Date post: 22-Jun-2020
Curry, J. and Bird, D.A. (2018) 'A case for using blended learning and development techniques to aid the delivery of a UK cybersecurity core body of knowledge’, International Journal of Systems and Software Security and Protection, 9 (2), pp. 28-45. “Through IGI Global's Fair Use Policy, authors may post the final typeset PDF of their chapter or article on the author or editor's secure personal website and/or their university repository site.” – details here. To access the final work on the publisher’s site go to http://dx.doi.org/10.4018/IJSSSP.2018040103 ResearchSPAce http://researchspace.bathspa.ac.uk/ This version is made available in accordance with publisher policies. Please cite only the published version using the reference above. Your access and use of this document is based on your acceptance of the ResearchSPAce Metadata and Data Policies, as well as applicable law:- https://researchspace.bathspa.ac.uk/policies.html Unless you accept the terms of these Policies in full, you do not have permission to download this document. This cover sheet may not be removed from the document. Please scroll down to view the document.

DOI: 10.4018/IJSSSP.2018040103

International Journal of Systems and Software Security and Protection Volume 9 • Issue 2 • April-June 2018

Copyright © 2018, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.

A Case for Using Blended Learning and Development Techniques to Aid the Delivery of a UK Cybersecurity Core Body of Knowledge

David A Bird, Learning and Performance Institute, Coventry, UK

John Curry, Bath Spa University, Bath, UK

https://orcid.org/0000-0003-2872-0678

ABSTRACT

This article explores the UK’s current approach in addressing the cybersecurity skills gap championed by the National Cyber Security Strategy. There have been progressive and elaborate steps taken in the UK toward professionalization of the cybersecurity field. However, cybersecurity knowledge has been labelled as inconsistent when a cybersecurity Chartered status is being proposed. The objective of this analysis was to apply an academic lens over the UK’s voyage towards the establishment of a cybersecurity profession. It has been an ambitious but complex endeavor that at times has had alterations of course. Learning from this experience, a blended learning and development approach is now recommended underpinned by an overarching core knowledge framework. Such a framework could join up the existing silos of learning and development activities to benefit from, and build upon, a coherent core knowledge-base for the community. It is argued that this will provide a more satisfactory outcome to enhance the UK’s cybersecurity capability on the road to a cybersecurity profession.

KEYWORDS

Blended Learning Approach, Core Knowledge Framework, Cybersecurity, Learning and Development, Strategies

1. INTRODUCTION

In 2011, the United Kingdom (UK) Government set out their stall by predicting the need to increase cybersecurity skills and expertise in line with their Cyber Security Strategy. It was also decreed that education and training providers should heed this prediction. The main aim then was to counter the effects of cyber-crime, which required specialist training in order to meet an increased skills demand (Cabinet Office, 2011). In 2013, the Harvard Business Review stated that education was a catalyst, and enabler, for cybersecurity and called upon academic institutions to share cybersecurity best practices and curricula (Viveros, 2013).

The comprehensive International Information Systems Security Certification Consortium ((ISC)²) survey of 2015 stated that 63% of private sector organizations did not have enough cybersecurity staff in the UK (Grout, 2015). In the same year the Chancellor laid out the cyber-crime threats to the UK economy (Osborne, 2015). He labored the point that cybersecurity should be embedded at every stage of the education and training process, so the next generation will be able to keep Britain safe in cyberspace. By the next iteration of the Cyber Security Strategy in 2016, it was stated that there were still insufficient skills in cybersecurity and that the public lacked cyber awareness. The UK Government subsequently set their intention for collaboration in training and education across the target audience in the public and private sectors (Cabinet Office, 2016). This was a part of the continuing agenda taken by UK Government to make Britain the safest place in cyberspace championed by the Department for Digital, Culture, Media and Sport (DCMS) (2017) and the National Cyber Security Center (NCSC) which is a part of the Government Communications Headquarters (GCHQ). A number of approaches to enthuse adolescents were spawned and aimed at refocusing of attitudes leading to a cybersecurity curriculum (Williams, 2017).

There is a myriad of certifications categorized by the Institute of Information Security Professionals (IISP) ranging from vendor-based, those aimed at role competencies, broad certifications and those provided by academia (Finch & Furnell, 2018). However, there are advantages and disadvantages with professionalization. From a USA perspective, Schneier (2013) has discussed openly that popular certifications used as a form of entry into cybersecurity run the risk of becoming obsolete; and need to be maintained using Continuous Professional Development (CPD). Interestingly, Nepal (2018) has stated that in Australia cybersecurity tools have not reduced the demand on cybersecurity experts, but actually increased demand for more cybersecurity specialists. In tandem, the cybersecurity skills shortage in the UK increased to 66% by 2017 (Cox, 2017). The 2018 edition of Information Systems Audit and Control Association (ISACA) ‘State of Cybersecurity’ report stated that of the 60% of organizations who had open jobs in cybersecurity, 54% of positions took over three months to fill (GoCertify, 2018); it was suggested that the skills gap was actually widening (ISACA, 2018). Consequently, demand for expertise and skills is driving up cybersecurity salaries in the UK (McDonald, 2018) and making them comparable to more established and recognized professions.

Additionally, there have been endeavors to increase cybersecurity awareness in organizations (Palmer, 2016) and the wider populace of the UK; this follows a similar agenda to the USA (Morgan, 2017). However, awareness should only be the start of making people mindful about the cybersecurity risks (Beyer et al., 2015). There are other diverse and relevant skill sets within the Information Technology (IT) industry such as system designers and developers along with system managers and system administrators who are also important in cybersecurity. All these roles require better cybersecurity awareness and the right culture to ensure that security is an important criterion in the development, implementation and maintenance of new systems. According to a survey by Harvey Nash and PGI (2016) the creation of a security-aware culture has been the most critical yet lacking action in the past.

However, to fill the cybersecurity skills shortage there has been a concerted push aimed at practitioners working in the cybersecurity discipline across many specialist fields – ranging from risk management consultants to penetration testers to security analysts in security operations centers. Existing learning options and methods for establishing qualified practitioners in cybersecurity have been developed in isolation of each other and as a result are fragmented. While they contribute to a career outcome, the disparate development and delivery techniques are not joined up. It is surmised that a study is needed to qualify the cybersecurity foundational knowledge and determine the best relevant learning options to achieve a holistic approach. That is, which mix of online learning, lectures, vocational and practical applications and competition options could fill the skills gaps in a more efficient manner; and how can they be integrated into schools, academia and certifications in order to strengthen a defined career pathway?

In principle, this errs towards a reason to implement a mixed-mode learning approach of blended-learning techniques and experiences (Great Schools Partnership, 2014). Traditionally used across training and education, blended learning is normally associated with learning-at-a-distance and on campus lectures (Pop, 2018). However, in this context blended learning and development is aimed at the next dimension to enable a hybrid learning-delivery model (Great Schools Partnership, 2014) that crosses the cybersecurity role divide in support of the overall agenda championed by the Cyber Security Strategy.

2. BACKGROUND

There are a number of diverse training, education and professionalization agendas concurrently underway in the UK to fill the cybersecurity skills gap – some are already established such as certifications and others are evolving such as professionalization. In 2015, the report entitled the ‘State of Cybersecurity: Implications for 2016’ stated that nearly 65% of applicants applying for entry-level cybersecurity jobs lacked the requisite skills to perform the job roles that they were seeking (ISACA, 2015); by 2017 37% of respondents declared that fewer than one in four had the qualifications needed to keep their organization secure (ISACA, 2017). Within the report skills development statistics were attributed to the following areas (from the highest to the lowest): (a) 86% was based around on-the-job training, (b) 63% through training and certifications, (c) 38% through certifications around performance-based assessment, (d) 27% through third-party training providers, (e) 16% through formal education, and (f) 5% through competitions. In addition, the recent UK Cybersecurity Breaches Survey indicates that cybersecurity training statistics in business are: (a) 76% of training is for managers, (b) 30% for IT staff, (c) 26% for cybersecurity specialists and 25% for all other staff (DCMS, 2018); denoting that the specialists purportedly filling a key skills gap are trained no more frequently than other staff members.

The next section provides a case-study that articulates the UK’s approach to addressing the cybersecurity skills gap. The chronology of the disparate training, education and professionalization efforts are ordered in line with the previous arguments from the paragraph above.

2.1. Staff Training

Training, education and awareness has been considered as part of the legacy UK Government Information Assurance (IA) Maturity Model (IAMM); it was developed by the former Communications Electronic Support Group (CESG) (CESG, 2015) that has now become the NCSC. During its time the IAMM was regarded as best practice for public sector organizations to aspire to. It was also a statement on the ability of any adoptive organization to implement an appropriate information security regime (Office of National Statistics, 2011). However, over time the IAMM became dated and its relevance blurred, so from 2018 it is no longer formally supported (Anne W, 2018a). From a public awareness perspective, in 2016 a Massive Open Online Course was designed and implemented by academia and promoted by the former UK Government’s department called Business, Innovation and Skills, now known as DCMS. It has been awarded Certified Training (CT) status by GCHQ and is recognized by bodies like the IISP for its content adequacy (IA Advisory Council, 2016; Open University, 2018).

2.2. Certifications

2.2.1. Traditional

Information security certifications have been the longest reigning entry point for practitioners to become qualified in the cybersecurity domain. Various popular brands emanating from the USA tend to follow in popularity terms within the UK. Four certifications are prominent on both sides of the Atlantic (DeGroat, 2018; Tittel & Lindros, 2018; Afifi-Sabit, 2018; Mashable UK, 2018):

• Certified Ethical Hacker
• (ISC)² Certified Information Security Systems Professional (CISSP)
• CompTIA Security+
• Certified Information Security Manager

These certifications target penetration testers, IA practitioners and managers and currently fall under the generalist category of certifications. There are other UK exams provided by the British Computer Society (BCS) (2018), the Centre for Research and Evidence on Security Threats (CREST) (CREST, 2018a) and courses that are endorsed by the IISP (IISP, 2018). The CREST accreditation and certification body not only provides offerings in the cyber defense area but also in the penetration testing field. The SysAdmin, Audit, Network and Security (SANS) Institute provides a plethora of role-based certifications and is well known for its Global IA Certification. Within the computer network defense realm, SANS certifications are highly prized in the USA and in the UK. Additionally, SANS is an accredited partner of UK Government organizations and offers training academy options (SANS, 2018).

Under the current Cyber Security Strategy, the NCSC has implemented a CT approach that recognizes core training of non-academic course materials and the training delivery from training providers. The logic behind this approach is that the certification of training providers validates the quality of the training as being of an adequate standard (NCSC, 2018a; NCSC, 2018b). These courses can lead to an exam component of popular brands of exam-based certifications previously listed.

2.2.2. Competency-Based

Competency-based certifications have become popular in the UK. Offensive Security Certified Professional (OSCP) (Wikipedia, 2018) is popular for the penetration testing (Pentest) discipline in the USA and has become so in the UK as well. For Pentest practitioners operating in the UK public sector, additional qualifications centered around CESG’s CHECK initiative are required. CHECK Team Member and CHECK Team Leader qualifications are available through the Tigerscheme (Tigerscheme, 2018) and CREST (CREST, 2018b) as a comparable qualification to the CHECK Team Member. In addition, through a set of eligibility criteria, CREST offers CREST Registered Tester equivalency for practitioners holding the OSCP certification not only in Australia and New Zealand, but also in the USA (CREST Australia, 2017).

For IA consultants working in the public sector, the UK Government originally levied a requirement for the Infosec Training Paths and Competencies certification. Subsequently, the method of proving demonstrable competencies changed to the Cybersecurity Certified Professional (CCP) scheme (CESG, 2016) that was founded in 2013 (Stevenson, 2013). The CCP scheme standard was originally developed by CESG and is underpinned by the IISP Skills Framework (MacWillson, 2017); a framework that had been corroborated with public sector representatives, academia and industry security leaders (Kleinman, 2018). The CCP scheme is presently administered on behalf of NCSC by three selected Certifying Bodies. The scheme is defined by different role types and various grades within those roles, which was purported to have rectified a criticism of the fore-runner – the CESG Listed Advisor Scheme (CLAS). CLAS was established in 1999 and had originally been proposed as a one-size-fits-all risk assessment and management scheme to support government departments and agencies adopt centralized government focused networks (Bada et al., 2016).

2.3. Professionalization

2.3.1. Government Orientated

The UK Pentest market for the public sector was standardized firstly under the CHECK scheme (NCSC, 2017a) and the status is attributed to a particular company who has reached the threshold number of qualified Pentest staff. It has been so successful that this approach has been heralded as a good example of a professionalization scheme (Knowles et al., 2016). Originally IA consultancy in the public sector was focused around the CLAS membership (Bada et al., 2016). Over time CLAS had grown beyond its original remit and consultants diversified into many different IA skill camps – not just spanning risk assessment, but also including IA Architecture, Auditor and Accreditor roles too. Subsequently, after a period of consultation, CLAS was dissolved in 2015 in favor of the Certified Cyber Security Consultancy format (Milligan & Rajab, 2015) following a similar approach to the CHECK scheme; again, attributing the status to a company and not any one individual (NCSC, 2016). To be a part of the certified consultancy scheme at least one head consultant must be appointed who has to hold a recognized certification or qualification type (NCSC, 2018b) and be interviewed by NCSC.

2.3.2. Community Related

In the past few years there has been a desire to introduce a cybersecurity Chartered status (Dallaway, 2017; Finch et al., 2018). It was initially thought that this could be conveyed through a chartered institution, but a recent consultation headed by DCMS is veering towards an independent body to ensure that standardization occurs (DCMS, 2018; Chris E, 2018). The UK Government approach is erring towards an independent Cyber Security Council that could act as an umbrella organization of existing professional bodies (Chris E, 2018), similar in function to the UK’s Engineering Council and it could ensure that professionalization will follow against a centralized Cyber Security Body of Knowledge (CyBOK). CyBOK itself has been developed as part of the National Cyber Security Program, and advocated as a body of knowledge to distill knowledge orientated around specialisms – these are currently being ratified one-by-one (Rashid et al., 2018).

2.3.3. Professional Bodies

Simultaneously, some of the UK’s Chartered professional bodies such as the British Computer Society, The Security Institute, and the Institution of Engineering Technology have combined with other professional bodies to jointly take the initiative on influencing the direction of the cybersecurity profession. These bodies, with other collaborating organizations, have formed the Cyber Security Alliance that also includes the Institute of Analysts and Programmers, the Chartered Institute of Machinery and Control, CREST and (ISC)² (CREST, 2018c). The remit of the Alliance is to benchmark shared standards for excellence, skills and capabilities, developing a pipeline of expertise to advise and inform national policy and contribute towards the cybersecurity profession. It is sensible and crucial that the wider community is engaged to establish, develop and recognize additional cybersecurity skills in a consistent and impartial manner.

2.3.4. Skills Diversification

Similarly to the US, the UK has recognized that other skill diversities should be included in the cybersecurity fraternity (Oesch, 2018). The cybersecurity community has been keen to differentiate itself as being gender neutral by encouraging more women into this developing profession (Thomas, 2018). There has also been a concerted effort to promote cybersecurity as an option for reskilling or enhancing the skills of military veterans (Nicholls, 2018). Acceptance of disparate skills into the cybersecurity community is now being actively encouraged and other skills groups are now also being represented (Jones & O’Neill, 2017).

2.4. Schools and Higher Education

There are increasing opportunities in the cybersecurity industry for the younger generation of all genders. The introduction of a cybersecurity curriculum is a positive step for children and adolescents. In pre-university education a new technical version of the Advanced Level qualification has been introduced called a T-Level (Ryan, 2018); this follows the success of an Advanced Subsidiary Level equivalent course which is a pre-cursor to the higher T-Level and was developed as an Extended Project Qualification in cybersecurity (The Engineer, 2016). The UK Government’s CyberFirst three-year bursary scheme is aimed at Science, Technology, Engineering and Mathematics (STEM) undergraduate students (TheBigChoice.com, 2018). STEM education is being used to fill the skills gap spanning the next 20 years. STEM follows on from the USA STEM initiative (US Department of Education, 2018) to encourage students into shortage area categories. CyberFirst followed as a degree apprenticeship and has the aim of kick-starting careers in cybersecurity reinforced by work experience placements (Murphy, 2017).

2.5. Academia

There is a plethora of universities in all corners of the UK offering courses that contribute to named cybersecurity degrees. In order to distinguish excellence and nurture growth of the UK’s cybersecurity capability, the NCSC has introduced their university degree certification scheme that offers a wide selection of career options and topics for graduates (NCSC, 2018c). This follows a similar approach to the USA (Cyber Security Education, 2018). Originally initiated through master’s degree certifications, it is part of the effort to raise the bar for cybersecurity skills in the UK. Universities are able to apply for assessment against the scheme through their demonstration of cybersecurity content quality, quantity of doctorates being undertaken, and critical mass of academic staff engaged in leading-edge cybersecurity research (NCSC, 2018d). These universities form the Academic Centers of Excellence (ACE) (Parr, 2014; SC Magazine, 2014). Following on from this successful implementation, NCSC are now certifying undergraduate degrees. Academic Centers for Doctoral Training have now been formed in the UK – themselves drawn from the ACE endorsed universities (NCSC, 2018e). The list of ACE universities is maintained by NCSC and updated when new universities are appended to the list (NCSC, 2018f).

2.6. Competitions

A number of initiatives over the past few years have used gaming to increase student engagement. They have been used to spark the interest of adolescents and entice them into thinking about a career in cybersecurity. The most well-known event is the Cyber Security Challenge, which in itself has drawn in supportive competitions such as CyberCenturion from the USA (Cyber Security Challenge, 2018a) and Capture the Flag activities (Cyber Security Challenge, 2018b). In a similar vein the SANS Institute also runs its Cyber Discovery events in the UK (Diggins, 2018). These events and competitions follow a similar format to simulate or emulate cyber-attacks under controlled conditions. The participants are usually broken down into two teams: Red (attacker) and Blue (defender). The Cyber Security Challenge has a further tie in with the current UK Government strategy by promoting CyberFirst (Cyber Security Challenge, 2018c).

3. ARGUMENT FOR BLENDED LEARNING AND DEVELOPMENT

3.1. Discussion

Cybersecurity threats are growing in scale and effectiveness (Bird, 2015), but user awareness is a key defense (Embers, 2018). A recent massive phishing campaign has revealed the scale of the problem by targeting the USA, UK and Europe (Abel, 2018; Paganini, 2018). Reportedly, IT workers, especially millennials, are most susceptible to falling for impersonation fraud disseminated by email (Dunn, 2018). Not surprisingly this is related to the bombardment of emails with malicious intent – one in a hundred emails are a hacking attempt (Palmer, 2018). However, research estimates that 88% of UK data breaches are caused by human error, rather than by cyber-attacks (Ismail, 2018).

In effect a user’s judgement whether to click that malicious link can be impaired by their busy day, absentmindedness or laziness – this problem affects both sides of the Atlantic (Tucker, 2018). In response the NCSC has decided to use technical measures to counter email spoofing in the public sector through the introduction of Domain-based Message Authentication, Reporting and Conformance (NCSC, 2017b; NCSC, 2018g). In addition, it has been identified that the education sector needs to continually invest in order to protect its networks (Kennett, 2017). For the public and private sector, technical measures need to be supplemented by explicit and implicit knowledge to facilitate effective learning (Stephanou & Daganda, 2008). However, people’s attitudes and their receptiveness to awareness training is also a factor and education should be used to influence the conditioning of human behavior (Higbee, 2017). Not only that, people need to believe in the application of information security (Olusegun & Ithnin, 2013). Furthermore, effective training and learning campaigns need to be meaningful to change people’s behaviors (Alexander et al., 2013).

Collaboration between academia and industry has been recommended through research conducted by the University of Westminster and includes considerations from social science (Trim et al., 2014). Although there is commonality of underpinning technical aspects, there is a perspective and paradigm shift needed to provide adequate cybersecurity training and education (Stilgherrian, 2018). The scale of the need for cybersecurity understanding extends to the use of the cloud which could be utilized by public and private sectors and the general public alike (Adams, 2017). Effectively, people require a mind-set change to avoid cybersecurity efforts being undermined. The Australian Computer Society (2016) recognized the fact that the employment of cybersecurity professionals and the training of key IT staff and managers should form part of an organization’s cybersecurity readiness.

Traditionally, the cybersecurity industry demanded a badge – a qualification or certification as short-hand proof of competence and a lot of emphasis was placed on the right certification (Balaji, 2018). Some practitioners entered the IA world by carrying out self-learning and self-funded examinations to become established on the career ladder. Ten years or so ago this was an acceptable approach, where the community tended to operate under a self-help mind-set (ZDNet, 2007). With learning and development companies all vying for market position, it might be tempting for previous information security courseware to be rebadged under the cybersecurity banner. That is why the NCSC have taken the approach to vet cybersecurity providers and universities in an aligned way to meet the UK Cyber Security Strategy agenda.

Most of the classic certification examinations have either been fully or partly fulfilled by the use of multiple-choice question and answer constructs. While some certifications do require a number of years’ experience as a prerequisite to take certain examinations, multiple choice exams have been criticized as not necessarily demonstrating an adequate level of skills competency (Such et al., 2015) and only show a candidate’s knowledge retention capability. Debatably a key proponent of multiple-choice exams is a candidate’s awareness of the certification body’s exam techniques by practicing sample questions. Conversely, it would appear - depending on the topic being examined - CREST provides a combination of practical examinations, short essay and multiple-choice examination question types. OSCP is also renowned as a very reputable means of qualifying within the Pentest discipline in the private sector due to the rigor of the practical examination component. However, Coventry University has proposed that a case-study based learning approach might be more beneficial (Hendrix et al., 2016) and this is especially pertinent to gaming.

While the options in the previous section provide pieces that can contribute to a whole, CT badged courses and ACE degrees do provide extrinsic assurance that training companies and academic institutions are credible in specific cybersecurity spheres. This is especially pertinent with calls for cybersecurity to be opened up to other non-traditional information security skill sets like developers for example (Jones & O’Neill, 2017); where a cultural change is required toward secure implementation considerations in software development (Bird, 2017). As a case in point, the upsurge in the use of Internet of Things (IoT) technologies was an opportunity to reevaluate cybersecurity considerations. Notwithstanding the limitations of sensor compute and power draw, IoT has questionably become an antonym to best information security practice; that is, fundamental flaws are being introduced through the misconfiguration of IoT assets (Allen, 2018). Perhaps this is why the CyBOK is placing some prominence on initially tackling cryptography and software security considerations.

3.1.1. Identified Challenges

The intent of the CCP was to remedy some of the deficiencies of the CLAS scheme and become the de facto certification for the cybersecurity industry in the UK (McKinnon, 2012); it was subsequently recognized in Europe as providing good cybersecurity practice (International Telecommunications Union, 2014). However, even though CLAS was identified by academia as a mature scheme (Such et al., 2015; Bada et al., 2016) a decision was made to phase it out in a bid to purportedly strengthen the quality of consultancy for government customers and achieve a better match for government customers using the right expertise (WIREDGOV, 2015). In 2018 the NCSC reaffirmed their continued support for the CCP albeit there is recognition that specialisms should be introduced over the existing roles format; the NCSC has provided a commitment to transition the scheme for alignment with CyBOK (Anne, 2018b).

However, there exists a conundrum between qualifications and competencies; this has already been tested through various schemes such as CLAS and CCP. Inconsistencies and fragmentation of knowledge has been levied as a criticism by Industry and this is reinforced by the DCMS public consultation (Such et al., 2015; Jones & O’Neill, 2017). CyBOK is an opportunity to provide a foundational and measurable knowledge (University of Bristol, 2018) facilitated by the valued contribution of other professional bodies and institutions. That said, the change in direction towards a core body of knowledge provides an opportunity to define a centralized framework of delivery for the cybersecurity disciplines (Jones & O’Neill, 2017). The disparity of existing cybersecurity training and education efforts has been assimilated and illustrated in Figure 1.

So, before the UK commits to introducing yet another scheme, such as the proposed Chartered status, there is potentially a need to go beyond CyBOK and build a Core Knowledge Framework (CKF) of criteria; distilled across future school curricula, training courses, degrees that is so widely ranging it influences our social-technical culture; this would be a move towards what could be considered an unequivocal underpinning knowledge-based approach. Burnap (2018) has stated that there is presently no clear pathway for cybersecurity compared to other engineering disciplines. The implementation of a CKF would be considered a truly holistic education initiative to remedy his concern. Therefore, there is a case for considering how knowledge transfer will be conducted to maximize knowledge retention and to assist in future practitioner knowledge development; enabling individuals to be fulfilled and progress in a more rounded cybersecurity career. So, the question is how this could be implemented?

Figure 1. Knowledge fragmentation, silos and inconsistencies

3.2. Defense Systems Approach to Training Exemplar

The Defense Systems Approach to Training (DSAT) is a methodology that provides a complete framework for the analysis, design, delivery and assurance of training provided for the UK Ministry of Defense (MOD) (MOD, 2017a). It is recognized by the Public Sector and applied by consultancies undertaking public sector contracts. Therefore, it is familiar to both public and private sectors and academics in the defense industry. DSAT is best practice for the identification of training objectives, the design and development of training courseware and its oversight across the MOD. A key consideration of DSAT is blended learning as it is defined as:

The most appropriate mix of Methods & Media which may include both traditional means, such as face-to-face in a classroom, and the use of modern learning technologies whether centralized or distributed. (MOD, 2017a)

Blended learning - as stipulated by DSAT - is traditionally applied as a mix of instructor-led training combined with the use of virtual learning environments (MOD, 2017b). Even with the introduction of CyBOK, it is proposed that a wider knowledge framework needs to be envisaged for a truly integrated professional framework. This could be an extended version of CyBOK, or CyBOK could be the first stage towards a coherent CKF. The UK could learn from the USA’s recognition that collaborative approaches in learning and development are beneficial (Williams, 2017). This reinforces the point that mixed methods and techniques are needed for the delivery of training and education and these should be core components of a CKF. It is proposed that the CKF should be underpinned by the principles of blended learning, which could be adopted across a wider spectrum to inform the cybersecurity community learning and development strategy. Blended learning and development as a hybrid learning-delivery model could be used to join up existing silos of disparate development and delivery techniques previously highlighted in the background section. As a mechanism of delivery, a blended approach moves towards a fully integrated knowledge in practice approach and could act as the pillars to support the cybersecurity profession.

3.3. Blended Learning and Development Proposal

Based around a standardized and embedded CKF, where the stakeholders are working from an agreed structure, the relevant functional training and learning needs of the cybersecurity profession will be able to be discerned. This would enable the development of relevant and appropriate training and education delivery. The CKF should be interpreted and integrated at various levels of complexity and detail depending on the knowledge level implemented; for example, there are obvious differences in the depth of knowledge applied at the school level and to that at post-graduate degree standard.

Through past lessons learned, any irregularities and subjectivity would need to be identified and removed to avoid repetitions of past inconsistencies. Therefore, it would be necessary for learning objectives to be applicable as assessment criteria and be structured in a stable format; but a CKF must also be able to evolve by taking account of any changes, enhancements and amendments of knowledge in a controlled and non-deprecating manner. Specialisms have been identified as a relevant approach for undergraduate curricula by Marymount University in the USA (Bicak, 2015). The proposed Chartered status approach also endorses such an approach. However, it is not all about the up-and-coming cybersecurity generation; in order for professionalization endeavors to be successful, the knowledge and skills of individuals already active in cybersecurity need to be drawn upon as well (Swain, 2014). There should be some emphasis regarding on-the-job training, mentoring by experienced cybersecurity practitioners and awareness from attending cybersecurity conferences.

A variety of blended learning techniques are required to avoid prohibiting different learning styles by members of the target audience and limiting choice; some prefer academia, some prefer vocational approaches, and some prefer certifications. However, the CKF needs to be embedded and integrated across all areas of training and education; learning objectives from existing training and academic courses could be mapped against CKF criteria by the requisite training and education bodies in order to prove their correlation and relevance. The cybersecurity community should learn from the qualifying examinations implemented by CREST, OSCP and other information technology vendors who require both practical and demonstrable knowledge application. Social constructionism would be useful as it reconstructs knowledge by using an experiential method of real-world contexts, read in order to apply learning techniques to remedy specific problems (Martin-Brown, 2018); it is purported to be a step away from direct instruction techniques and could be a method that is relevant for cybersecurity knowledge transfer and reinforcement learning (Veseli, 2011).

It has been recognized by the Institution of Education at the University College London (2001) that learning can enhance performance, but conversely just focusing on performance can actually hinder performance itself. Therefore, the overall experience of professionalization for individuals must be progressive and provide obvious reward. Even though competency assessments will be required for the proposed cybersecurity Chartered status, it should not be a recycling of skillset reaffirmations already experienced through previous professionalization scheme changes. As a career pathway, initially underwritten by CyBOK, it needs to remain relevant. Therefore CyBOK could in time be expanded further and developed into a CKF for the delivery of theory, practical skills application, and competencies applied in context on behalf of the profession; and would need to be constantly adaptive and expansive as shown in Figure 2. The enabler behind this CKF is blended learning and development, which can be tuned to hone the skills of practitioners and benefit the cybersecurity profession in a cyclical manner influencing the teaching of the national curriculum, training and education, academia and institutions by vocation. The cybersecurity profession, as a future career pathway, would also propagate demand in a ripple effect to inspire schools, push training companies, encourage industry involvement and generate a demand for further research efforts. Without this type of approach, the adoption and recognition of a cybersecurity profession would be limited, thereby affecting its reputation and potentially digressing from the main aim of establishing a proficient cybersecurity capability.

Figure 2. The influencing effects of blended learning and development


The ratios and depth and breadth of learning styles ranging from academic, vocational, practical and competitive approaches to attain the requisite knowledge under a CKF are yet to be discerned from a much-needed study. Crucially, wider information technology community engagement is required to adopt a blended training approach in order to establish the vision for a successful holistic framework.

4. CONCLUSION

The more recent UK Government cybersecurity agenda is undoubtedly a step in the right direction to cultivate cybersecurity as a profession. This is very positive and provides more career opportunities under the cybersecurity banner than before. The road towards professionalization has been an audacious journey and the UK Government’s agenda has been purposeful. The NCSC has played an influential role in navigating the profession towards a future state. However, there have been some issues on the path towards the UK’s cybersecurity profession; a change in direction along the way has resulted in a reputable scheme being wound up and thereby springboarded the UK cybersecurity profession onto the next step. On that basis, the evolution towards a professional pathway is erring towards CyBOK and a Cyber Security Council fulfilling a regulatory-type function. Any new Chartered status profile should also be informed by the undisputed and valuable contributions by the Cyber Security Alliance. It is important for the Cyber Security Alliance to be involved along the way and it should not be seen to be in competition with the UK Government agenda. Rather, each should complement the other in a collaborative manner to create a viable and robust framework for the cybersecurity profession.

A Cyber Security Council is perceived to be the mortar to form a firm structure to help people progress in their cybersecurity career and to provide confidence that a career in cybersecurity is fulfilling. Training and education institutions and bodies see the cybersecurity training and education market as very lucrative. Existing training courseware and education regimes, as stated in the background section, individually contribute towards this strategy; however, individually they are not the totality of knowledge comprehension but can contribute to the sum of cybersecurity understanding; this can be mapped against qualifying criteria for a holistic framework. The proposed CKF should be a wide-reaching amalgamation of knowledge objectives and thereby influence the entire training and education community. In a similar vein to the science and engineering professions, base principles need to be applied ranging across the school curriculum, through high school to graduate and post-graduate level. It must also influence certifications and competency orientated career routes such as Chartered status to ensure the future cybersecurity profession has a fully rounded knowledgeable recipe for success. Whether the CKF concept is an extension or derivation of the CyBOK or whether the CyBOK is a step towards a more coherent CKF will only be discerned from future analysis. But what is important is that there is a concerted effort between academia, industry and government to achieve a common goal of formalizing the profession.

Although there is a desire to jump onto the cybersecurity bandwagon, there needs to be buy-in by the wider target audience, a desire and mind-set change for an effective standardized structure that will be applicable to develop their career. This has already started with the NCSC stating that the following are expected to demonstrate foundation knowledge: (a) NCSC certified degree, (b) full membership of the IISP meeting their core competency criteria that underpins the CCP scheme in its current form, and (c) holding a CISSP and continued membership of (ISC)² (NCSC, 2018h); these are being mapped as a step towards rationalizing the CCP scheme for alignment with CyBOK. That said, it is recommended that we build upon this positive first step of establishing CyBOK cybersecurity specialisms and implement a wider CKF to augment the CyBOK initiative to aid knowledge and skills enhancement.

With a global deficit of three and a half million cybersecurity job openings by 2021 (Stephenson, 2018), from a UK perspective a blended approach for learning and development could be used to fill the gaps and join up existing silos of training and education activities based upon a common CKF. The CKF could be a key contributory factor towards shaping the new proposed profession and facilitate cybersecurity knowledge and skills intelligence in the UK. It is argued that this is a crucial element of learning and development and the new proposed Chartered status is only part of the puzzle. To flourish, the CKF and subsequent blended learning and development implementations must also be recognized as a credible exemplar - in order to achieve buy-in from the majority of diverse stakeholders within the cybersecurity community - and thereby sustain the cybersecurity capability within the UK.

ACKNOWLEDGMENT

It is recognized that the NCSC has been crucial in steering the UK’s cybersecurity training agenda. Other professional bodies and institutions have also provided leadership in the area of cybersecurity.


REFERENCES

Abel, R. (2018). Massive phishing campaign targets half a billion users in the first quarter 2018. Retrieved from www.scmagazine.com/massive-phishing-campaign-targets-half-a-billion-users-in-the-first-quarter-2018/article/761541/

Adams, C. (2017). IT Training Choices in a Fast-Paced World. Retrieved from https://www.zdnet.com/article/it-training-choices-in-a-fast-paced-world/

Afifi-Sabet, K. (2018). A guide to cyber security certification and training. Retrieved from http://www.itpro.co.uk/careers/28212/a-guide-to-cyber-security-certification-and-training

Alexander, D., Finch, A., & Sutton, D. (2013). Information Security Management Principles. Swindon, UK: British Computer Society.

Allen, T. (2018). There is a massive hole in IoT security, says Avast researcher. Retrieved from https://www.computing.co.uk/ctg/news/3061282/there-is-a-massive-hole-in-iot-security-says-avast-researcher

Anne, W. (2018a). Maturity models in cyber security: what’s happening to the IAMM? NCSC. Retrieved from https://www.ncsc.gov.uk/blog-post/maturity-models-cyber-security-whats-happening-iamm

Anne, W. (2018b). Our commitment to the CCP scheme. Retrieved from https://www.ncsc.gov.uk/blog-post/our-commitment-ccp-scheme

CREST Australia. (2017). OSCP and CRT Equivalency. Retrieved from https://www.crestaustralia.org/certification_crt_equivalency.html

Australian Computer Society. (2016). Cybersecurity Threats Challenges Opportunities. Australian Computer Society.

Bada, M., Arreguín-Toft, I., Brown, I., Cornish, P., Creese, S., Dutton, W., ... & Roberts, T. (2016). Cybersecurity Capacity Review of the United Kingdom. Oxford University, UK: Global Cyber Security Capacity Centre.

Balaji, N. (2018). A Perfect Way to Start and Strengthen Your Cyber Security Career. GBHackers. Retrieved from https://gbhackers.com/a-perfect-way-to-start-and-strengthen-your-cyber-security-career/

BCS. (2018). Qualifications and certifications. Retrieved from https://www.bcs.org/category/5677

Beyer, M., Ahmed, S., Doerlemann, K., Arnell, S., Parkin, S., & Sasse, M. A. Prof., & Passingham, N. (2016). Awareness is only the first step. Hewlett Packard, UK: Hewlett Packard Enterprise Development LP.

Bicak, A., Liu, M., & Murphy, D. (2015). Cybersecurity Curriculum Development: Introducing Specialties in a Graduate Program. Information Systems Education Journal, 13(3), 99–110.

Bird, D. (2015). Forewarned is Forearmed: Combating the Insider Threat. UK: CyberTalk Magazine.

Bird, D. (2017). Prevent a menace from lurking within. UK: CyberTalk Magazine.

Burnap, P. (2018). Industry Panel. In Proceedings of 11th International Conference on Security of Information and Networks. Cardiff University, UK.

Cabinet Office. (2011). The UK Cyber Security Strategy: Protecting and promoting the UK in a digital world. London, UK: Crown Copyright.

Cabinet Office. (2016). National cyber security strategy 2016-2021. London, UK: Crown Copyright.

CESG. (2015). The Information Assurance Maturity Model and Assessment Framework. Cheltenham, UK: Crown Copyright.

CESG. (2016). CESG Certification for Cyber Security/IA Professionals. Cheltenham, UK: Crown Copyright.

Chris, E. (2018). Developing the cyber security profession – have your say! NCSC. Retrieved from https://www.ncsc.gov.uk/blog-post/developing-cyber-security-profession-have-your-say

Cox, J. (2017). UK faces dramatic cyber-security skills ‘cliff edge’ and is chronically underprepared for hacker attacks, study finds. The Independent. Retrieved from https://www.independent.co.uk/news/business/news/uk-cyber-security-skills-cliff-edge-under-prepared-hacker-attacks-study-multinationals-government-a7578091.html


CREST. (2018a). Assurance in Information Security. Retrieved from https://www.crest-approved.org

CREST. (2018b). CREST Registered Penetration Tester. Retrieved from https://www.crest-approved.org/examination/registered-tester/index.html

CREST. (2018c). Collaborative Alliance of Organisations Announced to Advance the UK’s Cyber Security Profession. Retrieved from https://www.crest-approved.org/2018/07/19/collaborative-alliance-of-organisations-announced-to-advance-the-uks-cyber-security-profession/index.html

Cyber Security Challenge. (2018a). Play the Challenge. Retrieved from https://www.cybersecuritychallenge.org.uk

Cyber Security Challenge. (2018b). Capture the Flag. Retrieved from https://www.cybersecuritychallenge.org.uk/competitions/capture-the-flag

Cyber Security Challenge. (2018c). CyberFirst. Retrieved from https://www.cybersecuritychallenge.org.uk/education/further-education/cyber-first

Cyber Security Education. (2018). CYBER SECURITY COURSES. Retrieved from https://www.cybersecurityeducation.org/courses/

Dallaway, E. (2017). IISP Apply to Privy Council for Information Security Royal Charter. Info Security Magazine. Retrieved from https://www.infosecurity-magazine.com/news/iisp-apply-royal-charter/

DCMS. (2017). 5. A safe and secure cyberspace - making the UK the safest place in the world to live and work online. Retrieved from https://www.gov.uk/government/publications/uk-digital-strategy/5-a-safe-and-secure-cyberspace-making-the-uk-the-safest-place-in-the-world-to-live-and-work-online

DCMS. (2018). Developing the UK cyber security profession. Retrieved from https://www.gov.uk/government/consultations/developing-the-uk-cyber-security-profession

DeGroat, T. J. (2018). 5 Cybersecurity Certifications That Will Help You Land a Job. Springboard. Retrieved from https://www.springboard.com/blog/cybersecurity-certifications/

Department for Digital, Culture, Media and Sport. (2018). Cyber Security Breaches Survey 2018. Crown.

Diggins, A. (2018). Final stage of Cyber Discovery finishes in London. EdTechnology. Retrieved from https://edtechnology.co.uk/Article/final-stage-of-cyber-discovery-finishes-in-london

Dunn, J. (2018). Feel the shame: Email-scammed staffers aren’t telling bosses about it. The Register. Retrieved from https://www.theregister.co.uk/2018/09/07/scam_business_emails_on_the_rise/

Embers, R. (2018). Security: The Rules of Engagement to Mitigate Insider Risk. Security Boulevard. Retrieved from https://securityboulevard.com/2018/08/security-the-rules-of-engagement-to-mitigate-insider-risk/

Finch, A., & Furnell, S. (2018). Is this the year for the Security Professional. Infosecurity Europe. Retrieved from http://www.infosecurityeurope.com/__novadocuments/486575?v=636657836899000000

Finch, A., Glover, I., & Smith, R. (2018). Does the UK Need an Information Security Royal Charter? Info Security Magazine. Retrieved from https://www.infosecurity-magazine.com/magazine-features/uk-information-security-royal/

GoCertify. (2018). ISACA Study Addresses Global Cybersecurity Challenges. Retrieved from http://www.gocertify.com/articles/isaca-study-addresses-global-cybersecurity-challenges

Great Schools Partnership. (2014). Blended Learning. Retrieved from https://www.edglossary.org/blended-learning/

Grout, V. (2015). Cybersecurity to Become Core Component of UK Computing Degrees. Retrieved from https://cphc.ac.uk/2015/06/29/cybersecurity-to-become-core-component-of-uk-computing-degrees/

Hendrix, M., Al-Sherbaz, A., & Bloom, V. (2016). Game Based Cyber Security Training: Are Serious Games suitable for cyber security training? International Journal of Serious Games, 3(1), 52–61. doi:10.17083/ijsg.v3i1.107


Higbee, A. (2017). Cyber security education: Why we need to re-think it. Training Journal. Retrieved from https://www.trainingjournal.com/articles/opinion/cyber-security-education-why-we-need-re-think-it

IA Advisory Council. (2016). Free ‘Introduction to cyber security’ course launched. Retrieved from https://www.iaac.org.uk/free-introduction-to-cyber-security-course-launched/

IISP. (2018). Accredited Training Courses. Retrieved from https://www.iisp.org/imis15/iisp/Accreditation/Accredited_Training/iispv2/Accreditation/Accredited_Training.asp

ISACA. (2015). State of Cybersecurity: Implications for 2016. In ISACA and RSA Conference Survey, Elsevier Computers & Security.

ISACA. (2017). Survey: Cyber Security Skills Gap Leaves 1 in 4 Organizations Exposed for Six Months or Longer. Retrieved from http://www.isaca.org/About-ISACA/Press-room/News-Releases/2017/Pages/Survey-Cyber-Security-Skills-Gap-Leaves-1-in-4-Organizations-Exposed-for-Six-Months-or-Longer.aspx?utm_referrer=

ISACA. (2018). State of Cybersecurity 2018 Part 1: Workforce Development.

Ismail, N. (2018). Cyber security training: Is it lacking in the enterprise? Retrieved from https://www.information-age.com/cyber-security-training-123474550/

ITU. (2014). Global Cybersecurity Index – Good Practices. International Telecommunications Union.

Jones, N., & O’Neill, L. (2017). The Profession. Swindon, UK: Information Assurance Advisory Council.

Kennett, S. (2017). Cybersecurity: why the education sector can’t afford not to invest. Retrieved from https://www.jisc.ac.uk/blog/cybersecurity-why-the-education-sector-cant-afford-not-to-invest-13-apr-2017

Kleinman, L. (2018). Cybersecurity And The New CISO: The Leadership Enigma. Forbes. Retrieved from https://www.forbes.com/sites/forbestechcouncil/2018/07/26/cybersecurity-and-the-new-ciso-the-leadership-enigma/#2abe5fc43422

Knowles, W., Baron, A., & McGarr, T. (2016). The Simulated Security Assessment Ecosystem: Does Penetration Testing Need Standardisation? Computers & Security, 1–22.

MacWillson, A. (2018). UK cyber economy will rise to £2bn by 2016, aided by partnerships with Facebook and BT. Realwire. Retrieved from https://www.realwire.com/releases/IISP-Launches-New-Skills-Framework-for-Information-Security-Professionals

Magazine, S. C. (2014). GCHQ certifies six MSc cyber security degrees. SC Magazine. Retrieved from https://www.scmagazineuk.com/gchq-certifies-six-msc-cyber-security-degrees/article/1480937

Martin-Brown, G. (2018). Personalised learning & the future of education [YouTube video]. Retrieved from https://www.youtube.com/watch?v=j_eb4TwdWOo

Mashable, U. K. (2018). Switch to a career in cyber security by taking these online classes. Mashable. Retrieved from https://mashable.com/2018/04/17/cyber-security-certifications-online-classes/?europe=true

McDonald, C. (2018). Average technology salary in UK&I reaches over £80,000. Computer Weekly. Retrieved from https://www.computerweekly.com/news/252448472/Average-technology-salary-in-UKI-reaches-over-80000

McKinnon, I. D. (2012). Information Security Group. Review 11/12. Royal Holloway. UK: University of London.

Milligan, R., & Rajab, T. (2015). CESG launch new Certified Cyber Security Consultancy scheme. TechUK. Retrieved from http://www.techuk.org/insights/news/item/4529-cesg-launch-new-certified-cyber-security-consultancy-scheme

MOD. (2017a). JSP 822 Defence Direction and Guidance for Training and Education Part 2. Ministry of Defence. UK: Crown Copyright.

MOD. (2017b). JSP 822 Defence Direction and Guidance for Training and Education Part 1. Ministry of Defence. UK: Crown Copyright.

Morgan, S. (2017). Please don’t send me to cybersecurity training. CSO Online. Retrieved from https://www.csoonline.com/article/3225471/security/please-dont-send-me-to-cybersecurity-training.html


Murphy, I. (2017). NCSC appeals for students to takes its money. Enterprise Times. Retrieved from https://www.enterprisetimes.co.uk/2017/11/17/ncsc-appeals-students-takes-money/

NCSC. (2016). Cyber Security Consultancy. Retrieved from https://www.ncsc.gov.uk/scheme/certified-cyber-consultancy

NCSC. (2017a). CHECK Fundamental Principles. Retrieved from https://www.ncsc.gov.uk/articles/check-fundamental-principles

NCSC. (2017b). Email security and anti-spoofing. Retrieved from https://www.ncsc.gov.uk/guidance/email-security-and-anti-spoofing

NCSC. (2018a). GCHQ Certified Training. Retrieved from https://www.ncsc.gov.uk/scheme/gchq-certified-training

NCSC. (2018b). Cyber Security Consultancy Standard. London, UK: Crown Copyright.

NCSC. (2018c). Certified cyber security courses. Retrieved from https://www.prospects.ac.uk/jobs-and-work-experience/job-sectors/law-enforcement-and-security/certified-cyber-security-courses

NCSC. (2018d). Academic Centres of Excellence in Cyber Security Research. Retrieved from https://www.ncsc.gov.uk/articles/academic-centres-excellence-cyber-security-research

NCSC. (2018e). NCSC-certified degrees. Retrieved from https://www.ncsc.gov.uk/information/ncsc-certified-degrees

NCSC. (2018f). Certified Training Courses. Retrieved from https://www.ncsc.gov.uk/information/certified-training-courses

NCSC. (2018g). NCSC Mail Check. Retrieved from https://www.ncsc.gov.uk/mailcheck

NCSC. (2018h). Setting new foundations for the CCP scheme. Retrieved from https://www.ncsc.gov.uk/blog-post/setting-new-foundations-ccp-scheme

Nepal, S. (2018). Building Trustworthy IoT-Cloud Data Lifecycle. In Proceedings of 11th International Conference on Security of Information and Networks, Cardiff University, UK.

Nicholls, D. (2018). Veterans to be retrained as cyber warriors, under new partnership backed by the MoD. Retrieved from https://www.telegraph.co.uk/news/2018/08/11/veterans-retrained-cyber-warriors-new-partnership-backed-mod/

Oesch, T. (2018). Diversifying the Cybersecurity Workforce With Learning and Development. Training Industry. Retrieved from https://trainingindustry.com/articles/it-and-technical-training/diversifying-the-cybersecurity-workforce-with-learning-and-development/

Office of National Statistics. (2011). 2011 Census Security: Report of the Independent Review Team. Retrieved from https://www.ons.gov.uk/census/2011census/confidentiality/assessingourmeasurestoprotectyourconfidentiality

Olusegun, O. J., & Ithnin, N. B. (2013). People Are the Answer to Security: Establishing a Sustainable Information Security Awareness Training (ISAT) Program in Organization. International Journal of Computer Science and Information Security, 11(8).

Open University. (2018). Introduction to Cyber Security. Retrieved from https://www.futurelearn.com/courses/introduction-to-cyber-security

Osborne, G. (2015). Chancellor’s speech to GCHQ on cyber security. Retrieved from https://www.gov.uk/government/speeches/chancellors-speech-to-gchq-on-cyber-security

Paganini, P. (2018). Iran-linked COBALT DICKENS group targets universities in new phishing campaign. Security Affairs. Retrieved from https://securityaffairs.co/wordpress/75710/cyber-warfare-2/cobalt-dickens-iran-attacks.html

Palmer, D. (2016). Training? What training? Workers’ lack of cybersecurity awareness is putting the business at risk. ZDNet. Retrieved from https://www.zdnet.com/article/training-what-training-workers-lack-of-cybersecurity-awareness-is-putting-the-business-at-risk/


Palmer, D. (2018). Phishing warning: One in every one hundred emails is now a hacking attempt. ZDNet. Retrieved from https://www.zdnet.com/article/phishing-warning-one-in-every-one-hundred-emails-is-now-a-hacking-attempt/

Parr, C. (2014). First GCHQ-certified master’s courses unveiled. Times Higher Education. Retrieved from https://www.timeshighereducation.com/news/first-gchq-certified-masters-courses-unveiled/2014921.article

Pop, A. (2018). What’s the Difference Between Blended Learning, E-Learning and Online Learning? Distance Learning. Retrieved from https://www.distancelearningportal.com/articles/269/whats-the-difference-between-blended-learning-e-learning-and-online-learning.html

Rashid, A., Danezis, G., Chivers, H., Lupu, E., & Martin, A. (2018). Scope for the Cyber Security Body of Knowledge. University of Bristol, UK: CyBOK.

Ryan, G. (2018). Stem vital to UK’s future cybersecurity. Retrieved from https://www.tes.com/news/stem-vital-uks-future-cybersecurity

SANS. (2018). World Leading Cyber Security Training. Retrieved from https://uk.sans.org

Schneier, B. (2013). Is Cybersecurity a Profession? Retrieved from https://www.schneier.com/blog/archives/2013/10/is_cybersecurit.html

Stephanou, T., & Dagada, R. (2008). The Impact of Information Security Awareness Training on Information Security Behaviour: The Case for Further Research. In Proceedings of ISSA 2008 Innovative Minds Conference.

Stephenson, M. (n.d.). Insecurity Podcast: Joe Billingsley on Cyber Education and the Modern Military. Threat Vector. Retrieved from https://threatvector.cylance.com/en_us/home/insecurity-podcast-joe-billingsley-on-cyber-education-and-the-modern-military.html

Stevenson, A. (2013). UK cyber economy will rise to £2bn by 2016, aided by partnerships with Facebook and BT. V3. Retrieved from https://www.v3.co.uk/v3-uk/news/2318616/uk-cyber-economy-will-rise-to-gbp2bn-by-2016-aided-by-partnerships-with-facebook-and-bt

Stilgherrian. (2018). Security training is useless unless it changes behaviours. ZDNet. Retrieved from https://www.zdnet.com/article/security-training-is-useless-unless-it-changes-behaviours/

Such, J. M., Gouglidis, A., Knowles, W., Misra, G., & Rashid, A. (2015). The Economics of Assurance Activities (Technical Report SCC-2015-03). Security Lancaster, Lancaster University.

Swain, N. D. (2014). A Multi-Tier Approach to Cyber Security Education, Training, and Awareness in the Undergraduate Curriculum (CSETA). In Proceedings of 121st ASEE Annual Conference & Exposition, Indianapolis, IN.

The Engineer. (2016). New cyber security qualification for the UK. Retrieved from https://www.theengineer.co.uk/new-cyber-security-qualification-for-the-uk/

TheBigChoice.com. (2018). CyberFirst Apprenticeships. Retrieved from https://www.thebigchoice.com/Apprenticeships/CyberFirst

Thomas, K. (2018). Women in tech: the IT firms tackling the gender imbalance. The Guardian. Retrieved from https://www.theguardian.com/education/2018/jul/09/women-tech-it-technology-firms-tackling-gender-imbalance

Tigerscheme. (2018). Tigerscheme Qualifications. Retrieved from https://www.tigerscheme.org/qualifications.php

Tittel, E., & Lindros, K. (2018). Best Information Security Certifications 2018. Retrieved from https://www.businessnewsdaily.com/10708-information-security-certifications.html

Trim, P. R., Lee, Y., Ko, E., & Kim, K. H. (2014). Cyber security culture and ways to improve security management. UK: University of Westminster.

Tucker, E. (2018). Cyber security – why you’re doing it all wrong. Computer Weekly. Retrieved from https://www.computerweekly.com/opinion/Cyber-security-why-youre-doing-it-all-wrong

University College London. (2001). Learning about Learning enhances performance. UK: Institute of Education, University College London.

University of Bristol. (2018). The Cyber Security Body Of Knowledge. Retrieved from www.cybok.org

US Department of Education. (2018). Science, Technology, Engineering and Math: Education for Global Leadership. Retrieved from https://www.ed.gov/stem

Veseli, I. (2011). Measuring the Effectiveness of Information Security Awareness Program. Gjøvik, Norway: Department of Computer Science and Media Technology.

Viveros, M. (2013). Cyber Security Depends on Education. HBR. Retrieved from https://hbr.org/2013/06/cyber-security-depends-on-educ

Wikipedia. (2018). Offensive Security Certified Professional. Retrieved from https://en.wikipedia.org/wiki/Offensive_Security_Certified_Professional

Williams, C. (2017). Building a Capable Cybersecurity Workforce through Collaborations. National Institute for Standards and Technology. US: National Initiative for Cybersecurity Education.

Williams, H. (2017). UK government to deliver ‘cyber curriculum’ to tackle cyber security skills gap. CBR Online. Retrieved from https://www.cbronline.com/cybersecurity/uk-government-cyber-curriculum-tackle-cyber-security-skills-gap/

WIREDGOV. (2015). Certification of IA industry consultancy is changing. Retrieved from https://www.wired-gov.net/wg/news.nsf/articles/Certification+of+IA+industry+consultancy+is+changing+03032015152000?open

ZDNet. (2007). Take responsibility for your own training. Retrieved from https://www.zdnet.com/article/take-responsibility-for-your-own-training/

David Bird has worked in multiple technical disciplines within both the public and private sectors for over 33 years. Over the past 11 years David has worked on many complex consortia-based projects and programs for a number of leading IT integration companies as an information security specialist. He also brings to bear his additional experience in business and training consultancy as well as performing cybersecurity research in his own time. He has had many articles published in several reputable magazines comprising topical, technical and information security subject matter that includes: British Computer Society ITNoW and Digital Leaders editions, CyberTalk and the Institute of Information Security Professionals Pulse Magazine. David has also provided a published chapter entitled ‘The collaborative effects of cyberspace’ in a book published by the Institute of Scientific and Technical Communicators. In 2018, he published two papers in the IEEE Xplore and ACM digital libraries.

John Curry is a senior lecturer in games development and cyber security at Bath Spa University. He has an international reputation in conflict simulations/serious games and has worked with many of the key personalities in the field. He has been leading umpire in numerous cyber wargames from individual companies to state level. He co-authored handbooks on the development of new methods of serious gaming including Matrix Games and Confrontation Analysis. His professional life consists largely of using games to explore complex situations looking for insights.
