<?xml version="1.0" encoding="UTF-8"?>
<record>
  <title>Systems Theory and Information Security: Foundations for a New Educational Approach</title>
  <journal>Information Security Education Journal</journal>
  <author>Joseph R. Laracy, Thomas Marlowe</author>
  <volume>5</volume>
  <issue>2</issue>
  <year>2018</year>
  <doi>10.6025/isej/2018/5/2/35-48</doi>
  <url>http://www.dline.info/isej/fulltext/v5n2/isejv5n2_1.pdf</url>
  <abstract>Information security education has traditionally been approached with a variety of tools. Models such as Bell-LaPadula and Clark-Wilson, cryptography, and formal methods seek to design systems without certain classes of vulnerabilities. Red teaming seeks to find vulnerabilities that were missed and security software often removes the vulnerabilities. To a lesser extent, probabilistic risk assessment and game theory have also been applied to assess threats. However, on their own, in isolation, these approaches have not “solved” the information security crisis. Internet security in particular is an area of great concern given the plethora of vulnerabilities that enable threats to confidentiality, integrity, availability, non-repudiation, authorization, authentication, and auditability. A new approach to information security engineering education is necessary that views the Internet as a complex, socio-technical system. A systems perspective acknowledges that security can only be achieved through a holistic model that addresses technological architecture and software processes, organizational behavior, and human factors. This paper suggests a novel method for information security education to identify and characterize current deficiencies in a network security control structure, elucidate the relationship between software/systems engineering and security risks, and inform an architectural description of a secure information system architecture.</abstract>
</record>
