Case-based Learning in Cybersecurity Management

How can cybersecurity executives be trained and educated to develop the necessary knowledge, skills and abilities (KSAs) to perform their challenging role? What should they be taught and what learning approach is suited to their needs? As a starting point, the joint task force on cybersecurity education[1] identified three key general areas of knowledge in organizational security management: risk management, strategy and planning, and policy and governance (Burley et al. 2017). Although this foundational knowledge is important to the cybersecurity executive, much more work is needed to determine the KSAs required for their role. How should the next generation of practitioners be educated? In their seminal paper on management education, Lowry and Turner (2005) surveyed 273 practitioners and decision-makers of information systems. The outcome of the survey clearly indicated the need to replace the traditional model of teaching (lectures, tutorials, and readings) with new models of instruction centred on case-based learning.

Case-based Learning (CBL) instigates critical discussion, draws out relevant experiences from students, encourages questioning of accepted practices, and creates dialogue between theory and practice (Kendall and Kendall 2017). Case-based learning, with its focus on problem solving, storytelling, and discussion, enables students to actively engage with complex, authentic scenarios. Particularly in the field of cybersecurity management, case-based learning provides an opportunity for students to analyse events across large, complex organisations.

I've recently published two papers on case-based learning that you might find helpful.

Ahmad, Atif; Maynard, Sean; and Motahhir, Sameen, "Teaching Information Security Management in Postgraduate Tertiary Education: The Case of Horizon Automotive Industries" (2020). ACIS 2020 Proceedings. 54.

Ahmad, Atif; Maynard, Sean B.; Motahhir, Sameen; and Alshaikh, Moneer, "Teaching Information Security Management Using an Incident of Intellectual Property Leakage" (2020). ACIS 2020 Proceedings. 36.

[1] The joint task force included the following stakeholders: ACM, IEEE Computer Society, AIS Special Interest Group on Security and Privacy, and IFIP WG 11.8.

Burley, D., Bishop, M., Buck, S., Ekstrom, J. J., Futcher, L., Gibson, D., Hawthorne, E. K., Kaza, S., Levy, Y., Mattord, H. J., and Parrish, A. 2017. "Cybersecurity Curricula 2017: Curriculum Guidelines for Post-Secondary Degree Programs in Cybersecurity," ACM, IEEE, AIS, IFIP, p. 123.

Kendall, J. E., and Kendall, K. E. 2017. "Enhancing Online Executive Education Using Storytelling: An Approach to Strengthening Online Social Presence," Decision Sciences Journal of Innovative Education (15:1), pp. 62-81.

Lowry, G., and Turner, R. 2005. "Information Systems Education for the 21st Century: Aligning Curriculum Content and Delivery with the Professional Workplace," in Technology Literacy Applications in Learning Environments. IGI Global, pp. 171-202.