Information Security Education Overview

Non-availability of skilled staff has been identified as the third most significant cause of the failure of users of information technology to ensure the security of their physical assets and information (Furnell & Clarke, 2005). Organizations employing ISA professionals generally base their assessment of an individual's skill level on the following indicators:

* Academic qualifications leading to a diploma and/or degree.
* Professional Certifications (CISSP, SSCP, CISA, GISEC, etc.).
* Vendor-Specific Certifications (MCSE, CCSP, CompTIA, Security+, TISIA, etc.).

Professional and vendor certifications in Information Security validate competencies and skills, but they do not replace experience or education. While academic qualifications support broad knowledge and skills in general, professional certifications may be effective in a limited area of operations. Academic programs that expose students to theoretical concepts and problem-solving experience are critical for preparing graduates for jobs in information security. The critical importance of the information security curriculum at universities was stressed in (Irvine, Chin, & Frincke, 1998) as follows:

"An educational system that cultivates an appropriate knowledge of computer security will increase the likelihood that the next generation of Information Technology (IT) workers will have the background needed to design and develop systems that are engineered to be reliable and secure."

Many educational institutions defined their educational models and curricula based on standards and guidelines promoted by government or other organizations, resulting in numerous ISA education models and curricula. Despite a variety of ISA curricula and diverse educational models, universities often fail to graduate students with the skills demanded by employers.
Therefore, it is necessary to identify the issues and suggest changes in the curricula to ensure that undergraduates and graduates have gained the required skills after completing their studies. We primarily focus on Information Security curricula issues in the US, and outline a few distinctions from other parts of the world. We recognize that the international aspects of Information Security curricula are too broad for a single paper to cover comprehensively.

The remainder of the paper is organized in sections that review the ISA programs in the US and evaluate the quality of academic information security programs, including the requirements for effective implementation of information security curricula as well as future directions for more responsive curricula. In this paper, we suggest actions that should make the ISA curricula in universities responsive to the needs of the general population and of the industry in which graduates with ISA skills and specialization will be employed.

Information Security Education in US

The National Institute of Standards and Technology (NIST) and the National Security Telecommunications and Information Systems Security Committee (NSTISSC), along with others, contributed to the guidelines for training and education. In addition, the ISO 17799 Information Security Management standard of 2000, with additions in 2002, includes requirements for information security education and training. An NSTISSC directive established the requirement for all federal agencies to develop and implement education, training, and awareness programs for national security systems. The required knowledge areas, known as the Common Body of Knowledge (CBK), were defined by the International Systems Security Certification Consortium (ISC)². However, the focus is on practical, low-level skills which are identified in various standards. In addition, the Electronic Develop-A-Curriculum (EDACUM) program supports the development of a curriculum based on NSTISSI standards.
Some colleges and universities have been certified to meet one or more NSTISSI standards. …