TC 11 Briefing Papers

The role of national cybersecurity strategies on the improvement of

cybersecurity education
Saleh AlDaajeh a, Heba Saleous a, Saed Alrabaee a,∗, Ezedin Barka a, Frank Breitinger b,
Kim-Kwang Raymond Choo c
a
Information Systems & Security, United Arab Emirates University, 15551 Al Ain, United Arab Emirates
b
School of Criminal Sciences, University of Lausanne, 1015 Lausanne, Switzerland
c
Department of Information Systems and Cyber Security, University of Texas at San Antonio, San Antonio, TX 78249-0631, USA

1. Introduction COVID-19 pandemic has also highlighted an urgent need for more
cybersecurity professionals and effective cybersecurity awareness
Information and telecommunication technology (ICT) in its var- programs and initiatives (Hakak et al., 2020; Pranggono and Arabo,
ious forms pervades our modern society and is integral to the 2020). Nearly a decade ago, a study conducted by Evans and
nations’ sustained economic growth, societal well-being, national Reeder (2010) reported an existing shortage not only of highly
security, and global competitiveness. Its importance is clearly ev- skilled professionals needed to manage the operation of deployed
idenced during the COVID-19 pandemic, where people rely on systems, but, more pressingly, individuals who can design secure
ICT to work, live, and socialize. Hence, it is not surprising that systems, write secure code, and create the necessary tools to de-
there have been significant interest and investments in various ter, detect, mitigate, and recover from any damage caused by ma-
ICT research efforts, such as cybersecurity. On the other hand, licious cyber acts. Studies conducted by Cobb (2016) and Hranický
the frequency of cybersecurity attacks is expected to continue ris- et al. (2021) indicated that ICT professional agencies and recruiters
ing as new and more sophisticated attacks are coming to light agree that technical cybersecurity skills, such as intrusion detec-
Herjavec (2019). The increased number of cyber attacks during the tion, secure software development, and attack mitigation, are of
urgent demand. The study conducted by the California Commu-
nity Colleges Center of Excellence for Labor Market Research high-
∗ lighted that challenges exist when one attempts to close the gap
Corresponding author.
E-mail address: salrabaee@uaeu.ac.ae (S. Alrabaee). between the supply shortage in cybersecurity professionals and the
labor-market demands for certain cybersecurity professional skills Table 1
Summary of notations.
(Crumpler and Lewis, 2019).
Cybersecurity resilience is a key concern for global leaders Abbrev. Description
and individuals, particularly as individuals are becoming more ABET Accreditation Board for Engineering and Technology
privacy-aware. Hence, we predicate that cybersecurity education is ACM Association for Computing Machinery
an intrinsic step towards creating a resilient cyber secure society ASEAN Association of Southeast Asian Nations
and organizations. There are, however, limitations in many exist- BCS British Computer Society
CAA Commission of Academic Accreditation (UAE)
ing cybersecurity strategies and education approaches. The study
CAC Cyberspace Administration of China
done by Evans and Reeder (2010) mentioned that having compe- CII Critical Information Infrastructure
tent employees at every level to identify, build, and staff the cyber- ComSec Commonwealth Secretariat
security infrastructure defences and responses is critical to any ro- CPTC Collegiate Penetration Testing Competition
CSCP Cyber Security Cooperation Program (Canada)
bust cybersecurity strategy. Cobb (2016) addressed a number of in-
CSE Communications Security Establishment
creasingly urgent arguments about defending information systems CSIS Center for Strategic and International Studies
against cyber attackers. One of the mentioned questions is whether CSIS Canadian Security Intelligence Service
the world can supply enough cybersecurity professionals to de- CSTA Computer Science Teachers Association
fend our information technology infrastructures and defeat cyber CTO Commonwealth Telecommunications Organization
DoHA Department of Home Affairs
attackers. Crumpler and Lewis (2019) highlighted the gap that ex-
DHS Department of Homeland Security
ists in the United States of America’s (USA) current cybersecurity DSP Digital Service Providers
education and training landscape and elaborates on several exam- ENISA European Union Agency for Cybersecurity
ples of successful programs for addressing the existing gap. Addi- ESDC Employment and Social Development Canada
EU European Union
tionally, their study offered several recommendations for improv-
GAC Global Affairs Canada
ing cybersecurity education from policymakers, educators, and em- GCSCC Global CyberSecurity Capacity Centre
ployers perspectives. A holistic framework for analyzing the skill GCSP Geneva Center for Security Policy
gap in cybersecurity professionals was proposed by (Kreider and GQP Goal Question Purpose
Almalag, 2019), which identified three dimensions to analyze the ICT Information & Communication Technology
IoT Internet of Things
existing gap in cybersecurity educational programs in higher ed-
ISTE International Society for Technology in Education
ucation: Student pipelines, program offering, and program capac- ITU International Telecommunication Union
ity. The Global Information Security Workforce Study indicated in KPI Key Performance Indicator
their report that there are not enough cybersecurity profession- MOE Ministry of Education (UAE)
NCAF National Capabilities Assessment Framework
als in organizations to combat cyber crimes (Booz, 2017). Further-
NCSC National Cyber Security Certification
more, their latest report published in 2017 reveals that cyberse- NCSP National Cybersecurity Strategic Plan
curity workforce gap would reach of 1.8 million by 2022, a 20% NCSS EU National CyberSecurity Strategy
increase over the forecast made in the 2015. NICE National Initiative for Cybersecurity Education
The underlying objective of this study is to improve cyberse- NISA National Institution of Standards and Technology
NRCan Natural Resources Canada
curity education curricula by providing a systematic approach to
NSA National Security Agency
synthesis and align cybersecurity skills, competencies, and knowl- OES Operators of Essential Services
edge needed to fulfill National Cybersecurity Strategic Plan require- PEU Pink Elephant Unicorn (Cybersecurity Competition)
ments (NCSP). This study reviews a sample of world-leading coun- PLOs Program Learning Outcomes
PS Public Safety (Canada)
tries NCSP from different regions, elaborates on cybersecurity cur-
RCMP Royal Canadian Mounted Police
ricula improvement initiatives and best-practices, and investigates SCC Standards Council of Canada
the best approaches to create attractive cybersecurity education SMEs Small and Midsize Enterprises
and training programs for individuals to consider for their future TRA Telecommunication Regulatory Authority
careers. Furthermore, this study examines the different approaches UAEU United Arab Emirates University
UNCTAD United Nations Conference on Trade and Development
to align cybersecurity education and training programs’ curric-
ula improvements to high-level strategic goals. The Goal-Question-
Outcomes (GQO)+Strategies paradigm is utilized to synthesize the
cybersecurity competencies required to fulfill the NCSP require-
ment in terms of supplying professional cybersecurity specialists.
The National Initiative for Cybersecurity Education (NICE) frame- 2. Review of international cybersecurity strategic plans
work was used as a lexicon to determine the required cybersecu-
rity workforce competencies and to define cybersecurity education Digital and information technology cybersecurity challenges
and training programs’ learning outcomes accordingly. have cultivated an urgent need for a more structured discipline in
The article is organized as follows: Guidelines for the develop- curricula, academic programs, and awareness initiatives. Although
ment of NCSP and a sample of NCSP from world-leading countries some success has been witnessed in expanding the workforce of
from different regions are reviewed in Section 2. Various efforts, cybersecurity practitioners and professionals, the supply and de-
standards, and frameworks used as guidelines and/or lexicon for mand gap is estimated to reach between 1.8-3.5 million profes-
cybersecurity knowledge-areas, competencies, and skills are dis- sionals worldwide by the year 2022 (Booz, 2017; NeSmith, 2018).
cussed in Section 3. Section 4 reviews different initiatives taken to- In addition to filling this gap by educating more individuals, cy-
wards improving cybersecurity programs’ curricula and allurement. bersecurity specialists are also encouraged to further expand their
Strategy mapping models approaches are reviewed and discussed skillset to flourish and progress in their careers (Crumpler and
in Section 5. The newly proposed updated model GQO+Strategies Lewis, 2019; Kreider and Almalag, 2019).
and its application to improve cybersecurity program curriculum Section 2.1 describes the guidelines for the development of
of the United Arab Emirates University (UAEU) Master Program in the NCSP presented by the International Telecommunication Union.
Information Security is discussed in Section 6. Finally, the article is Subsequent sections review the ten world-leading NCSPs. A sum-
discussed and concluded in sections 7 and 8 respectively. Table 1 mary of the reviewed plans with focus on cybersecurity education
lists the notations used in this article. and training is provided in the last section.

2
Table 2
Cybersecurity national strategic plan development phases .

Phase Objective Outcome Tasks/ Activities

Initiation Phase Defining processes, timelines, and identifying Elaboration on the • Identifying the Lead Project Authority.
key stakeholders involved in the production development plan of the • Establishing a Steering Committee.
of the cybersecurity strategic plan. strategy • Identifying stakeholders.
• Planning the development of the Strategy.
Stocktaking and Analysis Phase Collecting the necessary data and information Report on the assessment and • Evaluating national perspective on
to evaluate the national perspective on evaluation of the strategic cybersecurity.
cybersecurity and the current and future national cybersecurity • Evaluating the cyber risk landscape.
cyber risk. posture and risk landscapes.
Production of National Define the strategic vision, context, and Develop strategy narrative by • Compiling the National Cybersecurity Strategy.
Cybersecurity Strategy Phase high-level objectives, evaluation of the involving key stakeholders • Maximize involvement of a wide range
current situation and future direction, through series of working key-stakeholders.
prioritization of strategic objectives based groups and public • Obtain formal approval and consent.
on their influence and impact. consultation. • Publication of the National Cybersecurity
Strategy.
Implementation Phase Develop action plans and confirm adequate Action plans and resource • Constitution of action plans.
human and financial resources required to distributions. • Highlighting strategic initiatives that are to be
implement various action plans envisioned implemented.
in NCSP • Allocating required resources (human and
financial) for the implementation phase.
• Defining timeframes and progress assessment
metrics.
Monitoring and Evaluation Monitoring: Government seeks to assure that Adjustment recommendations • Implementing a formal monitoring process.
Phase the strategy is implemented in accordance (Strategic Plan, Action Plans, • Continuous observation for strategy
to preset action plans. Evaluation: and Initiatives and implementation progress.
Government assesses the validity of the Programs). Audits and • Strategy outcomes assessment and evaluation.
NCSP in view of evolving and new risks, the Progress reports. Other
environment, and determine if the plan still related KPIs.
reflects their vision.

2.1. International telecommunication union-cybersecurity strategic services and essential services. Hence, this pillar is considered
plan development guidelines crucial and requires rigorous planning and collaboration with
national and international academic and professional associa-
Twelve partners1 from diverse governmental sectors, interna- tions.
tional organizations, private sector key-stakeholders, academia, and 6. Legislation and Regulations: Prohibiting cybercrime starts by
the civil society collaborated in order to design a guide to as- establishing well-defined legislations and safeguarding individ-
sist nations in developing their national cybersecurity strategy ual rights and liberties. This pillar must be addressed in the
(Sapolu et al., 2018). This NCSP development guide adopts an it- NCSP in order to ensure compliance and consolidate interna-
erative five stage process (elaborated in Table 2) towards compre- tional cooperation towards combating cybercrime.
hending and addressing the following seven pillars (focus areas): 7. International Cooperation: The NCSP is required to contribute
to the international effort towards combating cybercrimes and
1. Governance: The NCSP is required to outline a set of roles and
aligning domestic or national cybersecurity strategies with
responsibilities, authorities, resources, and processes to guide
international foreign policies and efforts towards space cy-
the development and implementation of the cybersecurity na-
berspace.
tional strategic plan.
2. Risk Management in National Cybersecurity: This practice fo- Successful NCSP design and development need to address the
cuses on identifying a risk-management approach and cate- aforementioned listed pillars and associated elements enclosed for
gorise sectoral risk profiles. each focus area. Table 3 elaborates on elements associated with
3. Preparedness and Resilience: This is the NCSP for incident re- the NCSP design and development focus areas (Sapolu et al., 2018).
sponses and to achieve resilient operational environment and In this study, we concentrate on Capability and Capability Build-
infrastructure. ing and Awareness Raising. Specifically, this study is only concerned
4. Critical Infrastructure Services and Essential Services: The ulti- with addressing how to improve cybersecurity education from a
mate goal of all NCSP is to implement effective plans to protect national cybersecurity strategy perspective.
national critical infrastructure services and essential services. The below reviewed NCSPs are samples of available and acces-
Hence, this pillar focuses on identifying critical infrastructure sible NCSPs. Nevertheless, there are many others that are reputable
services and essential services and plan for their protection ac- and worth reviewing. The current study will be implementing the
cordingly. United Arab Emirates NCSP in its analysis.
5. Capability and Capacity Building and Awareness Raising: As an
integral part for developing professional cybersecurity national 2.2. NCSP 1 – United States
manpower, the NCSP shall plan to fulfill their demand towards
achieving resilience and protecting their critical infrastructure The United States of America’s (US) national cyber strategy pri-
orities are focused on empowering the country’s cybersecurity ca-
1
pabilities and securing the nation from cyber threats (Sabillon,
Commonwealth Secretariat (ComSec), the Commonwealth Telecommunications
Organization (CTO), Deloitte, the Geneva Centre for Security Policy (GCSP), the
1993; The White house, Washington DC, 2018). The US cyber strat-
Global CyberSecurity Capacity Centre (GCSCC) at the University of Oxford, the In- egy is based on the following strategic priorities:
ternational Telecommunication Union (ITU), Microsoft, the NATO Cooperative Cy-
ber Defense Centre Of Excellence (NATO CCD COE), the Potomac Institute for Policy
• Defend the US cyberspace by protecting critical assets. This
Studies, RAND Europe, The World Bank and the United Nations Conference on Trade constitutes to elements such as: networks, systems, functions,
and Development (UNCTAD). and data.

3
Table 3 ucation. These initiatives have successfully delivered the National
Cybersecurity national strategic plan pillars and focus areas enclosed Elements.
Initiative for Cybersecurity Education (NICE) program since 2010.
Focus Area Elements The underlying objective of the NICE is to provide a reference-
Governance • Ensure the highest level of support model for educators to create training, degree, and certification
• Establish a competent cybersecurity authority. programs, as well as developing the appropriate curriculum (Daimi
• Ensure intra-government cooperation and Francia III, 2020; Dawson et al., 2019; Haney and Lutters, 2021;
• Ensure inter-sectoral cooperation Newhouse et al., 2017). This initiative goes hand-in-hand with the
• Allocate dedicated budget and resources
guidelines established by the DHS and NSA.
• Develop an implementation plan
Risk Management in • Define a risk-management approach
National Cybersecurity • Design a prevailing methodology or framework 2.3. NCSP 2 - United Kingdom
for cybersecurity risk management
• Develop sectoral cybersecurity risk profiles.
The United Kingdom’s (UK) NCSP for the years 2022–2025 is
• Establishing cybersecurity policies Preparedness
and Resilience designed to support the achievement of their national goals. It fo-
• Establish cyber incident response capabilities cuses on the accomplishment of the UK Cabinet office’s long-term
• Establish contingency plans for cybersecurity 2030 vision to continue leading responsible and democratic cy-
crisis management. ber power capable of protecting and promoting the UK’s interests
• Promote information-sharing
• Conduct cybersecurity exercises
within cyberspace (HM-Government - The Rt Hon Steve Barclay
Critical Infrastructure • Protecting critical infrastructures and services MP Chancellor of the Duchy of Lancaster and Minister for the Cab-
Services and Essential by adopting a prevailing risk-management inet Office, 2022). The UK’s national cyber goals are as follows:
Services approach.
• Adopt a governance model with clear • Using their cyber capabilities to be more secure and resilient
responsibilities. by preparing for evolving threats and risks, and therefore pro-
• Define minimum cybersecurity baselines
tecting citizens against crime, fraud and state threats.
• Utilise a wide range of market levers.
• Establish public-private partnerships. • Prosperous and innovative digital economy that shall evenly
Capability and • Develop cybersecurity curricula spread across the nation and its diverse population.
Capacity Building and • Stimulate skills development and workforce • Employing science and advanced technologies to securely con-
Awareness Raising training. trol transformative technologies in support of a more sustain-
• Implement a coordinated cybersecurity
able and healthier society.
awareness-raising program.
• Nurture cybersecurity innovation, research, and • Taking a more influential role and valuing global partners while
development. defining the future frontiers for an open and steady inter-
Legislation and • Establish cybercrime legislation national order and preserving their freedom of action in cy-
Regulation • Recognise and safeguard individual rights and
berspace.
liberties.
• Create compliance mechanisms The UK’s 2022–2025 NCSP builds on the achievements of the
• Promote capacity-building for law enforcement.
• Establish inter-organisational processes.
predecessor NCSP (2016–2021) (UK (H.M) Government, 2016) and
• Support international cooperation to combat is designed based on the conclusions derived from the govern-
cybercrime. ment’s integrated review of security, defence, and development
International • Prioritize cybersecurity as an integral part of and foreign policy. The conclusions drawn from the integrated re-
Cooperation foreign policy.
view are focused on strengthening the UK’s cyber power as fol-
• Engage in international discussions
• Promote formal and informal cooperation in lows:
cyberspace.
• Align domestic and international cybersecurity • The UK’s cyber power will become more important force to-
efforts. wards the achievement of UK national goals.
• Its sustainability requires a comprehensive and integrated strat-
egy to cover various aspects.
• Elevate the prosperity of the US by fostering a secure, burgeon- • The nation’s cyber power must be a society-oriented, hence
ing digital economy and prosper strong indigenous innovation. deeming partnerships essential to successfully achieve this con-
• Maintain peace and security by bolstering the ability of the US clusion.
– in collaboration with allies and partners – to deter and pe- The UK’s 2022–2025 NCSP is roughly categorized into two main
nalize those who use cyber tools for malicious acts. parts: Strategic context, and Implementation. The strategic context
• Extend US influence abroad to reach the key tenets of an open, demonstrates the rationale for focusing on the 5 strategic pillars.
interoperable, reliable, and secure internet and cyber space. The implementation part presents an organized break-down of the
5 strategic pillars to 16 objectives. The UK has allocated approxi-
The Department of Homeland Security (DHS) and National Se-
mately 22 billion £to the achievement of this NCSP including the
curity Agency (NSA) have a joint project with the objective to set
following pillars and objectives:
a criteria to regulate institutions who intend to offer cybersecurity
and defense education (National Security Agency and Department • Pillar 1: Strengthening the UK’s cyber ecosystem.
of Homeland Security, 2020). Their main objective is to create stan- • Objective 1: Support the whole-society approach by
dards for cybersecurity education in the US and to determine the strengthening the necessary structures, partnerships and
appropriate curriculum to offer students. This joint project con- networks.
cluded that cybersecurity programs should include hands-on ex- • Objective 2: Empowering national future talent with cyber
ercises as part of their skill development. Furthermore, institutions skills at every level through world class and diverse cyber
hosting cybersecurity or related disciplines should establish a cen- professions and competencies.
ter for cybersecurity education to offer guidance and promote col- • Objective 3: Foster the growth of internationally competitive
laboration among academia. The National Institution of Standards cyber- and information security sector by delivering quality
and Technology (NIST) has also established their own initiatives to products and services.
address various challenges faced in the realm of cybersecurity ed- • Pillar2: Building a resilient and prosperous digital UK.

4
 • Objective 1: Enhance the understanding of cyber risks in or- ENISA has developed a cybersecurity strategy with the aim of
der to derive the appropriate actions on cybersecurity and improving security and resilience of the EU’s national infrastruc-
resilience. ture and services. This is done by adopting a high-level top-down
• Objective 2: Improving cyber risk management within UK approach to establish action plans with a specific time frame for
organizations and providing greater protection to citizens to the implementation of a range of national objectives and strate-
prevent and resist cyberattacks effectively. gic priorities (ENISA, 2020). Furthermore, ENISA developed the Na-
• Objective 3: To prepare for, respond to, and recover from cy- tional Capabilities Assessment Framework (NCAF) to provide mem-
berattacks by strengthening resilience at both the national ber states with a self-assessment tool to evaluate their maturity
and organizational levels. and progress towards the achievement of NCSS objectives and to
• Pillar 3: Taking the lead in the technologies vital to cyber build cybersecurity capabilities at both the strategic and opera-
power. tional levels (ENISA, 2020). The NCAF elaborates on four main clus-
• Objective 1: Improve foresight and act on the investments ters, namely: Cybersecurity Governance and Standards, Capability-
in vital science technology development for cyber power. building and awareness, Legal and regulatory, Cooperation. Each
• Objective 2: Nurture and sustain sovereign and allied advan- one of these clusters is defined with a set of objectives in which
tages in the security of critical technologies. the national cybersecurity strategy implementation maturity is be-
• Objective 3: Preserve a robust and resilient national Crypto- ing assessed.
Key enterprise which meets the needs of the government Fig. 1 depicts NCAF clusters and related objectives.
and their partners and allies.
• Objective 4: Securing the next generation of connected
2.5. NCSP 4 - Canada
technologies and infrastructure, and ensuring that the UK
achieves low-dependence on the global market and that the
The National Cybersecurity Action Plan (2019–2024) is the
nation’s users are provided with trustworthy and diverse
blueprint of Canada’s national cybersecurity strategy (Ministry of
supplies.
Public Safety and Emergency Preparedness of Canada, 2019). In
• Objective 5: Collaboration with multiple stakeholders for the
this plan, strategic initiatives and projects are explained, the im-
development of global digital standards, ensuring cybersecu-
plementation time frame is defined, and responsible departments
rity is integrated, and advancing in strategic advantage that
and agencies are allocated. Specifically, this plan focuses on the
is science- and technology-based.
achievement of three main cybersecurity strategic goals:
• Pillar 4: Advancing the UK’s global leadership and influence.
Secure and Resilient Systems The achievement of this goal is
• Objective 1: Ensure cybersecurity and resilience of the UK’s
done by implementing seven strategic initiatives: Supporting Cana-
international partners and increase collective action to dis-
dian Critical Infrastructure Owners and Operators, Improved Inte-
rupt and deter cyber attacks.
grated Threat Assessment, Preparing Government of Canada Com-
• Objective 2: Global governance to encourage a free, open,
munications for Advances in Quantum, Expanding Advise and
peaceful, and secure cyberspace.
Guidance to the Finance and Energy Sectors, Cyber Intelligence
• Objective 3: Enhance the UK’s strategic advantage and pro-
Collection and Cyber Threat Assessments, National Cybercrime
mote its broader foreign policy and interest through lever-
Coordination Unit, and Federal Policing Cybercrime Enforcement.
aging and exporting cyber capabilities.
These seven initiatives are focused on protecting against cyber-
• Pillar 5: Advancing the UK’s global leadership and influence.
crimes and attacks, as well as responding to and defending from
• Objective 1: Protect the UK, its interests, and its citizens by
sophisticated threats targeting critical government and private sec-
detecting and sharing investigation information on criminals
tors’ digital assets. Multiple Canadian governmental agencies and
and other malicious entities and activities.
organizations, such as Public Safety Canada (PS), Canadian Secu-
• Objective 2: Deterring and disrupting criminal parties and
rity Intelligence Services (CSIS), Communications Security Estab-
activities.
lishment, and Royal Canadian Mounted Police (RCMP), are assigned
• Objective 3: Preventing and detecting serious crimes by
to implement these initiatives.
taking appropriate actions that support national security
Create an Innovative and Adaptive Cyber Ecosystem: This strate-
throughout cyberspace.
gic goal aspires Canada to become a global leader in cybersecurity.
Specifically, this goal can be achieved by Canada’s National Cyber-
2.4. NCSP 3 - European Union
security Action Plan for 2019–2024, which includes two main ini-
tiatives:
The European Union Agency for Cybersecurity (ENISA) was
established in 2004 with the objective of achieving a common • The Cybersecurity Student Work Placement Program, which is
high-level cybersecurity across Europe and its member states facilitated by the Employment and Social Development Canada
(ENISA, 2020). Strengthened by the EU Cybersecurity Act, the (ESDC).
ENISA is tasked with contributing to the definition and setup of • The cybersecurity assessment and certification for small-and-
EU cyber policies, the enhancement of the trustworthiness of in- Medium-sized Enterprises (SMEs), which is organized by Inno-
formation and communication technology products and deliver- vation, Science, and Economic Development Canada (ISEDC) in
ables, cybersecurity certification assurance, and schemes for ser- collaboration with the Communications Security Establishment
vices and processes. Additionally, they are tasked with fostering (CSE) and Standards Council of Canada (SCC).
cooperation with Member States and EU bodies and bolstering Eu-
rope to overcome and prepare for future cyber challenges. ENISA’s These two initiatives are focused on aiding advanced research,
scope is focused on knowledge sharing and transfer, building cy- nurturing digital innovation, and developing cyber skills, knowl-
bersecurity key-enablers and enriching mature awareness, collab- edge, and awareness.
orating with and involving key stakeholders to strengthen trust in Effective Leadership, Governance and Collaboration: This goal fo-
the connected economy. Ultimately, this is done in order to ad- cuses on establishing collaboration among Canada’s provinces, ter-
vance the resilience of the EU’s critical infrastructures, and, ulti- ritories, the private sector, governmental agencies, and interna-
mately, to preserve Europe’s society and ensure that citizens are tional allies to work towards shaping the international cybersecu-
digitally secure (ENISA, 2020). rity environment to consolidate Canada’s interests. This strategic

5
 Fig. 1. ENISA: NCAF clusters and their corresponding cybersecurity objectives. OES: Operators of essential services. DSP: Digital services providers (ENISA, 2020).

goal is can be achieved through five initiatives: Strategic Policy Ca- 2.7. NCSP 6 - China
pacity in Cybersecurity and Cybercrime, Cyber Security Coopera-
tion Program (CSCP), Canadian Centre for Cyber Security, Interna- China has the intention of becoming a cyber power while also
tional Strategic Framework for Cyberspace, and Bilateral Collabo- promoting a regulated, secure, and open cyberspace. Additionally,
ration on Cybersecurity and Energy. The organization and facilita- the country intends on safeguarding national cyber sovereignty.
tion for implementing these strategic initiatives is assigned to var- China has set their national cybersecurity strategy to address cy-
ious Canadian government entities, such as Public Safety Canada bersecurity as the nation’s new territory for sovereignty marking a
(PS), Communications Security Establishment (CSE), Global Affairs new step in streamlining cyber control. The Cyberspace Adminis-
Canada (GAC), and the Natural Resources Canada (NRCan). tration of China (CAC) set the strategy with the focus on: defend-
ing cyberspace sovereignty, protecting national security and Criti-
2.6. NCSP 5 - Russian Federation cal Information Infrastructure (CII), building a healthy online cul-
ture to combat cyber crime, espionage, and terrorism, improving
The Russian Federation has set a long-term strategy to cover cyber governance, enhancing baseline cybersecurity, elevating cy-
the years 2017 to 2030. Their strategy outlines strategic goals, berspace defense capabilities, and strengthening international co-
objectives, and measures for the implementation of domestic operation (Daricili and Özdal, 2018). In addition, China plans to
and foreign information and telecommunication related policies prepare and graduate more cybersecurity professionals by open-
(United Nations Institute for Disarmament Research, 2017). The ing ten cybersecurity-specialized educational institutions between
Russian Federation’s strategy for the development of information 2017–2027.
society focuses on six national interests: human development, pre-
serving citizens and state security, promoting Russia’s role and 2.8. NCSP 7 - Australia
contribution in the global humanitarian and cultural space, devel-
opment of a free sustainable and secure communication, efficient The Australian government has taken vigorous action towards
public administration, economic and social development, and the national cybersecurity. In their recent cybersecurity strategy for
formation of digital economy. The Russian cybersecurity strategy 2020, they allocated $1.67 billion over the coming decade to invest
evolves from their understanding of the nature of information war- in a secure online world for Australians, their businesses, and their
fare. Hence, the Russian Federation has a strong need for cyber- critical infrastructures and essential services (Government of Aus-
security as a pillar for their national security (Lilly and Cherav- tralia, Department of Home Affairs, 2020). According to the Aus-
itch, 2020). tralian Government’s Department of Home Affairs (DoHA), the de-

6
velopment of a cybersecurity strategy effort is based on extensive ten spheres of action, which address different aspects of cyber
consultation from across the country. Additionally, the DoHA has risks”: (1) Building competencies and knowledge, (2) threat situ-
formed an Industry Advisory Panel to provide their strategic in- ation, (3) resilience management, (4) standardisation / regulation,
sights and guidance on the development of the 2020 strategy and (5) incident management, (6) crisis management, (7) prosecution,
ensure consistency with industries. The Australian Cybersecurity (8) cyber defence, (9) active positioning of Switzerland in inter-
Strategy 2020 has undertaken three classifications: national cyber security policy, and (10) public impact and aware-
ness raising. Each of these spheres includes specific measures (to-
• Governments are responsible to protect Australian residents,
tal of 29 measures). For instance, the measures (1) Building com-
businesses, and critical infrastructures from sophisticated cyber
petencies and knowledge are: (i) early identification of trends and
threats by bolstering defense and countermeasures of their cy-
technologies and knowledge building, (ii) Expansion and promo-
ber space.
tion of research and educational competence, and (iii) Creation of
• Businesses are required to protect their customers from known
a favourable framework for an innovative ICT security economy in
cyber vulnerabilities by securing their products and services.
Switzerland.
• Communities are prohibited from practicing malicious cyber
acts and must protect themselves by practicing secure online
2.12. Summary
behaviours and making informed decisions.

The Australian Cybersecurity Strategy 2020 focuses on growing Worldwide, cybercrimes and their ramifications have become a
the cyber workforce. In their strategy, they emphasized the impor- predicament. National security and cybersecurity ecosystems are
tance of having of Australia’s digital economy and security. Realiz- strongly dependent on the supply of qualified and proficient cyber-
ing its importance, Australia established a Cybersecurity National security professionals and a cybercrime-educated society. Cyberse-
Workforce Growth Program to assist businesses and academia. curity education is perceived as the primary pipeline supply for
cybersecurity professionals. All reviewed NCSPs concede to certain
2.9. NCSP 8 - Association of southeast asian nations cybersecurity strategic goals or pillars:

• Achieving a strategic vision of becoming cybersecurity resilient,

The Association of Southeast Asian Nations (ASEAN) collabo-
which is a joint effort between government, industry, and com-
rated with the European Union to establish a comprehensive cy-
munity.
bersecurity framework (De Inovação, 2018). Within this framework,
• Cybersecurity professionals are urgently required to protect
two important plans that are mentioned are the Master Plan and
government and private sector systems from malicious acts and
the ASEAN Declaration to Prevent and Combat Cybercrime. The
sophisticated cyber attacks.
key objectives of the Master Plan (2016–2020) focus on enabling
• A country is required to invest in research and developments of
the transformation of the digital economy and the development
cybersecurity countermeasures against emerging sophisticated
of human capacity for an attractive and secure digital investment
attacks targeting their critical infrastructures.
environment. As part of the strategic thrust of the Master Plan,
• Societies’ maturity and awareness of cybersecurity plays a cru-
two initiatives were undertaken to strengthen information secu-
cial role in combating cybercrime.
rity and preparedness in ASEAN. The ASEAN Declaration to Prevent
and Combat Cybercrime focuses on developing awareness and ef- Table 4 summarizes the review of selected sample from world-
fective work on cybersecurity related topics and disciplines (De In- leading countries’ NCSPs, outlining the urgent need to invest in the
ovação, 2018). development and implementation of an effective cybersecurity ed-
ucation and awareness initiatives and programs to supply profes-
2.10. NCSP 9 - United Arab Emirates sional cybersecurity specialists.

The United Arab Emirates (UAE) has successfully developed and 3. Cybersecurity curricula improvement standards and
deployed an advanced digital and information technology solution frameworks
for their critical infrastructure (Ghafir et al., 2018). The government
realized the importance of planning and working towards strength- Given its vital contribution to cybersecurity ecosystem, numer-
ening their defense and resilience countermeasures to combat so- ous efforts have been made to develop cybersecurity curricula and
phisticated cybersecurity threats and attacks (Ghafir et al., 2018). programs. The following subsections presents a sample of various
This includes enriching the skillsets and awareness of individu- standards, guidelines, frameworks, and concepts proposed for cy-
als and organizations. The UAE Cybersecurity strategic plan was bersecurity curricula improvement.
developed by the Telecommunication Regulatory Authority UAE -
Telecommunication Regulatory Authority (2019). It consists of five 3.1. NIST- NICE Framework
pillars and 60 initiatives. The underlying objective of the UAE’s
NCSP is to create a safe and strong cybersecurity ecosystem in or- The National Institute of Standards and Technology (NIST)
der to enable citizens to fulfill their aspirations and empower busi- has developed the National Initiative for Cybersecurity Education
nesses. This NCSP has specific initiatives aimed at consolidating ad- (NICE) Framework, which was first published in 2017 and revised
vanced innovation, research, and development undertaken by aca- in Nov. 2020 (Petersen et al., 2020). NICE works as a reference-
demic institutions and motivating students to pursue cybersecurity framework (lexicon) and is designed to ensure the following ob-
as their future career. jectives:

2.11. NCSP 10 - Switzerland • To provide a cybersecurity work reference taxonomy.

• To empower, advocate, and coordinate a robust ecosystem of
In 2018, Switzerland’s Federal IT Steering Unit (FITSU) Federal IT cybersecurity education, training, and workforce development.
Steering Unit (FITSU) (2018) released a four year plan on protect- • To consolidate the development of a robust cybersecurity cur-
ing their country against cyber risks, which was the continuation ricula by describing tasks, knowledge, and skills.
of the previous plan that took effect from 2012 to 2017. In or- • To assist organizations/sectors with the development of a com-
der to achieve their objectives, their NCSP ”distinguishes among mon and consistent lexicon and categories for cybersecurity

7
Table 4
Summary of NCSP with focus on cybersecurity education improvements and awareness enrichment.

Country/ Region Strategic Agenda

United States (NSA & NIST) • Create standards for cybersecurity education in the United States of America
• Determine the appropriate curricula to offer students
• Encourage collaboration among academia and industry
• Emphasize on hands-on learning in cybersecurity
• Launch the National Initiative for Cybersecurity Education (NICE) program in alignment with the
guidelines established by the DHS and NSA
• Provide a reference-model for educators to create training, degree, and certification programs, as well
as developing the appropriate curriculum
United Kingdom (UK - Government - Cabinet Office) • Strengthening the UK’s cyber ecosystem
• Building a resilient and prosperous digital UK
• Taking the lead in the technologies vital to cyber power
• Advancing UK global leadership and influence
• Detecting, disrupting and deterring adversaries
European Union (ENISA) • National Capabilities Assessment Framework (NCAF) to enable member states to assess their maturity
towards achieving National Cybersecurity Strategy (NCSS) objectives
• Definition of EU cyber policies and enhancement of trustworthiness of information and
communication technology products and deliverable, services, and processes
• Cybersecurity knowledge sharing and capability building through awareness enrichment
• Collaborate and involvement with key stakeholders to assure trust in interconnected economy and
strengthen resilience of critical infrastructure
• Digitally secure EU societies and citizens.
Canada (ESDC, ISED, CSE, SCC) • Commence student work-integrated learning program
• Complete student work-integrated learning program and conduct evaluations
• Launch cyber education and awareness tools
• Launch cyber certification programs
Russia (Governmental Authorities) • Human-Capital Development in Cybersecurity and preserving citizens’ and states’ security
• Profound role and contribution in global humanitarian and cultural space, advancement of developing
free sustainable and secure interaction among citizens, organizations, and authorities
• Efficient public administration, economic and social development, and digital economy
• Nurture cybersecurity innovation, research, and development.
China (CAC) • Defining cyberspace sovereignty and protecting national security and critical information
infrastructure (CII)
• Creating a healthy online culture to fight cyber crime through improved cyber governance, enhancing
baseline cybersecurity, elevating cyberspace defense capabilities, and strengthening international
cooperation
• Increase supply of cybersecurity professionals by establishing specialized educational institutions in
the period of 2017–2027
Australia (DoHA) • Protecting and actively defending the critical infrastructure.
• Greater collaboration to build Australia’s cyber skills and workforce supply
• Establishing a Joint Cybersecurity Center program for stronger partnership with industry
• Guidance and support for small- and medium-sized businesses and consumers to increase their cyber
resilience, and securing Internet of Things devices
Association of Southeast Asian Nations • Enabling transformation to a digital economy
• Building human capacity to create an attractive and secure digital investment environment.
• Developing awareness and effective work on developing advanced cybersecurity related disciplines
and programs
United Arab Emirates (TRA) • Development of national cybersecurity strategy.
• Launching more than 60 initiatives to support research and development in cybersecurity.
• Development of a cybersecurity ecosystem focusing on national cyber safety and cybersecurity
resilience
Switzerland (FITSU) • Focus on building competencies, knowledge, and awareness.
• Improve resilience and be prepared for incidents (e.g., incident management, crisis management, and
prosecution)
• Build expertise on standardisation and active positions in international cybersecurity policy

work skills, knowledge, and competencies in order to develop 3.2. ACM/IEEE

their workforce capabilities in cybersecurity work.
• To help learners on two levels, both professional and on an International professional associations such as Association for
awareness-level, in order to explore cybersecurity themes and Computing Machinery (ACM) and IEEE Computer Society (IEEE-CS)
to enroll in the appropriate learning activities to develop their have formed a joint team in an attempt to define the structure
competency in cybersecurity work. of the cybersecurity discipline, support the alignment of academic
programs from other related disciplines, and to propose guide-
The NICE framework structure consists of cybersecurity compe- lines for cybersecurity curriculum (IEEE Computer Society and
tency building blocks, the structure of which starts by defining a ACM, 2017). This collaboration officially began in 2015, and has
set of cybersecurity work tasks. Each of these work tasks are judi- continued since. The most recent version of their guidelines was
ciously mapped and referenced to correlated knowledge and skills published in 2017 (Shoemaker et al., 2017), which ensures that cy-
(Petersen et al., 2020), which are further classified to assess cy- bersecurity programs include a combination of fundamental topics
bersecurity professional competency levels (i.e. beginner, interme- ranging from computing disciplines, such as computer science and
diate, and advanced). Thus, the NICE framework can be utilized to engineering, to interdisciplinary content, such as human factors,
outline cybersecurity education and training program learning out- law, ethics, and risk management. These guidelines also suggest
comes (Trilling, 2018). key-knowledge areas to be included in a cybersecurity program,

8
such as data security, software security, network security, human by Przyborski et al. (2019) proposes embedding a compulsory com-
security, and organizational security (IEEE Computer Society and mon course for all first-year students across all disciplines. Their
ACM, 2017). evaluation shows promising results (Breitinger et al., 2021).
ENISA perceives the fact that the development of an European
3.3. British computer society Cybersecurity Skills Framework is an integral act that shall shape
the Europe’s digital future and prosperity (Nurse et al., 2021). A
The BCS has established and defined accreditation standards group of professionals were assigned to design the framework with
and guidelines for cybersecurity programs for higher education. the goal of promoting harmonization in the ecosystem of cyberse-
These standards focus on identifying key-knowledge areas of cy- curity education, training, and workforce development and to de-
bersecurity programs (Crick et al., 2019; Irons et al., 2016). The velopment a common European language in the context of cyber-
UK’s BCS (Irons et al., 2016; UK (H.M) Government, 2016) requires security skills.
academic institutions to amend cybersecurity programs’ curricula With the focus on overcoming the cybersecurity skills shortage
to include a practicum component and key-knowledge areas. within EU member states, the underlying objective of the Euro-
pean Cybersecurity Skills Framework is to create a common under-
standing of the roles, competencies, skills and knowledge utilized
3.4. Certification
by and for individuals, employers and training providers cross the
EU member states. Furthermore, the framework serves to support
National Cyber Security Center (NCSC) with partners have ini-
recognition of cybersecurity-related skills and the design of rele-
tiated across UK academia certification degree programs designed
vant cybersecurity training programs. Hence, the framework is ex-
to address the knowledge, skills, and capability requirements for
pected to support employment in cybersecurity sectors throughout
cybersecurity education, products, and services (Nautiyal et al.,
the Union. The framework’s design is articulated based on member
2022). Such certification programs include the Certified Cyber Pro-
state inputs and needs, and therefore, could be restricted to serve
fessionals (CCP). This certification program recognizes those who
the state’s digital economy.
demonstrated their sustainability to apply their skills, knowledge,
In this section, samples of improvement standards and frame-
and expertise in cyber real-world situations.
works were reviewed. Our study employs the NICE framework be-
Several studies has discussed the importance of professional
cause it adopts the competency-based education method of teach-
cybersecurity certificates towards overcoming the existing gap on
ing (Alsmadi and Easttom, 2020).
demand cybersecurity skills. For instance, (Marquardson and El-
noshokaty, 2020) analyzed large number of job-listing for cyberse-
curity professionals and determined that 60% of entry-level jobs in 4. Review of cybersecurity education improvements initiatives
cybersecurity requires computer-related degree while 19% of these
jobs requires professional certificates demonstrating certain knowl- Researchers and academics from all over the world seek to im-
edge, skills, and competencies. prove and promote cybersecurity education. The results of their
work focus on encouraging high school students to pursue careers
in cybersecurity, improving existing curricula, and creating an at-
3.5. UAE - Ministry of education
tractive cybersecurity education.
The NCSP is one the driving forces towards designing an effec-
The MoE K-12 Computer Science and Technology Standards was
tive cybersecurity program. The design paradigm is required to ful-
published in 2015 (Ministry of Education- UAE, 2015) and elabo-
fill NCSP goals and requirements. The following are common ed-
rates on a set of guidelines for schools, describing cybersecurity
ucation requirements found in sample reviewed of world-leading
key-learning areas in order to prepare students to pursue graduate
NCSPs:
degrees in cybersecurity. The standard is divided into four main
domains: Digital literacy and Competence, Computational Think- • Alignment with NCSP: Cybersecurity education plays a vital
ing, Computer Practice and Programming, and Cybersecurity/Safety role in the supply of professionals and in the enrichment of
Ethics. The MoE has adopted and included existing international an individual’s maturity and awareness of cybersecurity. Hence,
standards, such as the International Society for Technology in Ed- programs throughout the world should to be in alignment with
ucation (ISTE), and Computer Science Teachers Association (CSTA) the NCSP goals and priorities.
standards. • Dynamic Revision Process: Cybersecurity programs are re-
quired to have a dynamic revision process for their curricula
3.6. Other frameworks and concepts and be able to cope with new and emerging technologies, new
forms of cyber threats and attacks, and knowledge of new inno-
Several studies have proposed frameworks to create, develop, vative solutions (Cobb, 2016; Crumpler and Lewis, 2019; Kreider
and enhance current practices in both the design and delivery and Almalag, 2019).
of cybersecurity programs. For instance, a study by Hallett et al. • Workforce Demands on Cybersecurity Skills and Competen-
(Hallett et al., 2018) proposed a Cybersecurity Body of Knowledge cies: Recent studies indicate a shortage in the workforce sup-
with the stated aim of providing a common basis to compare var- ply for cybersecurity professionals in terms of numbers and
ious curriculum development frameworks in cybersecurity. Nearly skills (Cobb, 2016; Crumpler and Lewis, 2019; Evans and Reeder,
all proposed frameworks are focused on identifying the sets of fun- 2010). Cybersecurity curricula should demonstrate their capa-
damental knowledge and skills needed to be incorporated in the bility to produce skillful cybersecurity professionals in terms of
cybersecurity curricula (Kreider and Almalag, 2019). Several studies knowledge, skill, and competency.
reviewed existing cybersecurity and computer science higher edu-
cation programs’ curricula for improvements (Alsmadi and Zarour, 4.1. Initiatives to attract cybersecurity students
2018; Cabaj et al., 2018; Cao and Ajwa, 2016). Some improvement
challenges reported the importance of keeping course material up- Several initiatives have been made at the national government
to-date and remaining ethical while practicing new skills (Beuran level to encourage high-school students to pursue cybersecurity
et al., 2016; Santos et al., 2017). Nevertheless, with the goal of en- education as a future career (Government of Australia, Department
riching individuals’ cybersecurity awareness, the study conducted of Home Affairs, 2020; Ministry of Public Safety and Emergency

9
Preparedness of Canada, 2019; UAE - Telecommunication Regu- their studies game-based learning methods for cybersecurity con-
latory Authority, 2019). For instance, the Australian cybersecurity cepts. These games target students of all ages. The games them-
strategic plan (Government of Australia, Department of Home Af- selves were developed for both mobile phones and computers and
fairs, 2020) attempts to attract individuals and have them consider they teach cybersecurity concepts in a simple, easy way that any-
cybersecurity as their future profession several initiatives such as: one can understand. There are several purposes for these games:
Scholarships, Apprenticeships or apprenticeship-style courses in
higher education, Development and delivery of specialist cyberse- 1. To encourage younger students to practice safe digital commu-
curity courses for professionals, Re-training initiatives to help ex- nication and interactions.
isting professionals in other related disciplines transition to the 2. To attract students to the cybersecurity field.
cybersecurity domain, Training or professional development for 3. To offer current cybersecurity students a different, more relaxed
teachers and board executives through practical partnerships or ex- and entertaining way of practicing the skills that they learned
changes with industry figures, and Digital training platforms and in class.
students delivered cybersecurity services. 4. To enrich individuals’ awareness level on cybersecurity and
ENISA has recently developed the Cybersecurity Higher Ed- ethics.
ucation (CYBERHEAD) program to promote cybersecurity edu-
Other research studies proposed that students may bene-
cation and to maintain a unique crowd-sourcing database of
fit from exchanging experiences with their peers. Ahmed and
cybersecurity-related education programs (Nurse et al., 2021).
Roussev (2018); Govan (2016); Straub (2018) proposed the in-
In addition to various government initiatives, another way
tegration of peer-teaching methods into cybersecurity courses.
to encourage individuals to consider cybersecurity as their fu-
Straub (2018) and Ahmed and Roussev (2018) used peer-learning
ture profession is through the creation of activities and competi-
as a platform for students to ask questions and discuss class ma-
tions. For example, the Pink Elephant Unicorn (PEU), Capture the
terials together. These labs also included activities for the stu-
Flag (CtF), and Collegiate Penetration Testing Competition (CPTC)
dents to partake in together to learn from each other. For instance,
are examples of famous cybersecurity competitions (Pattanayak
Govan (2016) introduced roles to these lab activities. According
et al., 2018; Švábenskỳ et al., 2021). Cheung et al. (2011) and
to Ahmed and Roussev (2018), 92% of the students that partici-
Thomas et al. (2019) investigated the implications of challenge-
pated in peer-learning believed that discussing the course topics
based learning in the classroom, where challenges and competi-
with their classmates helped them understand the material better.
tions were created to help teach or practice concepts and skills.
A summary of literature and their proposed / studied initiative is
Once the students were assessed, researchers found that their per-
depicted in Table 5.
formance in the classroom had actually improved.
Diversification in instructional and teaching methodologies is
an important variable to examine when evaluating the quality 4.2. Initiatives for dynamic revision of cybersecurity curricula
of cybersecurity programs. According to the guidelines set by
IEEE Computer Society and ACM (2017) and the standards set Education programs are required to revise their adherence to
by National Security Agency and Department of Homeland Secu- accreditation standards (whether national or international) period-
rity (2020), cybersecurity courses must include practical compo- ically. In fact, nearly all accreditation standards require programs
nents in the form of laboratory exercises. These exercises should to conduct self-assessment exercises on a yearly basis to demon-
involve the sufficient tools to properly train students and to prac- strate its effectiveness and capacity to achieve program learning
tice the application of knowledge in order to develop tangible outcomes, as well as to incorporate new and emerging develop-
skills. As an example, China’s NCSP emphasizes the importance of ments to the program curriculum. In comparison to other scientific
having a laboratory environment setup. In line with this, China is and engineering disciplines such as mathematics, physics, and me-
planning to establish ten advanced cybersecurity academic institu- chanical engineering, the cybersecurity discipline is considered to
tions installed with cutting-edge technologies and state-of-the-art be evolving at a rapid pace (Kreider and Almalag, 2019).
facilities between 2017–2027 (Daricili and Özdal, 2018). Studies conducted by Alsmadi and Zarour (2018);
Zeng et al. (2018) proposed developing virtual and hands-on Beuran et al. (2016); Cabaj et al. (2018); Cao and Ajwa (2016);
laboratories for students. Specifically, a web-based virtual platform Kam and Katerattanakul (2014); Luallen and Labruyere (2013);
was designed to conduct cybersecurity data analysis and intelli- McGettrick (2013); Patterson et al. (2016); Santos et al. (2017);
gence. A similar approach was also proposed by Thompson and Wei et al. (2016) have reviewed existing cybersecurity and com-
Irvine (2018), who suggested using virtual environments known as puter science programs to ensure that they include the required
lab-trainers. Studies conducted by Katerattanakul and Kam (2019); material and appropriate courses. Modifications were proposed
Qian et al. (2012); Yuan (2017) emphasized the importance of us- to cybersecurity programs to keep course modules up-to-date, to
ing hands-on and realistic projects to elevate student competen- ensure that the necessary resources are available and up-to-date,
cies in key cybersecurity knowledge and skill domains. In their and to introduce new skills (Beuran et al., 2016; Santos et al.,
study, Mislan and Wedge (2016) proposed a similar ideology for 2017).
their cybersecurity and digital forensics labs. They designed a Cabaj et al. (2018); Harris et al. (2019); Raj and Parrish (2018);
lab environment that allowed students to assume roles and in- Stange et al. (2019); Wei et al. (2016) reviewed several cyber-
teract with each other while handling small-scale digital devices. security programs offered in different educational institutions to
Sharevski et al. (2018) sought to include students from other dis- determine their adherence to the accreditation standards set by
ciplines in cybersecurity related topics. Namely, they proposed an IEEE Computer Society and ACM (2017); National Security Agency
interdisciplinary course in secure design for cybersecurity students, and Department of Homeland Security (2020). Their studies inves-
user interaction design, and visual design. In order to apply the tigated a variety of courses and practical components of cyberse-
concepts taught in the course, the students were taught to proto- curity curricula that need to be included. Stange et al. (2019) re-
type Internet-of-Things (IoT) products, which is another area that is viewed an accredited program by ACM and Accreditation Board for
gaining in popularity due to the increased presence of IoT devices Engineering and Technology (ABET) called Cyber2yr, which is a cy-
and smart things. bersecurity program that was proposed for two-year associate de-
Gestwicki and Stumbaugh (2015); Jin et al. (2018); Li and Kulka- grees. Their study was focused on testing the generalization of ac-
rni (2016); Olano et al. (2014); Zahed et al. (2019) proposed in creditation standards for different types of degrees.

10
Table 5
Summary of methods used to attract individuals to cybersecurity discipline.

Initiative/ Activity Reference Main Objective

Government Support (Daricili and Özdal, 2018; Government of Australia, • To provide support for individuals pursuing their future
Department of Home Affairs, 2020; Ministry of Public career in cybersecurity
Safety and Emergency Preparedness of Canada, 2019;
The White house, Washington DC, 2018; UAE -
Telecommunication Regulatory Authority, 2019;
UK (H.M) Government, 2016)
• To provide support for research and development in
this field.
• To provide support for academic institutions and
organizations to launch cybersecurity academic and
awareness programs.
Competitions (Cheung et al., 2011; Pattanayak et al., 2018; Thomas • To improve competitions and find ways to be more
et al., 2019) welcoming to those that are interested in cybersecurity
as a career.
Different Teaching Methods (Ahmed and Roussev, 2018; Gestwicki and Stumbaugh, • To offer different methods of teaching cybersecurity in
2015; Govan, 2016; Jin et al., 2018; Katerattanakul and addition to the traditional methods to spark interest in
Kam, 2019; Li and Kulkarni, 2016; Mislan and Wedge, newcomers and enhance training for current students.
2016; Olano et al., 2014; Qian et al., 2012; Sharevski
et al., 2018; Straub, 2018; Thompson and Irvine, 2018;
Yuan, 2017; Zahed et al., 2019; Zeng et al., 2018)
Curriculum Revision and Improvements (Alsmadi and Zarour, 2018; Beuran et al., 2016; Cabaj • To enhance the learning experience for students, as
et al., 2018; Cao and Ajwa, 2016; Kam and well as help the institution become certified and
Katerattanakul, 2014; Luallen and Labruyere, 2013; accredited for cybersecurity education.
McGettrick, 2013; Patterson et al., 2016; Santos et al.,
2017; Wei et al., 2016)

The dynamic revision of cybersecurity curriculum is based on 4.3. Initiatives for the alignment of cybersecurity knowledge, skills,
multiple influencing factors. The followings are critical influenc- and competencies
ing factors to consider when revising cybersecurity education and
training programs’ curricula for improvement: The learning outcomes of cybersecurity education and aware-
ness are incorporated in its curriculum in the form of key-
• NCSP mandates / requirements. knowledge areas, skill sets, and competencies. Cybersecurity edu-
• Labor market demands for cybersecurity skills, knowledge, and cation and awareness programs are required to revise these aspects
competencies in professional cybersecurity workforce. periodically in order to ensure that their standards meet the la-
• New and emerging innovation and research in cybersecurity. bor market demands for the professional cybersecurity workforce.
• New and emerging forms of sophisticated cybersecurity threats. Revision is done regularly to incorporate new or emerging key-
• Evolution in digital information and communication technolo- knowledge areas, skill sets, and competencies. These revisions are
gies. influenced by several factors such as coordinating the cybersecu-
• Evolution in cybersecurity education accreditation standards. rity curriculum material with the NCSP, as well as adding new
• Changing societal expectations (e.g., due to generational culture trends in digital and information technology, and the latest re-
differences). search and innovation in this discipline. Several frameworks have
been proposed to emphasize the factors which influence curricu-
An NCSP enforces the improvement of cybersecurity education lum design and delivery. Accreditation standards impose manda-
and awareness programs with the aim of meeting national cyber tory revision cycles of program curricula and self-assessments in
agendas. Nevertheless, labor market demands and future trends order to ensure its efficacy in the goal towards achieving stu-
impose the pressure to constantly revise and improve the skill dent learning outcomes. For instance, the NICE framework has
and knowledge requirements of cybersecurity education programs been designed to provide a lexicon for the cybersecurity workforce
(Gorham, 2019). Emerging innovative cybersecurity knowledge or (Newhouse et al., 2017; Petersen et al., 2020). ENISA intends to de-
solutions are also driving factors putting increasing pressure on velop a European Cybersecurity Skills Framework to create a com-
the need to constantly revise cybersecurity education curricula. mon understanding of the relevant roles, competencies, skills and
For instance, the use and application of blockchain technology in knowledge (Nurse et al., 2021). IEEE and ACM created a joint effort
cybersecurity and privacy is an area that needs further attention to propose guidelines for defining the structure and fundamental
(Hajizadeh et al., 2020; Maleh et al., 2020). Educating individuals topics to be incorporated into cybersecurity discipline (IEEE Com-
on how cyber threats are conducted and evolving to be more so- puter Society and ACM, 2017).These guidelines suggest that the key
phisticated is an integral part of cybersecurity education. Studies cybersecurity knowledge areas include topics such as data security,
of new and emerging threats are now essential and should be in- software security, network security, human security, and organiza-
corporated into the curricula. tional security.
Digital information and telecommunication technologies evolve The BCS has proposed accreditation guidelines for professional
rapidly, which introduces new aspects to explore and consider for and academic cybersecurity programs (Irons et al., 2016). These
cybersecurity education. For example, new cybersecurity capabili- guidelines emphasize important key-knowledge areas in this disci-
ties and challenges are introduced when looking at 6G networks pline and require cybersecurity programs to include practical com-
(Gui et al., 2020; Guo et al., 2020). Accreditation standards, and ponents in their curricula. The UAE’s Commission of Academic Ac-
any changes to them, have both a direct and indirect impact on creditation (CAA) new accreditation standard of 2019 has an aca-
all educational and professional programs curricula. Therefore, cy- demic program based on its risk-profile (Commission of Academic
bersecurity programs and credentials must be revised in order to Accreditation- Ministry of Education, 2019).
comply with any updates.

11
5. Strategy mapping approaches and models mapping and prioritization with focus on increasing organizational
performance and effectiveness.
The NCSPs determine a set of strategic goals, objectives, and The application2 of strategy mapping using BSC and its four
key-performance indicators towards fulfilling a nation’s cyberse- perspectives in this study’s context has provided high-level action
curity professional requirements. Therefore, a great part of the plans which may be considered, in some cases, as business goals.
responsibility depends on how well cybersecurity education and For instance, addressing the students’ experience perspective did
training programs are aligned with NCSPs and their goals. A prag- not determine which competency to include or to maintain but
matic and systematic process is essential for mapping the high- provided cybersecurity improvement curricula action plan. Never-
level cybersecurity strategic goals with cybersecurity programs’ theless, results obtained from BSC approach are high-level activ-
curricula to assure adequate maintenance and calibrating the com- ities. It is considered to be insufficient when determining which
petitively successful growth of the cybersecurity programs for long cybersecurity professional competencies to consider when revising
terms. cybersecurity education and training program’s curricula and work
To the authors’ knowledge, investigating the process of liais- towards achieving the cybersecurity strategic goal to supply com-
ing the influencing factors to the revision of cybersecurity curric- petent cybersecurity professionals and to create cybersecurity ma-
ula has not yet been investigated. Furthermore, there is currently ture society.
no methodology that is recommended or specifically designed to
align and cascade high-level strategic goals to education or training 5.2. GQM and GQM+strategies
curricula. Thus, in practice, an approach to define required cyber-
security competencies that explicitly links high-level cybersecurity Goal-Question-Metric (GQM) is a systematic and pragmatic
strategic goals and initiatives is needed. method which explicitly integrates high-level goals with models
of various perspectives of interest, based on specific needs. In the
5.1. Balanced scorecard GQM+Strategies approach, the goals are first defined in an opera-
tional and traceable fashion by clarifying them into a set of quan-
The Balanced Scorecard (BSC) is one of the most famous meth- tifiable questions that are utilized to elicit information from the
ods in strategy mapping and was introduced in the early1990s models. These questions and models are employed to determine
(Adamson, 2019; Kopecka, 2015). BSC is used to translate high-level the metrics. The defined metrics are used to specify the data needs
strategic goals into actionable plans. It provides the basis for the to be collected. The models provide a framework which interprets
development of financial and non-financial BSC measures to mon- the collected data (Basili et al., 2007). Fig. 2 depicts the various
itor strategy execution and performance (Kopecka, 2015). Strat- elements of GQM+Strategies model.
egy mapping works as a vehicle to help establishments and indi- Originally, the GQM approach was defined for evaluating de-
viduals interpret the high-level strategic goals and to align their fects for a set of projects the NASA Goddard Space Flight Center
priorities and activities accordingly (Kaplan et al., 2004). Strat- environment where the application involved a set of case study ex-
egy mapping using BSC works by creating a visual representa- periments (Basili and Selby, 1984; Basili and Weiss, 1984; Caldiera
tion that demonstrates how to link low-level operational activi- and Rombach, 1994). Though it was originally utilized for a spe-
ties to higher-level strategic goals. The BSC has been intensively cific project in a particular environment, the GQM has been ex-
employed in various domains since it was introduced, as men- panded to be used in more contexts. For example, it has been used
tioned in (de Almeida Ribeiro et al., 2021; Choong and Islam, 2020; for quality improvement for software development organizations
Goldstein, 2020; Moraga et al., 2020; Oliveira et al., 2021; Urquía- and paradigms within an organizational framework, as well as for
Grande et al., 2021). building software competencies to supply to projects (Caldiera and
The BSC interprets strategies based on four perspectives: fi- Rombach, 1994).
nancial, customer, internal processes, and learning and growth According to Basili et al. (2007), the GQM approach is limited
(Adamson, 2019; Kaplan et al., 2004). Generally, the financial and when it comes to describing goal dependencies and does not en-
customer perspectives answer the general question: ’What does sure the wholeness of goals to constitute a rich set of relation-
the business want to accomplish?’ while the internal processes, ships. On the other hand, the GQM+Strategies leverages the tra-
and learning and growth perspectives answer the question ’How ditional GQM approach (Caldiera and Rombach, 1994). It is de-
does the business plan to accomplish it?’ (Adamson, 2019). signed to identify and utilize the relationships between goals at
Although the BSC is considered to be a mature strategy map- different levels. It makes strategic goals and corresponding busi-
ping method, it also has its own deficiencies (Kopecka, 2015). For ness goals explicit. In addition, it also makes relationships between
example, a study conducted by Speckbacher et al. (2003) reported business goals and related activities explicit (Basili et al., 2007).
that the BSC method lacks in crucial information, competitive en- The GQM+Strategies sequences activities necessary to achieve the
vironment and stakeholders orientation. Additionally, the defini- strategic goal, which are defined by business goals and enclosed
tion of BSC may be unclear and diverse integration may lead to into scenarios. Links identify the business goals that support the
overlooking some crucial issues (Kopecka, 2015). Another study strategic goal achievement. The model GQM+Strategies produces
reported that the BSC method’s learning and growth perspective provides an organization with mechanisms to interpret how the
does not completely assist organizations in achieving organiza- selected output is consistent with upper levels within an organiza-
tional change and strategies (Yee-Ching and Shih-Jen, 1999). In tion. Moreover, links and outcomes ensure that business goals are
some cases, strategy mapping using the BSC approach requires the fulfilled (Basili et al., 2007).
integration of other systems or methods to incorporate integral
components of planning development, execution, and maintenance.
6. An updated GQM+strategis model
For example, a study conducted by Quezada et al. (2021) proposes
the integration of the Analytical Network Process (ANP) to consol-
In this study’s context, we are proposing updates to the
idate the implementation of BSC and to generate performance in-
GQM+Strategies model to systematically align the improvement
dicators for manufacturing areas within companies. A study con-
ducted by Pakdaman et al. (2021) discussed the benefits of com-
bining BSC with other methods, such as Project Portfolio Manage- 2
BSC application to align cybersecurity improvement program goals to NCSP is
ment (PPM) and the Analytical Hierarchy Process (AHP) for strategy demonstrated in Appendix A.

12
 Fig. 2. GQM+Strategies approach aligning business and project goals to measurement program.

process of cybersecurity education and training curricula to NCSP nally, GQO+Strategies linkages and curriculum improvement goals
goals. The newly proposed updated model is called Goal-Question- in terms of learning outcomes ensure the NCSP goals are fulfilled.
Outcomes+Strategies (GQO+Strategies). Cybersecurity improvement
processes focus on determining the best-fit cybersecurity learning 6.1. GQO+Strategies implementation
outcomes. The update to GQO+Strategies is made at the quantita-
tive level to produce a systematic alignment that outlines the best- In this section, we explore the potential of applying the up-
fit learning outcomes instead of metrics. The GQO+Strategies ap- dated GQO+Strategies approach to systematically align cybersecu-
proach is modified while adopting GQM+Strategies peculiarities. It rity education and training programs’ curriculum improvements
offers cybersecurity education and training providers with mean- to consolidating the achievement of cybersecurity strategic goals.
ingful rationale for adequately calibrating best-fit competencies to This method is an analytical inspection that focuses specifically
their curriculum and to have blueprint for justifying/interpreting on identifying conceptual context for strategic goals, cybersecurity
data at each level of the approach (Basili et al., 2007). Therefore, education improvement goals, and curriculum improvement pro-
at each goal level, learning outcomes are defined and linked to the grams as the main influencing factors. It elaborates on the opera-
achievement of cybersecurity improvement goals and aligned with tional context by characterizing the improvement goal with respect
cybersecurity strategic goals. Fig. 3 depicts the transformation of to various aspects of the improvement objective to determine the
the GQM+Strategies approach to GQO+Strategies for the purpose of best-fit learning outcomes. Hence, detailing learning outcomes in
cybersecurity curricula improvement and alignment with cyberse- order to correlate the most appropriate competencies and special-
curity strategic goals integrating NIST-NICE framework for cyber- ity areas to embrace from a relevant lexicon. Concluded learning
security workforce skills and competencies. This study utilizes the outcomes will be therefore used to benchmark against program
UAE’s NCSP to derive and align cybersecurity curriculum improve- learning outcomes for improvement.
ment of the United Arab Emirates University’s Master’s program in
information security. 1. Conceptual level (Goals): Cybersecurity education and training
The GQO+Strategies approach makes the NCSP goals, strategies, curricula improvement program is defined for a variety of rea-
and corresponding Cybersecurity Education Improvement goals ex- sons, from various point of view, relative to its environment.
plicit. Strategies are formulated that deal with NCSP goals such Cybersecurity curriculum improvement program output are:
as supplying cybersecurity professionals, defending from sophis- • Students’ learning outcomes.
ticated cybersecurity threats, and more. The GQO+Strategies ap- • Level of alignment to cybersecurity strategies.
proach also makes the relationship between Cybersecurity Educa- • Competencies obsolescence.
tion Improvement activities and Curriculum Improvement Goals ex- 2. Operational Level: A set of questions to characterize the way to
plicit. Sequences of activities necessary for accomplishing the goals assess the achievement of curriculum improvement goals. Since
are defined by the NCSP and embedded into scenarios in order this study is focused on identifying the most appropriate cyber-
to achieve some cybersecurity education improvement goals. Links security competencies, questions might be asked in the follow-
are established between each cybersecurity education improve- ing formats:
ment goals and the NCSP goals it supports. Attached to goals, • What competency do cybersecurity professionals need to
strategies, and scenarios at each level of the model is the informa- acquire in order to ... ?
tion about the relationships between goals, relevant context fac- • Which competency is best-fit for cybersecurity professionals
tors, and assumptions. The entire model provides NCSP with a to acquire to perform ... ?
mechanism not only to define cybersecurity curriculum improve- • What is the level of the cybersecurity competency cyberse-
ment consistent with larger, upper level NCSP goals, but also to in- curity professionals need to acquire to successfully achieve,
terpret and roll up the resulting curriculum improvement data at complete, and conduct ... ?
each level. NICE framework was then utilized to select the most 3. Outcomes Level: A set of cybersecurity learning outcomes and
appropriate learning outcomes and their competency levels. Fi- speciality areas associated with each question used to charac-
terize the curriculum improvement goal. At this level, the NICE

13
 Fig. 3. GQO+Strategies approach for cybersecurity education and training curricula improvement and alignment to cybersecurity strategic goals.

framework is utilized to identify best-fit cybersecurity cate- goal also requires skills in secure operation and maintenance of
gories and speciality areas. The selection of cybersecurity cate- information technology infrastructure.
gories and speciality areas is governed by the systematic align- • Enrichment of individuals’ maturity and awareness of cyberse-
ment of curriculum improvement goals derived from higher- curity and cyber-crime and threats. This applies to awareness
level strategies. Furthermore, it is dependent on the specifica- programs in both private and national-level organizations.
tions provided in the workforce framework for cybersecurity
NICE framework (Petersen et al., 2020). The GQO+Strategies approach addresses the cybersecurity
strategic goals, which are defined as the following:
As a result of examining NCSPs, the following are shared
strategic goals which require the supply of professional workforce • Strategic Goal-1: Development of secure digital and information
and the enrichment of individuals’ cybersecurity awareness. These technology infrastructures and services.
strategies will be taken into consideration as cybersecurity educa- • Purpose: Supply of competent cybersecurity professionals to
tion and training programs’ curricula improvement program goals. develop secure and digital critical infrastructures and ser-
vices.
• Development of secure digital and information technology in- • Issue: Lack of certain and emerging cybersecurity compe-
frastructures and services. This applies to both government and tencies, advancement in technological solutions, and emerg-
private sectors’ critical infrastructures, including its systems, ing sophisticated cyber threats.
data, and network. • Sector (theme): Cybersecurity Education and Training Pro-
• Defending from sophisticated cyber threats by developing ap- grams.
propriate countermeasures to detect and deter cyber threats. • Viewpoint: National Leadership.
This applies to research, development, and innovation in both • Strategic Goal-2: Defending from sophisticated cyber threats by
cybersecurity countermeasures and defense mechanisms. This developing appropriate countermeasures to detect and deter.

14
 • Purpose: Establishing resilient cyber sovereignty from cyber capsulated by a set questions to identify the best-fit cybersecu-
attacks. rity workforce categories and their corresponding speciality areas
• Issue: Emerging cybersecurity threats with the need for de- mapped from the NICE framework. Ideal learning outcomes are
veloping countermeasures. then generated based on the description of the matched category
• Sector (theme): Cybersecurity Education and Training Pro- from the NICE framework.
grams. Results from implementing GQO+Strategies to determine best-
• Viewpoint: National Leadership. fit cybersecurity competencies to achieve cybersecurity education
• Strategic Goal-3: Enrichment of individuals’ maturity and aware- and training curricula improvement program goals using NICE
ness of cybersecurity and cyber-crime and threats. Framework as a lexicon for cybersecurity workforce competency
• Purpose: Reduce cyber-crimes. are illustrated in Table 6.
• Issue: Enrichment of individuals to combat cyber crimes.
• Sector (theme): Cybersecurity Education and Training Pro- 6.2. Case Study: Utilizing GQO+Strategies to Align UAEU
grams. MSc. Program in Information Security Improvement to UAE NCSP
• Viewpoint: National Leadership.
The College of Information Technology at the United Arab Emi-
Business goals can be addressed using the same approach. As rates University (UAEU) offers an MSc. degree program in Infor-
defined in the strategic goals, cybersecurity education and training mation Security. The program is designed towards fulfilling grow-
providers are required to align their business goals to achieve the ing demands for information technology specialists in the infor-
cybersecurity strategic goal and address related issues. The follow- mation security discipline (United Arab Emirates University, 2021).
ing business goals are just an example, and not an inclusive list, The program consists of 30 credit hours in total and is accred-
of possible cybersecurity improvement goals. Therefore, education ited by the UAE’s CAA. According to United Arab Emirates Univer-
and training providers are not limited to the following cybersecu- sity (2021), the MSc. Information Security program focuses on the
rity improvement business goals: delivery of six Program Learning Outcomes (PLOs):
• Business Goal-1: State-of-the-art cybersecurity education and 1. Apply information security knowledge and effective security
training program’s curricula. strategies and standards.
• Purpose: Emphasizing on the on-demand cybersecurity 2. Design effective security solutions based on given requirements.
competencies and to include emerging cybersecurity skills. 3. Evaluate in depth enterprise security systems.
• Issue: Updating cybersecurity education program’s curricula. 4. Execute ethically project work or research that contributes sig-
• Theme (object): Cybersecurity Education and Training Pro- nificantly to the information security discipline.
grams’ Curricula. 5. Demonstrate advanced oral and written communication skills
• Viewpoint: Cybersecurity Education and Training individually and collectively.
Providers/Sector. 6. Analyze critically emerging information security concepts, mod-
• Business Goal-2: State-of-the-practice cybersecurity training pro- els, techniques, and solutions.
gram’s curricula.
• Purpose: Enrich cybersecurity professionals hands-on capa- Learning outcomes produced from implementing the
bilities. GQO+Strategies paradigm to align cybersecurity curricula improve-
• Issue: Revision of cybersecurity hands-on themes curricu- ment program with cybersecurity strategies are benchmarked
lum and to introduce state-of-the-practice case studies, ex- against the master program’s learning outcomes. Comparing
periments, and exercises. between GQO+Strategies learning outcomes and PLOs, we the pro-
• Theme (object): Cybersecurity Education and Training Pro- gram needs improvement in order to align cybersecurity curricula
grams’ Curricula. improvement goals with overall cybersecurity strategic goals. For
• Viewpoint: Cybersecurity Education and Training instance, the enrichment goal is not fulfilled in any of the program
Providers/Sector. learning outcomes. Hence, it is expected that graduates of this
• Business Goal-3: Cutting-edge facilities and equipment. program will not have the adequate competencies to deliver pro-
• Purpose: Adopt to new and advanced technology. fessional training not awareness programs to individuals. Table 7
• Issue: Coping with technological evolution. shows the bench-marking results.
• Theme (object): Cybersecurity Education and Training Pro- The benchmarking practice explored some shortcomings in the
grams’ Delivery Environment. UAEU master program. It was found that the program offered PLOs
• Viewpoint: Cybersecurity Education and Training that do not cover all cybersecurity workforce categories needed to
Providers/Sector. fulfill the nation’s NCSP. For example, a gap analysis study con-
• Business Goal-4: Cybersecurity research and innovation. ducted by Crumpler and Lewis (2019) indicated the urgent need
• Purpose: Pioneer cybersecurity innovation and contribute to for competent cybersecurity professionals to operate and maintain
its evolution. information technology infrastructure securely. This particular set
• Issue: Participation and exposure to cybersecurity innova- of competencies corresponds to various speciality areas that un-
tion and advanced research. dergo the ‘Operate and Maintain’ category of cybersecurity work-
• Theme (object): Cybersecurity Education and Training Pro- force framework. None of the PLOs in the MSc. in Information Se-
grams. curity emphasized on or introduced enrichment-related competen-
• Viewpoint: Cybersecurity Education and Training cies. Thus, this could be considered as another area for improve-
Providers/Sector. ment. In addition, PLOs delivered by the UAEU master program
were found to contribute significantly to defending more than de-
The requirements to achieve NCSP goals are interpreted into velopment and neglected enrichment competencies. Some of the
business goals. In this study, the business goals are improvements learning outcomes of the program are introduced to adhere to
to cybersecurity education and training programs. As a business national accreditation standards, such as PLO-5. Finally, PLO-6 is
goal, this will require the establishment of cybersecurity educa- found to be generic and does not specifically correspond to any
tion and training curricula improvement programs. These goals are specific cybersecurity workforce competency nor to the identified
tackled from various aspects, as described earlier. They are en- learning outcomes from GQO+Strategies approach. This learning

15
Table 6
GQO+Strateiges aApplication using NICE lexicon cybersecurity curricula alignment framework.

Goal Questions Learning Outcomes NICE Framework

Categories Speciality Areas

Development of secure digital What are the knowledge, Create secure information Securely Provision • Risk Management
and information technology skills, and competencies technology solutions • Software Development
infrastructures and services required to developed secure • Systems Architecture
constitutes of information • Systems Development
technology critical • Systems Requirements Planning
infrastructure? • Technology Research and
Development
• Testing and Evaluation
Operate and Maintain • System Analysis
Defending from sophisticated What does the cybersecurity Manage, lead, direct, develop Oversee and Govern • Cybersecurity Management
cyber threats professional workforce need to or advocate effective conduct • Executive Cyber leadership
know and do in order to of cybersecurity work. • Legal advise and advocacy
identify, classify, detect, and • Program/Project Management
govern security to withstand and Acquisition
sophisticated cyber threats? • Strategic Planning and Policy
• Training, Education, and
Awareness
Evaluate threats to IT systems Protect and Defend • Cyber Defense Analysis
and/or networks and mitigate • Cyber Defense Infrastructure
them. Support
• Incident Response
• Vulnerability Assessment and
Management
Perform a highly-specialized Analyze • All-Source Analysis
review and evaluation of • Exploitation Analysis
incoming cybersecurity • Language Analysis
information to determine its • Threat Analysis
usefulness for intelligence
What does the cybersecurity Supports specialized denial Collect and Operate • Collection Operations
professional workforce need to and deception operations and • Cyber Operations
learn in order to defend and collection of cybersecurity • Cyber Operational Planning
deter sophisticated cyber information that may be used
threats? to develop intelligence
Investigates cybersecurity Investigate • Cyber Investigation
events or crimes related to IT • Digital Forensics
systems, networks, and digital
evidence
What cybersecurity Provide necessary operational Operate and Maintain • Data Administration
competencies are required for and administration skills to • Knowledge Management
operating information ensure efficient and effective • Network Administration
technology infrastructure IT system performance and
securely? security
Collect and Operate • Collection Operations
• Cyber Operations
• Cyber Operational Planning
What cybersecurity Provide adequate maintenance Operate and Maintain • Customer Services and Technical
competencies are required for skills and competencies Support
securely maintaining necessary to ensure efficient • Network Services
information technology and effective IT system • System Analysis
infrastructures? performance and security
Enrichment of Individuals’ What are cybersecurity Conducts training of personnel Oversee and Governance • Training, Education, and
Cybersecurity Maturity and education, teaching, and within pertinent subject Awareness
Awareness training delivery knowledge, domain. Develops, plans,
skill sets, and competencies coordinates, delivers and/or
required for enriching the evaluates training courses,
awareness and maturity for methods, and techniques as
individuals? appropriate.
Addresses problems; installs, Operate and Maintain • Customer Services and Technical
configures, troubleshoots, and Support
provides maintenance and
training in response to
customer requirements or
inquiries. Provide initial
incident information to the
Incident Response (IR)
Specialty.
What are the cybersecurity Consolidation of the creation Multiple categories and • Several key-knowledge areas,
key-knowledge areas, skill of cyber ecosystem speciality areas skill sets, and competencies that
sets, and competencies might be selected from the
individuals must acquire to beginners or intermediate levels
combat cybercrimes and from various categories and
attacks? speciality areas.

16
Table 7
GOQ+Strategies learning application to improve cybersecurity program.

UAEU - MSc. Information Security Knowledge level GQO+Strategies Cybersecurity Learning NICE-Capability Improvement
PLOs (Blooms Taxonomy) Outcomes Category Indicator Goal

1- Apply information security Apply Manage, lead, direct, develop and/or Oversee & Intermediate Defending
knowledge and effective security advocate effective conduct of Govern
strategies and standards cybersecurity work.
2- Design effective security Create Create secure information technology Securely Advanced Development
solutions based on given solutions Provision
requirements.
3- Evaluate in-depth enterprise Evaluate Perform highly-specialized reviews and Analyze Advanced Defending
security systems evaluation of incoming cybersecurity
information to determine its usefulness
for intelligence
Supports specialized denial and deception Collect & Advanced Defending
operations and collections of Operate
cybersecurity information that may be
used to develop intelligence
Evaluate threats to IT systems and/or Protect & Advanced Defending
networks and mitigate them. Defend
Investigates cybersecurity events or Investigate Advanced Defending
crimes related to IT systems, networks,
and digital evidence
4- Execute ethically project work Create Create secure information technology Securely Advanced Development
or research that contributes solutions. Provision
significantly to the information
security discipline.
5- Demonstrate advanced oral and Apply Not Applicable Not Applicable Not Applicable Not
written communication skills Applicable
individually and collectively
6- Analyze critically emerging Analyze Not Applicable Not Applicable Not Applicable Not
information security concepts, Applicable
models, techniques, and solutions.
Not Applicable Not Applicable Provide necessary operational and Operate and Advanced Defending
administrative skills to ensure efficient Maintain
and effective IT system performance and
security
Not Applicable Not Applicable Provide adequate maintenance skills and Operate and Advanced Defending
competencies necessary to ensure efficient Maintain
and effective IT system performance and
security
Not Applicable Not Applicable Addresses problems, and installs, Operate and Advanced Enrichment
configures, troubleshoots, and provides Maintain
maintenance and training in response to
customer requirements or inquiries.
Provide initial incident information to the
Incident Response (IR) specialty.
Not Applicable Not Applicable Conducts training of personnel within Oversee and Advanced Enrichment
pertinent subject domains. Develops, Governance
plans, coordinates, delivers and/or
evaluates training courses, methods, and
techniques as appropriate.

outcome was placed to assure dynamic compliance and to cope process. At this point, detailed learning outcomes mapped to their
with new and emerging UAE-NCSP mandates. corresponding cybersecurity workforce framework categories and
speciality areas are illustrated and become more specific. The un-
7. Discussion derlying objective of this paradigm is to ease the process of map-
ping the high-level cybersecurity strategic goals to the improve-
The NICE framework elaborates on various cybersecurity work- ment initiatives of cybersecurity education and training using cy-
force competency categories and specialty areas, as well as their bersecurity workforce lexica. Hence, consolidating the achievement
corresponding knowledge, skill sets, and level (Daimi and Fran- of the NCSP.
cia III, 2020; Dawson et al., 2019; Petersen et al., 2020). Three main Similarly, being able to defend against cyber threats by devel-
levels were determined according to cybersecurity workforce pro- oping appropriate countermeasures to detect and deter them is a
ficiency or capability indicators: Beginner, Intermediate, and Ad- key characteristic on its own. Therefore, defence-related cyberse-
vanced. curity speciality areas are considered as the second strategic goal.
The development of secure digital and information technology Due to its significant influences, this goal was the subject of our
infrastructures and services is identified as one of the cybersecu- study and the basis for revising cybersecurity education and train-
rity improvement program goals. This goal was characterized by ing programs’ curricula for improvement.
a set of questions and contributes to the supply of professional Enrichment of individuals awareness to create a mature soci-
cybersecurity competencies by enabling them to develop, operate, ety to withstand against cybercrimes and cyberattacks is vital to
and maintain critical infrastructures and services securely. Identi- national sustainability and the establishment of a cyber ecosys-
fying adequate learning outcomes to include in cybersecurity ed- tem. This strategic goal influences the design of cybersecurity ed-
ucation and training program curricula is the final stage of this ucation and training programs significantly. For instance, learning

17
outcomes consolidating the achievement of this strategic goal shall CRediT authorship contribution statement
enable cybersecurity to:
Saleh AlDaajeh: Conceptualization, Methodology, Writing –
• Assuring that skills are acquired for cybersecurity education, original draft. Heba Saleous: Conceptualization, Methodology,
teaching, teaching methods evaluation, and training delivery. Writing – original draft. Saed Alrabaee: Supervision, Writing –
• Defining the set and level of key-knowledge areas, skill sets, original draft. Ezedin Barka: Writing – review & editing. Frank
and competencies required to withstand and combat cyberse- Breitinger: Writing – review & editing. Kim-Kwang Raymond
curity crimes and attacks. Choo: Writing – review & editing.
• Continuously evolving cybersecurity awareness programs for ef-
fectiveness and updates.

We have found that the achievement of cybersecurity strategic Appendix A. BSC Application on NCSP Alignment with
goals for the enrichment of individuals and communities maturity Cybersecurity Curricula Improvement
and awareness on cyber crime and attacks requires mapping vari-
ous key-knowledge areas, skills sets, and competencies from mul- This study is primarily focused on the academic context, in par-
tiple categories and speciality areas. More importantly, by studying ticular, improving cybersecurity education and training programs’
the levels of these aspects for mature awareness on cyber crime curricula by aligning it to national cybersecurity strategy. Hence,
and attacks, we recommended training providers to refer to the support the achievement of NCSP. Each of the BSC perspectives will
NICE framework capabilities indicator to select the most appropri- be addressed by a set of questions amended to the context of this
ate level for cybersecurity learners. study. Figure A.4 depicts the BSC approach and its four perspec-
tives (Kaplan et al., 2004).
8. Conclusions The question addressing the finance perspective of the cyberse-
curity strategic maps would be ‘How a cybersecurity program suc-
In this paper, we reviewed a sample of NCSPs from world- cess is measured by stakeholders?’. This would include any activity
leading countries from different regions around the world: US, UK, that contributes to the financial growth/sustainability within and
EU, Russian Federation, China, Australia, ASEAN, UAE, and Switzer- outside the academic/training institution. The primary customer in
land. Observations from the review include the lack of profession- this context is the cybersecurity learner / students. In this case,
ally trained cybersecurity specialists and the need to design cyber- the question to address the second perspective - customer’s per-
security programs that align with international best practices. We spective - would be ‘What values does the cybersecurity program
also reviewed cybersecurity education improvement initiatives and provide to learners’ experiences?’.
efforts for attracting students, dynamic revisions of cybersecurity The third perspective ‘internal processes’ refers to the core-
curricula, and the consolidation of achievements of national cy- business processes of the program, and operational excellence; es-
bersecurity strategic goals. These achievements were reviewed by tablishing an unique education and training environment; ade-
aligning cybersecurity education curricula improvement initiatives. quately delivering proposed outcomes; and compliance with na-
We then proposed a GQO+Strategies paradigm that draws upon tional and international accreditation standards. The question ad-
the NICE framework and Blooms’ taxonomy, and demonstrated dressing the third perspective ‘internal processes’ would be asked
how it can be applied using the MSc. in Information Security pro- as ‘What core business processes does cybersecurity education and
gram at the UAEU as a case study. Implementing this paradigm has training programs have to be good at?’. The fourth perspective of
shown that our method is effective when determining areas of im- the strategy mapping BSC is the ‘knowledge and growth’. Knowl-
provement for an academic cybersecurity program. edge and growth of cybersecurity education and training program
would be addressed by asking the question ‘What knowledge man-
Declaration of Competing Interest agement practices to implement and professional development ac-
tivities that would contribute to the development and optimization
The authors declare that they have no known competing finan- of the cybersecurity program?’. Tables A.8, A.9, A.10, and A.11 illus-
cial interests or personal relationships that could have appeared to trate an application example for mapping cybersecurity strategies
influence the work reported in this paper. to cybersecurity education and training programs using the BSC

Fig. A1. BSC and its four perspectives: Alignment of strategic goals to business activities.

18
Table A1
BSC application on aligning cybersecurity strategies to cybersecurity education program: Finance perspective.

Strategy Definition Institute Academic Expectations Academic Objectives Specific Deliverable

Activities that would contribute to • Program committees influencing • Maximize involvement in • Industry and research committee
financial gain financial gain. committees influencing financial • National research and development
• Grants and scholarships growth/sustainability of support for cybersecurity
• Research proposals in cybersecurity organization (e.g. research • Research proposals in cybersecurity
domains committee, recruitment committee). domains
• Student capacity and retention rates • International students recruitment
• International students recruitment improvement program
• Balanced work-load among faculty • Industrial partnerships and external
members fund
• Alignment with national cybersecurity • Organizing and hosting international
agenda events

Table A2
BSC application on aligning cybersecurity strategies to cybersecurity education program: Students’ experience perspective.

Strategy Definition Institute Academic Expectations Academic Objectives Specific Deliverable

Refers to the value proposition for • Students involvement in cybersecurity • Curricula revision to align to NCSP • State-of-the-art curriculum
students’ experience research activities • Student professional development • Cutting-edge facilities and IT
• State-of-the-art practice experiences in programs laboratories
cybersecurity discipline. • Student participation in research • Student publications, conferences,
• Students’ enrichment programs and scholarly activities clubs, and journals

Table A3
BSC application on aligning cybersecurity strategies to cybersecurity education program: Internal processes perspective.

Strategy Definition Institute Academic Expectations Academic Objectives Specific Deliverable

Refers to the ’core business’ • New courses and revision of learning • Complying with accreditation • Faculty members contribution to
processes of cybersecurity outcomes standards cybersecurity course delivery.
program and operational • New teaching and delivery techniques, • Implementing a faculty promotion • Foundation courses are allocated to
excellence, building education methods, and approaches policy and system novice faculty members.
and training delivery, or • Program self-evaluation techniques, • Program self-evaluation techniques, • Rotate faculty members on different
research platform through methods, and approaches methods, and approaches program services committees
innovations • Faculty teaching load distribution and • Faculty involvement in curricula • Faculty professional development
planning improvement initiatives and support programs.
• New assessment and progress
evaluation tools

Table A4
BSC application on aligning cybersecurity strategies to cybersecurity education program: Knowledge and growth perspective.

Strategy Definition Institute Academic Expectations Academic Objectives Specific Deliverable

Activities that shall contribute to • Cybersecurity program knowledge • Data and information management • Emerging teaching methods using
the development and management policies and system systems technology (e.g., virtual distance
optimization of cybersecurity • Automated tools and systems for • Faculty conferences, journal teaching).
program delivery, research, and knowledge sharing, storing, and publications, training and • Faculty orientation on Intellectual
professional development retrieval professional workshops property laws and regulations.
• Encourage faculty members’ • Knowledge sharing, ethics, rules, • Knowledge management system
collaboration in research projects and regulations improvement program.
• Support faculty members to organize • Support faculty members to
and bid for international conferences organize and bid for international
• Internal clubs and publications conferences.
• Internal clubs and publications.

four perspectives: finance, students’ experience, Internal Processes First International Symposium on Empirical Software Engineering and Measure-
and knowledge and growth respectively. ment (ESEM 2007). IEEE, pp. 488–490.
Basili, V.R., Selby, R.W., 1984. Data collection and analysis in software research and
management. Proceedings of the American Statistical Association and Biomea-
References sure Society 13–16.
Basili, V.R., Weiss, D.M., 1984. A methodology for collecting valid software engineer-
ing data. IEEE Trans. Software Eng. 728–738.
Adamson, K., 2019. Strategy mapping: An essential tool for new academic faculty
Beuran, R., Chinen, K.-i., Tan, Y., Shinoda, Y., 2016. Towards effective cybersecurity
- faculty focus | higher ed teaching & learning. https://www.facultyfocus.com/
education and training. Technical Report. Japan Advanced Institute of Science
articles/faculty-development/strategy- mapping- an- essential- tool- for- new-
and Technology.
academic-faculty/. (Accessed on 07/21/2021).
Booz, H.Allen, 2017. The 2017 (isc) 2 global information security workforce study.
Ahmed, I., Roussev, V., 2018. Peer instruction teaching methodology for cybersecu-
Center for Cyber safety and Education ISC2.
rity education. IEEE Security & Privacy 16 (4), 88–91.
Breitinger, F., Tully-Doyle, R., Przyborski, K., Beck, L., Harichandran, R.S., 2021. First
de Almeida Ribeiro, J., Ladeira, M.B., de Faria, A.F., Barbosa, M.W., 2021. A reference
year students’ experience in a Cyber World course–an evaluation. Education and
model for science and technology parks strategic performance management: an
Information Technologies 26 (1), 1069–1087.
emerging economy perspective. J. Eng. Tech. Manage. 59, 101612.
Cabaj, K., Domingos, D., Kotulski, Z., Respício, A., 2018. Cybersecurity education: evo-
Alsmadi, I., Easttom, C., 2020. The NICE Cyber Security Framework. Springer.
lution of the discipline and analysis of master programs. Computers & Security
Alsmadi, I., Zarour, M., 2018. Cybersecurity programs in saudi arabia: Issues and rec-
75, 24–35.
ommendations. In: 2018 1st International Conference on Computer Applications
Caldiera, V.R.B.G., Rombach, H.D., 1994. The goal question metric approach. Encyclo-
& Information Security (ICCAIS). IEEE, pp. 1–5.
pedia of software engineering 528–532.
Basili, V., Heidrich, J., Lindvall, M., Munch, J., Regardie, M., Trendowicz, A., 2007.
Cao, P.Y., Ajwa, I.A., 2016. Enhancing computational science curriculum at liberal
Gqm+ strategies–aligning business strategies with software measurement. In:

19
 arts institutions: a case study in the context of cybersecurity. Procedia Comput Jin, G., Tu, M., Kim, T.-H., Heffron, J., White, J., 2018. Evaluation of game-based learn-
Sci 80, 1940–1946. ing in cybersecurity education for high school students. Journal of Education
Cheung, R.S., Cohen, J.P., Lo, H.Z., Elia, F., 2011. Challenge based learning in cyber- and Learning (EduLearn) 12 (1), 150–158.
security education. In: Proceedings of the International Conference on Secu- Kam, H.-J., Katerattanakul, P., 2014. Diversifying cybersecurity education: A
rity and Management (SAM). The Steering Committee of The World Congress non-technical approach to technical studies. In: 2014 IEEE Frontiers in Educa-
in Computer Science, Computer Ǫ, p. 1. tion Conference (FIE) Proceedings. IEEE, pp. 1–4.
Choong, K.K., Islam, S.M., 2020. A new approach to performance measurement using Kaplan, R.S., Kaplan, R.E., Norton, D.P., Davenport, T.H., Norton, D.P., et al., 2004.
standards: a case of translating strategy to operations. Operations Management Strategy maps: Converting intangible assets into tangible outcomes. Harvard
Research 13 (3), 137–170. Business Press.
Cobb, S., 2016. Mind this gap: Criminal hacking and the global cybersecurity skills Katerattanakul, P., Kam, H.-J., 2019. Enhancing student learning in cybersecurity ed-
shortage, a critical analysis. In: Virus Bulletin Conference, pp. 1–8. ucation using an out-of-class learning approach. Journal of Information Technol-
Commission of Academic Accreditation- Ministry of Education, 2019. Standards for ogy Education: Innovations in Practice 18 (1), 29–47.
Institutional Licensure and Program Accreditation in UAE December 2019. 2020 Kopecka, N., 2015. The balanced scorecard implementation, integrated approach and
(accessed May 9, 2020). the quality of its measurement. Procedia Economics and Finance 25, 59–69.
Crick, T., Davenport, J.H., Irons, A., Prickett, T., 2019. A uk case study on cybersecu- Kreider, C., Almalag, M., 2019. A framework for cybersecurity gap analysis in higher
rity education and accreditation. arXiv preprint arXiv:1906.09584. education. SAIS 2019 Proceedings 6.
Crumpler, W., Lewis, J.A., 2019. Cybersecurity Workforce Gap. Center for Strategic Li, C., Kulkarni, M.R., 2016. Survey of cybersecurity education through gamification.
and International Studies (CSIS). 2016 ASEE Annual Conference & Exposition.
Daimi, K., Francia III, G., 2020. Innovations in Cybersecurity Education. Springer. Lilly, B., Cheravitch, J., 2020. The past, present, and future of Russia’s cyber strategy
Daricili, A.B., Özdal, B., 2018. Analysis of the cyber security strategies of people’s and forces. In: 2020 12th International Conference on Cyber Conflict (CyCon),
republic of china. Security Strategies Journal 14 (28). Vol. 1300. IEEE, pp. 129–155.
Dawson, M., Taveras, P., Taylor, D., 2019. Applying software assurance and cyberse- Luallen, M.E., Labruyere, J.-P., 2013. Developing a critical infrastructure and control
curity nice job tasks through secure software engineering labs. Procedia Comput systems cybersecurity curriculum. In: 2013 46th Hawaii International Confer-
Sci 164, 301–312. ence on System Sciences. IEEE, pp. 1782–1791.
De Inovação, S.P., 2018. Overview of Cybersecurity Status in ASEAN and the EU. Maleh, Y., Shojafar, M., Alazab, M., Romdhani, I., 2020. Blockchain for cybersecurity
2018. Technical Report. European Union Horizon’s 2020 Research and Innova- and privacy: architectures, challenges, and applications. CRC Press.
tion Program. Marquardson, J., Elnoshokaty, A., 2020. Skills, certifications, or degrees: what com-
ENISA, 2020. The European Union agency for cybersecurity. [Online]. Available at: panies demand for entry-level cybersecurity jobs. Information Systems Educa-
https://www.enisa.europa.eu/about-enisa. tion Journal 18 (1), 22–28.
Evans, K., Reeder, F., 2010. A human capital crisis in cybersecurity: Technical profi- McGettrick, A., 2013. Toward effective cybersecurity education. IEEE Security & Pri-
ciency matters. CSIS. vacy 11 (6), 66–68.
Federal IT Steering Unit (FITSU), 2018. National strategy for the protection of Ministry of Education- UAE, 2015. Ministry of Education: K-12 Computer Science
Switzerland against cyber risks 2018–2022. [Online]. Available at: https: and Technology Standards. Accessed October 9, 2020.
//www.ncsc.admin.ch/dam/ncsc/en/dokumente/strategie/Nationale_Strategie_ Ministry of Public Safety and Emergency Preparedness of Canada, 2019. Na-
Schutz_Schweiz_vor_Cyber-Risiken_NCS_2018-22_EN.pdf.download.pdf/ tional cyber security action plan 2019–2024 of canada. [Online]. Available
Nationale_Strategie_Schutz_Schweiz_vor_Cyber-Risiken_NCS_2018-22_EN.pdf. at: https://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/ntnl- cbr- scrt- strtg- 2019/
Gestwicki, P., Stumbaugh, K., 2015. Observations and opportunities in cybersecurity ntnl- cbr- scrt- strtg- 2019- en.pdf.
education game design. In: 2015 Computer Games: AI, Animation, Mobile, Mul- Mislan, R.P., Wedge, T., 2016. Designing laboratories for small scale digital device
timedia, Educational and Serious Games (CGAMES). IEEE, pp. 131–137. forensics. Annual ADFSL Conference on Digital Forensics, Security, and Law.
Ghafir, I., Saleem, J., Hammoudeh, M., Faour, H., Prenosil, V., Jaf, S., Jabbar, S., Moraga, J.A., Quezada, L.E., Palominos, P.I., Oddershede, A.M., Silva, H.A., 2020. A
Baker, T., 2018. Security threats to critical infrastructure: the human factor. J quantitative methodology to enhance a strategy map. Int. J. Prod. Econ. 219,
Supercomput 74 (10), 4986–5002. 43–53.
Goldstein, J.C., 2020. Strategy maps: the middle management perspective. Journal of National Security Agency, Department of Homeland Security, 2020. National centers
Business Strategy. of academic excellence in cyber defense education program (CAE-CDE): Criteria
Gorham, M., 2019. Internet Crime Report - Annual Report 2019. Technical Report. for measurement - bachelor, master, and doctoral level.
Federal Bureau of Investigation (FBI-IC3), USA. Nautiyal, L., Rashid, A., Hallett, J., Shreeve, B., K, M., E, C., H, C., 2022. The united
Govan, M., 2016. The application of peer teaching in digital forensics education. kingdoms cyber security degree certification program: a cyber security body of
Higher Education Pedagogies 1 (1), 57–63. knowledge case study. IEEE Security Privacy 20 (1), 87–95. doi:10.1109/MSEC.
Government of Australia, Department of Home Affairs, 2020. Australia cyber se- 2021.3127845.
curity strategy 2020. [Online]. Available at: https://www.homeaffairs.gov.au/ NeSmith, B., 2018. Council post: The cybersecurity talent gap is an industry cri-
cyber- security- subsite/files/cyber- security- strategy- 2020.pdf. sis. [Online]. Available at: https://www.forbes.com/sites/forbestechcouncil/?sh=
Gui, G., Liu, M., Tang, F., Kato, N., Adachi, F., 2020. 6G: Opening new horizons for 70d45011649b.
integration of comfort, security and intelligence. IEEE Wireless Commun.. Newhouse, W., Keith, S., Scribner, B., Witte, G., 2017. National initiative for cyberse-
Guo, L., Ye, J., Du, L., 2020. Cyber-physical security of energy-efficient power- curity education (nice) cybersecurity workforce framework. [Online]. Available
train system in hybrid electric vehicles against sophisticated cyber-attacks. IEEE at: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-181.pdf.
Trans. Transp. Electrif.. Nurse, J.R., Adamos, K., Grammatopoulos, A., Di Franco, F., 2021. Addressing the eu
Hajizadeh, M., Afraz, N., Ruffini, M., Bauschert, T., 2020. Collaborative cyber attack cybersecurity skills shortage and gap through higher education. European Union
defense in SDN networks using blockchain technology. In: 2020 6th IEEE Con- Agency for Cybersecurity (ENISA) Report.
ference on Network Softwarization (NetSoft). IEEE, pp. 487–492. Olano, M., Sherman, A., Oliva, L., Cox, R., Firestone, D., Kubik, O., Patil, M., Sey-
Hakak, S., Khan, W.Z., Imran, M., Choo, K.R., Shoaib, M., 2020. Have you been a mour, J., Sohn, I., Thomas, D., 2014. Securityempire: development and evaluation
victim of covid-19-related cyber incidents? survey, taxonomy, and mitigation of a digital game to promote cybersecurity education. 2014 USENIX Summit on
strategies. IEEE Access 8, 124134–124144. Gaming, Games, and Gamification in Security Education (3GSE 14).
Hallett, J., Larson, R., Rashid, A., 2018. Mirror, mirror, on the wall: what are we Oliveira, C., Martins, A., Camilleri, M.A., Jayantilal, S., 2021. Using the balanced score-
teaching them all? characterising the focus of cybersecurity curricular frame- card for strategic communication and performance management. In: Strate-
works. 2018 USENIX Workshop on Advances in Security Education ASE 18). gic Corporate Communication in the Digital Age. Emerald Publishing Limited,
Haney, J.M., Lutters, W.G., 2021. Cybersecurity advocates: discovering the pp. 78–87.
characteristics and skills of an emergent role. Information & Computer Pakdaman, M., Abbasi, A., Sankaran, S., 2021. Translating organisational strategies to
Security. projects using balanced scorecard and AHP: a case study. International Journal
Harris, M.A., et al., 2019. Using bloom’s and webb’s taxonomies to integrate emerg- of Project Organisation and Management 13 (2), 111–134.
ing cybersecurity topics into a computic curriculum. Journal of Information Sys- Pattanayak, A., Best, D.M., Sanner, D., Smith, J., 2018. Advancing cybersecurity edu-
tems Education 26 (3), 4. cation: pink elephant unicorn. In: Proceedings of the Fifth Cybersecurity Sym-
Herjavec, 2019. 2019 official annual cybercrime report. posium, pp. 1–7.
HM-Government - The Rt Hon Steve Barclay MP Chancellor of the Duchy of Patterson, W., Winston, C.E., Fleming, L., 2016. Behavioral cybersecurity: a needed
Lancaster and Minister for the Cabinet Office, 2022. Uk national cyber strat- aspect of the security curriculum. In: SoutheastCon 2016. IEEE, pp. 1–7.
egy 2022–2025. https://assets.publishing.service.gov.uk/government/uploads/ Petersen, R., Santos, D., Smith, M., Witte, G., 2020. Workforce Framework for Cy-
system/uploads/attachment_data/file/1053023/national- cyber- strategy- amend. bersecurity (NICE Framework). Technical Report. National Institute of Standards
pdf. (Accessed on 03/20/2022). and Technology.
Hranický, R., Breitinger, F., Ryšavý, O., Sheppard, J., Schaedler, F., Morgenstern, H., Pranggono, B., Arabo, A., 2020. Covid-19 pandemic cybersecurity issues. Internet
Malik, S., 2021. What do incident response practitioners need to know? a Technology Letters.
skillmap for the years ahead. Forensic Science International: Digital Investiga- Przyborski, K., Breitinger, F., Beck, L., Harichandran, R.S., 2019. ‘Cyber-
tion 37, 301184. doi:10.1016/j.fsidi.2021.301184. https://www.sciencedirect.com/ World’ as a theme for a university-wide first-year common course. 2019
science/article/pii/S26662817210 0 0925 ASEE Annual Conference & Exposition (Presented at Cyber Technology)
IEEE Computer Society, ACM, 2017. Cybersecurity curricula 2017: Curriculum guide- https://peer.asee.org/31923.
lines for post-secondary degree programs in cybersecurty. Qian, K., Lo, C.-T.D., Guo, M., Bhattacharya, P., Yang, L., 2012. Mobile security labware
Irons, A., Savage, N., Maple, C., Davies, A., Turley, L., 2016. Cybersecurity learning. with smart devices for cybersecurity education. In: IEEE 2nd Integrated STEM
[Online]. Available at: https://www.bcs.org/content- hub/cybersecurity- learning/. Education Conference. IEEE, pp. 1–3.

20
Quezada, L.E., Aguilera, D.E., Palominos, P.I., Oddershede, A.M., 2021. An anp model Heba Saleous (PhD Student - Information Systems and Security) holds a B.Sc. in
to generate performance indicators for manufacturing firms under a balanced Computer Engineering from the American University of Sharjah in the United Arab
scorecard approach. Eng. Manage. J. 1–15. Emirates (UAE) and an M.Sc. in Information Security from the UAE University. She is
Raj, R.K., Parrish, A., 2018. Toward standards in undergraduate cybersecurity educa- currently an Information Security PhD candidate in UAE University under the super-
tion in 2018. Computer (Long Beach Calif) 51 (2), 72–75. vision of Dr. Marton Gergely. Her research interests include digital forensics, mal-
Sabillon, R., 1993. Cyber Security Auditing, Assurance, and Awareness Through ware, network security, security policies, and cybersecurity education. She is cur-
CSAM and CATRAM. IGI Global Information Science, USA. rently working to improve digital forensics education.
Santos, H., Pereira, T., Mendes, I., 2017. Challenges and reflections in designing cy-
ber security curriculum. In: 2017 IEEE World Engineering Education Conference Saed Alrabaee is currently an Assistant Professor at the department of Informa-
(EDUNINE). IEEE, pp. 47–51. tion Systems and Security in UAEU. Prior to joining UAEU, Dr. Alrabaee was a vis-
Sapolu, K., Haruna, S., Koyabe, M., Tambeayuk, F., Rigoni, A., Obiso, M., Weisser, C., iting assistant professor at the department of Electrical and Computer Engineering
Ciglic, K., Kaska, K., Silfversten, E., Satola, D., Sergeant, S., Barayre, C., 2018. and Computer Science at the University of New Haven (UNH), US. He is also a per-
Guide to developing a national cybersecurity strategy: Strategic engagement in manent research scientist at the Security Research Center, CIISE, Concordia Univer-
cybersecurity. Technical Report. International Telecommunication Union. sity, Canada. Dr. Alrabaee holds a Ph.D. degree in information system engineering
Sharevski, F., Trowbridge, A., Westbrook, J., 2018. Novel approach for cybersecu- from Concordia University in Montreal, Canada. His research and development ac-
rity workforce development: a course in secure design. In: 2018 IEEE Integrated tivities and interests focus on the broad area of reverse engineering, including, bi-
STEM Education Conference (ISEC). IEEE, pp. 175–180. nary authorship attribution and characterization, and malware investigation. In this
Shoemaker, D., Davidson, D., Conklin, A., 2017. Toward a discipline of cyber secu- domain, Dr Saed has published more than 30 articles in top tier journals and in
rity: some parallels with the development of software engineering education. prestigious conferences.
EDPACS 56 (5–6), 12–20.
Speckbacher, G., Bischof, J., Pfeiffer, T., 2003. A descriptive analysis on the imple-
mentation of balanced scorecards in german-speaking countries. Management Ezedin Barka is currently an Associate Professor at the United Arab Emirate Uni-
accounting research 14 (4), 361–388. versity. He received his Ph.D. in Information Technology from George Mason Uni-
Stange, M., Tang, C., Tucker, C., Servine, C., Geissler, M., 2019. Cybersecurity associate versity, Fairfax, VA in 2002, where he was a member of the Laboratory for Informa-
degree program curriculum. In: 2019 IEEE International Symposium on Tech- tion Security Technology (LIST). His current research interests include Access Con-
nologies for Homeland Security (HST). IEEE, pp. 1–5. trol, where he published a number of papers addressing delegation of rights using
Straub, J., 2018. Assessment of the educational benefits produced by peer learning RBAC. Other research areas include Digital Rights Management (DRM), Large-scale
activities in cybersecurity. 126th Annual Conference & Exposition. security architectures and models, Trust management, Security in UAVs, and Net-
Švábenskỳ, V., Čeleda, P., Vykopal, J., Brišáková, S., 2021. Cybersecurity knowledge work “Wired & Wireless” and distributed systems security. Dr. Barka has published
and skills taught in capture the flag challenges. Computers & Security 102, over 50 Journals and conference papers. Dr. Barka is an IEEE member, member of
102154. the IEEE Communications Society and member of the IEEE Communications & Infor-
The White house, Washington DC, 2018. National cyber strategy of the united states mation Security Technical Committee (CISTC). He serves on the technical program
of america. [Online]. Available at: https://www.whitehouse.gov/wp-content/ committees of many international IEEE conferences such as ACSAC, GLOBECOM, ICC,
uploads/2018/09/National- Cyber- Strategy.pdf. WIMOB, and WCNC. In addition, he has been a reviewer for several international
Thomas, L.J., Balders, M., Countney, Z., Zhong, C., Yao, J., Xu, C., 2019. Cybersecurity journals and conferences.
education: From beginners to advanced players in cybersecurity competitions.
In: 2019 IEEE International Conference on Intelligence and Security Informatics Frank Breitinger is an Associate Professor for Digital Forensic Science at the
(ISI). IEEE, pp. 149–151. University of Lausanne (CH). Before, he was an Assistant Professor at the Hilti
Thompson, M.F., Irvine, C.E., 2018. Individualizing cybersecurity lab exercises with Chair for Data and Application Security of the University Liechtenstein (6/2019
labtainers. IEEE Security & Privacy 16 (2), 91–95. to 4/2021) and at the University of New Haven (CT, US; 08/2014 to 08/2019)
Trilling, R., 2018. Creating a new academic discipline: Cybersecurity management where he also acted as the co-director of the University of New Haven Cyber
education. In: Proceedings of the 19th Annual SIG Conference on Information Forensics Research and Education Group (UNHcFREG,https://eur03.safelinks.
Technology Education, pp. 78–83. protection.outlook.com/?url=http%3A%2F%2Fwww.unhcfreg.com%2F&data=04%
UAE - Telecommunication Regulatory Authority, 2019. UAE national cyberse- 7C01%7Csalrabaee%40uaeu.ac.ae%7C0b50cffd6b22460011cb08d8f9e660c0%
curity strategy 2019. [Online]. Available at: https://u.ae/en/about- the- uae/ 7C97a92b044c8743419b08d8051ef8dce2%7C0%7C0%7C637534116383041468%
strategies- initiatives- and- awards/federal- governments- strategies- and- plans/ 7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik
national- cybersecurity- strategy- 2019. 1haWwiLCJXVCI6Mn0%3D%7C20 0 0&sdata=L2ar8afDe9yKuKKAktrVplGhiWo
UK (H.M) Government, 2016. National cybersecurity strategy 2016–2021. [On- 1Skb%2BoDc%2BTfg2gJE%3D&reserved=0). His teaching and research interests
line]. Available at: https://assets.publishing.service.gov.uk/government/uploads/ are cybersecurity and digital forensics. Additional information about him and
system/uploads/attachment_data/file/567242/national_cyber_security_strategy_ his work is on his website (https://eur03.safelinks.protection.outlook.com/?url=
2016.pdf. https%3A%2F%2Fwww.fbreitinger.de%2F&data=04%7C01%7Csalrabaee%40uaeu.
United Arab Emirates University, 2021. Master of science in informa- ac.ae%7C0b50cffd6b22460011cb08d8f9e660c0%7C97a92b044c8743419b08d8051ef8
tion security. https://www.uaeu.ac.ae/en/catalog/graduate/programs/ dce2%7C0%7C0%7C637534116383041468%7CUnknown%7CTWFpbGZsb3d8eyJWIjoi
master- of- science- in- information- security.shtml. (Accessed on 08/01/2021). MC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C20 0 0
United Nations Institute for Disarmament Research, 2017. Cyber Policy Portal - Rus- &sdata=nabqC8DaZUYZ%2F04R44qJQdI54e3D8NKk5M9VkAtzopk%3D&
sian Federation. Technical Report. United Nations Institute for Disarmament Re- reserved=0).
search.
Urquía-Grande, E., Lorain, M.-A., Rautiainen, A.I., Cano-Montero, E.I., 2021. Balance Kim-Kwang Raymond Choo received the Ph.D. in Information Security in 2006
with logic-measuring the performance and sustainable development efforts of from Queensland University of Technology, Australia. He currently holds the Cloud
an npo in rural ethiopia. Eval Program Plann 87, 101944. Technology Endowed Professorship at The University of Texas at San Antonio
Wei, W., Mann, A., Sha, K., Yang, T.A., 2016. Design and implementation of a multi– (UTSA). He serves as the Department Editor of IEEE Transactions on Engineering
facet hierarchical cybersecurity education framework. In: 2016 IEEE Conference Management, and the Associate Editor of IEEE Transactions on Dependable and Se-
on Intelligence and Security Informatics (ISI). IEEE, pp. 273–278. cure Computing, and IEEE Transactions on Big Data. He is an ACM Distinguished
Yee-Ching, L. C., Shih-Jen, K. H., 1999. The use of balanced scorecard in canadian Speaker and IEEE Computer Society Distinguished Visitor (2021 - 2023), and in-
hospitals. cluded in Web of Science’s Highly Cited Researcher in the field of Cross-Field -
Yuan, D., 2017. Design and develop hands on cyber-security curriculum and labora- 2020. He is named the Cybersecurity Educator of the Year - APAC (Cybersecurity
tory. In: 2017 Computing Conference. IEEE, pp. 1176–1179. Excellence Awards are produced in cooperation with the Information Security Com-
Zahed, B.T., White, G., Quarles, J., 2019. Play it safe: An educational cyber safety munity on LinkedIn) in 2016, and in 2015 he and his team won the Digital Foren-
game for children in elementary school. In: 2019 11th International Confer- sics Research Challenge organized by Germany’s University of Erlangen-Nuremberg.
ence on Virtual Worlds and Games for Serious Applications (VS-Games). IEEE, He is the recipient of the 2019 IEEE Technical Committee on Scalable Comput-
pp. 1–4. ing Award for Excellence in Scalable Computing (Middle Career Researcher), the
Zeng, Z., Deng, Y., Hsiao, I., Huang, D., Chung, C.-J., 2018. Improving student learning 2018 UTSA College of Business Col. Jean Piccione and Lt. Col. Philip Piccione En-
performance in a virtual hands-on lab system in cybersecurity education. In: dowed Research Award for Tenured Faculty, the British Computer Society’s 2019
2018 IEEE Frontiers in Education Conference (FIE). IEEE, pp. 1–5. Wilkes Award Runner-up, the 2014 Highly Commended Award by the Australia New
Zealand Policing Advisory Agency, the Fulbright Scholarship in 20 09, the 20 08 Aus-
Saleh H. AlDa’ajeh received the B.S. degree in computer science from University of tralia Day Achievement Medallion, and the British Computer Society’s Wilkes Award
Petra, Amman, Jordan, in 2007 and his MSc. degree in software engineering from in 2008. He has also received best paper awards from the IEEE Consumer Electron-
the Blekinge Institute of Technology, Karlskrona, Sweden, in 2010. He is currently ics Magazine for 2020, EURASIP Journal on Wireless Communications and Network-
pursuing the Ph.D. degree in Information Security at the United Arab Emirates ing in 2019, IEEE TrustCom 2018, and ESORICS 2015; the Korea Information Process-
University, College of Information Technology, AlAin, UAE. From 2010 to 2016, he ing Society’s Journal of Information Processing Systems (JIPS) Outstanding Research
worked as a senior lecturer and curriculum developer for the Information Security Award (Most-cited Paper) for 2020 and Survey Paper Award (Gold) in 2019; the IEEE
Engineering Technology department, AD Polytechnic, Abu Dhabi, UAE. His research Blockchain 2019 Outstanding Paper Award; and Best Student Paper Awards from In-
interest are in the areas of Information security with focus on Reverse Engineer- scrypt 2019 and ACISP 2005.
ing, Reliability of Internet of Things, and Dependability Engineering in safety-critical
systems. Saleh AlDaajeh is an IEEE member.

21