Cyberlearn: An Integrated Framework for Organizational Capability Building

Carlos Páscoa, José Tribolet, Miguel Correia
Copyright: © 2023 | Pages: 30
DOI: 10.4018/978-1-6684-8422-7.ch006

Abstract

Cybersecurity is growing in importance, with recent cyberattacks showing an exceptional level of impact on organizations. This chapter presents a cybersecurity capability building proposal for organizations that the authors designate the cybersecurity learning framework (CyberLearn). The chapter discusses cybersec initiatives in Portugal, in the European Union, in the North Atlantic Treaty Organization, and the United States of America, introducing the NICE framework as a basis to develop the CyberLearn framework and the concept representation considering functions, roles, and work roles and the knowledge units related to each role area. This framework has been applied in Portugal by Técnico to meet business needs in this domain.

Introduction

“Change is the law of life and those who look only to the past or present are certain to miss the future.”

– John F. Kennedy

Cybersecurity (cybersec) is growing in importance world-wide with recent cyberattacks showing an exceptional level of impact on private and public organizations. Cybersec concepts like threat, risk, strategy, impact, attack, and vulnerability are among the top interests of governments, public administration, companies, military, and other organizations. Although much has been done in recent years, often in reaction to cyber-attacks, it is still necessary to find a path from the notion of cyber hygiene, a responsibility of every citizen, to the creation of highly specialized personnel in organizations that can detect, deter, and react in a proactive manner to cyber threats. In other words, we need to find a path for cybersec capability building for organizations.

This chapter presents a cybersecurity capability building proposal for organizations that we designate Cybersecurity Learning framework (CyberLearn). This framework aims to establish paths for education and training, from basic cyber hygiene to high specialization. The framework is firstly targeted at organizations, either public or private. However, it can also serve as the foundation for a larger-scale capability building joint venture between government, universities, the military, security institutes and companies, in a similar way to initiatives that have been appearing in the European Union (EU) and the North Atlantic Treaty Organization (NATO). The CyberLearn framework builds on the National Initiative for Cybersecurity Education (NICE) (Newhouse, 2017). The proposed framework also considers the work being developed in Europe in the cyber domain and is based on a set of requirements: i) the universe of education and training candidates includes both military and civilian professionals; ii) the program shall provide students with basic theoretical and practical knowledge in all key areas of cybersec; iii) the program should provide deep conceptual and professional, theoretical, and practical skills in cybersec; iv) the program has to be modular and adaptable to the needs of different organizations.

The CyberLearn framework aims to foster individual learning to progress through the following levels: security awareness, cybersec essentials, role-based training, and education and/or experience to develop the ability and vision to perform complex multi-disciplinary tasks. The highest level comprises personal competencies and skills to counter cyber-attacks and foster comprehensive cybersec activities. The framework is generic, not targeted at a specific organization. In practice, when it is applied to a specific company, it must be adapted in a process of interaction between the education provider and the target organization.

Instituto Superior Técnico (Técnico) is the engineering school of the University of Lisbon, the largest in Portugal. Técnico has been deeply involved in cybersec teaching activities, from courses in programs like the master’s in computer science and engineering, to full programs like the master’s in information security and Cyberspace Law (a master program) or Cybersecurity for Companies (a short program for professionals). We use some of these courses and programs to show how the CyberLearn framework can be instantiated in practice.

This chapter is organized as follows. Chapter 2 discusses cybersec initiatives in Portugal, EU, NATO, and the US, as well as NIST’s NICE cybersec education initiative. Chapter 3 introduces the NICE framework and the concept representation considering functions, roles and work roles and the knowledge units related to each role area. In Chapter 4, we use the NICE framework as a basis to develop the CyberLearn framework proposal. Chapter 5 concludes.

Objectives, Questions And Methodology

The objective of the research was to find (or create) a cybersec framework that, with adequate adaptations, would provide a path to educate people through a grooming process that, once adapted, would provide learning content that supports career and knowledge progress.

The research questions are:

  • (RQ1) Is there a framework that is suited, after adaptation, to the objectives or, alternatively, is it necessary to develop a new framework?

  • (RQ2) After completing the adaptation or development of the framework, is it possible to fill it with meaningful content that will foster cybersec learning?
