Cybersecurity Education snapshot for workforce development in the EU

Transcription

1 Cybersecurity Education snapshot for workforce development in the EU Network and Information (NIS) Platform Working Group 3 Final version v0.9 Last modified: September 2015 Editors: Claire Vishik (Intel), Maritta Heisel ( Duisburg-Essen)

2 Contents 1 Executive Summary Objectives Preliminary Findings Recommendations Introduction Scope Methodology Identification and type of sources Survey ENISA database Reinforcement from secondary sources Results and findings Survey findings Conclusions drawn from data Conclusions based on secondary sources Achievements and Gaps Achievements Gaps Opportunities and recommendations Multi-disciplinary focus Responsiveness to changes in technology and societal environment End-to-end skill development Alignment of curricula and training with demand for skills Using appropriate methodologies for teaching cybersecurity at all levels, from awareness to focused expertise Bring all Member States to the agreed upon baseline with regard to cybersecurity indicators Conclusions and Future Work Acknowledgements Appendix I. References Appendix II. Evaluation of some secondary sources Dlamini, M. T., Eloff, J. H., & Eloff, M. M. (2009). Information security: The moving target: Computers &, 28(3), e-skills in Europe. Country Report Estonia. (2014) Evans, K., & Reeder, F. (2010). A Human Capital Crisis in Cybersecurity: Technical Proficiency Matters. CSIS, Goodyear, M., Goerdel, H. T., Portillo, S., & Williams, L. (2010). Cybersecurity Management In the States: The Emerging Role of Chief Information Officers

3 Kleinberg, H., Reinicke, B., & Cummings, J. (2014). Best Practices: What to do? Proceedings of the Conference for Information Systems Applied Research Baltimore, Maryland USA Kleiner, A., Nicholas, P., & Sullivan, K. (2013). Linking Cybersecurity Policy and Performance. Microsoft Trustworthy Computing Kortjan, N., & von Solms, R. (2014). A conceptual framework for cyber-security awareness and education in SA. South African Computer Journal, 52, McDuffie, E. (2011, October). NICE: National Initiative for Cybersecurity Education. In Proceedings of the Seventh Annual Workshop on Cyber and Information Intelligence Research. ACM McGettrick, A. (2013). Toward curricular guidelines for cybersecurity: Report of a workshop on cybersecurity education and training. New York, ACM National Cyber Strategy 2 From awareness to capability. (n.d). Publication of the national coordinator for and counterterrorism OECD. (2012). Cybersecurity Policy Making at a Turning Point: Analysing a new generation of national cybersecurity strategies for the Internet economy Paulsen, C., McDuffie, Ernest, Newhouse, W., & Toth, Patricia. (2012). Nice: Creating a Cybersecurity Workforce and Aware Public. IEEE & Privacy, 10(3), Ponemon Institute. (2014). Best Schools for Cybersecurity: Study of Educational Institutions in the States Rowe, D. C., Lunt, B. M., & Ekstrom, J. J. (2011, October). The role of cyber-security in information technology education. In Proceedings of the 2011 conference on Information technology education (pp ). ACM Unit, E. I. (2011). Cyber power index: findings and methodology. Booz Allen Hamilton Willets, D. (2014). Developing our capability in cyber security: Academic Centres of Excellence in Cyber Research Appendix III. List of institutions with courses in various areas of cybersecurity, for which information was provided by individual contributors Index of figures Figure 1. Summary of opportunities and recommendations for a long term Education framework... 5 Figure 2. Cross-domain processes... 7 Figure 3. Levels of Proficiency... 8 Figure 4. List of countries who provided data Figure 5. European Education and Training Map by NIS WG3 and ENISA Figure 6. Numbers of graduate and undergraduate courses per country (snapshot taken in August 2015).. 16 Figure 7. Number of Disciplines in which most courses are offered (snapshot taken in August 2015) Figure 8. Main audience (snapshot taken in January 2015) Index of tables Table 1. Data collected so far Table 2. List of Institutions and courses in Cybersecurity

4 1 Executive Summary NIS Platform working group (WG3) on Secure ICT Research and Innovation identified a snapshot of the education and training landscape as one of the input deliverables needed for the creation of a Network and Information Strategic Research Agenda (SRA). The goal of this report is to produce an analysis of available offers in higher education and training in Cyber in Europe and beyond. We consider one of the achievements of this initiative the synergies and collaboration with ENISA for the creation of an EU cybersecurity education database 1, maintained by ENISA under their Cyber Month initiative. The database includes a list of available courses and certification programmes linked to Network and Information, privacy and data protection and will permit to continue this project and periodically revise the conclusions based on the new information in the database and additional secondary sources. We express our gratitude to ENISA for making a sustainable effort on this subject possible. For the purposes of this work, we have accepted a broad definition of cybersecurity that comprises a wide range of relevant topics (see definitions in chapter 3), from cryptography, computer, information and network security to privacy, security economics, or legal, regulatory, and policy frameworks. 1.1 Objectives As Education and Training in Cybersecurity should be a dynamic process because of their continuous evolution nature, we have defined a methodology to get quick insights (also named as short term) from current available data sources as well as to define some keys to support the future set-up of an EU education and training framework in cybersecurity in order to guarantee a consistent evolution process (also named as long term) aligned with scientific research and industrial skills needed along the time. The short term objectives focus on the curricula for higher education since the information on training is more dispersed and difficult to collect: 1. Collect sufficient information on cybersecurity higher education curriculum in member states of EU to form the first impressions of trends and degrees of coverage in this area across the region. 2. Develop a mechanism to collect information about training and education. 3. Collect and analyse secondary sources, i.e., work already performed by others to analyse some areas of cybersecurity education and skills development. 4. Form preliminary impression on gaps and formulate recommendations for development based on the information currently available. The long term objectives focus on the future creation of an EU education and training framework in cybersecurity as an evolution of the project, in order to provide the European Commission, ENISA and member states with processes and tools to keep an up-to-date snapshot on education and training in cybersecurity as well as effective mechanisms to support the implementation of different policies to reduce the gap between available education in EU and skills needed by the cybersecurity sector: 1. Refine the data collection mechanism to continue to build our knowledge of the state of curriculum in cybersecurity available in the EU. 2. Define a process, by which the information on cybersecurity curricula could be continuously collected and kept up to date. 3. Define an approach to collecting and analysing more diverse information on training in cybersecurity. 4. Formulate durable research questions to better understand the current state and future needs of education/training in cybersecurity. 5. Define an analysis methodology that permits us to draw reliable conclusions based on incomplete information. 1 The database is available at 3

5 6. Develop analysis methodologies that would allow us to benchmark and compare activities at peer institutions and different EU countries. 7. Form a community of practice with representation from all the EU member states in order to continue collecting information and developing relevant analyses, on demand, if needed. 1.2 Preliminary Findings Analysis of primary and secondary data sources indicate that cybersecurity education is a fast growing field, with positive changes in coverage and awareness occurring consistently. Although coverage appears to be uneven for different European countries, the availability of coursework and training in cybersecurity and privacy is growing, especially in the area of core security curriculum. Some curriculum is also available online, and emerging K-12 curricula on cybersecurity basic permit, in some cases, to commence higher education on this subject at an elevated level of proficiency. Many gaps still remain. Soft definition of the science of cybersecurity has led to great diversity in training and curricula impeding the creation of common context and core knowledge in cybersecurity. Furthermore, there is a lack of differentiation between traditional programmes offering fundamental security related curricula and more versatile cybersecurity programs with multi-disciplinary coverage and multi-faceted training materials. In general, there are limited vehicles available today to create an all-round skill set in cybersecurity, with expertise in technology and societal issues. Although multidisciplinary programs exist, the graduates continue to specialize in either societal or technical aspects of the subject, with limited knowledge of some subjects. The responsiveness of cybersecurity curricula and training to changes in technology and achievements in science remains low due to the lack of mechanisms to quickly develop and share materials on emerging threats or newly crucial skills. As a result, education and training provided under various cyber-security programs tend to coalesce around a useful common goal, but struggle to match the requirements of the dynamic workplace. Mechanisms are also missing for continuing education for those who already acquired undergraduate and graduate degrees or have focused on various aspects of cybersecurity in their work. Although some EU countries have made strides in bringing cybersecurity students in contact with industry and government for apprenticeship projects, these programs remain limited and do not have solid and permanent sources of funding. Cybersecurity is a very dynamic field. Like similarly fast paced environments, it suffers from the lack of reliable mechanisms to bring the results of research into the curriculum as quickly as possible and to engage students in academic research. The lack of feedback mechanism between research and curricula reflects negatively on actionable nature of skills acquisition. 1.3 Recommendations As a high level summary, the following picture represents opportunities and recommendations as main pillars of a potential future creation of an EU education and training framework in cybersecurity: 4

6 Figure 1. Summary of opportunities and recommendations for a long term Education framework Furthermore, we are in a position to formulate more detailed and specific short-medium preliminary recommendations based on the work done during the current (short term) stage of the project (subchapters see methodology). They belong to the following different categories: Multidisciplinary focus Responsiveness to changes in technology and societal environment End-to-end skill development Alignment of curricula and training with demand for skills Using appropriate methodologies for teaching cybersecurity at all levels, from awareness to focused expertise Bring all Member States to the agreed upon baseline with regard to cybersecurity indicators These recommendations are given in more detail in chapter 7 Opportunities and recommendations. 5

7 2 Introduction The Cybersecurity Strategy of the European Union was published in February As a part of the strategy, the European Commission invited the European Parliament and the Council to adopt a proposal for a Directive on a common high level approach to the Network and Information (NIS) across the European Union. The purpose of the directive was to address national capabilities and preparedness, EU level cooperation, the take-up of risk management practices and information sharing, and other issues. Two and a half years later there is still no agreement on the NIS directive. The NIS Platform, the venue where this report was created, is a private public partnership mechanism created in conjunction with the NIS Directive work, but its mission was extended to address a set of relatively independent NIS issues. As a part of establishing the NIS Public-Private Platform, three working groups were set up to investigate risk management, information exchange and incident coordination and secure ICT research and innovation. The working group on ICT research and innovation (WG3) identified various deliverables, including a snapshot on the education and training landscape for workforce and skill development. This report is the result of the work of a subteam of WG3. 6

8 3 Scope There are diverse, although not contradictory, definitions of cybersecurity. For the purposes of this work, we have accepted a broad definition of cybersecurity that comprises a wide range of relevant topics, from cryptography, computer, information and network security to privacy, security economics, or legal, regulatory, and policy frameworks. According to NICCS Portal Glossary 2, cybersecurity in the narrow sense is: The activity or process, ability or capability, or state whereby information and communications systems and the information contained therein are protected from and/or defended against damage, unauthorized use or modification, or exploitation. The source also offers an extended definition: Strategy, policy, and standards regarding the security of and operations in cyberspace, and encompassing the full range of threat reduction, vulnerability reduction, deterrence, international engagement, incident response, resiliency, and recovery policies and activities, including computer network operations, information assurance, law enforcement, diplomacy, military, and intelligence missions as they relate to the security and stability of the global information and communications infrastructure. It is obvious that cybersecurity touches many aspects of everyday lives. Not surprisingly, the scope adopted for this project is very broad. Based on the broad definition of cybersecurity, it is difficult to narrow down the scope of cybersecurity as a subject. And due to the multi-disciplinary nature of cybersecurity, it is impossible to avoid significant breadth in the subject matter. With increasing diversity and mobility of the computing environment, a narrow approach to cybersecurity is no longer possible. Today processes are cross-domain (see Figure 2 below) and collectively participate in defining risk levels that are attributable to transactions and online activities, both in security and privacy. Most environments are dynamic, with entities (e.g., devices and users) joining and leaving domains during a process. However, work on security and trust composition has remained minimal because it is so complex. The complexity is even more significant in the modern integrated computing environments, such as IoT (Internet of Things) or Cloud. For example, cyber-physical systems (or CPS) representing a large part of IoT systems have not only communication and computing capabilities, but also a physical interface permitting them to manipulate physical environments. Figure 2. Cross-domain processes While we focus on graduate curriculum, we recognize that coursework in undergraduate and graduate curricula in specialized areas like cybersecurity cannot be easily separated from graduate programmes. We therefore do not make a distinction in this report between beginner or advanced levels of training, although these distinctions are pertinent to adopt for future work. Although the subject of this report is higher education and professional level training, we recognize that, with the digital world becoming part of everyday life from an early age, awareness of cybersecurity and privacy issues and elementary skill development should become organic. When the students reach higher education 2 NICCS is National Initiative for Cybersecurity Careers & Studies 7

9 levels with basic skills in cybersecurity well developed, most students and consumers will have the ability to better assess cybersecurity risks in everyday lives, and it will be easier to develop more diverse and multidisciplinary curricula and training. Increasing the general levels of proficiency in cybersecurity by the time the students reach higher education will have a fundamentally positive effect on the level of advanced cybersecurity programs and on the ability of the students to successfully develop multi-disciplinary skills. The pipeline of qualified individuals will be significantly wider, thus enabling various programs to incorporate cybersecurity as an organic component instead of a series of elementary courses. We can illustrate the levels of proficiency and their influence on the expertise pipeline as a stack, starting with passive awareness and moving toward innovation at the highest level (see figure below). Figure 3. Levels of Proficiency Although significant progress was made in extending and propagating cybersecurity curricula, we need to assume also that the degree of innovation in this area would increase significantly if a greater number of individuals progressed to the basic skills level and were able to move on to achieve proficiency. These insights are out of scope for this study, but we believe that, when we assess the state of cybersecurity curricula and skills developments, we also need to understand the negative impact the loss of opportunity early in the skill development cycle is likely to have on innovation. 8

10 4 Methodology In 2003, a report was published on the state of cybersecurity training by academic institutions in Europe 3. The study came in response of the Communication on Network : Information Policy Approach issued by the European Commission in The study, by Fondazione Rosselli, was entitled: Cybersecurity Curricula in European Universities. It included six countries: Greece, Belgium, France,, Italy and UK. The study used a methodology similar to the one adopted for this study: acquire insights based on survey containing minimal information on content and level of university courses. But because of the views on cybersecurity more than ten years ago, the report focused on the narrow view on cybersecurity, putting emphasis on information security courses, with the focus on cryptography. Other areas were considered, but to a lesser degree. With regard to general methodology, we used an approach compatible with the 2003 report that we considered an example of work that could be carried out through NIS platform constituency. Then, we adopted a broad multi-disciplinary view of cybersecurity and relied on secondary sources to validate, to the extent possible, views derived from data, as data are still limited. The work on education landscape conducted for the NIS Platform initiative has been a volunteer effort, with its limitations, but at the same time it provides a broader multi-disciplinary view of cybersecurity. We understand that informal collection of information as undertaken for this project may offer an incomplete and sometimes biased picture. So far, we have not found inconsistencies of views among those who participated in data collection and shared their insights. However, in order to avoid bias, we also seek to establish a mechanism, by which data collection from primary sources could be continued leading to the possibility of a more in depth analysis of the education environment and education needs in cybersecurity. In addition to this report, we hope that the efforts will jumpstart the use of the data collection mechanism created by ENISA (database at: resulting in improved communication among cybersecurity education practitioners. We believe that it is important to continue data collection beyond these initiatives as a key for a potential Education and training cybersecurity framework. The report is intended to set the general direction based on data samples and insights in secondary sources, but assumes that comprehensive analysis will emerge as the findings of this and other projects in this area are aggregated. 4.1 Identification and type of sources The methodology used for the short term stage of the initiative has been simple and includes the identification and analysis of both primary and secondary sources. It has been done by desktop research as well as consultation during some interactive meetings of the Working Group 3 of NIS platform. Primary sources We have asked the cybersecurity community to submit information about cybersecurity curricula in their countries. We have collected some information from a number of member states, including, the UK, Greece, Cyprus, Italy, France, Spain, Portugal, Poland, Luxemburg, and other countries. This information was provided by individual volunteer contributors, and does not represent an official survey by EU institutions and organizations. Data collected has not been comprehensive, but it is relatively representative. In order to increase the value of the online database, we recommend a more official and periodic process, with consistent requests for information sent to all relevant institutions across the EU. Information collection has started in 2014 and has not yet been completed. However, at this level, the representativeness of the information collected is on par with other reports published in this space 4.The 3 Available at: 4 See, e.g., report published by Fondazione Rosselli available at: 9

11 available data was analysed to simulate answers to simple questions that were raised with regard to cybersecurity curricula. Secondary sources Since the collected data is insufficient for drawing all the conclusions, we have also used secondary sources produced by similar projects to support the early conclusions and recommendations. Although the focus of the report is on Europe, other countries, such as the States and Australia, experience the same problems. Consequently, we included secondary sources reflecting also the situation outside of Europe. We consider this a viable approach for the future as well. Even if data collected become more comprehensive, validation by other work will be invaluable to draw broadly applicable conclusions. Secondary sources are listed under Appendix I. References. 4.2 Survey We have collected information from a number of member states, including, the UK, France, Greece, Cyprus, Italy, France, Spain, Portugal, Poland, Luxemburg, and other countries. The data for this report was provided by individual volunteer contributors, and represents a community effort rather than an official survey by EU institutions and organizations. We have formulated, for the first stage, the following research questions: 1. Are the cybersecurity courses predominantly offered as part of dedicated cybersecurity programs or as individual courses within more general curriculum? 2. Are cybersecurity courses predominantly provided as complete courses or modules within more general security courses? 3. Does the recognized multidisciplinary nature of cybersecurity come through in the curriculum, or are courses dedicated primarily to one topic (e.g., policy, user psychology, economics, computer & device security)? 4. Is the curriculum taught predominantly in academic departments (e.g., computer science or economics) or in professional schools (law, international relations, and business) or both? Are multi-disciplinary degrees in cybersecurity available? 5. Is there a strong relationship between cybersecurity curricula, awareness programs and training in cybersecurity? 6. Is there a community of practice associated with teaching cybersecurity across EU? 7. Is there a connection between early preparedness and level of sophistication of cybersecurity classes? 8. What needs to be done to start teaching cybersecurity concepts as early as the children begin to use connected devices? Some of these questions can be answered to a certain extent with the data we collected while the answers to other questions constitute parts of the conclusions and generalization of the data we collected and secondary sources. The information collected for this report permitted us to glimpse some dependencies and relationships between the components of the education systems in EU countries with regard to cybersecurity and a number of problems, such as awareness raising and flexible customizable training. It would be difficult to conceptualize these dependencies as a volunteer effort. We recommend a coordinating action to support deeper insights into the education system and the creation of a larger community of practice around cybersecurity education. 10

12 4.3 ENISA database Data collection A database was created with information on Network and Information courses in Europe in the context of a close partnership with ENISA due to the synergies between NIS WG3 Education deliverable and their NIS Driver license initiative. It was launched in October 2014 which coincides with the advocacy campaign European Cyber Month. The database lists available courses and certification programmes linked to Network and Information, privacy and data protection. The webpage ( ) allows educational institutions representatives to add to the map courses, programmes and trainings on these topics. The information encoded via the web form is pending for approval and then reviewed by the administrator before being published on the website. The ENISA team is supporting in order to modify the information at any stage. Note that the database of available courses and certification programmes is not an exhaustive list and the intention is to have it updated yearly. The plan for 2016 is to consistently improve the search functionality, the display of the information and the promotion towards education providers to encode their offers. Data analysis In addition to this, to better understand the data, we created a list of more specific research questions that we will use after the data is available: A. In which disciplines are most courses offered? (e.g., computer science, information security, etc.)? B. Are there courses offered in disciplines which are not directly related to IT (e.g., business administration, law, etc.)? C. Can the topics be clustered into overall topics or research fields (e.g., hacking, cryptography, IT security, etc.)? Which fields are covered most/least? D. Comparing the countries: Are there any similarities in the courses offered, or any distinctive difference? E. Can the courses be clustered into overall topics? (e.g., hacking, data protection, secure software, etc.) F. Are relevant topics missing in the training which is offered? (maybe this is covered in an organization which is not part of the dataset yet) G. Who is the main audience? (e.g., project Managers, data protection managers, system administrators, etc.) H. Is there some audience which is excluded from the training yet, but should be included? (maybe this is covered in an organization which is not part of the dataset yet) I. Which are the types of organizations that offer the training courses? (e.g. universities, research organizations, consultancies, etc.) J. Comparing the countries: Are there any similarities in the training courses offered, or any distinctive differences? 4.4 Reinforcement from secondary sources We have examined a number of secondary sources focusing on the analysis and recommendations on cybersecurity and privacy education and skills development. Most of the reports we studied focused on Europe, but reports from the States and Canada were also included. The list of materials studied is provided in Appendix I. References and a detailed report for some of these references is presented in Appendix II. Evaluation of some secondary sources. 11

13 5 Results and findings 5.1 Survey findings The data we collected as well as information gleaned from secondary sources permit us to form some impressions about the state of security curriculum. We present some of the preliminary findings under the research questions that we have attempted to answer. We have been aided in these answers by more specific questions we posed to analyse the data collated so far (see below). 1. Are the cybersecurity courses predominantly offered as part of dedicated cybersecurity programs or as individual courses within more general curriculum? The first impression is that there is a lot of fragmentation in the field. Curriculum on core elements in security has been available for a while, either as complete courses or elements of other coursework. In addition to technical courses, cybersecurity social science curriculum in psychology, economics, law, and policy, especially with the focus on privacy, has been developed. While the availability of curricula on some elements of cybersecurity is a positive development, multidisciplinary synthesis of such coursework has remained complicated. Although numerous multi-disciplinary programs emerged, they tend to synthesize either technical or societal subjects. If these two groups of subjects are bridged, according to coursework required for graduation, exposure to cybersecurity subjects outside of the main specialization remains insufficient. 2. Are cybersecurity courses predominantly provided as complete courses or modules within more general security courses? Different education systems in different member states complicated the answer to this question. However, it appears that the inventory of curriculum components includes both complete courses and course modules, with complete courses readily available. Due to the increase in the number of faculties specializing in security, the number of opportunities has increased. However, rigid program requirements adopted at most universities make it hard to quickly introduce new courses associated with degree requirements. The first impression is that there are a lot of technologies, processes and practices designed to protect networks, computing devices, programs and data from attack, damage or unauthorized access. Instead, the predominant type of courses continues to focus on general technical and societal aspects of security and privacy. This approach may not constitute a drawback, since the definitions of cybersecurity are diverse, and the core subjects of this field remain open to interpretation. 3. Does the recognized multidisciplinary nature of cybersecurity come through in the curriculum, or are courses dedicated primarily to one topic (e.g., policy, user psychology, economics, computer & device security)? We have found limited coursework that seriously integrates societal and technical aspects of cybersecurity. Without individual review of all courses or descriptions of the programs provided online and in secondary sources, it is impossible to confirm that at least some multidisciplinary elements are studied in depth. A cursory look at degree requirements where available indicates that either technical or societal specification are the norm, while the integrated skill sets remain rare. Even if such integration is pervasive, it is clear that it is insufficient. The lack of multidisciplinary approaches is the most serious concern we have with regard to available curriculum, on par with the late start of the teaching of concepts associated with cybersecurity literacy. Multiple programs exist, in Europe and beyond, that count multi-disciplinary curriculum in cybersecurity among their most important characteristics. We can name Oxford, Royal Holloway, Vrije in Brussels, and several other schools as homes to multidisciplinary cybersecurity or privacy as evidence of novel mechanisms to introduce multidisciplinary training in core curriculum and avoid one sided specialization, beyond offering social sciences and technology courses alongside each other rather than provide integration of several bodies of knowledge. 4. Is the curriculum taught predominantly in academic departments (e.g., computer science or economics) or in professional schools (law, international relations, and business) or both? Are multi-disciplinary degrees in cybersecurity available? 12

14 Both environments have become reliable sources of training for cybersecurity professionals, although academic preparation remains predominant. Evidence was provided that introduction of cybersecurity curricula is beneficial for academic institutions, especially small colleges and universities. Institutions of this type in the US, for example, reported significant increase in enrolment after being designated a Centre of Excellence 5. The number and maturity of multidisciplinary initiatives remain insufficient. 5. Is there a strong relationship between cybersecurity curricula, awareness programs and training in cybersecurity? We have insufficient data to make conclusions on the existing relationship between cybersecurity curriculum and available information or certification-connected training. The dynamic nature of cybersecurity makes it imperative to forge such a relationship, in order to provide a light-weight mechanism to bring cybersecurity skills up-to-date. Moreover, awareness programs are mostly dispensed at the elementary level, making such a relationship unlikely. 6. Is there a community of practice associated with teaching cybersecurity across EU? Our review of secondary sources indirectly (by lack of consistent events, meetings, or publications) indicates that such a community, if it exists, is not very strong. Although workshops and training sessions are conducted, they do not form multi-year series, and international representation is not consistent. 7. Is there a connection between early preparedness and level of sophistication of cybersecurity classes? There is no direct evidence in favour of this view, since teaching of even minimal cybersecurity subjects has begun very recently. But the experience in other subjects as well as experimental programs offering basic and continuing education in cybersecurity early, e.g., Crescent Girls School in Singapore 6, have led to increased interest in pursuing the subject at later stages in education and, consequently, elevated levels of proficiency. 8. What needs to be done to start teaching cybersecurity concepts as early as the children begin to use connected devices? National educational systems should adopt the way to teach cybersecurity early, starting in elementary schools that works in a country s environment. Like traffic rules that are taught early to improve children s safety, we need to incorporate elements of cybersecurity early, to ensure safety in cyberspace Conclusions drawn from data Collected data Regarding metrics we could specify that after +1 year of existence this map displays 18 countries in Europe with close to 100 entries. Figure 4. List of countries who provided data

15 Figure 5. European Education and Training Map by NIS WG3 and ENISA Experience shows that this crowd sourced collaborative model paid off and the results can be of great support for a user in search for long life learning education. We have started collecting information at the beginning of 2014, and since then, we have acquired some data about a number of programs in a dozen European countries. We are grateful to the volunteers for these contributions (see Acknowledgements). The data we collected were either directly distributed by contact persons from the various countries via , or we collected data from some countries, e.g., by ourselves. In a later state of the process several countries submitted data also via the ENISA online database. Overall,19 countries delivered data regarding cybersecurity education, information on training programs and seminars came from 5 countries. The cybersecurity education database encompasses 418 entries, the training database 197 entries. To keep our database updated with the online database, we currently compared both databases and added entries to ours when we encountered differences. Although the data are not comprehensive, they give us a preliminary view of the curriculum available and general characteristics of such curriculum. The information collected is too sketchy to permit us to compare approaches in different member states at this time, but, with the online database operational, we hope it will be possible in the future. Note that the following data reflect the state of the database as of September Table 1. Data collected so far Country Undergraduate Training Austria + + Belgium Cyprus + + Finland

16 Country Undergraduate Training France Greece + Hungary + + Ireland + + Italy Luxemburg + Netherlands + + Norway + + Portugal + Romania + Serbia + Spain + + Sweden + + UK + + Turkey + 15

17 Figure 6. Numbers of graduate and undergraduate courses per country (snapshot taken in August 2015) Most of the curriculum elements submitted so far come from computer science, computer engineering, information systems, or information management departments. We have scant information on multidisciplinary programs focusing on cybersecurity, although information about these programs is a key part of this project. Information on training programs and seminars come from, Italy, Turkey, Hungary and Belgium. Therefore, the dataset is still incomplete and only gives a first impression. findings Based on the data collected so far, we developed more specific research questions to better understand the data: A. In which disciplines are most courses offered? (e.g., computer science, information security, etc.)? B. Are there courses offered in disciplines which are not directly related to IT (e.g., business administration, law, etc.)? C. Can the topics be clustered into overall topics or research fields (e.g., hacking, cryptography, IT security, etc.)? Which fields are covered most/least? D. Comparing the countries: Are there any similarities in the courses offered, or any distinctive difference? We are now able to provide answers to some of these questions, to illustrate the progress: A. In which disciplines are most courses offered? (e.g., computer science, information security, etc.)? As shown below in Figure 7, most courses are offered in the discipline of computer science with a large distance to the subsequent disciplines, IT security technology, information security, business informatics and electrical engineering. 16

18 Figure 7. Number of Disciplines in which most courses are offered (snapshot taken in August 2015) B. Are there courses offered in disciplines which are not directly related to IT (e.g., business administration, law, etc.)? A few courses are offered not directly related to IT disciplines. The subjects range from business studies and business administration, to law, media related disciplines or mathematics. Even though these disciplines do not represent the overall majority, they demonstrate that the field of cybersecurity has acquired breadths in the last 10 years, and now spans into some fields which are only distantly related to IT and IT security. Training findings Even though the material on training is still limited, we also developed some more specific research questions. For two of them we were able to provide answers so far. Please note that the database for this evaluation is still incomplete and is only based on the five countries which have provided their data yet. E. Can the courses be clustered into overall topics? (e.g., hacking, data protection, secure software, etc.) F. Are relevant topics missing in the training which is offered? (maybe this is covered in an organization which is not part of the dataset yet) G. Who is the main audience? (e.g., project managers, data protection managers, system administrators, etc.) H. Is there some audience which is excluded from the training yet, but should be included? (maybe this is covered in an organization which is not part of the dataset yet) I. Which are the types of organizations that offer the training courses? (e.g. universities, research organizations, consultancies, etc.) J. Comparing the countries: Are there any similarities in the training courses offered, or any distinctive differences? We are now able to provide answers to some of these questions, to illustrate the progress: 17

19 G. Who is the main audience? (e.g., project managers, data protection managers, system administrators, etc.) As displayed in Figure 8 the main audience of the training courses dedicated to cybersecurity are IT security officers/managers, network and system administrators, data protection officers, heads of IT departments, the management level and auditors. Figure 8. Main audience (snapshot taken in January 2015) I. Which are the types of organizations that offer the training courses? (e.g. universities, research organizations, consultancies, etc.) The training courses are offered by private, academic or public research organizations, as well as by some non-profit organizations. Besides universities, the organizations can overall be divided into training centers, consultancies (e.g., business consulting or IT security consulting), IT security service providers or IT security specialists. Insights acquired through the exploratory analysis of data collected so far confirm the importance of data driven education strategies in cybersecurity. Most of the secondary sources evaluated for this report contained limited information about the nature, reach, and composition of concrete cybersecurity programs and course; instead, they relied on literature and related statistics to make conclusions and recommendations. While good ideas can be collected through reasoning and the analysis of the environment, we encourage consistent data collection and analysis in this area, in order to design flexible and broadly applicable strategies for cybersecurity education and skill development. 5.3 Conclusions based on secondary sources We have examined a number of secondary sources focusing on the analysis and recommendations on cybersecurity and privacy education and skills development. Most of the reports we studied focused on Europe, but reports from the States and Canada were also included. The list of materials studied is provided in Appendix II. Evaluation of some secondary sources. The secondary sources used for this report were based on approaches similar to the ones selected for this deliverable. Many authors engaged technologists and academics in providing information about their programs 18

20 and ideas for recommendations and improvements. Some documents used other information to list and analyse available programs from their descriptions. Government reports focusing on skills in cybersecurity used mixed approaches, combining surveys and descriptive data. With one exception, the consensus in the secondary materials was that currently available education programs did not cover the needs for cybersecurity professionals and related skills that exist in industry, academia, and government. The reports noted the corrective actions undertaken by organizations, where professionals in other disciplines acquired cybersecurity skills. These corrective actions were reported as sufficiently pervasive in academia and industry, but insufficient to cover the needs of the government workforce. One report (see below) disagreed with this view and suggested that the only category that was chronically understaffed was at the top of the profession where a combination of multi-disciplinary in-depth knowledge and significant experience is required. While we disagree with this view, we acknowledge that the shortage of cybersecurity workers is especially acute in areas that combine significant responsibility and great diversity of required skills. All the materials that reported trends in cybersecurity education noted significant improvement achieved in the last decade, with increasing numbers of programs and course offerings across most countries. At the same time as the number of the programs grew, international events appeared to bring together cybersecurity curriculum designers. Among the notable events, we can mention those conducted by the cyber education project in the US 8 and ENISA s conference on cybersecurity education to be conducted later this year. Most sources also noted the links between university education and awareness programs, although the nature of those connections remains unexplored. The reports and other secondary sources offer the following insights into the state of cybersecurity skills and education: 1. The secondary sources we reviewed acknowledge the skills shortage for cybersecurity professionals (e.g., UK Government report on cybersecurity skills or RAND report for the US as well as numerous other sources), stressing that jobs remain unfilled because of the lack of qualified professionals. At the same time, they acknowledge significant growth in the education of cybersecurity professionals over the last ten years. a) RAND 9 report concludes that the shortage is predominantly at the high end of the profession and concerns predominantly the federal government, while industry and academia developed avenues to deal with shortage of skills at the high end of the profession through additional education and, in industry, internal promotion. RAND report concludes that the shortage will self-correct through a combination of activities. b) The UK Government report 10 indicates that the skills shortage is connected to the fact that cybersecurity profession is not yet well defined, the view that this group also shares. The activities directed to alleviate the skills shortage include a new GCHQ Certification scheme or accreditation of 11 additional certification programs. Differently from RAND report, this report states that it will take many years and focused programs to alleviate the skills shortage. c) The IBM report 11 on Cybersecurity Education for the Next Generation states that, while the number of cybersecurity programs (under various names) increased significantly over the past ten years, with 160 programs certified as Centres of Excellence in the US alone, the perceptions of a strong skills shortage remain strong, with the growing demand created by government and industry. d) The comparative report 12 on cybersecurity education commissioned by the Australian government attempts to highlight gaps in content in relations to the diversity of the audiences. 2. The sources we examined stress the need for greater level collaboration of government and industry (as the main sources of employment in cybersecurity, and academia, the main source of training)

21 a) While government and academia recognize that jobs go unfilled because of dearth of skilled professionals, survey of academia (quoted in the IBM report) showed that 60% of academics believe training is adequate for the requirements of the workplace. b) While many industry members, including SAP, Microsoft, Intel, ARM, and many other have established programs to support the design of adequate curriculum in security, these efforts remain fragmented and received minimal support from funding agencies in Europe and elsewhere. 3. The sources surveyed for this report highlight the importance of certification and awareness campaigns in shaping the skills of professionals. Because of the nature of cybersecurity as a subject and opportunities for employment, the importance of certifications is increasing. 4. Reports produced in this area acknowledge that the field of cybersecurity is so large and so dynamic, with so many interdependencies, that building a more complete picture and shared context remains a top priority. Otherwise, intrinsic complexity will be an inhibitor for creating stable foundational skills for cybersecurity professionals that could support their continued re-training as the security environment changes. 5. There is no unified view on methodologies. Some reports and academic papers recommend removing cybersecurity curriculum in individual courses while others prefer teaching cybersecurity as course modules inserted in other coursework. 6. The technology community is in agreement on the importance of collaborative exercises and handson work in cybersecurity, and these methods are increasingly used by diverse institutions. 7. There is still a disconnection between the emphasis of theoretical work in cybersecurity and the key problems that are of interest to practitioners. 20

22 6 Achievements and Gaps Analysis of literature indicates that cybersecurity education is a fast growing field, and that training in this area has become available from various sources and awareness programs. 6.1 Achievements Among the main achievements, we would like to mention the following: 1. Increase in number of university programs focusing on various aspects of cybersecurity. 2. Emergence of a number of government initiatives supporting the development of cybersecurity skills and related professions. 3. Increasing interest among students and professionals to pursue educational opportunities in cybersecurity. 4. Pioneering programmes focusing on teaching cybersecurity concepts at an earlier age, in school systems and sponsored by governments and industry (e.g., Deutsche Telekom Children Summit). 5. Emergence of awareness programs in EU member states and ENISA-driven coordinated European awareness program. 6. Emergence of several efforts working on assessing the needs of cybersecurity education and training. 7. Growing number of organizations and enterprises providing cybersecurity training to all members/employees. 8. Emergence of the first programs for primary and secondary school education in cybersecurity. 9. Growing interest in cybersecurity as a subject of research. 6.2 Gaps Among the gaps, the following stand out: 1. Lack of general agreement on the science of cybersecurity, leading to great diversity in training and curricula offered under the name of cybersecurity. Creation of common context in cybersecurity needs to be encouraged. 2. Lack of shared methodologies. The most fundamental issues associated with teaching cybersecurity remain a matter of debate. 3. Lack of differentiation between traditional programs offering fundamental security related curricula and more practical cybersecurity programs. While fundamental preparation is always key to good education, multidisciplinary skills necessary to a cybersecurity professional need to be included in many more programs. 4. Dearth of multidisciplinary programs combining technology and societal subjects, as well as multi-faceted training materials. At a minimum, technologists focusing on cybersecurity need to have good understanding of privacy, legal and regulatory frameworks, economics or usability issues. Likewise, those focusing on legal and societal issues need to acquire a solid understanding of technology. 5. Lack of mechanisms to quickly create and share materials on emerging threats or newly crucial skills, to ensure that education provided under various cyber-security programs is up to date and matches the requirements of the dynamic workplace. 6. Limited mechanisms to provide emergency training in cybersecurity when new skills become very important as new attacks emerge. This need is shared by many high tech areas. 21

23 7 Opportunities and recommendations Finally, we list several opportunities and recommendations in Education based on the work done so far. They are presented under different categories: 7.1 Multi-disciplinary focus Although there is general agreement about multi-disciplinary nature of cybersecurity, it remains difficult to reflect the need for multi-disciplinarity in teaching and training environments, because of the diverse skill sets required for truly integrated programs. While a number of multi-disciplinary programs and centres are in place, acquiring in-depth skills in multiple subjects rather than lighter supplemental skills around the area of specialization remains rare. As a result, professionals with understanding of technology as well as law, policy, psychology, or economics are uncommon. Yet, professionals with multi-disciplinary skills continue to be at the top of the lists of skills gaps, according to reports and surveys. Multi-disciplinary research that is necessary to feed multi-disciplinary programs also continues to be fragmented. Although efforts had been made to support multi-disciplinary approaches to cybersecurity, funding mechanisms, availability of publications and conferences that support multi-disciplinary work are insufficient. Ultimately, fragmentation of knowledge in cybersecurity impacts all aspects of society, from the technology environment to legal and policy frameworks. According to this, we can formulate the following opportunities and recommendations: Support strengthening of multi-disciplinary curriculum and training, with clear goals for professional preparation, to ensure future workforce is capable to address complex cybersecurity problems. Continue to build infrastructure to encourage multi-disciplinary skill development in cybersecurity including curricula and programs in higher education, funding for multi-disciplinary research, and establishment of a multi-disciplinary work. Evaluate collaboration mechanisms to enable universities in the EU to provide multidisciplinary degrees when a certain specialization is not available at the degree institution. Evaluate and extend mechanisms for custom degrees in cybersecurity, especially graduate level degrees for professionals already engaged in one aspect of cybersecurity. Establish infrastructure to enable specialists in various areas in cybersecurity to add multidisciplinary knowledge through additional educational modules (e.g., for a computer scientist specializing in security to add a three month module on legal frameworks or economics of security). Establish prizes for successful multi-disciplinary work in cybersecurity. 7.2 Responsiveness to changes in technology and societal environment With increasing diversity and dynamic nature of the computing environment, a static approach to teaching cybersecurity skills is no longer effective. The issues of security composition in complex environments or security and privacy challenges arising at the intersection of several domains remains unresolved, and effects of this complexity on security remain unknown. Preparation and training of cybersecurity professionals continues to focus on one domain, further impacting technologists understanding of inter-dependencies that need to be considered. Approaches used for teaching technical and societal aspects of cybersecurity continue to focus on the development of fundamental skills and knowledge in key areas, similarly to teaching fundamental sciences or law. It remains crucial to acquire fundamental skills, and the importance of this aspect of education and training will never decrease. No continued education is possible before solid fundamental skills are acquired. 22

24 However, the dynamic nature of the technology environment, as well as reactive components and positioning of cybersecurity make it imperative to create additional mechanisms to acquire and continue to develop new skills and knowledge as the environment evolves. The emergence of the new mechanisms to address the quick evolution of technology and usage models will permit us to prepare professionals with deep fundamental knowledge and the ability to solve the new problems as they emerge. Better knowledge of the connections and dependencies in the ecosystem will make it easier to select more effective solutions. A more responsive approach to evolving technology environment in cybersecurity curricula and training is needed to help ensure quicker alignment of approaches to teaching cybersecurity across the EU, rapid awareness of emerging global issues or new solutions, and greater competitiveness of the EU members. Thus, we can formulate the following opportunities and recommendations: Establish a task force with an advisory focus to ensure quick and agile strategy development in cybersecurity and privacy education. Institute an annual survey of employers in cybersecurity to publish lists for skills in highest demand for the next 1-2 years. Devise mechanisms to develop and deploy community built sharable curricula and training modules in cybersecurity in order to make curricula and training more agile and responsive to real life security threats and changes in the technology environment. Establish ways for professionals to update their knowledge of latest technologies online. Support international collaboration and awareness campaigns, to ensure all EU countries are aligned on levels of proficiency and also aware of globally significant issues in cybersecurity. 7.3 End-to-end skill development With the digital world becoming integral part of everyday life from an early age, awareness of cybersecurity and privacy issues and elementary skill development should become more organic. Acquiring fundamental skills earlier and organically, as part of regular education, will not only help develop the competence of consumers to take important decisions, but also the preparation of experts and innovators in cybersecurity and privacy. Ensuring that more people move from the lowest to the higher levels of proficiency will positively affect the technology environment; development of secure devices, networks, and applications; effective remediation following cybersecurity attacks, and, ultimately, innovation. Focusing on higher education and expert training on one side and very basic proficiency on the other is likely to have reduced impact through the loss of talent early in the skill development cycle. According to this, we can formulate the following opportunities and recommendations: Support research to define curriculum & training requirements including coordination actions for these activities with end-to-end coverage (from minimal proficiency to dedicated curriculum). Invest in development of communities of practice operating mostly through online interactions. Establish a task force with an advisory focus to address strategic requirements of end-to-end cybersecurity and privacy education in order to develop consistent analysis of the dependences among different levels of education and establish concrete measures to encourage continued acquisition of skills in cybersecurity. Support research to develop new mechanisms to provide greater visibility of cybersecurity and privacy vulnerabilities when using common devices, systems, applications, and processes. Encourage activities with joint participation of people with different levels of proficiency, to make it easier to move from minimal awareness levels to greater understanding of cybersecurity and related issues. Encourage earlier start for cybersecurity awareness and acquisition of basic skills in the EU, to coincide with the independent use of connected devices. The earlier start will lead to greater proficiency in security and privacy skills by all consumers and will facilitate the introduction to more advanced and responsive curricula and greater understanding of cybersecurity requirement by computer scientists. 23

25 Encourage entrepreneurship in cybersecurity defining a path from skills acquisition to innovation. 7.4 Alignment of curricula and training with demand for skills Most reports on cybersecurity skills agree that the shortage of cybersecurity professionals is becoming more acute and highlight the sharpest shortages occurring either with regard to the latest skills or at the top of the profession where experience or multi-disciplinary knowledge are essential. The shortage continues to be felt in government, while industry and academia developed some avenues to deal with shortage of skills at the high end of the profession through additional education and, in industry, internal promotion. The skills shortage is connected to the fact that cybersecurity profession is not yet well defined, negatively affecting the effectiveness of cybersecurity education and training. Greater collaboration of stakeholders in cybersecurity governments, academia, and industry is necessary to align perceptions of the needs for skills and vehicles to combine theoretical and practical training. While many industry members and other communities have established programs to support and encourage the design of adequate curricula in cybersecurity, these efforts remain fragmented and receive minimal support from funding agencies in Europe and elsewhere. Similarly, apprenticeship and internship programs continue to develop as needs for employees with cybersecurity skills is growing, but very few innovative mechanisms to support short term skill development programs have been established. Furthermore, awareness of skills in high demand remains delayed and imperfect, putting additional pressures on students, educators, job seekers, and employers and negatively affecting competitiveness of the EU countries. Thus, we can formulate the following opportunities and recommendations: Support development and enhancement of collaboration mechanisms with industry and government and internationally, in order to ensure consistent coverage of cybersecurity proficiency in all EU countries. Encourage new flexible models for short terms internships and training in operational environments to develop purpose-based acquisition of top-priority skills. Support emergence of fora for interaction with practitioners across Europe. Establish mechanisms to increase awareness of skills in high demand to increase competitiveness of job seekers. Establish high quality mechanisms for on demand acquisition of high priority skills, open across the EU, including the countries where such mechanisms may not be readily available. 7.5 Using appropriate methodologies for teaching cybersecurity at all levels, from awareness to focused expertise Initiate a study of teaching methodologies for cybersecurity and provide a set of recommendations on this topic. Study casual learning of cybersecurity as part of other activities and publish recommendations with regard to processes, interfaces, and metrics for this method of learning. Organize and promote regular cybersecurity competitions at all levels. Create a repository of course or training online modules, to improve EU-wide access to cybersecurity education and training. Support and fund community built sharable curriculum and training modules in order to make curricula and training more agile and responsive to real life security threats and changes in the technology environment. 24

26 7.6 Bring all Member States to the agreed upon baseline with regard to cybersecurity indicators Create a community of practice for cybersecurity education that is inclusive geographically representative, multi-disciplinary, multi-stakeholder, and comprising diverse skill sets. This community will collect consistent data on cybersecurity curricula, and in the future, cybersecurity training available to the EU community for information and analysis; fund this activity at the EU level. Create a data-driven strategy for cybersecurity education, starting with a relatively complete dataset covering existing cybersecurity programs in all EU member states. Set up coordinating action to collect data and catalogue re-usable resources, such as course modules. Engage ENISA to provide guidance and links to broader cybersecurity communities. Task ENISA with creating a report comparing access to cybersecurity education and practical training among EU Member States. Explore methodological and class delivery options to increase access to cybersecurity courses and programs across the EU. Explore feasibility of a practical training internship allowing interested and motivated students from EU countries with lower numbers of cybersecurity courses and opportunities to receive practical training via dedicated programs in other Member States. Support the development of new collaboration mechanisms with industry and government and internationally, in order to ensure consistent coverage of cybersecurity proficiency in all EU countries. Develop common terminology and a common body of knowledge for the cybersecurity area, e.g. cybersecurity ontology effort, to permit the regulators and the community to quickly set-up a common framework allowing a sustainable growth. 25

27 8 Conclusions and Future Work Cybersecurity education in Europe has become very important as the needs of the society exceed specialists available in this area. Although the number of programs has increased over the last ten years and expanded to cover all EU countries, there is still skill shortage in the area. The shortage is felt the most strongly at the top of the profession where multi-disciplinary skills combined with experience are required. In order to deal with the skill shortage, more courses and programmes will need to be created. These programmes will need to be responsive to the key needs in cybersecurity, while also preparing professionals who have strong basic skills and can be retrained as the technology environment changes. New teaching, collaboration, and internship models will need to be created in order to support the dynamic nature of cybersecurity. Expanding use of technology from an early age will make adult awareness programs insufficient. Teaching cybersecurity and privacy concepts at an early age will be necessary to nurture a safer computing environment. Earlier start of training in cybersecurity will have additional benefits: it will permit the universities to increase the number and depth of advanced courses. With greater level of knowledge, greater innovation will follow, so private or industry investments. Cybersecurity education is the area that can pioneer data driven approach to strategy and focus. In order to build a responsive cybersecurity education framework, we need to understand the state of the art in the field. We expect that the online data collection tool created by ENISA will permit the community to collect more information from member states, and we hope that data collection will continue beyond this project to provide materials for future analyses. We also hope that a model capable of supporting a collection of relevant links and reports from past efforts on the state of cybersecurity education could be found. Finally, we recommend to start a repository of course modules in cybersecurity as soon as possible. Such repositories initiated by industry or academia for specific projects already exist, and we hope the cybersecurity community could extend this important work in order to jumpstart cybersecurity education across the EU. 26

28 Acknowledgements Many people have contributed to this report in different ways, but three people deserve special thanks for their contributions: Daria Catalui (ENISA) set up the database that is the foundation to continuously evolve the endeavor on cybersecurity education and training. Daria was very responsive to all the requests that we had for the database. She also contributed to Section 4.3. Raúl Rieso Granadino (Spanish National Cybersecurity Institute, co-leader of WG3) provided many insightful comments and suggestions that were instrumental to provide a more complete set of recommendations and improve the presentation of the report. Last but not least, Christina Menges ( Duisburg-Essen) was of extraordinary help in compiling and editing the document. Christina spent a lot of time on online research to find relevant courses and secondary sources to include in our snapshot. She also made the statistics and figures, and helped polishing the text. Taking up a lot of the details of the editing, Christina s work allowed us to focus on the essentials of this report. Furthermore, we are very thankful for support and assistance we received from our WG3 partners, including: Austen Okonweze, Department for Business, Innovation and Skills UK Government Dimitrina Polmirova, NLCV National Laboratory of Computer Virology George Christou, of Warwick James Clarke, TSSG Janne Uusilehto, Microsoft Marco Hölbl, of Maribor Miguel Herrero Collantes, INCIBE Nick Savage, of Portsmouth Paco Hope, Cigital Raul Riesco Granadino, INCIBE Sokratis Katsikas, of Piraeus Susana de la Fuente, INCIBE Svetla Nikova, KU Leuven 27

29 Appendix I. References 1. Cybersecurity Curricula in European.Final report, Available at: 2. Martin C. Libicki, David Senti, Julia Pollak. H4CKER5 WANTED. An Examination of the Cybersecurity Labor Market. Rand Corporation Research Division, An overview of international cyber-security awareness raising and educational initiatives: Research report commissioned by the Australian Communications and Media Authority. May Andrew McGettrickToward Curricular Guidelines for Cybersecurity: Report of a Workshop on Cybersecurity Education and Training. Association of Computer Machinery, August IBM Center for Applied Insights. Cybersecurity education for the next generation: Advancing a collaborative approach Tempus Report on EU practice for cyber security education Michael Locasto, Sara Sinclair. An Experience Report on Undergraduate Cyber-. Education and Outreach Cybersecurity Skills: Business Perspectives and Government Next Steps UK government report, Available at: 9. Dlamini, M. T., Eloff, J. H., & Eloff, M. M. (2009). Information security: The moving target: Computers &, 28(3), e-skills in Europe. Country Report Estonia. (2014). f 11. Evans, K., & Reeder, F. (2010). A Human Capital Crisis in Cybersecurity: Technical Proficiency Matters. CSIS, Goodyear, M., Goerdel, H. T., Portillo, S., & Williams, L. (2010). Cybersecurity Management In the States: The Emerging Role of Chief Information Officers. Available at SSRN: Kleinberg, H., Reinicke, B., & Cummings, J. (2014). Best Practices: What to do? Proceedings of the Conference for Information Systems Applied Research Baltimore, Maryland USA Kleiner, A., Nicholas, P., & Sullivan, K. (2013). Linking Cybersecurity Policy and Performance. Microsoft Trustworthy Computing. 3/02/SIR-Special-Edition--Atlas-whitepaper.pdf 15. Kortjan, N., & von Solms, R. (2014). A conceptual framework for cyber-security awareness and education in SA. South African Computer Journal, 52, McDuffie, E. (2011, October). NICE: National Initiative for Cybersecurity Education. In Proceedings of the Seventh Annual Workshop on Cyber and Information Intelligence Research. ACM. 28

30 17. McGettrick, A. (2013). Toward curricular guidelines for cybersecurity: Report of a workshop on cybersecurity education and training. New York, ACM National Cyber Strategy 2 From awareness to capability. (n.d). Publication of the national coordinator for and counterterrorism OECD. (2012). Cybersecurity Policy Making at a Turning Point: Analysing a new generation of national cybersecurity strategies for the Internet economy Paulsen, C., McDuffie, Ernest, Newhouse, W., & Toth, Patricia. (2012). Nice: Creating a Cybersecurity Workforce and Aware Public. IEEE & Privacy, 10(3), Ponemon Institute. (2014). Best Schools for Cybersecurity: Study of Educational Institutions in the States. pdf 22. Rowe, D. C., Lunt, B. M., & Ekstrom, J. J. (2011, October). The role of cyber-security in information technology education. In Proceedings of the 2011 conference on Information technology education (pp ). ACM Unit, E. I. (2011). Cyber power index: findings and methodology. Booz Allen Hamilton Willets, D. (2014). Developing our capability in cyber security: Academic Centres of Excellence in Cyber Research. 29

31 Appendix II. Evaluation of some secondary sources Dlamini, M. T., Eloff, J. H., & Eloff, M. M. (2009). Information security: The moving target: Computers &, 28(3), Retrieved from: The paper investigates the evolution of information security by looking at literature in past security issues, followed by an assessment and analysis of information security publications in conjunction with surveys conducted in industry. The paper gives an overview of the following: - Where did information security come from? (the past) - How did it get to where it is today? (the present) - In what direction it is heading? (the future) The results are: - Information security has not changed per se, but it has since gained a broader and wider focus - There is strong emphasis on three aspects: legal and regulatory compliance, risk management and information security management. responsibility is widening to also include risk managers, forensic specialists, compliance regulators and other stakeholders. There is a major shift from pure reactive technical measures towards a more proactive strategic approach. Preserving privacy, preventing identity theft and leakage of private information is critical nowadays. - Furthermore, there is an increase in targeted attacks and cell phone worms. e-skills in Europe. Country Report Estonia. (2014). Retrieved from: Since 2003 there has been a strong activity for raising digital literacy and e-user skills in Estonia, which laid a strong foundation for improving ICT practitioner and e-leadership skills. In the digital literacy domain, since 2002 initiatives such as the Look@World Foundation and its training programmes are generally considered as successful: they helped to cover the country with a network of public Internet access points and equip each school with computer classrooms, and provided training in ICT user skills In recent years demand for professionals with e-practitioner skills and e-leadership skills has increased. Universities have been raising the quality of ICT Programmes and increased the intake of students in ICT study programmes in cooperation with the Estonian Information Foundation. In the area of employability and e-inclusion, a number of programmes targeting the unemployed have used ICT training for creating ICT professional skills. Challenges that the country still faces are the demand for professional ICT specialists and people with e-practitioners skills. A possible solution could be the in-migration of students and ICT professionals from abroad. Furthermore, there are flaws in the education system, as the quality and quantity of ICT education requires modernization. An outlook for the coming years has been described in the new strategy and vision document: Estonian ICT Sector Vision The report calls for increasing the amount of free re-training offered to ICT specialists, focusing on e-practitioner skills and e-leadership skills. The public sector should increase investments in education and science in the field of ICT. 30

32 The Estonian Information Society Development Plan 2020 is under development. It will form the basis for new programmes and initiatives over the coming years, and puts emphasis on several key challenges. The investment in education should be increased. Evans, K., & Reeder, F. (2010). A Human Capital Crisis in Cybersecurity: Technical Proficiency Matters. CSIS, Retrieved from: This report is written by the center for strategic and international studies. It is reported that there are not enough people with good skills in cybersecurity. Four elements for dealing with this challenge are: - promoting and funding the development of more rigorous curricula in schools - supporting the development and adoption of technically rigorous professional certifications that include a tough educational component and a monitored practical component - using a combination of a hiring process, the acquisition process and training resources to raise the level of technical competence of those who build, operate and defend governmental systems - assuring there is a career path as with other disciplines, like engineering or medicine, and rewarding and retaining those with high-level technical skills, both in civilian workforce and in the uniformed services There are some existing efforts addressing this challenge, such as 1. encouraging more young people starting in elementary school for educating and training in technology, engineering, and math, 2. developing more rigorous curricula in computer-related disciplines, 3. automating daily operational tasks in cybersecurity The proposal in this report attempts to build upon such existing efforts. There are also some organizations that address this issue: - Department of Homeland (DHS) - ISACA - The SANS institute - CREST - IEEE - Department of justice: Federal Bureau of investigation (FBI) - NSA - Department of defense (DOD) -... The report focuses on the actions that can be done in the short and medium term to develop and hire cybersecurity capable workforce. The report gives recommendations on how to expand the number and quality of highly skilled cybersecurity professionals. To address the recommendations, an action plan is recommended. 31

33 Goodyear, M., Goerdel, H. T., Portillo, S., & Williams, L. (2010). Cybersecurity Management In the States: The Emerging Role of Chief Information Officers Retrieved from: The importance of cybersecurity increased significantly in recent years, as society has become increasingly dependent on information technology in government, business, and in their personal lives. Cybersecurity has been commonly associated with three aspects of information technology: people, process, and technology. People as users and creators of information and technology systems and defined organizational processes clearly affect the ability of any technological environment to be secured. However, convincing users to utilize secure processes when handling government information is also a solution to cyber-security issues. The technological solutions are also important because they have the ability to define border environments as well as control the behavior of users within those environments. The authors stick to the following definition for cybersecurity as security measures being applied to information technology to provide a desired level of protection. The issue of protection can be defined using the acronym CIA for Confidentiality, Integrity, and Availability. This report is about the actions taken both by US corporations and US government for addressing these issues. These actions were in terms of creating a new role in their organizations to lead the safeguarding efforts entitled as Chief Information Officers (CISOs). The role of these officers is still under development, and this report is a good basis for the respective discussions. The different designed strategies by these officers in different states of the US have been explained. They either used law enforcement techniques and technologies, or proposed offering effective educations for influence the behaviors of users. The roles and responsibilities of CISOs is also partially defined in state governments across the States. Both strategies and activities used by CISOs in under study in some states (serve as case studies). This report summarises the concerns of the States with respect to cybersecurity as below: - Risks associated with potential violations of privacy and civil liberties of citizens. - Managing problems that could morph in scope and scale from domestic to international significance - Risks associated with taking on additional unfunded security mandates. The report also gives an overview of responsibilities and needed skills for a successful CISOs based on a survey. Furthermore, data from the survey and case studies indicate that there are five broad strategies utilized by state-level CISOs to advance their security programs. States are engaging in a common set of activities in relation to cybersecurity, but vary in the emphasis placed on each strategy. These five Strategies Used by State Cybersecurity Officers which falls into one solution categories mentioned earlier (technological solution, or convincing users). The strategies are - Development of policy and legal frameworks - Increased education of users - Use of technology and control mechanisms - Centralization of networks and IT services - Building collaborations across agencies, levels of government and between sectors These strategies are applied by CISO officers in six states of the US. Each of these has been explained as one case study. Based on these case studies the authors conducted five recommendations for building a successful program and the activities of the CISO as following: 1. State cybersecurity officials should increase the use of collaboration and networks. 2. State cybersecurity officials should evaluate their formal and informal relationships with federal cybersecurity officials. 3. State cybersecurity officials should devote increased attention to and receive training in multidisciplinary problem solving. 32

34 4. State cybersecurity officials should receive training in collaboration competencies and those competencies should be recognized and rewarded. 5. State cybersecurity officials should devote increased attention to data management. Kleinberg, H., Reinicke, B., & Cummings, J. (2014). Best Practices: What to do? Proceedings of the Conference for Information Systems Applied Research Baltimore, Maryland USA. Retrieved from: Kleinberg, Reinicke, and Cummings have collected cyber security best practices from 9 sources from industry, standards, and academia. They grouped the practices in a list of 30 best practices. The authors assign to each best practice at least one "Tech Type". Tech Types are: Hardware, Software, Antivirus, Network, and People, Policies and Procedures. Best practices with the Tech Type People, Policies and Procedures are divided into best practices that shall be addressed by each individual and best practices that only have to be considered in organizations. For individuals the authors state that everyone should be running antivirus and antimalware software and you should always keep your software patched and up to date. In addition, users should run frequent backups, make sure their home wireless networks are password protected and passwords are not lying around as well as access to files are limited to the user. This categorization implicitly provides recommendations which best practices should be taught to everyone (in an organization) and which practices only have to be taught to specific persons in an organization. Kleiner, A., Nicholas, P., & Sullivan, K. (2013). Linking Cybersecurity Policy and Performance. Microsoft Trustworthy Computing. Retrieved from: Special-Edition--Atlas-whitepaper.pdf Understanding whether certain policies can measurably reduce cyberrisks at a national level is a critical exercise for policymakers seeking effective solutions to these challenges. Microsoft set out to create a methodology to evaluate the impact of policy solutions on national cybersecurity efforts. By using a reasonable statistical measurement for evaluation of cybersecurity on a national level, a framework was created to examine various factors that distinguish the level of cybersecurity performance among countries and to identify whether the adoption of certain policies or strategic actions is related to cybersecurity performance. Results of the analysis have implications for current and future policy initiatives: countries adopting or implementing certain policies are more likely to overperform on a key cybersecurity metric compared to countries that have not adopted the same policies; for policymakers seeking ways to improve national cybersecurity, these policies represent activities that are likely to have a meaningful and measurable impact. Microsoft s own technical measure of cybersecurity is derived from their broad deployments of enterprise and consumer software products, as well as global investments in online services such as search engines and e- mail systems. Their results are based on findings from the Malicious Software Removal Tool (MSRT), which evaluates the current level of malicious code infections on computer systems across the globe. 33

35 Kortjan, N., & von Solms, R. (2014). A conceptual framework for cyber-security awareness and education in SA. South African Computer Journal, 52, Retrieved from: The paper "A conceptual framework for cyber-security awareness and education in SA" presents a framework the government of South Africa should use to start a broad, public campaign to raise the cyber-security awareness of the citizens of South Africa. The authors identify a general gap regarding the cyber-security awareness in South Africa and serious negative implications for South Africa and its citizens. This gap seems to be widely acknowledged in South Africa which also includes the government, but as the authors state, there are only a few campaigns tackling this gap, and these campaigns currently aim only at the academic and government level. Hence, there is no broad initiative for empowering all citizens of South Africa. Inconsequence, the authors propose a framework, which can be used to establish a broad, government-based campaign to raise the awareness of all citizens. The framework is based on a literature review to select the best practices from other countries, comparative analyzes of the results reported for other countries, and a final reasoning about the best practices which are suitable for South Africa. The resulting framework was evaluated using expert interviews. The framework consists of several layers, starting from a strategic layer, in which the overall campaign is shaped, ending with a monitoring layer to keep track of the results of the campaign. Each layer embodies the involved bodies, tasks, and tools which are necessary for planning and executing the campaign on the specific layer. To the end it is not clear if this framework is just a proposal which maybe taken up by government, if this framework was created on initiative of the government, or if this framework is actually in use for starting a campaign by the government. McDuffie, E. (2011, October). NICE: National Initiative for Cybersecurity Education. In Proceedings of the Seventh Annual Workshop on Cyber and Information Intelligence Research. ACM. Retrieved from: While there is no doubt that technology has changed the way we live, work, and play, there are very real threats associated with the increased use of technology and our growing dependence on cyberspace. Through education, NICE will counter these risks and help make cyberspace more secure. Its mission is to enhance the overall cybersecurity posture of the States. The goals are to raise national awareness about risks in cyberspace, to broaden the pool of individuals prepared to enter the cybersecurity workforce and to cultivate a globally competitive cybersecurity workforce. Goal 1 focuses on the general public to provide basic information to both individuals and organizations on how to better protect themselves in cyberspace. Goal 2 focuses on students at every level to increase interest in cybersecurity classes while better preparing students to pursue careers in cybersecurity. Goal 3 focuses on the current cybersecurity workforce including providers, suppliers, and architects of cybersecurity to make the Nation s cybersecurity workforce the best in the world. The education requirements for each audience correlate to the level of interaction and responsibility each group has in cyberspace. Each of the goals has a key set of stakeholders (= wide array of organizations that benefit from or work in partnership to achieve the NICE goals). 34

36 Throughout the Strategic Plan, NICE refers to consensus building when developing standards and guidelines for cybersecurity education. The National Institute of Standards and (NIST) was appointed as the lead for NICE, it will support NICE in the following ways: - Develop planning documents and build consensus on the strategy and implementation activities of NICE - Facilitate cross-functional cooperation among NICE component lead agencies - Foster communication between the component lead agencies by coordinating meetings, facilitating discussions, and disseminating information - Promote the initiative and its efforts by representing NICE and speaking at cybersecurity events nationwide - Plan and host an annual workshop to promote and support the evolving issues in cybersecurity education - Coordinate with other Federal initiatives and efforts related to NICE - Maintain and update the NICE Web site - Currently, NICE is comprised of four components, each led by one or more Federal agencies: - Component 1: National Cybersecurity; lead agency: Department of Homeland - Component 2: Formal Cybersecurity Education; lead agencies: National Science Foundation, Department of Education - Component 3: Cybersecurity Workforce Structure; lead agency: Department of Homeland - Component 4: Cybersecurity Workforce Training and Professional Development; lead agencies: Department of Homeland, Department of Defense, Office of the Director of National Intelligence McGettrick, A. (2013). Toward curricular guidelines for cybersecurity: Report of a workshop on cybersecurity education and training. New York, ACM. Retrieved from: The shift towards cyber operations represents a shift not only for the defense establishments worldwide but also cyber security research and education. Traditionally it was founded on information assurance, expressed in underlying fields such as forensics, network security, penetration testing, connected to the homeland security agencies and defense through funding, mutual interest in the outcome of the research, and the potential job market for graduates. In the future there will be both defensive information assurance measures and active defense driven information operations. Cohesive cyber defense requires universities to optimize their campus wide resources to fuse knowledge, intellectual capacity, and practical skills in an unprecedented way in cyber security. The future will require cyber defense research teams to address not only computer science, electrical engineering, software and hardware security, but also political theory, institutional theory, behavioral science, deterrence theory, ethics, international law, international relations, and additional social sciences. The NSA clearly states that cyber operations should be interdisciplinary. They require an ability to do collection, exploitation, and response. Academic institutions shall train the workforce that will staff the execution, management and monitoring of cyber operations. How do cyber security centers become successful in cyber operations? There are five steps: 1. Identify scholars at your own university that share the cyber security and cyber operations research interest even if they are located in other schools such as policy school, business school, etc. 35

37 2. Develop cyber relevant courses in a cohesive manner (cyber security research, business school s information and risk management, public policy courses, etc.) and promote these courses to the students. 3. Seek funding with the business school, school of social science, engineering school, as equal partners, where the other school gets a fair share so they are dedicated to the project 4. Find ways to avoid issue ownership conflicts between departments and schools (for example, only business schools can teach information security management because it is management). 5. Be prepared to handle a constructive critique of your research program by the newly-added collaborating peers from other schools. The future for cyber operations research and education requires and institutional and cultural challenge to academia. Many of the resources needed to be successful are already accessible. National Cyber Strategy 2 From awareness to capability. (n.d). Publication of the national coordinator for and counterterrorism. Retrieved from: The Netherlands is the European leader in responding to technological trends and effective use of ICT tools and skills, as well as an international internet hub, has the world s most competitive internet market and one of the highest number of internet users. The digital domain is a precondition to making optimal use of the opportunities offered by digitization to society. The purpose of the National Cyber Strategy 1 (NCSS1) in 2011 was to realize a secure, reliable and resilient digital domain through an integral cyber security approach based on public-private partnerships, and to seize the ensuing opportunities for society. The NCSS2 explains the broader government vision on cyber security, i.e. not viewing cyber security as an isolated element, but rather in correlation with human rights, internet freedom, privacy, social-economic benefits and innovation, and states responsibilities and concrete steps. In recent years, more insight was gained into the threats and vulnerabilities in the digital domain: the biggest threats come from other states and professional criminals. By working with international partners, the Netherlands aims to create a secure and open digital domain. The government should play a more active role in the digital domain, by increasing investments in the security of its own networks and services, and by bringing parties together and taking action if the security of companies and private individuals or the latter s privacy come under threat. Private individuals should apply some form of cyber hygiene (basic security measures) and take a certain amount of personal responsibility. Central elements: - Risk analyses, security requirements and information sharing within critical infrastructure sectors - More active approach to cyber espionage - Feasibility study on separate vital network - Enhancing civil-military cooperation - Strengthening the National Cyber Centre - International approach to cyber crime: updating and strengthening legislation (including the Criminal Code) - Supported standards, security by design and privacy by design - Cyber diplomacy: hub for expertise for conflict prevention 36

38 - Taskforce on cyber security education - Encouraging innovation in cyber security OECD. (2012). Cybersecurity Policy Making at a Turning Point: Analysing a new generation of national cybersecurity strategies for the Internet economy. Retrieved from: This report analyses the latest generation of national cybersecurity strategies in ten volunteer countries (eight which had adopted such a strategy between 2009 and the end of 2011: Australia, Canada, France,, Japan, Netherlands, the UK and US, and two which were in the process of developing one: France and Spain), and identifies commonalities and differences. The volunteer countries responded to a questionnaire and provided relevant material, between February 2011 and May Representatives of business, civil society and the Internet technical community participated actively in the work, in particular by responding to a questionnaire. In many countries, cybersecurity policy making has become a national policy priority supported by stronger leadership. The new generation of national cybersecurity strategies aims to drive economic and social prosperity and protect cyberspace-reliant societies against cyber-threats, a key challenge of cybersecurity policy making today is to pursue these two objectives while preserving the openness of the Internet as a platform for innovation and new sources of growth. Cybersecurity strategies recognize that the economy, society and governments now rely on the Internet for many essential functions and cyber threats have been increasing and evolving at a fast pace. Action plans strengthen key priority areas identified in the early 2000s, including more emphasis on cybersecurity research and development and real time monitoring of government infrastructures. They aim to develop a more robust cybersecurity industry sector and to take advantage of economic drivers and incentives for cybersecurity. The report highlights suggestions by business, civil society and the Internet technical community, calls for further analysis of the intersections between economic, social and sovereignty cybersecurity policies, and points out the opportunity for countries to extend their national co-ordination agency as an international contact point to facilitate co-operation on cybersecurity at policy and operational levels. Paulsen, C., McDuffie, Ernest, Newhouse, W., & Toth, Patricia. (2012). Nice: Creating a Cybersecurity Workforce and Aware Public. IEEE & Privacy, 10(3), Retrieved from: NICE (National Initiative for Cybersecurity Education) was created by US President Obama in 2010 with the idea that an important resource in the fight against cyberthreats is people people who create technologies to protect information and resources, people who recognize cyberthreats and respond to them, and people who understand how to protect themselves and others in cyberspace. Before, there were other initiatives to improve awareness, education, and training of cybertechnology users. However, they were specialized and disconnected. NICE seeks to connect all existing cybersecurity awareness, education and training activities. NICE has four complementary components: 37

39 - Awareness - Formal education - Training and professional development - Workforce structure The first three components work together. Their activities include informing the public about how to avoid cybersecurity threats, improving cybersecurity education in schools, and training cybersecurity professionals more effectively. The forth component provides the technical foundation for NICE by defining the cybersecurity workforce and creating a recruitment strategy. Its recent accomplishment is the NICE Cybersecurity Workforce Framework. The framework was created due to the problem of inconsistency in definitions and descriptions of cybersecurity work. It is a document that organizes cybersecurity work and workers into 7 high-level categories and 31 specialty areas, each with a list of associated knowledge, skills, and abilities (KSAs). Educators and trainers can use the framework to answer questions like: what should I prepare my students for, what knowledge and skills do they need, and what should I be teaching. They can adapt their curricula and training content to cover more KSAs. However, they can also use the framework to generate interest in cybersecurity (for example, by describing to students how somebody in a certain specialty area might be like a detective investigating incidents and figuring out how to solve them). Many people do not realize the variety of cybersecurity fields. Ponemon Institute. (2014). Best Schools for Cybersecurity: Study of Educational Institutions in the States. Retrieved from: The demand for well-educated cyber security professionals is outpacing the supply in both the public and private sectors Ponemon Institute s research has also consistently revealed that one of the major barriers to achieving a strong security posture is the dearth of trained and skilled security professionals. The objective of the 2014 Best Schools for Cybersecurity study is to determine those institutions that are achieving a high level of excellence and the characteristics that set them apart. Learned individuals were asked to identify and rate U.S. colleges and universities they believe are most committed to advancing students learning and domain expertise in the emerging fields of cybersecurity and information assurances. They had to use five normatively important criteria: - Academic excellence - Practical relevance - Experience and expertise of program faculty - Experience and background of students and alumni - Professional reputation in the cyber security community - The characteristics of the top schools are: - Interdisciplinary program that cuts across different, but related fields (especially computer science, engineering, management) - Designated by the NSA and DHS as a center of academic excellence in information assurance education - Curriculum addresses both technical and theoretical issues in cybersecurity - Both undergraduate and graduate degree programs are offered - A diverse student body, offering educational opportunities to women and members of the military 38

40 - Faculty composed of leading practitioners and researchers in the field of cybersecurity and information assurance - Hands-on learning environment where students and faculty work together on projects that address real life cybersecurity threats - Emphasis on career and professional advancement - Courses on management, information security policy and other related topics essential to the effective governance of secure information systems - s of programs are placed in private and public sector positions Rowe, D. C., Lunt, B. M., & Ekstrom, J. J. (2011, October). The role of cyber-security in information technology education. In Proceedings of the 2011 conference on Information technology education (pp ). ACM. Retrieved from: The authors state that cyber-security gains importance due to cyber-attacks and a deficit in cyber-security professionals. Students should be more skilled in the concepts and technologies of cyber-security. Their curriculum (more precisely, the curriculum of Information programs) should be adapted so that more emphasis is placed on cyber-security. To support the adaptation, the authors suggest their Prepare, Defend, Act framework. 1. Introduction Cyber-security gains importance Lots of cyberattacks in the past 2. What is Cyber-? There are different definitions and opinions According to ISO/IEC 27032, cyber-security is preservation of confidentiality, integrity and availability of information in the cyberspace and cyberspace is the complex environment resulting from the interaction of people, software, and services on the Internet by means of technology devices and networks connected to it, which does not exist in any physical form. 3. Why Information? All computing and technology programs have a responsibility to ensure a thorough and pervasive security curriculum within their courses. Yet, IT programs are uniquely best-suited to an advanced cyber-security curriculum because: Programming: Programming a computer system to achieve a desired outcome is the most fundamental skill taught in an IT program. Likewise, it is in programming that the ability to rectify vulnerabilities lies. Networking: Cyberspace is defined as a networked group of entities. Understanding the concepts, protocols and vulnerabilities of the networks are prerequisites of an advanced cyber-security education. Human-computer interaction: User error is the primary cause of security breaches. Is this a result of poor user interface design or poor user education? Databases: Databases are often the targets of cyber-attacks. They are rich resources of information. It is necessary to understand how a database management system functions and is administered. These are key skills in protecting information from cyber-theft or sabotage. Web systems: provide the external interface to many different types of computer systems. 39

41 If a separate discipline for cyber-security was designed, it would closely resemble an IT program with a cyber-security emphasis. 4. A Cyber- Curriculum The authors caution strongly against removing security content from IT topics in order to move it to defined cyber-security courses. Rather, they want security across the curriculum and they think that there is still significant advanced content that would benefit undergraduates and help reduce the cyber-security professional deficit. There are some topics simply not found in any other discipline. The authors have defined a framework which can be used to place emphasis on cyber-security in a curriculum. The framework is called Prepare, Defend and Act. Prepare: What cyber-threats are there and how can we prepare for and minimize potential attacks? Defend: How to design and maintain secure systems? Act: What should be done in the event of a cyber-attack and how can one place attribution? 5. Educational Methods The authors suggest also educational methods for teaching: hands-on experience in labs collaboration with industry and government to gain insight into current cyber-security threats, trends and needs case studies to engage in topical discussions of past cyber-security events Unit, E. I. (2011). Cyber power index: findings and methodology. Booz Allen Hamilton. Retrieved from: While strong digital development increases cyber power potential, a rise in dependency also results in greater security risks. As illustrated by the Cyber Power Index, many countries struggle with this inherent contradiction, while leading countries meet these new challenges. Cyber power is the ability to withstand cyber attacks and to deploy the digital infrastructure necessary for a productive and secure economy. The concept encompasses the benefits and potential challenges of reliance on digital resources. The Cyber Power Index is a dynamic quantitative and qualitative model, constructed from 39 indicators and sub-indicators that measure specific attributes of the cyber environment across four drivers of cyber power: legal and regulatory framework, economic and social context, technology infrastructure, industry application. A benchmarking exercise covers 19 countries of the Group of 20 (G20), excluding the EU. The top five countries exhibiting cyber power (UK, US, Australia,, Canada) illustrate that developed Western countries are leading the way into the digital era. The leading emerging market countries (Brazil, Russia, India and China) have some room for improvement. There is also a wide discrepancy between the top and the bottom of the index. Other key findings are: s comprehensive cyber policies are a key to its success Clear Cybersecurity plans are absent in even some of the major economies Cyber Power relies on a solid foundation that includes technical skills, high educational attainment levels, open trade policies, and an innovative business environment Prioritization of ICT access is higher in the developed world The G20 countries exhibit limited technological progress within key industries 40

42 Willets, D. (2014). Developing our capability in cyber security: Academic Centres of Excellence in Cyber Research. Retrieved from: This document gives an overview about cyber security activities in 11 research centers in the UK. For each research center, a short introduction, key areas of expertise/specialism, a number of projects, collaborations or activities, and contact information are provided. Aim of the centers is to make the UK more resilient to cyber attacks. Aim of the document is to give an overview about cyber security UK's activities. The document may be out-dated, since it references a new call during autumn The proposed idea is 'to conquer the enemy is to take his country completely intact.' A likely scenario of the enemy is stated to be 'psychological warfare, propaganda and extremely precise disruptive sabotage operations with threat of conventional force, but not violating the international law while being focused on state destabilization induced by undermining the trust of citizens in their government.' 41

43 Appendix III. List of institutions with courses in various areas of cybersecurity, for which information was provided by individual contributors Table 2. List of Institutions and courses in Cybersecurity Country Course Title (Local, English) Course Level (Undergrad, Grad) Discipline (E.G., ) Austria of Innsbruck Information Austria of Innsbruck IT- Architectures Austria Vienna of Internet Undergrad Course Comuter Science Austria Vienna of Advanced Internet Course Comuter Science Austria Vienna of Introduction to Undergrad Course Comuter Science Cyprus Ledra College BSc Cyber Undergraduate BSc Cyprus Univeristy of Cyprus, Nicosia MSc/BSc Internet Computing/ /UG MSc/BSc Cyprus Open of Cyprus Information & Communications Systems MSc/PhD pathways Computer Science/Computer Engineering/Information Systems/Communication Systems Finland of Turku Cryptography and Data Information and Cryptography Finland of Turku Network Systems Information and Cryptography Finland of Helsinki Tietoturvan perusteet (Introduction to Computer ) Undergraduate Finland of Helsinki Cryptography and Network Finland of Helsinki / Aalto Mobile Platform 42

44 Country Course Title (Local, English) Course Level (Undergrad, Grad) Discipline (E.G., ) Finland of Helsinki / Aalto Software Finland Aalto Noin fifty-sixty? Kurssi epävarmuuden käsitteistä, käsittelystä ja käsittämättömyydestä (About fifty-sixty? Exchange rate uncertainty, concepts, processing and incomprehensibility) Finland Aalto Information Undergraduate/ Finland Aalto Science and and Design of and Terrorism: Contemporary and Historical Perspectives Finland Aalto of Communication Protocols Finland Aalto Information Undergraduate Finland Aalto Laboratory Works in Networking and Finland Aalto Information and Usability Finland Aalto Network Finland Aalto Seminar on Network Finland Aalto Special Assignment in Networking and Finland Aalto Special Course in Information Finland Aalto Cryptography and Data Undergraduate France Eurecom Cyber-Crime and Computer Forensics Grad France Eurecom System and Network Grad France Eurecom Secure Communications Grad 43

45 Country Course Title (Local, English) Course Level (Undergrad, Grad) Discipline (E.G., ) France Eurecom applications in networking and distributed systems Grad France Eurecom Imaging for Applications, Watermarking & Biometrics Grad RWTH Aachen IT- 1 Business Administration,, Mathematics, Media Informatics, Software Systems Engineering Augsburg Software- und Systemsicherheit / Software and System Freie Berlin Rechnersicherheit / Computer Freie Berlin IT-Sicherheit / IT- Freie Berlin Kryptographie und Sicherheit in Verteilten Systemen / Cryptography and in Distributed Systems TU Berlin Sicherheitsaspekte in der Softwaretechnik / aspects in Software Engineering, Computer Engineering Ruhr- Bochum Projekt Eingebettete Sicherheit / Project Embedded IT /Information Ruhr- Bochum and Privacy in Wireless Networks IT /Information Ruhr- Bochum Netz- und Datensicherheit / Network and Data Applied Computer Science, IT /Information Ruhr- Bochum Praktikum Appliances / Practical Course Appliances IT /Information Brandenburgische Technische Cottbus IT-Sicherheit / IT-, Engineering Economics, and Innovation Management, Information and Media, ebusiness 44

46 Country Course Title (Local, English) Course Level (Undergrad, Grad) Discipline (E.G., ) Dortmund Sicherheit und Softwareengineering / and Softwareengineering, Applied Computer Science TU Dresden Trustworthy and Energy- Efficient Smart Grids, Media Computer Science, Information Systems Engineering TU Dresden Komplexpraktikum Datenschutz in der Anwendungsentwicklung / Practical course on Data protection in Application Development, Media TU Dresden Komplexpraktikum Datenschutzfreundliche Technologien im Internet / Practical Course on Friendly Data Protection Technologies on the Internet, Media TU Dresden Anwendungsforschung Datenschutz und Datensicherheit / Applied Research on Data Protection and Data Duisburg-Essen Entwicklung sicherer Software / Development of save and secure Software Undergraduate/ Applied Computer Science, International Studies in Engineering, Electrical Engineering and Information Heinrich Heine Düsseldorf Sicherheitskritische Systeme / Safety Critical Systems Uni Erlangen- Nürnberg Datenschutz und Compliance / Data protection and Compliance Uni Erlangen- Nürnberg IT- Projekt / IT- Project Uni Erlangen- Nürnberg IT-Sicherheits- Konferenzseminar / IT- Conference Seminar Goethe Frankfurt a. M. Informations- und Kommunikationssicherheit: Infrastrukturen, Technologien und Geschäftsmodelle / Information and Communication -, Business Informatics 45

47 Country Course Title (Local, English) Course Level (Undergrad, Grad) Discipline (E.G., ) Infrastructures, technologies, and business models Goethe Frankfurt a. M. Privacy vs. Data: Business Models in the digital, mobile Economy Goethe Frankfurt a. M. Identity management in the crossroad: business interests and users' privacy, Business Informatics Goethe Frankfurt a. M. Mobile Business II - Application Design, Applications, Infrastructures and Goethe Frankfurt a. M. Privacy in Online and Enterprise Social Networks Westfälische Hochschule Gelsenkirchen Datenschutz und Ethik / Data Protection and Ethics Internet Westfälische Hochschule Gelsenkirchen Internet-Sicherheit A + B / Internet A + B Internet Westfälische Hochschule Gelsenkirchen Programmiermethodik und Sicherheit / Programming methodology and Internet Westfälische Hochschule Gelsenkirchen Grundlagen der IT-Sicherheit / Fundamentals of IT Internet TU Hamburg- Harburg Application Computer Science/Engineering, Information and Media Technologies, TU Ilmenau Network TU Ilmenau Schutz von Kommunikationsinfrastrukturen / Protection of Communications Infrastructure Karlsruhe Fortgeschrittene Verschlüsselungstechniken / Advanced Ciphering Techniques Karlsruhe Praktikum Kryptographie und Datensicherheit / Practical and Similar Disciplines 46

48 Country Course Title (Local, English) Course Level (Undergrad, Grad) Discipline (E.G., ) Course Cryptography and Data Koblenz-Landau IT-Risk-Management Information Management, Computer Science, Computational Visualistics Koblenz-Landau Sicherheit und Zuverlässigkeit für mobile Anwendungen / and reliability for mobile applications Information Management, Computer Science, Computational Visualistics Lübeck SOA, Sicherheit und Runtime- Verifikation / SOA, and Runtime Verification Lübeck Sicherheit in Netzen und Verteilten Systemen / in Networks and Distributed Systems Magdeburg Multimedia and Computer Visualistics, Business Informatics, Computer Systems in Engineering, Computer Science, Data & Knowledge Engineering Magdeburg Selected Chapters of IT Computer Visualistics, Computer Systems in Engineering, Computer Science, Business Informatics, Computational Mathematics, Data and Knowledge Engineering Magdeburg Advanced Issues in Medical Systems Medical Systems Engineering Magdeburg Praktikum IT Sicherheit / Practical Course IT, Computer Visualistics, Business Informatics, Computer Systems in Engineering, Data & Knowledge Engineering LMU München IT-Sicherheit - Sicherheit vernetzter Systeme, Media Potsdam Network in Practice IT Systems Engineering Potsdam Privacy and in IPv6 IT Systems Engineering 47

49 Country Course Title (Local, English) Course Level (Undergrad, Grad) Discipline (E.G., ) Potsdam Sicherheit in komplexen IT- Landschaften / in complex IT environment IT Systems Engineering Regensburg Sicherheit datenintensiver Anwendungen / of data-intensive applications Business Informatics Siegen Kryptographische Verfahren und Anwendungen I / Cryptographic processes and applications I Siegen Kryptographische Verfahren und Anwendungen II / Cryptographic processes and applications II Trier Moderne Kryptographie (IT- Sicherheit III) / Modern Cryptography (IT- III), Business Informatics, Applied Mathematics Trier Ausgewählte Kapitel der Informationssicherheit und Kryptographie (IT-Sicherheit IV) / Selected Topics on Information and Cryptography (IT- IV), Business Informatics Augsburg Safety and Undergraduate Augsburg Internetsicherheit / Internet security Undergraduate Ruhr- Bochum Vertiefungspraktikum Appliances / Immersion Practical Course Appliances Undergraduate IT /Information FH Bonn-Rhein Sieg Sicherheit in Netzen / Network Undergraduate TU Braunschweig Grundlagen der Sicherheit in Netzen und verteilten Systemen / Foundations of Network and Distributed Systems Undergraduate Dortmund Werkzeugunterstützung für sichere Software / Tool support for secure Software Undergraduate, Applied Computer Science 48

50 Country Course Title (Local, English) Course Level (Undergrad, Grad) Discipline (E.G., ) Dortmund Fachprojekt Softwaretechniken für sichere Cloud-Computing Systeme / Project Software techniques for secure Cloud- Computing Systems Undergraduate, Applied Computer Science TU Dresden Sicherheit in Computersystemen / in Computer Systems Undergraduate, Media TU Dresden Datenschutz in der Answendungsentwicklung / Data protection in Application Development Undergraduate, Media Uni Erlangen- Nürnberg IT-Sicherheits- Konferenzseminar / IT- Conference Seminar Undergraduate, Medical Engineering TU Hamburg- Harburg Computersicherheit / Computer Undergraduate Information Koblenz-Landau Datenschutz / Data Protection Undergraduate Information Management, Business Informatics Koblenz-Landau Grundlagen der IT-Sicherheit / Fundamentals of IT Undergraduate Information Management, Computer Science, Computational Visualistics Magdeburg Sichere Systeme / Secure Systems Undergraduate Magdeburg Secure Infrastructures Project Undergraduate, Business Informatics, Computer Visualistics,Computer Systems in Engineering Magdeburg Ausgewählte Kapitel der IT- Sicherheit / Selected Chapters of IT- Undergraduate, Business Informatics, Computer Visualistics,Computer Systems in Engineering Magdeburg Sicherheitsfragen eingebetteter Systeme / Safety Issues of Embedded Systems Undergraduate, Business Informatics, Computer Systems in Engineering, Computer Visualistics Magdeburg Grundlagen IT-Sicherheit / Fundamentals of IT Undergraduate, Business Informatics, Computer Systems in 49

51 Country Course Title (Local, English) Course Level (Undergrad, Grad) Discipline (E.G., ) Engineering, Computer Visualistics Potsdam Internet : Weaknesses and Targets Undergraduate IT Systems Engineering Regensburg IT- I Undergraduate Business Informatics Regensburg IT- II Undergraduate Business Informatics Saarbrücken and Privacy - A Beginner's Guide Undergraduate Trier Einführung in die Informationssicherheit (IT- Sicherheit I) / Introduction to Information (IT- I) Undergraduate, Business Informatics Trier System- und Netzwerksicherheit (IT- Sicherheit II) / System and Network (IT- II) Undergraduate, Business Informatics, Applied Mathematics Bamberg Informationssicherheit / Information and Undergraduate / Ruhr- Bochum Aktuelle Themen der IT- Sicherheit / Recent Topics in IT Undergraduate / Applied Computer Science, IT /Information Ruhr- Bochum Embedded Undergraduate / Applied Computer Science, Electrical Engineering and Information, IT /Information Ruhr- Bochum Sichere Hardware / Secure Hardware Undergraduate / Electrical Engineering and Information, IT /Information Ruhr- Bochum Projekt Netz- und Datensicherheit / Project Network and Data Undergraduate / Applied Computer Science, IT /Information TU Chemnitz Datensicherheit / Data Undergraduate / Digital Manufacturing, Computational Science, 50

52 Country Course Title (Local, English) Course Level (Undergrad, Grad) Discipline (E.G., ), Mathematics, etc. Brandenburgische Technische Cottbus IT-Sicherheit in kritischen Infrastrukturen / IT- in critical infrastructures Undergraduate /, ebusiness, Information and Media TU Darmstadt, Privacy and Trust Undergraduate / (or related areas, such as electrical engineering) Dortmund Sicherheit: Fragen und Lösungsansätze / : Questions and Solution Approaches Undergraduate /, Data Science TU Dresden and Cryptography II Undergraduate /, Media TU Dresden Technischer Datenschutz / Technical Data Privacy Undergraduate /, Media Computer Science, Information Systems Engineering TU Dresden Komplexpraktikum Kryptographie und Datensicherheit / Practical course on Cryptography and Data Undergraduate /, Media TU Dresden and Cryptography I Undergraduate /, Media Computer Science, Computational Engineering, Computational Logic TU Dresden Kryptographische Grundlagen der Datensicherheit / Cryptographic Fundamentals of Data Undergraduate /, Media Uni Erlangen- Nürnberg Angewandte IT-Sicherheit / Applied IT- Undergraduate / Fernuniversität Hagen Sicherheit im Internet I / Internet I Undergraduate / TU Hamburg- Harburg Software Undergraduate / Computer Science/Engineering, Information and Media Technologies, Information and Communication Systems, Electromagnetic Theory 51

53 Country Course Title (Local, English) Course Level (Undergrad, Grad) Discipline (E.G., ) TU Hamburg- Harburg Network Undergraduate / Computer Science/Engineering, Information and Media Technologies, Information and Communication Systems, Electromagnetic Theory Karlsruhe Sicherheit / Undergraduate / RWTH Aachen Selected Topics in IT- RWTH Aachen Selected Topics in IT- and Cryptography Ruhr- Bochum Betriebssystemsicherheit / Operating System IT /Information Ruhr- Bochum Systemsicherheit I + II / Systems I + II Applied Computer Science, Electrical Engineering and Information, IT /Information Ruhr- Bochum Netzsicherheit I + II / Network I + II Electrical Engineering and Information, IT /Information Ruhr- Bochum Praktische Aspekte der Cybersicherheit / Practical Aspects of Cyber IT /Information Ruhr- Bochum XML- und Webservice- Sicherheit / XML and Webservice Applied Computer Science TU Chemnitz Praktikum Theoretische Informatik und Informationssicherheit / Practical Course Theoretical and Information, Applied Computer Science TU Darmstadt Secure, Trusted and Trustworthy Computing TU Darmstadt Embedded System TU Darmstadt Practical Lab on Smartphone 52

54 Country Course Title (Local, English) Course Level (Undergrad, Grad) Discipline (E.G., ) TU Darmstadt Physical Layer in Drahtlosen Systemen / Physical Layer in Wireless Systems TU Darmstadt Praktikum Sichere Mobile Netze / Practical Course on Secure Mobile Networks TU Darmstadt Ausgewählte Themen der Netzsicherheit / Selected topics of Network TU Darmstadt Mining Facebook TU Darmstadt Praktikum Smartphone Sicherheit für Android Applikationen / Practical Course Smartphone for Android Applications TU Darmstadt Implementierung in Forensik und Mediensicherheit / Implementation in IT-Forensics and Multimedia TU Darmstadt and Privacy in Information TU Darmstadt Sicherheit von SDN / of SDN TU Darmstadt Cryptography, Privacy and TU Darmstadt Building and Breaking Comply Software Systems TU Darmstadt Implementing Secure & Reliable Software TU Darmstadt and the Cloud - The Issues and Metrics TU Darmstadt Smart Grid Informatics and Trustworthiness TU Darmstadt Cloud Freiburg Sicherheit in BPM / in BPM 53

55 Country Course Title (Local, English) Course Level (Undergrad, Grad) Discipline (E.G., ) Freiburg IT-Sicherheit / IT- Freiburg and Risk Management Economics Freiburg Privacy and in der Informationsgesellschaft / Privacy and in the Information Society Freiburg Sicherheitstechnologien der Informationsgesellschaft / Resilient Business Process Management Fernuniversität Hagen Parallelverarbeitung und IT- Sicherheit / Parallel processing and IT Fernuniversität Hagen Sicherheitsgerichtete Echtzeitsysteme / Safety-related real-time Systems Fernuniversität Hagen IT-Sicherheit Konzepte, Standards, Verfahren und Anwendungen / IT Concepts, Standards, Proceedings and Applications Hamburg Verteilte Systeme und Informationssicherheit / Distributed Systems and Information TU Hamburg- Harburg Introduction to TU Hamburg- Harburg IT Risk Management Karlsruhe Asymmetrische Verschlüsselungsverfahren / Asymmetric Ciphering Methods Karlsruhe Seitenkanalangriffe in der Kryptographie / Side Channel Attacks in Cryptography Karlsruhe Beweisbare Sicherheit in der Kryptographie / Verifiable in Cryptography 54

56 Country Course Title (Local, English) Course Level (Undergrad, Grad) Discipline (E.G., ) Karlsruhe Symmetrische Verschlüsselungsverfahren / Symmetric Ciphering Methods Magdeburg Biometrics and TU München Sichere mobile Systeme / Secure mobile systems TU München IT-Sicherheit / IT- TU München Practical Course Web Application Rostock Rechnernetze und Datensicherheit / Computer Networks and Data Rostock Datensicherheit / Data Saarbrücken Language-Based Saarbrücken Saarbrücken Hot Topics in & Privacy Saarbrücken Privacy Enhancing Technologies (PETs) LMU, TU, Uni Augsburg IT- master-level computer science Greece of Piraeus Digital Systems (MSc) Computer Science/Computer Engineering/Information Systems/Communication Systems Greece of the Aegean Information & Communication Systems (MSc) Computer Science/Computer Engineering/Information Systems/Communication Systems Italy Universita` degli Studi di Milano Computer and network security (Sicurezza dei Sistemi e delle Reti Informatiche) Undergraduate 55

57 Country Course Title (Local, English) Course Level (Undergrad, Grad) Discipline (E.G., ) Italy Universita` degli Studi di Milano Information (master) - Italy of Modena and Reggio Emilia Master on "Information security and Legal disciplines" Computer science, Computer engineering, Law Italy of Modena and Reggio Emilia Master on "Digital forensics" Computer science, Computer engineering Italy of Modena and Reggio Emilia Master on "Cyberdefence" Computer science, Computer engineering Italy Politecnico di Milano Specialist Italy Universita` degli Studi di Milano Computer and network security (Sicurezza dei Sistemi e delle Reti Informatiche) Undergraduate Italy Universita` degli Studi di Milano Information (master) - Italy UCBM Univerity CAMPUS BioMedico di Roma Master in Homelaand Post-graduated Economic, Law, Risk Management, Cybersecurity, Physical, Technologies, Complex Systemn Design Italy of Catania Internet Undergraduate Italy Computer Italy of Padua Computer and Network Luxembourg of Luxembourg in collaboration with CRP Henri Tudor Master in "Information Systems Management" Master Computer science Netherlands Eindhoven of Cryptography I Information Netherlands Eindhoven of Verification of Protocols Information 56

58 Country Course Title (Local, English) Course Level (Undergrad, Grad) Discipline (E.G., ) Netherlands Eindhoven of Information Information Netherlands Eindhoven of Hacker's Hut & Engineering, Information, Service Design and Engineering Netherlands Eindhoven of Cryptography II Information Netherlands Eindhoven of Physical Aspects of Digital Information Netherlands Radboud Nijmegen Hardware Computing Science, Information Netherlands Radboud Nijmegen Privacy Seminar Computing Science, Information Netherlands Radboud Nijmegen Law in Cyberspace Computing Science, Information Science, Information Netherlands Radboud Nijmegen Software Computing Science, Information Netherlands Radboud Nijmegen in organisations Computing Science, Information Science, Information Netherlands Radboud Nijmegen Software & Web 1 Undergraduate Netherlands Radboud Nijmegen Software & Web 2 Undergraduate Netherlands of Twente and Privacy in Mobile Systems, Information Netherlands of Twente Secure Data Management, Information 57

59 Country Course Title (Local, English) Course Level (Undergrad, Grad) Discipline (E.G., ) Netherlands of Twente Network Business Information, Computer Science, Electrical Engineering, Telematics, Information Netherlands of Twente Cyber Crime Science, Information Netherlands Vrije Universiteit Amsterdam Computer and Network, Parallel and Distributed Computer Systems Netherlands Vrije Universiteit Amsterdam Advanced Topics in Computer and Network Parallel and Distributed Computer Systems Norway of Oslo in distributed systems Norway of Oslo in operation systems and software Norway of Oslo Information Undergraduate Norway of Oslo Intrusion detection and firewalls Norway of Oslo Unassailable IT-systems Norway NTNU - Trondheim Wireless Network Second degree level Norway NTNU - Trondheim ICT- Evaluation Doctoral degree level Norway NTNU - Trondheim Information Second degree level Norway NTNU - Trondheim Software Second degree level Norway NTNU - Trondheim Cryptographic Protocols and Their Applications Doctoral degree level Norway NTNU - Trondheim Cryptography Second degree level Norway Gjøvik College (GUC) Introduction to Information Undergraduate Information 58

60 Country Course Title (Local, English) Course Level (Undergrad, Grad) Discipline (E.G., ) Norway Gjøvik College (GUC) Introduction to Information Risk Management Undergraduate Information Norway Gjøvik College (GUC) Data Communication and Network Undergraduate Information Norway Gjøvik College (GUC) Introduction to security Plannin and Incident Handling Undergraduate Information Norway Gjøvik College (GUC) Software Undergraduate Information Norway Gjøvik College (GUC) Ethical Hacking and Penetration Testing Undergraduate Information Norway Gjøvik College (GUC) Introduction to Cryoptology Undergraduate Information Norway Gjøvik College (GUC) Digital Forensics Undergraduate Information Norway Gjøvik College (GUC) Cryptology I Information Norway Gjøvik College (GUC) Applied Information Information Norway Gjøvik College (GUC) Legal Aspects of Information Information Norway Gjøvik College (GUC) Socio-technical Riks Modeling and Analysis 1 Information Norway Gjøvik College (GUC) Foundations of Information Information Norway Gjøvik College (GUC) Cryptology II Information Norway Gjøvik College (GUC) Software Trends Information Norway Gjøvik College (GUC) as Continuous Improvement Information Norway Gjøvik College (GUC) Management Dynamics Information Norway Gjøvik College (GUC) Planning and Incident Management Information 59

61 Country Course Title (Local, English) Course Level (Undergrad, Grad) Discipline (E.G., ) Norway of Stavanger Risk Analysis and Risk Management Spain Almeria Especialista en Seguridad Informática, IT specialist Postgrad Computer science Spain Leon MASTER PROFESIONAL EN TECNOLOGÍAS DE LA SEGURIDAD, Proffesional master in Postgrad Computer science Spain UOC, URiV, UAB MISTIC: Máster interuniversitario de seguridad de las tecnologías de la información y de las comunicaciones, Interuniverstity master in technology and communication security Postgrad Computer science Spain Deusto Diploma de especialización en Seguridad de la información, IT security speclaization Postgrad Computer science Spain UAX Máster Universitario en Ingeniería de Seguridad de la Información y las Comunicaciones, Communications and information security Postgrad Computer science Spain UAM Máster en Auditoría, Seguridad,Gobierno y Derecho de las TIC, master in IT audit gobernance and law Postgrad Computer science Spain Uc3M Máster Universitario en Ciberseguridad, Cibersecurity master Postgrad Computer science Spain UDIMA Máster en Dirección de Seguridad de la Información.Information security direction Postgrad Computer science Spain UE MÁSTER UNIVERSITARIO EN SEGURIDAD DE TECNOLOGÍAS DE LA INFORMACIÓN Y DE LAS COMUNICACIONES, master in technology and communication security Postgrad Computer science 60

62 Country Course Title (Local, English) Course Level (Undergrad, Grad) Discipline (E.G., ) Spain UNIR máster universitario en seguridad informática, IT security Postgrad Computer science Spain UNED MÁSTER EN SISTEMAS DE GESTIÓN DE SEGURIDAD INFORMÁTICA, IT security systems gobernance Postgrad Computer science Spain UPM DIRECCIÓN Y GESTIÓN DE SEGURIDAD DE LA INFORMACIÓN, Information security gobernance Postgrad Computer science Spain CEU Máster Internacional Universitario en Protección de Datos, Transparencia y Acceso a la Información, Data proteccion, transparency and information access master Postgrad Law Spain CEU Máster en Seguridad de la Información, Information security master Postgrad Computer science Spain Centro Universitario de Tecnológica y Arte Digital (U- TAD) Master Indra en Ciberseguridad, Cybersecurity Sweden Chalmers Computer computer science Sweden Chalmers Network computer science Sweden Chalmers Language-based security computer science Sweden Chalmers Cryptography computer science Sweden Chalmers ICT Support for Adaptiveness and in the Smart Grid computer science Sweden Linköping Software Undergrad Computer science Sweden Linköping Information, Second Course Undergrad Computer science Sweden Linköping Information, Introduction Undergrad Computer science 61

63 Country Course Title (Local, English) Course Level (Undergrad, Grad) Discipline (E.G., ) Cardiff Metropolitan (UWIC) Information & Communication Management Management Cardiff with placement Cardiff Information & Privacy City, London Information and Risk Information Systems Coventry Forensic Computing Cranfield Cyber Defence and Information Assurance Cranfield Forensic Computing De Montfort, Leicester Cybersecurity Edge Hill Information and IT Management Edinburgh Napier Advanced and Cybercrime Edinburgh Napier Advanced and Digital Forensics Essex Computer Networks and Glasgow Caledonian IT Glasgow Caledonian Network Heriot-Watt, Edinburgh Advanced Internet Applications Imperial College London MSc in Computing (Secure Software Systems specialism) 62

64 Country Course Title (Local, English) Course Level (Undergrad, Grad) Discipline (E.G., ) Kings College ( of London) Computing and Kingston Network and Information with Management Studies Kingston Network and Information Lancaster Cyber Leeds Metropolitan Digital Forensics & Liverpool Hope Networks and Liverpool John Moores Computer Network London Metropolitan Computer Forensics and IT London Metropolitan Computer Networking with London Metropolitan Network Management and Loughborough Communication Networks, and Forensics Loughborough Internet Computing and Network Middlesex Computer and Network Middlesex Electronic and Digital Forensics Newcastle Advanced Newcastle Computer and Resilience 63

65 Country Course Title (Local, English) Course Level (Undergrad, Grad) Discipline (E.G., ) Nottingham Trent Internet and Oxford Software Engineering Robert Gordon Information and Network Royal Holloway, London ( of London) Information Sheffield Hallam Information Systems Staffordshire Computer Networks and College ( of London) Information of Bath Internet Systems and of Bedfordshire Computer and Forensics of Bedfordshire Computer Forensics and IT of Birmingham Computer of Bradford Internet, Computer and System of Central Lancashire IT of Derby Information Information Systems of East London Information and Computer Forensics (ISCF) of Glasgow Information 64

66 Country Course Title (Local, English) Course Level (Undergrad, Grad) Discipline (E.G., ) of Glasgow Information of Gloucestershire Computing (Information ) of Greenwich Computer Forensics and the Law Computing and Law of Greenwich Information and Audit Information Systems of Greenwich Computer Forensics and Cyber of Greenwich Network and Computer Systems of Kent Computer of Kent Networks and of Leicester and Risk Management Law of Manchester Computer of Northampton Computing (Internet and ) of Plymouth Computer and Information of Plymouth Network Systems Engineering of Portsmouth Communication Network Planning and Management of Portsmouth Computer Network Administration and Management of Portsmouth Forensic Information of Portsmouth Computer and Information 65

67 Country Course Title (Local, English) Course Level (Undergrad, Grad) Discipline (E.G., ) of Salford Information Information Systems of South Wales Computer Systems of South Wales Computer Forensics of South Wales Computer Systems of Southampton Corporate Risk and Management Business Studies of Surrey and Applications of the West of England (UWE) Network Systems includes Securing Networks of Westminster Computer Forensics of Wolverhampton ybersecurity and Digital Forensics of York Cyber Warwick Cyber and Management (CSM) The Open Digital Forensics (M812) The Open Information (M811) The Open Network (T828) of Kent Advanced MSc in Computer Post CS of Kent Advanced MSc in Networks and Post CS of Kent Kent Advanced MSc in Information and Biometrics Post CS, Biometrics 66

68 67