Cybersecurity Education Based on the NICE Framework: Issues and Challenges

The need for cybersecurity professionals and skills is growing rapidly in the United States and around the world due to several factors, including the continuous growth of the Internet, online social networks, smartphones, e-commerce and other global issues, such as cyberhacking and terrorism. Several references indicate that there is a significant shortage in terms of quantity and quality of cybersecurity professionals. “The International Information System Security Certification Consortium Inc. (ISC)² survey states that the cybersecurity workforce gap is on pace to hit 1.8 million by 2022.”¹ US government-sponsored website Cyberseek² continuously advertises for cybersecurity job openings in the United States that can be searched by state, city, etc. New roles and jobs in cybersecurity arise beyond the typical job roles. More interactive information about the relationship between the US National Initiative for Cybersecurity Education (NICE) Framework and different work areas can be found on the NICE US Careers and Studies’ website.³

The NICE Cybersecurity Framework was proposed several years ago as part of an initiative to enhance cybersecurity education to accommodate industry or job needs. The NICE Framework comprises seven categories (Securely Provision, Operate and Maintain, Oversee and Govern, Protect and Defend, Analyze, Operate and Collect, and Investigate); specialty areas; work roles; tasks; and knowledge, skills and abilities (KSAs). Specialty areas include distinct cybersecurity work, while work roles are more specific than specialty areas and can be identified in the NICE framework with specific KSAs. Similar efforts are conducted by the Software Engineering Institute (SEI) and the US Office of Personal Management (OPM).

Cybersecurity Programs in Higher Education Institutes

Recent cybersecurity educational frameworks such as NICE, OPM and SEI resulted from the need to change current education methods in IT in general and in cybersecurity in particular. This quote from the OPM website helps demonstrate the actions used to fill this need: “The Cybersecurity Workforce Strategy supports the [Cybersecurity National Action Plan] CNAP initiatives that propose investing [US] $62 million in Fiscal Year (FY) 2017 funding to expand cybersecurity education across the Nation.”⁴ Many similar activities/initiatives were triggered by OPM since they were attacked in 2015.⁵

This article focuses on several factors that drive the need for such frameworks:

• The imbalance between theoretical knowledge and practical skills—Unlike most other higher education programs and courses, IT-related courses must have explicit skills components in addition to knowledge components. Programs that lack such balance may graduate students with limited skills for job readiness. As an alternative, many students may go through private training or obtain certificates after completing their degrees.
  In competency-based education (CBE), course material should be explicitly divided into three areas: knowledge, skills and experience (or ability). Classical education has no such explicit distinction, and, in many cases, the majority of the course material or content will be covered through learning, teaching and assessment methods (e.g., oral presentations and written or online exams). For IT majors in general and cybersecurity majors in particular, this can create a serious deficiency in graduated students and their ability to match required job skills. Dividing the course time and content explicitly into the three components (KSAs) can systematically ensure that students not only know their field or major subject areas, but they can also propose solutions, solve problems, test for vulnerabilities, analyze systems, etc.
• The gap between academia and the industry—Organizations, especially in the IT industry, frequently complain that university or college graduates not only lack required skills to do the job, but also lack the knowledge of some of the most recent technology products and advances. The speed of changing curriculum and course materials is usually slow if compared with how fast technology advances and new methods to test, analyze and discover vulnerabilities arise. Programs in this area should develop explicit methods to revise course materials in short time cycles.
• The lack of clear vision on how to evolve to accommodate job forecasts—While the NICE initiative and many other references show the need for a large spectrum of different job roles in cybersecurity fields, most cybersecurity programs still prepare students using a “one size fits all” model. Educational institutes have their own reasons and factors for using this model, including resource constraints.

General Issues With the NICE Framework

The next few sections explore some of the problems and difficulties with implementing the NICE Framework or using it to guide the design of a cybersecurity program, whether at the undergraduate or graduate level. Customized courses for different specialty areas may result in generally small class sizes and the need for many instructors with different qualifications. Both can be problematic for institutions from both budgeting and management perspectives.

For cybersecurity programs to be able to adopt or implement the NICE Framework, the framework should be decomposed into courses/programs. The NICE Framework discusses KSAs, work roles and specialty areas, but not courses or programs. Evaluating how NICE KSAs are used to map specialty areas and work roles, two KSA categories can be observed.⁶

Core KSAs
Core KSAs in NICE framework include the ones listed in many different work roles or specialty areas. For example, knowledge areas from K0001 to K0006 exist in all work roles and specialty areas (figure 1).

Those knowledge areas are included in all 52 specialty areas (33 main specialty areas, with several sub-specialty areas). Looking at the description of those knowledge competencies, it can be observed that they are very broad in nature. Each one of them can be covered within a course. This is probably why they are included in all work roles. From an education perspective, this means that they should be in a core course required for all majors. As those knowledge areas are included in all 52 specialty areas, they should be included separately in an introductory course that would be a prerequisite course to all other program courses. For core skills and abilities, a cut-off of seven or more was set. This means that a skill or ability can be seen as core if it is included in at least seven specialty areas. Figures 2 and 3 show the core skills and abilities based on this assumption.⁷

Similar to core knowledge competencies, it can be seen that core skills and abilities are constructed to be broad in content. This is why they are included in many specialty areas.

So the question is then, is this is the best/optimized set of KSAs to be considered in the NICE Framework, based on the level of abstraction or details? Should some of those core KSAs be decomposed? What would be the advantage or the drawback to doing so? There are many indications that the current set of KSAs is not final. The process is evolutionary, however, and the term “final set of KSAs” may not be seen any time soon. If the current set of KSAs looks applicable for the current state of cybersecurity jobs or industry, they may not be applicable to cybersecurity education (i.e., without proper tuning).

The framework is designed to find a unified or common language among organizations, job recruiters, students or job seekers, and education providers (e.g., colleges, universities, training centers). For education providers, KSAs have to map to courses/programs. How many KSAs from the framework to include in each course is the most difficult question to consider. There is no assessment in the NICE Framework on how broad each KSA can be or how much course time, grading, etc., each KSA should be allocated.

Work Role Special KSAs; KSAs Largely Listed for One Work Role
Cybersecurity programs should consider developing job-oriented courses, i.e., one or more courses to be developed explicitly to target one job role. The NICE Framework documentation describes different work roles and required KSAs for each one of those roles. This can serve organizations, job recruiters or job seekers. However, education course designers are interested in ensuring that KSAs are not repeated in different courses. Current higher education institutes are built around courses, as they are the smallest autonomous units. Students can be asked to take a course as a prerequisite, but they cannot be asked to take a KSA as a prerequisite.

Institutions will have to develop core courses (with common or core KSAs) that can fit first- or second-year cybersecurity students. However, higher-level courses should be more focused and, hence, should include unique KSAs. This article does not list KSAs in this category as they represent the majority of NICE framework KSAs.

KSA Issues
The followings are some issues with how KSAs are presented:

1. Not including the KSA in any work role or specialty area. Figure 4 shows the list of KSAs that are not currently included in any work role or specialty area.
   
   It is possible that those KSAs were removed (from roles) by mistake or removed from NICE new releases. For example, Knowledge: K0085 can be seen in version November 2016 (800-081),⁸ in securely provision, risk management, software development, strategic planning and policy development, vulnerability assessment and management (VA) modules or specialty areas, but not in the current NICE documents (i.e., Excel file or the final August 2017 version).⁹ The KSAs that do not exist in the most recent versions include: K0085, K0099, K0166, K0173, S0099, S0105, S0165, A0075, A0169.
   The KSAs were removed completely from the new framework releases without notice. This is in comparison with other KSAs that were removed and the new document made removal indications, as shown in figure 5. The new documents show that they were withdrawn and included in other KSAs.
2. Listed in the most recent framework documentations as belonging to a work type, but not in the most recent Excel file (A0162)¹⁰
3. Two KSAs with the same number and different descriptions:
   • A0162: Ability to ensure information system security, acquisition personnel, legal counsel, and other appropriate advisors and stakeholders are participating in decision making from system concept definition/review and are involved in, or approve of, each milestone decision through the entire system life cycle for systems
   • A0162: Ability to recognize the unique aspects of the Communications Security (COMSEC) environment and hierarchy

Implementing the NICE Framework in Cybersecurity Programs

The NICE Framework and similar efforts tried to proactively propose solutions to meet the needs of a large number of qualified and skilled cybersecurity professionals. The framework is considered a structured common model through which the industry, job recruits, students or job seekers, and academic institutions can have common language and terms through which to communicate with each other. After evaluating many recent cybersecurity job posts on different recruiting websites, it was noted that they have started using KSAs from the NICE Framework in their posts as part of the job description or requirements. Students can then easily relate to these KSAs and show with their degrees and certificates that they have completed courses and trainings or have certificates that cover such KSAs. Nonetheless, implementing or using such framework for all four user categories mentioned earlier (i.e., industry, recruiters, students and academic institutions) will present several challenges. The next section describes one challenge—level of details and granularity—that can be seen as a result of trying to find a unified framework among the different categories.

Level of Detail and Granularity of KSAs

Several articles and papers discuss issues related to the level of detail and granularity in the NICE KSAs (e.g., the Computer Science Resource Consortium [CSRC] 2016).¹¹ There are some KSAs that seem to have more details than others. On the other hand, KSAs can be subjective and can vary from one course to another or from one job description to another. While making a unified language between education and industry organizations is considered a strength in the NICE Framework, it does, however, have some drawbacks. For example, for Knowledge: K0001, “Knowledge of computer networking concepts and protocols, and network security methodologies,”¹² clearly the granularity of such a statement can vary widely from one scope to another. For the classical computer science education, this statement may be covered within up to three complete courses (i.e., computer networking 1 and 2 and network security). How much each cybersecurity-related work area or specialty will require from this KSA can clearly vary from one specialty to another or from one program to another.

KSA K0001 integrates two large knowledge areas: computer networking concepts and protocols, and network security methodologies. Considering the first knowledge area, some of the main subjects that can be covered under this short statement include: network topologies, local area networks (LANs), wide area networks (WANs), routing, switching, open systems interconnection (OSI) model, Transmission Control Protocol/Internet Protocol (TCP/IP) suite, many networking protocols and wireless. Those can be covered typically in one or two computer networking courses. There is no doubt that each knowledge component in this KSA is very large, regardless of how much an instructor condenses it. Additionally, there are several other issues with this knowledge competency, e.g., scope and time coverage. How much content should an educator use to cover this competency? All the NICE Framework KSAs are introduced without any reference to time, effort or resource estimations. This may mean it is better suited as a reference rather than a practical framework or model. In other words, while the framework requires that you should cover this competency, further details are left to the institution and/or instructor.

Conclusion

This article assessed the NICE Framework which was introduced to help accommodate rapid changes in cybersecurity. One of the main goals of the NICE Framework is to help the US market fill its need for cybersecurity professionals and provide a common language with which organizations, job recruiters and education institutes can communicate. There is no doubt about the reality and seriousness of these issues and that the NICE Framework was able to actively approach these issues. However, the framework is far from being complete/perfect or final, and some issues with the framework were illustrated from an education perspective throughout this article. That said, the NICE Framework can be used to guide the design of cybersecurity courses and programs.

Endnotes

¹ Morgan, S.; “Cybersecurity Jobs Report: A Special Report From the Editors at Cybersecurity Ventures,” Cybersecurity Ventures, 31 May 2017, http://cybersecurityventures.com/jobs/
² CyberSeek, http://cyberseek.org
³ National Initiative for Cybersecurity Careers and Studies, “NICE Cybersecurity Workforce Framework,” USA, 12 December 2017, http://niccs.us-cert.gov/workforce-development/cyber-security-workforce-framework
⁴ Colbert, B.; “Strengthening the Federal Cybersecurity Workforce,” OPM.gov, 12 July 2016, http://www.opm.gov/blogs/Director/2016/7/12/Strengthening-the-Federal-Cybersecurity-Workforce/
⁵ Office of Personnel Management, “Cybersecurity Incidents,” USA, http://www.opm.gov/cybersecurity/cybersecurity-incidents
⁶ Newhouse, W.; S. Keith; B. Scribner; G. Witte; NIST Special Publication 800-181: National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, National Institute of Standards and Technology, USA, August 2017, http://doi.org/10.6028/NIST.SP.800-181
⁷ Ibid.
⁸ National Institute of Standards and Technology, NIST Special Publication 800-181 National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, USA, August 2017, http://csrc.nist.gov/csrc/media/publications/sp/800-181/archive/2016-11-02/documents/sp800_181_draft.pdf
⁹ Op Cit Newhouse et al.
¹⁰ National Institute of Standards and Technology, NIST Special Publication 800-181, Supplemental Material: Reference Spreadsheet for NICE Framework (xls), USA, http://www.nist.gov/file/372581
¹¹ Communications Security, Reliability and Interoperability Council, “Working Group 7: Cybersecurity Workforce Status Update,” USA, 14 September 2016, http://transition.fcc.gov/bureaus/pshs/advisory/csric5/WG7_Presentation_091416.pptx
¹² Op cit National Institute of Standards and Technology, 201