Cybersecurity Competency Models: Analysis of Existing Work and a New Model

What is it about?

Recently, competency modeling has sparked interest in computing education in general and cybersecurity education in particular. The current computing curricula 2020 report (CC2020) is fully embracing the concept of competency, and cybersecurity scholars are starting to discuss benefits of cybersecurity competency models. However, a systematic analysis of cybersecurity competency models has thus far been lacking. In our research, we make two contributions to the growing field of cybersecurity competency modeling. First, we analyze the current state of competency models in the cybersecurity and information security domains. Second, we build a new competency model informed by the competency model analysis. In the first part of our result section, we present a competency model analysis that includes, inter alia, the identification of competencies required by cybersecurity professionals, an analysis of knowledge areas covered by the models, a revelation of imbalance issues, a list of models’ uses, and an analysis of models’ bibliometric aspects. Our newly developed competency model is presented in the second part of the paper. Taking our competency model analysis into account, our new competency model addresses issues (e.g., lack of social and personal competencies) associated with the existing models.

Featured Image

Photo by Dan Nelson on Unsplash

Photo by Dan Nelson on Unsplash

Why is it important?

In our discussion section, we highlight the benefits of competency models for tackling the cybersecurity skills shortage. Given their uses related to competency development, workforce development, and curriculum design, competency models can help to address many of the pressing challenges facing the cybersecurity education system and the labor market, including outdated curricula and poor alignment between industry and education. For example, competency models can be used for maintenance strategies, sustaining professional development, and identifying skills gaps. Our new competency model is particular useful when it comes to developing and evaluating qualification programs as well as recruiting and selecting talent. As the model is up to date and exhaustive, identifying outdated curricula becomes possible. Similarly, the clear description of competencies facilitates the identification and assessment of job candidates. What is more, our analysis points to several imbalances, which, when not addressed, might result in adverse consequences (e.g., ineffective cybersecurity professionals). Our new competency model mitigates these risks by incorporating a diverse spectrum of cybersecurity competencies, including social and personal competencies. To sum up, our research addresses the need for an overview of the current state of security competency models and the need for a comprehensive competency model. We hope that our analysis sheds light on the emerging (research) topic of competency modeling in cybersecurity education and supports the educational and industrial sector to improve training and education and to narrow the skills shortage.