CERIAS to CAE: We're Not a Lemon

Every so often we discuss topics like starting out in digital security on this blog. Formal education is one method, with one approach being a Centers of Academic Excellence in Information Assurance Education. This program reports "93 Centers across 37 states and the District of Columbia." At first glance it is tough to see a downside to this program.

This is why I was surprised to read Centers of Academic... Adequacy, a recent post by Dr Gene Spafford. The core argument appears in this excerpt:

[W]e do not believe it is possible to have 94 (most recent count) Centers of Excellence in this field. After the coming year, we would not be surprised if the number grew to over 100, and that is beyond silly. There may be at most a dozen centers of real excellence, and pretending that the ability to offer some courses and stock a small library collection means “excellence” isn’t candid.

The program at this size is actually a Centers of Adequacy program. That isn’t intended to be pejorative — it is simply a statement about the size of the program and the nature of the requirements.

Some observers and colleagues outside the field have looked at the list of schools and made the observation that there is a huge disparity among the capabilities, student quality, resources and faculties of some of those schools. Thus, they have concluded, if those schools are all equivalent as “excellent” in cyber security, then that means that the good ones can’t be very good ("excellent" means defining the best, after all). So, we have actually had pundits conclude that cyber security & privacy studies can’t be much of a discipline. That is a disservice to the field as a whole.

Instead of actually designating excellence, the CAE program has become an ersatz certification program... (emphasis added)

Therefore:

[W]e did not renew the certifications, and we dropped out of the CAE program when our certification expired earlier this year.

Wow, that is striking. CERIAS decided to remove itself from the "Centers of Academic Excellence" program for the reasons cited, plus several more listed in the blog. That's like me deciding to not renew my CISSP on moral grounds... except I did renew late last year when my employer requested the renewal and paid for it. CERIAS drew a real line in the sand and said "no thanks" to the government.

Does Spaf's comments remind you of the market for lemons?

There are good security programs and defective security programs ("lemons"). The prospective student of a security program does not know beforehand whether it is a good program or a lemon. So the student's best guess for a given program is that the program is of average quality; accordingly, he/she will be willing to pay for it only the price of a program of known average quality.

This means that the owner of a good security program will be unable to get a high enough tuition to make offering that program worthwhile. Therefore, owners of good programs will not place their programs in the CAE system. The withdrawal of good programs reduces the average quality of programs on the market, causing students to revise downward their expectations for any given program. This, in turn, motivates the owners of moderately good programs not to participate in CAE, and so on. The result is that a market in which there is asymmetrical information with respect to quality shows characteristics similar to those described by Gresham's Law: the bad drives out the good... (That's the latest Wikipedia entry modified to discuss the issue at hand.)

The question now becomes: will any other university not renew their CAE status? Furthermore, will any of us decide not to renew our CISSP? I already decided not to renew my CCNA and CIFI certs. I let the CCNA lapse because it just isn't important for what I do. I let the CIFI lapse because the organization behind it collapsed following the tragic passing of its founder.