Paper presented to: Federal Information Systems Educator's Association (FISSEA) Conference, February 15-16, 1995. Gaithersburg, MD.

Psychological Aspects of Sensitive Training Course Development

Dr. Bruce C. Gabrielson
Kaman Sciences Corporation
2560 Huntington Ave
Alexandria, VA 22303-1410

in association with:

Naval Research Laboratory
4555 Overlook Avenue, SW
Washington D.C. 20375-5320

Introduction

What does an organization do when faced with a difficult training need that extends well beyond what might typically be necessary for a structured traditional program? This paper describes such a situation, and suggests a methodology for delivering the training package under these conditions. Of primary interest is the psychology and various motivational factors contributing to the final learning outcome delivered by the training.

An Existing Technical Issue

Let's envision that a leading-edge network penetration tool capable of being used for either testing or making mischief is developed by an engineering activity. The activity, as well as the overall organization it represents, is under pressure to release the tool as soon as possible. The technical issue becomes how to deliver the tool to trained testers in a manner that is both expeditious and under strict control.

The tool will be neither simple to use, nor will it be highly protected by internal program safeguards. Using the tool will require a higher than average level of network related expertise, plus those with access to the tool must be absolutely trusted to protect against its unauthorized release. A part of the needed user technical expertise involves learning a technology that in some orientations could become dangerous.

Background of the Problem

The security problems associated with today's networked computer world appear to be widespread and continuously evolving. Each day, more systems are added to the multitude of existing networks in both the commercial and defense sectors. As the access to these networks increases, the potential for problems due to the actions of a disgruntled employee, network cracker [1], or covert operator grows steadily greater.

With network and system attacks continuing to rise, system administrators have grown increasingly weary of their continuous security problems. They simply cannot keep up with all the new approaches their adversaries continue to develop. In addition, numerous legal, political, technical, and ethical difficulties exist for computer security personnel trying to catch a system attacker. The result of all the various control issues is a new thinking on ways to protect network resources. This new direction utilizes an approach termed proactive network testing.

Reactive or Proactive Solutions

Security software generally falls into one of two categories, reactive [2] or proactive [3]. The most common and easiest to use is reactive, while proactive software is just beginning to emerge from theory to actual products.

Reactive computer security is often an application set up to monitor traffic and connections, keep audit trails, and generally help 'react' to cracking attempts. The goal of reactive security is to give the system administrator enough auditing or real-time information to clean up after a system attack, or prevent the attack altogether. Examples of reactive security services include network sniffers, C2 audit trails, and network daemon [4] connection loggers.

Proactive security deals with the conditions and environment the computer system is operating in. A proactive approach to local system security would check the default setup of system files, possibly try to crack encrypted user passwords, check the setup of user accounts, etc. It also could involve an evaluation of remote system security. To check remote systems, the proactive software attacks the computer system from the outside (as a system cracker would) in order to discover if the system is free of known security holes.
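The local checks named above (setup of system files, setup of user accounts), sketched as an added example that is not from the paper or the tool it describes. All sample data is constructed, and the finding labels and function names are assumptions made for this illustration.

```python
"""Local proactive audit run over constructed sample data (no real system is read)."""
import stat

# Constructed sample in /etc/passwd format: name:password:uid:gid:gecos:home:shell
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
guest::1001:1001:Guest:/home/guest:/bin/sh
toor:x:0:0:alt admin:/root:/bin/sh
alice:x:1002:1002:Alice:/home/alice:/bin/sh
broken:x:notanumber
"""

# Constructed (path, st_mode, owner uid) records, shaped like os.stat() results.
SAMPLE_FILES = [
    ("/etc/passwd", 0o100644, 0),
    ("/etc/shadow", 0o100666, 0),
    ("/etc/hosts.equiv", 0o100644, 1002),
    ("/home/alice/.rhosts", 0o100622, 1002),
]


def audit_accounts(passwd_text):
    """Return (account, finding) pairs for risky or unparsable account entries."""
    findings = []
    for lineno, line in enumerate(passwd_text.splitlines(), start=1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        # A malformed entry is itself a finding: tools may parse it differently.
        if len(fields) != 7 or not fields[2].isdigit():
            findings.append((f"line {lineno}", "malformed entry"))
            continue
        name, password, uid = fields[0], fields[1], int(fields[2])
        if password == "":
            findings.append((name, "empty password field"))
        if uid == 0 and name != "root":
            findings.append((name, "UID 0 account other than root"))
    return findings


def audit_files(records):
    """Return (path, finding) pairs for weak permissions or ownership."""
    findings = []
    for path, mode, owner in records:
        if mode & stat.S_IWOTH:
            findings.append((path, "world-writable"))
        if path.startswith("/etc/") and owner != 0:
            findings.append((path, "system file not owned by root"))
    return findings


if __name__ == "__main__":
    for subject, finding in audit_accounts(SAMPLE_PASSWD) + audit_files(SAMPLE_FILES):
        print(f"{subject}: {finding}")
```
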

How the Training Situation Evolved

The problem with the development of a proactive test tool is that it is capable of being used both for and against a network. It relies on using technologies that in some orientations could be illegal and perhaps even dangerous. An example is the bomb builder who could build bombs for the defense industry or for illicit activities.

In our case, the application to be developed is simply a tool. It has few internal program safeguards, but also needs a certain level of expertise to be used properly. Faced with pressure to develop and release such a tool as soon as possible, certain issues need to be resolved relative to both training and psychology of the individual users.

A major problem exists with the availability of individuals with the pre-existing declarative knowledge necessary to use the tool. Individuals are available within targeted organizations, but their skill level and background can vary greatly. In addition, there is no acceptable way to pre-screen those individuals who would be provided for the initial student population.

Another problem relates to the sensitivity and interpersonal skills of those available. A proactive tester would get little cooperation from the system administrator if a test was performed without prior notification, and the tester simply provided a list of fixes to correct identified vulnerabilities. Or even worse, the tester notified the system administrator with: "We tested your network and found the following holes. And by the way, we also gained root and had access to all your personal files when we broke in."

The ideal situation for a tester would be to contact the network administrator first with something like: "Your site security group is planning to test your network next week for vulnerabilities. Our goal is to help you strengthen your current profile. Let us know if you would like to be involved during testing." Dealing with people under the conditions described is a skill that must be incorporated into the training process.

The Training Problem

The needed training is not as straightforward as it might at first seem. Since the information embodies both technical and sensitivity issues, is adult oriented, and is intended for a technical audience, some overlap of learning domains is indicated. Basically we need to reinforce two learning domains, affective and cognitive. The primary focus of the affective domain is the development of attitudes and values. The cognitive domain concentrates on intellectual development in terms of knowledge building and the processing and manipulation of information.

The test tool is to be an advanced applications program intended for use with networks using the TCP/IP protocol. Declarative and procedural training at both the awareness and Learning level (or higher) as shown in Table I is indicated. We need to understand the body of knowledge the user requires to apply the program successfully, and also how to decrease the turn-around time that might be needed to train users with various experience levels.

Table I - Suggested Specific Knowledge Breakdown

Declarative Knowledge

    Technology Oriented
        UNIX
        TCP/IP
        System Administration
        Network Security

    Other Issues
        Organization Specific
        Laws & Regulations
        Human Relations

Procedural Knowledge

    Using the Tool
    Interpreting Results
    Problem Solving

Turn-around time involved for the quickest possible training for each student is a driver for the delivery methodology selected. The generalized training mission to meet the objectives becomes:

1. Provide background information on various network security issues.
2. Provide user operational skills
3. Provide problem solving skills (inquiry training)
4. Provide human relations skills
5. Incorporate motivational safeguards into the training
6. Other Issues (psychology oriented)

A thorough investigation of the demographic and operational needs, and the factors indicated in the training mission, will result in the identification and bounding (eclipsing) of the depth of knowledge a typical user needs and how much turn-around time will be required to learn the necessary technical skills. In INFOSEC terms, we determine the body of knowledge necessary to both use the tool and interpret its results. On the learning continuum [5], the Training level appears most appropriate since it involves a more formal and active role by students while teaching specific skills in the learning process. Related to strictly technical aspects, we want long term memory enhancement while stimulating the learner to identify new vulnerability issues and understand ever evolving security needs as they are discovered.

Technology Oriented Background Issues

The technical background of the typical user seems the easiest training area to bound. An average understanding of how the Internet works would provide the basic learning platform. Thorough familiarity with the TCP/IP protocol and how UNIX commands work provide the best technical foundation. In addition, the user needs to have an in-depth understanding of system administrator functions and system vulnerability concerns.

If the tester is already familiar with 'hacker' techniques and how to set up firewalls, then the test results and vulnerability reduction efforts would be most effective.

Operational/Problem Solving Training

As stated, using the tool will require more than a simple understanding of the Internet. The operational problem is that incorporating artificial intelligence into a test tool isn't always all inclusive. It is difficult to handle multiple solutions when each can be successful to a varying degree. In this case, there is sometimes more than one approach to finding the network hole, and often there are multiple fixes that can be used. In addition, some fixes are interactive in that a particular fix could potentially cause a problem with another vulnerability issue. Thus, both interpreting the test results and recommending a suite of fixes requires some advanced technical knowledge.

There also needs to be a human factors/technical skills training tradeoff to establish the level of conditioning necessary for each student before allowing them to test actual systems. We wouldn't want to train and unleash an army of hackers, and we also wouldn't want to have the tool so simple to use and easy to understand that anyone with a copy could immediately go into the hacking business. In contrast, we want to make a tool so simple to operate that a large number of 'pre-conditioned' testers would be interested in using it. This is the ultimate dilemma of any applications developer.

Student Selection Criteria

Using the test tool would not involve classified information or processes, so stringent security control over the program doesn't apply. Therefore, it is absolutely essential for protection of this or any other sensitive tool that students be selected who are inherently honest, or at least will respect proper safeguards that are in effect. One of the major problems faced with this particular program is that the type of people best suited for the task are those who have a predisposition towards hacking behavior.

The question involves who can be trusted to maintain strict distribution control while working on the job or after leaving for another job, and also who will resist the temptation to 'look' once access was gained? What is needed is the psychology profile of those individuals selected as students who have potential for releasing the program. Since this is not possible, the next best approach is to incorporate affective conditioning of attitudes and values into the training program.

Motivational Safeguards (The Ethics vs Education Issue)

An individual's moral attitudes are often in a state of flux until their early twenties [6], with many hackers falling into this age group. However, once adulthood is reached, attitudes become firmly established. To attempt affective conditioning is an extremely difficult task in an adult, one well outside the scope of most traditional defense oriented training programs. Affective conditioning is also considered a moral issue because changing the way a person thinks about something is a very sensitive subject.

Having established that a pre-screening process for student selection is impossible, the alternative investigated is to provide conditioning using the non-direct technique of describing the potential 'enemy' in terms of personality and motivations. Motivation conditioning is discussed further in the section on Sensitivity/Human Relations Training. Positioning this unit of instruction at the beginning of the course, followed immediately by a discussion of the legal issues involved with testing helps to 'set the stage' for the following technical material. In addition, using a delivery model that would allow this format could potentially be used for further conditioning efforts. Such a model will also be discussed later in this paper.

Typical Personality Traits of Hackers

To understand the 'enemy' better, a thorough investigation of hacker personality traits is necessary. Many sources of personality and motivational characteristics of hackers are available via the Internet and published material. Screened selections from these sources are used to prepare the first unit of the training course material. The following paragraph from Humphrey [7] is an example of the material selected for incorporation.

"Stereotypically, hackers are an unusual bunch. They have been characterized as highly intelligent, egotistical, logical, quiet, withdrawn, inventive, creative, humorous, elitist, quirky, arrogant, talented, messy, control oriented, etc, etc ... with an image like that, it's no wonder - Hackers often feel like outsiders, or in an organization among themselves. People of a hacker nature are most often 'cliquey' in that they socialize together in groups, and get along well with one another. Some have also described the hacker as 'incompletely socialized'."

"..., the hacker has been classified as typically being 'afflicted' with psychological tendencies toward compulsive and obsessive behavior. This personality type can often fall deep into single-minded episodes of heightened awareness, and narrow focus, wherein the individual may dwell for days at a time without any knowledge what-so-ever of the goings-on around him or her. This deep 'trance like' state is often called a 'hacker high', 'trance', 'zone', or other highly descriptive words by hackers."

The Legality Issues

Two fundamental issues drive the need for protecting an organization's network and computing resources. The National Computer Security Act requires computer security implementation and training on Government computers in order to provide for information protection. Government organizations should be in full compliance with this and other security and privacy type requirements. In addition, Government organizations have issued site specific instructions regarding the protection of their sensitive, but unclassified information. Penalties for the unauthorized release of protected information, as well as specific access authorization criteria are well documented and can be easily covered in a training unit.

Commercial organizations, while falling under various state laws, have similar information authorization and protection requirements as does Government, especially if they wish to stay in business very long. Trade secrets and market edge information are essential if a business is to remain competitive. However, each individual organization is different, and the legal basis or penalties for unauthorized activity may vary greatly. Training to cover the commercial environment would by necessity be both generalized and organization/site specific.

Another protection driver related to unauthorized access and information cost control is data protection. Down time to get an organization's network back on-line, or to simply recover data after a virus attack can run to millions of dollars. Costs can also be high if certain types of data are manipulated to show other than actual information. For training, some coverage of the personal legal responsibility for organizational financial loss is most desirable.

Is Proactive Testing Legal?

Convincing the student that what he or she is doing is legal, and also making the student capable of convincing others is a major issue with this type of a program. One of the initial concerns a testing organization has is their legal basis for testing. Remember that the tool works by actually attacking a network. While Public Law 99-474 applies to those who knowingly access a computer without authorization, or to those who exceed their authorization, there are also numerous site/organization specific legal issues in accessing sensitive non-classified information which may include private information.

The number of applicable statutes, laws, acts, etc. includes:

Applicable Defense Statutes (Navy Example)
    DOD 5200.28-STD (Orange Book)
    OPNAVINST 5239
    SECNAVINST 5239
    SITE INSTRUCTION

Relevant Laws/Acts/Circular
    PL 97-255 - Federal Managers Financial Integrity Act of 1987
    PL 99-473 - Comprehensive Crime Control Act of 1984
    PL 99-474 - Computer Fraud & Abuse Act of 1986
    PL 100-235 - Computer Security Act of 1987
    PL 100-503 - Computer Matching and Privacy Protection Act
    OMB Circular A-130 - Mgt. of Federal Information Resources
    OMB Circular A-123 & 127 - Internal Control/Financial Management Systems

Other Relevant Documents
    OMB Bulletin 89-22
    OMB Bulletin 90-08
    EO 12333
    EO 12356
    DCI DIR 1/16
    US CODE, TITLE 18, SECTION 2511

Some Government agencies have complete control over their network and include a monitoring notice such as that shown below which appears every time a user logs onto their net.

Use of this or any other DoD interest computer system constitutes a consent to monitoring at all times.

This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in this system is subject to monitoring and is not subject to any expectation of privacy.

If monitoring of this or any DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer system reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action.

Unfortunately, implied consent isn't always accepted. Not every organization can claim they have the legal right to gain access to an individual's personal files. Therefore, under some conditions, additional audit type monitoring tools must be installed prior to proactive testing. This control function would then automatically provide a check on the tester's activities as well as protecting the test authorizing organization from access liability. By knowing what is available, the tester also can recommend what methodology and pre-test controls will be involved at a particular site.

Providing the legal information background for the student to evaluate his own test activities is one means of accomplishing affective conditioning. Another way of accomplishing this objective is through role-playing (also discussed in the next section). Provide the student with a situation and ask him or her to select one of several possible solutions, each with their respective legal basis and potential consequences. Tailor the possible answers initially such that the correct answer is obviously the one with a "safe for me" outcome. After several such role-playing situations, the student will have a good understanding of what he or she can and can't do, and the exercises will also help place the burden of responsibility directly on the student's shoulders should a potential legal issue develop later during an actual test. Making the student an active part of the responsibility process has long been used by other classified security type training programs to meet their affective conditioning goals.

Sensitivity/Human Relations Training

Affect is defined as any kind of feeling or emotion attached to an idea or idea complexities. Until recently, emotions and feelings have been ignored to a large extent in traditional educational curriculum. Training that attempts to integrate affective domain conditioning can have very strong student consequences. Although cognitive techniques have long been understood [8], the area where there has been some historical attempt to integrate affective learning with cognitive learning is human relations training directed towards business and industrial settings [9], [10]. The most common forms of structured training are role-playing and case studies. Role-playing and case studies, while commonly used to present higher level simulations, can also be used to introduce affective learning as indicated below.

Role-playing was designed specifically to help students study their social values and reflect on them (values, behavior, empathy, interpersonal problems). In role-playing, situations and roles are selected to provide a learning experience for the participants. Participants "act-out" designated roles which are believed to offer useful (and good) learning experiences. Case study also involves learning from an analysis of roles, but the role is defined in text by means of a problem situation presented from the point of view of one of the individuals involved. While role-playing provides an emotional experience through face-to-face contact, case study is normally more concerned with thinking a problem through by using cognitive skills to analyze problems and related communication issues.

Using case study type techniques, affective learning can be influenced by presenting problems relevant to what is perceived as good/bad situations [11]. Therefore, one potentially effective means of influencing behavior in this course might be to accurately place the student in the good guy/bad guy role (like role-playing) and then provide direction towards the desired results. In other words, put the student in the shoes of the system administrator that is being tested, the site director who is responsible for the network, etc. and then ask which type of non-aggressive approaches to initial contact and result reporting would be most sensitive to their needs.

Understanding another person's perspective (how does he view his problem) is not an easy task. The student must be placed in the situation where the internal frame of reference is the person being helped. In this way not only can the tester be conditioned to have some sensitivity in dealing with people (we're here to help), but other responsibilities such as question answering skills, dealing with a site administrative structure, and methods of prior notification to those being tested can also be addressed.

Psychology of Learning

At least three major factors stand out in effective learning: attention to material, repetition, and reward. These factors have long been identified and incorporated into various training activities. While many learning techniques for transferring the previously identified declarative and procedural knowledge may be successful under varying conditions, for information regarding the test tool to be transferred effectively, multiple techniques will be utilized. These learning techniques will be applied to address the technology, the work through example, and the self paced sensitivity conditioning training.

Learning psychology describes a student's declarative to procedural knowledge transfer in the Transfer of Training Principle. The principle states that training in a similar Task A will help learning in Task B. There must be similar aspects in each task. However, the task must not consist of rote memorization. Generalization, which can occur in operant conditioning as well as classical conditioning, is an integral part of the transfer. We move the similarities from Task A to Task B by a process of transfer. The generalization occurs because the student sees similarities between the declarative knowledge and the procedures to be followed during testing (network administration/network security). This theory is useful for application to both the primary course material and the work-through example to be presented.

Sensitivity, laws, and hacker conditioning require a complex learning arrangement called clustering (or categorizing). Clustering is a form of discrimination in that we detect differences between two or more things or actions by understanding their unique characteristics. Basically, clustering means organizing the background by either/or descriptions like "good/bad" to describe activities like hacking versus testing. Examples of good and bad ways of approaching a system administrator and a discussion of laws and penalties will help condition a student when using this learning mechanism. As with generalization, for this learning to be effective, the information requires a unifying theme. In this case, the theme will be that tests are needed to protect ourselves and here is how and why we do it.

Since the sensitivity/laws and hacker units are to be presented as self study units, another learning theory can also be applied for reinforcement. Consolidation theory states that the storage system needs time to consolidate after learning. Therefore, a period of rest after a period of learning is helpful for enhanced learning. Keeping self paced modules to a reasonable length allows maximization of learning when using the consolidation theory of learning mechanism.

Adult Learning Theory

At this point we know what material is needed for the training, what the hoped for outcomes should be, the primary psychological factors involved in the needed learning, and we are starting to converge on a methodology for delivering the material. The question still remains of how to motivate the learners so that the training material will be comprehensive and effective for the student population. In an effort to satisfy the motivation issue, self directed learning and adult learning theory can be directly employed in this training activity.

According to Dejoy [12], self-directed learning refers to the self-motivated and self-managed planning process adults use to "learn, change, and improve" themselves. For the process to be effective, the student must maintain 'some' degree of control over the learning goals, the materials they must use, and the kind of evaluation they are subjected to. Of interest to us is that self-directed learning attempts to solve some of the problems identified with traditional learning techniques, those of providing an individualized match between student information needs and learning content, and the development of intrinsic student motivation to meet their learning goals. Table II from Dejoy [13] identifies several recommendations for implementing a self directed learning program.

Table II

Trainees should begin with assessments that help identify their personal learning needs.

Trainees should evaluate their own learning style and learning preferences.

The support organization should be part of the assessment stage to combine performance appraisal results and contribute to individualized learning goals.

Promote opportunities for choosing learning resources and activities and make flexibility part of the individual learning plan.

Make every effort to involve program administrators as in-house experts and resource people.

Include in every form of learning opportunities for careful feedback.

Adult Learning Theory also supports motivation, while at the same time allows for further structuring of the presentation model. It suggests there are several assumptions concerning adults as learners which should be considered along with traditional learning models in the development and presentation of adult training. According to Beta Analytics [14], as a person matures, four basic assumptions form the basis for new learning activities.

1. One's self-concept moves from being one of a dependent personality towards one of being a self-directing human being.

2. A growing reservoir of experience is accumulated that becomes an increasing internal resource for additional learning.

3. An individual's readiness to learn becomes increasingly oriented towards the developmental tasks of their social roles.

4. An individual's time perspective changes from one of postponed application of knowledge to immediacy of application, and their orientation toward learning shifts from one of subject-centeredness to one of problem-centeredness.

Notice that the selected learning techniques for the training tend to mesh with the above assumptions, which can in turn be used to tailor individual training blocks. Certainly assumptions 1 and 4 fit with self study units and with the immediate needs of the individual to learn how to use a new test tool. Assumption 3 somewhat fits with the increasing responsibilities the tester will be given by the organization once the information is learned, plus the tool orientation (hacking) is an exciting and exotic enough technology to affect an individual's social role. Assumption 2 can be addressed by selecting a delivery model that both allows training flexibility and stresses the individual's accumulated experience.

Mastery Model for Course Delivery

Basing the delivery model on what is envisioned as the expected outcomes (learning, conditioning and structural), the potential technical diversity of student population, and learning theory for adults leads to the selection of the Mastery Model for course structure. Mastery Learning is a teaching technique founded upon the assumption that given sufficient time and appropriate materials, most students, regardless of their previous knowledge level, can achieve the desired outcomes.

In this model, the objectives of each unit are first stated, and then existing student skills are pre-assessed. By doing so, a determination is made if the student already has the requisite background to begin the unit of study, or to establish if the student has already mastered the unit's training objective. Following the unit of study, a post-assessment is also provided.

The pre-assessment/post-assessment scenario also allows learning reinforcement to take place by using the recitation theory and programmed learning. The recitation theory is repeating to yourself what you have just learned. In our case, the immediate final test following a block of instruction helps to reinforce the learned unit. Programmed learning is presentation of material in an organized sequence that follows an overall program (model). It is essentially self-instructional. An example would be sentence/paragraph structure with fill in the blanks as you proceed through the training unit. However, by structuring the pre-assessment and post-assessment test with fill in the blank questions, reinforcement will take place.

In our case we want two other additional outcomes from the pre- assessment. We want to tailor our pre-assessment test questions in the first unit, Hacker Motivations and Traits, to set the stage for the rest of the course. In addition, by looking at responses to the questions in this unit, potential problem areas with students can be identified and addressed immediately.

The traditional Mastery Model supports three learning tracks: the main line, the self-pacing enrichment track, and the alternative (correctional) track. This approach also has the appeal of being multi-sensory in nature and provides instructional designers the vehicle to meet a variety of multi-modality [15] learning styles, particularly Individually Prescribed Instruction (IPI) [16] techniques. Individualization is promoted within two of the three tracks. In the suggested adult training course model for the test tool, it is the student who decides, based on the pre-assessment, what training track should be chosen. Especially for self-study learning units, this technique allows for self-paced training and the use of additional learning materials if necessary.

The format for delivery of the first two instruction units can also be evaluated in terms of human factors supporting self-study or traditional classroom format. In a book by Barefoot [17], it is suggested that face-to-face discussions of dishonesty and its full ramifications are more difficult than less direct approaches such as posters, flyers, etc. With this in mind, providing the first two instruction units, Hacker Motivations and Traits and Legality and Human Relations, in a self-study format provides a workable solution still within the Mastery Model.

Conclusion

This paper has stepped the reader through the formal process of developing an educational model for a subject field not simple to address through traditional educational techniques. The final course instills moral conditioning, supports self-paced, very quick turnaround training for advanced individuals, is flexible enough to allow either a traditional classroom or self-study training format, provides very quick feedback and evaluation responses using the Internet, and satisfies the goals of the training program.

bruceg@hightop.nrl.navy.mil


Training Goal Statement

The student will be able to use the test tool correctly and interpret its results.

The student will be aware of the legal and moral responsibilities involved with testing.

The student will be able to successfully coordinate the test program with the Designated Approving Authority and with the respective system administrator.

Training Evaluation Statement

The student will be able to list the capabilities and limitations of various networks
Will be able to summarize network TCP/IP related vulnerabilities

The student will be able to explain the consequences of misusing the tool
Will be able to locate and identify appropriate regulations and laws for specific sites

The student will be able to communicate the sensitivity and nature of proactive testing
Will be able to interface with those to be tested

The student will be able to apply the tool to various network configurations


User Lesson Plan Summary
(Main line is indicated as the primary training track)

Phase I

Initial Two Self-Study Training Blocks (with immediate feedback reviews of pre/post-assessments)
  Pre-training self-assessment tests
    Clustering and fill in the blank for recitation reinforcements
  Primary training (using case study role-playing and good/bad conditioning)
    Hackers Motivations and Techniques
    Sensitivity Issues/Laws
  Suggested enrichment track sources
    Published paper listings and law synopsis
  Suggested alternative track sources
    Selected papers and law synopsis

Primary Training Unit (may be provided for self study or presented in a traditional setting first)
  Pre-training self-assessment test for each unit
    UNIX, TCP/IP & Internet workings, network vulnerabilities and protection and/or countermeasure techniques
  Primary training
    Using the tool
    Exact vulnerabilities and how the tool exploits them
  Suggested enrichment track sources
    Provide sources for CIRT/CERT/CIAC Advisories, Usenet Groups, suggestions on how to get involved with the hacker community
  Suggested alternative track sources
    Intro to UNIX text, Network Security Overview text, CBT

Phase II

Practical Real-World Workthrough Example
  Self-paced work-through example over the Internet

Phase III

Hands-on Training at an Individual's Site
  Immediate question/response support
  Includes course and tool upgrading based on immediate feedback from users (over the Internet if the information is not a site-specific vulnerability concern)


References

[1] Cracker: A cracker is a person who exploits, breaks into, or otherwise gains unauthorized access to a computer system or network. Crackers come in a variety of forms labeled appropriately (i.e. System Cracker, Network Cracker, etc.). Cracker should not be confused with the term hacker.

[2] Reactive Security: Reactive computer security deals with who-did-what-when issues as related to local and remote system activity.

[3] Proactive Security: Proactive computer security addresses the need to check the current setup of a system in order to verify that system is secure. A proactive package would look at default conditions as they currently exist on the system and identify problem areas.

[4] Daemon: A program running in the background (or activated by interrupt) which provides a network based service to remote users.

[5] W. V. Maconachy, PhD, Computer Security Education, Training, and Awareness: Turning a Philosophical Orientation into Practical Reality, Proceedings, 12th National Computer Security Conference, PP557A-I, October 1989.

[6] McMahon, Frank, Psychology, The Hybrid Science, Prentice-Hall, New Jersey, 1974.

[7] Humphrey, Jeff, Phreakers, Trashers, and Hackers ... oh my ..., INFOSEC, An Advanced Technical Course by Bruce C. Gabrielson, PhD, AFCEA Educational Foundation, 1993.

[8] Bloom, Benjamin, Taxonomy of Educational Objectives, David McKay Co, NY, Yearbook 57, Pt 2, National Society of Education, Chicago University Press, 1956.

[9] Foster, Robert, and Danielian, Jack, An Analysis of Human Relations Training and Its Implications for Overseas Performance, Report prepared for Office, Chief of Research and Development, Dept. of the Army, DA 44-188-ARO-2, August, 1966.

[10] Stimac, Michele, From Empathy to Kenepathy, Presented at the Annual Convention of the National Association of Women Deans, Washington D.C., April 4-7, 1979.

[11] Casto, Glen, Human Relationships Skill Training: Trends, Issues, Programs, Exceptional Child Center, Utah State University.

[12] Dejoy, J.K. and D. M, Self-Directed Learning: The Time is Now, Training and Developmental Journal, Vol. 41, p. 64-66, September, 1987.

[13] ibid

[14] Beta Analytics, Inc., 9600 Pennsylvania Avenue, Upper Marlboro, MD 20772

[15] Multi-mode: various methods of teaching groups or individuals

[16] Individually Prescribed Instruction, Learning Research and Development Center of the University of Pittsburgh, 1966.

[17] Barefoot, J. Kirk, Employee Theft Investigation, Butterworth Publishers, Boston, 1979.