Education for information security professionals
Because this very morning I made the first payment for my sons' college tuition, I've been thinking about education a lot recently. (Yes, the apostrophe is in the correct place there. They're close enough together in age so that they're both starting at once. This is definitely not good in some ways. Perhaps even tens of thousands of ways.)
College does have some unexpected benefits. An example of this is the fact that your parents end up being unable to afford any new clothes for several years, which is a powerful incentive for them to not gain weight.
But there are also others – some of the classes that you take and don't really expect to have much use for actually end up being very useful after you graduate. I've heard Jeff Ullman talk about how surveys of Stanford computer science graduates taken after they'd been working for a few years suggested that automata theory was actually the second most useful CS class that they'd taken, second only to C or Java programming. That's certainly not something that I would have expected, and it's not something that most CS undergraduates seem to appreciate when they're learning automata theory.
So what we need is for someone to do a similar survey of information security professionals. There are already people getting undergraduate and graduate degrees in information security, and the curriculum that they study in school is getting to be more and more common from college to college, much like what happened to CS a couple of decades ago.
I'd guess that one of the more useful courses for information security professionals would be a course in microeconomics. Microeconomics is an interesting field unto itself, but the single lesson that I'd guess that students of information security would find extremely useful is understanding that every decision involves trade-offs. That principle is extremely clear in economics, but it's often overlooked or forgotten in the business world.
But because every information security project involves things like trade-offs between security and usability, this idea certainly seems like something that information security professionals really ought to understand. Their job often involves trying to convince people that certain trade-offs are really worth making, and the trade-offs aren't always explained very clearly.
Maybe that sort of thinking is taught in other classes, but I only saw it in economics classes. Caltech offers an excellent class on economics for scientists. Maybe there's a need for a version that's roughly economics for information security. Or is that class already being taught somewhere?