Cybersecurity Education snapshot for workforce development in the EU

Transcription

1 Cybersecurity Education snapshot for workforce development in the EU Network and Information (NIS) Platform Working Group 3 Final version v0.9 Last modified: September 2015 Editors: Claire Vishik (Intel), Maritta Heisel ( Duisburg-Essen)

2 Contents 1 Executive Summary Objectives Preliminary Findings Recommendations Introduction Scope Methodology Identification and type of sources Survey ENISA database Reinforcement from secondary sources Results and findings Survey findings Conclusions drawn from data Conclusions based on secondary sources Achievements and Gaps Achievements Gaps Opportunities and recommendations Multi-disciplinary focus Responsiveness to changes in technology and societal environment End-to-end skill development Alignment of curricula and training with demand for skills Using appropriate methodologies for teaching cybersecurity at all levels, from awareness to focused expertise Bring all Member States to the agreed upon baseline with regard to cybersecurity indicators Conclusions and Future Work Acknowledgements Appendix I. References Appendix II. Evaluation of some secondary sources Dlamini, M. T., Eloff, J. H., & Eloff, M. M. (2009). Information security: The moving target: Computers &, 28(3), e-skills in Europe. Country Report Estonia. (2014) Evans, K., & Reeder, F. (2010). A Human Capital Crisis in Cybersecurity: Technical Proficiency Matters. CSIS, Goodyear, M., Goerdel, H. T., Portillo, S., & Williams, L. (2010). Cybersecurity Management In the States: The Emerging Role of Chief Information Officers

3 Kleinberg, H., Reinicke, B., & Cummings, J. (2014). Best Practices: What to do? Proceedings of the Conference for Information Systems Applied Research Baltimore, Maryland USA Kleiner, A., Nicholas, P., & Sullivan, K. (2013). Linking Cybersecurity Policy and Performance. Microsoft Trustworthy Computing Kortjan, N., & von Solms, R. (2014). A conceptual framework for cyber-security awareness and education in SA. South African Computer Journal, 52, McDuffie, E. (2011, October). NICE: National Initiative for Cybersecurity Education. In Proceedings of the Seventh Annual Workshop on Cyber and Information Intelligence Research. ACM McGettrick, A. (2013). Toward curricular guidelines for cybersecurity: Report of a workshop on cybersecurity education and training. New York, ACM National Cyber Strategy 2 From awareness to capability. (n.d). Publication of the national coordinator for and counterterrorism OECD. (2012). Cybersecurity Policy Making at a Turning Point: Analysing a new generation of national cybersecurity strategies for the Internet economy Paulsen, C., McDuffie, Ernest, Newhouse, W., & Toth, Patricia. (2012). Nice: Creating a Cybersecurity Workforce and Aware Public. IEEE & Privacy, 10(3), Ponemon Institute. (2014). Best Schools for Cybersecurity: Study of Educational Institutions in the States Rowe, D. C., Lunt, B. M., & Ekstrom, J. J. (2011, October). The role of cyber-security in information technology education. In Proceedings of the 2011 conference on Information technology education (pp ). ACM Unit, E. I. (2011). Cyber power index: findings and methodology. Booz Allen Hamilton Willets, D. (2014). Developing our capability in cyber security: Academic Centres of Excellence in Cyber Research Appendix III. List of institutions with courses in various areas of cybersecurity, for which information was provided by individual contributors Index of figures Figure 1. Summary of opportunities and recommendations for a long term Education framework... 5 Figure 2. Cross-domain processes... 7 Figure 3. Levels of Proficiency... 8 Figure 4. List of countries who provided data Figure 5. European Education and Training Map by NIS WG3 and ENISA Figure 6. Numbers of graduate and undergraduate courses per country (snapshot taken in August 2015).. 16 Figure 7. Number of Disciplines in which most courses are offered (snapshot taken in August 2015) Figure 8. Main audience (snapshot taken in January 2015) Index of tables Table 1. Data collected so far Table 2. List of Institutions and courses in Cybersecurity

4 1 Executive Summary NIS Platform working group (WG3) on Secure ICT Research and Innovation identified a snapshot of the education and training landscape as one of the input deliverables needed for the creation of a Network and Information Strategic Research Agenda (SRA). The goal of this report is to produce an analysis of available offers in higher education and training in Cyber in Europe and beyond. We consider one of the achievements of this initiative the synergies and collaboration with ENISA for the creation of an EU cybersecurity education database 1, maintained by ENISA under their Cyber Month initiative. The database includes a list of available courses and certification programmes linked to Network and Information, privacy and data protection and will permit to continue this project and periodically revise the conclusions based on the new information in the database and additional secondary sources. We express our gratitude to ENISA for making a sustainable effort on this subject possible. For the purposes of this work, we have accepted a broad definition of cybersecurity that comprises a wide range of relevant topics (see definitions in chapter 3), from cryptography, computer, information and network security to privacy, security economics, or legal, regulatory, and policy frameworks. 1.1 Objectives As Education and Training in Cybersecurity should be a dynamic process because of their continuous evolution nature, we have defined a methodology to get quick insights (also named as short term) from current available data sources as well as to define some keys to support the future set-up of an EU education and training framework in cybersecurity in order to guarantee a consistent evolution process (also named as long term) aligned with scientific research and industrial skills needed along the time. The short term objectives focus on the curricula for higher education since the information on training is more dispersed and difficult to collect: 1. Collect sufficient information on cybersecurity higher education curriculum in member states of EU to form the first impressions of trends and degrees of coverage in this area across the region. 2. Develop a mechanism to collect information about training and education. 3. Collect and analyse secondary sources, i.e., work already performed by others to analyse some areas of cybersecurity education and skills development. 4. Form preliminary impression on gaps and formulate recommendations for development based on the information currently available. The long term objectives focus on the future creation of an EU education and training framework in cybersecurity as an evolution of the project, in order to provide the European Commission, ENISA and member states with processes and tools to keep an up-to-date snapshot on education and training in cybersecurity as well as effective mechanisms to support the implementation of different policies to reduce the gap between available education in EU and skills needed by the cybersecurity sector: 1. Refine the data collection mechanism to continue to build our knowledge of the state of curriculum in cybersecurity available in the EU. 2. Define a process, by which the information on cybersecurity curricula could be continuously collected and kept up to date. 3. Define an approach to collecting and analysing more diverse information on training in cybersecurity. 4. Formulate durable research questions to better understand the current state and future needs of education/training in cybersecurity. 5. Define an analysis methodology that permits us to draw reliable conclusions based on incomplete information. 1 The database is available at 3

5 6. Develop analysis methodologies that would allow us to benchmark and compare activities at peer institutions and different EU countries. 7. Form a community of practice with representation from all the EU member states in order to continue collecting information and developing relevant analyses, on demand, if needed. 1.2 Preliminary Findings Analysis of primary and secondary data sources indicate that cybersecurity education is a fast growing field, with positive changes in coverage and awareness occurring consistently. Although coverage appears to be uneven for different European countries, the availability of coursework and training in cybersecurity and privacy is growing, especially in the area of core security curriculum. Some curriculum is also available online, and emerging K-12 curricula on cybersecurity basic permit, in some cases, to commence higher education on this subject at an elevated level of proficiency. Many gaps still remain. Soft definition of the science of cybersecurity has led to great diversity in training and curricula impeding the creation of common context and core knowledge in cybersecurity. Furthermore, there is a lack of differentiation between traditional programmes offering fundamental security related curricula and more versatile cybersecurity programs with multi-disciplinary coverage and multi-faceted training materials. In general, there are limited vehicles available today to create an all-round skill set in cybersecurity, with expertise in technology and societal issues. Although multidisciplinary programs exist, the graduates continue to specialize in either societal or technical aspects of the subject, with limited knowledge of some subjects. The responsiveness of cybersecurity curricula and training to changes in technology and achievements in science remains low due to the lack of mechanisms to quickly develop and share materials on emerging threats or newly crucial skills. As a result, education and training provided under various cyber-security programs tend to coalesce around a useful common goal, but struggle to match the requirements of the dynamic workplace. Mechanisms are also missing for continuing education for those who already acquired undergraduate and graduate degrees or have focused on various aspects of cybersecurity in their work. Although some EU countries have made strides in bringing cybersecurity students in contact with industry and government for apprenticeship projects, these programs remain limited and do not have solid and permanent sources of funding. Cybersecurity is a very dynamic field. Like similarly fast paced environments, it suffers from the lack of reliable mechanisms to bring the results of research into the curriculum as quickly as possible and to engage students in academic research. The lack of feedback mechanism between research and curricula reflects negatively on actionable nature of skills acquisition. 1.3 Recommendations As a high level summary, the following picture represents opportunities and recommendations as main pillars of a potential future creation of an EU education and training framework in cybersecurity: 4

6 Figure 1. Summary of opportunities and recommendations for a long term Education framework Furthermore, we are in a position to formulate more detailed and specific short-medium preliminary recommendations based on the work done during the current (short term) stage of the project (subchapters see methodology). They belong to the following different categories: Multidisciplinary focus Responsiveness to changes in technology and societal environment End-to-end skill development Alignment of curricula and training with demand for skills Using appropriate methodologies for teaching cybersecurity at all levels, from awareness to focused expertise Bring all Member States to the agreed upon baseline with regard to cybersecurity indicators These recommendations are given in more detail in chapter 7 Opportunities and recommendations. 5

7 2 Introduction The Cybersecurity Strategy of the European Union was published in February As a part of the strategy, the European Commission invited the European Parliament and the Council to adopt a proposal for a Directive on a common high level approach to the Network and Information (NIS) across the European Union. The purpose of the directive was to address national capabilities and preparedness, EU level cooperation, the take-up of risk management practices and information sharing, and other issues. Two and a half years later there is still no agreement on the NIS directive. The NIS Platform, the venue where this report was created, is a private public partnership mechanism created in conjunction with the NIS Directive work, but its mission was extended to address a set of relatively independent NIS issues. As a part of establishing the NIS Public-Private Platform, three working groups were set up to investigate risk management, information exchange and incident coordination and secure ICT research and innovation. The working group on ICT research and innovation (WG3) identified various deliverables, including a snapshot on the education and training landscape for workforce and skill development. This report is the result of the work of a subteam of WG3. 6

8 3 Scope There are diverse, although not contradictory, definitions of cybersecurity. For the purposes of this work, we have accepted a broad definition of cybersecurity that comprises a wide range of relevant topics, from cryptography, computer, information and network security to privacy, security economics, or legal, regulatory, and policy frameworks. According to NICCS Portal Glossary 2, cybersecurity in the narrow sense is: The activity or process, ability or capability, or state whereby information and communications systems and the information contained therein are protected from and/or defended against damage, unauthorized use or modification, or exploitation. The source also offers an extended definition: Strategy, policy, and standards regarding the security of and operations in cyberspace, and encompassing the full range of threat reduction, vulnerability reduction, deterrence, international engagement, incident response, resiliency, and recovery policies and activities, including computer network operations, information assurance, law enforcement, diplomacy, military, and intelligence missions as they relate to the security and stability of the global information and communications infrastructure. It is obvious that cybersecurity touches many aspects of everyday lives. Not surprisingly, the scope adopted for this project is very broad. Based on the broad definition of cybersecurity, it is difficult to narrow down the scope of cybersecurity as a subject. And due to the multi-disciplinary nature of cybersecurity, it is impossible to avoid significant breadth in the subject matter. With increasing diversity and mobility of the computing environment, a narrow approach to cybersecurity is no longer possible. Today processes are cross-domain (see Figure 2 below) and collectively participate in defining risk levels that are attributable to transactions and online activities, both in security and privacy. Most environments are dynamic, with entities (e.g., devices and users) joining and leaving domains during a process. However, work on security and trust composition has remained minimal because it is so complex. The complexity is even more significant in the modern integrated computing environments, such as IoT (Internet of Things) or Cloud. For example, cyber-physical systems (or CPS) representing a large part of IoT systems have not only communication and computing capabilities, but also a physical interface permitting them to manipulate physical environments. Figure 2. Cross-domain processes While we focus on graduate curriculum, we recognize that coursework in undergraduate and graduate curricula in specialized areas like cybersecurity cannot be easily separated from graduate programmes. We therefore do not make a distinction in this report between beginner or advanced levels of training, although these distinctions are pertinent to adopt for future work. Although the subject of this report is higher education and professional level training, we recognize that, with the digital world becoming part of everyday life from an early age, awareness of cybersecurity and privacy issues and elementary skill development should become organic. When the students reach higher education 2 NICCS is National Initiative for Cybersecurity Careers & Studies 7

9 levels with basic skills in cybersecurity well developed, most students and consumers will have the ability to better assess cybersecurity risks in everyday lives, and it will be easier to develop more diverse and multidisciplinary curricula and training. Increasing the general levels of proficiency in cybersecurity by the time the students reach higher education will have a fundamentally positive effect on the level of advanced cybersecurity programs and on the ability of the students to successfully develop multi-disciplinary skills. The pipeline of qualified individuals will be significantly wider, thus enabling various programs to incorporate cybersecurity as an organic component instead of a series of elementary courses. We can illustrate the levels of proficiency and their influence on the expertise pipeline as a stack, starting with passive awareness and moving toward innovation at the highest level (see figure below). Figure 3. Levels of Proficiency Although significant progress was made in extending and propagating cybersecurity curricula, we need to assume also that the degree of innovation in this area would increase significantly if a greater number of individuals progressed to the basic skills level and were able to move on to achieve proficiency. These insights are out of scope for this study, but we believe that, when we assess the state of cybersecurity curricula and skills developments, we also need to understand the negative impact the loss of opportunity early in the skill development cycle is likely to have on innovation. 8

10 4 Methodology In 2003, a report was published on the state of cybersecurity training by academic institutions in Europe 3. The study came in response of the Communication on Network : Information Policy Approach issued by the European Commission in The study, by Fondazione Rosselli, was entitled: Cybersecurity Curricula in European Universities. It included six countries: Greece, Belgium, France,, Italy and UK. The study used a methodology similar to the one adopted for this study: acquire insights based on survey containing minimal information on content and level of university courses. But because of the views on cybersecurity more than ten years ago, the report focused on the narrow view on cybersecurity, putting emphasis on information security courses, with the focus on cryptography. Other areas were considered, but to a lesser degree. With regard to general methodology, we used an approach compatible with the 2003 report that we considered an example of work that could be carried out through NIS platform constituency. Then, we adopted a broad multi-disciplinary view of cybersecurity and relied on secondary sources to validate, to the extent possible, views derived from data, as data are still limited. The work on education landscape conducted for the NIS Platform initiative has been a volunteer effort, with its limitations, but at the same time it provides a broader multi-disciplinary view of cybersecurity. We understand that informal collection of information as undertaken for this project may offer an incomplete and sometimes biased picture. So far, we have not found inconsistencies of views among those who participated in data collection and shared their insights. However, in order to avoid bias, we also seek to establish a mechanism, by which data collection from primary sources could be continued leading to the possibility of a more in depth analysis of the education environment and education needs in cybersecurity. In addition to this report, we hope that the efforts will jumpstart the use of the data collection mechanism created by ENISA (database at: resulting in improved communication among cybersecurity education practitioners. We believe that it is important to continue data collection beyond these initiatives as a key for a potential Education and training cybersecurity framework. The report is intended to set the general direction based on data samples and insights in secondary sources, but assumes that comprehensive analysis will emerge as the findings of this and other projects in this area are aggregated. 4.1 Identification and type of sources The methodology used for the short term stage of the initiative has been simple and includes the identification and analysis of both primary and secondary sources. It has been done by desktop research as well as consultation during some interactive meetings of the Working Group 3 of NIS platform. Primary sources We have asked the cybersecurity community to submit information about cybersecurity curricula in their countries. We have collected some information from a number of member states, including, the UK, Greece, Cyprus, Italy, France, Spain, Portugal, Poland, Luxemburg, and other countries. This information was provided by individual volunteer contributors, and does not represent an official survey by EU institutions and organizations. Data collected has not been comprehensive, but it is relatively representative. In order to increase the value of the online database, we recommend a more official and periodic process, with consistent requests for information sent to all relevant institutions across the EU. Information collection has started in 2014 and has not yet been completed. However, at this level, the representativeness of the information collected is on par with other reports published in this space 4.The 3 Available at: 4 See, e.g., report published by Fondazione Rosselli available at: 9

11 available data was analysed to simulate answers to simple questions that were raised with regard to cybersecurity curricula. Secondary sources Since the collected data is insufficient for drawing all the conclusions, we have also used secondary sources produced by similar projects to support the early conclusions and recommendations. Although the focus of the report is on Europe, other countries, such as the States and Australia, experience the same problems. Consequently, we included secondary sources reflecting also the situation outside of Europe. We consider this a viable approach for the future as well. Even if data collected become more comprehensive, validation by other work will be invaluable to draw broadly applicable conclusions. Secondary sources are listed under Appendix I. References. 4.2 Survey We have collected information from a number of member states, including, the UK, France, Greece, Cyprus, Italy, France, Spain, Portugal, Poland, Luxemburg, and other countries. The data for this report was provided by individual volunteer contributors, and represents a community effort rather than an official survey by EU institutions and organizations. We have formulated, for the first stage, the following research questions: 1. Are the cybersecurity courses predominantly offered as part of dedicated cybersecurity programs or as individual courses within more general curriculum? 2. Are cybersecurity courses predominantly provided as complete courses or modules within more general security courses? 3. Does the recognized multidisciplinary nature of cybersecurity come through in the curriculum, or are courses dedicated primarily to one topic (e.g., policy, user psychology, economics, computer & device security)? 4. Is the curriculum taught predominantly in academic departments (e.g., computer science or economics) or in professional schools (law, international relations, and business) or both? Are multi-disciplinary degrees in cybersecurity available? 5. Is there a strong relationship between cybersecurity curricula, awareness programs and training in cybersecurity? 6. Is there a community of practice associated with teaching cybersecurity across EU? 7. Is there a connection between early preparedness and level of sophistication of cybersecurity classes? 8. What needs to be done to start teaching cybersecurity concepts as early as the children begin to use connected devices? Some of these questions can be answered to a certain extent with the data we collected while the answers to other questions constitute parts of the conclusions and generalization of the data we collected and secondary sources. The information collected for this report permitted us to glimpse some dependencies and relationships between the components of the education systems in EU countries with regard to cybersecurity and a number of problems, such as awareness raising and flexible customizable training. It would be difficult to conceptualize these dependencies as a volunteer effort. We recommend a coordinating action to support deeper insights into the education system and the creation of a larger community of practice around cybersecurity education. 10

12 4.3 ENISA database Data collection A database was created with information on Network and Information courses in Europe in the context of a close partnership with ENISA due to the synergies between NIS WG3 Education deliverable and their NIS Driver license initiative. It was launched in October 2014 which coincides with the advocacy campaign European Cyber Month. The database lists available courses and certification programmes linked to Network and Information, privacy and data protection. The webpage ( ) allows educational institutions representatives to add to the map courses, programmes and trainings on these topics. The information encoded via the web form is pending for approval and then reviewed by the administrator before being published on the website. The ENISA team is supporting in order to modify the information at any stage. Note that the database of available courses and certification programmes is not an exhaustive list and the intention is to have it updated yearly. The plan for 2016 is to consistently improve the search functionality, the display of the information and the promotion towards education providers to encode their offers. Data analysis In addition to this, to better understand the data, we created a list of more specific research questions that we will use after the data is available: A. In which disciplines are most courses offered? (e.g., computer science, information security, etc.)? B. Are there courses offered in disciplines which are not directly related to IT (e.g., business administration, law, etc.)? C. Can the topics be clustered into overall topics or research fields (e.g., hacking, cryptography, IT security, etc.)? Which fields are covered most/least? D. Comparing the countries: Are there any similarities in the courses offered, or any distinctive difference? E. Can the courses be clustered into overall topics? (e.g., hacking, data protection, secure software, etc.) F. Are relevant topics missing in the training which is offered? (maybe this is covered in an organization which is not part of the dataset yet) G. Who is the main audience? (e.g., project Managers, data protection managers, system administrators, etc.) H. Is there some audience which is excluded from the training yet, but should be included? (maybe this is covered in an organization which is not part of the dataset yet) I. Which are the types of organizations that offer the training courses? (e.g. universities, research organizations, consultancies, etc.) J. Comparing the countries: Are there any similarities in the training courses offered, or any distinctive differences? 4.4 Reinforcement from secondary sources We have examined a number of secondary sources focusing on the analysis and recommendations on cybersecurity and privacy education and skills development. Most of the reports we studied focused on Europe, but reports from the States and Canada were also included. The list of materials studied is provided in Appendix I. References and a detailed report for some of these references is presented in Appendix II. Evaluation of some secondary sources. 11

13 5 Results and findings 5.1 Survey findings The data we collected as well as information gleaned from secondary sources permit us to form some impressions about the state of security curriculum. We present some of the preliminary findings under the research questions that we have attempted to answer. We have been aided in these answers by more specific questions we posed to analyse the data collated so far (see below). 1. Are the cybersecurity courses predominantly offered as part of dedicated cybersecurity programs or as individual courses within more general curriculum? The first impression is that there is a lot of fragmentation in the field. Curriculum on core elements in security has been available for a while, either as complete courses or elements of other coursework. In addition to technical courses, cybersecurity social science curriculum in psychology, economics, law, and policy, especially with the focus on privacy, has been developed. While the availability of curricula on some elements of cybersecurity is a positive development, multidisciplinary synthesis of such coursework has remained complicated. Although numerous multi-disciplinary programs emerged, they tend to synthesize either technical or societal subjects. If these two groups of subjects are bridged, according to coursework required for graduation, exposure to cybersecurity subjects outside of the main specialization remains insufficient. 2. Are cybersecurity courses predominantly provided as complete courses or modules within more general security courses? Different education systems in different member states complicated the answer to this question. However, it appears that the inventory of curriculum components includes both complete courses and course modules, with complete courses readily available. Due to the increase in the number of faculties specializing in security, the number of opportunities has increased. However, rigid program requirements adopted at most universities make it hard to quickly introduce new courses associated with degree requirements. The first impression is that there are a lot of technologies, processes and practices designed to protect networks, computing devices, programs and data from attack, damage or unauthorized access. Instead, the predominant type of courses continues to focus on general technical and societal aspects of security and privacy. This approach may not constitute a drawback, since the definitions of cybersecurity are diverse, and the core subjects of this field remain open to interpretation. 3. Does the recognized multidisciplinary nature of cybersecurity come through in the curriculum, or are courses dedicated primarily to one topic (e.g., policy, user psychology, economics, computer & device security)? We have found limited coursework that seriously integrates societal and technical aspects of cybersecurity. Without individual review of all courses or descriptions of the programs provided online and in secondary sources, it is impossible to confirm that at least some multidisciplinary elements are studied in depth. A cursory look at degree requirements where available indicates that either technical or societal specification are the norm, while the integrated skill sets remain rare. Even if such integration is pervasive, it is clear that it is insufficient. The lack of multidisciplinary approaches is the most serious concern we have with regard to available curriculum, on par with the late start of the teaching of concepts associated with cybersecurity literacy. Multiple programs exist, in Europe and beyond, that count multi-disciplinary curriculum in cybersecurity among their most important characteristics. We can name Oxford, Royal Holloway, Vrije in Brussels, and several other schools as homes to multidisciplinary cybersecurity or privacy as evidence of novel mechanisms to introduce multidisciplinary training in core curriculum and avoid one sided specialization, beyond offering social sciences and technology courses alongside each other rather than provide integration of several bodies of knowledge. 4. Is the curriculum taught predominantly in academic departments (e.g., computer science or economics) or in professional schools (law, international relations, and business) or both? Are multi-disciplinary degrees in cybersecurity available? 12

14 Both environments have become reliable sources of training for cybersecurity professionals, although academic preparation remains predominant. Evidence was provided that introduction of cybersecurity curricula is beneficial for academic institutions, especially small colleges and universities. Institutions of this type in the US, for example, reported significant increase in enrolment after being designated a Centre of Excellence 5. The number and maturity of multidisciplinary initiatives remain insufficient. 5. Is there a strong relationship between cybersecurity curricula, awareness programs and training in cybersecurity? We have insufficient data to make conclusions on the existing relationship between cybersecurity curriculum and available information or certification-connected training. The dynamic nature of cybersecurity makes it imperative to forge such a relationship, in order to provide a light-weight mechanism to bring cybersecurity skills up-to-date. Moreover, awareness programs are mostly dispensed at the elementary level, making such a relationship unlikely. 6. Is there a community of practice associated with teaching cybersecurity across EU? Our review of secondary sources indirectly (by lack of consistent events, meetings, or publications) indicates that such a community, if it exists, is not very strong. Although workshops and training sessions are conducted, they do not form multi-year series, and international representation is not consistent. 7. Is there a connection between early preparedness and level of sophistication of cybersecurity classes? There is no direct evidence in favour of this view, since teaching of even minimal cybersecurity subjects has begun very recently. But the experience in other subjects as well as experimental programs offering basic and continuing education in cybersecurity early, e.g., Crescent Girls School in Singapore 6, have led to increased interest in pursuing the subject at later stages in education and, consequently, elevated levels of proficiency. 8. What needs to be done to start teaching cybersecurity concepts as early as the children begin to use connected devices? National educational systems should adopt the way to teach cybersecurity early, starting in elementary schools that works in a country s environment. Like traffic rules that are taught early to improve children s safety, we need to incorporate elements of cybersecurity early, to ensure safety in cyberspace Conclusions drawn from data Collected data Regarding metrics we could specify that after +1 year of existence this map displays 18 countries in Europe with close to 100 entries. Figure 4. List of countries who provided data

15 Figure 5. European Education and Training Map by NIS WG3 and ENISA Experience shows that this crowd sourced collaborative model paid off and the results can be of great support for a user in search for long life learning education. We have started collecting information at the beginning of 2014, and since then, we have acquired some data about a number of programs in a dozen European countries. We are grateful to the volunteers for these contributions (see Acknowledgements). The data we collected were either directly distributed by contact persons from the various countries via , or we collected data from some countries, e.g., by ourselves. In a later state of the process several countries submitted data also via the ENISA online database. Overall,19 countries delivered data regarding cybersecurity education, information on training programs and seminars came from 5 countries. The cybersecurity education database encompasses 418 entries, the training database 197 entries. To keep our database updated with the online database, we currently compared both databases and added entries to ours when we encountered differences. Although the data are not comprehensive, they give us a preliminary view of the curriculum available and general characteristics of such curriculum. The information collected is too sketchy to permit us to compare approaches in different member states at this time, but, with the online database operational, we hope it will be possible in the future. Note that the following data reflect the state of the database as of September Table 1. Data collected so far Country Undergraduate Training Austria + + Belgium Cyprus + + Finland

16 Country Undergraduate Training France Greece + Hungary + + Ireland + + Italy Luxemburg + Netherlands + + Norway + + Portugal + Romania + Serbia + Spain + + Sweden + + UK + + Turkey + 15

17 Figure 6. Numbers of graduate and undergraduate courses per country (snapshot taken in August 2015) Most of the curriculum elements submitted so far come from computer science, computer engineering, information systems, or information management departments. We have scant information on multidisciplinary programs focusing on cybersecurity, although information about these programs is a key part of this project. Information on training programs and seminars come from, Italy, Turkey, Hungary and Belgium. Therefore, the dataset is still incomplete and only gives a first impression. findings Based on the data collected so far, we developed more specific research questions to better understand the data: A. In which disciplines are most courses offered? (e.g., computer science, information security, etc.)? B. Are there courses offered in disciplines which are not directly related to IT (e.g., business administration, law, etc.)? C. Can the topics be clustered into overall topics or research fields (e.g., hacking, cryptography, IT security, etc.)? Which fields are covered most/least? D. Comparing the countries: Are there any similarities in the courses offered, or any distinctive difference? We are now able to provide answers to some of these questions, to illustrate the progress: A. In which disciplines are most courses offered? (e.g., computer science, information security, etc.)? As shown below in Figure 7, most courses are offered in the discipline of computer science with a large distance to the subsequent disciplines, IT security technology, information security, business informatics and electrical engineering. 16

18 Figure 7. Number of Disciplines in which most courses are offered (snapshot taken in August 2015) B. Are there courses offered in disciplines which are not directly related to IT (e.g., business administration, law, etc.)? A few courses are offered not directly related to IT disciplines. The subjects range from business studies and business administration, to law, media related disciplines or mathematics. Even though these disciplines do not represent the overall majority, they demonstrate that the field of cybersecurity has acquired breadths in the last 10 years, and now spans into some fields which are only distantly related to IT and IT security. Training findings Even though the material on training is still limited, we also developed some more specific research questions. For two of them we were able to provide answers so far. Please note that the database for this evaluation is still incomplete and is only based on the five countries which have provided their data yet. E. Can the courses be clustered into overall topics? (e.g., hacking, data protection, secure software, etc.) F. Are relevant topics missing in the training which is offered? (maybe this is covered in an organization which is not part of the dataset yet) G. Who is the main audience? (e.g., project managers, data protection managers, system administrators, etc.) H. Is there some audience which is excluded from the training yet, but should be included? (maybe this is covered in an organization which is not part of the dataset yet) I. Which are the types of organizations that offer the training courses? (e.g. universities, research organizations, consultancies, etc.) J. Comparing the countries: Are there any similarities in the training courses offered, or any distinctive differences? We are now able to provide answers to some of these questions, to illustrate the progress: 17

19 G. Who is the main audience? (e.g., project managers, data protection managers, system administrators, etc.) As displayed in Figure 8 the main audience of the training courses dedicated to cybersecurity are IT security officers/managers, network and system administrators, data protection officers, heads of IT departments, the management level and auditors. Figure 8. Main audience (snapshot taken in January 2015) I. Which are the types of organizations that offer the training courses? (e.g. universities, research organizations, consultancies, etc.) The training courses are offered by private, academic or public research organizations, as well as by some non-profit organizations. Besides universities, the organizations can overall be divided into training centers, consultancies (e.g., business consulting or IT security consulting), IT security service providers or IT security specialists. Insights acquired through the exploratory analysis of data collected so far confirm the importance of data driven education strategies in cybersecurity. Most of the secondary sources evaluated for this report contained limited information about the nature, reach, and composition of concrete cybersecurity programs and course; instead, they relied on literature and related statistics to make conclusions and recommendations. While good ideas can be collected through reasoning and the analysis of the environment, we encourage consistent data collection and analysis in this area, in order to design flexible and broadly applicable strategies for cybersecurity education and skill development. 5.3 Conclusions based on secondary sources We have examined a number of secondary sources focusing on the analysis and recommendations on cybersecurity and privacy education and skills development. Most of the reports we studied focused on Europe, but reports from the States and Canada were also included. The list of materials studied is provided in Appendix II. Evaluation of some secondary sources. The secondary sources used for this report were based on approaches similar to the ones selected for this deliverable. Many authors engaged technologists and academics in providing information about their programs 18

20 and ideas for recommendations and improvements. Some documents used other information to list and analyse available programs from their descriptions. Government reports focusing on skills in cybersecurity used mixed approaches, combining surveys and descriptive data. With one exception, the consensus in the secondary materials was that currently available education programs did not cover the needs for cybersecurity professionals and related skills that exist in industry, academia, and government. The reports noted the corrective actions undertaken by organizations, where professionals in other disciplines acquired cybersecurity skills. These corrective actions were reported as sufficiently pervasive in academia and industry, but insufficient to cover the needs of the government workforce. One report (see below) disagreed with this view and suggested that the only category that was chronically understaffed was at the top of the profession where a combination of multi-disciplinary in-depth knowledge and significant experience is required. While we disagree with this view, we acknowledge that the shortage of cybersecurity workers is especially acute in areas that combine significant responsibility and great diversity of required skills. All the materials that reported trends in cybersecurity education noted significant improvement achieved in the last decade, with increasing numbers of programs and course offerings across most countries. At the same time as the number of the programs grew, international events appeared to bring together cybersecurity curriculum designers. Among the notable events, we can mention those conducted by the cyber education project in the US 8 and ENISA s conference on cybersecurity education to be conducted later this year. Most sources also noted the links between university education and awareness programs, although the nature of those connections remains unexplored. The reports and other secondary sources offer the following insights into the state of cybersecurity skills and education: 1. The secondary sources we reviewed acknowledge the skills shortage for cybersecurity professionals (e.g., UK Government report on cybersecurity skills or RAND report for the US as well as numerous other sources), stressing that jobs remain unfilled because of the lack of qualified professionals. At the same time, they acknowledge significant growth in the education of cybersecurity professionals over the last ten years. a) RAND 9 report concludes that the shortage is predominantly at the high end of the profession and concerns predominantly the federal government, while industry and academia developed avenues to deal with shortage of skills at the high end of the profession through additional education and, in industry, internal promotion. RAND report concludes that the shortage will self-correct through a combination of activities. b) The UK Government report 10 indicates that the skills shortage is connected to the fact that cybersecurity profession is not yet well defined, the view that this group also shares. The activities directed to alleviate the skills shortage include a new GCHQ Certification scheme or accreditation of 11 additional certification programs. Differently from RAND report, this report states that it will take many years and focused programs to alleviate the skills shortage. c) The IBM report 11 on Cybersecurity Education for the Next Generation states that, while the number of cybersecurity programs (under various names) increased significantly over the past ten years, with 160 programs certified as Centres of Excellence in the US alone, the perceptions of a strong skills shortage remain strong, with the growing demand created by government and industry. d) The comparative report 12 on cybersecurity education commissioned by the Australian government attempts to highlight gaps in content in relations to the diversity of the audiences. 2. The sources we examined stress the need for greater level collaboration of government and industry (as the main sources of employment in cybersecurity, and academia, the main source of training)

21 a) While government and academia recognize that jobs go unfilled because of dearth of skilled professionals, survey of academia (quoted in the IBM report) showed that 60% of academics believe training is adequate for the requirements of the workplace. b) While many industry members, including SAP, Microsoft, Intel, ARM, and many other have established programs to support the design of adequate curriculum in security, these efforts remain fragmented and received minimal support from funding agencies in Europe and elsewhere. 3. The sources surveyed for this report highlight the importance of certification and awareness campaigns in shaping the skills of professionals. Because of the nature of cybersecurity as a subject and opportunities for employment, the importance of certifications is increasing. 4. Reports produced in this area acknowledge that the field of cybersecurity is so large and so dynamic, with so many interdependencies, that building a more complete picture and shared context remains a top priority. Otherwise, intrinsic complexity will be an inhibitor for creating stable foundational skills for cybersecurity professionals that could support their continued re-training as the security environment changes. 5. There is no unified view on methodologies. Some reports and academic papers recommend removing cybersecurity curriculum in individual courses while others prefer teaching cybersecurity as course modules inserted in other coursework. 6. The technology community is in agreement on the importance of collaborative exercises and handson work in cybersecurity, and these methods are increasingly used by diverse institutions. 7. There is still a disconnection between the emphasis of theoretical work in cybersecurity and the key problems that are of interest to practitioners. 20