IGF 2018 WS #323
Global Cybersecurity Education Needs: Outcomes of Inaction

Organizer 1: Kerry-Ann Barrett, Organization of American States
Organizer 2: Carolin Weisser, Global Cyber Security Capacity Centre

Speaker 1: Kerry-Ann Barrett, Intergovernmental Organization, Latin American and Caribbean Group (GRULAC)
Speaker 2: Kaja Ciglic, Private Sector, Eastern European Group
Speaker 3: Sadie Creese, Technical Community, Western European and Others Group (WEOG)
Speaker 4: Oscar Noe Avila, Private Sector, Latin American and Caribbean Group (GRULAC)
Speaker 5: Maarten van Horenbeeck, Technical Community, Western European and Others Group (WEOG)

Moderator

Carolin Weisser, Global Cyber Security Capacity Centre, University of Oxford

Online Moderator

Barbara Marchiori, Organization of American States

Rapporteur

Carolin Weisser, Global Cyber Security Capacity Centre, University of Oxford

Format

Panel - 90 Min

Interventions

Speakers for the proposed session have be selected to ensure multi-stakeholder and differentiated geographic representation and can provide solutions and lessons learn from different communities. As with all forms of education and training, the successful development and continuation of a thriving knowledge base occurs when government, private sector, and civil society are all interconnected to ensure educational outcomes and research priorities will best prepare students to tackle the challenges of real world practice.

Whilst the proposed topic is a global issue, there are of course, regional differences in both the challenges and faced and capacity building and education and training requirements to address these. As such, drawing in speakers with both global and regional perspectives, is crucial to effectively reflect the current state of play in cybersecurity education and training.

Diversity

The speakers represent the different stakeholder groups and their perspectives: government/international organisation, private sector, and academia/civil society. Three of them are female and are mid-career and senior experts, origin from the US, Latin America and Europe (Western and Eastern).

The session will be structured into two parts, first analysing the current need for cybersecurity capacity building in terms of education, and secondly discussing the need to reconsider our approach to cybersecurity education and training.

Part one: Need for cybersecurity education and training
Significant improvements in the way the global community approaches the education and training of cybersecurity competencies and professionals is required in order to begin to close the skills deficit.
Panellists will briefly discuss the increasing risk of cybersecurity and the role of education. Each speaker will describe the challenges in their stakeholder group/communities in terms of cybersecurity training and education and the consequences. Panellists will highlight the evidence relating to the global cybersecurity skill shortage, taking both global and regional perspectives and looking at the impact of such gaps on nations at various stages of economic development.
The GCSCC will provide a reflection on the lessons that have already been learnt at the Capacity Centre from the research related to the CMM and the CHF, and critiquing the need for an analysis of the full spectrum of cybersecurity educational requirements, and the development of a template national education strategy that countries can easily adopt and adapt as they seek to mature aspects of their national cybersecurity capacity
Part Two: Ideas and opportunities for action

This will be followed by a discussion on the integration of cybersecurity capacity building and education (?) into international development projects, including barriers to integration, connection of cybersecurity to the United Nations Sustainable Development Goals (SDGs) and linking to the World Summit on the Information Society (WSIS) Action Lines.

Panellists will further discuss the role of education and training in National Cybersecurity Strategies and will provide examples for building action plans to build a national cybersecurity worksforce. Different cooperation examples will be presented including national, regional and approaches for education and trainings including public-private partnerships and research collaborations.

Discussion will be moderated by Carolin Weisser, Global Cyber Security Capacity Centre, University of Oxford. Sadie Creese will introduce the session, and for both part one and part two, provide examples of evidence relating to global cybersecurity capacity building and global cybersecurity education and training needs, before challenging panellists to comment and provide solutions on how such issues can be addressed.

Given the holistic nature and global reach of the issue, it is expected that both audience and online participants with have strong views and ideas on how such issues are resolved, and integration of such input will be prioritise in a manner that ensures differentiated geographic and stakeholder group representation.

The cybersecurity skills shortage represents an existential threat to developed nations that rely on technology as the backbone of their economy, critical infrastructure, and society at large.”
According to the World Economic Forum’s Global Risk Report 2018, cybersecurity risks are growing, both in their prevalence and in their disruptive potential. In order to tackle this issue, there needs to be a significant improvement in the way the global community approaches the education and training of cybersecurity competencies and professionals. Currently the world is faced with an immense skills deficit when it comes to cybersecurity. Failure to address this will result in wide ranging and globally reaching barriers to the achievement of the Sustainable Development Goals. Such disruption will hinder the global communities’ ability to both harness and share in the benefits of technological development. As such, this session will explore global cybersecurity education and training needs, and highlight the consequences of inaction in addressing such skills deficits.

Such discussion will be informed by the work of the Global Cyber Security Capacity Centre (GCSCC) at the University of Oxford including research related to the Cybersecurity Capacity Maturity Model for Nations (CMM), of which ‘Education, Training and Skills’ is one of five dimensions crucial for a country’s cybersecurity capacity, and the Cyber Harm Framework (CHF).

Cybersecurity Capacity Maturity Model for Nations (CMM)

The Cybersecurity Capacity Maturity Model for Nations (CMM) considers national cybersecurity capacity across five dimensions. These five dimensions cover the broad expanse of areas that make up the essential national cybersecurity capacity. They consist of a number of factors, and all factors are considered
with respects to five levels of maturity. The CMM outlines what a country
should expect to be able to do in each factor of each dimension, for each level
of maturity, and so the evidence that is required to convince that a level has
been achieved. It is a guided self-assessment model that can help a country
understand both its current maturity in each dimension, and also the types of
capacity-building that would need to be undertaken to further mature capacity
in any area, as prescribed by the model. Countries are then able to prioritise
capacity-building investments, according to their needs, the harms they wish
to address, and the risks that concern them most.
In order for a country to develop capabilities across all five dimensions, education and training will be critical. Firstly, there is a need to ensure that the government’s own education and training programmes can connect all of this information together and convert it into appropriate content and channels to meet their local context most effectively. Secondly, specific education and training requirements are needed to support the development of maturity within and across all dimensions of the CMM for all stakeholders involved in delivering the national capacity. Here lessons can be drawn from Dimension 3 of the CMM, “Cybersecurity Education, Training and Skills”, which provides an insight into types of national cybersecurity capacity-building requirements.
Cyber Harm Framework (CHF)
The GCSCC is in the process of developing a holistic and robust model for understanding the harm experienced by nations as a result of a lack of capacity, and how this can be reduced. The initial focus-groups and interview results suggest that an overwhelming majority of research participants (85% of them) identified education as a fundamental area where capacity-building is required. There is an educational need across the full range of possible stakeholders affected by cyber-harm, specifically for groups of people who hold key roles in their organisations (board members and managers) as well as more vulnerable groups (such as teenagers and elderly people).
Apart from training courses in cybersecurity and general education regarding phishing emails and other trending threats, it is also evident from our research that cyber-risk is underestimated. Risk appetites are socially determined, and unless cybersecurity risk becomes part of the mainstream, people will continue to overlook it. Therefore, educational efforts should focus on making these risks more tangible to individuals. Developing education courses focusing on understanding harm, and proposing effective channels to communicate its effects to a wider public are essential. For these education topics, in many cases the knowledge already exists, but needs to be developed into an educational offering. In other cases, there is a knowledge gap that will require research before educational offerings can be designed. One clear priority area for research is in the area of understanding harm arising from cyber-attacks or a lack of cybersecurity.
The session will be structured into two parts, first analysing the current need for cybersecurity capacity building in terms of education, and secondly discussing the need to reconsider our approach to cybersecurity education and training.

Part one: Need for cybersecurity education and training
Significant improvements in the way the global community approaches the education and training of cybersecurity competencies and professionals is required in order to begin to close the skills deficit.
Panellists will briefly discuss the increasing risk of cybersecurity and the role of education. Each speaker will describe the challenges in their stakeholder group/communities in terms of cybersecurity training and education and the consequences. Panellists will highlight the evidence relating to the global cybersecurity skill shortage, taking both global and regional perspectives and looking at the impact of such gaps on nations at various stages of economic development.
The GCSCC will provide a reflection on the lessons that have already been learnt at the Capacity Centre from the research related to the CMM and the CHF, and critiquing the need for an analysis of the full spectrum of cybersecurity educational requirements, and the development of a template national education strategy that countries can easily adopt and adapt as they seek to mature aspects of their national cybersecurity capacity
Part Two: Ideas and opportunities for action

This will be followed by a discussion on the integration of cybersecurity capacity building and education (?) into international development projects, including barriers to integration, connection of cybersecurity to the United Nations Sustainable Development Goals (SDGs) and linking to the World Summit on the Information Society (WSIS) Action Lines.

Panellists will further discuss the role of education and training in National Cybersecurity Strategies and will provide examples for building action plans to build a national cybersecurity worksforce. Different cooperation examples will be presented including national, regional and approaches for education and trainings including public-private partnerships and research collaborations.

Online Participation

Inclusive online participation in the proposed workshop will be encouraged before and during the session through the strategic use of Facebook Live and Twitter during the workshop. In advance, the opportunity for online participation will be promoted on all available channels of the participating organizations, including email, telephone, mailing lists, and social media. The three core parts of the communication will be the importance of online participation for the outcomes of the IGF, the invitation to submit questions in advance which will be discussed and prioritised in the session, and technical information how online participation via the WebEx platform works. During the session the moderator will explicitly ask online participants to take part in the debate and the online moderator will ensure that their contributions and questions are prioritised.