Cyber workforce development using a behavioral cybersecurity paradigm

Authors:
Bruce D. Caulkins, Ph.D.
Institute for Simulation & Training (IST)
University of Central Florida (UCF)
Orlando, Florida USA
bcaulkin@ist.ucf.edu
Patricia Bockelman, Ph.D.
Institute for Simulation & Training (IST)
University of Central Florida (UCF)
Orlando, Florida USA
Karla Badillo-Urquiola, M.S.
Institute for Simulation & Training (IST)
University of Central Florida (UCF)
Orlando, Florida USA
kbadillo@ist.ucf.edu
Rebecca Leis, M.S.
Institute for Simulation & Training (IST)
University of Central Florida (UCF)
Orlando, Florida USA
Abstract—This paper contributes to the ongoing efforts in the
cybersecurity community to strengthen cyber workforce
development by providing an overview of key gaps and proposing
practical education strategies. Leveraging documented incidents
from defense, industry, and academia and the rest of the United
States government, we identify emerging cyber-education
opportunities highlighting human-centric elements using a gap
analysis approach. We closely examine the National Initiative for
Cybersecurity Education’s (NICE) National Cybersecurity
Workforce Framework (NCWF) as well as the Department of
Homeland Security’s (DHS) National Initiative for Cybersecurity
Careers and Studies (NICCS) educational framework. These
documents provide a foundation for current and future research
with cybersecurity workforce development.
Next, the paper outlines a pilot education program launched
at the University of Central Florida (UCF), designed to address
the unique challenges of the human dimension in cybersecurity.
The purpose of highlighting this pilot program is to provide an
example of human-centric cyber-educational curriculum. The
present paper offers a launching point for further discussion
about the human side of cybersecurity, closing with
considerations of the “lessons learned” from early responses to the
UCF program from the program’s inaugural student cohort.
Keywords—cybersecurity; behavioral cyber; workforce
development; human factors
I. INTRODUCTION.
The world is now highly connected and arguably improved
by the introduction of new technologies and advanced
network-enabled devices collectively contributing to the
Internet of Things (IoT). This interconnectedness increases
efficiency and coordination through objects like planes,
vehicles, buildings, appliances, and thermostats [1], but the
benefits come with a cost. The ongoing expansion of the IoT
environment, coupled with increased reliance upon mobile
devices and computers, introduces a range of private and
public cyber-based vulnerabilities. Although some may
perceive minimal personal threat, media outlets report cyber-
related events daily, suggesting widespread prevalence [2] and
[3]. Malicious hackers expose security flaws in new “smart”
device architectures and systems and create novel cyber-attack
software to take advantage of these flaws [4].
As IoT evolves and perpetrators of cybercrimes expand
their tools and approaches, the demand for cyber-professionals
grows. Recruitment and job distribution websites report an
influx of cyber-related job postings [5]. Further, Forbes reports
that more than 200,000 cybersecurity jobs in the U.S. remain
open in 2016 with 1 million job postings worldwide. They
also report that within three years, the projected shortfall will
reach 1.5 million [6]. So as these shortfalls become more acute,
pressure will be put onto the corporate, academic, and
government leadership who are trying to fill cybersecurity
workforce positions with highly-qualified personnel. With
such a high demand and short supply of quality cybersecurity
workers, wages will continue their upward trend for all
disciplines within the cybersecurity workforce, to include
support personnel like systems administrators and network
engineers.
II. NATIONAL CYBERSECURITY WORKFORCE FRAMEWORK.
In response to the need for enhanced cybersecurity and a
larger workforce, the Department of Homeland Security (DHS)
and the National Initiative for Cybersecurity Education (NICE)
built the National Cybersecurity Workforce Framework
(NCWF) as a foundation for understanding the necessities of
the cybersecurity workforce [7]. The framework organizes
cybersecurity into seven categories: Securely Provision,
Operate and Maintain, Protect and Defend, Investigate, Collect
and Operate, Analyze, and Oversight and Development [8].
These categories are discussed more fully below.
A. Securely Provision.
These jobs encompass the specialty areas that are
responsible for overseeing, evaluating, and accrediting the
information technology (IT) systems and network structure
planning and implementation, using solid information
assurance (IA) policies and controls. Jobs range from IA
Compliance Analysts, IA Compliance Managers, to Software
Developers and Computer Programmers [8]. We assess that the
current training and education in these areas are fairly robust
and readily available; however, most educational courses in
this category are stove-piped and not well integrated into the
overall cybersecurity training domain.
978-1-5090-5258-5/16/$31.00 ©2016 IEEE
B. Operate and Maintain.
Cybersecurity operators and maintainers focus on the
support and administration of the various underlying systems
and networks to ensure network performance, systems and
services’ performance, and overall security. Jobs in the
Operate and Maintain area encompass Knowledge Managers,
Systems Administrators, and Systems Security Analysts [8].
We assess that the current training and education in this
category is similar to the Securely Provision category’s areas.
Training for cybersecurity operators and maintainers is
robust and readily available. Further, due to the nature of the
related cyber training, operators and maintainers’ job training
is better integrated into the overarching cybersecurity training
domain as each of the six specialty areas (Data Administration,
Network Services, Knowledge Management, System
Administration, Customer Service and Technical Support, and
Systems Security Analysis) [8] focuses on the integration and
management of tools of cybersecurity, like firewalls, accounts,
intrusion prevention devices, and passwords.
C. Protect and Defend.
These cybersecurity experts are the core personnel
protecting and responding to cyber-related incidents and
intrusions. They are the first defenders in cyberspace, using
defensive measures to identify, analyse, mitigate, and report
threats and possible intrusions. Typical jobs are Computer
Network Defense (CND) Analysts, Incident Responders, and
CND Infrastructure Supporters [8]. We assess that the current
training and education in this area is less developed than the
Securely Provision or Operate and Maintain categories;
however, the integration of these specialty areas in the
cybersecurity training domain is well developed as these areas
focus directly on cybersecurity operations and analysis.
D. Investigate.
Cybersecurity investigators come largely from the digital
forensics background, focusing in on the proper and legal
collection, processing, and analysis of any and all related
evidence of intrusions, whether they originate from outside of
the organization or from within the organization. Law
enforcement and counterintelligence support is crucial to these
investigators [8]. We assess that the current training and
education in this category is highly developed, especially in the
realm of digital forensics. Courseware is readily available at
institutions of higher learning in the undergraduate and
graduate levels.
E. Collect and Operate.
The Collect and Operate category encompasses those areas
that are responsible for cyber operations that deny access and
other capabilities to threat actors across many vectors. Three
specialty areas fall under this category: Collection Operations,
Cyber Operations, and Cyber Operations Planning [8]. We
assess that this category mostly falls into the government and
law enforcement lanes of effort; as such, the Knowledge,
Skills, and Abilities (KSAs) required for this category are not
listed in the NCWF.
F. Analyze.
This category encompasses the analysis of the cyber
threats, targets that were exploited, methods used, and
vulnerabilities found, especially in the case of a zero-day
attack. Four specialty areas fall under this category: Threat
Analysis, All Source Intelligence, Exploitation Analysis, and
Targets [8]. While concerted and intentional growth has
been made in this area, we assess that this category mostly falls
into the government and law enforcement lanes of effort; as
such, the Knowledge, Skills, and Abilities (KSAs) required for
this category are not listed in the NCWF.
G. Oversight and Development.
The final category addresses the fundamental and
overarching leadership and managerial work required to
properly oversee and manage the cybersecurity workforce for
the previous six categories shown above. In addition to the
leadership and managerial aspects, this category encompasses
jobs with Cyber Law, Education and Training, and Strategic
Planning and Policy Development. We assess that while these
jobs are not overtly technical in nature, a solid understanding
of the technical and behavioral aspects of cybersecurity is
crucial in these senior-level jobs [8].
III. MAPPING THE NCWF.
Numerous colleges and universities now offer programs to
prepare cybersecurity personnel. In February of 2016, the
National Initiative for Cybersecurity Careers and Studies
(NICCS) published a list of the most common degree programs
associated with cybersecurity careers [7]. The research team
mapped these programs to the NCWF [8] (Figure 1).
A. Initial Mapping to the NCWF.
This mapping represents an initial look at the NCWF
categories and how the various academic programs best fit into
the model. The UCF behavioural cybersecurity efforts will
continue to define and refine these alignments over the next
year in follow-on research in order to produce a more accurate
construct that reflects the current reality in the cyber
workforce, both in the commercial and government sectors.
The mapping was conducted internal to UCF as part of the
ongoing evaluation and development of its cybersecurity
offerings through panel assessment of each factor. While
informal and subjective, the internal team observed patterns
that merit consideration more broadly.
Figure 1. Mapping of the NICCS list of the most
common cyber-related degree programs to the seven NCWF
categories
The map demonstrates the high-level and notional
connections between the NICCS-identified academic programs
and the NCWF categories. While several of these connections
could have more than one “correct answer,” the exemplar in
Figure 1 demonstrates how the internal research team
categorized each degree area. The aim was not to create a map
that reflected a generalizable picture, with certainty that all
field experts would agree. Rather the research team sketched
the connections pertinent for considering whether or not
programs would address the NCWF categories. For example,
the cybersecurity academic program mapped to the Protect and
Defend NCWF category could be placed in several other
categories, like Operate and Maintain, Securely Provision, or
Oversight and Development. The present study’s researchers
chose Protect and Defend since it appears to be the best fit for
the cybersecurity academic program area. Other similarly
mapped academic programs were put through the best-fit filter
as well.
The mapping of the academic programs to the particular
categories is fluid; therefore, we encourage other cybersecurity
professionals to provide further recommendations for
formulating this categorization. In order to do a proper
cyberspace workforce gap analysis over the long term, we will
conduct follow-on work in this area to further define and refine
the crosswalk of the relevant academic programs to the NCWF.
B. Gaps Found.
The research team observed discrepancies in the
degree programs represented across NICE’s seven categories in
their NCWF. Three categories – Collect and Operate, Analyze,
and Investigate – have little to no programs listed in those
fields. These categories are listed with their formal definitions
from NICE [8].
Collect & Operate - areas responsible for specialized
denial and deception operations and collection of cybersecurity
information that may be used to develop intelligence
Analyze - areas responsible for highly specialized
review and evaluation of incoming cybersecurity information
to determine its usefulness for intelligence
Investigate - areas responsible for the investigation of
cyber events and/or crimes of IT systems, networks, and digital
evidence.
As seen in Figure 2, gaps exist in the most common
university and college degree programs associated
with cybersecurity careers today. First, the three categories
that contain gaps (Analyze, Collect and Operate, and
Investigate) are generally seen most often in the U.S.
government workforce, particularly in the intelligence
and cyberspace operations fields. Second, cybersecurity
and cyberspace operations are relative newcomers to the
workplace. Very few senior leaders in these areas have
sufficient technical and operational backgrounds to make
proper long-range decisions and vision for their respective
workplaces. Finally, the actual numbers of job
descriptions in these three categories are relatively small.
Figure 2. Gaps Highlighted in the NICCS list mapped to
the NCWF
The table below shows the number of jobs, according to the
Occupational Outlook Handbook from the U.S. Department of
Labor’s Bureau of Labor Statistics (BLS) in 2014 [9]. We
used the BLS handbook’s statistics to compare them to
selected specialty areas (Computer and Information Systems
Managers, Network and Computer Systems Administrators,
Computer Programmers, and Operations Research
Analysts/ORSA) and mapped to the appropriate NCWF
category.
IV. THE HUMAN ELEMENT IN CYBERSECURITY.
While we concur with NICCS that these are the degree
programs most commonly associated with cybersecurity areas
[7], we assert that this situation reflects an oversight in post-
secondary instruction, because of the omission of human-
centered areas. Although every aspect related to cybersecurity
is inseparable from human behavior (human hackers attack
human victims), training to prevent or respond to attacks
focuses heavily on technical aspects and fails to prioritize
human elements. “The cyber content is very important, but as a
means to an end, not the end in itself” [10]. Emphasizing
technical aspects within cyber-education prepares trainees to
respond to only part of the problem. The breadth of content
available within cyber-education makes it difficult to cover all
essential knowledge, skills, and abilities (KSAs) necessary to
the field and each specialization (e.g., specific tools). Thus,
emphasis should be placed on “softer,” more human-centric
skills, fostering innovation, problem-solving, and self-directed
inquiry [10].
We assert that technical skills preparation is a necessary
component of thorough cybersecurity education and training;
however, it is our position that technical skills alone are
insufficient to form a holistic understanding of a particular
problem space. We also assert that experts in cyber (although
they may not realize it yet) will support this position, having
experienced first-hand the complexities of cybersecurity.
Experts tend to recognize behavioral patterns and meanings
that are not apparent to novice cyber-operators [10]. Cyber
operators with more experience (especially those working in
interdisciplinary teams) are better able to understand the KSAs
(e.g., “soft” skills) necessary to solve complex cyber-issues.
However, cybersecurity is a new discipline. Thus, instructors
are not necessarily experienced in a range of real-world
problems or have not had formal training on task analyses or
instructional design, both helpful for course and curriculum
development.
Recently we completed a study via Qualtrics, an online
survey platform. We hope that the results of this study will be
published as a conference paper in the Interservice/Industry
Training, Simulation and Education Conference, pending
ongoing review and approval [11]. We randomly presented
three out of the five case studies to each survey participant for
their review. Participants then answered a series of questions
for each case study. We designed these questions in order to
capture the perception of relevance for techno-centric and
human-centric KSAs as seen in Figure 3. The survey included
constructs and KSAs beyond those listed; however, these 10
KSAs (5 techno-centric and 5 human-centric) were identified a
priori to the creation of the survey’s questions based on
researcher judgment of potentially related human-centric
constructs. We received 117 valid survey responses. The need
for human-centric training in addition to techno-centric training
was a major theme in the responses we received [11].
V. APPROACHES TO CYBER EDUCATION.
While much of today’s cybersecurity efforts in academia
and elsewhere revolve around teaching the required tools to
address general security challenges in cyberspace, little has
been done to date to address the most-critical component in
cyberspace operations - the human element [12]. In 2015, the
U.S. Department of Defense (DoD) recognized this issue as a
major gap within its cyber strategy. DoD subsequently
published a holistic cyber strategy document, which acts as a
guide for the military’s ongoing efforts to strengthen its cyber
forces and organizations while promoting complementary
initiatives like the National Initiative for Cyberspace Education
(NICE) [13].
To address the human element in cyberspace, we first
considered the requisite training and education curricula
available (assessing the current state of the domain). We
conducted an informal survey of cyber programs at accredited
universities and colleges and predictably, the vast majority of
programs are embedded within the organization’s computer
science department or closely aligned with computer science
and engineering-related departments.
VI. BEHAVIORAL CYBER EDUCATION: AN EXAMPLE.
Considering the requisite training and education required to
transition from existing approaches to those most needed to
address current cyber challenges, UCF shaped a program
specifically in behavioral aspects of cyber-security.
A relatively new graduate-level certificate program at UCF
provides a template of a holistic approach. Individual institutions
may customize this template to fill the human-centered
training/learning gaps specific to that school. For example, the
UCF certificate supplements techno-centric courses from
programs such as Modeling and Simulation or Engineering.
UCF Students of the Modeling and Simulation of
Behavioral Cybersecurity Certification are required to
complete 13 credit hours over 5 courses. These courses can
also be used as electives within either the Ph.D. program for
Modeling and Simulation at UCF (Behavioral Cybersecurity
track) or the Masters program for Modeling and Simulation at
UCF (Behavioral Cybersecurity track).
Descriptions of the five courses in the graduate certificate
program are listed below:
Cybersecurity: A Multidisciplinary Approach (3
credit hours) – This course is an interdisciplinary, graduate
level modeling and simulations course that discusses and
introduces the behavioral aspects to cybersecurity. Further,
this course explores the other non-technical disciplines that
support cybersecurity efforts in the government, academia, and
commercial arenas. Cyber strategy, national cyber policy,
behavioral aspects to cyber, and cybersecurity education and
training are selected subjects discussed in this class [14].
Cyber Operations Lab (3 credit hours) – This course
is a hands-on class that students use to immerse themselves in
initial cybersecurity planning and management. While
computer science expertise is not required, it is beneficial in
this class. However, students of all related disciplines will
discover the intricacies of cyber-related topics like firewall
administration, penetration testing, port scanning, and
operating systems security [14].
Behavioral Aspects of Cybersecurity (3 credit hours) –
This course digs deeper into the interdisciplinary nature of
cybersecurity, focusing more heavily on the behavioral aspects
of cyber and what motivates cyber attackers. Threat modeling,
digital ethics, organizations, culture, cyber training, and
motives involved in cyber attacks are a few of the subjects
discussed in this class [14].
Emerging Cyber Issues (1 credit hour) – This course
expands upon the work of the previous three courses through
the discussion of issues raised each week by the guest speakers
who are brought in to discuss the current and pressing issues
facing cyber personnel today. Lectures include cybersecurity
policy and planning at the national levels, open source
intelligence and the effect of social media, virtual economies,
cyber penetration testing, and data security and the human
factor [14].
Simulation Research Methods and Practicum (3 credit
hours) – This course is the final, capstone course of the
program, designed to showcase the knowledge the students
learned over the past year in the behavioral aspects of
cybersecurity through their writings on the deployment of
modeling and simulation techniques and processes [14].
These courses are specifically designed to teach students
techniques for approaching authentic and complex tasks that
mirror real-world problems. Figure 4 shows how each of the
KSAs identified in Table 1 maps to the five courses.
As we have little knowledge of ways in which specific
KSAs map to course curriculum in other programs beyond the
course description listed online, we encourage other program
staff and faculty to also map KSAs to the specific programs
they belong to in order to continue conversation about
integrating standard human-centric topics within cybersecurity
education.
VII. EARLY FEEDBACK AND FUTURE WORK
UCF is currently in the middle of the first cohort of
students participating in the Modeling and Simulation of
Behavioral Cybersecurity Program. Initial feedback has been
overwhelmingly positive from the students.
Future training development will focus on the coursework
itself, where we plan on continuing to develop and re-develop
the current courses and expand the use of modeling the
behavioral aspects of cyber actors, to include hackers,
administrators, and users. We expect that both agent-based and
discrete event simulations will be used by students and
researchers to create models of these and other “non-
traditional” aspects of cybersecurity (i.e., non-technical aspects
mentioned earlier).
We plan on expanding the cyber operations lab as well.
We will use the lab as a testbed for future cybersecurity tools,
models, and practices. We also will tightly connect the lab to
other cybersecurity researchers at IST, UCF, the Florida Center
for Cybersecurity (FC2) and elsewhere in the academic,
corporate and government sectors. Much work remains to be
done in the behavioral aspects of cybersecurity.
VIII. REFERENCES
[1] J. Carretero and J. Daniel Garcia, "The Internet of
Things: connecting the world," Personal and Ubiquitous
Computing, vol. 18, pp. 445-447, Feb 2014.
[2] J. Davidson, "‘Inadvertent’ cyber breach hits 44,000
FDIC customers," vol. 2016, ed. Washington Post online:
Washington Post, 2016.
[3] B. Gertz, "FBI warns of cyber threat to electric grid,"
ed, 2016.
[4] Q. Jing, A. V. Vasilakos, J. Wan, J. Lu, and D. Qiu,
"Security of the Internet of Things: perspectives and
challenges," Wireless Networks, vol. 20, pp. 2481-2501, Nov
2014.
[5] A. Freeman. (2016, July 15, 2016). Could we see an
influx of cyber security job roles in 2016? Available:
https://www.technojobs.co.uk/info/tech-news/20160105-could-we-see-an-influx-of-cyber-security-job-roles-in-2016.phtml
[6] S. Morgan. (2016) One Million Cybersecurity Job
Openings in 2016. Forbes. Available:
http://www.forbes.com/sites/stevemorgan/2016/01/02/one-million-cybersecurity-job-openings-in-2016/#7a235147d274
[7] NICCS, "Most Common Degree Programs Associated
with Cybersecurity Careers," ed. Washington, D.C., 2016.
[8] NICE, "The National Cybersecurity Workforce
Framework (NCWF)," ed. Washington, D.C., 2013.
[9] DOL, "Bureau of Labor Statistics Occupational
Outlook Handbook," U. S. D. o. Labor, Ed., ed. Washington,
D.C., 2016.
[10] L. McDade-Morrison, "Cyber Space Engineer
Learning Lab: Facilitators Guide to Course Methodology and
Innovation.," ed, 2013.
[11] R. Leis, K. Badillo-Urquiola, B. D. Caulkins, and P.
Bockelman, "Modeling and Simulation Education for
Behavioral Cybersecurity," in Interservice/Industry, Training,
Simulation and Education Conference (I/ITSEC), in review,
Orlando, FL, 2016.
[12] M. Champion, S. Jariwala, P. Ward, and N. J. Cooke,
"Using Cognitive Task Analysis to Investigate the Contribution
of Informal Education to Developing Cyber Security
Expertise," in Proceedings of the Human Factors and
Ergonomics Society 58th Annual Meeting, 2014, p. 5.
[13] DoD, "The Department of Defense Cyber Strategy,"
D. o. Defense, Ed., ed. Washington, D.C., 2015.
[14] UCF, "Graduate Catalog, M&S of Behavioral
Cybersecurity," 2016.
... However, it becomes quite obligatory to adopt a peoplecentered approach, championing the protection of human rights and digital rights in this education itself. These have been found to be extremely important (Caulkins et al., 2016;Jerman Blažič & Jerman Blažič, 2022). They also do not have integrated knowledge to indicate best practices in the deployment of tools, technologies, and digital learning interventions within legal education. ...
... Future research should, thus, take the development of human-centered cybersecurity curricula as a top priority. This would be important in dealing with the unique challenges emanating from the human dimension of cybersecurity, which is mostly lacking in curricula focused on technical and legal aspects (Caulkins et al., 2016). When approached from a human-centered perspective, cybersecurity education can increase its effectiveness in dealing with issues concerning human rights and digital rights. ...
... Also, the rising trend in international collaboration-signified by this 13.64% figure of international co-authorship-reflects that cybersecurity and digital legal education are international issues of significance with global relevance to humanity (Tirumala et al., 2016;Caulkins et al., 2016). Collaborations add value to research, bringing a global aspect to the sharing of knowledge and best practices, leading toward a unified and combined approach to ameliorate the issues in these areas. ...
Article
Full-text available
This study analyzes current trends in the integration of digital technologies with legal education and their impact on cybersecurity awareness among students. Through a bibliometric approach, the research identifies challenges, opportunities, and future directions in digital legal education, emphasizing the importance of a holistic approach that encompasses technical, digital rights, and ethical dimensions. While technology is increasingly embedded in legal education, human-centeredness and ethical considerations remain underrepresented in cybersecurity curricula. The findings reveal that current cybersecurity education predominantly focuses on technical and legal aspects, thereby neglecting critical humanistic factors necessary for comprehensive training. This paper underscores the need for more interactive and innovative educational strategies, such as collaborative learning and virtual reality simulations, to bridge the skills gap and adequately prepare students for the digital challenges of the modern world. Future research should further explore these strategies to enhance the effectiveness of cybersecurity education within legal studies, equipping students to navigate the complexities of a digitally driven age.
... Research in the area of the use of honeypots has been successful in identifying how honeypots can be created and deployed (Kambow and Passi, 2014). Also, behavioral cybersecurity researchers have extensively investigated honeypots' use in predicting adversary's decisions during a cyberattack (Furman et al., 2012;Addae et al., 2016;Caulkins et al., 2016). Researchers have documented the effect of early and late deception on an attacker's decision using abstract games and simulated networks (Singal et al., 2017;Aggarwal et al., 2020). ...
... The error bars show % CI around the average estimate. Caulkins et al., 2016). Researchers experimented with the effect of subnetting a network during a cyber-attack (Achleitner et al., 2017;Kelly et al., 2019). ...
Article
Full-text available
Prior research in cyber deception has investigated the effectiveness of the timing of deception on human decisions using simulation tools. However, there exists a gap in the literature on how the availability of subnets and port-hardening influence human decisions to attack a system. We tested the influence of subnets and port-hardening on human attack decisions in a simulated environment using the HackIT tool. Availability of subnets (present/absent) within a network and port-hardening (easy-to-attack/hard-to-attack) were varied across four between-subject conditions (N = 30 in each condition): with-subnet with easy-to-attack, with-subnet with hard-to-attack, without-subnet with easy-to-attack, and without-subnet with hard-to-attack. In with-subnet conditions, 40 systems were connected in a hybrid topology network with ten subnets connected linearly, and each subnet contained four connected systems. In without-subnet conditions, all 40 systems were connected in a bus topology. In hard-to-attack (easy-to-attack) conditions, the probabilities of successfully attacking real systems and honeypots were kept low (high) and high (low), respectively. In an experiment, human participants were randomly assigned to one of the four conditions to attack as many real systems as possible and steal credit card information. Results revealed a significant decrease in the proportion of real system attacks in the availability of subnetting and port hardening within the network. Also, more honeypots were attacked in with-subnet conditions than without-subnet conditions. Moreover, a significantly lower proportion of real systems were attacked in the port-hardened condition. This research highlights the implications of subnetting and port-hardening with honeypots to reduce real system attacks. These findings are relevant in developing advanced intrusion detection systems trained on hackers' behavior.
... The National Initiative for Cybersecurity Education (NICE), led by the National Institute of Standards and Technology (NIST) in the U.S. Department of Commerce, is a partnership between government, academia, and the private sector focused on cybersecurity education, training, and workforce development to promote a robust network and an ecosystem of cybersecurity education, training, and workforce development [5]. The curriculum designs in NICE Cybersecurity Workforce Framework are aimed to increase the impact of cybersecurity educational practice in depth and breadth [6]. ...
Article
This paper discusses about how to design a teaching and learning (T&L) framework for cyber security using game at higher education in Malaysia. The paper begins with literature review of key concepts and issues associated with Capture the Flag (CTF) and cybersecurity education framework, which led to the process of defining the CTF game to support the research aims. A version of CTF game was created using an open-source engine through Technology Pedagogy and Content Knowledge (TPACK) framework and five-step gamification approach, which was aligned to the course structure of cyber security courses offered in two institutions of higher education in Malaysia. The intended learning outcomes of the course were mapped into the CTF game features. The constructive alignment and the CTF game were then verified by subject matter experts. Pre and post-test are conducted to study the difference in students’ performance. Mixed-mode research approach with quasi experiment will be used to study the difference among the treatment group. Data collection and analysis require supplement from follow-up interviews in order to complete the analysis of this T&L framework.
... This includes having a designated privacy officer or team responsible for handling such issues and ensuring that employees feel comfortable raising concerns without fear of retaliation. Prompt and effective responses to privacy concerns demonstrate the organization's commitment to respecting employee privacy [11]. ...
Research
The integration of cybersecurity within Human Resources Management (HRM) introduces a complex interplay of legal and ethical considerations. As organizations increasingly rely on digital systems to manage employee data, the protection of this sensitive information has become paramount. Legally, companies must navigate a myriad of regulations, including the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), which mandate strict guidelines on data handling, storage, and breach notification. Non-compliance can lead to severe penalties, making it imperative for HR departments to implement robust cybersecurity measures. Ethically, HR professionals face the challenge of balancing the need for security with respect for employee privacy. This involves ensuring transparency about data collection practices and obtaining informed consent from employees. Additionally, ethical dilemmas arise in monitoring employee behavior to prevent insider threats, as excessive surveillance can infringe on personal freedoms and create a climate of distrust. The role of HR in fostering a culture of cybersecurity awareness is critical. Training programs aimed at educating employees about phishing, password management, and other cyber threats are essential. However, these initiatives must be conducted ethically, respecting individual privacy and promoting a sense of shared responsibility rather than coercion. Furthermore, the integration of cybersecurity measures must consider the potential for bias and discrimination. Algorithms used in cybersecurity can inadvertently reinforce existing biases, leading to unfair treatment of certain employee groups.
... Many cybersecurity training frameworks face issues due to the trainees' perceptions. The training and instructional materials on awareness, or any other cybersecurity topic within an organization, rarely consider the employees' preferences for learning styles [2,17,18]. In fact, organizational training frameworks are often perceived as time-consuming, non-inviting, or intimidating. ...
Article
Formalizing the approach towards risk management on social media is critical for organizations. Regrettably, a review of the state-of-the-art on cybersecurity training highlighted that the existing frameworks are either too generic or too cumbersome to be adapted to different organizations and needs. Thus, we developed the Adaptive Cybersecurity Training Framework for Social Media Risks (ACSTF-SMR), a framework that incorporates social media cybersecurity policies and best practices. The ACSTF-SMR enables organizations, trainers, and policymakers to address the challenges posed by social media in a way that satisfies employees’ training needs and adjusts to their preferences. We tested the ACSTF-SMR with 38 case studies. Employees’ behaviors, learning, and responses after training were assessed, and feedback was gathered to improve the framework. Interviews with policymakers were held to gain insight into the enforcement of social media policies. We conclude that the ACSTF-SMR is a reliable option to mitigate social media threats within organizations.
... It is observed that the average ransom attack jumped from $373 and $294 in 2014 and 2015, respectively, to $1077 in 2016 [38]. Hence, it is crucial to establish a strong curriculum in both high schools and undergraduate schools to familiarize the internet users with the consequences of cyberattacks and information theft [39], [40]. ...
Preprint
The Internet and cyberspace are inseparable aspects of everyone’s life. Cyberspace is a concept that describes widespread, interconnected, and online digital technology. Cyberspace refers to the online world that is separate from everyday reality. Since the internet and the virtual world are very recent advances in human lives, there are many unknown and unpredictable aspects to it that sometimes can be catastrophic to users in financial aspects, high-tech industry, and even life-threatening aspects in healthcare. Cybersecurity failures are usually caused by human errors or their lack of knowledge. According to the International Business Machines Corporation (IBM) X-Force Threat Intelligence Index in 2020, around 8.5 billion records were compromised in 2019 due to failures of insiders, which is an increase of more than 200 percent compared to the number of records that were compromised in 2018. In another survey performed by the Ernst & Young Global Information Security during 2018-2019, it is reported that 34% of the organizations stated that employees who are inattentive or do not have the necessary knowledge are the principal vulnerabilities of cybersecurity, and 22% of the organizations indicated that phishing is the main threat to them. As stated earlier, it is noteworthy to mention that inattentive users are one of the reasons for data breaches and cyberattacks. In fact, the National CyberSecurity Centre (NCSC) in the United Kingdom observed that 23.2 million users who were victims of cybersecurity attacks used a carelessly selected password, which is “123456”, as their account password. On the other hand, the Annual Cybersecurity Report published by Cisco in 2018 announced that phishing and spear phishing emails are the root causes of a good number of cybersecurity attacks in recent years. Given the examples above, enhancing the cybersecurity behaviors of both personal users and organizations can protect vulnerable users from cyber threats. In fact, both human factors and technological aspects of cybersecurity should be addressed in organizations for a safer environment.
... In the future, it is critical to have a program that helps cybersecurity professionals identify the area they fit best before specializing in different areas. This will ensure that cybersecurity professionals specialize in areas that fit their traits and where they can produce optimal results (Caulkins et al., 2016). The other aspect that should be addressed is the emerging roles in the cyber domain, which is experiencing continuous change. ...
Article
This paper will discuss the future of cybersecurity workforce development. Cybersecurity is a field that is increasingly becoming important in today's workplaces. Considering the rapid growth of technology, it is expected that the field of cybersecurity will change significantly in the future. As such, preparedness is needed to ensure that the future cybersecurity workforce is not hindered by a lack of training, resources, or technical expertise. The personality traits of a cybersecurity professional should be evaluated before the assumption of a given occupation to ensure that this professional is the best fit and possesses all skills and values required for that post. Teamwork should be integral in future workforce development because, according to the current trend in different industries, being a team player is essential. Lastly, cybersecurity professionals should be trained to observe ethics and civic duty by being loyal to their employers. They should also prioritize continued learning because the cyber domain is ever-changing and requires flexibility and adjustment. This paper will first explore the cyber environment and highlight some of the challenges currently facing the area. Next, the most fundamental skills needed for the furtherance of this field will be covered. One area that will be the paper's focus will be the importance of social skills. The article will finally provide an overview of some of the anticipated changes that will take place in the area of cybersecurity workforce development.
Article
The aim of this study was to assess challenges facing the implementation of information security critical success factors. The study employed a quantitative research approach and a survey research design in which a case study design was used. A sample of 79 respondents, derived from the population sample of 372 using Slovin’s formula sampling technique, was used; 86% of the respondents' questionnaires were filled in effectively and were used. Descriptive data analysis was used to analyze variables based on research questions, while statistical tables and figures were used in data presentation. Results of this study indicate that there are challenges in the implementation of information security critical success factors such as security training program, security policy, risk assessment, regular system update, system auditing and commitment of top management. The study found, from respondents' views, reasons for the challenges of implementation: availability of limited resources, weak financial support from top management, lack of understanding of needed technology from information technology professionals, and a poor security awareness program for top management, who may think that information security is the issue of the information technology department only and not the whole organization. It is therefore concluded that organizations should identify their specific information security critical success factors to enhance the use of the organization's limited resources, without investing in generalization, and give solutions based on risk priority in order to make the organization secure; the utilization of information security critical success factors also holds significant importance in ensuring the security of an organization's data. It is crucial to address and eliminate any challenges that are within the scope of affordability or manageability.
Conference Paper
Much of today’s cybersecurity efforts focus on underlying technologies influencing cyberspace operations. Installing, operating, and maintaining cybersecurity-related technologies (e.g., firewalls, intrusion prevention systems) have consumed government and commercial sectors; but, this unilateral attention on the technology has led to significant oversight. Although cybersecurity requires emphasis on technology, exclusive focus on hardware and software leads to lapses in the area that is arguably a critical aspect of any given system—human users. Consequently, a more holistic cybersecurity education strategy must be developed to focus on the gaps between cybersecurity-related technologies and the human domain.
Article
Current education systems must respond to meet the increasing need for cyber security and information technology (IT) professionals. However, little research has been conducted on understanding the development of expertise in cyber security and IT, the efficacy of current systems designed to accelerate expertise and/or train cyber security and IT professionals, and the perceived efficacy of these systems rated by the professionals themselves. Moreover, virtually no research exists with respect to the benefit of traditional (classroom-based) formal education compared to informal (self-taught) learning in these complex settings. This paper attempts to address these questions through the use of an online survey of professionals and a follow-up interview with professionals examining this question.
Article
The Internet of Things (IoT) has been playing a more and more important role since it appeared; it covers everything from traditional equipment to general household objects, such as WSNs and RFID. With the great potential of IoT come all kinds of challenges. This paper focuses on the security problems among all other challenges. As IoT is built on the basis of the Internet, security problems of the Internet will also show up in IoT. And as IoT contains three layers (perception layer, transportation layer and application layer), this paper will analyze the security problems of each layer separately and try to find new problems and solutions. This paper also analyzes the cross-layer heterogeneous integration issues and security issues in detail, discusses the security issues of IoT as a whole and tries to find solutions to them. In the end, this paper compares security issues between IoT and traditional networks, and discusses open security issues of IoT.
Article
Wireless mesh networks (WMNs) are cost-efficient networks that have the potential to serve as an infrastructure for advanced location-based services. Location service is a desired feature for WMNs to support location-oriented applications. WMNs are also ...