Toward Effective Cybersecurity Education

in Saudi Arabia 12
Mohammad Zarour, Mamdouh Alenezi, Maurice Dawson, and Izzat Alsmadi

Abstract bersecurity, availability, and confidentiality. Moreover, new

technologies such as IoT and cloud computing make our
Securing the cyberspace is a challenging task that needs lives more efficient and productive yet provide new tools and
well educated and trained professionals. Developing approaches for cybercriminals to commit and spread their
a workforce that can hold the burden of monitoring crimes on the cyberspace! In this vast cyberspace, the volume
and ensure cyberspace security is becoming prominent of information added on daily basis is really very immense.
nowadays. Accordingly, developing effective cyberse- A virus hitting your computer can cause delays and maybe
curity programs is gaining more focus in academia and cost money, but information loss is really a catastrophe.
industry. This paper examines the current state of various Accordingly, the need for cybersecurity professionals, to
cybersecurity programs in Saudi universities and provides protect our cyber lives, is growing rapidly worldwide. Cy-
some recommendations. bersecurity depends not only on cybersecurity professionals
but it is also highly dependent on educated users who are
Keywords
aware of and routinely employ sound practices [1]. Hence,
NICE framework · Cybersecurity · Education · all people and technologies involved in producing and con-
Cybersecurity curriculum design suming information are playing a major role in information
assurance.
Information assurance is a multidisciplinary field which
requires expertise in computer sciences, forensic and crim-
inology sciences, information security, system engineering,
12.1 Introduction
law, policies and procedures and others related domains [2].
Information assurance, different than information security,
Internet and web technologies are currently being integrated
encompasses not only information protection and detection
into many social, educational, economic and military systems
but includes survivability and dependability of the infor-
which creates a vast and expanding the cyber world. Al-
mation systems that are subject to attacks [2]. Information
though security is a main non-functional requirement for all
assurance supports governance of industry and government
web-based systems, such systems are suffering from various
on all their delivered services and products.
vulnerabilities that can affect users’ privacy and availability.
The Saudi information technology sector is expanding
Cyber-users, at all levels, are struggling to maintain their cy-
year after another. The percentage of deployment of the
M. Zarour () · M. Alenezi internet has soared from 64% in 2014 to about 82% by the
College of Computer and Information Sciences, Prince Sultan end of 2017 [3]. The number of current internet users in
Unviersity, Riyadh, Saudi Arabia the Kingdom is estimated to be over 26 million users [3].
e-mail: mzarour@psu.edu.sa; malenezi@psu.edu.sa Saudi Arabia is ranked first as the most vulnerable of the Gulf
M. Dawson countries to fall victim to cyber-crimes [4]. Cyberattacks cost
Center for Cybersecurity and Forensics Education, llinois Institute of Saudi public and private sectors a lot of money every year,
Technology, Chicago, IL, USA
unfortunately, not much-authenticated information has been
I. Alsmadi published in academic circles about Saudi cyber-security and
Department of Computing and Cyber Security, A&M, San Antonio,
TX, USA its annual cost [5].

© Springer Nature Switzerland AG 2020 79

S. Latifi (ed.), 17th International Conference on Information Technology–New Generations
(ITNG 2020), Advances in Intelligent Systems and Computing 1134,
https://doi.org/10.1007/978-3-030-43020-7_12
80 M. Zarour et al.

Unfortunately, despite all the attempts to solve the cyber- related initiatives include the National Cybersecurity Work-
security problem worldwide and locally in Saudi Arabia, the force Framework (NCWF) [13] as well as the Department of
trend is always in one direction: “One massive hack after Homeland Security’s (DHS) National Initiative for Cyberse-
another” [6]. Education is seen back as the main institution curity Careers and Studies (NICCS) educational framework
that can provide the engine to change and shape our solutions [14].
to the cybersecurity problem [7]. This engine participates NICE cybersecurity framework is proposed as part of an
in graduating and certifying cybersecurity professionals and initiative to enhance cybersecurity education to accommo-
most importantly disseminate the awareness among all the date industry or jobs’ needs. NICE provides, “Educators,
inhabitants of cyberspace. Awareness is very crucial as it students, and training providers with a common language to
has been recognized that two-thirds of actual losses were at- define cybersecurity work as well as a common set of tasks
tributable to activities that were not specifically electronic but and skills required to perform cybersecurity work” [13]. The
are more related to human behavior [7]. Education will help NICE framework comprises seven Categories [13]:
in bridging the cybersecurity workforce gap in the coming
years. Several references indicate that there is a significant 1. Securely Provision: Conceptualizes, designs, procures,
shortage in terms of quantity and quality for cybersecurity and/or builds secure information technology (IT) systems
professionals. “The (ISC)2 survey states that the cybersecu- 2. Operate and Maintain: Provides the support, administra-
rity workforce gap is on pace to hit 1.8 million by 2022” [8]. tion, and maintenance necessary to ensure effective and
New roles and jobs in cybersecurity arise beyond the classical efficient information technology (IT) system performance
job roles to bridge this gap. and security
Accordingly, this paper aims to study the cybersecurity 3. Oversee and Govern: Provides leadership, management,
programs in Saudi Universities and benchmarking its cur- direction, or development and advocacy so the organiza-
ricula with the NICE framework as recommended in [9]. tion may effectively conduct cybersecurity work.
The rest of this paper is organized as follows: Section 12.3 4. Protect and Defend: Identifies, analyses, and mitigates
discusses the cybersecurity in Saudi Arabia and its state of threats to internal information technology (IT) systems
practice. Section 12.4 presents the cybersecurity programs and/or networks
in the educational sector. Section 12.5 presents the discus- 5. Analyse: Performs highly-specialized review and evalua-
sions and recommendations and Sect. 12.6 concludes the tion of incoming cybersecurity information to determine
paper. its usefulness for intelligence.
6. Collect and Operate: Provides specialized denial and de-
ception operations and collection of cybersecurity infor-
12.2 NICE Framework Overview mation that may be used to develop intelligence
7. Investigate: Investigates cybersecurity events or crimes
Recent cybersecurity educational frameworks such as NICE, related to information technology (IT) systems, networks,
OPM and SEI emerge as a result of the need of changing cur- and digital evidence.
rent education methods in IT and particularly in cybersecurity
education. The NICE framework comprises 33 Key Specialty Areas
There are two major observations about IT education and (KSA), as well as Work Roles, Tasks, and Knowledge, Skills,
cybersecurity [10], firstly, “a typical US degree has limited and Abilities (KSAs). Specialty area includes a distinct cy-
time for technical computing topics; approximately 1.5 years bersecurity work. Work roles are more specific than specialty
of a four-year program might be so devoted”. Secondly, area and can be identified in the NICE framework with
“cybersecurity students need a sound background in com- specific KSAs (Knowledge, Skills, and Ability).
puter science, software engineering, or a related degree”. The
research and reported experiences on cybersecurity education
are still very limited, see for example [11, 12]. Developing 12.3 Cybersecurity Commitment: Global
cybersecurity programs, courses’ contents, labs and studying and Regional Ranking
related human-centric factors in such programs are still in its
infancy stage. United States leading the momentum in such In 2017, Saudi Arabia cybersecurity ranking was 46 out of
programs by providing various frameworks as baselines for 155 states according to the Global Cybersecurity Index (GCI)
better cybersecurity education such as the National Initiative [15, 16]. In 2018 report, Saudi Arabia cybersecurity ranking
for Cybersecurity Education’s (NICE) [13]. The work in was enhanced to become 13 over the same CGI Index. Table
the NICE project started in early 2010 and the first version 12.1 depicts the top three ranked Arabic countries with high
of the NICE framework was disseminated in 2014. Other cybersecurity commitment [15, 16].
12 Toward Effective Cybersecurity Education in Saudi Arabia 81

Fig. 12.1 Detailed assessment of cybersecurity commitment in Saudi Arabia [15]

Table 12.1 Global cybersecurity commitment score for Arabic re- the SAFCSP (The Saudi Federation for Cyber Security and
gion [15, 16] Programming).
Country GCI-V2-2017 [15] GCI-V3-2018 [16] Figure 12.2 show the recent top three score in Arab states
Global according to CGI report version 3 [16]. It shows that Saudi
GCI score rank GCI score Global rank
Arabia scores high in capacity building with a score of 0.
Arabic states Oman 0.871 4 0.868 16
0.198 followed by Oman (0.195). Qatar scored best in the
Egypt 0.772 14 0.842 23
legal pillar. Saudi Arabia and Oman scored equal points
Qatar 0.676 25 0.860 17
(0.16) in the cooperation pillar.
Saudi 0.569 46 0.881 13
Arabia

12.4 Saudi Cybersecurity in Education

Table 12.1 gives an indication about the tremendous effort
achieved by Saudi Arabia to enhance its cybersecurity index, Several Saudi universities have programs in information as-
where Saudi Arabia made a big pounce in a year and moved surance, and cybersecurity. Table 12.2 summarizes the differ-
from rank 46–13. Oman, Qatar, and Egypt respectively are ent cybersecurity-related programs delivered by Saudi uni-
in the maturing stage of cybersecurity commitment and are versities.
leading the rank of the Arabic states while several other Universities that deliver programs in information security
states are still in the initiating stage. Accordingly, Cyberspace only have been excluded (actually two universities have been
becomes vital to achieving the Kingdom’s 2030 Vision. The excluded) as the information security is a subset of the wider
detailed assessment of cybersecurity commitment in Saudi domain of cybersecurity. Overall there are four universities
Arabia is shown in Fig. 12.1 [15]. It is shown that Cyber delivering cybersecurity core programs/tracks at the under-
laws exist in the Kingdom, but its non-awareness among graduate level and three universities deliver cybersecurity
internet users has created a potential imbalance between core programs at the graduate levels. The master program of
safe internet usage and vulnerability against crime [4]. Al- Jeddah university is not discussed as at the time of writing
though Saudi Arabia is doing well in legal aspects related this paper no information was available about it.
to cybersecurity, it has some pitfalls in technical, organiza-
tional, capacity building and cooperation practices that need Imam Abdulrahman Bin Faisal University
improvements. Imam Abdulrahman Bin Faisal University has been launched
Recently, Saud Arabia has launched the National Cyber in 1975 with two colleges only in Dammam city. Nowadays,
Security Center (NCSC) to be at the forefront of the king- the university consists of 21 colleges spread throughout the
dom’s national cybersecurity defense initiative [17]. The cen- Eastern Province and a student population of over 45,000.
ter is expected to play a major role in studying and solving the The Cyber Security and Digital Forensics Program is an
pitfalls mentioned above with the collaboration of industry, undergraduate program that grants a bachelor level degree
academia and other governmental agencies. All these pillars and is offered in the College of Computer Science and Infor-
and their corresponding sub-pillars should be integrated into mation Technology. The program has 153 credit hours. Table
any current or future cybersecurity programs in the Kingdom 12.3a shows the core courses for the cybersecurity program
to bridge the gap between Academia and industry in cyber- [18].
security and build trusted workforce needed in cybersecurity.
Other centers that have been established un Saudi Arabia University of Prince Mugrin
include: the BADIR (programme for technology incubator), The University of Prince Mugrin is located in Madinah, Saudi
the MAEEN (Saudi Research and Innovation Network) and Arabia. It was founded in 2017. The University of Prince
82 M. Zarour et al.

Arab States region

0.25

0.2

0.15

0.1

0.05

0
Legal Technical Organizational Capacity Building Co operation

Saudi Arabia Oman Qatar

Fig. 12.2 Top three score in Arab States region according to the five pillars of GCI [16]

Table 12.2 Cybersecurity-related programs in Saudi universities

University Program level Program title
Imam Abdulrahman bin Faisal University Undergraduate Bachelor of Science in Cyber Security and Digital Forensics
University of Prince Mugrin Undergraduate Forensic Computing and Cyber Security
Prince Sultan University Undergraduate, Bachelor, Master of Science in Cybersecurity
Graduate
King Fahd University of Petroleum & Minerals Graduate Master of Science in Security and Information Assurance
Jeddah University Undergraduate, Bachelor, Master of Science in Cyber Security
Graduate

Table 12.3 Cybersecurity program for Imam Abdulrahman Bin Faisal University and University of Prince Mugrin
(a) Imam Abdulrahman Bin Faisal University (b) University of Prince Mugrin
CYS 401 Cyber laws and security policy FC 381 Ethical hacking
CYS 402 Mathematical foundations of information security FC 313 Cyber security
CYS 403 Network forensics, intrusion detection, and response FC 353 Operating system security
CYS 404 Information system audit FC 311 Web security
CYS 406 Network security FC 302 Computer forensics and investigations
CYS 407 Digital evidence analysis FC 332 Secure software design
CYS 408 Architecture of secure operating system FC 372 Ethics and professionalism
CYS 410 Digital forensic techniques and tools FC 304 Digital forensic tools and techniques
CYS 409 Information security management and standards FC 382 Defense mechanisms
CYS 526 Mobile and wireless security FC 411 Secure network design
CYS 532 Secure software design and engineering FC 421 Applied cryptography
CYS 523 Security threats and vulnerabilities FC 472 Security and privacy policies
CYS 533 Applied cryptography FC 462 Security risk management
CYS 57X Project FC 49X Capstone project
CYS 471 Cooperative summer training program FC Two elective courses
CYS Three elective courses

Mugrin offers Bachelor degree programs in the majors of The university has a sperate department of forensic com-
Engineering, Business Administration, Computer and Infor- puting and cybersecurity (FCCS). The FCCS department is
mation Technology, and further offers degree programs in seeking accreditation in the BCS (British Computer Society).
unique majors such as: Mechatronics Engineering, Forensic The program has 132 credit hours. Table 12.3b shows the core
Computing and Cyber Security [19]. courses for the cybersecurity program.
12 Toward Effective Cybersecurity Education in Saudi Arabia 83

Prince Sultan University the university has launched a cybersecurity program at the
Prince Sultan University was originally founded in 1999 as undergraduate level.
Prince Sultan Private College, then, in 2003, the Ministry of The college of computer science and engineering offers
Higher Education declared it to be a university. an undergraduate program in cybersecurity. The program
The university consists of five colleges: Business, Com- requires a 149 credit hours. The program has 11 courses as
puter and Information Science, Engineering, Law, and Hu- core courses. Table 12.5b summarizes the core courses of this
manities [18]. program. The university also shas a master program.
Prince Sultan university offers a cybersecurity track in the
undergraduate level that constitutes of five core courses in
cybersecurity, See Table 12.4, and one graduate program in 12.5 Discussions and Recommendations
cybersecurity as well that also constitutes of five courses and
three elective courses in the domain, See Table 12.4. As can be seen from the delivered cybersecurity programs
at Saudi universities, we can see that most of the programs
King Fahd University of Petroleum and Minerals deliver courses of wide ranges of domains in cybersecurity.
King Fahd University of Petroleum and Minerals (KFUPM) This will give the graduates a god and wide background in the
was established in 1963. The university has more than 8000 domain and leave their specialization in certain field to their
students in the meantime enrolled in various colleges and work in the market. Such programs are useful at the short run
programs [20]. as the market needs are high now, but at the medium and long
The Department of Information and Computer Science terms, the academic programs should provide more special-
offers a Master of Science in “Security & Information Assur- ized cybersecurity programs that will supply the market with
ance”, a research-oriented program targeting those who may more skilled and specialized graduates in various domains
ultimately pursue a doctoral degree in this field. The Master of cybersecurity. Hence, the number of offered programs in
of Science in Security & Information Assurance requirement Saudi Arabia at the undergraduate and graduate levels are not
is 30 credit hours that include 24 credit hours of coursework enough to satisfy the market thirst for certified professionals
(i.e., eight courses, see Table 12.5a and six credit hours of in cybersecurity, more programs and specialized tracks are
thesis work. still needed to cover the various work roles needed in the
market.
Jeddah University Collecting the available data related to different Saudi
Jeddah University was established in 2004. The university cybersecurity programs was not an easy task. Most of the
consists of 22 colleges with different programs. Recently published information provides the study plan and courses
descriptions at most. Accordingly, we believe that the avail-
Table 12.4 Prince Sultan University Cybersecurity undergraduate track and graduate program
PSU Undergraduate Track in Cybersecurity PSU Graduate Program in Cybersecurity
CYS 401 Fundamentals of cybersecurity CYS501 Fundamentals of cybersecurity
CYS 402 Secure software development CYS502 Foundations of cryptography
CYS 403 Penetration testing and ethical hacking CYS503 Privacy in a digital networked world
CYS 404 Security risk management, governance, and control CYS504 Threats, exploits and countermeasures
CYS 405 Cyber-physical systems security CYS505 Enterprise security architecture
CYSxxx Three electives

Table 12.5 Cybersecurity program for Imam Abdulrahman Bin Faisal University and University of Prince Mugrin
(a) King Fahd University (KFUPM) (b) Jeddah University
SIA 511 Principles of information assurance and security CCCY 210 Computing ethics
ICS 555 Data security and encryption CCCY 320 Cybersecurity fundamentals
SIA 521 Network security CCCY 412 System administration
XXX Three SIA elective courses CCCY 410 Cryptography
YYY Two elective courses CCCY 422 Information security management
CCCY 420 Network security
CCCY 423 Software security
CCCY 421 Security architecture and engineering
CCCY 511 Vulnerability analysis and testing
CCCY 512 Cybersecurity operation
CCCY 521 Computer forensics
84 M. Zarour et al.

able data gives no clue about the work roles that the different roles that they serve is missed or not published. Universities
programs in different universities are serving or which gaps should show evidence that illustrates how their courses fit
they are trying to fill in the market’s needs. Hence, we with the market needs. Moreover, more cooperation is needed
recommend that various cybersecurity programs’ managers among the academia and the public and private cybersecurity
should work to identify the work roles they need to support agencies in Saudi Arabia to develop stronger cybersecurity
in short, medium and long-term plans. This identification national capabilities. In Future, the delivered courses for
process should be proceeded by an analysis of the Saudi each program in each university is to be classified based on
cybersecurity market needs. certain framework such as NICE framework to know which
Accordingly, most cybersecurity programs lack clear pro- dimensions are covered by each program and which are not
gram objectives. They don’t clearly specify the learning and give some thorough recommendations to enhance the
outcomes of the program nor the attained skills by the end of delivered curricula in this regard.
completing the program. Another missed issue is describing
which framework or model was used to build the cybersecu-
rity program. These frameworks will shape up the programs References
and clarify the achieved skills by the end of them. For
instance, the program can be built around the Roles specified 1. Furman, S., Theofanos, M.F., Choong, Y.-Y., Stanton, B.: Basing
cybersecurity training on user perceptions. IEEE Secur. Priv. Mag.
by the NICE framework. Each course in the program can 10(2), 40–49 (2012)
be mapped to one or two of these Roles. Another example 2. Ezingeard, J.-N., McFadzean, E., Birchall, D.: A model of infor-
would be the ACM cybersecurity curricula guidelines 2017 mation assurance benefits. Inf. Syst. Manag. 22(2), 20–29 (2005)
where the courses can be mapped to the knowledge areas. 3. CITIC: Communucation and Information Technology Commis-
sion, annual report, 2017. https://www.citc.gov.sa/en/MediaCenter/
A third example would be the Cyber Security Body of Annualreport/Pages/default.aspx
Knowledge (CyBOK) where the courses are also mapped to 4. Elnaim, B.M.: Cyber crime in Kingdom of Saudi Arabia: the threat
the knowledge areas in the CyBOK. In case these programs today and the expected future. Inf. Knowl. Manag. 3(12), 14–19
followed one of these frameworks, it would clarify the ob- (2013)
5. Dehlawi, Z., Abokhodair, N.: Saudi Arabia’s response to cyber
jectives of these programs and skills attained that match the conflict: a case study of the Shamoon malware incident. In: IEEE
market needs. It would also clarify the content and interest of International Conference on Intelligence and Security Informatics,
potential students. pp. 73–75. IEEE (2013)
Note that although cooperation, which is measured based 6. Gamer, N.: A Decade of Breaches: Myths Versus Facts.
Trend Micro. http://blog.trendmicro.com/a-decade-of-breaches-
on the existence of partnerships, cooperative frameworks myths-versus-facts/ (2015). Accessed 25 Dec 2018
and information sharing networks both at the national and 7. Shoemaker, D., Davidson, D., Conklin, A.: Toward a discipline of
international levels, is at good levels in Saudi Arabia, See cyber security: some parallels with the development of software
Fig. 12.2, We believe that the cooperation at the national level engineering education. EDPACS. 56(5–6), 12–20 (2017)
8. Cybersecurity jobs and CareersCybersecurity ventures. Herjavec
among the academia and cybersecurity public and private Group. https://cybersecurityventures.com/jobs/ (2017) Accessed
agencies is not at its best level. More cooperation is needed 23 Mar 2019
to ensure the development of much stronger Saudi cyberse- 9. Alsmadi, I., Zarour, M.: Cybersecurity programs in Saudi Arabia:
curity capabilities. issues and recommendations. In: 1st International Conference on
Computer Applications & Information Security (ICCAIS), pp. 1–
5. IEEE (2018)
10. McGettrick, A.: Toward effective cybersecurity education. IEEE
12.6 Conlusions and Future Work Secur. Priv. 11(6), 66–68 (2013)
11. Caulkins, B.D., Badillo-Urquiola, K., Bockelman, P., Leis, R.:
Cyber workforce development using a behavioral cybersecurity
Education has been seen as the cornerstone to enhancing
paradigm. In: 2016 International Conference on Cyber Conflict
the awareness in cybersecurity and to face the current and (CyCon U.S.), pp. 1–6. IEEE (2016)
future cyber threats. NICE cybersecurity framework which 12. Conklin, W.A., Cline, R.E., Roosa, T.: Re-engineering cyberse-
is a new internationally recognized framework is introduced curity education in the US: an analysis of the critical factors. In:
2014 47th Hawaii International Conference on System Sciences,
to promote better cybersecurity education programs. Cyber-
pp. 2006–2014. IEEE (2014)
security programs in the Arabic region should evolve rapidly 13. Newhouse, W., Keith, S., Scribner, B., Witte, G.: National Initia-
to accommodate such changes in the field that occur globally. tive for Cybersecurity Education (NICE) Cybersecurity Workforce
This is necessary to ensure graduating students’ skills to Framework. NIST special publication (2017)
14. National Initiative for Cybersecurity Careers and Studies: https://
fulfill local industrial demands in this area.
niccs.us-cert.gov/. Accessed 23 Dec 2019
In this article, we have explored the cybersecurity pro- 15. International Telecommunication Union (ITU): Global cybersecu-
grams Saudi Arabia. We found that although the different rity index (GCI)-V2 (2017)
cybersecurity programs constitute of a set of core and impor- 16. International Telecommunication Union (ITU): Global cybersecu-
rity index (GCI)-V3, ITU Rep. (2018)
tant courses, the linkage between these courses and the work
12 Toward Effective Cybersecurity Education in Saudi Arabia 85

17. Saudi National Cyber Security Center (NCSC): https:/ 18. Imam Abdulrahman bin Faisal University: https://www.iau.edu.sa/
/www.moi.gov.sa/wps/portal/ncsc/home/home/!ut/p/z1/ en. Accessed 17 Apr 2019
lVLLboMwEPyWHnJEu37UwBG1CJK2QiIKBF8QISRxFQxpUdr- 19. University of Prince Mugrin: https://www.upm.edu.sa/. Accessed
fe2212B1T7PSjHdGHpCwBambqzo2kxp0czZ7JUWNS85TwulTli 14 Jul 2019
NixIo0ZcEDwYRBOUsICMh5fQESZKuncTpBpdv39qx2C7Rgga 20. King Fahd University of Petroleum & Minerals: http://
eh735xbWHdaUseW7WHigrKRXtPPeSN73EaNl5IQuodBBddICg www.kfupm.edu.sa. Accessed 14 Jul 2019
Nd. Accessed 25 Dec 2019