The Production of Information Security Professionals

There is a global shortfall in the number of qualified information security professionals required to fill critical security roles in governments, industry, and society. Numerous information security education programs have been developed to address this shortfall; however, the practice of information security requires more than just skills that can be learned in a classroom. In this project, I am studying how the everyday practices of information security professionals depend upon coordination and collaboration with their peers, enabled by relationships of trust that cut across corporate and state boundaries. I am interested in the processes through which people learn the skills of information security in participation and engagement in professional communities, as much as in classroom education. Through this research, I aim to offer recommendations for information security education, as well as for policies for cybersecurity information sharing.

This project was funded by the UC Berkeley Center for Long-Term Cybersecurity.

Representative publications and presentations:

    • A Fragmented Whole: Cooperation and Learning in the Practice of Information Security (with Coye Cheshire). Report for Center for Long-Term Cybersecurity, UC Berkeley and Packet Clearing House. February 2018. [pdf] [link]
    • Risky Business: Social Trust and Community in the Practice of Cybersecurity for Internet Infrastructure (with Coye Cheshire). Proceedings of the 50th Hawaiian International Conference on System Sciences. Waikoloa, Hawaii, USA. January 2017. [pdf]
    • Becoming an Information Security Engineer. Invited paper, Ostrom Workshop Colloquium on Cybersecurity and Internet Governance, Indiana University, Bloomington. April 2017.