13 November 2021
A Better View On The Cybersecurity Professional Education
There is an urgent requirement to improve European cybersecurity skills and competences, which starts by addressing the availability of relevant education programmes, the lack of which poses a grave risk for all stakeholders in European society.
CyberSec4Europe’s report Design of Education and Professional Framework reviews the most common cybersecurity-related professional frameworks, analyses the challenges and requirements for quality professional cybersecurity education courses, and proposes several framework taxonomies and methodologies in support of providing professional cybersecurity programmes.
A credible education programme builds on identifying the particular skills and competences required in various cybersecurity-related roles, and the level at which they are required. This can be achieved by prioritising the cyber skills needed for security professionals in general. Furthermore, it is feasible to assess how educational, customisable cybersecurity programmes for professionals can be built in the light of already existing industry programmes. This requires designing a methodology for this particular process, and implementing the related capabilities required to run such programmes.
The report establishes a framework for cybersecurity professional categories, and a scale for assessing the skills and skill levels for each category. The end goal is to provide good education resources for those wanting to learn about cybersecurity, and some form of criteria that people can present as evidence of their qualifications for cybersecurity-related employment positions. The framework is based on that defined by CyberSec4Europe, and on other common frameworks that have been proposed in the field of cybersecurity. To enhance the framework's applicability and build relevant and wide-ranging job profiles for the framework, four specific use cases with twelve scenarios are presented. The skills required in each of these scenarios are evaluated, and related job profiles are derived from them. Then the average cybersecurity skill level for each profile required in each of the scenarios is evaluated according to a four-step skill rating scale. From the scenario evaluations, the report concludes that the most needed skills in such scenarios are data integrity and authentication, access control, secure communication protocols and usable security and privacy. Less often required skills are in the areas of cryptanalysis, design, component procurement and system thinking. In general, most scenarios require a multitude of broad cybersecurity skills.
Even though skill requirements related to the scenarios represent a particular point of view, some general conclusions can be drawn. Because the variance of required skills can differ vastly depending on the role, general cybersecurity programmes targeted to a certain work environment might be useful to some extent. However, to efficiently add value, there is a need for well-justified and customised skills education for a certain professional group. Also, an analysis of a scenario of this kind, in the form of a standard and easily comparable table framework, may help point to the breadth of skills needed. The framework can help visualise highly relevant cybersecurity skills that can be difficult to discover otherwise. For instance, when considering a cybersecurity education offering in general for IT professionals, usability skills might often be overlooked in favour of technical skills, even though an awareness of usable security and privacy is required in many of the scenarios at an advanced level. In addition, this kind of illustration reveals overlapping education needs and may help combine different target groups when arranging cybersecurity education.
In the future, we aim to validate our work with a wider audience, using a targeted survey. Our aim is to ensure that the evaluations via our framework help organisations resolve what kind of skills education would be most beneficial for their professionals.
Anni Karinsalo, VTT Technical Research Centre of Finland