Curry, J. and Bird, D.A. (2018) ‘A case for using blended learning and development techniques to aid the delivery of a UK cybersecurity core body of knowledge’, International Journal of Systems and Software Security and Protection, 9 (2), pp. 28-45.
“Through IGI Global's Fair Use Policy, authors may post the final typeset PDF of their chapter or
article on the author or editor's secure personal website and/or their university repository site.” –
details here.
To access the final work on the publisher’s site go to http://dx.doi.org/10.4018/IJSSSP.2018040103
ResearchSPAce
http://researchspace.bathspa.ac.uk/
This version is made available in accordance with publisher policies.
Please cite only the published version using the reference above.
DOI: 10.4018/IJSSSP.2018040103
International Journal of Systems and Software Security and Protection, Volume 9 • Issue 2 • April-June 2018
Copyright © 2018, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.
A Case for Using Blended Learning and Development Techniques to Aid the Delivery of a UK Cybersecurity Core Body of Knowledge
David A Bird, Learning and Performance Institute, Coventry, UK
John Curry, Bath Spa University, Bath, UK
https://orcid.org/0000-0003-2872-0678
ABSTRACT
This article explores the UK’s current approach in addressing the cybersecurity skills gap championed by the National Cyber Security Strategy. There have been progressive and elaborate steps taken in the UK toward professionalization of the cybersecurity field. However, cybersecurity knowledge has been labelled as inconsistent when a cybersecurity Chartered status is being proposed. The objective of this analysis was to apply an academic lens over the UK’s voyage towards the establishment of a cybersecurity profession. It has been an ambitious but complex endeavor that at times has had alterations of course. Learning from this experience, a blended learning and development approach is now recommended underpinned by an overarching core knowledge framework. Such a framework could join up the existing silos of learning and development activities to benefit from, and build upon, a coherent core knowledge-base for the community. It is argued that this will provide a more satisfactory outcome to enhance the UK’s cybersecurity capability on the road to a cybersecurity profession.
KEYWORDS
Blended Learning Approach, Core Knowledge Framework, Cybersecurity, Learning and Development, Strategies
1. INTRODUCTION
In 2011, the United Kingdom (UK) Government set out their stall by predicting the need to increase cybersecurity skills and expertise in line with their Cyber Security Strategy. It was also decreed that education and training providers should heed this prediction. The main aim then was to counter the effects of cyber-crime, which required specialist training in order to meet an increased skills demand (Cabinet Office, 2011). In 2013, the Harvard Business Review stated that education was a catalyst, and enabler, for cybersecurity and called upon academic institutions to share cybersecurity best practices and curricula (Viveros, 2013).
The comprehensive International Information Systems Security Certification Consortium ((ISC)²) survey of 2015 stated that 63% of private sector organizations did not have enough cybersecurity staff in the UK (Grout, 2015). In the same year the Chancellor laid out the cyber-crime threats to the UK economy (Osborne, 2015). He labored the point that cybersecurity should be embedded at every stage of the education and training process, so the next generation will be able to keep Britain safe in cyberspace. By the next iteration of the Cyber Security Strategy in 2016, it was stated that there were still insufficient skills in cybersecurity and that the public lacked cyber awareness. The UK Government subsequently set their intention for collaboration in training and education across the target audience in the public and private sectors (Cabinet Office, 2016). This was a part of the continuing agenda taken by UK Government to make Britain the safest place in cyberspace championed by the Department for Digital, Culture, Media and Sport (DCMS) (2017) and the National Cyber Security Center (NCSC) which is a part of the Government Communications Headquarters (GCHQ). A number of approaches to enthuse adolescents were spawned and aimed at refocusing of attitudes leading to a cybersecurity curriculum (Williams, 2017).
There is a myriad of certifications categorized by the Institute of Information Security Professionals (IISP) ranging from vendor-based, those aimed at role competencies, broad certifications and those provided by academia (Finch & Furnell, 2018). However, there are advantages and disadvantages with professionalization. From a USA perspective, Schneier (2013) has discussed openly that popular certifications used as a form of entry into cybersecurity run the risk of becoming obsolete; and need to be maintained using Continuous Professional Development (CPD). Interestingly, Nepal (2018) has stated that in Australia cybersecurity tools have not reduced the demand on cybersecurity experts, but actually increased demand for more cybersecurity specialists. In tandem, the cybersecurity skills shortage in the UK increased to 66% by 2017 (Cox, 2017). The 2018 edition of Information Systems Audit and Control Association (ISACA) ‘State of Cybersecurity’ report stated that of the 60% of organizations who had open jobs in cybersecurity, 54% of positions took over three months to fill (GoCertify, 2018); it was suggested that the skills gap was actually widening (ISACA, 2018). Consequently, demand for expertise and skills is driving up cybersecurity salaries in the UK (McDonald, 2018) and making them comparable to more established and recognized professions.
Additionally, there have been endeavors to increase cybersecurity awareness in organizations (Palmer, 2016) and the wider populace of the UK; this follows a similar agenda to the USA (Morgan, 2017). However, awareness should only be the start of making people mindful about the cybersecurity risks (Beyer et al., 2015). There are other diverse and relevant skillsets within the Information Technology (IT) industry such as system designers and developers along with system managers and system administrators who are also important in cybersecurity. All these roles require better cybersecurity awareness and the right culture to ensure that security is an important criterion in the development, implementation and maintenance of new systems. According to a survey by Harvey Nash and PGI (2016) the creation of a security-aware culture has been the most critical yet lacking action in the past.
However, to fill the cybersecurity skills shortage there has been a concerted push aimed at practitioners working in the cybersecurity discipline across many specialist fields – ranging from risk management consultants to penetration testers to security analysts in security operations centers. Existing learning options and methods for establishing qualified practitioners in cybersecurity have been developed in isolation of each other and as a result are fragmented. While they contribute to a career outcome, the disparate development and delivery techniques are not joined up. It is surmised that a study is needed to qualify the cybersecurity foundational knowledge and determine the best relevant learning options to achieve a holistic approach. That is, which mix of online learning, lectures, vocational and practical applications and competition options could fill the skills gaps in a more efficient manner; and how can they be integrated into schools, academia and certifications in order to strengthen a defined career pathway?
In principle, this errs towards a reason to implement a mixed-mode learning approach of blended-learning techniques and experiences (Great Schools Partnership, 2014). Traditionally used across training and education, blended learning is normally associated with learning-at-a-distance and on campus lectures (Pop, 2018). However, in this context blended learning and development is aimed at the next dimension to enable a hybrid learning-delivery model (Great Schools Partnership, 2014) that crosses the cybersecurity role divide in support of the overall agenda championed by the Cyber Security Strategy.
2. BACKGROUND
There are a number of diverse training, education and professionalization agendas concurrently underway in the UK to fill the cybersecurity skills gap – some are already established such as certifications and others are evolving such as professionalization. In 2015, the report entitled the ‘State of Cybersecurity: Implications for 2016’ stated that nearly 65% of applicants applying for entry-level cybersecurity jobs lacked the requisite skills to perform the job roles that they were seeking (ISACA, 2015); by 2017 37% of respondents declared that fewer than one in four had the qualifications needed to keep their organization secure (ISACA, 2017). Within the report skills development statistics were attributed to the following areas (from the highest to the lowest): (a) 86% was based around on-the-job training, (b) 63% through training and certifications, (c) 38% through certifications around performance-based assessment, (d) 27% through third-party training providers, (e) 16% through formal education, and (f) 5% through competitions. In addition, the recent UK Cybersecurity Breaches Survey indicates that cybersecurity training statistics in business are: (a) 76% of training is for managers, (b) 30% for IT staff, (c) 26% for cybersecurity specialists and (d) 25% for all other staff (DCMS, 2018); denoting that the specialists purportedly filling a key skills gap are trained no more frequently than other staff members.
The next section provides a case-study that articulates the UK’s approach to addressing the cybersecurity skills gap. The chronology of the disparate training, education and professionalization efforts is ordered in line with the previous arguments from the paragraph above.
2.1. Staff Training
Training, education and awareness have been considered as part of the legacy UK Government Information Assurance (IA) Maturity Model (IAMM); it was developed by the former Communications Electronic Support Group (CESG) (CESG, 2015) that has now become the NCSC. During its time the IAMM was regarded as best practice for public sector organizations to aspire to. It was also a statement on the ability of any adoptive organization to implement an appropriate information security regime (Office of National Statistics, 2011). However, over time the IAMM became dated and its relevance blurred, so from 2018 it is no longer formally supported (Anne W, 2018a). From a public awareness perspective, in 2016 a Massive Open Online Course was designed and implemented by academia and promoted by the former UK Government’s department called Business, Innovation and Skills, now known as DCMS. It has been awarded Certified Training (CT) status by GCHQ and is recognized by bodies like the IISP for its content adequacy (IA Advisory Council, 2016; Open University, 2018).
2.2. Certifications
2.2.1. Traditional
Information security certifications have been the longest reigning entry point for practitioners to become qualified in the cybersecurity domain. Various popular brands emanating from the USA tend to follow in popularity terms within the UK. Four certifications are prominent on both sides of the Atlantic (DeGroat, 2018; Tittel & Lindros, 2018; Afifi-Sabit, 2018; Mashable UK, 2018):
• Certified Ethical Hacker
• (ISC)² Certified Information Security Systems Professional (CISSP)
• CompTIA Security+
• Certified Information Security Manager
These certifications target penetration testers, IA practitioners and managers and currently fall under the generalist category of certifications. There are other UK exams provided by the British Computer Society (BCS) (2018), the Centre for Research and Evidence on Security Threats (CREST) (CREST, 2018a) and courses that are endorsed by the IISP (IISP, 2018). The CREST accreditation and certification body not only provides offerings in the cyber defense area but also in the penetration testing field. The SysAdmin, Audit, Network and Security (SANS) Institute provides a plethora of role-based certifications and is well known for its Global IA Certification. Within the computer network defense realm, SANS certifications are highly prized in the USA and in the UK. Additionally, SANS is an accredited partner of UK Government organizations and offers training academy options (SANS, 2018).
Under the current Cyber Security Strategy, the NCSC has implemented a CT approach that recognizes core training of non-academic course materials and the training delivery from training providers. The logic behind this approach is that the certification of training providers validates the quality of the training as being of an adequate standard (NCSC, 2018a; NCSC, 2018b). These courses can lead to an exam component of popular brands of exam-based certifications previously listed.
2.2.2. Competency-Based
Competency-based certifications have become popular in the UK. Offensive Security Certified Professional (OSCP) (Wikipedia, 2018) is popular for the penetration testing (Pentest) discipline in the USA and has become so in the UK as well. For Pentest practitioners operating in the UK public sector, additional qualifications centered around CESG’s CHECK initiative are required. CHECK Team Member and CHECK Team Leader qualifications are available through the Tigerscheme (Tigerscheme, 2018) and CREST (CREST, 2018b) as a comparable qualification to the CHECK Team Member. In addition, through a set of eligibility criteria, CREST offers CREST Registered Tester equivalency for practitioners holding the OSCP certification not only in Australia and New Zealand, but also in the USA (CREST Australia, 2017).
For IA consultants working in the public sector, the UK Government originally levied a requirement for the Infosec Training Paths and Competencies certification. Subsequently, the method of proving demonstrable competencies changed to the Cybersecurity Certified Professional (CCP) scheme (CESG, 2016) that was founded in 2013 (Stevenson, 2013). The CCP scheme standard was originally developed by CESG and is underpinned by the IISP Skills Framework (MacWillson, 2017); a framework that had been corroborated with public sector representatives, academia and industry security leaders (Kleinman, 2018). The CCP scheme is presently administered on behalf of NCSC by three selected Certifying Bodies. The scheme is defined by different role types and various grades within those roles, which was purported to have rectified a criticism of the fore-runner – the CESG Listed Advisor Scheme (CLAS). CLAS was established in 1999 and had originally been proposed as a one-size-fits-all risk assessment and management scheme to support government departments and agencies adopt centralized government focused networks (Bada et al., 2016).
2.3. Professionalization
2.3.1. Government Orientated
The UK Pentest market for the public sector was standardized firstly under the CHECK scheme (NCSC, 2017a) and the status is attributed to a particular company who has reached the threshold number of qualified Pentest staff. It has been so successful that this approach has been heralded as a good example of a professionalization scheme (Knowles et al., 2016). Originally IA consultancy in the public sector was focused around the CLAS membership (Bada et al., 2016). Over time CLAS had grown beyond its original remit and consultants diversified into many different IA skill camps – not just spanning risk assessment, but also including IA Architecture, Auditor and Accreditor roles too. Subsequently, after a period of consultation, CLAS was dissolved in 2015 in favor of the Certified Cyber Security Consultancy format (Milligan & Rajab, 2015) following a similar approach to the CHECK scheme; again, attributing the status to a company and not any one individual (NCSC, 2016). To be a part of the certified consultancy scheme at least one head consultant must be appointed who has to hold a recognized certification or qualification type (NCSC, 2018b) and be interviewed by NCSC.
2.3.2. Community Related
In the past few years there has been a desire to introduce a cybersecurity Chartered status (Dallaway, 2017; Finch et al., 2018). It was initially thought that this could be conveyed through a chartered institution, but a recent consultation headed by DCMS is veering towards an independent body to ensure that standardization occurs (DCMS, 2018; Chris E, 2018). The UK Government approach is erring towards an independent Cyber Security Council that could act as an umbrella organization of existing professional bodies (Chris E, 2018), similar in function to the UK’s Engineering Council and it could ensure that professionalization will follow against a centralized Cyber Security Body of Knowledge (CyBOK). CyBOK itself has been developed as part of the National Cyber Security Program, and advocated as a body of knowledge to distill knowledge orientated around specialisms – these are currently being ratified one-by-one (Rashid et al., 2018).
2.3.3. Professional Bodies
Simultaneously, some of the UK’s Chartered professional bodies such as the British Computer Society, The Security Institute, and the Institution of Engineering Technology have combined with other professional bodies to jointly take the initiative on influencing the direction of the cybersecurity profession. These bodies, with other collaborating organizations, have formed the Cyber Security Alliance that also includes the Institute of Analysts and Programmers, the Chartered Institute of Machinery and Control, CREST and (ISC)² (CREST, 2018c). The remit of the Alliance is to benchmark shared standards for excellence, skills and capabilities, developing a pipeline of expertise to advise and inform national policy and contribute towards the cybersecurity profession. It is sensible and crucial that the wider community is engaged to establish, develop and recognize additional cybersecurity skills in a consistent and impartial manner.
2.3.4. Skills Diversification
Similarly to the US, the UK has recognized that other skill diversities should be included in the cybersecurity fraternity (Oesch, 2018). The cybersecurity community has been keen to differentiate itself as being gender neutral by encouraging more women into this developing profession (Thomas, 2018). There has also been a concerted effort to promote cybersecurity as an option for reskilling or enhancing the skills of military veterans (Nicholls, 2018). Acceptance of disparate skills into the cybersecurity community is now being actively encouraged and other skills groups are now also being represented (Jones & O’Neill, 2017).
2.4. Schools and Higher Education
There are increasing opportunities in the cybersecurity industry for the younger generation of all genders. The introduction of a cybersecurity curriculum is a positive step for children and adolescents. In pre-university education a new technical version of the Advanced Level qualification has been introduced called a T-Level (Ryan, 2018); this follows the success of an Advanced Subsidiary Level equivalent course which is a pre-cursor to the higher T-Level and was developed as an Extended Project Qualification in cybersecurity (The Engineer, 2016). The UK Government’s CyberFirst three-year bursary scheme is aimed at Science, Technology, Engineering and Mathematics (STEM) undergraduate students (TheBigChoice.com, 2018). STEM education is being used to fill the skills gap spanning the next 20 years. STEM follows on from the USA STEM initiative (US Department of Education, 2018) to encourage students into shortage area categories. CyberFirst followed as a degree apprenticeship and has the aim of kick-starting careers in cybersecurity reinforced by work experience placements (Murphy, 2017).
2.5. Academia
There is a plethora of universities in all corners of the UK offering courses that contribute to named cybersecurity degrees. In order to distinguish excellence and nurture growth of the UK’s cybersecurity capability, the NCSC has introduced their university degree certification scheme that offers a wide selection of career options and topics for graduates (NCSC, 2018c). This follows a similar approach to the USA (Cyber Security Education, 2018). Originally initiated through master’s degree certifications, it is part of the effort to raise the bar for cybersecurity skills in the UK. Universities are able to apply for assessment against the scheme through their demonstration of cybersecurity content quality, quantity of doctorates being undertaken, and critical mass of academic staff engaged in leading-edge cybersecurity research (NCSC, 2018d). These universities form the Academic Centers of Excellence (ACE) (Parr, 2014; SC Magazine, 2014). Following on from this successful implementation, NCSC are now certifying undergraduate degrees. Academic Centers for Doctoral Training have now been formed in the UK – themselves drawn from the ACE endorsed universities (NCSC, 2018e). The list of ACE universities is maintained by NCSC and updated when new universities are appended to the list (NCSC, 2018f).
2.6. Competitions
A number of initiatives over the past few years have used gaming to increase student engagement. They have been used to spark the interest of adolescents and entice them into thinking about a career in cybersecurity. The most well-known event is the Cyber Security Challenge, which in itself has drawn in supportive competitions such as CyberCenturion from the USA (Cyber Security Challenge, 2018a) and Capture the Flag activities (Cyber Security Challenge, 2018b). In a similar vein the SANS Institute also runs its Cyber Discovery events in the UK (Diggins, 2018). These events and competitions follow a similar format to simulate or emulate cyber-attacks under controlled conditions. The participants are usually broken down into two teams: Red (attacker) and Blue (defender). The Cyber Security Challenge has a further tie in with the current UK Government strategy by promoting CyberFirst (Cyber Security Challenge, 2018c).
3. ARGUMENT FOR BLENDED LEARNING AND DEVELOPMENT
3.1. Discussion
Cybersecurity threats are growing in scale and effectiveness (Bird, 2015), but user awareness is a key defense (Embers, 2018). A recent massive phishing campaign has revealed the scale of the problem by targeting the USA, UK and Europe (Abel, 2018; Paganini, 2018). Reportedly, IT workers, especially millennials, are most susceptible to falling for impersonation fraud disseminated by email (Dunn, 2018). Not surprisingly this is related to the bombardment of emails with malicious intent – one in a hundred emails are a hacking attempt (Palmer, 2018). However, research estimates that 88% of UK data breaches are caused by human error, rather than by cyber-attacks (Ismail, 2018).
In effect a user’s judgement whether to click that malicious link can be impaired by their busy day, absentmindedness or laziness – this problem affects both sides of the Atlantic (Tucker, 2018). In response the NCSC has decided to use technical measures to counter email spoofing in the public sector through the introduction of Domain-based Message Authentication, Reporting and Conformance (NCSC, 2017b; NCSC, 2018g). In addition, it has been identified that the education sector needs to continually invest in order to protect its networks (Kennett, 2017). For the public and private sector, technical measures need to be supplemented by explicit and implicit knowledge to facilitate effective learning (Stephanou & Daganda, 2008). However, people’s attitudes and their receptiveness to awareness training is also a factor and education should be used to influence the conditioning of human behavior (Higbee, 2017). Not only that, people need to believe in the application of information security (Olusegun & Ithnin, 2013). Furthermore, effective training and learning campaigns need to be meaningful to change people’s behaviors (Alexander et al., 2013).
Collaboration between academia and industry has been recommended through research conducted by the University of Westminster and includes considerations from social science (Trim et al., 2014). Although there is commonality of underpinning technical aspects, there is a perspective and paradigm shift needed to provide adequate cybersecurity training and education (Stilgherrian, 2018). The scale of the need for cybersecurity understanding extends to the use of the cloud which could be utilized by public and private sectors and the general public alike (Adams, 2017). Effectively, people require a mind-set change to avoid cybersecurity efforts being undermined. The Australian Computer Society (2016) recognized the fact that the employment of cybersecurity professionals and the training of key IT staff and managers should form part of an organization’s cybersecurity readiness.
Traditionally, the cybersecurity industry demanded a badge – a qualification or certification as short-hand proof of competence and a lot of emphasis was placed on the right certification (Balaji, 2018). Some practitioners entered the IA world by carrying out self-learning and self-funded examinations to become established on the career ladder. Ten years or so ago this was an acceptable approach, where the community tended to operate under a self-help mind-set (ZDNet, 2007). With learning and development companies all vying for market position, it might be tempting for previous information security courseware to be rebadged under the cybersecurity banner. That is why the NCSC have taken the approach to vet cybersecurity providers and universities in an aligned way to meet the UK Cyber Security Strategy agenda.
Most of the classic certification examinations have either been fully or partly fulfilled by the use of multiple-choice question and answer constructs. While some certifications do require a number of years’ experience as a prerequisite to take certain examinations, multiple choice exams have been criticized as not necessarily demonstrating an adequate level of skills competency (Such et al., 2015) and only show a candidate’s knowledge retention capability. Debatably a key proponent of multiple-choice exams is a candidate’s awareness of the certification body’s exam techniques by practicing sample questions. Conversely, it would appear - depending on the topic being examined - CREST provides a combination of practical examinations, short essay and multiple-choice examination question types. OSCP is also renowned as a very reputable means of qualifying within the Pentest discipline in the private sector due to the rigor of the practical examination component. However, Coventry University has proposed that a case-study based learning approach might be more beneficial (Hendrix et al., 2016) and this is especially pertinent to gaming.
While the options in the previous section provide pieces that can contribute to a whole, CT badged courses and ACE degrees do provide extrinsic assurance that training companies and academic institutions are credible in specific cybersecurity spheres. This is especially pertinent with calls for cybersecurity to be opened up to other non-traditional information security skillsets like developers for example (Jones & O’Neill, 2017); where a cultural change is required toward secure implementation considerations in software development (Bird, 2017). As a case in point, the upsurge in the use of Internet of Things (IoT) technologies was an opportunity to reevaluate cybersecurity considerations. Notwithstanding the limitations of sensor compute and power draw, IoT has questionably become an antonym to best information security practice; that is, fundamental flaws are being introduced through the misconfiguration of IoT assets (Allen, 2018). Perhaps this is why the CyBOK is placing some prominence on initially tackling cryptography and software security considerations.
3.1.1. Identified Challenges
The intent of the CCP was to remedy some of the deficiencies of the CLAS scheme and become the de facto certification for the cybersecurity industry in the UK (McKinnon, 2012); it was subsequently recognized in Europe as providing good cybersecurity practice (International Telecommunications Union, 2014). However, even though CLAS was identified by academia as a mature scheme (Such et al., 2015; Bada et al., 2016) a decision was made to phase it out in a bid to purportedly strengthen the quality of consultancy for government customers and achieve a better match for government customers using the right expertise (WIREDGOV, 2015). In 2018 the NCSC reaffirmed their continued support for the CCP albeit there is recognition that specialisms should be introduced over the existing roles format; the NCSC has provided a commitment to transition the scheme for alignment with CyBOK (Anne, 2018b).
However, there exists a conundrum between qualifications and competencies; this has already been tested through various schemes such as CLAS and CCP. Inconsistencies and fragmentation of knowledge has been levied as a criticism by Industry and this is reinforced by the DCMS public consultation (Such et al., 2015; Jones & O’Neill, 2017). CyBOK is an opportunity to provide a foundational and measurable knowledge (University of Bristol, 2018) facilitated by the valued contribution of other professional bodies and institutions. That said, the change in direction towards a core body of knowledge provides an opportunity to define a centralized framework of delivery for the cybersecurity disciplines (Jones & O’Neill, 2017). The disparity of existing cybersecurity training and education efforts has been assimilated and illustrated in Figure 1.
So, before the UK commits to introducing yet another scheme, such as the proposed Chartered status, there is potentially a need to go beyond CyBOK and build a Core Knowledge Framework (CKF) of criteria; distilled across future school curricula, training courses, degrees that is so widely ranging it influences our social-technical culture; this would be a move towards what could be considered an unequivocal underpinning knowledge-based approach. Burnap (2018) has stated that there is presently no clear pathway for cybersecurity compared to other engineering disciplines. The implementation of a CKF would be considered a truly holistic education initiative to remedy his concern. Therefore, there is a case for considering how knowledge transfer will be conducted to maximize knowledge retention and to assist in future practitioner knowledge development; enabling individuals to be fulfilled and progress in a more rounded cybersecurity career. So, the question is how this could be implemented?
Figure 1. Knowledge fragmentation, silos and inconsistencies
3.2. Defense Systems Approach to Training Exemplar
The Defense Systems Approach to Training (DSAT) is a methodology that provides a complete framework for the analysis, design, delivery and assurance of training provided for the UK Ministry of Defense (MOD) (MOD, 2017a). It is recognized by the Public Sector and applied by consultancies undertaking public sector contracts. Therefore, it is familiar to both public and private sectors and academics in the defense industry. DSAT is best practice for the identification of training objectives, the design and development of training courseware and its oversight across the MOD. A key consideration of DSAT is blended learning as it is defined as:
The most appropriate mix of Methods & Media which may include both traditional means, such as face-to-face in a classroom, and the use of modern learning technologies whether centralized or distributed. (MOD, 2017a)
Blended learning - as stipulated by DSAT - is traditionally applied as a mix of instructor-led training combined with the use of virtual learning environments (MOD, 2017b). Even with the introduction of CyBOK, it is proposed that a wider knowledge framework needs to be envisaged for a truly integrated professional framework. This could be an extended version of CyBOK or CyBOK and could be the first stage towards a coherent CKF. The UK could learn from the USA’s recognition that collaborative approaches in learning and development are beneficial (Williams, 2017). Reinforcing the point that mixed methods and techniques are needed for the delivery of training and education and these should be core components of a CKF. It is proposed that the CKF should be underpinned by the principles of blended learning, which could be adopted across a wider spectrum to inform the cybersecurity community learning and development strategy. Blended learning and development as a hybrid learning-delivery model could be used to join up existing silos of disparate development and delivery techniques previously highlighted in the background section. As a mechanism of delivery, a blended approach moves towards a fully integrated knowledge in practice approach and could act as the pillars to support the cybersecurity profession.
3.3. Blended Learning and Development Proposal
Based around a standardized and embedded CKF, where the stakeholders are working from an agreed structure, the relevant functional training and learning needs of the cybersecurity profession will be able to be discerned. This would enable the development of relevant and appropriate training and education delivery. The CKF should be interpreted and integrated at various levels of complexity and detail depending on the knowledge level implemented; for example, there are obvious differences in the depth of knowledge applied at the school level and to that at post-graduate degree standard.
Through past lessons learned, any irregularities and subjectivity would need to be identified and removed to avoid repetitions of past inconsistencies. Therefore, it would be necessary for learning objectives to be applicable as assessment criteria and be structured in a stable format; but a CKF must also be able to evolve by taking account of any changes, enhancements and amendments of knowledge in a controlled and non-deprecating manner. Specialisms have been identified as a relevant approach for undergraduate curricula by Marymount University in the USA (Bicak, 2015). The proposed Chartered status approach also endorses such an approach. However, it is not all about the up-and-coming cybersecurity generation; in order for professionalization endeavors to be successful, the knowledge and skills of individuals already active in cybersecurity need to be drawn upon as well (Swain, 2014). There should be some emphasis regarding on-the-job training, mentoring by experienced cybersecurity practitioners and awareness from attending cybersecurity conferences.
Avarietyofblendedlearningtechniquesarerequired toavoidprohibitingdifferent learningstylesbymembersofthetargetaudienceandlimitingchoice;somepreferacademia,someprefervocationalapproaches,andsomeprefercertifications.However, theCKFneeds tobeembedded
and integrated across all areas of training and education; learning objectives from existing training and academic courses could be mapped against CKF criteria by the requisite training and education bodies in order to prove their correlation and relevance. The cybersecurity community should learn from the qualifying examinations implemented by CREST, OSCP and other information technology vendors who require both practical and demonstrable knowledge application. Social constructionism would be useful as it reconstructs knowledge by using an experiential method of real-world contexts, read in order to apply learning techniques to remedy specific problems (Martin-Brown, 2018); it is purported to be a step away from direct instruction techniques and could be a method that is relevant for cybersecurity knowledge transfer and reinforcement learning (Veseli, 2011).
It has been recognized by the Institution of Education at the University College London (2001) that learning can enhance performance, but conversely just focusing on performance can actually hinder performance itself. Therefore, the overall experience of professionalization for individuals must be progressive and provide obvious reward. Even though competency assessments will be required for the proposed cybersecurity Chartered status, it should not be a recycling of skillset reaffirmations already experienced through previous professionalization scheme changes. As a career pathway, initially underwritten by CyBOK, it needs to remain relevant. Therefore, CyBOK could in time be expanded further and developed into a CKF for the delivery of theory, practical skills application, and competencies applied in context on behalf of the profession; and would need to be constantly adaptive and expansive as shown in Figure 2. The enabler behind this CKF is blended learning and development, which can be tuned to hone the skills of practitioners and benefit the cybersecurity profession in a cyclical manner influencing the teaching of the national curriculum, training and education, academia and institutions by vocation. The cybersecurity profession, as a future career pathway, would also propagate demand in a ripple effect to inspire schools, push training companies, encourage industry involvement and generate a demand for further research efforts. Without this type of approach, the adoption and recognition of a cybersecurity profession would be limited, thereby affecting its reputation and potentially digressing from the main aim of establishing a proficient cybersecurity capability.
Figure 2. The influencing effects of blended learning and development
The ratios and depth and breadth of learning styles ranging from academic, vocational, practical and competitive approaches to attain the requisite knowledge under a CKF are yet to be discerned from a much-needed study. Crucially, wider information technology community engagement is required to adopt a blended training approach in order to establish the vision for a successful holistic framework.
4. CONCLUSION
The more recent UK Government cybersecurity agenda is undoubtedly a step in the right direction to cultivate cybersecurity as a profession. This is very positive and provides more career opportunities under the cybersecurity banner than before. The road towards professionalization has been an audacious journey and the UK Government’s agenda has been purposeful. The NCSC has played an influential role in navigating the profession towards a future state. However, there have been some issues on the path towards the UK’s cybersecurity profession; a change in direction along the way has resulted in a reputable scheme being wound up and thereby springboarded the UK cybersecurity profession onto the next step. On that basis, the evolution towards a professional pathway is erring towards CyBOK and a Cyber Security Council fulfilling a regulatory-type function. Any new Chartered status profile should also be informed by the undisputed and valuable contributions by the Cyber Security Alliance. It is important for the Cyber Security Alliance to be involved along the way and it should not be seen to be in competition with the UK Government agenda. Rather, each should complement the other in a collaborative manner to create a viable and robust framework for the cybersecurity profession.
A Cyber Security Council is perceived to be the mortar to form a firm structure to help people progress in their cybersecurity career and to provide confidence that a career in cybersecurity is fulfilling. Training and education institutions and bodies see the cybersecurity training and education market as very lucrative. Existing training courseware and education regimes, as stated in the background section, individually contribute towards this strategy; however, individually they are not the totality of knowledge comprehension but can contribute to the sum of cybersecurity understanding; this can be mapped against qualifying criteria for a holistic framework. The proposed CKF should be a wide-reaching amalgamation of knowledge objectives and thereby influence the entire training and education community. In a similar vein to the science and engineering professions, base principles need to be applied ranging across the school curriculum, through high school to graduate and post-graduate level. It must also influence certifications and competency orientated career routes such as Chartered status to ensure the future cybersecurity profession has a fully rounded knowledgeable recipe for success. Whether the CKF concept is an extension or derivation of the CyBOK or whether the CyBOK is a step towards a more coherent CKF will only be discerned from future analysis. But what is important is that there is a concerted effort between academia, industry and government to achieve a common goal of formalizing the profession.
Although there is a desire to jump onto the cybersecurity bandwagon, there needs to be buy-in by the wider target audience, a desire and mind-set change for an effective standardized structure that will be applicable to develop their career. This has already started with the NCSC stating that the following are expected to demonstrate foundation knowledge: (a) NCSC certified degree, (b) full membership of the IISP meeting their core competency criteria that underpins the CCP scheme in its current form, and (c) holding a CISSP and continued membership of (ISC)² (NCSC, 2018h); these are being mapped as a step towards rationalizing the CCP scheme for alignment with CyBOK. That said, it is recommended that we build upon this positive first step of establishing CyBOK cybersecurity specialisms and implement a wider CKF to augment the CyBOK initiative to aid knowledge and skills enhancement.
With a global deficit of three and a half million cybersecurity job openings by 2021 (Stephenson, 2018), from a UK perspective a blended approach for learning and development could be used to fill the gaps and join up existing silos of training and education activities based upon a common CKF. The CKF could be a key contributory factor towards shaping the new proposed profession and facilitate
cybersecurity knowledge and skills intelligence in the UK. It is argued that this is a crucial element of learning and development and the new proposed Chartered status is only part of the puzzle. To flourish, the CKF and subsequent blended learning and development implementations must also be recognized as a credible exemplar - in order to achieve buy-in from the majority of diverse stakeholders within the cybersecurity community - and thereby sustain the cybersecurity capability within the UK.
ACKNOWLEDGMENT
It is recognized that the NCSC has been crucial in steering the UK’s cybersecurity training agenda, while other professional bodies and institutions have also provided leadership in the area of cybersecurity.
REFERENCES
Abel, R. (2018). Massive phishing campaign targets half a billion users in the first quarter 2018. Retrieved from www.scmagazine.com/massive-phishing-campaign-targets-half-a-billion-users-in-the-first-quarter-2018/article/761541/
Adams, C. (2017). IT Training Choices in a Fast-Paced World. Retrieved from https://www.zdnet.com/article/it-training-choices-in-a-fast-paced-world/
Afifi-Sabet, K. (2018). A guide to cyber security certification and training. Retrieved from http://www.itpro.co.uk/careers/28212/a-guide-to-cyber-security-certification-and-training
Alexander, D., Finch, A., & Sutton, D. (2013). Information Security Management Principles. Swindon, UK: British Computer Society.
Allen, T. (2018). There is a massive hole in IoT security, says Avast researcher. Retrieved from https://www.computing.co.uk/ctg/news/3061282/there-is-a-massive-hole-in-iot-security-says-avast-researcher
Anne, W. (2018a). Maturity models in cyber security: what’s happening to the IAMM? NCSC. Retrieved from https://www.ncsc.gov.uk/blog-post/maturity-models-cyber-security-whats-happening-iamm
Anne, W. (2018b). Our commitment to the CCP scheme. Retrieved from https://www.ncsc.gov.uk/blog-post/our-commitment-ccp-scheme
CREST Australia. (2017). OSCP and CRT Equivalency. Retrieved from https://www.crestaustralia.org/certification_crt_equivalency.html
Australian Computer Society. (2016). Cybersecurity Threats Challenges Opportunities. Australian Computer Society.
Bada, M., Arreguín-Toft, I., Brown, I., Cornish, P., Creese, S., Dutton, W., ... & Roberts, T. (2016). Cybersecurity Capacity Review of the United Kingdom. Oxford University, UK: Global Cyber Security Capacity Centre.
Balaji, N. (2018). A Perfect Way to Start and Strengthen Your Cyber Security Career. GBHackers. Retrieved from https://gbhackers.com/a-perfect-way-to-start-and-strengthen-your-cyber-security-career/
BCS. (2018). Qualifications and certifications. Retrieved from https://www.bcs.org/category/5677
Beyer, M., Ahmed, S., Doerlemann, K., Arnell, S., Parkin, S., Sasse, M. A., & Passingham, N. (2016). Awareness is only the first step. Hewlett Packard, UK: Hewlett Packard Enterprise Development LP.
Bicak, A., Liu, M., & Murphy, D. (2015). Cybersecurity Curriculum Development: Introducing Specialties in a Graduate Program. Information Systems Education Journal, 13(3), 99–110.
Bird, D. (2015). Forewarned is Forearmed: Combating the Insider Threat. UK: CyberTalk Magazine.
Bird, D. (2017). Prevent a menace from lurking within. UK: CyberTalk Magazine.
Burnap, P. (2018). Industry Panel. In Proceedings of 11th International Conference on Security of Information and Networks. Cardiff University, UK.
Cabinet Office. (2011). The UK Cyber Security Strategy: Protecting and promoting the UK in a digital world. London, UK: Crown Copyright.
Cabinet Office. (2016). National cyber security strategy 2016-2021. London, UK: Crown Copyright.
CESG. (2015). The Information Assurance Maturity Model and Assessment Framework. Cheltenham, UK: Crown Copyright.
CESG. (2016). CESG Certification for Cyber Security/IA Professionals. Cheltenham, UK: Crown Copyright.
Chris, E. (2018). Developing the cyber security profession – have your say! NCSC. Retrieved from https://www.ncsc.gov.uk/blog-post/developing-cyber-security-profession-have-your-say
Cox, J. (2017). UK faces dramatic cyber-security skills ‘cliff edge’ and is chronically underprepared for hacker attacks, study finds. The Independent. Retrieved from https://www.independent.co.uk/news/business/news/uk-cyber-security-skills-cliff-edge-under-prepared-hacker-attacks-study-multinationals-government-a7578091.html
CREST. (2018a). Assurance in Information Security. Retrieved from https://www.crest-approved.org
CREST. (2018b). CREST Registered Penetration Tester. Retrieved from https://www.crest-approved.org/examination/registered-tester/index.html
CREST. (2018c). Collaborative Alliance of Organisations Announced to Advance the UK’s Cyber Security Profession. Retrieved from https://www.crest-approved.org/2018/07/19/collaborative-alliance-of-organisations-announced-to-advance-the-uks-cyber-security-profession/index.html
Cyber Security Challenge. (2018a). Play the Challenge. Retrieved from https://www.cybersecuritychallenge.org.uk
Cyber Security Challenge. (2018b). Capture the Flag. Retrieved from https://www.cybersecuritychallenge.org.uk/competitions/capture-the-flag
Cyber Security Challenge. (2018c). CyberFirst. Retrieved from https://www.cybersecuritychallenge.org.uk/education/further-education/cyber-first
Cyber Security Education. (2018). CYBER SECURITY COURSES. Retrieved from https://www.cybersecurityeducation.org/courses/
Dallaway, E. (2017). IISP Apply to Privy Council for Information Security Royal Charter. Info Security Magazine. Retrieved from https://www.infosecurity-magazine.com/news/iisp-apply-royal-charter/
DCMS. (2017). 5. A safe and secure cyberspace - making the UK the safest place in the world to live and work online. Retrieved from https://www.gov.uk/government/publications/uk-digital-strategy/5-a-safe-and-secure-cyberspace-making-the-uk-the-safest-place-in-the-world-to-live-and-work-online
DCMS. (2018). Developing the UK cyber security profession. Retrieved from https://www.gov.uk/government/consultations/developing-the-uk-cyber-security-profession
DeGroat, T. J. (2018). 5 Cybersecurity Certifications That Will Help You Land a Job. Springboard. Retrieved from https://www.springboard.com/blog/cybersecurity-certifications/
Department for Digital, Culture, Media and Sport. (2018). Cyber Security Breaches Survey 2018. Crown.
Diggins, A. (2018). Final stage of Cyber Discovery finishes in London. EdTechnology. Retrieved from https://edtechnology.co.uk/Article/final-stage-of-cyber-discovery-finishes-in-london
Dunn, J. (2018). Feel the shame: Email-scammed staffers aren’t telling bosses about it. The Register. Retrieved from https://www.theregister.co.uk/2018/09/07/scam_business_emails_on_the_rise/
Embers, R. (2018). Security: The Rules of Engagement to Mitigate Insider Risk. Security Boulevard. Retrieved from https://securityboulevard.com/2018/08/security-the-rules-of-engagement-to-mitigate-insider-risk/
Finch, A., & Furnell, S. (2018). Is this the year for the Security Professional. Infosecurity Europe. Retrieved from http://www.infosecurityeurope.com/__novadocuments/486575?v=636657836899000000
Finch, A., Glover, I., & Smith, R. (2018). Does the UK Need an Information Security Royal Charter? Info Security Magazine. Retrieved from https://www.infosecurity-magazine.com/magazine-features/uk-information-security-royal/
GoCertify. (2018). ISACA Study Addresses Global Cybersecurity Challenges. Retrieved from http://www.gocertify.com/articles/isaca-study-addresses-global-cybersecurity-challenges
Great Schools Partnership. (2014). Blended Learning. Retrieved from https://www.edglossary.org/blended-learning/
Grout, V. (2015). Cybersecurity to Become Core Component of UK Computing Degrees. Retrieved from https://cphc.ac.uk/2015/06/29/cybersecurity-to-become-core-component-of-uk-computing-degrees/
Hendrix, M., Al-Sherbaz, A., & Bloom, V. (2016). Game Based Cyber Security Training: Are Serious Games suitable for cyber security training? International Journal of Serious Games, 3(1), 52–61. doi:10.17083/ijsg.v3i1.107
Higbee, A. (2017). Cyber security education: Why we need to re-think it. Training Journal. Retrieved from https://www.trainingjournal.com/articles/opinion/cyber-security-education-why-we-need-re-think-it
IA Advisory Council. (2016). Free ‘Introduction to cyber security’ course launched. Retrieved from https://www.iaac.org.uk/free-introduction-to-cyber-security-course-launched/
IISP. (2018). Accredited Training Courses. Retrieved from https://www.iisp.org/imis15/iisp/Accreditation/Accredited_Training/iispv2/Accreditation/Accredited_Training.asp
ISACA. (2015). State of Cybersecurity: Implications for 2016. In ISACA and RSA Conference Survey, Elsevier Computers & Security.
ISACA. (2017). Survey: Cyber Security Skills Gap Leaves 1 in 4 Organizations Exposed for Six Months or Longer. Retrieved from http://www.isaca.org/About-ISACA/Press-room/News-Releases/2017/Pages/Survey-Cyber-Security-Skills-Gap-Leaves-1-in-4-Organizations-Exposed-for-Six-Months-or-Longer.aspx?utm_referrer=
ISACA. (2018). State of Cybersecurity 2018 Part 1: Workforce Development.
Ismail, N. (2018). Cyber security training: Is it lacking in the enterprise? Retrieved from https://www.information-age.com/cyber-security-training-123474550/
ITU. (2014). Global Cybersecurity Index – Good Practices. International Telecommunications Union.
Jones, N., & O’Neill, L. (2017). The Profession. Swindon, UK: Information Assurance Advisory Council.
Kennett, S. (2017). Cybersecurity: why the education sector can’t afford not to invest. Retrieved from https://www.jisc.ac.uk/blog/cybersecurity-why-the-education-sector-cant-afford-not-to-invest-13-apr-2017
Kleinman, L. (2018). Cybersecurity And The New CISO: The Leadership Enigma. Forbes. Retrieved from https://www.forbes.com/sites/forbestechcouncil/2018/07/26/cybersecurity-and-the-new-ciso-the-leadership-enigma/#2abe5fc43422
Knowles, W., Baron, A., & McGarr, T. (2016). The Simulated Security Assessment Ecosystem: Does Penetration Testing Need Standardisation? Computers & Security, 1–22.
MacWillson, A. (2018). UK cyber economy will rise to £2bn by 2016, aided by partnerships with Facebook and BT. Realwire. Retrieved from https://www.realwire.com/releases/IISP-Launches-New-Skills-Framework-for-Information-Security-Professionals
Magazine, S. C. (2014). GCHQ certifies six MSc cyber security degrees. SC Magazine. Retrieved from https://www.scmagazineuk.com/gchq-certifies-six-msc-cyber-security-degrees/article/1480937
Martin-Brown, G. (2018). Personalised learning & the future of education [YouTube video]. Retrieved from https://www.youtube.com/watch?v=j_eb4TwdWOo
Mashable, U. K. (2018). Switch to a career in cybersecurity by taking these online classes. Mashable. Retrieved from https://mashable.com/2018/04/17/cyber-security-certifications-online-classes/?europe=true
McDonald, C. (2018). Average technology salary in UK&I reaches over £80,000. Computer Weekly. Retrieved from https://www.computerweekly.com/news/252448472/Average-technology-salary-in-UKI-reaches-over-80000
McKinnon, I. D. (2012). Information Security Group. Review 11/12. Royal Holloway. UK: University of London.
Milligan, R., & Rajab, T. (2015). CESG launch new Certified Cyber Security Consultancy scheme. TechUK. Retrieved from http://www.techuk.org/insights/news/item/4529-cesg-launch-new-certified-cyber-security-consultancy-scheme
MOD. (2017a). JSP 822 Defence Direction and Guidance for Training and Education Part 2. Ministry of Defence. UK: Crown Copyright.
MOD. (2017b). JSP 822 Defence Direction and Guidance for Training and Education Part 1. Ministry of Defence. UK: Crown Copyright.
Morgan, S. (2017). Please don’t send me to cybersecurity training. CSO Online. Retrieved from https://www.csoonline.com/article/3225471/security/please-dont-send-me-to-cybersecurity-training.html
Murphy, I. (2017). NCSC appeals for students to takes its money. Enterprise Times. Retrieved from https://www.enterprisetimes.co.uk/2017/11/17/ncsc-appeals-students-takes-money/
NCSC. (2016). Cyber Security Consultancy. Retrieved from https://www.ncsc.gov.uk/scheme/certified-cyber-consultancy
NCSC. (2017a). CHECK Fundamental Principles. Retrieved from https://www.ncsc.gov.uk/articles/check-fundamental-principles
NCSC. (2017b). Email security and anti-spoofing. Retrieved from https://www.ncsc.gov.uk/guidance/email-security-and-anti-spoofing
NCSC. (2018a). GCHQ Certified Training. Retrieved from https://www.ncsc.gov.uk/scheme/gchq-certified-training
NCSC. (2018b). Cyber Security Consultancy Standard. London, UK: Crown Copyright.
NCSC. (2018c). Certified cyber security courses. Retrieved from https://www.prospects.ac.uk/jobs-and-work-experience/job-sectors/law-enforcement-and-security/certified-cyber-security-courses
NCSC. (2018d). Academic Centres of Excellence in Cyber Security Research. Retrieved from https://www.ncsc.gov.uk/articles/academic-centres-excellence-cyber-security-research
NCSC. (2018e). NCSC-certified degrees. Retrieved from https://www.ncsc.gov.uk/information/ncsc-certified-degrees
NCSC. (2018f). Certified Training Courses. Retrieved from https://www.ncsc.gov.uk/information/certified-training-courses
NCSC. (2018g). NCSC Mail Check. Retrieved from https://www.ncsc.gov.uk/mailcheck
NCSC. (2018h). Setting new foundations for the CCP scheme. Retrieved from https://www.ncsc.gov.uk/blog-post/setting-new-foundations-ccp-scheme
Nepal, S. (2018). Building Trustworthy IoT-Cloud Data Lifecycle. In Proceedings of 11th International Conference on Security of Information and Networks, Cardiff University, UK.
Nicholls, D. (2018). Veterans to be retrained as cyber warriors, under new partnership backed by the MoD. Retrieved from https://www.telegraph.co.uk/news/2018/08/11/veterans-retrained-cyber-warriors-new-partnership-backed-mod/
Oesch, T. (2018). Diversifying the Cybersecurity Workforce With Learning and Development. Training Industry. Retrieved from https://trainingindustry.com/articles/it-and-technical-training/diversifying-the-cybersecurity-workforce-with-learning-and-development/
Office of National Statistics. (2011). 2011 Census Security: Report of the Independent Review Team. Retrieved from https://www.ons.gov.uk/census/2011census/confidentiality/assessingourmeasurestoprotectyourconfidentiality
Olusegun, O. J., & Ithnin, N. B. (2013). People Are the Answer to Security: Establishing a Sustainable Information Security Awareness Training (ISAT) Program in Organization. International Journal of Computer Science and Information Security, 11(8).
Open University. (2018). Introduction to Cyber Security. Retrieved from https://www.futurelearn.com/courses/introduction-to-cyber-security
Osborne, G. (2015). Chancellor’s speech to GCHQ on cyber security. Retrieved from https://www.gov.uk/government/speeches/chancellors-speech-to-gchq-on-cyber-security
Paganini, P. (2018). Iran-linked COBALT DICKENS group targets universities in new phishing campaign. Security Affairs. Retrieved from https://securityaffairs.co/wordpress/75710/cyber-warfare-2/cobalt-dickens-iran-attacks.html
Palmer, D. (2016). Training? What training? Workers’ lack of cybersecurity awareness is putting the business at risk. ZDNet. Retrieved from https://www.zdnet.com/article/training-what-training-workers-lack-of-cybersecurity-awareness-is-putting-the-business-at-risk/
Palmer, D. (2018). Phishing warning: One in every one hundred emails is now a hacking attempt. ZDNet. Retrieved from https://www.zdnet.com/article/phishing-warning-one-in-every-one-hundred-emails-is-now-a-hacking-attempt/
Parr, C. (2014). First GCHQ-certified master’s courses unveiled. Times Higher Education. Retrieved from https://www.timeshighereducation.com/news/first-gchq-certified-masters-courses-unveiled/2014921.article
Pop, A. (2018). What’s the Difference Between Blended Learning, E-Learning and Online Learning? Distance Learning. Retrieved from https://www.distancelearningportal.com/articles/269/whats-the-difference-between-blended-learning-e-learning-and-online-learning.html
Rashid, A., Danezis, G., Chivers, H., Lupu, E., & Martin, A. (2018). Scope for the Cyber Security Body of Knowledge. University of Bristol, UK: CyBOK.
Ryan, G. (2018). Stem vital to UK’s future cybersecurity. Retrieved from https://www.tes.com/news/stem-vital-uks-future-cybersecurity
SANS. (2018). World Leading Cyber Security Training. Retrieved from https://uk.sans.org
Schneier, B. (2013). Is Cybersecurity a Profession? Retrieved from https://www.schneier.com/blog/archives/2013/10/is_cybersecurit.html
Stephanou, T., & Dagada, R. (2008). The Impact of Information Security Awareness Training on Information Security Behaviour: The Case for Further Research. In Proceedings of ISSA 2008 Innovative Minds Conference.
Stephenson, M. (n.d.). Insecurity Podcast: Joe Billingsley on Cyber Education and the Modern Military. Threat Vector. Retrieved from https://threatvector.cylance.com/en_us/home/insecurity-podcast-joe-billingsley-on-cyber-education-and-the-modern-military.html
Stevenson, A. (2013). UK cyber economy will rise to £2bn by 2016, aided by partnerships with Facebook and BT. V3. Retrieved from https://www.v3.co.uk/v3-uk/news/2318616/uk-cyber-economy-will-rise-to-gbp2bn-by-2016-aided-by-partnerships-with-facebook-and-bt
Stilgherrian. (2018). Security training is useless unless it changes behaviours. ZDNet. Retrieved from https://www.zdnet.com/article/security-training-is-useless-unless-it-changes-behaviours/
Such, J. M., Gouglidis, A., Knowles, W., Misra, G., & Rashid, A. (2015). The Economics of Assurance Activities (Technical Report SCC-2015-03). Security Lancaster, Lancaster University.
Swain, N. D. (2014). A Multi-Tier Approach to Cyber Security Education, Training, and Awareness in the Undergraduate Curriculum (CSETA). In Proceedings of 121st ASEE Annual Conference & Exposition, Indianapolis, IN.
The Engineer. (2016). New cyber security qualification for the UK. Retrieved from https://www.theengineer.co.uk/new-cyber-security-qualification-for-the-uk/
TheBigChoice.com. (2018). CyberFirst Apprenticeships. Retrieved from https://www.thebigchoice.com/Apprenticeships/CyberFirst
Thomas, K. (2018). Women in tech: the IT firms tackling the gender imbalance. The Guardian. Retrieved from https://www.theguardian.com/education/2018/jul/09/women-tech-it-technology-firms-tackling-gender-imbalance
Tigerscheme. (2018). Tigerscheme Qualifications. Retrieved from https://www.tigerscheme.org/qualifications.php
Tittel, E., & Lindros, K. (2018). Best Information Security Certifications 2018. Retrieved from https://www.businessnewsdaily.com/10708-information-security-certifications.html
Trim, P. R., Lee, Y., Ko, E., & Kim, K. H. (2014). Cyber security culture and ways to improve security management. UK: University of Westminster.
Tucker, E. (2018). Cyber security – why you’re doing it all wrong. Computer Weekly. Retrieved from https://www.computerweekly.com/opinion/Cyber-security-why-youre-doing-it-all-wrong
University College London. (2001). Learning about Learning enhances performance. UK: Institute of Education, University College London.
David Bird has worked in multiple technical disciplines within both the public and private sectors for over 33 years. Over the past 11 years David has worked on many complex consortia-based projects and programs for a number of leading IT integration companies as an information security specialist. He also brings to bear his additional experience in business and training consultancy as well as performing cybersecurity research in his own time. He has had many articles published in several reputable magazines comprising topical, technical and information security subject matter that includes: British Computer Society ITNoW and Digital Leaders editions, CyberTalk and the Institute of Information Security Professionals Pulse Magazine. David has also provided a published chapter entitled ‘The collaborative effects of cyberspace’ in a book published by the Institute of Scientific and Technical Communicators. In 2018, he published two papers in the IEEE Xplore and ACM digital libraries.
John Curry is a senior lecturer in games development and cyber security at Bath Spa University. He has an international reputation in conflict simulations/ serious games and has worked with many of the key personalities in the field. He has been leading umpire in numerous cyber wargames from individual companies to state level. He co-authored handbooks on the development of new methods of serious gaming including Matrix Games and Confrontation Analysis. His professional life consists largely of using games to explore complex situations looking for insights.
University of Bristol. (2018). The Cyber Security Body Of Knowledge. Retrieved from www.cybok.org
US Department of Education. (2018). Science, Technology, Engineering and Math: Education for Global Leadership. Retrieved from https://www.ed.gov/stem
Veseli, I. (2011). Measuring the Effectiveness of Information Security Awareness Program. Gjøvik, Norway: Department of Computer Science and Media Technology.
Viveros, M. (2013). Cyber Security Depends on Education. HBR. Retrieved from https://hbr.org/2013/06/cyber-security-depends-on-educ
Wikipedia. (2018). Offensive Security Certified Professional. Retrieved from https://en.wikipedia.org/wiki/Offensive_Security_Certified_Professional
Williams, C. (2017). Building a Capable Cybersecurity Workforce through Collaborations. National Institute for Standards and Technology. US: National Initiative for Cybersecurity Education.
Williams, H. (2017). UK government to deliver ‘cyber curriculum’ to tackle cyber security skills gap. CBR Online. Retrieved from https://www.cbronline.com/cybersecurity/uk-government-cyber-curriculum-tackle-cyber-security-skills-gap/
WIREDGOV. (2015). Certification of IA industry consultancy is changing. Retrieved from https://www.wired-gov.net/wg/news.nsf/articles/Certification+of+IA+industry+consultancy+is+changing+03032015152000?open
ZDNet. (2007). Take responsibility for your own training. Retrieved from https://www.zdnet.com/article/take-responsibility-for-your-own-training/