Cybersecurity as a Crosscutting Concept Across an Undergrad Computer Science Curriculum: An Experience Report
Azqa Nadeem
TL;DR
The paper investigates embedding cybersecurity as a crosscutting concept within undergraduate CS curricula to address workforce shortages and curricular gaps. It documents a five-year implementation (CSLS) across three year-1 core courses at a European university, with security experts delivering lectures, hands-on activities, and exam content aligned to CSEC2017 knowledge areas, reaching over 2200 students. Evaluation from students and instructors reveals strong student enthusiasm and retention of security concepts, but reveals systemic barriers due to misaligned incentives and lack of organizational oversight that threaten sustainability. The authors propose a hybrid, coordinator-supported model—combining crosscutting security content with a potential later dedicated security course—to guide scalable adoption in other programs. Overall, the work provides practical guidance for integrating security across CS curricula to produce security-literate graduates and a more cyber-ready workforce.
Abstract
Although many Computer Science (CS) programs offer cybersecurity courses, they are typically optional and placed at the periphery of the program. We advocate to integrate cybersecurity as a crosscutting concept in CS curricula, which is also consistent with latest cybersecurity curricular guidelines, e.g., CSEC2017. We describe our experience of implementing this crosscutting intervention across three undergraduate core CS courses at a leading technical university in Europe between 2018 and 2023, collectively educating over 2200 students. The security education was incorporated within CS courses using a partnership between the responsible course instructor and a security expert, i.e., the security expert (after consultation with course instructors) developed and taught lectures covering multiple CSEC2017 knowledge areas. This created a complex dynamic between three stakeholders: the course instructor, the security expert, and the students. We reflect on our intervention from the perspective of the three stakeholders -- we conducted a post-course survey to collect student perceptions, and semi-supervised interviews with responsible course instructors and the security expert to gauge their experience. We found that while the students were extremely enthusiastic about the security content and retained its impact several years later, the misaligned incentives for the instructors and the security expert made it difficult to sustain this intervention without organizational support. By identifying limitations in our intervention, we suggest ideas for sustaining it.