials Unfortunately, no security or privacy aspects have been
they are doing today, it will be like a locked car with the car considered so far.
key forgotten in its door lock. What can one expect from In New Zealand, there have also been discussions about
cybersecurity and privacy when our universities are Computer Science on the High School curriculum, without
encouraging the sharing of our credentials? taking cybersecurity and privacy into account [32].
“We use TrueCrypt in a In the UK, researchers have been concerned with
corporate/enterprise environment. Is there a teaching Computer Science to produce more and more
way for an administrator to reset a volume programming from the secondary level onwards [33] [34]
password or pre-boot authentication password [35].
when a user forgets it (or loses a key file)? “The challenge of introducing security in a
Yes. Note that there is no ‘back door’ sensible and useful manner can be addressed
implemented in TrueCrypt. However, there is by considering the contextual perspectives”.
a way to ‘reset’ volume passwords/key files [5]
and pre-boot authentication passwords.” [23] In this way, the basis of cybersecurity must be introduced
“If someone needs to access an encrypted in the early education, according to the Joint Task Force on
file or a shared encrypted laptop, the Cybersecurity Education [36]. While this report provides
encryption password will need to be shared, guidelines for delivering cybersecurity education, all
unlike your University password which should managers of technological courses could benefit from
always be kept private. If you forget the reading it.
encryption password for a file or USB stick,
then the data will be inaccessible. In the case
of laptops encrypted by the University, IT III. METHOD AND DATA COLLECTION
Services will store a recovery disk that will
enable the laptop password to be reset.” [21] From the perspective that everything has a human
In the same way that universities orient their users element, the author has gathered information to understand
towards using “in-private” navigation, one has to stand still what UK universities are thinking about cybersecurity and
and review what is being taught about security and privacy. how its people are being trained. For this, it is necessary to
[27] [28]. analyse the curricula of the offered courses. For that, one
[29] Classifies cybersecurity according to four categories: needs to study the common basis of those courses,
public, infrastructure, business and general. The basic disregarding cybersecurity specific courses. The intention
message is to transform cybersecurity courses in a here is not to evaluate cybersecurity as a specialist; but
multidisciplinary direction. While this is laudable, rather, to understand the impact rendered by the lack of
broadening the knowledge of security experts does not solve study on security disciplines, in the context of Computer
the issue. Science knowledge.
“From a socio-technical perspective, it is For this purpose, the author has considered the discipline
claimed that a viable system would be more components of 100 UK G400 Computer Science courses
user-centric by accommodating and balancing [37] or similar, from the top 100 UK universities offering
human process rather than entertaining an such courses. The ranking used was the one prepared by the
expectation of a one-sided change of “Webometrics Ranking of World Universities”, which is an
behaviour of the end user.” [5]. initiative of the Cybermetrics Lab, a research group
“Two reasons could potentially explain the belonging to the Consejo Superior de Investigaciones
poor effectiveness of the implemented security Científicas (CSIC), the largest public research body in Spain
solutions and procedures: the boundary [38]. This ranking includes 280 UK universities. This study
problem of risk analysis scope and the considers that the first 100 UK universities represent a
background of involved actors in risk relevant sampling in the universe of UK universities in order
assessment and in security policy design.” [5] to analyse the situation of cybersecurity disciplines on G400
Agreeing with Sadok and Bednar, this author considers courses in the UK. Computer Science courses focused in
human-centricity as the best approach for address the Cyber Security is discarded.
cybersecurity problem. It´s necessary to adjust the whole The title of the module or discipline and the content of
background, specifically, the way cybersecurity and privacy the discipline as see on Fig.1, Fig.2 and Fig3., when
are explained to the students and I.T. professionals. available online, were manually read line by line to identify
Gal-Ezer et al. proposed five units to teach High School cybersecurity content keywords as security, privacy, cyber
programming courses in Israel: fundamentals, advanced security, risk management, forensics, cryptography, safe
programming, second paradigm, applications and theory. software, safe programming, cybercrime, data protection,
Likewise, [30] declared that security is among the key credential management and others security terms or
aspects in the field of computing. expressions, or other contextualized elements that refer to
Twenty-two years after the latter study, an interesting cybersecurity enforcement. The main focus was on
piece of research carried out in the US about teaching identifying security elements for software development.
Computer Science in High School has suggested a new
 Fig. 3 Security content in the module title.

If a word or expression linked to security was found

during the reading of a discipline’s menu, the totals are
summarized in Table 1.
Annotations have been also made by the author also made
to identify at which point in time the safety element was
addressed, as well as whether the subject discipine was
Fig. 1 One of the best module descriptions founded. mandatory or optional.

Table 1-Collected data extracted by reading course descriptions provided by

each institution on their own website.

Total of
Amount
courses
100
security content
189
optional security content
81
mandatory security content
108
courses without security content
13
courses without mandatory security content
39
security content in the year 1 of courses
32
security content in the year 2 of courses
43
Total security content in the year 3 or later of courses
114

IV. DISCUSSION
Fig. 2 Security content in the module description.

The absence of anything about security and privacy in the

curricula says a lot about the relevance of this theme on the
courses in question.
After the analysis of course grades, if the curriculum has
one or more explicit citations about cybersecurity or privacy,
a value of 1 was given, or 0, otherwise:

x 6% of security content in the UK G400 have no

references to cybersecurity, privacy, secure programming
or other cybersecurity content during the course, Fig. 4;
x 39% of G400 UK courses do not offer mandatory
cybersecurity content, Fig 5;
x 17% of courses offer cybersecurity content in the first
year of the course, Fog 6;
x 13 Computer Science Courses do not have any security
content explicated in the curriculum Table 1;

For those analyses, It´s straightforward to notice that a

total of 118 content areas identified in 100 Computer
Science courses, some of those present more than one
content area. Fig. 4 shows the proportion of mandatory
cybersecurity content on Computer Science courses in the
U.K, while Fig. 5 shows the proportion of any kind of
cybersecurity content on these courses. Besides the
importance of having security content included in the course
curricula, it’s necessary to analyse the disposition of this
content across all the years of the course. This distribution is
presented in Fig. 6. Our people learn to program without
information on security issues.

Fig. 5 Considering 100 Computer Science Courses, Security as an optional

discipline or an element of others disciplines on UK computer science
courses. 61% have security on the curriculum and 39% have no security on
the curriculum. Source: Table 1.

Fig. 4 Considering the total contents 118 under 100 Computer Science
Courses, Security as a mandatory discipline or an element of other
disciplines on UK computer science courses. 6% of courses have no
security content on the curriculum and 54% of courses have mandatory
cybersecurity elements on the curriculum and 40% have optional security
content. Source: Table 1.

Fig. 6 Considering the total 118 security content, Security discipline’s

distribution by year on UK computer science courses. 17% focus on
security content in the first year, 23% in the second year, 60% in the third
year or later. Source: Table 1.

The data analysis indicates that more than one third of

G400 courses in the U.K leave cybersecurity out of their
mandatory curricula, while cybersecurity is an optional
discipline, which is relegated to the end of the course in the
case of the other two thirds.
According to the author of reference [6], people are at the
centre of any technological design and for the author of
reference [39], the education of cybersecurity content are cybernetic concepts to all computer-related courses only
failing to attend industry demands. offers a thread of hope.
Forensic concept is not just a police issue. According to There is no point in continuing to create more and more
the author of reference [40], it is incorporated by the courses for cybersecurity experts. Today, these professionals
companies and that is time for Government and universities are involved in repairing programs with little notion of
include its concepts into computer science courses taught. cybersecurity. At the same time, the vast majority of IT
One of principal challenges concerning digital privacy practitioners are not being properly trained to develop secure
and security is the management of credentials. Credentials applications from the first line of code.
are literally “the key” and one need to encourage U.K users The world will have secure systems only when the first
to keep safe the key. Meanwhile, developers need to design line of the first algorithm has been written under the
security systems without critical failures and breaches from mandatory cybersecurity premises, concepts and techniques.
the first line of code onwards. The existence and massive In the meantime, education and training are the more
use of password-based authentication and their limitations accessible ways to prevent and to fix cybersecurity
and risk are explored by [41]. problems.
According to the National Academies Press, seven Even with a large capacity of trained personnel pointed
principles need to be observed concerning people learning out in [45], a percentage that does not reach 10% of security
and understanding of any subject/discipline. Some of those content was offered until 2016 in the programs of Computer
principles are highly relevant to this work: Science in the USA.
Firstly, it is easier for students when they establish a firm Cybercrimes are classified in seven categories according
foundation before adding new knowledge. All new to [46], Phishing, Spam, Hacking, Cyber Harassment or
knowledge is influenced by previous experience. 17% of Bullying; Identity Theft, Plastic Card Fraud and Internet
exposition in cybersecurity concepts at the year 1 for Auction Fraud. To improve security in software
Computer Science courses, including mandatory and development and increase difficult to cybercriminals, it’s
optional content, is too little. When one learns how to cross necessary to reconfigure Computer Science courses. This
a road, it is more difficult to adapt to the concept of a formal work proposes a change in the teaching paradigm by
road crossing because the person always is influenced by including cybersecurity as a mandatory and explicit content
his/her previous experience. Practising cybersecurity and throughout the duration of undergraduate Computer Science
privacy every day while on a Computer Science course will and software design courses and disciplines, so students will
foster security mind-set, way of thinking and attitudes. [42] become proficient enough to develop secure pieces of
To teach at the end of course and leave it optional is the software. Cybersecurity content must be formal and explicit
biggest problem that this work likes to expose. in the programming disciplines.
The first stage in the process of acquiring knowledge is to Unfortunately, security requirements use to be considered
“remember” [43]. To remember something, one needs to be just after the ‘conclusion’ of the design efforts of a given
exposed to something new. In this work, it´s important to piece of software [47]; it’s to say, non-rarely seldom, after
examine whether U.K students are being exposed to already being totally written.
cybersecurity. As long as cybersecurity content is not written into the
discipline’s syllabus, it is likely that it won’t not be taught at
all the consequences of that being potentially disastrous,
costing millions of pounds.
V. CONCLUSION

How then one can make cyberspace safer? It´s necessary

to teach cybersecurity to Computer Science students since VI. REFERENCES
the very first year of school.
An ERP computer program or a website into which input
the necessary credentials to get access to one’s bank account [1] World Economic Forum, “Global Risks Report
is normally developed with totally blind faith using the piece 2018,” World Economic Forum, Geneva, 2018.
of software above mentioned. If an OS project fails, this is
[2] H. E. S. A. HESA, “Higher Education Student
ignored by other actors because they know that the OS will
Statistics: UK, 2016/17,” HESA, Promenade, 2018.
save all data in the physical memory. The author is quite
aware of browser developers who ignore the fact that false [3] D. Passey, “Computer science (CS) in the
“in-private navigation” exists. One can have an SDK that Compulsory Education Curriculum: Implications
offers a password field without any security requirements, if for Future research,” Education and Information
the preceding steps fail. Furthermore, this field can be Technologies, vol. 22, p. 401, 2017.
dragged and dropped by the website developer. [4] A. Ferrari, “DIGCOMP: A Framework for
The UK National Cyber Security Strategy 2016-2021 Developing and Understanding Digital
[44], in 7.1.1, states that directing efforts to invest in an Competence in Europe,” European Commission
increasing number cybersecurity specialists is misplaced, Institute for Prospective Technological Studies,
while quietly citing the precariousness of exposing Seville , 2013.
[5] M. Sadok and P. Bednar, “Understanding [16] R. Ruiz and R. Winter, “Lazarus: Data Leakage
Security Practices Deficiencies: A Contextual with PGP and Resurrection of the Revoked User,”
Analysis. In S. Furnell, & N. Clarke (Eds.),” in Journal of Cyber Security and Mobility, vol. 5, no.
Human Aspects of Information Security and 2, pp. 1-14, 20 11 2016.
Assurance Conference Proceedings, Plymouth , [17] T. Foundation, “Truecrypt,” 15 02 2013.
2015. [Online]. Available: http://truecrypt.org.
[6] A. Reza and H. J. a. A. A.-N. Shareeful Islam, [18] IDRIX, “VeraCrypt,” 2018. [Online]. Available:
“Analyzing Human Factors for an Effective https://veracrypt.codeplex.com/.
Information Security Management System,”
[19] Ghostcrypt, “Ghostcrypt,” 04 01 2018. [Online].
International Journal of Secure Software
Available: https://www.ghostcrypt.org/.
Engineering (IJSSE), vol. 4, no. 1, pp. 50-74, 18 9
2013. [20] Symantec, “Symantec Desktop Encryption User
Manual,” [Online]. Available:
[7] R. d. S. Ruiz, F. P. Amatte and K. J. B. Park ,
https://symwisedownload.symantec.com/resources/
"Opening the “Private Browsing” Data – Acquiring
sites/SYMWISE/content/live/DOCUMENTATION
Evidence of Browsing Activities," in Proceedings
/6000/DOC6205/en_US/symcEncrDesktop_103_w
of the International Conference on Information
in_usersguide_en.pdf?__gda__=1475850268_9092
Security and Cyber Forensics, Kuala Terengganu,
5006947a919661523e2f67f5cea7. [Accessed 5
Malaysia, 2014.
October 2016].
[8] R. Ruiz, K. Park, F. Amatte and R. Winter,
[21] IT Services, The University of Manchester,,
"Overconfidence: Personal Behaviors Regarding
“Encryption Software,” 2014. [Online]. Available:
Privacy that Allows the Leakage of Information in
http://www.itservices.manchester.ac.uk/cybersecuri
Private Browsing Mode," International Journal of
ty/advice/encryption/.
Cyber-Security and Digital Forensics (IJCSDF),
vol. 4, no. 3, pp. 404-416, 2015. [22] University of Exeter, “Important Information for
Users of TrueCrypt on Windows Laptops,” 25
[9] R. d. S. Ruiz, F. P. Amatte and K. J. B. Park,
April 2014. [Online]. Available:
"Tornando Pública a Navegação “InPrivate”," in
http://www.exeter.ac.uk/ig/infosec/encryptionforla
Proceedings of the IcoFCS2012, Brasília - Brazil,
ptops/usingtruecrypt/.
2012.
[23] Wake Forest University, “TrueCrypt install,” 25
[10] G. B. E. J. C. B. AGGARVAL, “An Analysis of
04 2014. [Online]. Available:
Private Browsing Modes in Modern Browsers,” in
http://users.wfu.edu/yipcw/is/truecrypt/.
Proceedings of the USENIX 2010, 2010.
[24] K. S. K. F. N. FU, “Dos and Don'ts of Client
[11] Cisco, “Data Leakage Worldwide: Common
Authentication On The Web,” in Proceedings of
Risksand Mistakes Employees Make.,” 24 02 2014.
the 10th USENIX Security Symposium,
[Online]. Available: http://www.
Whashington DC, 2001.
cisco.com/c/en/us/solutions/collateral/enterprise-
networks/data-loss-pre vention/white paper c11- [25] J. L. S. L. S. Oh, “Advanced Evidence
499060.html. Collection and Analysis of Web Browser Activity,”
Digital Investigation, pp. 62-70, 2011.
[12] A. Filatov, “Data Security Solution,” 25 02
2015. [Online]. Available: [26] R. Ruiz, R. Winter, K. Park and F. Amatte, “The
http://pt.slideshare.net/AndSor/dss-symantec-pgp- leakage of passwords from home banking sites: A
encryption-fortress2014-arrowecs-roadshow- threat to global cyber security?,” Journal of
baltics. Payments Strategy and Systems, vol. 11, no. 2, pp.
174-186, 2017.
[13] A. &. S. M. A. &. L. T. V. V Barabanov,
“Statistics of software vulnerability detection in [27] University of Michigan, “Safe Computing,” 01
certification testing,” Journal of Physics: September 2018. [Online]. Available:
Conference Series., vol. 1015, no. 4, pp. 1-9, 2018. https://www.safecomputing.umich.edu/be-
aware/privacy/resources.
[14] R. d. S. Ruiz, F. P. Amatte and K. J. B. Park,
"Security Issue on Cloned TrueCrypt Containers [28] Wake Forest University School of Business,
and Backup Headers," in The International “MSBA Software Installation,” 2018. [Online].
Conference on Cyber-Crime Investigation and Available: business.wfu.edu/msba-software.
Cyber Security (ICCICS2014), Kuala Lumpur - [29] R. B. Ramirez, Making Cyber Security
Malaysia, 2014. Interdisciplinary: Recommendations for a Novel
[15] R. Ruiz and R. Winter, “Corrosive Secrecy and Curriculum and Terminology Harmonization,
Confidence: The Paradox Among Bypassing Cambridge: Master’s thesis in technology and
Cryptographic Software, Loss of Privacy and policy, Massachusetts Institute of Technology,
Information Security,” Cyber Security Review, pp. 2017.
66-74, 01 03 2016. [30] J. Gal-Ezer, C. Beeri, D. Harel and A. Yehudai,
 “A High-School Program in Computer Science,” Mathematics and Science in U.S. High Schools,
Computer, vol. 28, no. 10, pp. 73-80, 1995. Washington, DC, National Academies Press, 2002,
[31] G. Alexandron, M. Armoni, M. Gordon and D. pp. 117-130.
Harel, “Teaching Scenario-based Programming: [43] B. (. E. M. F. E. H. W. K. D. Bloom, Taxonomy
An Additional Paradigm for the High School of Educational Objectives, Handbook I:, Allyn &
Computer Science Curriculum, Part 1,” Computing Bacon ed., New York: Pearson, 1956.
in Science & Engineering, vol. 19, no. 5, pp. 58-67, [44] UK Government, “National Cyber Security
2017. Strategy 2016-2021,” 2016. [Online]. Available:
[32] T. Bell, P. Andreae and L. Lambert, “Computer https://www.gov.uk/government/uploads/system/up
Science in New Zealand High Schools,” Brisbane, loads/attachment_data/file/567242/national_cyber_
2010. security_strategy_2016.pdf. [Accessed 15 January
[33] N. C. C. BROWN, S. SENTANCE, T. CRICK 2018].
and S. HUMPHREYS, “Restart: The Resurgence [45] S. C. Y. &. B. Wen, “Toward a cybersecurity
of Computer Science in UK Schools,” ACM curriculum model for undergraduate business
Transactions on Computing Education (TOCE), schools: A survey of AACSB-accredited
vol. 14, no. 2, p. 9, 2014. institutions in the United States,” Journal of
[34] N. C. C. Brown, M. Kölling, T. Crick, S. P. Education for Business, vol. 92, no. 1, pp. 1-8,
Jones, S. Humphreys and S. Sentance, “Bringing 2017.
Computer Ccience Cack Into Schools: Lessons [46] H. Jahankhani, AmeerAl-Nemrat and
From The UK,” Denver, 2013. AminHosseinian-Far, “Chapter 12 - Cybercrime
[35] S. Sentance, M. Dorling, A. McNicol and T. classification and characteristics,” in Cyber Crime
Crick, “Grand challenges for the UK: upskilling and Cyber Terrorism Investigator's Handbook,
teachers to teach computer science within the Elsevier, 2014, pp. 149-164.
secondary curriculum,” Hamburg, 2012. [47] R. M. S. C. Hosseinian-Far A., “Emerging
[36] ACM; IEEE-CS; AIS SIGSEC; IFIP WG 11.8, Trends in Cloud Computing, Big Data, Fog
“Cybersecurity Curricula 2017,” ACM; IEEE-CS; Computing, IoT and Smart Living,” in Technology
AIS SIGSEC; IFIP WG 11.8, New York, 2017. for Smart Futures, A. H. A. B. Dastbaz M., Ed.,
Springer, Cham, 2017, pp. 29-40.
[37] Universities Central Council on Admissions,
“Universities Central Council on Admissions,”
2018. [Online]. Available:
https://www.ucas.com/ucas-terms-explained.
[Accessed 01 February 2018].
[38] Cybermetrics, “Webometrics,” 2018. [Online].
Available: http://www.webometrics.info.
[Accessed 04 02 2018].
[39] J. M. Pittman and R. E. Pike, “An Observational
Study of Peer Learning for High School Students at
a Cybersecurity Camp,” Information Systems
Education Journal, vol. 4, no. 3, pp. 4-13, 13 5
2016.
[40] H. Jahankhani and AminHosseinian-far,
“Chapter 8 - Digital forensics education, training
and awareness,” in Cyber Crime and Cyber
Terrorism Investigator's Handbook, B. Akhgar, A.
Staniforth and F. Bosco, Eds., Elsevier Inc. , 2014,
pp. 91-100.
[41] H.-F. A. Jahankhani H., “Challenges of Cloud
Forensics,” in Enterprise Security. ES 2015.
Lecture Notes in Computer Science, R. M. W. R.
W. G. Chang V., Ed., Springer, Cham, 2017, pp. 1-
18.
[42] National Research Council, Division of
Behavioral and Social Sciences and Education,
Board on Testing and Assessment, “Learning with
Understanding: Seven Principles,” in Learning and
Understanding: Improving Advanced Study of