Outcomes-Based Assessment as an Assurance Education Tool

  • Susan Older
  • Shiu-Kai Chin
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 125)


The goal of Syracuse University’s Certificate of Advanced Study in Systems Assurance (CASSA) program is to develop students who (1) comprehend the concepts underlying security and system assurance; (2) can apply those concepts to construct assured systems; and (3) can critically analyze and evaluate systems’ conformance to their requirements. Because of this third requirement, a key component of the CASSA program is an emphasis on using formal mathematics and logic to provide a rigorous basis for the assurance of information and information systems.

Our purpose in writing this paper is twofold. The first is to report on our progress in delivering an assurance curriculum with a strong emphasis on logic and formal methods. Specifically, we describe what we are teaching in two of our foundational courses, as well as what our students are learning. The second and broader purpose is to advocate the use of an outcome-based approach when developing IA courses and curricula. We have found that focusing on the desired educational outcomes from the outset has made it easier to identify what is working and what is not, and we wish to share our experiences.

Key words

Formal methods, educational outcomes, assessment of student learning, assurance.



Copyright information

© Springer Science+Business Media New York 2003

Authors and Affiliations

  • Susan Older (1)
  • Shiu-Kai Chin (1)
  1. Department of Electrical Engineering and Computer Science, Systems Assurance Institute, Syracuse University, Syracuse, USA
