Abstract
Competency models are widely adopted frameworks that are used to improve human resource functions and education. However, the characteristics of competency models related to the information security and cybersecurity domains are not well understood. To bridge this gap, this study investigates the current state of competency models related to the security domain through qualitative content analysis. Additionally, based on the competency model analysis, an evidence-based competency model is proposed. Examining the content of 27 models, we found that the models can benefit target groups in many different ways, ranging from policymaking to performance management. Owing to their many uses, competency models can arguably help to narrow the skills gap from which the profession is suffering. Nonetheless, the models have their shortcomings. First, the models do not cover all of the topics specified by the Cybersecurity Body of Knowledge (i.e., no model is complete). Second, by omitting social, personal, and methodological competencies, many models reduce the competency profile of a security expert to professional competencies. Addressing the limitations of previous work, the proposed competency model provides a holistic view of the competencies required by security professionals for job achievement and can potentially benefit both the education system and the labor market. To conclude, the implications of the competency model analysis and use cases of the proposed model are discussed.
1 INTRODUCTION
Recent security breaches [37] point to the inherent danger that cyberspace poses. Given the ongoing risks posed by malware and other threats, the growing sophistication of the threat landscape, and the expansion of the attack surface [36], cybersecurity professionals represent an indispensable resource for protecting assets. The security industry, however, is suffering from a global workforce deficiency [26, 38, 56]. Because the shortage in competent security experts is putting public and private organizations at risk [56], narrowing the skills gap is imperative.
In this context, the lack of capacity and capability of the cybersecurity workforce has fueled efforts by governments, education systems, and companies to advance cybersecurity education. Countries such as the United States, Australia, New Zealand, and France have launched cybersecurity strategies addressing cybersecurity education (e.g., strengthening educational programs) [10, 88]. Likewise, companies have begun to foster recruitment and workforce development (e.g., by offering training and certification opportunities) [54]. To increase efforts, higher education institutions have started to offer stand-alone security programs and programs including security content [17, 88], introduce novel maintenance measures to keep curricula up to date [65], and revise curricula to include competency-based education [103].
Moreover, the notion of competency, often referred to as the integration of knowledge, skills, and attitudes necessary for successful task performance [5], is gaining popularity in cybersecurity education [88, 103]. Professional associations, such as the Institute of Electrical and Electronics Engineers (IEEE) and the Association for Computing Machinery (ACM), are endeavoring to push the concept of competency as the currency of educational outcomes [22], and universities are striving to shift to competency-based education [103]. To incorporate the notion of competency into educational settings, organizations and universities are using competency models to specify professionals’ competencies. Educational institutions recognize competency models as useful tools for the development of competency-based curricula and training [21, 51, 66]. Similarly, public and private organizations are utilizing competency models to improve and align competency-based Human Resource (HR) functions, including workforce development and training [20, 32, 117]. However, despite the merits of competency models in education and training and their widespread use in practice, a systematic cybersecurity competency model analysis has thus far been lacking. To bridge this gap, this study investigates the current state of competency models related to the security domain and also proposes a competency model that addresses the limitations of existing ones.
The rest of the article is organized as follows. After presenting the theoretical background and related work in Section 2, Section 3 outlines the methods used to analyze the existing work and construct a new evidence-based competency model. Subsequently, Section 4 presents the findings of the analysis, and Section 5 describes the proposed competency model. In Section 6, the implications of the findings and use cases of the model are discussed. The article concludes with remarks in Section 7.
2 BACKGROUND AND RELATED WORK
In this section, we outline the theoretical background and related work of our study. Section 2.1 discusses the information security and cybersecurity domains and introduces the Cybersecurity Body of Knowledge (CyBOK) [94]. Sections 2.2 and 2.3 explain the concept of competency and competency models. Section 2.4 presents related work and includes studies analyzing competency models, which are also the subject of the present work. Additionally, Section 2.4 includes job advertisement analyses that shed light on the competency profile of a cybersecurity expert.
2.1 Information Security and Cybersecurity
Information security and cybersecurity can be differentiated by considering the origin of the threats and the assets that are to be protected [112]. Although competing definitions exist, information security can be understood as an ongoing process [83] concerned with the protection of analog and digital information, its security properties, and the Information Technology (IT) that stores valuable data from intentional and unintentional threats that arise from physical and virtual sources [2, 57, 112, 119]. In contrast, cybersecurity is a computing-based approach [60] that focuses on the protection of information systems (e.g., hardware and software), the information stored on them, and non-information-based assets (e.g., humans and society) that are vulnerable to intentional or unintentional threats originating from cyberspace [53, 112]. IT security referring to the protection of information systems can be seen as a subset of both information security and cybersecurity [112].
From the perspective of security, assets have security properties assigned, including confidentiality, integrity, availability, authentication, authorization, and nonrepudiation [39]. These security properties are defined as follows [2, 23]. Confidentiality refers to the ability to ensure that information is not disclosed to unauthorized individuals, processes, or devices. Integrity ensures that information is not maliciously or unintentionally modified or altered. Availability ensures that information is accessible by authorized individuals when required. To establish whether a claim of identity is true, authentication is used. Implemented using access controls, authorization decides what an authorized entity can or cannot do. Last, nonrepudiation is achieved when the people taking action cannot successfully deny that they have done so [2].
In recent years, several efforts [46, 60, 95] have been made to collect, systematize, and codify the foundational information security and cybersecurity knowledge in a Body of Knowledge (BOK). Given that cybersecurity is a broad and interdisciplinary field, different bodies have different foci. For the competency model analysis, we have selected the CyBOK [94], because it (i) is an up-to-date body, (ii) has a strong focus on cybersecurity [124], and (iii) consists of a reasonable number of Knowledge Areas (KAs) that allow for a fine-grained content analysis that is neither too abstract nor too specific. The CyBOK is a comprehensive BOK with a more technical focus than other BOKs, such as the Certified Information Systems Security Professional BOK or the Cybersecurity Curricula 2017 [124]. The CyBOK’s purpose is to codify foundational knowledge and serve as a guide for cybersecurity knowledge. The CyBOK’s basis is formed by 19 KAs that are grouped into five broad categories [94]. Table 1 provides a brief definition of each area.
Knowledge Area | Definition |
---|---|
Human, Organizational, and Regulatory Aspects | |
Risk management & governance | Security management systems and organizational security controls, including standards, best practices, and approaches to risk assessment and mitigation |
Law & regulations | International and national statutory and regulatory requirements, compliance obligations, and security ethics, including data protection and developing doctrines on cyber warfare |
Human factors | Usable security, social and behavioral factors impacting security, security culture and awareness, as well as the impact of security controls on user behaviors |
Privacy & online rights | Techniques for protecting personal information, including communications, applications, and inferences from databases and data processing; also includes other systems supporting online rights touching on censorship and circumvention, covertness, electronic elections, and privacy in payment and identity systems |
Attacks and Defenses | |
Malware & attack technologies | Technical details of exploits and distributed malicious systems, together with associated discovery and analysis approaches |
Adversarial behaviors | The motivations, behaviors, and methods used by attackers, including malware supply chains, attack vectors, and money transfers |
Security operations & incident management | The configuration, operation, and maintenance of secure systems, including the detection of and response to security incidents and the collection and use of threat intelligence |
Forensics | The collection, analysis, and reporting of digital evidence in support of incidents or criminal events |
Systems Security | |
Cryptography | Core primitives of cryptography as presently practiced and emerging algorithms, techniques for analysis of these, and the protocols that use them |
Operating systems & virtualization security | Operating systems protection mechanisms, implementing secure abstraction of hardware, and sharing of resources, including isolation in multiuser systems, secure virtualization, and security in database systems |
Distributed systems security | Security mechanisms relating to larger-scale coordinated distributed systems, including aspects of secure consensus, time, event systems, peer-to-peer systems, clouds, multitenant data centers, and distributed ledgers |
Authentication, authorization, and accountability | All aspects of identity management and authentication technologies and architectures and tools to support authorization and accountability in both isolated and distributed systems |
Software and Platform Security | |
Software security | Known categories of programming errors resulting in security bugs and techniques for avoiding these errors–both through coding practice and improved language design–and tools, techniques, and methods for detection of such errors in existing systems |
Web & mobile security | Issues related to web applications and services distributed across devices and frameworks, including the diverse programming paradigms and protection models |
Secure software lifecycle | The application of security software engineering techniques in the whole systems development lifecycle, resulting in software that is secure by default |
Infrastructure Security | |
Network security | Security aspects of networking and telecommunication protocols, including the security of routing, network security elements, and specific cryptographic protocols used for network security |
Hardware security | Security in the design, implementation, and deployment of general-purpose and specialist hardware, including trusted computing technologies and sources of randomness |
Cyber-physical systems security | Security challenges in cyber-physical systems, such as the Internet of Things and industrial control systems, attacker models, safe-secure designs, and security of large-scale infrastructures |
Physical layer & telecommunications security | Security concerns and limitations of the physical layer, including aspects of radio frequency encodings and transmission techniques, unintended radiation, and interference |
2.2 About the Concept of Competency
Competency is a widely adopted concept in cognitive, social, and educational science [63] and has been introduced in psychology as a counterterm to intelligence [50, 81]. Theoretical views, national context, and application area influence the concept’s meaning [110], and different approaches to conceptualizing competencies coexist [33, 71, 114]. For instance, Schippmann et al. [99] revealed that experts’ answers to the question of what a competency is vary. Given its different meanings, some authors have referred to the term as a fuzzy concept [109]. Nonetheless, the concept promises to help bridge the gap between education and the labor market [71, 90, 109].
Which components should be included in the competency construct is an ongoing debate. Focusing on a narrow notion of competency, Klieme and Leutner [64] defined competency as a context-specific, cognitive performance disposition, thereby reducing the concept to specialized cognitive prerequisites [49, 50]. In contrast, the computing curricula 2020 report went beyond the cognitive realm and defined competency as “composed of K-S-D dimensions observed within the performance of a task” [22, p. 47]. According to this notion, competency integrates knowledge, skills, and dispositions that are causally related to the accomplishment of a task [41]. The integration of cognitive and noncognitive components into a complex competency system is also frequently found in the concept of action competency [64, 114]. For example, the German Qualifications Framework Working Group [45] defined competency as “the ability and readiness to use knowledge, skills, personal, social, and methodological competencies and to behave in a considered, individual, and socially responsible manner” [45, p. 17]. In this article, we adopt a holistic approach to competency and refer to the definition of Weinert [116, pp. 27–28]: competencies are the cognitive abilities and skills possessed by or able to be learned by individuals that enable them to solve particular problems, as well as the motivational, volitional, and social readiness and capacity to use the solutions successfully and responsibly in variable situations. This notion of competency implies that competencies are comprised of “all those cognitive, motivational, and social prerequisites” [115, p. 51] that are necessary for achievement. Specifically, this holistic approach to competency integrates cognitive and noncognitive components into a complex system of knowledge, skills, attitudes, and cognitive abilities [114]. Although not explicitly stated, knowledge is a component of Weinert’s definition [62]. 
Here, knowledge refers to the mastery of core concepts and topics acquired through learning [74, 114, 120]. Cognitive abilities refer to general intellectual abilities that are less learnable [69, 114]. Relying on the CC2020 Task Force [22] and the German Qualifications Framework Working Group [45], we define skill as the proficient application of knowledge to successfully meet demands in a particular action context. The construct described as “motivational, volitional, and social readiness and capacity” refers to attitudes or dispositions [41] and bridges the gap between the mere ability to do something and the actual behavior [89]. Dispositions are affective by nature and can be understood as tendencies toward a certain behavior and the sensitivity to know how and when to engage in a task [89]. In this sense, the affective component is what transforms the mere ability to act into appropriate action [1]; it establishes the connection between what a person can do (ability) and what a person does do (action) [41]. Last, the internal structure of the competency is derived from the structure of the task, with the task unfolding and framing the purpose and meaning of competency. The task serves as a crystallization point of competency (i.e., the task renders competencies concrete and visible) [90, 115].
For analytical and organizational reasons, competencies can be categorized into competency classes [34, 77, 104]. By default, competency classes can be differentiated according to task or demand [33, 34]. If the subject’s action relates to other people or groups of people (the task), it is a question of social competencies. Personal competencies refer to tasks concerned with oneself (e.g., self-control in stressful situations), and professional competencies pertain to domain-specific and work-related tasks. Methodological competencies are somewhat different, as their task application is more general. Here, we refer to methodological competencies as personal qualities that apply to a broad range of tasks (e.g., problem solving). Depending on the task, the relative emphasis of the competency components varies [41]. Thus, some competencies are strongly knowledge focused, whereas others are more skill- or disposition focused.
2.3 Competency Models
The concept of the competency model has been defined in three ways. First, the term can refer to the modeling of the internal structure of competency in general terms, specifying personal qualities, such as dispositions and skills, as competency components [41]. Second, there are competency structure and level models used to model the dimensionality and differentiate between the levels of proficiency of a concrete competency, such as foreign language competency or programming competency [6, 64, 67]. Third, competency models, as understood in this work, refer to organized catalogs or lists of competencies required by individuals to achieve goals, meet demands, and perform effectively in a specific role within a job, job family, organization, industry, or process [20, 32, 75, 78, 79]. Specifically, the term competency framework is also frequently used in the literature to refer to a structured competency collection [3, 30, 34].
Because models can contain a large number of competencies [34], organization becomes crucial. To organize competencies, different structures have been proposed [106], including hierarchies [32, 108] and typologies [45, 52, 104]. For instance, models by the Employment and Training Administration [32] organize competencies into stacked tiers that form a hierarchically structured pyramid shape. In contrast, the “KompetenzAtlas” [52] classifies competencies based on a competency class typology. Regardless of the underlying structure, competencies constitute the core of a competency model, and models often record competencies in detail. A competency usually consists of (i) a label or title highlighting the name of the competency, (ii) a detailed description of the competency in behavioral terms, and (iii) proficiency levels or behavioral indicators outlining how a competency unfolds in action [20, 97]. Grouping behavioral indicators into proficiency levels (e.g., novice, intermediate, and expert) facilitates the application of competency models in many HR activities, including performance management, appraisal systems, and workforce development [98, 106]. Owing to their many applications, competency models can be considered the backbone of an organization’s competency management [97]. To maximize the benefits of using competency models, many models are highly tailored to an organization’s context and strategy, use organization-specific language, and are graphically elaborated [20].
2.4 Related Work
Against the backdrop of a lack of qualified workers and with the aim of tackling the workforce shortage, several studies have examined competency models to provide input for the preparation of cybersecurity programs. For instance, Manson et al. [76] asked faculty experts to assess the content of several standards, including the IT Security Essential Body of Knowledge (EBK) [150]. According to the results, the EBK’s competency area “data security” was considered most important, whereas “strategic security management” was deemed least important [76]. To determine industry priorities regarding the competencies of entry-level professionals, Whitman [118] asked participants to rate the competencies of the Cybersecurity Competency Model [153]. Results showed that all competencies were in demand, although some were more favored than others. Moreover, the preference for specific competencies did not vary between organization size and industry [118]. With the aim of informing curriculum development, Armstrong et al. [4] and Jones et al. [61] investigated the relative importance of the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework’s Knowledge, Skills, and Abilities (KSAs) [140] that are listed under specialty areas within the “protect and defend” category. In sum, the most important KSAs common to two or more specialty areas dealt with networks, vulnerabilities, threats, and programming [61], and nontechnical skills were rated highly important for achievement [4]. Next, several studies have compared competency models to identify differences and similarities. From these efforts, we can see that models can vary in several ways, including in the treatment of nonprofessional competencies (e.g., methodological, social and personal competencies), the number of competencies [15], the basic structure [84], and the concepts referred to [40].
Another line of studies has analyzed the content coverage of models and whether predefined characteristics have been met. Using the CyBOK areas to map the content of several frameworks, Hallett et al. [48] found that the NICE Framework, although not exhaustive, covers most KAs, with “security operations and incident management” and “risk management and governance” being the most emphasized. Focusing on the analysis of the e-Competence Framework (e-CF), Plessius and Ravesteyn [91] showed that the e-CF [132] covers the IT domain to a great extent and fulfills many quality criteria. Miloslavskaya and Tolstoy [82] analyzed four models in terms of their applicability to the Internet of things (IoT) and cloud areas and found that the NICE Framework best fulfills the requirements. To inform a possible drafting of an e-competency framework for Malta, Camilleri [19] analyzed the usability of existing e-competency frameworks in Europe. Findings shed light on best practices regarding usability. Examining three models (e.g., e-CF) in terms of user expectations, Brown and Parr [15] found that models did not fully comply with user expectations, such as utility, portability, and simplicity. Moreover, all three models lacked automation features, limiting their usefulness in advanced skill management tasks [15]. Elsewhere, Brown [14] discussed the issue of backward compatibility between the Skills Framework for the Information Age (SFIA) 7 [145] and 6. Another study [25] examined the applicability of the e-CF 3.0 and SFIA 6 to the profile of a data scientist and concluded that both models adequately represented the profile. Last, relating to our investigation are studies extracting competencies from cybersecurity and information security job advertisements. From these efforts, we can draw the conclusion that it is not only professional competencies that are in demand but also methodological, social, and personal competencies [13, 92, 93]. 
Reducing the competency profile of the cybersecurity workforce to professional competencies is therefore an invalid process.
3 RESEARCH METHOD
This section presents the research method of the study and provides information on the search and selection process, the data analysis method, and the construction and validation procedure of the newly developed competency model. We also compile a maintenance and replication package [9] that contains the dataset and general maintenance advice.
3.1 Research Goal and Questions
To achieve consistency between goals, research questions, and metrics, the Goal–Question–Metric paradigm [7] has been used. The goal of this study is
• to analyze the current state of competency models related to the information security and cybersecurity domains and to build a competency model for these domains.
The goal leads to two research questions:
RQ1 Which competency models for cybersecurity and information security are available and what are their characteristics?
RQ2 Can we use existing competency models to build a new security competency model, and which components and properties should characterize the new model?
To answer the research questions, we collected, analyzed, and synthesized evidence for several metrics:
• annual number of publications, citation frequency, nations producing models, publication type of the sources;
• competencies and their frequencies, competency classes and their frequencies, competency definition, number of proficiency levels, covered CyBOK categories and KAs in addition to their frequencies; and
• completion of competency models in terms of content coverage, competency model uses and their frequencies, target groups, and a competency model based on existing models.
The search and selection of sources, the data analysis, and the construction and validation process for the new competency model are described in Sections 3.2, 3.3, and 3.4, respectively. The competency model analysis results answering RQ1 are presented in Section 4, and the new competency model that provides answers to RQ2 is presented in Section 5.
3.2 Searching and Selecting Sources
The search process and source selection are critical to our research, as they lay the foundations for all of the results. To optimize the search process and source selection, we adopted recommended strategies stated in the guidelines of systematic and multivocal literature reviews [43, 122].
3.2.1 Search Process.
We decided to collect sources that provided a stand-alone cybersecurity competency model and models that integrate security content to obtain all cybersecurity and information security competencies and other relevant information. Therefore, not only did we search competency models for cybersecurity, but we also searched models from related fields, such as software engineering and information systems. Before the search, determining the source types was crucial. Regarding publication types, two forms were distinguished: formally published literature and Grey Literature (GL) [43]. Although competing definitions exist [100], GL usually refers to “literature that is not formally published in sources such as books or journal articles” [72, Chap. 6]. Although the inclusion of GL in secondary studies is gaining momentum [44] and may be beneficial, for example, to avoid publication bias [105], the inclusion should not be taken lightly and should follow rigorous decision making. To systematically decide whether to include GL, we applied the question-based checklist provided by Garousi et al. [43]. As the sum of the “yes” answers was four out of seven, we chose to include GL. After the decision, we generated search terms. As recommended by Xiao and Watson [122], we expanded the search terms to include synonyms, alternative spellings, and related concepts. Note that we included “curriculum” as a search term to identify curricula encompassing competency models. The search was limited to the 1990–2020 period. From March 13, 2020, to May 15, 2020, search phrases with Boolean operators were used to identify formally published literature and GL in databases (Table 2).
To narrow down the search space, relevance rankings (e.g., using Google’s PageRank algorithm) of the databases were determined, and only the first 50 pages were examined. This action limited the search space and set a stopping criterion [43]. Typically, the collection of results and the application of inclusion and exclusion criteria are divided into separate steps. For this study, the selection criteria were already applied during the search process. Garousi and Mäntylä [44] also favored this strategy, as it reduces the number of irrelevant sources. After finalizing the initial pool, we utilized forward and backward snowballing methods in the search process [73, 122]. The references of the collected literature were studied (backward snowballing), and the citing literature was determined using the citation tracking functions of Google Scholar and Web of Science (forward snowballing). After checking for inclusion, these methods allowed us to obtain two additional sources [141, 151].
# | Category | Search Terms | Databases for Formally Published Literature | Databases for GL |
---|---|---|---|---|
1 | Stand-alone security competency models | (“Cybersecurity” OR “Cyber Security” OR “Information Assurance” OR “IT Security” OR “Information Security”) AND (“Competency Model” OR “Skills Framework” OR “Competency Framework” OR “Competence Framework” OR “Curriculum” OR “Competency” OR “Competence” OR “Capability” OR “Skills”) | Web of Science, IEEE Xplore, ACM Digital Library, Google Scholar | Google, OpenGrey, arXiv |
2 | Competency models integrating security concepts | (“Information Technology” OR “Software Engineering” OR “Information Systems” OR “ICT” OR “Computer Science” OR “Computer Engineering”) AND (“Competency Model” OR “Skills Framework” OR “Competency Framework” OR “Competence Framework” OR “Curriculum” OR “Competency” OR “Competence” OR “Capability” OR “Skills”) | Web of Science, IEEE Xplore, ACM Digital Library, Google Scholar | Google, OpenGrey, arXiv |
3.2.2 Source Selection.
Source selection deals with defining and applying inclusion and exclusion criteria to identify relevant sources for answering research questions [43]. Similarly to Garousi and Mäntylä [44], we only defined inclusion criteria, as these criteria already indirectly excluded irrelevant sources. Additionally, we used some quality assessment criteria because GL requires special treatment. First, we applied inclusion criteria to the title and the abstract. Subsequently, we applied the criteria to the body of content. Table 3 shows the inclusion criteria and some sources that were excluded. For clarification, we selected sources that solely contained a competency model and sources in which the competency model was only one element among many (e.g., in curricula). Additionally, we included any accompanying material to which no selection criteria were applied (e.g., material of the e-CF [131, 133]). Figure 1 presents the entire search and selection process.
# | Type of Criteria | Inclusion Criteria | Excluded |
---|---|---|---|
1 | Content | The publication contains a stand-alone security competency model or a model integrating security concepts (i.e., a list of competency descriptions, behavioral indicators, or related concepts). | [31, 34, 85, 102] |
2 | Content | The competency model describes competencies that practitioners or graduates of a tertiary program should possess. | [96] |
3 | Language | The literature is in English or German. | |
4 | Access | The full text can be accessed. | [11, 35] |
5 | Bibliographic information | The producer (author, institute, organization, etc.) and the date of publication are indicated. | [58] |
6 | Bibliographic information | The source was published online during the time frame from 1990 to 2020. | |
3.2.3 Final Pool.
When finalizing the pool, we arrived at 29 sources, 27 of which were competency models or material encompassing a model and two of which were additional sources that constituted supplementary material [131, 133]. Of the 29 sources, 13 models were stand-alone information security and cybersecurity competency models [127, 130, 135, 136, 138, 140, 141, 148, 149, 150, 151, 153], and 14 competency models [125, 126, 128, 129, 132, 134, 137, 139, 142, 143, 144, 145, 146, 147, 152] were frameworks that integrated cybersecurity content and related to adjacent domains, such as software engineering.
3.3 Data Analysis
To evaluate the content of the 29 sources, we performed a Qualitative Content Analysis (QCA) using MAXQDA. QCA is a qualitatively oriented, category-based method that systematically condenses qualitative material, reduces complexity, and deciphers the meaning of qualitative data [70, 80, 101]. QCA does so by assigning text passages (coding units) to categories of a category system [101]. Several forms of QCA exist, and a decision regarding a specific technique depends on the project’s research questions. For this study, we favored a content structuring QCA [70, 80]. A content structuring QCA allows for specific topics to be filtered out of the material and summarized [80]. The category system used in this method usually consists of deductive and inductive categories [70]. We derived some of our deductive categories by transforming the metrics (see Section 3.1) into categories. Additionally, competency classes (e.g., social, methodological, personal, and professional competencies), as well as the five CyBOK categories and 19 CyBOK areas [94] (see Table 1), were converted to categories that, together, formed a theoretically derived hierarchical category system.
When constructing a coding manual [80], we defined the categories and underpinned them with illustrative coding examples. Where required, coding rules were added to support coding decisions [101]. Additionally, we determined appropriate content analytical units (coding unit, context unit, and recording unit) for each research question. When coding competency statements, for example, we coded text snippets that clearly stated what an individual should be able to do. Thus, we coded competency statements such as “develop processes and procedures to mitigate the introduction of vulnerabilities during the engineering process.” After coding the material with the main categories, subcategories were derived using inductive category formation, a strategy to derive categories from material [80]. This way, we developed a deductive-inductive, hierarchically structured category system that served as the basis for answering our research questions.
3.4 Building and Validating the New Competency Model
To build the competency model, we chose an empirical rather than theoretical approach [12] and followed best practice recommendations [20, 79]. The 27 models served as the data basis upon which we developed the new model, and the competency model analysis (see Section 3.3) served as the method for deriving the structure and content of the model. The developed category system already represented the structure of the competency model (i.e., it categorized the competencies according to competency clusters and dimensions). Thus, by converting the category system to a competency model, we obtained the structure of the model. Determining the granularity of the competency model was another critical step in the construction process. Granularity concerns not only the number of competencies included but also the level of detail of each competency [20]. For the model to be exhaustive, we included a large number of competencies, namely 72. When determining the detail of a competency, we followed recommended guidelines [20, 79] and constructed a basic competency anatomy for every competency. Up to six behavioral indicators were selected to anchor the definitions [97]. Because of the coding process, competency categories were already assigned to behavioral indicators. We extracted the indicators and added them to the respective anatomies. In doing so, we avoided the frequently mentioned criticism of “using empty, overly general phrases or a listing of meaningless buzzwords” [102, p. 398].
The next step in the development process was to check and ensure curricular validity [59]. This validation step examined the extent to which the model’s content corresponded to the curricular content. Other competency modeling studies [67, 68] have also regarded this step as essential. Because we are familiar with the cybersecurity education landscape in Austria and consider it representative, we used the Austrian information security and cybersecurity curricula as our basis. The collection process resulted in 10 curricula [154, 155, 156, 157, 158, 159, 160, 161, 162, 163] that were analyzed according to content structuring QCA [70, 80]. To check curricular validity, we used the competency model as a deductive coding scheme. During the first coding session, similarly to Bröker and Magenheim [12], we found that the richness in detail of the content of the curricula varied, with many curricula only stating titles, topics, and content knowledge. Consequently, the corpus included many implicit competencies. Hence, we refined our coding rules to fit the data. Additionally, whenever competency candidates not previously captured by the category system emerged, a new competency category was inductively developed [80].
4 COMPETENCY MODEL ANALYSIS
This section presents the results of the competency model analysis. First, the bibliographic and demographic results are given. Subsequently, the results regarding the content of the models are presented qualitatively and quantitatively.
4.1 Demographic and Bibliographic Aspects
Figure 2 shows the cumulative number of sources per year. In 2006, the first competency model containing security content emerged. Since this emergence, interest has steadily increased, peaking in 2017 and 2019. With the exception of 2009, competency models were released regularly, resulting in a continual supply of such models. With regard to the publication type, most sources constituted GL (23). Only some of the models (6) were formally published. As shown in Figure 3, the GL published in this area surpassed the formally published literature many times over.
In the next step, we examined which countries have produced the most competency models. To rank countries based on the number of models, we extracted the countries of the universities to which the authors belonged. If several authors from several different countries had developed a model, one credit for each country was assigned. Figure 4 shows the top countries in terms of the releasing of competency models. According to Figure 4, the United States significantly outnumbered the rest of the countries. Noticeably, only 17 countries contributed to the growing body of competency models. Moreover, international collaborations seemed to be the exception, as only two models were developed through collaboration.
To evaluate the influence of models in terms of citation count, we extracted the respective information from Google Scholar and Web of Science. Of particular interest was the relationship between the citations for each article and articles’ years of publication. Showing the relationship, Figure 5 indicates that the actual citation count of the models depended on the database used. In effect, Google Scholar reported higher citation counts than Web of Science, whereas Web of Science indexed more models than Google Scholar. Contrary to expectations, recently published models were more influential than earlier work. Based on data from Google Scholar, the NICE Framework [140] led the list of the most influential models and was followed by the models of Prifti et al. [142] and Topi et al. [147]. Concerning data provided by Web of Science, the model developed by Prifti et al. [142] was cited the most.
4.2 Usages and Target Groups
We developed 18 categories describing the usages and applications of the competency models. According to the results, competency models provide several uses, ranging from performance management to policymaking. Table 4 provides an insight into the results, as well as descriptions and frequencies for all usages. As Table 4 indicates, the category “learning and competency development” led the list of the most frequently coded usages and was followed by the categories “assessment” and “development and evaluation of qualification programs.”
# | Category | CF | Description | Example(s) of Coded Segments |
---|---|---|---|---|
1 | Learning and competency development | 19 | Competency models can help several target groups to develop competencies, set learning goals, and identify means to accomplish and evaluate these goals. Using competency models aids competency development in alignment with market needs and recognized standards. Furthermore, models support organizations and companies in aligning company strategy with competency development. | “Within this context, the e-CF can also support: ICT professionals to show them what to be learnt and possible learning paths” [131, p. 41]; “The e-CF has […] supported the alignment between the company’s competence development and its business strategy” [131, p. 11]. |
2 | Assessment | 16 | Competency models support the application of assessments. Basically, two kinds of assessments can be distinguished: self- and external assessments. The self-assessment process can take place on an individual or organizational level. External assessments refer to the assessments of employees by a third person. | “This Software Assurance (SwA) Competency Model was developed to create a foundation for assessing […] the capability of software assurance professionals” [135, p. VII]; “It provides individuals with a framework for self-assessment […]” [126, p. 3]. |
3 | Development and evaluation of qualification programs | 16 | Developing and evaluating qualification programs is a common application of competency models. Two kinds of qualification programs can be distinguished: educational and certification programs. With regard to the development of educational programs, models can be used to build entire competency-based curricula, develop concrete modules, develop learning materials, and plan lessons. One main advantage of using competency models is that the programs are tailored to market needs, which improves students’ employability. Furthermore, models can be used to evaluate and validate existing programs. | “The competencies outlined in the EBK become the basis for training ‘modules’ that can be fit into the specific course curriculum for each of the Department-defined key roles […]” [150, p. 4]; “aligning curriculum to industry/employer needs and improving employability” [145, p. 7]; “For example, the core IT learning outcomes can be used by colleges to conduct periodic program reviews with the intent of validating their existing IT courses, certificates, and degrees, as well as to create new IT curriculum” [134, p. 8]. |
4 | Career management | 13 | Competency models can be used to manage careers. Job seekers and students can use models to discover industry-valued competencies. Competency models can be the starting point to exploring common job roles in cybersecurity. Technical experts can inform themselves about different career paths. Furthermore, models help to develop career pathways. | “[…] to help job seekers and students understand which cybersecurity work roles and which associated Knowledge, Skills, and Abilities are being valued by employers for in-demand cybersecurity jobs and positions” [140, p. 3]; “provides guidance on a viable career pathway from entry-level data protection executives to regional data protection senior management roles” [141, para. 1]. |
5 | Recruitment and selection | 11 | Using competency models for recruitment and selection is beneficial to organizations. Not only is the use of models helpful in improving the efficiency and effectiveness of the process, but it is also helpful in developing competency-based selection criteria. | “The Cyber Security Capability Framework is a tool that can be used in recruitment and selection” [148, p. 9]; “The opportunities for improving the efficiency and effectiveness of recruitment processes by adopting the European e-Competence Framework are significant” [133, p. 15]. |
6 | Job/role profiles and job ads | 10 | Competency models can be used to develop and improve job and role descriptions, as well as job advertisements. Models help to clarify the tasks, competencies, and responsibilities of a certain position and specify the sought-after competencies in job advertisements. A major advantage of using competency models is that the job/role profiles and job advertisements do not have to be built from scratch. Rather, the already developed competencies can be used as “building blocks” [131, p. 38] to create profiles. | “The European e-CF describes competence and can be used in a variety of applications where consistency of competence language is required. These include job descriptions, role profiles […]” [131, p. 15]; “Improve position descriptions and job vacancy announcements selecting relevant KSAs and Tasks, once work roles and tasks are identified” [140, p. 3]. |
7 | Guide to qualification programs | 9 | The qualification landscape is complex. Competency models can act as a guide to qualification programs, including education and certification programs. Competency models help to find the appropriate qualification programs to develop the appropriate competencies through suitable programs or to close competency gaps. For companies and specialists, this assistance is also important from a financial point of view because disinvestment can be avoided. Noticeably, some online tools acting as guides to qualification programs use the models as a basis. | “Consequently, individuals can see opportunities for personal growth aided by the European e-CF and also select appropriate training programmes” [131, p. 37]; “Selecting appropriate educational programs and so on” [137, p. 23]; “addition, practitioners can use a competency model to provide guidance in selecting academic programs and training classes” [125, p. 145]. |
8 | Analysis of workforce and competency gaps | 7 | This category deals with two kinds of gaps: competency and workforce gaps. The qualitatively oriented competency gap analysis deals with the question of which competencies are currently available and which ones are required (in the future). Conversely, the quantitatively oriented workforce gap analysis can determine the gap between the workforce demand and supply. The analysis is not an end in itself. Instead, the analysis is followed by an effort to narrow the diagnosed gaps through appropriate training or hiring. The model by Ardis et al. [125] is especially noteworthy, as it provides dedicated gap analysis worksheets. | “Identifying competence gaps for future requirements is a significant application of the e-CF” [131, p. 10]; “The first spreadsheet (SWECOM Staffing Gap Analysis Worksheet) is for use by managers, human resources personnel, and others who analyze available and needed skills within an organizational unit” [125, p. 25]; “Assessment data can be combined to determine an organisational view of the skills capability that the organisation has and its skills needs, this characterises the ‘skills gap’ and by using a recognised framework it is less open to misinterpretation” [145, p. 14]. |
9 | Communication | 6 | Competency models not only help to improve communication within a company but also communication between policymakers, qualification providers, HR experts, and the IT sector in general. An essential instrument for the establishment of improved communication is a common language. In fact, many models can be used to establish a common language. | “Using the NICE Framework as a fundamental reference will improve the communication needed to identify, recruit, and develop cybersecurity talent” [140, p. 2]; “SFIA gives individuals and organisations a common language to define skills and expertise in a consistent way” [145, p. 5]. |
10 | (Strategic) personnel planning | 5 | Many models state their usefulness for personnel planning in general. Using competency models can assist organizations and companies with (strategic) personnel planning. Drafting and implementing plans related to workforce planning can be facilitated by competency models. Furthermore, competency models support the planning and anticipation of organizations’ future personnel needs. | “Referencing the NICE Framework will help organizations to accomplish strategic workforce planning […]” [140, p. 8]; “The competencies identified may be used in such agency efforts as workforce planning […]” [127, para. 3]. |
11 | HR development | 4 | By employing competency models, organizations and companies can improve HR development. For instance, competency-based development plans aligned with organizations’ goals can be drafted and implemented. | “Organizations or sectors can use the NICE Framework to […] define or provide guidance on different aspects of workforce development” [140, p. 10]. |
12 | Performance management | 3 | Using competency models can support organizations’ performance management. In effect, models state their general supportive power regarding performance management without going into detail. | “The competencies identified may be used in such agency efforts as performance management” [127, p. 2]. |
13 | Policymaking | 2 | This category emphasizes that competency models can be effective and useful tools for policy initiatives. For instance, the Netherlands used the e-CF [132] to develop its national e-skills strategy and Estonia used the e-CF as the basis for occupational qualification standards. | “The examples from the European level, Estonia, the Netherlands and Ireland show how the e-CF can serve as a useful basis for policy making for the ICT workforce in different environments” [131, p. 53]. |
14 | Reward and compensation | 2 | Using competency models to reward and compensate employees is another useful application area. Included in this category are specific measures to implement reward and compensation mechanisms, such as job family models, job grading, and job evaluation. In essence, competency models can form the basis for such instruments. | “It is essential that individuals and service providers are recognised for their performance, whether through salary and benefits, bonus schemes or feedback and SFIA can form the basis of such mechanisms” [145, p. 15]. |
15 | Talent management | 2 | Two models [145, 151] indicate that line managers and HR professionals can use them for talent management. Furthermore, this category covers succession planning, which is mentioned by SFIA [145]. | “Developing succession plans” [145, p. 9]; “[…] can be used to establish a baseline for the DHS Cybersecurity Workforce Initiative (CWI) and inform […] talent management activities for cybersecurity roles across DHS” [151, p. 4]. |
16 | Instruction | 1 | This category deals with the possibilities offered by competency models in terms of the creation of group-specific instructional materials to support cybersecurity professionals. | “A technology provider can then create appropriate support materials to assist members of the cybersecurity workforce in the proper configuration and management of their products” [140, p. 14]. |
17 | Developing models and mapping | 1 | In addition to using existing models, models can be used to create new models. Furthermore, models can be used to map qualifications and career pathways, for instance. | “Creating discipline-specific competency frameworks aligned to a global standard” [145, p. 10]. |
18 | Organization design and target operating model | 1 | Designing and validating organizational structures and target operating models is another application area of competency models. | “SFIA can be used to design and validate proposed organisation designs and target operating models” [145, p. 11]. |
Subsequently, several target groups were identified, including job seekers, technical professionals, HR experts, qualification providers, and students. To understand how target groups can use competency models, we investigated the relationships between the target groups’ subcategories and the subcategories of usage by looking for co-occurrences. The findings indicate that most target groups can use competency models in several ways. Although market researchers and legislative bodies constitute target groups, the examination did not find any concrete use for these groups. Considering these findings, Table 5 presents a matrix that relates target groups to usages.
Target groups (table columns): Organizations & companies, Technical professionals, HR experts, Qualification providers, Managers, Students, Certification providers, Educational experts, Job seekers, Authorities, Policymakers, Consultants, Professional bodies, Leaders.

Usage | Number of target groups marked (X) |
---|---|
Learning and competency development | 4 |
Assessment | 5 |
Development and evaluation of qualification programs | 3 |
Career management | 5 |
Recruitment and selection | 2 |
Job/role profiles and job ads | 3 |
Guide to qualification programs | 6 |
Analysis of workforce and competency gaps | 5 |
Communication | 9 |
(Strategic) personnel planning | 3 |
HR development | 1 |
Performance management | 1 |
Policymaking | 1 |
Reward and compensation | 2 |
Talent management | 2 |
Instruction | 1 |
Developing models and mapping | 1 |
Organization design and target operating model | 1 |
4.3 CyBOK Categories and KAs
As mentioned previously, the CyBOK [94] consists of 19 KAs grouped under five categories. To evaluate the content of competency models, we transformed these categories and KAs into a deductive category system and applied the system to the material. After the coding process, the categories were quantitatively evaluated. Figure 6 shows the category frequencies of the five CyBOK categories. The category “human, organizational, and regulatory aspects” topped the list of the most frequently coded KAs and was followed by the CyBOK category “attacks and defenses.” The categories “infrastructure security” and “systems security” were the least frequently named topics. Evaluating the codings quantitatively, we discovered an imbalance in terms of content. In fact, the competency models analyzed favored less technical content.
To further analyze the models’ content, we conducted a simple configuration according to Kuckartz [70]. Figure 7 shows nine code configurations. Interestingly, the most frequent code configuration was formed by all five CyBOK categories. Put another way, many models included content covering a diverse set of knowledge and competencies, ranging from systems security to regulatory aspects. Excepting two models, most of the models included content related to at least two CyBOK categories. Moreover, the CyBOK category “human, organizational, and regulatory aspects” ran through all code configurations except two. Similarly, most of the configurations, except three, contained the CyBOK category “attacks and defenses.”
Separating the CyBOK categories into 19 KAs allowed the content to be analyzed in more detail. After the coding process, the material was not only reduced to 19 categories describing the models’ content from a bird’s-eye view but also quantitatively evaluated. Figure 8 shows a bar chart revealing the category frequencies of the 19 CyBOK areas. The most frequently coded KA was “security operations and incident management,” which was followed by “risk management and governance” and “secure software lifecycle.” Noticeably, the remainder of the categories occurred to a considerably lesser extent. As with the five CyBOK categories, the quantitative evaluation of the 19 KAs revealed an imbalance in terms of content coverage. By comparison, areas such as “risk management and governance” and “security operations and incident management” were emphasized much more than the more technically oriented areas, such as “hardware security” and “physical layer and telecommunications security.”
4.4 Evaluation of Competency Models
Inspired by Plessius and Ravesteyn [91], we evaluated the competency models regarding content coverage. Assuming that the CyBOK areas represented the full range of possible cybersecurity topics, we used the 19 CyBOK categories as a deductive coding scheme to uncover the models’ content coverage. Because models that integrate security content do not claim to be exhaustive, the evaluation process focused on stand-alone models. Table 6 presents the results of the evaluation. In Table 6, the models are ordered by date, beginning with the oldest model. Note that Table 6 indicates the presence of a specific KA, not the extent to which the models cover the KA.
Release date | 2008 | 2010 | 2011 | 2012 | 2013 | 2013 | 2014 | 2015 | 2017 | 2018 | 2019 | 2019 | 2020 |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Competency model reference | [150] | [148] | [127] | [151] | [135] | [149] | [130] | [144] | [140] | [138] | [153] | [136] | [141] |
Number of covered KAs | 11 | 9 | 16 | 8 | 6 | 14 | 11 | 6 | 16 | 7 | 18 | 3 | 4 |
Number of missing KAs | 8 | 10 | 3 | 11 | 13 | 5 | 8 | 13 | 3 | 12 | 1 | 16 | 15 |

KA | Number of models (of 13) in which the KA is present |
---|---|
Physical layer & telecommunications security | 3 |
Cyber-physical systems security | 2 |
Hardware security | 3 |
Network security | 9 |
Secure software lifecycle | 10 |
Web & mobile security | 4 |
Software security | 10 |
Authentication, authorization, & accountability | 7 |
Distributed systems security | 2 |
Operating systems & virtualization security | 4 |
Cryptography | 5 |
Forensics | 9 |
Security operations & incident management | 13 |
Adversarial behaviors | 3 |
Malware & attack technologies | 5 |
Risk management & governance | 13 |
Privacy & online rights | 6 |
Law & regulation | 11 |
Human factors | 10 |
As shown in Table 6, none of the competency models were exhaustive (i.e., no model studied could be considered complete in terms of content coverage). Missing only one KA, the Cybersecurity Competency Model [153] came closest to being complete. Additionally, the NICE Framework [140], as well as the Competency Model for Cybersecurity [127], omitted relatively few areas compared to other models (e.g., [136, 141]). Consequently, some models offered a general view of cybersecurity, whereas others were better understood as specialized models. However, although models differed, all of the models contained content relating to the KAs “security operations and incident management” and “risk management and governance.” To a lesser extent, the KAs “secure software lifecycle,” “software security,” and “human factors” also represented common ground. Last, each KA was addressed by two models at least.
4.5 Definitions of the Concept of Competency and Proficiency Levels
In the next step, we coded all of the text passages that provided clarification on the concept of competency. Of the 27 models, only 10 actually defined the term explicitly; the rest refrained from doing so. To better understand the competency construct, we examined the characteristics of the coded passages. Inspection of Table 7 reveals that the term is associated with various features, ranging from learnability to measurability, yet no single coded definition of the competency construct contained all of the attributes listed in Table 7. Instead, the list serves as an overview of all of the possible characteristics that a definition of the term competency could provide. To further elaborate on the characteristic “gradual expression,” we extracted the number of competency levels from each model. Table 8 shows that between two and seven competency levels were deployed to express different degrees of proficiency. Approximately half of the models did not group behavioral indicators into varying levels of proficiency.
# | Characteristic | Example of Coded Segments |
---|---|---|
1 | Learnability | “Competency—A cluster of related knowledge, skills, and abilities that affects a major part of one’s job (a role or responsibility), […] that can be improved through training, development, and experience” [153, p. 4]. |
2 | Contextualization | “IT COMPETENCIES = (KNOWLEDGE + SKILLS + DISPOSITIONS) IN CONTEXT” [147, p. 31]. |
3 | Interplay of different attributes | “The term competency represents the set of knowledge, skills, and effectiveness needed to carry out the job activities associated with one or more roles in an employment position” [135, p. 3]. |
4 | Measurability | “Competency—A cluster of related knowledge, skills, and abilities, […] that can be measured against well-accepted standards” [153, p. 4]. |
5 | Sustainability | “Competence is a durable concept, […] the e-CF remains durable requiring maintenance approximately every three years to maintain relevance” [132, p. 5]. |
6 | Gradual expression | “Competency: the demonstrated ability to perform work activities at a stated competency level” [125, p. 23]. |
7 | Competency as a prerequisite for achievement | “[…] the set of knowledge, skills, and effectiveness needed to carry out the job activities […]” [135, p. 3]. |
4.6 Competency Classes
A common way to categorize competencies is to use competency classes. After inductively constructing 240 competencies, we counted the competencies per competency class. As shown in Figure 9, the class “professional competencies,” encompassing those competencies associated with the solution of domain-related technical problems, was the largest general competency category. Examples of professional competencies are, inter alia, penetration testing, risk management, cloud security, and secure operating systems. Although the analysis identified a large set of professional competencies, only a few competencies were assigned to the classes “methodological competencies” (e.g., problem solving), “social competencies” (e.g., teamwork), and “personal competencies” (e.g., self-control). Since only 13 methodological, 10 social, and 17 personal competencies were identified in the analysis, it can be stated that competency models included a limited variety of nonprofessional competencies required by security experts.
Subsequently, we conducted a simple code configuration [70] to analyze the relationship between competency classes and models. By performing a simple configuration, code combinations can be examined. In other words, code configurations provide information about which competency classes are present in the respective competency models. Inspection of Figure 10 reveals that of the 27 models, most models only included professional competencies (18). Conversely, only a small number of models (4) covered the complete range of competency classes. Moreover, all of the other possible code configurations were addressed by two models at most. Consequently, methodological, social, and personal competencies for security professionals were not only underrepresented compared to professional competencies in terms of variety but also seldom covered in competency models in general.
4.7 Competencies
The analysis identified a unique set of 240 competencies. To elaborate on the competency descriptions for each of the 240 competencies, we conducted a category-based evaluation [70]. In essence, we listed all material under one category and summarized the material’s meanings in a few sentences. When formulating the descriptions, we ensured that all definitions followed the same sentence structure and expressed the competency in an observable manner. Constructing all competencies based on this approach led to the formation of a competency pool, which can be found on Zenodo [8]. It is worth mentioning that the competencies extracted from the models did not prescribe any technologies to be used. Table 9 provides examples of competencies with their respective descriptions and associated KAs. For instance, with regard to the competency “network defense,” cybersecurity experts should be able to design, maintain, install, and apply a range of network defense systems. As regards the competency “secure design,” experts should be able to apply different design principles and perform threat modeling. Regarding the competency “malware analysis and defense,” security professionals are required to analyze different features of malicious software and combat malware.
To identify the category frequencies of each competency, we conducted a quantitative evaluation. By calculating category frequencies, a list of the 20 most frequently coded competencies could be produced. Inspection of Figure 11 reveals that although no competency was shared by all 27 models, the competency “risk management” topped the list of the most coded competencies and was followed by the competencies “risk assessment” and “incident management.”
# | KA | Competency | Description |
---|---|---|---|
1 | Network security | Network defense | The cybersecurity professional designs, maintains, installs, and applies a range of network defense systems, including firewalls, intrusion detection systems, network monitoring, network hardening, network access controls, and grid sensors to detect and respond to threats to protect networks and network traffic. The professional recognizes potential conflicts between systems and reports network events on a daily basis. |
2 | Software security | Prevention of software vulnerabilities | The cybersecurity professional practices defensive and secure programming and uses secure programming languages to prevent the introduction of software vulnerabilities. The expert is aware of the consequences associated with disregarding the rules on secure and defensive programming. The expert comments on and documents defensive programming practices and follows the rules of secure programming. He is able to develop new guidelines for secure programming and review and approve guidelines. |
3 | Secure software lifecycle | Secure design | The cybersecurity professional follows recommended design principles for creating secure systems and uses secure design patterns. The expert understands, evaluates, compares, and applies a number of secure design principles (e.g., open design, isolation, mediation, least privilege). The expert performs threat modeling and identifies the attack surface of the systems. The expert is able to incorporate various security strategies (e.g., defense in depth, access control mechanisms, and encryption of sensitive data) into the design and ensures a balance between security, functional, and quality requirements. |
4 | Malware & attack technologies | Malware analysis & defense | The cybersecurity professional is able to analyze the behavior, capabilities, interactions, intentions, features, and characteristics of malicious software and threats. The professional is also able to develop and successfully apply defense and mitigation strategies and techniques to combat malware. He performs static and dynamic analyses and isolates and removes malware. |
Interestingly enough, the competencies listed were associated with only eight areas of expertise: “risk management and governance,” “security operations and incident management,” “network security,” “human factors,” “law and regulations,” “forensics,” “secure software lifecycle,” and “software security.” The remaining KAs are not covered in Figure 11. Similarly, nonprofessional competencies, such as teamwork and stress tolerance, do not appear on the list. Consequently, the ranking of competencies shows that not only was the level of diversity of nonprofessional competencies lower than that of professional competencies but also their level of importance.
5 NEW COMPETENCY MODEL
This section introduces an evidence-based competency model for information security and cybersecurity professionals. The section presents the details of the design, which are followed by the results of the validation stage.
5.1 Competency Model for Information Security and Cybersecurity Professionals
By transforming the empirically developed category system into a competency model, we produced the competency model for information security and cybersecurity professionals, which is shown in Figure 12. The four competency classes serve as the high-level structure of the model. Unlike the nonprofessional competency classes, the professional competency class was divided into additional subcategories according to the structure of the CyBOK. As the CyBOK areas were insufficient to incorporate all of the identified competencies, we added three additional areas: physical security, job-specific skills, and CyBOK introduction. The latter refers to the foundational professional competencies of the security domain. The competency dimension of job-specific skills highlights the need for professional competencies beyond the security domain (e.g., technology watching). By design, the model incorporates not only professional competencies but also social, personal, and methodological competencies, thereby providing a holistic view of the competency profile of a cybersecurity expert. Furthermore, the model can be considered exhaustive, as the model’s content covers all of the CyBOK areas. In that regard, the proposed model is unique. As shown previously, none of the existing models fulfill this criterion.
When constructing the model, we did not include all 240 competencies. Instead, we selected the three most frequently mentioned competencies per KA from the generated pool. This approach is in line with the advice of the scientific literature, which recommends a manageable number of competencies [20, 75]. In sum, the model displays 72 competencies, which are underpinned with up to six competency indicators expressing the competency in action. Although we set a size limit, we consider this model to be a minimal framework that is expandable. For example, additional competencies from the competency pool could be added to the model. Regarding the definition of the competency construct, the model refers to the definition of Weinert [116]. Due to limited space, the full model, an in-depth description, and key data are provided online [8].
5.2 Curricular Validation
Overall, the model proved to be applicable to the categorization of the curricular content of 10 Austrian security programs. When checking for curricular validity, we found that most of the content of the 10 Austrian curricula could be integrated into the competency model. Consequently, the competencies of our model matching with competency aspects of the curricula reflect a significant number of abilities that are thought to be relevant to information security and cybersecurity experts and can be considered as approved on that basis. Table 10 provides a brief overview of the coding results. However, 11 competencies of the competency model for information security and cybersecurity experts were not mentioned in the curricula (e.g., customer service and technical support, hardware testing, secure hardware design, personal information, and creative thinking). At the same time, it also became apparent that it was impossible to integrate all curricular content into the model immediately, and some of the competencies suggested in the curricula were missing from the proposed model. Hence, 25 new competencies had to be developed inductively to be able to integrate all of the curricular content. Table 11 provides an insight into some of the newly developed competencies. Concerning the competency areas and dimensions, the structure of the model proved to be sufficient to categorize the competencies emerging from the curricular analysis.
# | Competency | Coded Segment(s) |
---|---|---|
1 | Research | This course teaches students about the basic principles of scientific work in the field of applied computer science [155]. |
2 | Network defense | Firewalling and packet filtering (stateless filtering and stateful packet inspection) [159]; students can select security components, such as firewalls, demilitarized zones, and VPN gateways for the corresponding requirements and integrate them into existing networks [161]. |
3 | Secure development | Students should learn the basic software engineering principles for the development of secure software systems [155]; secure software development UE [154]; the graduate of this module has detailed knowledge in dealing with security requirements during the entire software development process [158]. |
4 | Prevention of vulnerabilities | At the end of the ILV, students can define, combine, and use suitable data structures (in the C programming language) for storing and manipulating information in such a way that no security vulnerabilities occur [161]; secure coding [160]; they know basic methods of secure programming in C and can also apply them [157]. |
5 | Risk assessment | The course teaches widely used approaches and techniques for identifying, analyzing, assessing, presenting, and communicating risks [161]; be able to independently conduct risk analyses or lead RA projects and be able to follow and help to shape future developments [158]. |
6 | Legal & regulatory environment | Introduction to the basics of law (structure of the legal order/demarcation between public and private law) [161]. |
7 | Web & mobile defense | Mobile security [156]; hardening using HTTP Header [162]; students can identify the security mechanisms used in current mobile systems (e.g., Android, iOS) [157]. |
8 | Teamwork | They are able to convincingly work in a team [156]; graduates of the master’s program must be able to work effectively in teams [163]. |
9 | Cryptographic overview | Basics of applied cryptography [156]; the lecture covers basic concepts of cryptography, methods of classical cryptography [154]. |
10 | Encryption | Theoretical and practical knowledge of symmetric and asymmetric cryptography and its most important procedures and algorithms [161]; basic procedures for encrypting and decrypting data [154]. |

# | Competency | Coded Segment(s) |
---|---|---|
1 | Self-reflection | Self-reflection [159]; the spectrum ranges from accompanying personality development to reflections [158]. |
2 | Transferability | Transferability: Translating theoretical learning into practical action and at the same time recognizing the possibility and limits of application [161]. |
3 | Economics & ethics | Ethics in economics [154]. |
4 | Corporate culture | After successful completion, students are able to understand the importance of ‘culture’ for a company [162]. |
5 | Physical layer | Electrotechnical basics for data transmission [161]. |
6 | IoT security | Security in the IoT: Threat model in the IoT, concrete attack scenarios, security concepts at organizational and technical levels for manufacturers, service providers, and consumers [158]. |
7 | Embedded security assessment | Embedded security assessment [155]. |
8 | Computer architecture | Boolean algebra, conceptual framework of computer architecture, components of modern computer systems, computer models (von Neumann, Harvard), RISC, CISC, memory hierarchies, memory addressing [157]. |
9 | Data science skills | Sample design, statistical data collection planning, data selection [159]. |
10 | Modeling malicious operations | Classify the attack techniques in the cyber kill chain® [162]; cyber kill chain®, unified kill chain [162]. |
6 DISCUSSION
In this section, we highlight the contribution of our work and relate our results to previous efforts. Additionally, we discuss use cases of the proposed competency model. The section concludes with a reflection on the limitations of the study.
6.1 Discussion in the Context of Literature
To better understand the field of information security and cybersecurity competency modeling, we explored competency models’ characteristics using a QCA. This study addresses the limitations of previous efforts. First, unlike related research, this study analyzes a broad array of competency models, namely 27. Previous research on competency modeling in the information security and cybersecurity domains and beyond [113] has focused on a smaller set of models, ranging from 1 model [14] to 14 models [111]. Second, this study adopts a systematic research method to uncover new, previously missed insights into competency modeling.
First, this study provides a complementary contribution to the discussion on the importance of cybersecurity topics. From this perspective, the competency models’ creators consider “human, organizational, and regulatory aspects” to be more important than knowledge about “systems security” and “infrastructure security.” Diving deeper, we found that less technical content, such as “risk management and governance,” was emphasized more than more technical areas, such as “cyber-physical systems security” and “hardware security.” These results are in line with recent work. Mapping four curricula against the CyBOK areas, Hallett et al. [48] also noticed an overemphasis on the areas “risk management and governance” and “security operations and incident management” in comparison with more engineering-focused areas. Similarly, Cabaj et al. [17] analyzed cybersecurity master’s programs and identified an increased interest in less technical content, such as human, societal, and organizational security. Nevertheless, from the results of other work, we can see that the discussion on the importance of topics continues to be a source of debate. For instance, the work by Parekh et al. [86] highlighted the importance of privacy, ethics, operating system security, and the rooting of trust in hardware. However, the CyBOK areas covering these topics are underemphasized in competency models. Another piece of work [107] analyzing the content of 71 cybersecurity education papers suggested that human, societal, and organizational security are much less important than data security and connection security, for example. In contrast, the present study rather suggests the opposite. Hence, what constitutes the core topics remains controversial at this point.
Next, the findings regarding the competency classes suggest an imbalance that could have profound consequences. Studies analyzing job advertisements have agreed that employers value professional competencies, as well as social, personal, and methodological competencies [13, 87, 92, 93]. Additionally, a recent review of the cybersecurity workforce’s future has argued that the skill set of cybersecurity experts must consist of more than just technical skills [27]. However, social, methodological, and personal competencies are not only underemphasized in number but are also completely missing from many competency models. Consequently, most of the studied competency models paint an incomplete picture of the competencies required in the security domain. Indeed, if security professionals lack personal and social competencies, they may not be successful at work. As discussed by Dawson and Thomson [27], lifelong learning is a valuable personal competency, and the absence of a commitment toward lifelong learning could render a security professional useless as the technology and threat landscape changes. Similarly, an inability to communicate complex security issues to nontechnical personnel and a lack of team playing skills reduce job performance [27]. Therefore, most of the analyzed competency models are only partially suitable for curriculum and workforce development, as they miss essential competency dimensions. Purely subject-oriented competency models must not be the only basis for curriculum and workforce development; they must be complemented by other sources.
The evaluation of the models’ content coverage pointed to a similar problem. As some models provided a general view of the domain and others were better understood as specialist frameworks, curriculum designers must carefully select models for curriculum design. For instance, if a designer wishes to build a program providing a holistic view of the security domain and chooses the work of the Hong Kong Monetary Authority [136] or the Personal Data Protection Commission [141] as the basis, they could achieve the opposite. Conversely, these models could meet expectations if a specialist focus were to be desired. As information about the content of models is crucial for the selection process, we believe that the information provided in Table 6 would facilitate decision making.
In accordance with previous efforts [13, 15], our work suggests that more professional competencies are required in terms of variety than nonprofessional ones (e.g., methodological, social, and personal competencies). Additionally, our findings stress the importance of professional competencies. However, the analysis of job advertisements by Brooks et al. [13] showed that teamwork was the most frequently sought-after competency of a security professional. Additionally, the work of Whitman [118] and Rahhal et al. [93] underscored the importance of soft skills. The World Economic Forum’s list of the top 10 most in-demand skills across industries also stressed the importance of nonprofessional competencies [121]. Nonprofessional competencies, however, do not appear in our top 20 list. However, concerning the importance of domain-specific professional competencies, our results comply, to a large extent, with the results reported in the literature. Similarly to our work, previous work has also suggested that competencies related to risk [13, 55, 93], networks [61, 93], incidents [13, 123], audits [13, 93], vulnerabilities [13, 61], and compliance [13] are among the most important competencies required by security professionals. In summary, although our results disagree with those of related work on the importance of nonprofessional competencies, the findings regarding the importance of professional competencies agree with those of the literature.
Furthermore, this study adds to the discussion on what characterizes a competent cybersecurity professional. First, unlike other efforts [13, 93], we underpinned the competencies with a thick description in an observable manner to provide clarification and avoid confusion. Second, we substantially expanded the set of competencies required in the industry and painted a more nuanced picture of the profession. However, the vast number of competencies could also be indicative of challenges for educational programs. Because a single program cannot promote all 240 competencies, curriculum designers must carefully select the competencies that are most important for security jobs [61].
Last, the findings suggest that competency models could help to tackle the skills gap. Given their uses related to competency development, workforce development, and curriculum design, competency models can help to address many of the pressing issues and challenges facing the cybersecurity education system and the labor market, including outdated curricula [18], the low responsiveness of the education system to changes in the cyber domain [10], the poor alignment between educational and industry requirements [28, 47], the insufficient communication between employers and educational institutions [26], the difficulties in hiring and retaining employees [55], the lack of investment in employees [26, 28], and the lack of clear career pathways [18]. Since competency models are applicable to the education system and the labor market, they can support the elimination of deficits with regard to supply and demand, which, in sum, are at the root of the shortage in skills [28]. With regard to employers, competency models, for example, can help to ensure and sustain the professional development of employees by facilitating the identification of skills gaps and ways to address them, supporting the identification of appropriate training opportunities, and providing a means to manage talent and plan succession. With regard to supply, competency models can support the construction and evaluation of educational programs. By mapping the curriculum against a competency model, curriculum designers can identify gaps and ways to address them. Additionally, competency models can complement proactive, cost-effective curriculum maintenance strategies based on monitoring and integrating changes to certification schemes [65]. Competency models are frequently updated (e.g., the e-CF and the Cybersecurity Competency Model), and considering such updates can strengthen curriculum maintenance efforts. 
In terms of curriculum design, the models facilitate discussion among key stakeholders and provide a clear indication of what cybersecurity professionals should be able to do. Additionally, competency models help to advance the professionalization of individual security occupations. Because a spectrum of different cybersecurity occupations exists, Burley et al. [16] argued against oversimplified one-size-fits-all professionalization mechanisms and recommended tailored occupation-specific activities. When considering occupation-specific activities, competency models can be used to identify occupation characteristics (e.g., competency requirements) and deficits (e.g., competency gaps). Using competency models also addresses some of the disadvantages associated with professionalization activities, such as high barriers to entry based on credentials [16]. In fact, the notion of competency highlights a worker’s actual capacity and job readiness in terms of competencies rather than formal achievements, which provides opportunities for people who have not undertaken formal training but have nevertheless developed competencies informally to enter the cybersecurity labor market [16, 71]. Therefore, we believe that the competency model analysis helps to address workforce issues, especially the qualitative aspects of the issues.
6.2 Application Scenarios
In this section, we wish to draw attention to the potential applications and uses of the competency model for information security and cybersecurity professionals. In principle, the model can be used in all application scenarios identified during the competency model analysis. However, here, rather than discussing all applications in detail, we focus on two important application scenarios and conclude by highlighting the model’s ability to narrow the skills gap. Tailoring the model to the concrete context could be beneficial when using the framework. For example, organizations could pick competencies linked to their missions and goals [20]. Educational staff might wish to adapt the model to fit with the regional and national contexts or the institute’s capacities.
Developing and evaluating qualification programs is one of the main applications of the competency model. The competencies of the model used to define programs’ learning outcomes constitute in-demand abilities that are not technology-specific. Consequently, curricula based on those competencies not only align with industry needs but are also more sustainable than curricula focusing on specific tools, as they are less subject to technological advances [13]. Moreover, as pure knowledge is insufficient to meet industry expectations [103], educational programs must provide opportunities to develop competencies. To support competency development, educational experts must rethink the learning culture. Competencies cannot be traditionally taught, and they can only be developed through hands-on experience in authentic learning environments [63]. Authentic learning environments and tasks can be constructed using the competency model’s behavioral indicators. These indicators suggest how a competency unfolds in action and provide guidance for creating test items and learning tasks. The nature of the learning task (well defined versus ill defined) and the learner’s familiarity with the task are hypothesized to influence the integration process of knowledge, skills, and attitudes (e.g., low-road integration and transformative integration) [5]. Hence, designers should think carefully about the nature of the task. In addition to serving as a tool for the creation of new curricula and content, the competency model is helpful in analyzing existing programs. As outdated curricula are seen as one rationale for the shortages in the security workforce [29, 94], evaluating the currency of curricula is imperative. The proposed model provides a holistic and up-to-date view of the security domain, making the model particularly useful in evaluating educational programs.
Competency models form the basis for competency-based HR management in organizations. Competency-based HR management aims to inform and improve HR systems, including recruitment and selection systems [3]. Evidence has suggested that recruiting competent cybersecurity experts is challenging for organizations [29, 55]. Our model can help to improve the effectiveness and efficiency of recruiting and selecting talent inside and outside the organization. By using the model’s competencies as building blocks for constructing job profiles, recruiters do not have to build profiles from scratch. Moreover, the competency model helps to build attractive job descriptions. Because the competencies have been defined and anchored with indicators to avoid misunderstandings, they are particularly useful in communicating an organization’s needs and attracting candidates who fit the profile. However, when informally studying job advertisements, we found that many organizations do not use a structured process to convey the meaning of competencies. By using the model, organizations can avoid this problem. Additionally, the competencies can be used in competency-based interviews during selection. Again, the behavioral indicators are particularly useful for this process and should help HR experts to decide which candidate should be appointed to the job in question. Consequently, using the model reduces the risk of recruiting and selecting the wrong people, thereby helping to avoid increased costs.
Moreover, the competency model can facilitate other approaches to narrowing the skills gap. For example, some organizations do not exactly know which qualifications and certifications are required for a particular job [42]. By mapping the qualifications and certifications against the competency model, organizations can determine which competencies are actually covered by the educational programs and sort out those requirements and certifications in the job advertisements that do not fit the role. This way, organizations can avoid mismatches [42]. Similarly, by mapping external educational platforms against the model, organizations can compare their offerings and find the training that best fits employees’ training needs. In doing so, organizations ensure cost-effective professional development and retain indispensable personnel. To satisfy workforce needs, the literature has also recommended the hiring of applicants with nontraditional backgrounds [26]. In this case, the competencies of the model are well suited to the assessment and validation of the person’s abilities and support decision making regarding the applicant’s employability. With regard to education, using the model to align industry requirements with educational efforts facilitates the development of cybersecurity experts with sought-after competencies who successfully transition from an academic environment to the industry. To resolve the tension between education and training [24], which represents a long-standing issue in alignment efforts, educational designers can construct authentic learning environments through practical tasks, group work, or internships, for example, using the model’s competencies. Last, the model can serve as a source of input for future competency-based cybersecurity curriculum guidelines and standards.
6.3 Limitations
The main issues related to threats to the validity of this article are an inaccurate category system and an incomplete dataset. Potential issues during the process of searching for and selecting sources can arise from limitations of the search terms, the databases used, and biases when applying inclusion and exclusion criteria. To minimize biases when applying inclusion criteria, we discussed controversial sources as a team and made consensus-based decisions. To minimize the risk of sources being missing, we used formal search terms and considered synonyms, which was followed by full forward and backward snowballing. Moreover, we used a wide range of databases to avoid issues resulting from the limitations of the search engines. The exclusive use of Austrian curricula to validate the competency model threatened external validity. The question concerns whether the curriculum corpus is up to date and covers all types of competencies. In that respect, we argue that the curricula contained enough information to map almost all of the competencies of the competency model. Hence, we are confident that the outcome of these processes constitutes a solid and inclusive basis.
Now, we wish to discuss the validity of the category system. Concerning inductive categories, signs of validity issues are high coding frequencies of residual categories, disproportionately high coding frequencies of subcategories, and disproportionate abstract categories [101]. The validity of the inductive categories is supported by the fact that no residual categories were used. Furthermore, disproportionately high frequencies for one subcategory within a main category were absent in most cases. However, in cases where they were not absent, we are confident that it was not a sign of an undifferentiated category but rather an empirical finding. This assumption is supported by the sheer number of inductive categories, which also indicate appropriate abstraction and differentiation. For evaluation, the second author, who was familiar with the study’s objectives and the procedure of content analysis, reviewed the category system so that the coding frame could also be considered valid from an expert’s perspective. Hence, we consider the validity of the category system as approved.
7 CONCLUSION
This work focuses on analyzing competency models related to the information security and cybersecurity domains and also introduces an evidence-based competency model for information security and cybersecurity professionals. The work’s findings shed light on several previously missed characteristics and provide new insights into the current state of security competency models. According to the results, target groups can use the models in many different ways, from policymaking to performance management. Thematically, the models emphasize the CyBOK areas “security operations and incident management” and “risk management and governance.” Less attention is paid to more technically oriented KAs, such as “hardware security.” In this work, in total, we extracted 240 competencies from existing models, with most of the competencies falling into the class “professional competencies.” As many models only reduce the qualities of a security expert to professional competencies, they paint an inaccurate picture of the security domain. Additionally, the studied models are not exhaustive in terms of content coverage. Addressing these limitations, the proposed competency model provides a holistic view of the security domain by including content covering the full range of competency classes and CyBOK areas. In sum, the model and its competencies are up to date and have already undergone a process of validation.
Our future work will include investigating and exploring the effectiveness of the proposed model in empirical studies to consider implications concerning the usefulness of the model in practical settings. Furthermore, we would like to assess individuals’ general awareness of competency models in organizational and educational contexts. Additionally, we plan to analyze job advertisements based on a category system derived from the competency model. Last, the maintenance of the competency model using, for example, focus groups, online surveys, or subject matter expert groups is necessary to ensure the currency and long-term usefulness of the competency model. To enhance maintenance efforts and stimulate scientific investigation, we have compiled a designated maintenance and replication package [9].
Footnotes
- [1] . 2008. Stepping up the ladder - competence development through e-learning?! In Proceedings of the World Conference on Educational Multimedia, Hypermedia, and Telecommunications (ED-MEDIA’08). 4068–4082.
- [2] . 2019. Foundations of Information Security: A Straightforward Introduction. No Starch Press, San Francisco, CA.
- [3] . 2014. Armstrong’s Handbook of Human Resource Management Practice (13th ed.). Kogan Page, London, UK.
- [4] . 2020. Knowledge, skills, and abilities for specialized curricula in cyber defense: Results from interviews with cyber professionals. ACM Transactions on Computing Education 20, 4 (2020), 1–25.
- [5] . 2011. Integrating knowledge, skills and attitudes: Conceptualising learning processes towards vocational competence. Educational Research Review 6, 2 (2011), 125–134.
- [6] . 2020. Analysis of programming assessments—Building an open repository for measuring competencies. In Proceedings of the 20th Koli Calling International Conference on Computing Education Research (Koli Calling’20). ACM, New York, NY, Article 31, 10 pages.
- [7] . 1994. The goal question metric approach. In Encyclopedia of Software Engineering, (Ed.). John Wiley & Sons, New York, NY, 528–532.
- [8] . 2022. Competency pool and the competency model for information security and cybersecurity professionals. ACM Transactions on Computing Education. Accepted November 2022.
- [9] . 2022. Maintenance/Replication Package. Zenodo.
- [10] . 2021. The cybersecurity labour shortage in Europe: Moving to a new concept for education and training. Technology in Society 67 (2021), 101769.
- [11] . 2020. SFIAplus - IT Skills Framework. British Computer Society. https://www.bcs.org/membership/sfiaplus-it-skills-framework/.
- [12] . 2014. Are there competences every computer scientist should have? In Proceedings of the 2014 IEEE Global Engineering Education Conference (EDUCON’14). IEEE, Los Alamitos, CA, 999–1002.
- [13] . 2018. Information systems security job advertisement analysis: Skills review and implications for information systems curriculum. Journal of Education for Business 93, 5 (2018), 213–221.
- [14] . 2020. An examination of the Skills Framework for the Information Age (SFIA) version 7. International Journal of Information Management 51 (2020), 102058.
- [15] . 2018. ICT skill frameworks: Do they achieve their goals and users’ expectations? Advanced Journal of Professional Practice 1, 2 (2018), 38–47.
- [16] . 2014. Would cybersecurity professionalization help address the cybersecurity crisis? Communications of the ACM 57, 2 (2014), 24–27.
- [17] . 2018. Cybersecurity education: Evolution of the discipline and analysis of master programs. Computers & Security 75 (2018), 24–35.
- [18] . 2013. Plugging the cyber-security skills gap. Computer Fraud & Security 2013, 7 (2013), 5–10.
- [19] . 2011. A Report on e-Competence Frameworks: For the Malta Information Technology Agency MITA. Retrieved March 23, 2020 from https://knowledgeinnovation.eu/wp-content/uploads/2015/05/MITA-eCompetences-Master-2.pdf.
- [20] . 2011. Doing competencies well: Best practices in competency modeling. Personnel Psychology 64, 1 (2011), 225–262.
- [21] . 2015. Competency Models in Action: College Uses Cybersecurity Competency Model to Align and Create Curricula. Retrieved March 3, 2021 from https://www.careeronestop.org/CompetencyModel/Info_Documents/Excelsior-CaseSummary.pdf.
- [22] . 2020. Computing Curricula 2020: Paradigms for Global Computing Education (CC2020). ACM, New York, NY.
- [23] . 2010. National Information Assurance Glossary. Retrieved January 22, 2021 from https://www.hsdl.org/?view&did=7447.
- [24] . 2014. Re-engineering cybersecurity education in the US: An analysis of the critical factors. In Proceedings of the 2014 47th Hawaii International Conference on System Sciences. IEEE, Los Alamitos, CA, 2006–2014.
- [25] . 2017. The data scientist profile and its representativeness in the European e-Competence Framework and the Skills Framework for the Information Age. International Journal of Information Management 37, 6 (2017), 726–734.
- [26] . 2019. The Cybersecurity Workforce Gap. Center for Strategic and International Studies. Retrieved March 22, 2021 from https://www.csis.org/analysis/cybersecurity-workforce-gap.
- [27] . 2018. The future cybersecurity workforce: Going beyond technical skills for successful cyber performance. Frontiers in Psychology 9 (2018), 1–12.
- [28] . 2019. Cybersecurity Skills Development in the EU: The Certification of Cybersecurity Degrees and ENISA’s Higher Education Database. ENISA, Heraklion, Greece. https://www.enisa.europa.eu/publications/the-status-of-cyber-security-education-in-the-european-union.
- [29] . 2014. Cyber Security Skills: Business Perspectives and Government’s Next Steps. HMSO, London, UK. https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/289806/bis-14-647-cyber-security-skills-business-perspectives-and-governments-next-steps.pdf.
- [30] . 2017. Competence-based education and assessment in the accounting profession in Canada and the USA. In Competence-Based Vocational and Professional Education, (Ed.). Springer International, Cham, Switzerland, 273–296.
- [31] . 2013. Usable Cyber Security Competency Framework. Retrieved May 7, 2020 from http://ecesm.net/sites/default/files/Dev%203.2%20-%20Usable%20cyber%20security%20competency%20framework%20%5Bdraft%202016.03.31%5D.pdf.
- [32] . 2008. Competency Models: A Review of the Literature and the Role of the Employment and Training Administration (ETA). Retrieved April 29, 2021 from https://wdr.doleta.gov/research/FullText_Documents/Competency%20Models%20-%20A%20Review%20of%20Literature%20and%20the%20Role%20of%20the%20Employment%20and%20Training%20Administration.pdf.
- [33] , , , and (Eds.). 2017. Handbuch Kompetenzmessung: Erkennen, Verstehen und bewerten von Kompetenzen in der Betrieblichen, pädagogischen und psychologischen Praxis (3rd ed.). Schäffer-Poeschel, Stuttgart, Germany.
- [34] . 2011. A competency framework for the stakeholders of a software process improvement initiative. In Proceedings of the 2011 International Conference on Software and Systems Process (ICSSP’11). ACM, New York, NY, 139–148.
- [35] . 2020. e-Competence Framework (e-CF): A Common European Framework for ICT Professionals in All Sectors: Version 4.0. Retrieved June 27, 2020 from https://standards.cen.eu/dyn/www/f?p=204:110:0::::FSP_PROJECT,FSP_ORG_ID:67073,1218399&cs=1A148766F9EC80CBD3340728E3B8BB892.
- [36] . 2020. Emerging Trends: ENISA Threat Landscape: From January 2019 to April 2020. Retrieved March 22, 2021 from https://www.enisa.europa.eu/publications/emerging-trends.
- [37] . 2020. Main Incidents in the EU and Worldwide: ENISA Threat Landscape: From January 2019 to April 2020. Retrieved April 20, 2021 from https://www.enisa.europa.eu/publications/enisa-threat-landscape-2020-main-incidents.
- [38] . 2018. Is Cybersecurity About More Than Protection? EY Global Information Security Survey 2018–19. Retrieved October 8, 2020 from https://assets.ey.com/content/dam/ey-sites/ey-com/en_ca/topics/advisory/ey-global-information-security-survey-2018-19.pdf.
- [39] . 2016. Chapter one—Security testing: A survey. Advances in Computers 101 (2016), 1–51.
- [40] . 2018. Analysis of the European ICT competence frameworks. In Multidisciplinary Perspectives on Human Capital and Information Technology Professionals, , , and (Eds.). Vol. 160. IGI Global, Hershey, PA, USA, 225–245.
- [41] . 2018. Modelling competencies for computing education beyond 2020: A research based approach to defining competencies in the computing disciplines. In Proceedings Companion of the 23rd Annual ACM Conference on Innovation and Technology in Computer Science Education (ITiCSE’18 Companion). ACM, New York, NY, 148–174.
- [42] . 2021. The cybersecurity workforce and skills. Computers & Security 100 (2021), 102080.
- [43] . 2019. Guidelines for including grey literature and conducting multivocal literature reviews in software engineering. Information and Software Technology 106 (2019), 101–121.
- [44] . 2016. When and what to automate in software testing? A multi-vocal literature review. Information and Software Technology 76 (2016), 92–117.
- [45] . 2011. The German Qualifications Framework for Lifelong Learning. Retrieved November 16, 2021 from https://www.dqr.de/media/content/Der_Deutsche_Qualifikationsrahmen_fue_lebenslanges_Lernen.pdf.
- [46] . 2015. Official (ISC)2 Guide to the CISSP CBK. CRC Press, Boca Raton, FL.
- [47] . 2022. Towards understanding the skill gap in cybersecurity. In Proceedings of the 27th ACM Conference on Innovation and Technology in Computer Science Education Vol 1 (ITiCSE’22). ACM, New York, NY, 477–483.
- [48] . 2018. Mirror, mirror, on the wall: What are we teaching them all? Characterising the focus of cybersecurity curricular frameworks. In Proceedings of the 2018 USENIX Workshop on Advances in Security Education (ASE’18). 1–9.
- [49] . 2006. Kompetenz und kompetenzdiagnostik. In Leistung und Leistungsdiagnostik, (Ed.). Springer, Berlin, Germany, 127–143.
- [50] . 2007. Möglichkeiten und Voraussetzungen technologiebasierter Kompetenzdiagnostik: Eine Expertise im Auftrag des Bundesministeriums für Bildung und Forschung. BMBF, Berlin, Germany.
- [51] . 2014. ICT curriculum and course structure: The great balancing act. In Proceedings of the 16th Australasian Computing Education Conference. 21–30.
- [52] . 2010. Kompetenztraining: Informations- und Trainingsprogramme (2nd ed.). Schäffer-Poeschel, Stuttgart, Germany.
- [53] . 2016. National Cyber Security Strategy 2016-2021. HM Government, London, UK. https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/567242/national_cyber_security_strategy_2016.pdf.
- [54] (ISC)2. 2018. Building a Resilient Cybersecurity Culture: A Dedicated Staff with a Clear Mission Helps Retain and Engage a Cybersecurity Workforce. https://www.isc2.org/-/media/Files/Reports/Building-A-Resilient-Cybersecurity-Culture.ashx?la=en&hash=5BBBD1218138977BF7150E1593319F70B5670B6F.
- [55] (ISC)2. 2018. Hiring and Retaining Top Cybersecurity Talent: What Employers Need to Know About Cybersecurity Jobseekers in 2018. Retrieved March 25, 2021 from https://www.isc2.org/-/media/Files/Research/ISC2-Hiring-and-Retaining-Top-Cybersecurity-Talent.ashx.
- [56] (ISC)2. 2020. Cybersecurity Professionals Stand Up to a Pandemic: (ISC)2 Cybersecurity Workforce Study, 2020. Retrieved March 22, 2021 from https://www.isc2.org/Research/Workforce-Study.
- [57] . 2005. Information Technology, Security Techniques, Code of Practice for Information Security Management. International standard, Vol. ISO/IEC 27002 (2005). ISO/IEC, Geneva, Switzerland.
- [58] . n.d. Information Technology (IT) Specialist (GS-2210) IT Security Competency Model. Retrieved May 8, 2020 from https://docplayer.net/15738823-Information-technology-it-specialist-gs-2210-it-security-competency-model.html.
- [59] . 2012. Validität. In Testtheorie und Fragebogenkonstruktion, and (Eds.). Springer, Berlin, Germany, 143–171.
- [60] . 2017. Cybersecurity Curricula 2017: Curriculum Guidelines for Post-Secondary Degree Programs in Cybersecurity. Version 1.0. Retrieved March 24, 2020 from https://europe.acm.org/binaries/content/assets/education/curricula-recommendations/csec2017.pdf.
- [61] . 2018. The core cyber-defense knowledge, skills, and abilities that cybersecurity students should learn in school: Results from interviews with cybersecurity professionals. ACM Transactions on Computing Education 18, 3 (2018), Article 11, 12 pages.
- [62] . 2003. Zur Entwicklung Nationaler Bildungsstandards: Eine Expertise. BMBF, Berlin, Germany.
- [63] . 2008. Kompetenzkonzepte in den Sozialwissenschaften und im erziehungswissenschaftlichen Diskurs. In Kompetenzdiagnostik, , , and (Eds.). VS Verlag für Sozialwissenschaften, Wiesbaden, Germany, 11–29.
- [64] . 2006. Kompetenzmodelle zur Erfassung individueller Lernergebnisse und zur Bilanzierung von Bildungsprozessen. Beschreibung eines neu eingerichteten Schwerpunktprogramms der DFG. Zeitschrift für Pädagogik 52, 6 (2006), 876–903.
- [65] . 2017. Maintaining a cybersecurity curriculum: Professional certifications as valuable guidance. Journal of Information Systems Education 28, 2 (2017), 101–114.
- [66] . 2014. Visualising career progression for ICT professionals and the implications for ICT curriculum design in higher education. In Proceedings of the 16th Australasian Computing Education Conference. 13–20.
- [67] . 2016. A competency structure model of object-oriented programming. In Proceedings of the 2016 International Conference on Learning and Teaching in Computing and Engineering (LaTICE’16). IEEE, Los Alamitos, CA, 1–8.
- [68] . 2016. Modelling competency in the field of OOP: From investigating computer science curricula to developing test items. In Proceedings of the 1st International Conference on Stakeholders and Information Technology in Education (SAITE’16). 37–46.
- [69] . 2012. Kompetenzmodelle. Hogrefe, Göttingen, Germany.
- [70] . 2018. Qualitative Inhaltsanalyse: Methoden, Praxis, Computerunterstützung (4th ed.). Beltz Juventa, Weinheim, Germany.
- [71] . 2005. What is competence? Human Resource Development International 8, 1 (2005), 27–46.
- [72] . 2008. Searching for studies. In Cochrane Handbook for Systematic Reviews of Interventions Version 5.1.0, and (Eds.). Cochrane, 6.1–6.46. https://crtha.iums.ac.ir/files/crtha/files/cochrane.pdf.
- [73] . 2006. A systems approach to conduct an effective literature review in support of information systems research. Informing Science Journal 9 (2006), 181–212.
- [74] . 2021. A competence-based three-layer cybersecurity education framework and its application. In Proceedings of the ACM Turing Award Celebration Conference—China (ACM TURC’21). ACM, New York, NY, 54–60.
- [75] . 1996. Building competency models: Approaches for HR professionals. Human Resource Management 35, 1 (1996), 7–18.
- [76] . 2009. A framework for improving information assurance education. Communications of the IIMA 9, 1 (2009), 79–90.
- [77] . 2011. Personalentwicklung: Gegenstand, prozessmodell, erfolgsfaktoren. In Praxishandbuch Personalentwicklung, , , and (Eds.). Springer Gabler, Wiesbaden, Germany, 19–34.
- [78] . 2005. Confounded by competencies? An evaluation of the evolution and use of competency models. New Zealand Journal of Psychology 34, 2 (2005), 117–127.
- [79] . 2005. Strategies for developing competency models. Administration and Policy in Mental Health 32, 5-6 (2005), 533–561.
- [80] . 2015. Qualitative Inhaltsanalyse: Grundlagen und Techniken (12th ed.). Beltz Verlag, Weinheim, Germany.
- [81] . 1973. Testing for competence rather than for “intelligence.” American Psychologist 28, 1 (1973), 1–14.
- [82] . 2016. State-level views on professional competencies in the field of IoT and cloud information security. In Proceedings of the 4th International Conference on Future Internet of Things and Cloud Workshops (FiCloudW’16). IEEE, Los Alamitos, CA, 83–90.
- [83] . 2002. The Art of Deception: Controlling the Human Element of Security. Wiley Publishing, Indianapolis, IN.
- [84] . 2020. An analysis of the horizontal and vertical consistency of ICT skill standards in selected countries and regions. International Journal of Innovation, Creativity and Change 11, 11 (2020), 132–146.
- [85] . 2013. A competency framework for software development organizations. In Proceedings of the 2013 UKSim 15th International Conference on Computer Modelling and Simulation. IEEE, Los Alamitos, CA, 507–511.
- [86] . 2018. Identifying core concepts of cybersecurity: Results of two Delphi processes. IEEE Transactions on Education 61, 1 (2018), 11–20.
- [87] . 2019. Skills requirements for cyber security professionals: A content analysis of job descriptions in South Africa. In Information Security: 17th International Conference (Pretoria, South Africa, August 15–16, 2019), , , , , and (Eds.). Springer International Publishing, Cham, Switzerland, 176–192.
- [88] . 2018. Global perspectives on cybersecurity education for 2030: A case for a meta-discipline. In Proceedings Companion of the 23rd Annual ACM Conference on Innovation and Technology in Computer Science Education (ITiCSE’18 Companion). ACM, New York, NY, 36–54.
- [89] . 1993. Beyond abilities: A dispositional theory of thinking. Merrill-Palmer Quarterly 39, 1 (1993), 1–21.
- [90] . 2014. Competence as a key concept of educational theory: A semiotic point of view. Journal of Philosophy of Education 48, 4 (2014), 621–636.
- [91] . 2016. Mapping the European e-Competence Framework on the domain of information technology: A comparative study. In BLED 2016 Proceedings. 1–13.
- [92] . 2015. What skills do you need to work in cyber security? In Proceedings of the 2015 ACM SIGMIS Conference on Computers and People Research (SIGMIS-CPR’15). ACM, New York, NY, 67–72.
- [93] . 2019. Analyzing cybersecurity job market needs in Morocco by mining job ads. In Proceedings of the 2019 IEEE Global Engineering Education Conference (EDUCON’19). IEEE, Los Alamitos, CA, 535–543.
- [94] , , , , and (Eds.). 2019. CyBOK: The Cyber Security Body of Knowledge: Version 1.0. Retrieved March 23, 2020 from https://www.cybok.org/media/downloads/CyBOK-version-1.0.pdf. Accessed April 4, 2023.
- [95] (Ed.). 2006. Software Assurance: A Guide to the Common Body of Knowledge to Produce, Acquire and Sustain Secure Software: Version 1.1. U.S. Department of Homeland Security.
- [96] . 2016. Bildungsstandards Informatik für die Sekundarstufe II: Beilage zu LOG IN, 36. Jg. (2016), Heft Nr. 183/184. Retrieved April 1, 2020 from https://informatikstandards.de/standards/bildungsstandards-informatik-fuer-die-sekundarstufe-ii.
- [97] . 2016. Strategisches Kompetenzmanagement 2.0: Potenziale nutzen—Performance steigern. Springer Gabler, Wiesbaden, Germany.
- [98] . 2007. Das kompetenzmodell auf basis des wertequadrats: Motor von Veränderungen in Unternehmen. In Entwicklungsquadrat—Theoretische Fundierung und praktische Anwendungen, (Ed.). Hogrefe, Göttingen, Germany, 223–244.
- [99] . 2000. The practice of competency modeling. Personnel Psychology 53, 3 (2000), 703–740.
- [100] . 2010. Towards a prague definition of grey literature. In Proceedings of the 12th International Conference on Grey Literature: Transparency in Grey Literature. 11–26.
- [101] . 2012. Qualitative Content Analysis in Practice. SAGE, London, UK.
- [102] . 2014. Software engineering body of skills (SWEBOS). In Proceedings of the 2014 IEEE Global Engineering Education Conference (EDUCON’14). IEEE, Los Alamitos, CA, 395–401.
- [103] . 2015. Towards a digital forensics competency-based program: Making assessment count. In Proceedings of the Annual ADFSL Conference on Digital Forensics, Security, and Law. 193–204.
- [104] . 2010. From task-based to competency-based: A typology and process supporting a critical HRM transition. Personnel Review 39, 3 (2010), 325–346.
- [105] . 2008. Addressing reporting biases. In Cochrane Handbook for Systematic Reviews of Interventions Version 5.1.0, and (Eds.). Cochrane, 10.1–10.33.
- [106] . 2013. A critical review of the science and practice of competency modeling. Human Resource Development Review 12, 1 (2013), 86–107.
- [107] . 2020. What are cybersecurity education papers about? In Proceedings of the 51st ACM Technical Symposium on Computer Science Education. ACM, New York, NY, 2–8.
- [108] . 2017. Renewable Energy Competency Model. Retrieved September 02, 2022 from https://www.careeronestop.org/CompetencyModel/competency-models/renewable-energy.aspx.
- [109] . 2003. Competencies: The triumph of a fuzzy concept. International Journal of Human Resources Development and Management 3, 2 (2003), 125–137.
- [110] . 2007. Competences and vocational higher education: Now and in future. European Journal of Vocational Training 40, 1 (2007), 67–82.
- [111] . 2010. A comparative analysis of competency frameworks for youth workers in the out-of-school time field. Child Youth Care Forum 39, 6 (2010), 421–441.
- [112] . 2013. From information security to cyber security. Computers & Security 38 (2013), 97–102.
- [113] . 2012. A comparative analysis of international frameworks for 21st century competences: Implications for national curriculum policies. Journal of Curriculum Studies 44, 3 (2012), 299–321.
- [114] . 1999. Definition and Selection of Competencies: Concepts of Competence. OECD, Paris, France.
- [115] . 2001. Concept of competence: A conceptual clarification. In Defining and Selecting Key Competencies, and (Eds.). Hogrefe & Huber, Seattle, WA, 45–65.
- [116] . 2001. Vergleichende leistungsmessung in schulen—Eine umstrittene Selbstverständlichkeit. In Leistungsmessung in Schulen, (Ed.). Beltz, Weinheim, Germany, 17–32.
- [117] . 2016. Development of a systems engineering career competency model for the U.S. Department of Defense. INCOSE International Symposium 26, 1 (2016), 1864–1874.
- [118] . 2018. Industry priorities for cybersecurity competencies. Journal of the Colloquium for Information System Security Education 6, 1 (2018), 1–21.
- [119] . 2009. Principles of Information Security (3rd ed.). Course Technology, Boston, MA.
- [120] . 2006. Typology of Knowledge, Skills and Competences: Clarification of the Concept and Prototype. Office for Official Publications of the European Communities, Luxembourg.
- [121] . 2018. The Future of Jobs Report 2018. World Economic Forum, Geneva, Switzerland. https://www.weforum.org/reports/the-future-of-jobs-report-2018.
- [122] . 2019. Guidance on conducting a systematic literature review. Journal of Planning Education and Research 39, 1 (2019), 93–112.
- [123] . 2019. Cyber security skill set analysis for common curricula development. In Proceedings of the 14th International Conference on Availability, Reliability, and Security (ARES’19). ACM, New York, NY, 1–8.
- [124] . 2021. A meta-model of cybersecurity curriculums: Assessing cybersecurity curricular frameworks for business schools. Journal of Education for Business 96, 2 (2021), 99–110.
- [125] . 2014. Software Engineering Competency Model: SWECOM: A Project of the IEEE Computer Society. IEEE, Los Alamitos, CA. https://www.computer.org/volunteering/boards-and-committees/professional-educational-activities/software-engineering-competency-model. Accessed April 4, 2023.
- [126] . 2016. Skills Framework. Retrieved May 5, 2020 from https://de.scribd.com/document/538786458/axelos-skills-framework-light. Accessed April 4, 2023.
- [127] . 2011. Competency Model for Cybersecurity. Retrieved April 22, 2020 from https://www.chcoc.gov/content/competency-model-cybersecurity.
- [128] . 2012. 2012 Clinger-Cohen Core Competencies & Learning Objectives. Retrieved April 19, 2020 from https://s3.amazonaws.com/sitesusa/wp-content/uploads/sites/1151/2016/10/2012-Learning-Objectives-Final.pdf.
- [129] . 2011. Information Systems Roles in Large Companies: HR Nomenclature—2011. Retrieved March 24, 2020 from https://www.cigref.fr/cigref_publications/RapportsContainer/Parus2011/2011_IS_roles_in_large_companies_HR_nomenclature_CIGREF_EN.pdf.
- [130] . 2014. Competency Model for Information Technology Occupation: Security Analyst. Retrieved April 2, 2020 from https://dli.mn.gov/sites/default/files/pdf/it-sec-analyst.pdf. Accessed April 4, 2023.
- [131] . 2014. Case Studies for the Application of the e-CF 3.0: A Common European Framework for ICT Professionals in All Industry Sectors. Retrieved March 25, 2020 from https://www.myecole.it/biblio/wp-content/uploads/2020/11/Case_studies_e-CF_3.0_CEN_CWA_16234-4_2014.pdf. Accessed April 4, 2023.
- [132] . 2014. European e-Competence Framework 3.0: A Common European Framework for ICT Professionals in All Industry Sectors. Retrieved March 25, 2020 from https://www.aicanet.it/documents/10776/141330/European-e-Competence-Framework-3.0_CEN_CWA_16234-1_2014.pdf/408848f2-a045-4c88-999f-1d7280d12ee8. Accessed April 4, 2023.
- [133] . 2014. User Guide for the Application of the European e-Competence Framework 3.0: A Common European Framework for ICT Professionals in All Industry Sectors. Retrieved March 25, 2020 from https://www.myecole.it/biblio/wp-content/uploads/2020/11/User-guide-for-the-application-of-the-e-CF-3.0_CEN_CWA_16234-2_2014.pdf. Accessed April 4, 2023.
- [134] . 2014. Information Technology Competency Model of Core Learning Outcomes and Assessment for Associate-Degree Curriculum: Technical Report. ACM, New York, NY. http://ccecc.acm.org/files/publications/ACMITCompetencyModel14October201420150114T180322.pdf.
- [135] . 2013. Software Assurance Competency Model. Retrieved May 5, 2020 from https://resources.sei.cmu.edu/asset_files/TechnicalNote/2013_004_001_47965.pdf.
- [136] . 2019. Update on Enhanced Competency Framework on Cybersecurity. Retrieved May 10, 2020 from https://www.hkma.gov.hk/media/eng/doc/key-information/guidelines-and-circular/2019/20190110e1.pdf.
- [137] . 2016. IT Human Resources Development: i Competency Dictionary (iCD). Retrieved May 2, 2020 from https://www.ipa.go.jp/english/humandev/icd.html.
- [138] . 2018. IISP Skills Framework. Retrieved March 31, 2020 from https://www.ciisec.org/.
- [139] . 2015. Competency profiling for software engineers: Literature Review and a New Model. In Proceedings of the 19th Panhellenic Conference on Informatics. ACM, New York, NY, 235–240.
- [140] . 2017. National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework. Retrieved April 6, 2020 from https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-181.pdf.
- [141] . 2020. DPO Competency Framework and Training Roadmap. Retrieved April 30, 2020 from https://www.pdpc.gov.sg/dp-competency#competencies.
- [142] . 2017. A competency model for “Industrie 4.0” employees. In Proceedings der 13 Internationalen Tagung Wirtschaftsinformatik (WI’17). 46–60.
- [143] . 2017. Information Technology Curricula 2017: Curriculum Guidelines for Baccalaureate Degree Programs in Information Technology. ACM, New York, NY.
- [144] . 2015. Analysis of the competencies of information security consultants: Comparison between required level and retention level. Indian Journal of Science and Technology 8, 21 (2015), 1–8.
- [145] . 2018. Skills Framework for the Information Age: SFIA 7: The Complete Reference. Retrieved April 3, 2020 from https://www.sfia-online.org/en/framework/sfia-7/documentation/sfia-7-the-complete-reference.
- [146] . 2019. Skills Framework for Infocomm Technology. Retrieved May 13, 2020 from https://www.skillsfuture.gov.sg/skills-framework/ict. Accessed April 4, 2023.
- [147] . 2017. MSIS 2016: Global competency model for graduate degree programs in information systems. Communications of the Association for Information Systems 40 (2017), MSIS-i–MSIS-107.
- [148] . 2010. Cyber Security Capability Framework & Mapping of ISM Roles: Final Report. Retrieved April 23, 2020 from https://www.yumpu.com/en/document/read/43006585/cyber-security-capability-framework-mapping-of-ism-roles-agimo.
- [149] . 2013. Essential Body of Knowledge (EBK): A Competency and Functional Framework for Cyber Security Workforce Development. Retrieved May 2, 2020 from https://www.energy.gov/sites/prod/files/2014/04/f15/DOEEBK_1-2013Revision_NICEv01_SCRM_clean_v04.pdf.
- [150] . 2008. Information Technology (IT) Security Essential Body of Knowledge (EBK): A Competency and Functional Framework for IT Security Workforce Development. Retrieved April 10, 2020 from https://www.hsdl.org/?view&did=234220.
- [151] . 2012. Software Assurance Professional Competency Model. Retrieved April 1, 2020 from https://docplayer.net/22397688-Software-assurance-professional-competency-model.html.
- [152] . 2012. Information Technology Competency Model. Retrieved March 24, 2020 from https://www.careeronestop.org/competencymodel/competency-models/pyramid-download.aspx?industry=information-technology.
- [153] . 2019. Cybersecurity Competency Model. Retrieved April 24, 2020 from https://www.careeronestop.org/CompetencyModel/competency-models/pyramid-download.aspx?industry=cybersecurity.
- [154] . 2020. Masterstudium: IT-Security. FH Campus Wien. https://www.fh-campuswien.ac.at/studium-weiterbildung/studien-und-lehrgangsangebot/detail/it-security-master.html.
- [155] . 2020. IT & Mobile Security: Master. FH Joanneum. https://www.fh-joanneum.at/it-und-mobile-security/master/.
- [156] . 2020. Information Security Management: Masterstudiengang. FH Oberösterreich. https://www.fh-ooe.at/campus-hagenberg/studiengaenge/master/information-security-management/.
- [157] . 2020. Sichere Informationssysteme: Bachelorstudium. FH Oberösterreich. https://www.fh-ooe.at/campus-hagenberg/studiengaenge/bachelor/sichere-informationssysteme/.
- [158] . 2020. Sichere Informationssysteme: Masterstudium. FH Oberösterreich. https://www.fh-ooe.at/campus-hagenberg/studiengaenge/master/sichere-informationssysteme/.
- [159] . 2020. Cyber Security and Resilience: Master Studiengang. FH St. Pölten. https://www.fhstp.ac.at/de/studium-weiterbildung/informatik-security/cyber-security-and-resilience.
- [160] . 2020. Information Security: Master Studiengang. FH St. Pölten. https://www.fhstp.ac.at/de/studium-weiterbildung/informatik-security/information-security.
- [161] . 2020. IT-Security: Bachelor Studiengang. FH St. Pölten. https://www.fhstp.ac.at/de/studium-weiterbildung/informatik-security/it-security?gclid=EAIaIQobChMIoIzc5be-7AIVh7LVCh3d2woPEAAYAyAAEgJyIvD_BwE.
- [162] . 2020. Masterstudiengang: IT-Security. FH Technikum Wien. https://www.technikum-wien.at/studium/master/it-security/.
- [163] . 2020. Master: Artificial Intelligence and Cyber Security. Universität Klagenfurt. https://www.aau.at/studien/master-artificial-intelligence-and-cybersecurity/.