Cyber Workforce Development
Using a Behavioral Cybersecurity Paradigm
Bruce D. Caulkins, Ph.D.
Institute for Simulation & Training (IST)
University of Central Florida (UCF)
Orlando, Florida USA
bcaulkin@ist.ucf.edu
Patricia Bockelman, Ph.D.
Institute for Simulation & Training (IST)
University of Central Florida (UCF)
Orlando, Florida USA
Karla Badillo-Urquiola, M.S.
Institute for Simulation & Training (IST)
University of Central Florida (UCF)
Orlando, Florida USA
kbadillo@ist.ucf.edu
Rebecca Leis, M.S.
Institute for Simulation & Training (IST)
University of Central Florida (UCF)
Orlando, Florida USA
Abstract—This paper contributes to the ongoing efforts in the
cybersecurity community to strengthen cyber workforce
development by providing an overview of key gaps and proposing
practical education strategies. Leveraging documented incidents
from defense, industry, and academia and the rest of the United
States government, we identify emerging cyber-education
opportunities highlighting human-centric elements using a gap
analysis approach. We closely examine the National Initiative for
Cybersecurity Education’s (NICE) National Cybersecurity
Workforce Framework (NCWF) as well as the Department of
Homeland Security’s (DHS) National Initiative for Cybersecurity
Careers and Studies (NICCS) educational framework. These
documents provide a foundation for current and future research
with cybersecurity workforce development.
Next, the paper outlines a pilot education program launched
at the University of Central Florida (UCF), designed to address
the unique challenges of the human dimension in cybersecurity.
The purpose of highlighting this pilot program is to provide an
example of human-centric cyber-educational curriculum. The
present paper offers a launching point for further discussion
about the human side of cybersecurity, closing with
considerations of the “lessons learned” from early responses to the
UCF program from the program’s inaugural student cohort.
Keywords—cybersecurity; behavioral cyber; workforce
development; human factors
I. INTRODUCTION.
The world is now highly connected and arguably improved
by the introduction of new technologies and advanced
network-enabled devices collectively contributing to the
Internet of Things (IoT). This interconnectedness increases
efficiency and coordination through objects like planes,
vehicles, buildings, appliances, and thermostats [1], but the
benefits come with a cost. The ongoing expansion of the IoT
environment, coupled with increased reliance upon mobile
devices and computers, introduces a range of private and
public cyber-based vulnerabilities. Although some may
perceive minimal personal threat, media outlets report cyber-
related events daily, suggesting widespread prevalence [2] and
[3]. Malicious hackers expose security flaws in new “smart”
device architectures and systems and create novel cyber-attack
software to take advantage of these flaws [4].
As IoT evolves and perpetrators of cybercrimes expand
their tools and approaches, the demand for cyber-professionals
grows. Recruitment and job distribution websites report an
influx of cyber-related job postings [5]. Further, Forbes reports
that more than 200,000 cybersecurity jobs in the U.S. remain
open in 2016 with 1 million job postings worldwide. They
also report that within three years, the projected shortfall will
reach 1.5 million [6]. So as these shortfalls become more acute,
pressure will be put onto the corporate, academic, and
government leadership who are trying to fill cybersecurity
workforce positions with highly-qualified personnel. With
such a high demand and short supply of quality cybersecurity
workers, wages will continue their upward trend for all
disciplines within the cybersecurity workforce, to include
support personnel like systems administrators and network
engineers.
II. NATIONAL CYBERSECURITY WORKFORCE FRAMEWORK.
In response to the need for enhanced cybersecurity and a
larger workforce, the Department of Homeland Security (DHS)
and the National Initiative for Cybersecurity Education (NICE)
built the National Cybersecurity Workforce Framework
(NCWF) as a foundation for understanding the necessities of
the cybersecurity workforce [7]. The framework organizes
cybersecurity into seven categories: Securely Provision,
Operate and Maintain, Protect and Defend, Investigate, Collect
and Operate, Analyze, and Oversight and Development [8].
These categories are discussed more fully below.
A. Securely Provision.
These jobs encompass the specialty areas that are
responsible for overseeing, evaluating, and accrediting the
information technology (IT) systems and network structure
planning and implementation, using solid information
assurance (IA) policies and controls. Jobs range from IA
Compliance Analysts, IA Compliance Managers, to Software
Developers and Computer Programmers [8]. We assess that the
current training and education in these areas are fairly robust
and readily available; however, most educational courses in
this category are stove-piped and not well integrated into the
overall cybersecurity training domain.
978-1-5090-5258-5/16/$31.00 ©2016 IEEE
B. Operate and Maintain.
Cybersecurity operators and maintainers focus on the
support and administration of the various underlying systems
and networks to ensure network performance, systems and
services’ performance, and overall security. Jobs in the
Operate and Maintain area encompass Knowledge Managers,
Systems Administrators, and Systems Security Analysts [8].
We assess that the current training and education in this
category is similar to the Securely Provision category’s areas.
Training within the cybersecurity operators and maintainers is
robust and readily available. Further, due to the nature of the
related cyber training, operators and maintainers’ job training
is better integrated into the overarching cybersecurity training
domain as each of the six specialty areas (Data Administration,
Network Services, Knowledge Management, System
Administration, Customer Service and Technical Support, and
Systems Security Analysis) [8] focuses on the integration and
management of tools of cybersecurity, like firewalls, accounts,
intrusion prevention devices, and passwords.
C. Protect and Defend.
These cybersecurity experts are the core personnel
protecting and responding to cyber-related incidents and
intrusions. They are the first defenders in cyberspace, using
defensive measures to identify, analyse, mitigate, and report
threats and possible intrusions. Typical jobs are Computer
Network Defense (CND) Analysts, Incident Responders, and
CND Infrastructure Supporters [8]. We assess that the current
training and education in this area is less developed than the
Securely Provision or Operate and Maintain categories;
however, the integration of these specialty areas in the
cybersecurity training domain is well developed as these areas
focus directly into cybersecurity operations and analysis.
D. Investigate.
Cybersecurity investigators come largely from the digital
forensics background, focusing in on the proper and legal
collection, processing, and analysis of any and all related
evidence of intrusions, whether they originate from outside of
the organization or from within the organization. Law
enforcement and counterintelligence support is crucial to these
investigators [8]. We assess that the current training and
education in this category is highly developed, especially in the
realm of digital forensics. Courseware is readily available at
institutions of higher learning in the undergraduate and
graduate levels.
E. Collect and Operate.
The Collect and Operate category encompasses those areas
that are responsible for cyber operations that deny access and
other capabilities to threat actors across many vectors. Three
specialty areas fall under this category: Collection Operations,
Cyber Operations, and Cyber Operations Planning [8]. We
assess that this category mostly falls into the government and
law enforcement lanes of effort; as such, the Knowledge,
Skills, and Abilities (KSAs) required for this category are not
listed in the NCWF.
F. Analyze.
This category encompasses the analysis of the cyber
threats, targets that were exploited, methods used, and
vulnerabilities found, especially in the case of a zero-day
attack. Four specialty areas fall under this category: Threat
Analysis, All Source Intelligence, Exploitation Analysis, and
Targets [8]. While concerted and intentional growth has
been made in this area, we assess that this category mostly falls
into the government and law enforcement lanes of effort; as
such, the Knowledge, Skills, and Abilities (KSAs) required for
this category are not listed in the NCWF.
G. Oversight and Development.
The final category addresses the fundamental and
overarching leadership and managerial work required to
properly oversee and manage the cybersecurity workforce for
the previous six categories shown above. In addition to the
leadership and managerial aspects, this category encompasses
jobs with Cyber Law, Education and Training, and Strategic
Planning and Policy Development. We assess that while these
jobs are not overtly technical in nature, a solid understanding
of the technical and behavioral aspects of cybersecurity is
crucial in these senior-level jobs [8].
III. MAPPING THE NCWF.
Numerous colleges and universities now offer programs to
prepare cybersecurity personnel. In February of 2016, the
National Initiative for Cybersecurity Careers and Studies
(NICCS) published a list of the most common degree programs
associated with cybersecurity careers [7]. The research team
mapped these programs to the NCWF [8] (Figure 1).
A. Initial Mapping to the NCWF.
This mapping represents an initial look at the NCWF
categories and how the various academic programs best fit into
the model. The UCF behavioural cybersecurity efforts will
continue to define and refine these alignments over the next
year in follow-on research in order to produce a more accurate
construct that reflects the current reality in the cyber
workforce, both in the commercial and government sectors.
The mapping was conducted internal to UCF as part of the
ongoing evaluation and development of its cybersecurity
offerings through panel assessment of each factor. While
informal and subjective, the internal team observed patterns
that merit consideration more broadly.
Figure 1. Mapping of the NICCS list of the most
common cyber-related degree programs to the seven NCWF
categories
The map demonstrates the high-level and notional
connections between the NICCS-identified academic programs
and the NCWF categories. While several of these connections
could have more than one “correct answer,” the exemplar in
Figure 1 demonstrates how the internal research team
categorized each degree area. The aim was not to create a map
that reflected a generalizable picture, with certainty that all
field experts would agree. Rather the research team sketched
the connections pertinent for considering whether or not
programs would address the NCWF categories. For example,
the cybersecurity academic program mapped to the Protect and
Defend NCWF category could be placed in several other
categories, like Operate and Maintain, Securely Provision, or
Oversight and Development. The present study’s researchers
chose Protect and Defend since it appears to be the best fit for
the cybersecurity academic program area. Other similarly
mapped academic programs were put through the best-fit filter
as well.
The mapping of the academic programs to the particular
categories is fluid; therefore, we encourage other cybersecurity
professionals to provide further recommendations for
formulating this categorization. In order to do a proper
cyberspace workforce gap analysis over the long term, we will
conduct follow-on work in this area to further define and refine
the crosswalk of the relevant academic programs to the NCWF.
B. Gaps Found.
The research team observed discrepancies in the
degree programs represented across NICE’s seven categories in
their NCWF. Three categories – Collect and Operate, Analyze,
and Investigate – have few to no programs listed in those
fields. These categories are listed with their formal definitions
from NICE [8].
• Collect & Operate - areas responsible for specialized
denial and deception operations and collection of cybersecurity
information that may be used to develop intelligence
• Analyze - areas responsible for highly specialized
review and evaluation of incoming cybersecurity information
to determine its usefulness for intelligence
• Investigate - areas responsible for the investigation of
cyber events and/or crimes of IT systems, networks, and digital
evidence.
As seen in Figure 2, gaps exist in the most common
university and college degree programs associated
with cybersecurity careers today. First, the three categories
that contain gaps (Analyze, Collect and Operate, and
Investigate) are generally seen most often in the U.S.
government workforce, particularly in the intelligence
and cyberspace operations fields. Second, cybersecurity
and cyberspace operations are relative newcomers to the
workplace. Very few senior leaders in these areas have
sufficient technical and operational backgrounds to make
proper long-range decisions and vision for their respective
workplaces. Finally, the actual numbers of job
descriptions in these three categories are relatively small.
Figure 2. Gaps Highlighted in the NICCS list mapped to
the NCWF
The table below shows the number of jobs, according to the
Occupational Outlook Handbook from the U.S. Department of
Labor’s Bureau of Labor Statistics (BLS) in 2014 [9]. We
used the BLS handbook’s statistics to compare them to
selected specialty areas (Computer and Information Systems
Managers, Network and Computer Systems Administrators,
Computer Programmers, and Operations Research
Analysts/ORSA) and mapped to the appropriate NCWF
category.
IV. THE HUMAN ELEMENT IN CYBERSECURITY.
While we concur with NICCS that these are the degree
programs most commonly associated with cybersecurity areas
[7], we assert that this situation reflects an oversight in post-
secondary instruction, because of the omission of human-
centered areas. Although every aspect related to cybersecurity
is inseparable from human behavior (human hackers attack
human victims), training to prevent or respond to attacks
focuses heavily on technical aspects and fails to prioritize
human elements. “The cyber content is very important, but as a
means to an end, not the end in itself” [10]. Emphasizing
technical aspects within cyber-education prepares trainees to
respond to only part of the problem. The breadth of content
available within cyber-education makes it difficult to cover all
essential knowledge, skills, and abilities (KSAs) necessary to
the field and each specialization (e.g., specific tools). Thus,
emphasis should be placed on “softer,” more human-centric
skills, fostering innovation, problem-solving, and self-directed
inquiry [10].
We assert that technical skills preparation is a necessary
component of thorough cybersecurity education and training;
however, it is our position that technical skills alone are
insufficient to form a holistic understanding of a particular
problem space. We also assert that experts in cyber (although
they may not realize it yet) will support this position, having
experienced first-hand the complexities of cybersecurity.
Experts tend to recognize behavioral patterns and meanings
that are not apparent to novice cyber-operators [10]. Cyber
operators with more experience (especially those working in
interdisciplinary teams) are better able to understand the KSAs
(e.g., “soft” skills) necessary to solve complex cyber-issues.
However, cybersecurity is a new discipline. Thus, instructors
are not necessarily experienced in a range of real-world
problems or have not had formal training on task analyses or
instructional design, both helpful for course and curriculum
development.
Recently we completed a study via Qualtrics, an online
survey platform. We hope that the results of this study will be
published as a conference paper in the Interservice/Industry
Training, Simulation and Education Conference, pending
ongoing review and approval [11]. We randomly presented
three out of the five case studies to each survey participant for
their review. Participants then answered a series of questions
for each case study. We designed these questions in order to
capture the perception of relevance for techno-centric and
human-centric KSAs as seen in Figure 3. The survey included
constructs and KSAs beyond those listed; however, these 10
KSAs (5 techno-centric and 5 human-centric) were identified a
priori to the creation of the survey’s questions based on
researcher judgment of potentially related human-centric
constructs. We received 117 valid survey responses. The need
for human-centric training in addition to techno-centric training
was a major theme in the responses we received [11].
V. APPROACHES TO CYBER EDUCATION.
While much of today’s cybersecurity efforts in academia
and elsewhere revolve around teaching the required tools to
address general security challenges in cyberspace, little has
been done to date to address the most-critical component in
cyberspace operations - the human element [12]. In 2015, the
U.S. Department of Defense (DoD) recognized this issue as a
major gap within its cyber strategy. DoD subsequently
published a holistic cyber strategy document, which acts as a
guide for the military’s ongoing efforts to strengthen its cyber
forces and organizations while promoting complementary
initiatives like the National Initiative for Cyberspace Education
(NICE) [13].
To address the human element in cyberspace, we first
considered the requisite training and education curricula
available (assessing the current state of the domain). We
conducted an informal survey of cyber programs at accredited
universities and colleges and predictably, the vast majority of
programs are embedded within the organization’s computer
science department or closely aligned with computer science
and engineering-related departments.
VI. BEHAVIORAL CYBER EDUCATION: AN EXAMPLE.
Considering the requisite training and education required to
transition from existing approaches to those most needed to
address current cyber challenges, UCF shaped a program
specifically in behavioral aspects of cyber-security.
A relatively new graduate-level certificate program at UCF
provides a template of a holistic approach. Individual institutions
may customize this template to fill the human-centered
training/learning gaps specific to that school. For example, the
UCF certificate supplements techno-centric courses from
programs such as Modeling and Simulation or Engineering.
UCF students of the Modeling and Simulation of
Behavioral Cybersecurity Certification are required to
complete 13 credit hours over 5 courses. These courses can
also be used as electives within either the Ph.D. program for
Modeling and Simulation at UCF (Behavioral Cybersecurity
track) or the Masters program for Modeling and Simulation at
UCF (Behavioral Cybersecurity track).
Descriptions of the five courses in the graduate certificate
program are listed below:
• Cybersecurity: A Multidisciplinary Approach (3
credit hours) – This course is an interdisciplinary, graduate
level modeling and simulations course that discusses and
introduces the behavioral aspects to cybersecurity. Further,
this course explores the other non-technical disciplines that
support cybersecurity efforts in the government, academia, and
commercial arenas. Cyber strategy, national cyber policy,
behavioral aspects to cyber, and cybersecurity education and
training are selected subjects discussed in this class [14].
• Cyber Operations Lab (3 credit hours) – This course
is a hands-on class that students use to immerse themselves in
initial cybersecurity planning and management. While
computer science expertise is not required, it is beneficial in
this class. However, students of all related disciplines will
discover the intricacies of cyber-related topics like firewall
administration, penetration testing, port scanning, and
operating systems security [14].
• Behavioral Aspects of Cybersecurity (3 credit hours)
– This course digs deeper into the interdisciplinary nature of
cybersecurity, focusing more heavily on the behavioral aspects
of cyber and what motivates cyber attackers. Threat modeling,
digital ethics, organizations, culture, cyber training, and
motives involved in cyber attacks are a few of the subjects
discussed in this class [14].
• Emerging Cyber Issues (1 credit hour) – This course
expands upon the work of the previous three courses through
the discussion of issues raised each week by the guest speakers
who are brought in to discuss the current and pressing issues
facing cyber personnel today. Lectures include cybersecurity
policy and planning at the national levels, open source
intelligence and the effect of social media, virtual economies,
cyber penetration testing, and data security and the human
factor [14].
• Simulation Research Methods and Practicum (3 credit
hours) – This course is the final, capstone course of the
program, designed to showcase the knowledge the students
learned over the past year in the behavioral aspects of
cybersecurity through their writings on the deployment of
modeling and simulation techniques and processes [14].
These courses are specifically designed to teach students
techniques for approaching authentic and complex tasks that
mirror real-world problems. Figure 4 shows how each of the
KSAs identified in Table 1 maps to the five courses.
As we have little knowledge of ways in which specific
KSAs map to course curriculum in other programs beyond the
course description listed online, we encourage other program
staff and faculty to also map KSAs to the specific programs
they belong to in order to continue conversation about
integrating standard human-centric topics within cybersecurity
education.
VII. EARLY FEEDBACK AND FUTURE WORK
UCF is currently in the middle of the first cohort of
students participating in the Modeling and Simulation of
Behavioral Cybersecurity Program. Initial feedback has been
overwhelmingly positive from the students.
Future training development will focus on the coursework
itself, where we plan on continuing to develop and re-develop
the current courses and expand the use of modeling the
behavioral aspects of cyber actors, to include hackers,
administrators, and users. We expect that both agent-based and
discrete event simulations will be used by students and
researchers to create models of these and other “non-
traditional” aspects of cybersecurity (i.e., non-technical aspects
mentioned earlier).
We plan on expanding the cyber operations lab as well.
We will use the lab as a testbed for future cybersecurity tools,
models, and practices. We also will tightly connect the lab to
other cybersecurity researchers at IST, UCF, the Florida Center
for Cybersecurity (FC2) and elsewhere in the academic,
corporate and government sectors. Much work remains to be
done in the behavioral aspects of cybersecurity.
VIII. REFERENCES
[1] J. Carretero and J. Daniel Garcia, "The Internet of
Things: connecting the world," Personal and Ubiquitous
Computing, vol. 18, pp. 445-447, Feb 2014.
[2] J. Davidson, "‘Inadvertent’ cyber breach hits 44,000
FDIC customers," vol. 2016, ed. Washington Post online:
Washington Post, 2016.
[3] B. Gertz, "FBI warns of cyber threat to electric grid,"
ed, 2016.
[4] Q. Jing, A. V. Vasilakos, J. Wan, J. Lu, and D. Qiu,
"Security of the Internet of Things: perspectives and
challenges," Wireless Networks, vol. 20, pp. 2481-2501, Nov
2014.
[5] A. Freeman. (2016, July 15, 2016). Could we see an
influx of cyber security job roles in 2016? Available:
https://www.technojobs.co.uk/info/tech-news/20160105-could-we-see-an-influx-of-cyber-security-job-roles-in-2016.phtml
[6] S. Morgan. (2016) One Million Cybersecurity Job
Openings in 2016. Forbes. Available:
http://www.forbes.com/sites/stevemorgan/2016/01/02/one-million-cybersecurity-job-openings-in-2016/#7a235147d274
[7] NICCS, "Most Common Degree Programs Associated
with Cybersecurity Careers," ed. Washington, D.C., 2016.
[8] NICE, "The National Cybersecurity Workforce
Framework (NCWF)," ed. Washington, D.C., 2013.
[9] DOL, "Bureau of Labor Statistics Occupational
Outlook Handbook," U. S. D. o. Labor, Ed., ed. Washington,
D.C., 2016.
[10] L. McDade-Morrison, "Cyber Space Engineer
Learning Lab: Facilitators Guide to Course Methodology and
Innovation.," ed, 2013.
[11] R. Leis, K. Badillo-Urquiola, B. D. Caulkins, and P.
Bockelman, "Modeling and Simulation Education for
Behavioral Cybersecurity," in Interservice/Industry, Training,
Simulation and Education Conference (I/ITSEC), in review,
Orlando, FL, 2016.
[12] M. Champion, S. Jariwala, P. Ward, and N. J. Cooke,
"Using Cognitive Task Analysis to Investigate the Contribution
of Informal Education to Developing Cyber Security
Expertise," in Proceedings of the Human Factors and
Ergonomics Society 58th Annual Meeting, 2014, p. 5.
[13] DoD, "The Department of Defense Cyber Strategy,"
D. o. Defense, Ed., ed. Washington, D.C., 2015.
[14] UCF, "Graduate Catalog, M&S of Behavioral
Cybersecurity," 2016.