Towards a framework for the integration of information security into undergraduate computing curricula

  • K-L. Thomson Nelson Mandela University
  • L.A. Futcher Nelson Mandela University PE
  • L. Gomana Nelsen Mandela University PT


With the rapid rise of the world’s reliance on technology, organisations are facing an increased demand for a security savvy workforce. It is, therefore, important that computing graduates possess the necessary information security skills, knowledge and understanding that can enable them to perform their organisational roles and responsibilities in a secure manner. The information security skills, knowledge and understanding can be acquired through a computing qualification that is offered at a higher education institution. The ACM/IEEE, as a key role player that provides educational guidelines for the development of computing curricula, recommends that information security should be pervasively integrated into the curriculum. However, its guidelines and recommendations do not provide sufficient guidance on “how” this can be done. This study therefore, proposes a framework to address the pervasive integration of information security into computing curricula. Various research methods were used in this study. Firstly, a literature review was undertaken to inform the various phases and elements of the proposed framework. The literature reviewed included relevant information security education standards and best practices, including key computing curricular guidelines. Secondly, a survey in the form of semi-structured interviews supported by a questionnaire were used to elicit computing educators’ perspectives on information security education in a South African context, including the perceived challenges and ideas on how to integrate information security into the curricula. Finally, elite interviews were conducted to validate the proposed framework. It is envisaged that the proposed framework can assist computing departments and undergraduate computing educators in the integration of information security into the curricula thereby helping to ensure that computing graduates exit higher education institutions possessing the necessary information security skills, knowledge and understanding to enable them to perform their roles and responsibilities securely.

Author Biography

K-L. Thomson, Nelson Mandela University

Associate Professor in the School of Information and Communication Technology

Senior Instructor in the Nelson Mandela University Cisco Networking Academy


ACM/IEEE - CS. (2008). Computer Science Curriculum 2008 : An Interim Revision of CS 2001 Report from the Interim Review Task December 2008 Association for Computing Machinery IEEE Computer Society. Security. Retrieved from

ACM/IEEE - CS. (2013). Computer Science Curricula 2013. Current Practice, 1–172. Retrieved from:

ACM/IEEE – IT (2008). Information Technology 2008 Curriculum Guidelines for Undergraduate Degree Programs in Information Technology. Current Practice, 1–139. Retrived from:

ACM/IEEE - IT (2017) Information Technology Curricula 2017. Retrieved from:

Amankwa, E., Loock, M., & Kritzinger, E. (2014). A conceptual analysis of information security education, information security training and information security awareness definitions. In The 9th International Conference for Internet Technology and Secured Transactions (ICITST-2014) (pp. 248–252).

Conti, G., Hill, J., Lathrop, S., Alford, K., & Ragsdale, D. (2003). A comprehensive undergraduate information assurance program. IFIP Advances in Information and Communication Technology, 125, 243–260.

Dodge, R. C. (2013). Information Assurance and Security in the ACM/IEEE CS2013. In D. J. Ronald C & L. A. Futcher (Eds.), IFIP World Conference on Information Security Education (pp. 48–57). Berlin, Heidelberg: Springer.

Futcher, L., Schroder, C., & Von Solms, R. (2010). Information security education in South Africa. Information Management & Computer Security, 18(5), 366–374.

Futcher, L. & Van Niekerk, J. (2011). Towards a Pervasive Information Assurance Security Educational Model for Information Technology Curricula. In D. J. Ronald C & L. A. Futcher (Eds.), Proceedings of the 8th World Information Security Education Conference (pp. 164–171). Springer Berlin Heidelberg.

Author1, Author2, Author3. (2015). Reference details removed.

Author1. Author2, Author3 (2016). Reference details removed.

Hinson, G. (2005). The Value of Information Security Awareness. Noticebored-Creative Help for Your Information Security Awareness Program, (June), 1–20. Retrieved from

Institute of Progressive Education and Learning (2018). Curriculum Development Cycle. Retrieved from

Irvine, C. E., Chin, S. K., & Frincke, D. (1998). Integrating security into the curriculum. Computer, 31(12), 25–30.

ISO/IEC 7498-2. (1989). Information Processing Systems - Open Systems Interconnection - Basic Reference Model - Part 2: Security Architecture (1st ed.). Switzerland: ISO/IEC.

King, M. (2009). King Code of Governance for South Africa 2009. Institute of Directors in Southern Africa.

McCumber, J. (2005). Assessing and Managing Security Risk in IT Systems: A structured methodology. Auerbach Publications.

Perrone, L. F., Aburdene, M., & Meng, X. (2005). Approaches to undergraduate instruction in computer security. 2005 ASEE Annual Conference and Exposition: The Changing Landscape of Engineering and Technology Education in a Global World, 651–663.

Rajasekar, S., Philominathan, P., & Chinnathambi, V. (2006). Research Methodology. Methods, 68(1), 23.

SIGITE Curriculum Committee. (2005). Computing Curriculum Information Technology Volume.

Smith, E., Von Solms, S., Oosthuizen, H., & Kritzinger, E. (2005). Information Security education: Bridging the gap between academic institutions and industry, (1998), 1–14. Retrieved from

Talib, M. A., Khelifi, A., & Ugurlu, T. (2012). Using ISO 27001 in teaching information security. IECON Proceedings (Industrial Electronics Conference), 3149–3153.

Tomhave, B. L. (2005). Alphabet soup: Making sense of models, frameworks, and methodologies, 1–57. Retrieved from

Von Solms R., & Von Solms B. Information security governance: A model based on the Direct-Control cycle. Computers & Security, Vol 25, 2006;6 : 408 – 412.

Von Solms, S., & Von Solms, R. (2009). Information Security Governance. Springer.

Whitman, M. E. (2003). Information Security. Communications of the ACM, 46(8), 91–95.

Whitman, M. E., & Mattord, H. J. (2004). A Draft Model Curriculum for Programs of Study in Information Security and Assurance. Information Systems Security Education, 30114(770). Retrieved from

Whitman, M. E., & Mattord, H. J. (2014). Management of Information Security (4th ed.). Course Technology, Cengage Learning.

How to Cite
Thomson, K-L., L.A. Futcher, and L. Gomana. 2019. “Towards a Framework for the Integration of Information Security into Undergraduate Computing Curricula”. South African Journal of Higher Education 33 (3), 155-75.
General Articles