The Cyber Security Body of Knowledge project recently released two draft Knowledge Areas for comment, addressing Network Security along with Security Operations & Incident Management.
These join the Issue 1.0 knowledge areas of Cryptography and Software Security.
Led by Professor Awais Rashid at the University of Bristol with support from leading academics, a professional advisory board, an academic advisory board and input from the UK, US, Germany, Belgium, Australia and beyond, the project aims to create a vendor-neutral, academically grounded body of knowledge for the Cyber Security space covering 19 key knowledge areas:
- Risk Management & Governance
- Human Factors
- Privacy & Online Rights
- Law & Regulation
- Security Operations & Incident Management
- Adversarial Behaviors
- Malware & Attack Technologies
- Operating Systems & Virtualization Security
- AAA (Authentication, Authorization and Accounting)
- Distributed Systems Security
- Hardware Security
- Network Security
- Web & Mobile Security
- Cyber-Physical Systems Security
- Physical Layer & Telecommunication Security
- Software Security
- Secure Software Lifecycle
Image credit: www.cybok.org
An increasing political, societal and economic concern, cyber-attacks cost an estimated $400 billion (according to Lloyds) to global economies. The scale of the issue was further highlighted recently when the Bulletin of the Atomic Scientists factored cyber-attacks into their decision to move the symbolic Doomsday Clock closer to midnight.
However, there is a long-recognized skills gap within the cybersecurity sector, an issue that experts agree is compounded by a fragmented and incoherent foundational knowledge for this relatively immature field.
Mature scientific disciplines, such as mathematics, physics, chemistry, and biology have a long-established foundational knowledge and clear learning steps from pupils studying GCSEs at secondary school to undergraduate degrees at university, and beyond.
The overall aim of the CyBOK project is to codify the foundational and generally recognized knowledge in the expanding area of cyber security following a broad community engagement with the UK and internationally. The knowledge will be augmented with additional data, concerning the knowledge dependencies for particular learning pathways.
Why Does it Matter?
Ultimately, the growth and recognition of Cybersecurity as a profession, with globally agreed standards for knowledge, competence, conduct, and ethics will allow the same level of assurance for clients, customers and stakeholders as is gained from engaging professionals in other disciplines like accounting, engineering, medicine, law and so on.
The consequences of poor cybersecurity are far-reaching in terms of financial impact, political impact, personal impact and even threats to life. Responsible leadership from governments, industry, academics and the profession itself will help shape the skills and competencies required to meet the next wave of challenges.