Security for everyone

The Situation of Cybersecurity in Education

SecurityForEveryone

18/Jul/22

1. Introduction

Digital infrastructure helps in almost every aspect of our lives, from healthcare and banking to energy. Cyber-attacks can have catastrophic consequences for businesses, governments, and citizens. In recent times there has been an increasing number of cyber incidents on critical infrastructures, banking systems, healthcare, and other systems.

Despite the headlines we have seen over the past two years indicating a terrible need for better protection against these attacks, there is still a cybersecurity workforce gap of more than 2.72 million positions. The global cybersecurity workforce needs to grow by 65% to effectively defend organizations’ critical assets.

But no one organization can close this gap alone. No single government can fix it and no institution can train enough skilled professionals. Making a difference in deterring and mitigating cyber threats, and defending the bodies they threaten, will require active and ongoing participation and partnership between industries, academia, and governments, competitors or not.

Technological innovation is fundamentally transforming education and updating the skills required for modern work. Building future-ready education systems requires curricula fit for the 21st century, coupled with the consistent delivery of widely accessible instruction that builds a solid foundation for a lifetime of adapting and developing new skills. Specialized education should focus on skills that are in demand in the real world and address the disconnect between employer needs and available talent pools.

2. Overview of Countries

Cybersecurity requires a wide range of specialty areas and working roles. Thus, no single educational program could cover all the specialized skills and sector-specific knowledge requested by each employer. However, there are certain knowledge sets and skills that are essential for anyone new to a critical technical working role dealing with security, regardless of the field they are in or the specialty they adopt. This includes an understanding of basic computer architectures, cryptography, network systems, secure coding principles, and operating system (OS) internals, as well as working proficiency with OSs, fluency in mid-level programming languages, and familiarity with common exploitation methods and mitigation techniques.

Considering the wide range of specialty areas, it is not surprising that cybersecurity education has been addressed differently by various countries, which have built cybersecurity strategies with different focuses. The educational part of these strategies is mostly formulated as part of strategies for improving the general state of cybersecurity, which also include education.

2.1 The USA

In the US, the National Initiative for Cybersecurity Education (NICE) was created to improve the long-term cybersecurity position of the USA (NICE, 2013). NICE recognizes that those performing cybersecurity work (including students, job seekers, and employees) are lifelong learners throughout their efforts to emphasize and address cybersecurity implications across many domains.

The NICE Framework has been developed to help provide a reference taxonomy of cybersecurity work and of the individuals who carry out that work. The NICE Framework supports the NICE mission to energize, promote, and coordinate a robust community working together to advance an integrated ecosystem of cybersecurity education, training, and workforce development. The NICE Framework provides a set of building blocks for describing the tasks, knowledge, and skills that individuals and teams need to perform cybersecurity work. Through these building blocks, the NICE Framework enables organizations to develop their workforces to perform cybersecurity work, and it helps learners to explore cybersecurity work and to engage in appropriate learning activities to develop their knowledge and skills. This development, in turn, benefits employers and employees through the identification of career pathways that document how to prepare for cybersecurity work using the data of task, knowledge, and skill statements bundled into Work Roles and Competencies.

The NICE Framework provides organizations with a way to describe learners by associating Knowledge and Skill statements with an individual or group. By using their Knowledge and Skills, learners can complete Tasks to achieve organizational objectives. While not all organizations will use every concept about learners, the NICE Framework provides organizations with a flexible set of building blocks to use as needed by their unique context. The recognition of the role the learner plays in developing capabilities to perform cybersecurity work also reinforces the applicability of the NICE Framework to education and training providers.

By describing both the work and the learner, the NICE Framework provides organizations a common language to describe their cybersecurity work and workforce. Parts of the NICE Framework describe an organizational work context (Tasks), other parts describe a learner context (Knowledge and Skill), and finally, the building block approach of the NICE Framework allows organizations to link the two contexts together.

Furthermore, the NICE Framework provides a mechanism to communicate across organizations at a peer level, sector level, state level, national level, or international level using the same building blocks. This communication can drive innovative solutions to common challenges, lower barriers to entry for new organizations and individuals, and facilitate workforce mobility.

The NICE addresses awareness, formal education, professional training, and workforce structure. However, employers in the US still see that graduates from US higher-education institutions are lacking the NICE foundation. One recent response from a major corporation to a request for information issued by NICE indicated that “the current education environment does not provide a common baseline set of skills from which to build the specific knowledge necessary for meeting the employer’s workforce requirements”.

Another body, NIST, has developed a common language (lexicon and taxonomy) to be used by academia, industry, and government for dealing with cybersecurity content (Sharkey et al., 2013). However, experts have found that the terms are tediously dense, making it difficult for instructors and instructional designers to apply the included guidelines. Despite that criticism, the use of selected portions of the NIST framework has influenced the way cybersecurity education is taking place today. And the National Science Foundation’s (NSF’s) CyberCorps: Scholarship for Service (SFS) programs have worked closely together for years to produce positive outcomes for students and thereby improve cybersecurity for all.

2.2 The UK

In the UK, enhancing cybersecurity education and skills is one of the four main components of the national program to secure cyberspace. UK cyber policy has incorporated cybersecurity at all levels of education starting at the age of 11 years. Current strategies include supporting schools (e.g., “Girls get coding”), providing resources (e.g., The Open University), apprenticeships, support for undergraduate and postgraduate research, cybersecurity career opportunities, and internships. In 2013, a self-assessment (including interviews in academia) to identify challenges in the implementation of their program found that present gaps in cyber education should be overcome in less than 20 years.

The National Cyber Security Centre (NCSC) and its experts certify bachelor’s, integrated master’s, and master’s degrees, as well as apprenticeships. The NCSC provides either a provisional or a full certification, which is valid for 5 years. To receive certification, the programs must be focused on the main cybersecurity domain, while emphasizing the multidisciplinary scope of the program. Furthermore, the program needs to be aligned with the United Kingdom’s cybersecurity needs. It should also detail how the admission process for students will take place and what kind of profiles meet the national cybersecurity strategy. Evidence is also desired for the successful delivery of a master’s or a doctoral course and the production of scientific research, as well as the provision of external training. Engagement with industry and users should be part of the planned activities, together with dissemination activities and outreach strategies.


In addition, the NCSC has produced free cybersecurity training to raise awareness and help school staff manage some of the key cyber threats facing schools. The training is available in two formats: "a scripted presentation pack" and "a self-learn video". At the end of the training, a link to a downloadable training certificate can be accessed. This can be printed so staff and schools can demonstrate their cybersecurity awareness training.

2.3 France

In France, cybersecurity degree programs are labeled by the SecNumedu committee, which labels programs according to the rules maintained by ANSSI. The main purpose of such labeling is to inform students and employers that the university degree in cybersecurity meets the required criteria for teaching and training defined by ANSSI’s experts. These criteria have been developed by ANSSI in partnership with the industry, academia, professional associations, and the Ministry of Education. The accredited certification is valid for 3 years. The program is considered to be predominantly technical when more than 50% of the course is dedicated to practical technical activities; when the practical technical activities account for less than 50% of the course, the program is regarded as predominantly organizational. The higher proficiency levels require practical activities, such as laboratory work, to be included in the program, and these have to last for at least 50% of the course. Currently, 13 master’s degrees, 7 master’s specializations, and 17 engineering degrees (including one engineering specialist) are labeled in SecNumedu and published on ANSSI’s website.

2.4 EU

The European Union (EU) adopted a cybersecurity strategy in 2013, where education was addressed as well. ENISA was set up a few years earlier with specific tasks to be performed in this domain, for example enhancing awareness and providing information and guidelines for effective cybersecurity education. In December 2019, ENISA delivered an exhaustive report describing the state of cyber-skills development in the EU, highlighting the ever-growing lack of cybersecurity skills and cybersecurity professionals in most EU Member States. Europe lags in the development of a comprehensive approach to defining a set of roles and skills relevant to the cybersecurity field, as described in the ENISA Report - Cybersecurity Skills Development in the EU.

As a response to the need to build knowledge, skills, and capacity in cybersecurity, as required by European employers in cybersecurity, four competence centers were established in 2019 by the European Commission with the mission to provide leading research, technology, industrial, and public competences. Leadership in technology, processes, and services to establish a user-centric, EU-integrated cybersecurity ecosystem for digital sovereignty in Europe was set as the main objective of the competence centers’ work. Two of the established centers, Concordia (2019) and Cybersec4Europe (2020), have also specified tasks that focus on re-shaping the cybersecurity educational ecosystem in the EU.

Another action in the provision of information about the current HEI programs in the EU was launched by ENISA in 2019 and resulted in a Cybersecurity EU Educational Map with an exhaustive number of educational programs in cybersecurity. The 2019 version was revised in 2020, with a description of the user interface introduced to make the map friendlier to use. Additional content was added as well. The main purpose of the map was to become the premier source of information for EU citizens looking to update their cybersecurity knowledge and skills. With this goal, the map is designed as a tool providing links to quality educational programs with degrees in cybersecurity, thereby enabling better access to the available knowledge for EU citizens in an approach that should reduce the identified labor skills shortage in Europe. The current data collected in the database provides 105 programs from 23 countries. The map is available online on the ENISA portal.

2.5 Turkey

Turkey's national cybersecurity strategy includes issues for training and capacity building in the field of cybersecurity. In this context, the strategy includes the target "To make cybersecurity more widespread in formal and non-formal education curricula and to enrich the educational contents." Several Turkish organizations, institutions, academics, NGOs, and the private sector organize national seminars on cybersecurity. In addition, "Cyber Star" capture-the-flag competitions were held by TR-CERT in 2017, 2019, and 2020.

Turkish universities have cybersecurity and related programs at master's and Ph.D. levels (namely cybersecurity, information security, information security engineering, cryptography, digital forensics, digital forensics engineering, etc.). Universities also have research and application centers that carry out studies on cybersecurity and related concepts. Technologies produced by universities are transferred through technology transfer interfaces built in the respective universities’ technology development zones and realized by industry. Cybersecurity R&D programs and training activities are also key factors in promoting cybersecurity innovation in Turkey.

Within the scope of the conscious, safe, and effective use of the Internet, regular training is held at schools, especially for children, teachers, and families. The main purpose of these seminars is to raise awareness and educate families and children about the safer use of the internet.

In addition, the ICTA-Academy, which was established within the body of ICTA, provides online training open to the public in cyber security and other related fields to contribute to increasing the level of expertise of Turkey's human resources.

3. The Cybersecurity Workforce

Although countries have started to take action, there is currently a need for personnel in the field of cybersecurity. There is a need for trained personnel and replacement personnel in different fields of the sector. The study conducted by the ISC2 (https://www.isc2.org/) organization contains data on this. Accordingly, in a study conducted in 14 countries, they estimated a 4.2 million cybersecurity workforce for 2021.
 

| Countries   | 2019      | 2020      | 2021      |
|-------------|-----------|-----------|-----------|
| U.S.        | 804,700   | 879,157   | 1,142,462 |
| Canada      | 84,000    | 101,963   | 123,696   |
| Mexico      | 341,000   | 421,750   | 515,527   |
| Brazil      | 486,000   | 626,650   | 581,349   |
| U.K.        | 289,000   | 365,823   | 300,087   |
| France      | 121,000   | 365,823   | 300,087   |
| Germany     | 133,000   | 175,159   | 464,782   |
| Ireland     | N/A       | 12,212    | 15,028    |
| Spain       | N/A       | 122,284   | 124,336   |
| Netherlands | N/A       | 34,406    | 35,106    |
| Australia   | 107,000   | 108,950   | 134,690   |
| Japan       | 193,000   | 226,269   | 276,556   |
| Singapore   | 43,000    | 57,765    | 92,744    |
| South Korea | 201,000   | 232,281   | 239,085   |
| Total       | 2,802,700 | 3,484,971 | 4,192,255 |

 

Organizations experienced an accelerated transformation during a worldwide pandemic and increased attention on cybersecurity. Still, cybersecurity professionals say the workforce gap remains the number one barrier to meeting their security needs. About two-thirds (60%) of study participants report a cybersecurity staffing shortage is placing their organizations at risk.

Despite another inflow of approximately 700,000 professionals into the cybersecurity workforce, the 2021 study shows that global demand for cybersecurity professionals continues to outpace supply — resulting in the Cybersecurity Workforce Gap. All areas of cybersecurity are affected by the staff shortage.

According to the NICE, there is a “dangerous shortage of cybersecurity workers that puts our digital privacy and infrastructure at risk.” Currently, there are roughly two openings for every person employed in the field, according to NICE. And the situation is only expected to get worse with time. A 2017 projection by consulting firm Frost & Sullivan forecasts a shortage of 1.8 million cybersecurity workers by 2022.

The research report "The Life and Times of Cybersecurity Professionals 2021", published by the Information Systems Security Association (ISSA), surveyed 489 cybersecurity professionals and reveals several nuances surrounding the well-documented cybersecurity skills shortage. The top consequences of the skills shortage include an increased workload for the cybersecurity team (62%), unfilled open job demands (38%), and high burnout among staff (38%). Also, 95% of respondents state the cybersecurity skills shortage and its associated impacts have not improved over the past few years and 44% say it has only gotten worse.

In the report published by ISC2, statistical data were shared in areas such as age, education, experience, and sector in the cybersecurity workforce.

 



 

SOURCES:

  1. (ISC)² Cybersecurity Workforce Study, 2021. https://www.isc2.org/-/media/ISC2/Research/2021/ISC2-Cybersecurity-Workforce-Study-2021.ashx
  2. UK Cabinet Office. The UK Cyber Security Strategy: Protecting and Promoting the UK in a Digital World, 2011. https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/60961/uk-cyber-security-strategy-final.pdf
  3. Cyber security training for school staff. https://www.ncsc.gov.uk/information/cyber-security-training-schools
  4. European Cybersecurity Skills Framework. https://www.enisa.europa.eu/topics/cybersecurity-education/european-cybersecurity-skills-framework
  5. National Cyber Security Strategy 2020-2023 of Turkey. https://hgm.uab.gov.tr/uploads/pages/siber-guvenlik/national-cyber-security-strategy-2020-2023.pdf
  6. The Life and Times of Cybersecurity Professionals 2021. https://www.issa.org/cybersecurity-skills-crisis-continues-for-fifth-year-perpetuated-by-lack-of-business-investment/