25.02.20

CyBOK: A knowledge framework for the cyber security workforce

Source: PSE Feb/March 20

Professor Awais Rashid - University of Bristol, UK

An online resource, bringing together the latest intelligence on cyber security, providing a go-to resource for information security professionals across the public sector.

Cyber security of our connected digital world is a major challenge for the foreseeable future – even more so given the shortage of qualified personnel to take on a variety of roles across a wide range of sectors and employers.

Reports from organisations such as ISC(2) estimate a global shortage of ca. 4M. The problem is compounded by the fact that, as we build increasingly complex, highly connected systems and infrastructures – for instance, smart cities, intelligent transportation, future manufacturing, smart grids – different pieces of cyber security knowledge need to be brought together when architecting, implementing, deploying and running such systems. And there isn’t a single cyber security professional who can fulfil all those knowledge needs, or do so at all those different stages of a system’s lifecycle.

For instance, cyber risk analysts typically require a deep understanding of risk assessment and management approaches with a broader understanding of other topics such as software, hardware and cyber physical environments as well as attack and defence techniques and human factors.

In contrast, those responsible for developing software systems are likely to require deep knowledge of software security, secure software development practices and, depending on the application context, security of web and mobile technologies or cyber-physical systems. These are not exhaustive examples but highlight that cyber security professionals with different types of knowledge are required for different roles and contexts.

Though there is a wealth of cyber security knowledge available – in the form of academic research, textbooks, industry reports, standards – this knowledge has historically been fragmented. Those responsible for training the cyber security workforce, for example, designers of university-level undergraduate and postgraduate programmes, continuing professional development (CPD) programmes or professional training courses, do not have a one-stop authoritative source to identify what cyber security knowledge is relevant for particular education and training contexts and what the key sources are from which such knowledge should be drawn.

Similarly, employers need authoritative sources to identify what knowledge is required for particular roles and the specific details (for example, specific sub-topics) that can be used to establish an incoming employee’s command of that knowledge.

The Cyber Security Body of Knowledge, CyBOK, aims to address these needs by synthesising the wealth of authoritative sources into 19 knowledge areas (KAs), divided into five high-level categories. CyBOK has been developed through a rigorous process from February 2017 to October 2019 involving a wide-ranging consultation – nationally and internationally – to identify the scope of the CyBOK from which the 19 KAs were distilled.

Following this scoping work, 110 experts from academia, industry, practice and professional organisations have come together as authors, expert reviewers or advisors to develop detailed descriptions of the KAs which have been further reviewed through an open consultation process that elicited a further 1600 comments from the wider community. The result is an extensive resource – 828 pages bringing together 1839 authoritative sources.

CyBOK has many uses – ranging from the design of education programmes to underpinning development of job descriptions for roles through to benchmarking of cyber security capacity (strengths and gaps) within an organisation or a nation.

The knowledge area descriptions are complemented by knowledge trees, visual representations that act as a quick index into the topic. Webinars and podcasts are also being made available. Furthermore, an additional set of resources for those designing education and training programmes as well as job descriptions will be released soon.

These resources are being developed for the community, by the community that has engaged with this work nationally and internationally, and are a key stepping stone in providing rigorous knowledge-based foundations for cyber security as a discipline and profession.

The CyBOK project is funded by the National Cyber Security Programme.
