2020 EDSIG Proceedings: Abstract Presentation

How to Apply an Agile Framework to InfoSec Management

Leigh Mutchler
James Madison University

Amy Connolly
James Madison University


Information security (InfoSec) is a vital yet complex sociotechnical system (Zimmermann & Renaud, 2019) in today’s digital age. Because of the ever-changing landscape, students entering the workforce lack skills that organizations desperately need (Mickos, 2019). The need for well-trained InfoSec professionals increases yearly; more than 200,000 jobs remained open in 2015 (Sheridan, 2016) and 4 million workers are needed by 2021 (Help Net, 2019; Morgan, 2017). Here, we propose that agile is desperately needed to help universities train dexterous InfoSec professionals who can meet the demands of this novel field. Multiple entities have identified InfoSec’s core content for a curriculum (Burley et al., 2017; Newhouse et al., 2017; NSA CSS, 2020), but they fail to provide pedagogical models, formal research or example cases to build a course (Ahmad & Maynard, 2014; Spears, 2018; Yates et al., 2018). The expansive InfoSec content is typically addressed either from a managerial focus or a technological one (Yates et al., 2018). As an instructor of InfoSec Management for the past two years and despite the use of active learning, I discovered that students completing the course generally lack sufficient understanding to make informed security decisions. This lack is partly due to the breadth of the material – too much time on definitions and not enough opportunity to work with and apply material to specific problems. Additionally, I find that student groups do not work well as a team, and as a result, experience internal problems and fail to gain deeper learning from group socialization and collaboration.

Therefore, I am taking a new, innovative approach in InfoSec Management. Students need opportunities to apply classroom knowledge to real-world problems, to iteratively work through decision-making processes, and to develop camaraderie and collaborative skills working in a team. One potential tool to meet these goals is Scrum (Course Expert, 2020). This agile framework is typically associated with software development, and while developers are encouraged to include InfoSec professionals on projects, agile methods are not integrated into InfoSec programs. Practitioners argue that agile should be embraced in the field (Curry, 2019; Lietz, 2015; Platinum Edge, 2015), even calling for agile InfoSec research (Baskerville, 2004), but formal literature provides no insight into the prevalence of InfoSec projects using agile tools such as Scrum, nor whether instructors teach InfoSec with agile tools.

Therefore, my plan to apply Scrum is as follows. First, organize student groupwork into 2- to 3-week Sprints. Groups will maintain standard Scrum artifacts (e.g., Kanban board for tasks, burndown chart for scheduling, etc.). After each Scrum, groups perform retrospectives to discuss and improve work processes. Group tasks contain a series of activities where Sprints build on previous ones, and students present working products then incorporate feedback to improve tasks. Tasks will be too complex to break into individual pieces, thereby requiring students to work together as a team. Working with course material to solve problems will deepen understanding of material.

Despite the added difficulty of conducting class during the COVID-19 pandemic (due to limited physical interaction), I will try this plan during fall 2020 and report on successes, failures, and lessons learned. I welcome suggestions and feedback from fellow InfoSec colleagues attending the conference to improve the course in the future.

Keywords: Information security management, agile framework, active learning, IS pedagogy


Ahmad, A., & Maynard, S. (2014). Teaching information security management: Reflections and experiences. Information Management & Computer Security, 22(5), 513–536. https://doi.org/10.1108/IMCS-08-2013-0058

Baskerville, R. (2004). Agile Security for Information Warfare: A Call for Research. 11. http://aisel.aisnet.org/ecis2004/13

Burley, D., Bishop, M., Kaza, S., Gibson, D. S., Hawthorne, E., & Buck, S. (2017). ACM Joint Task Force on Cybersecurity Education. Proceedings of the 2017 ACM SIGCSE Technical Symposium on Computer Science Education, 683–684. https://doi.org/10.1145/3017680.3017811

Course Expert. (2020, July 20). Using Scrum Principles in Domains other than Software Development. Take This Course. https://takethiscourse.net/scrum-principles/

Curry, S. (2019, May 8). Cybersecurity By Scrum. Forbes. https://www.forbes.com/sites/samcurry/2019/05/08/cybersecurity-by-scrum/

Help Net. (2019, November 8). Cybersecurity workforce skills gap rises to over 4 million. Help Net Security. https://www.helpnetsecurity.com/2019/11/08/cybersecurity-workforce-skills-gap/

Lietz, S. (2015, June 1). What is DevSecOps? Devsecops. https://www.devsecops.org/blog/2015/2/15/what-is-devsecops

Mickos, M. (2019, June 19). The Cybersecurity Skills Gap Won’t Be Solved in a Classroom. Forbes. https://www.forbes.com/sites/martenmickos/2019/06/19/the-cybersecurity-skills-gap-wont-be-solved-in-a-classroom/

Morgan, S. (2017, June 6). Cybersecurity labor crunch to hit 3.5 million unfilled jobs by 2021. CSO Online. https://www.csoonline.com/article/3200024/cybersecurity-labor-crunch-to-hit-35-million-unfilled-jobs-by-2021.html

Newhouse, W., Keith, S., Scribner, B., & Witte, G. (2017). National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework (NIST SP 800-181). National Institute of Standards and Technology. https://doi.org/10.6028/NIST.SP.800-181

NSA CSS. (2020). National Centers of Academic Excellence. NSA.Gov. https://www.nsa.gov/resources/students-educators/centers-academic-excellence/

Platinum Edge. (2015, August 12). Using Scrum for Cybersecurity & Responding to Attacks. Platinum Edge. https://platinumedge.com/blog/using-scrum-cybersecurity-responding-attacks

Sheridan, K. (2016, August 1). Cyber-Security Skills Shortage Leaves Companies Vulnerable. InformationWeek. https://www.informationweek.com/strategic-cio/security-and-risk-strategy/cyber-security-skills-shortage-leaves-companies-vulnerable/d/d-id/1326463

Spears, J. (2018). Gaining Real-World Experience in Information Security: A Roadmap for a Service-Learning Course. Journal of Information Systems Education, 29(4), 183–202. https://aisel.aisnet.org/jise/vol29/iss4/1

Yates, D. J., Frydenberg, M., Waguespack, L. J., McDermott, I., O’Connell, J., Chen, F., & Babb, J. S. (2018). Dotting i’s and Crossing T’s: Integrating Breadth and Depth in an Undergraduate Cybersecurity Course. 2018 Proceedings of the EDSIG Conference, 21.

Zimmermann, V., & Renaud, K. (2019). Moving from a ‘human-as-problem” to a ‘human-as-solution” cybersecurity mindset. International Journal of Human-Computer Studies, 131, 169–187. https://doi.org/10.1016/j.ijhcs.2019.05.005