Mitigating the cyber security skills shortage: The influence of national skills competitions on cyber security interest
Lead Research Organisation:
University of Oxford
Department Name: Education
Abstract
There is a shortage of cyber security professionals in the current labour market, which is detrimental to countries' economic development and national security. Governments have attempted to deal with this issue by designing policies targeting both the supply and demand of cyber security skills. Among these policies, national cyber security skills competitions (NCSSCs) have been widely implemented to increase the pipeline of students entering the cyber security labour market. However, scientific studies on these interventions are scarce, and many questions are still unanswered: How do participants develop an interest in cyber security before joining a NCSSC? Do NCSSCs influence participants' interest in cyber security as a topic and as a career? What factors contribute the most to influence their interest? By answering these questions, this thesis aims to discuss the role of national skills competitions as a public policy to mitigate the lack of cyber security workers.
This research used the Italian NCSSC, the CyberChallenge.IT (CCIT), as a case study as it is the skills competition in Europe that provides cyber security training to the largest number of participants. This research employed a before and after design, collecting data from non-randomised comparison groups. Data were gathered following a mixed-method approach: quantitative data were collected through two online surveys and qualitative data through 50 interviews with competition participants.
This study found that CCIT students became interested in cyber security through a mix of "triggers," most notably curiosity, formal and informal coursework, and the CCIT itself. Moreover, the CCIT increased interest in both cyber security as a topic and as a career. However, participants differentiated between the two, suggesting that theory should further investigate the relationship between interest development and vocational interest. Finally, this research recommends going beyond the concept of interest to fully appreciate NCSSCs' impact, particularly by including other relevant outcome variables, such as educational and career planning, key choices, and competing interests.
This thesis argues that NCSSCs organized and implemented like the CCIT could be a valuable solution to mitigate the lack of cyber security professionals. However, on its own, a skills competition programme is unlikely to achieve what a concert of policies might in dealing with the shortage. As the shortage issue has several roots, there are limits to what a NCSSC alone can do. However, it would lay a strong foundation for other policies to further steer students into the cyber security sector.
This thesis contributes to important debates such as interest theory, the relationship between skills competitions and interest, the design and implementation of NCSSCs and ultimately cyber security education and skills policy.
EPRSC Remit
This project falls within the EPSRC Digital Economy research area, where "Trust, identity, privacy and security" is one of the themes or research areas listed on this website https://www.epsrc.ac.uk/research/ourportfolio/themes/.
This research used the Italian NCSSC, the CyberChallenge.IT (CCIT), as a case study as it is the skills competition in Europe that provides cyber security training to the largest number of participants. This research employed a before and after design, collecting data from non-randomised comparison groups. Data were gathered following a mixed-method approach: quantitative data were collected through two online surveys and qualitative data through 50 interviews with competition participants.
This study found that CCIT students became interested in cyber security through a mix of "triggers," most notably curiosity, formal and informal coursework, and the CCIT itself. Moreover, the CCIT increased interest in both cyber security as a topic and as a career. However, participants differentiated between the two, suggesting that theory should further investigate the relationship between interest development and vocational interest. Finally, this research recommends going beyond the concept of interest to fully appreciate NCSSCs' impact, particularly by including other relevant outcome variables, such as educational and career planning, key choices, and competing interests.
This thesis argues that NCSSCs organized and implemented like the CCIT could be a valuable solution to mitigate the lack of cyber security professionals. However, on its own, a skills competition programme is unlikely to achieve what a concert of policies might in dealing with the shortage. As the shortage issue has several roots, there are limits to what a NCSSC alone can do. However, it would lay a strong foundation for other policies to further steer students into the cyber security sector.
This thesis contributes to important debates such as interest theory, the relationship between skills competitions and interest, the design and implementation of NCSSCs and ultimately cyber security education and skills policy.
EPRSC Remit
This project falls within the EPSRC Digital Economy research area, where "Trust, identity, privacy and security" is one of the themes or research areas listed on this website https://www.epsrc.ac.uk/research/ourportfolio/themes/.
Planned Impact
It is part of the nature of Cyber Security - and a key reason for the urgency in developing new research approaches - that it now is a concern of every section of society, and so the successful CDT will have a very broad impact indeed. We will ensure impact for:
* The IT industry; vendors of hardware and software, and within this the IT Security industry;
* High value/high assurance sectors such as banking, bio-medical domains, and critical infrastructure, and more generally the CISO community across many industries;
* The mobile systems community, mobile service providers, handset and platform manufacturers, those developing the technologies of the internet of things, and smart cities;
* Defence sector, MoD/DSTL in particular, defence contractors, and the intelligence community;
* The public sector more generally, in its own activities and in increasingly important electronic engagement with the citizen;
* The not-for-profit sector, education, charities, and NGOs - many of whom work in highly contended contexts, but do not always have access to high-grade cyber defensive skills.
Impact in each of these will be achieved in fresh elaborations of threat and risk models; by developing new fundamental design approaches; through new methods of evaluation, incorporating usability criteria, privacy, and other societal concerns; and by developing prototype and proof-of-concept solutions exhibiting these characteristics. These impacts will retain focus through the way that the educational and research programme is structured - so that the academic and theoretical components are directed towards practical and anticipated problems motivated by the sectors listed here.
* The IT industry; vendors of hardware and software, and within this the IT Security industry;
* High value/high assurance sectors such as banking, bio-medical domains, and critical infrastructure, and more generally the CISO community across many industries;
* The mobile systems community, mobile service providers, handset and platform manufacturers, those developing the technologies of the internet of things, and smart cities;
* Defence sector, MoD/DSTL in particular, defence contractors, and the intelligence community;
* The public sector more generally, in its own activities and in increasingly important electronic engagement with the citizen;
* The not-for-profit sector, education, charities, and NGOs - many of whom work in highly contended contexts, but do not always have access to high-grade cyber defensive skills.
Impact in each of these will be achieved in fresh elaborations of threat and risk models; by developing new fundamental design approaches; through new methods of evaluation, incorporating usability criteria, privacy, and other societal concerns; and by developing prototype and proof-of-concept solutions exhibiting these characteristics. These impacts will retain focus through the way that the educational and research programme is structured - so that the academic and theoretical components are directed towards practical and anticipated problems motivated by the sectors listed here.
People |
ORCID iD |
| Ewart Keep (Primary Supervisor) | |
| Tommaso De Zan (Student) |
Studentship Projects
| Project Reference | Relationship | Related To | Start | End | Student Name |
|---|---|---|---|---|---|
| EP/P00881X/1 | 01/10/2016 | 31/03/2023 | |||
| 1938110 | Studentship | EP/P00881X/1 | 02/10/2017 | 30/09/2021 | Tommaso De Zan |
| Description | 1.1 A system of triggers to develop cyber security interest This research found that interest in cyber security is the culmination of many years of interest development in technology. Six main factors contributed to the development of CCIT participants' interest in computer science, namely: • Gaming • Early school activities involving IT tools • Desire to understand how a computer works • Parental support to pursue computer science • Programming and experimentation • Self-learning In this context, there are several "triggers" that elicited interest specificially in cyber security, including: 1. Personal curiosity (60.3%) 2. Formal coursework (42.8%) 3. The CCIT (36.2%) 4. Encouragement coming from a professor (25.6%) 5. TV shows (20.5%) 6. Reading technical documentation (14.1%) 7. Capture the Flag competitions (13.6%) 8. Friends and family (13.1%) 9. Victim of cyber crime (1.5%) 10. Other (1,5%) 11. Not interested in cyber security (1.3%) 1.2 The outcomes of national cyber security skills competitions There are several outcomes this thesis can report on: - 71% of participants stated that the CCIT had increased interest in cyber security as a topic. This occurred in the whole population, even among those students who did not undergo the training. This was unexpected, as it was hypothesized that non-admitted students would have shown dissatisfaction towards the CCIT and the cyber security. - The three-month cyber security training was the most positive aspect of the CCIT and the reasons why interest in cyber security increased among CCIT participants. Students particularly enjoyed receiving good foundational knowledge, the practical lab-based exercises and the willingness to help of their instructors. This is the first study that links cyber security interest with cyber security training. - 49% of participants declared that the CCIT had increased interest in cyber security as a career. Hence, the CCIT increased interest in cyber security as a topic more than interest in cyber security as a career. There are at least three explanations 1) interest in a topic is not perfectly correlated with interest in a career, which is a central finding of this research; 2) the CCIT career-awareness activities were less effective than the cyber security training 3) students were not looking for a job. - Only a minority of students (16%) seemed to be solely interested in cyber security; instead, most students (51%) were interested in cyber security and other topics at the same level; 25% were more interested in other topics than in cyber security. Artificial intelligence and generic programming/software engineering were the most popular alternatives to cyber security. - Despite showing a clear interest in cyber security, CCIT participants were often unable to articulate ideas or plans on how they wished to bring this interest forward. Students showed little awareness of the cyber security sector: 45% of respondents were not aware of any cyber security degree to enrol in, and 55% did not know of any particular job role within the cyber security sector. - Among the students who changed their status between September and October 2020, 49% said they had been "influenced" by the CCIT in their choice. |
| Exploitation Route | DCMC can review its current cyber security skills strategy |
| Sectors | Education,Government, Democracy and Justice |
| Description | Preliminary findings have been cited in the "White Paper: Task Force on Cybersecurity Professional Training and Development" by the Global Forum on Cyber Expertise |
| First Year Of Impact | 2020 |
| Sector | Digital/Communication/Information Technologies (including Software),Education,Government, Democracy and Justice,Security and Diplomacy |
| Impact Types | Policy & public services |
| Description | Global Cyber Security Center (GCSC) |
| Organisation | Global Cyber Security Center |
| Country | Italy |
| Sector | Charity/Non Profit |
| PI Contribution | Produced two reports in the context of PhD summer mini-projects |
| Collaborator Contribution | GCSC provided funding and published the reports online |
| Impact | Two reports: https://gcsec.org/wp-content/uploads/2019/02/cyber-ebook-definitivo.pdf https://gcsec.org/wp-content/uploads/2019/05/casoIta-ebookENG.PDF |
| Start Year | 2018 |
| Description | GFCE |
| Form Of Engagement Activity | A formal working group, expert panel or dialogue |
| Part Of Official Scheme? | No |
| Geographic Reach | International |
| Primary Audience | Policymakers/politicians |
| Results and Impact | Membership to the Global Forum on Cyber Expertise's Working Group on Cyber Security Culture and Skills |
| Year(s) Of Engagement Activity | 2019,2020 |
| URL | https://www.ctga.ox.ac.uk/article/tommaso-de-zan-presents-cybersecurity-skills-shortage |