Experience in the Formation of Competencies in the Field of Information Technology Security in the Educational Programs of MIEM NRU HSE

The paper discusses the development and testing of a model of competencies in information security which ensures the effective interaction of society, business, the labor market and education in the digital economy. The proposed model is based on the requirements of employers for the training of a modern engineer. In accordance with the developed competency model in the field of information security the original educational standards for engineering education implemented at MIEM NRU HSE were modernized.


Introduction
Digital technology is booming all over the world. More and more areas of the economy are using the capabilities of technologies such as Internet of Things, artificial intelligence, data analysis, virtual reality, etc. The digital transformation of the economy involves the introduction of modern technology in the business processes of the enterprise [1]. The concept of smart manufacturing based on the industrial Internet, combining physical production and operations with intelligent digital technologies, introduces fundamental changes in management approaches, corporate culture, external communications [2] as well as the key competencies of a modern engineer [3][4][5].
Obviously, for the successful implementation of digital technologies it is necessary to make significant changes both in the educational programs for training engineers and in the approaches to their implementation, with the aim of developing skills in such areas as big data analysis technologies, the industrial Internet, cyber-physical systems, cloud technologies for storing and processing information, etc. [6-8]. Cybersecurity occupies a special place in this series.
The issues of ensuring data security and the security of information systems and of the technologies themselves that ensure safe information interaction between people and business in the digital economy are becoming extremely important for the digital transformation of the state and society [9-13]. It is this circumstance that explains the need to form competencies in the field of information security among engineering personnel. Modern production companies and enterprises are in dire need not only of specialists in cybersecurity, but also of engineering and technical workers with the necessary skills in the in at least one area or field of professional activity, or to solve the tasks of professional activity of at least one type established in the HSE original educational standard [17].
Professional competencies are determined on the basis of professional standards corresponding to the professional activities of graduates as well as on the basis of an analysis of labor market requirements, generalization of foreign experience, consultations with leading employers, associations of employers in the industry in which graduates are in demand [18].
The main professional competencies that a graduate of the Computer Security educational program should have can be presented in the form of Table 1. This table is called the competency model.

Table 1
1. The ability to protect information in the computer and computer networks
2. The ability to protect operating systems
3. The ability to protect information in database management systems
4. The ability to provide technical, antivirus, cryptographic protection of information in computer systems
5. The ability to develop computer system security models
6. The ability to analyze the security models of computer systems, including compliance with domestic and foreign standards in the field of computer security
7. The ability to apply mathematical methods to assess the security of computer systems including by designing their mathematical models
8. The ability to develop design and technical (including reporting) documentation
9. The ability to develop draft regulatory legal and methodological documents in the field of information security
10. The ability to analyze design decisions to ensure the security of computer systems
11. The ability to make an informed choice of software and hardware implementations of information protection methods

As can be seen from Table 1, very serious requirements are imposed on the graduates of the educational program "Computer Security", both in terms of directly ensuring the security of computer systems and networks and in terms of analyzing and justifying the level of security of these systems and the related design decisions, as well as in terms of preparing the necessary supporting documentation.

The implementation of a competencies model in the field of information security in the engineering educational programs
The issue of designing the necessary competencies in students has two sides: the first is the direct formation of these competencies, and the second is establishing the fact of their presence, that is, establishing that the necessary knowledge and skills are available.
In order to solve these problems, a detailed analysis of the problems of training engineering personnel in the field of information protection and of the formation of basic professional competencies was carried out at MIEM NRU HSE. The analysis noted such acute problems of training modern engineers as the low level of cyber hygiene and cyber culture, the insufficiently high and often one-sided level of training of specialists in information protection, and the acute shortage of these specialists in the labor market. Based on an analysis of existing experience in training information security specialists, as well as an analysis of the needs of partner organizations of MIEM NRU HSE, especially those at risk and subject to regular cyber attacks, methods are proposed for building the competencies these specialists require to work in the digital economy, together with a methodology for verifying their implementation. The proposed competency model is being tested, including through project activities in the interests of industrial partners, internships, participation in competitions in the profile of training, and the involvement of employees of partner organizations in the formation of the necessary competencies and in the assessment of the level of students' training. Table 2 shows the names of a number of partner organizations of the "Computer Security" educational program and their areas of information protection. Every year, students of the educational program undergo practical training and internships in these organizations under the direct supervision of leading specialists who help students develop the necessary skills, thereby forming the required competencies.
Company "InfoWatch": Protection against an internal intruder
By communicating directly with students in the process of solving production problems, representatives of partner organizations get an idea of whether the students have the necessary knowledge and skills, of their ability to master questions and problems that are new to them, of their ability to find solutions to problems independently, and of their ability to work in a team. Representatives of the industrial partners reflect their opinion on all these issues, including the availability of the necessary competencies, in a detailed report on internships, which is one of the required indicators for the formation of competencies.
An important element in the implementation of the considered competency designing model is the participation of students in project activities [18]. Table 3 presents some topics of projects in which students of the educational program "Computer Security" participated in the 2018-2019 academic year, together with their types.

Table 3. Student Project Topics
As can be seen from Table 3, the topics of projects carried out by students of the design bureau and their types are very diverse. The project implementation procedure consists of two stages. At the first stage students choose topics, draw up a detailed technical assignment and shoot a short video presenting the task. At the second stage the substantive work of fulfilling the technical specifications is carried out. At the final stage students draw up a detailed report on the work done and a short presentation that they give before the examination committee. The assessment for the project consists of the assessments of the first and second stages, including the assessment for the presentation and the assessment of the project manager [19].
An important tool for the formation of the necessary competencies is the activity of students performed in the course of various kinds of internships. This type of study forms the student's competencies, allowing them to solve the practical problems of the chosen profession, including design, research, entrepreneurial, expert and analytical activities.
The curriculum of the Computer Security educational program provides for three groups of internships:
- the internships in the companies and organizations or in the workplace;
- the design internships;
- the research internships.
The following methods of conducting internships are allowed: stationary and visiting. The group of internships in the companies or organizations or in the workplace includes educational, industrial and other types of internships. The group of design internships includes the student's project activities (project, course project) and the project seminar, as mentioned above. The group of research internships includes the preparation of the thesis, written coursework of a research nature, and a research seminar (RS).
The RS is provided for a limited circle of students who have chosen the research or expert-analytical option as the main type of future professional activity. Both University employees and invited specialists with experience and significant achievements in the field to which the scientific seminar is oriented are involved in the RS.
Currently, studies to test the above competency model are ongoing, in search of new forms of forming the competencies and verifying their content. In particular, discussions are being held on how, in determining the level of formation of competencies, to take into account students' individual and group achievements in scientific work, in helping teachers to conduct the educational process, and in various competitions in the profile of training, such as CTF and several others.
As noted above, the second important point in the formation of students' competencies is to establish the fact of their presence, that is, to establish the availability of the necessary knowledge, skills and abilities both in the field of natural sciences and in the professional field.
Traditional methods of testing students' knowledge and skills are various forms of intermediate and final control, determined by the leading subject teacher. The intermediate forms of control usually include colloquiums, control and independent work, homework and laboratory work, and the presentation of reports and abstracts on the subjects studied. The forms of final control usually include tests and exams, which in turn may be written or oral, as well as computer tests.
The final control in the disciplines of the natural science cycle, such as mathematics, physics and information theory, is as a rule carried out in the form of an oral exam in which students receive tickets containing theoretical questions and problems. In the theoretical part the student is required to prove some statement, while the problem must be solved in any known way with an explanation of the course of the solution. A convenient form of final control is a combination of written and oral examination, in which the teacher first gives a written task and checks its completion, and then an oral interview is conducted.
When determining the final grade on the subject along with the assessment for the exam, the results of the intermediate control are also taken into account. This approach on the one hand stimulates continuous work during the period of study of the discipline and on the other allows you to more objectively assess the development of the stated competencies [20].
Modern information technologies make it possible to apply other forms of intermediate and final control of the development of competencies, especially in the professional field. An example of such forms of control is computer business games in which the student must perform various tasks: to find vulnerabilities, to identify malicious impacts and neutralize them, to develop a system of protection for a local or remote network or a database, to detect traces of a computer attack, and other similar tasks. In the course of these tasks it is not difficult for the teacher or the commission to draw an objective conclusion about the level of development of the student's relevant competencies.
It seems that the problem of constant search and introduction of modern methods and technologies both in terms of the formation of competencies and in terms of checking the level of their development is very important in the issues under consideration.
As an illustrative example of modern technical means of training let us consider a training stand that simulates the operation of an automatic process control system (ACS) [21].
The stand consists of the following main parts:
- Models of three enterprises in respect of which the attack on the ACS TP can cause serious damage: power plant, oil pumping station, railway,
- The Cisco Catalyst 2960 Switch,
- Layout controls,
- Administrator computer,
- The attacker's computer.
The photo of the stand is shown in Figure 1.
Fig. 1. General photo of the studied stand
As noted above the stand has three main modes (scenarios) of operation:
1. Layout of the power plant, the administrator works with the power plant management console.
2. Layout of the oil pumping station, the administrator works with the control console of the oil pumping station.
3. Layout of the railway, the administrator works with the power grid management console.
Work on the stand involves the actions of an attacker who tries to use specially implemented vulnerabilities to gain unauthorized access to process management in order to change the normal mode of operation of the enterprise. The actions of an information system security officer involve the detection of the intruder's interference and its neutralization. The student performing the role of an attacker demonstrates the ability to find and exploit system vulnerabilities, and the student performing the role of a security officer demonstrates the ability to detect the intruder and eliminate the consequences of his activities.
Work at this stand is a business game and serves as an objective test of the knowledge and skills gained in terms of ensuring the security of real information systems.

Conclusion
The proposed competency model in the field of information security was used in the development of original educational standards for engineering training programs at MIEM NRU HSE. It took into account the requirements of industrial partners as well as modern technologies of digital education.