Cyber Workforce Development Using a Behavioral Cybersecurity Paradigm

Bruce D. Caulkins, Ph.D.
Institute for Simulation & Training (IST), University of Central Florida (UCF), Orlando, Florida USA

Karla Badillo-Urquiola, M.S.
Institute for Simulation & Training (IST), University of Central Florida (UCF), Orlando, Florida USA

Rebecca Leis, M.S.
Institute for Simulation & Training (IST), University of Central Florida (UCF), Orlando, Florida USA

Patricia Bockelman, Ph.D.
Institute for Simulation & Training (IST), University of Central Florida (UCF), Orlando, Florida USA

Abstract—This paper contributes to the ongoing efforts in the cybersecurity community to strengthen cyber workforce development by providing an overview of key gaps and proposing practical education strategies. Leveraging documented incidents from defense, industry, and academia and the rest of the United States government, we identify emerging cyber-education opportunities highlighting human-centric elements using a gap analysis approach. We closely examine the National Initiative for Cybersecurity Education’s (NICE) National Cybersecurity Workforce Framework (NCWF) as well as the Department of Homeland Security’s (DHS) National Initiative for Cybersecurity Careers and Studies (NICCS) educational framework. These documents provide a foundation for current and future research with cybersecurity workforce development. Next, the paper outlines a pilot education program launched at the University of Central Florida (UCF), designed to address the unique challenges of the human dimension in cybersecurity. The purpose of highlighting this pilot program is to provide an example of human-centric cyber-educational curriculum. The present paper offers a launching point for further discussion about the human side of cybersecurity, closing with considerations of the “lessons learned” from early responses to the UCF program from the program’s inaugural student cohort.

Keywords—cybersecurity; behavioral cyber; workforce development; human factors

978-1-5090-5258-5/16/$31.00 ©2016 IEEE

I. INTRODUCTION

The world is now highly connected and arguably improved by the introduction of new technologies and advanced network-enabled devices collectively contributing to the Internet of Things (IoT). This interconnectedness increases efficiency and coordination through objects like planes, vehicles, buildings, appliances, and thermostats [1], but the benefits come with a cost. The ongoing expansion of the IoT environment, coupled with increased reliance upon mobile devices and computers, introduces a range of private and public cyber-based vulnerabilities. Although some may perceive minimal personal threat, media outlets report cyber-related events daily, suggesting widespread prevalence [2] and [3]. Malicious hackers expose security flaws in new “smart” device architectures and systems and create novel cyber-attack software to take advantage of these flaws [4].

As IoT evolves and perpetrators of cybercrimes expand their tools and approaches, the demand for cyber-professionals grows. Recruitment and job distribution websites report an influx of cyber-related job postings [5]. Further, Forbes reports that more than 200,000 cybersecurity jobs in the U.S. remain open in 2016 with 1 million job postings worldwide. They also report that within three years, the projected shortfall will reach 1.5 million [6]. So as these shortfalls become more acute, pressure will be put onto the corporate, academic, and government leadership who are trying to fill cybersecurity workforce positions with highly-qualified personnel. With such a high demand and short supply of quality cybersecurity workers, wages will continue their upward trend for all disciplines within the cybersecurity workforce, to include support personnel like systems administrators and network engineers.

II. NATIONAL CYBERSECURITY WORKFORCE FRAMEWORK

In response to the need for enhanced cybersecurity and a larger workforce, the Department of Homeland Security (DHS) and the National Initiative for Cybersecurity Education (NICE) built the National Cybersecurity Workforce Framework (NCWF) as a foundation for understanding the necessities of the cybersecurity workforce [7]. The framework organizes cybersecurity into seven categories: Securely Provision, Operate and Maintain, Protect and Defend, Investigate, Collect and Operate, Analyze, and Oversight and Development [8]. These categories are discussed more fully below.

A. Securely Provision

These jobs encompass the specialty areas that are responsible for overseeing, evaluating, and accrediting the information technology (IT) systems and network structure planning and implementation, using solid information assurance (IA) policies and controls. Jobs range from IA Compliance Analysts, IA Compliance Managers, to Software Developers and Computer Programmers [8]. We assess that the current training and education in these areas are fairly robust and readily available; however, most educational courses in this category are stove-piped and not well integrated into the overall cybersecurity training domain.

B. Operate and Maintain

Cybersecurity operators and maintainers focus on the support and administration of the various underlying systems and networks to ensure network performance, systems and services’ performance, and overall security. Jobs in the Operate and Maintain area encompass Knowledge Managers, Systems Administrators, and Systems Security Analysts [8]. We assess that the current training and education in this category is similar to the Securely Provision category’s areas. Training within the cybersecurity operators and maintainers is robust and readily available. Further, due to the nature of the related cyber training, operators and maintainers’ job training is better integrated into the overarching cybersecurity training domain as each of the six specialty areas (Data Administration, Network Services, Knowledge Management, System Administration, Customer Service and Technical Support, and Systems Security Analysis) [8] focuses on the integration and management of tools of cybersecurity, like firewalls, accounts, intrusion prevention devices, and passwords.

C. Protect and Defend

These cybersecurity experts are the core personnel protecting and responding to cyber-related incidents and intrusions. They are the first defenders in cyberspace, using defensive measures to identify, analyze, mitigate, and report threats and possible intrusions. Typical jobs are Computer Network Defense (CND) Analysts, Incident Responders, and CND Infrastructure Supporters [8].
We assess that the current training and education in this area is less developed than the Securely Provision or Operate and Maintain categories; however, the integration of these specialty areas in the cybersecurity training domain is well developed as these areas focus directly into cybersecurity operations and analysis.

D. Investigate

Cybersecurity investigators come largely from the digital forensics background, focusing in on the proper and legal collection, processing, and analysis of any and all related evidence of intrusions, whether they originate from outside of the organization or from within the organization. Law enforcement and counterintelligence support is crucial to these investigators [8]. We assess that the current training and education in this category is highly developed, especially in the realm of digital forensics. Courseware is readily available at institutions of higher learning in the undergraduate and graduate levels.

E. Collect and Operate

The Collect and Operate category encompasses those areas that are responsible for cyber operations that deny access and other capabilities to threat actors across many vectors. Three specialty areas fall under this category: Collection Operations, Cyber Operations, and Cyber Operations Planning [8]. We assess that this category mostly falls into the government and law enforcement lanes of effort; as such, the Knowledge, Skills, and Abilities (KSAs) required for this category are not listed in the NCWF.

F. Analyze

This category encompasses the analysis of the cyber threats, targets that were exploited, methods used, and vulnerabilities found, especially in the case of a zero-day attack. Four specialty areas fall under this category: Threat Analysis, All Source Intelligence, Exploitation Analysis, and Targets [8]. While concerted and intentional growth has been made in this area, we assess that this category mostly falls into the government and law enforcement lanes of effort; as such, the Knowledge, Skills, and Abilities (KSAs) required for this category are not listed in the NCWF.

G. Oversight and Development

The final category addresses the fundamental and overarching leadership and managerial work required to properly oversee and manage the cybersecurity workforce for the previous six categories shown above. In addition to the leadership and managerial aspects, this category encompasses jobs with Cyber Law, Education and Training, and Strategic Planning and Policy Development. We assess that while these jobs are not overtly technical in nature, a solid understanding of the technical and behavioral aspects of cybersecurity is crucial in these senior-level jobs [8].

III. MAPPING THE NCWF

Numerous colleges and universities now offer programs to prepare cybersecurity personnel. In February of 2016, the National Initiative for Cybersecurity Careers and Studies (NICCS) published a list of the most common degree programs associated with cybersecurity careers [7]. The research team mapped these programs to the NCWF [8] (Figure 1).

A. Initial Mapping to the NCWF

This mapping represents an initial look at the NCWF categories and how the various academic programs best fit into the model. The UCF behavioral cybersecurity efforts will continue to define and refine these alignments over the next year in follow-on research in order to produce a more accurate construct that reflects the current reality in the cyber workforce, both in the commercial and government sectors. The mapping was conducted internal to UCF as part of the ongoing evaluation and development of its cybersecurity offerings through panel assessment of each factor. While informal and subjective, the internal team observed patterns that merit consideration more broadly.

Figure 1. Mapping of the NICCS list of the most common cyber-related degree programs to the seven NCWF categories

The map demonstrates the high-level and notional connections between the NICCS-identified academic programs and the NCWF categories. While several of these connections could have more than one “correct answer,” the exemplar in Figure 1 demonstrates how the internal research team categorized each degree area. The aim was not to create a map that reflected a generalizable picture, with certainty that all field experts would agree. Rather, the research team sketched the connections pertinent for considering whether or not programs would address the NCWF categories. For example, the cybersecurity academic program mapped to the Protect and Defend NCWF category could be placed in several other categories, like Operate and Maintain, Securely Provision, or Oversight and Development. The present study’s researchers chose Protect and Defend since it appears to be the best fit for the cybersecurity academic program area. Other similarly mapped academic programs were put through the best-fit filter as well. The mapping of the academic programs to the particular categories is fluid; therefore, we encourage other cybersecurity professionals to provide further recommendations for formulating this categorization. In order to do a proper cyberspace workforce gap analysis over the long term, we will conduct follow-on work in this area to further define and refine the crosswalk of the relevant academic programs to the NCWF.

B. Gaps Found

The research team observed discrepancies in the degree programs represented across NICE’s seven categories in their NCWF. Three categories – Collect and Operate, Analyze, and Investigate – have little to no programs listed in those fields. These categories are listed with their formal definitions from NICE [8].

• Collect & Operate - areas responsible for specialized denial and deception operations and collection of cybersecurity information that may be used to develop intelligence
• Analyze - areas responsible for highly specialized review and evaluation of incoming cybersecurity information to determine its usefulness for intelligence
• Investigate - areas responsible for the investigation of cyber events and/or crimes of IT systems, networks, and digital evidence.

As seen in Figure 2, gaps exist in the most common university and college degree programs associated with cybersecurity careers today. First, the three categories that contain gaps (Analyze, Collect and Operate, and Investigate) are generally seen most often in the U.S. government workforce, particularly in the intelligence and cyberspace operations fields. Second, cybersecurity and cyberspace operations are relative newcomers to the workplace. Very few senior leaders in these areas have sufficient technical and operational backgrounds to make proper long-range decisions and vision for their respective workplaces. Finally, the actual numbers of job descriptions in these three categories are relatively small.

Figure 2. Gaps Highlighted in the NICCS list mapped to the NCWF

The table below shows the number of jobs, according to the Occupational Outlook Handbook from the U.S. Department of Labor’s Bureau of Labor Statistics (BLS) in 2014 [9]. We used the BLS handbook’s statistics to compare them to selected specialty areas (Computer and Information Systems Managers, Network and Computer Systems Administrators, Computer Programmers, and Operations Research Analysts/ORSA) and mapped to the appropriate NCWF category.

IV. THE HUMAN ELEMENT IN CYBERSECURITY

While we concur with NICCS that these are the degree programs most commonly associated with cybersecurity areas [7], we assert that this situation reflects an oversight in postsecondary instruction, because of the omission of human-centered areas. Although every aspect related to cybersecurity is inseparable from human behavior (human hackers attack human victims), training to prevent or respond to attacks focuses heavily on technical aspects and fails to prioritize human elements. “The cyber content is very important, but as a means to an end, not the end in itself” [10]. Emphasizing technical aspects within cyber-education prepares trainees to respond to only part of the problem. The breadth of content available within cyber-education makes it difficult to cover all essential knowledge, skills, and abilities (KSAs) necessary to the field and each specialization (e.g., specific tools). Thus, emphasis should be placed on “softer” more human-centric skills, fostering innovation, problem-solving, and self-directed inquiry [10].

We assert that technical skills preparation is a necessary component of thorough cybersecurity education and training; however, it is our position that technical skills alone are insufficient to form a holistic understanding of a particular problem space. We also assert that experts in cyber (although they may not realize it yet) will support this position, having experienced first-hand the complexities of cybersecurity. Experts tend to recognize behavioral patterns and meanings that are not apparent to novice cyber-operators [10]. Cyber operators with more experience (especially those working in interdisciplinary teams) are better able to understand the KSAs (e.g., “soft” skills) necessary to solve complex cyber-issues. However, cybersecurity is a new discipline. Thus, instructors are not necessarily experienced in a range of real-world problems or have not had formal training on task analyses or instructional design, both helpful for course and curriculum development.

Recently we completed a study via Qualtrics, an online survey platform. We hope that the results of this study will be published as a conference paper in the Interservice/Industry Training, Simulation and Education Conference, pending ongoing review and approval [11]. We randomly presented three out of the five case studies to each survey participant for their review. Participants then answered a series of questions for each case study. We designed these questions in order to capture the perception of relevance for techno-centric and human-centric KSAs as seen in Figure 3. The survey included constructs and KSAs beyond those listed; however, these 10 KSAs (5 techno-centric and 5 human-centric) were identified a priori to the creation of the survey’s questions based on researcher judgment of potentially related human-centric constructs. We received 117 valid survey responses. The need for human-centric training in addition to techno-centric training was a major theme in the responses we received [11].

V. APPROACHES TO CYBER EDUCATION

While much of today’s cybersecurity efforts in academia and elsewhere revolve around teaching the required tools to address general security challenges in cyberspace, little has been done to date to address the most-critical component in cyberspace operations - the human element [12]. In 2015, the U.S. Department of Defense (DoD) recognized this issue as a major gap within its cyber strategy. DoD subsequently published a holistic cyber strategy document, which acts as a guide for the military’s ongoing efforts to strengthen its cyber forces and organizations while promoting complementary initiatives like the National Initiative for Cyberspace Education (NICE) [13].

To address the human element in cyberspace, we first considered the requisite training and education curricula available (assessing the current state of the domain). We conducted an informal survey of cyber programs at accredited universities and colleges and, predictably, the vast majority of programs are embedded within the organization’s computer science department or closely aligned with computer science and engineering-related departments.

VI. BEHAVIORAL CYBER EDUCATION: AN EXAMPLE

Considering the requisite training and education required to transition from existing approaches to those most needed to address current cyber challenges, UCF shaped a program specifically in behavioral aspects of cyber-security. A relatively new graduate-level certificate program at UCF provides a template of a holistic approach. Individual institutions may customize this template to fill the human-centered training/learning gaps specific to that school. For example, the UCF certificate supplements techno-centric courses from programs such as Modeling and Simulation or Engineering.

UCF students of the Modeling and Simulation of Behavioral Cybersecurity Certification are required to complete 13 credit hours over 5 courses. These courses can also be used as electives within either the Ph.D. program for Modeling and Simulation at UCF (Behavioral Cybersecurity track) or the Masters program for Modeling and Simulation at UCF (Behavioral Cybersecurity track). Descriptions of the five courses in the graduate certificate program are listed below:

• Cybersecurity: A Multidisciplinary Approach (3 credit hours) – This course is an interdisciplinary, graduate level modeling and simulations course that discusses and introduces the behavioral aspects to cybersecurity. Further, this course explores the other non-technical disciplines that support cybersecurity efforts in the government, academia, and commercial arenas. Cyber strategy, national cyber policy, behavioral aspects to cyber, and cybersecurity education and training are selected subjects discussed in this class [14].
• Cyber Operations Lab (3 credit hours) – This course is a hands-on class that students use to immerse themselves in initial cybersecurity planning and management. While computer science expertise is not required, it is beneficial in this class. However, students of all related disciplines will discover the intricacies of cyber-related topics like firewall administration, penetration testing, port scanning, and operating systems security [14].
• Behavioral Aspects of Cybersecurity (3 credit hours) – This course digs deeper into the interdisciplinary nature of cybersecurity, focusing more heavily on the behavioral aspects of cyber and what motivates cyber attackers. Threat modeling, digital ethics, organizations, culture, cyber training, and motives involved in cyber attacks are a few of the subjects discussed in this class [14].
• Emerging Cyber Issues (1 credit hour) – This course expands upon the work of the previous three courses through the discussion of issues raised each week by the guest speakers who are brought in to discuss the current and pressing issues facing cyber personnel today. Lectures include cybersecurity policy and planning at the national levels, open source intelligence and the effect of social media, virtual economies, cyber penetration testing, and data security and the human factor [14].
• Simulation Research Methods and Practicum (3 credit hours) – This course is the final, capstone course of the program, designed to showcase the knowledge the students learned over the past year in the behavioral aspects of cybersecurity through their writings on the deployment of modeling and simulation techniques and processes [14].

These courses are specifically designed to teach students techniques for approaching authentic and complex tasks that mirror real-world problems. Figure 4 shows how each of the KSAs identified in Table 1 maps to the five courses.

As we have little knowledge of ways in which specific KSAs map to course curriculum in other programs beyond the course description listed online, we encourage other program staff and faculty to also map KSAs to the specific programs they belong to in order to continue conversation about integrating standard human-centric topics within cybersecurity education.

VII. EARLY FEEDBACK AND FUTURE WORK

UCF is currently in the middle of the first cohort of students participating in the Modeling and Simulation of Behavioral Cybersecurity Program. Initial feedback has been overwhelmingly positive from the students. Future training development will focus on the coursework itself, where we plan on continuing to develop and re-develop the current courses and expand the use of modeling the behavioral aspects of cyber actors, to include hackers, administrators, and users. We expect that both agent-based and discrete event simulations will be used by students and researchers to create models of these and other “nontraditional” aspects of cybersecurity (i.e., non-technical aspects mentioned earlier).

We plan on expanding the cyber operations lab as well. We will use the lab as a testbed for future cybersecurity tools, models, and practices. We also will tightly connect the lab to other cybersecurity researchers at IST, UCF, the Florida Center for Cybersecurity (FC2) and elsewhere in the academia, corporate and government sectors. Much work remains to be done in the behavioral aspects of cybersecurity.

VIII. REFERENCES

[1] J. Carretero and J. Daniel Garcia, "The Internet of Things: connecting the world," Personal and Ubiquitous Computing, vol. 18, pp. 445-447, Feb 2014.
[2] J. Davidson, "‘Inadvertent’ cyber breach hits 44,000 FDIC customers," vol. 2016, ed. Washington Post online: Washington Post, 2016.
[3] B. Gertz, "FBI warns of cyber threat to electric grid," ed, 2016.
[4] Q. Jing, A. V. Vasilakos, J. Wan, J. Lu, and D. Qiu, "Security of the Internet of Things: perspectives and challenges," Wireless Networks, vol. 20, pp. 2481-2501, Nov 2014.
[5] A. Freeman. (2016, July 15, 2016). Could we see an influx of cyber security job roles in 2016? Available: https://www.technojobs.co.uk/info/tech-news/20160105-could-we-see-an-influx-of-cyber-security-job-roles-in-2016.phtml
[6] S. Morgan. (2016) One Million Cybersecurity Job Openings in 2016. Forbes. Available: http://www.forbes.com/sites/stevemorgan/2016/01/02/one-million-cybersecurity-job-openings-in-2016/#7a235147d274
[7] NICCS, "Most Common Degree Programs Associated with Cybersecurity Careers," ed. Washington, D.C., 2016.
[8] NICE, "The National Cybersecurity Workforce Framework (NCWF)," ed. Washington, D.C., 2013.
[9] DOL, "Bureau of Labor Statistics Occupational Outlook Handbook," U. S. D. o. Labor, Ed., ed. Washington, D.C., 2016.
[10] L. McDade-Morrison, "Cyber Space Engineer Learning Lab: Facilitators Guide to Course Methodology and Innovation.," ed, 2013.
[11] R. Leis, K. Badillo-Urquiola, B. D. Caulkins, and P. Bockelman, "Modeling and Simulation Education for Behavioral Cybersecurity," in Interservice/Industry, Training, Simulation and Education Conference (I/ITSEC), in review, Orlando, FL, 2016.
[12] M. Champion, S. Jariwala, P. Ward, and N. J. Cooke, "Using Cognitive Task Analysis to Investigate the Contribution of Informal Education to Developing Cyber Security Expertise," in Proceedings of the Human Factors and Ergonomics Society 58th Annual Meeting, 2014, p. 5.
[13] DoD, "The Department of Defense Cyber Strategy," D. o. Defense, Ed., ed. Washington, D.C., 2015.
[14] UCF, "Graduate Catalog, M&S of Behavioral Cybersecurity," 2016.