A delivery model for an Information Security curriculum Dan Shoemaker University of Detroit Mercy shoemadp@udmercy.edu Julia Bawol Ford Motor Company jbawol@ford.com Antonio Drommi University of Detroit Mercy drommia@udmercy.edu Gregory Schymik Harman Becker Automotive Systems gschymick@harmanbecker.com Abstract This paper details the origin and content of a nationally accepted standard for a university curriculum in information security education. And it offers specific recommendations regarding the proper teaching and learning modalities for the fifteen common knowledge elements embodied in it. These recommendations are based on the cognitive and affective requirements of each element. This can serve as a model for designing a delivery system that fits the precise needs of students and the particular institution. Keywords: Information Systems Education, Training, Security Education, Knowledge, Security Curriculum, Pedagogy, Cognitive, Affective Introduction Information security is an emerging field in information systems education. Although the concept was introduced as far back as 1975 (Saltzer and Schroeder, 1975), it has been a continuing theme throughout the 1980s and 1990s (Nugent, 1982), (Higgins, 1989), (Bishop, 1993), (Irvine, Chin, and Frinke, 1998), (Spafford 1998), and Bishop 1999) to cite a few. Nevertheless, the notion of a dedicated study was more of an interesting side-show rather than a main tent attraction until the events of recent history put it into the center ring. And accordingly, since 2001 the interest in teaching and learning about information security has taken-off. As evidence, the National Security Agency (NSA), through the National INFOSEC Education and Training Program (NIETP), identifies fifty universities that conform to