The current issue and full text archive of this journal is available on Emerald Insight at:

https://www.emerald.com/insight/2056-4961.htm

Systematic
Key competencies for critical literature
infrastructure cyber-security: review

a systematic literature review

Nabin Chowdhury and Vasileios Gkioulos 697
Department of Information Security and Communication Technology, NTNU,
Trondheim, Norway Received 17 July 2020
Revised 22 September 2020
13 November 2020
Accepted 13 November 2020

Abstract
Purpose – The purpose of this paper can be encapsulated in the following points: identify the research
papers published on the topic: competencies and skills necessary for critical infrastructure (CI) cyber-security
(CS) protection; determine main focus areas within the identified literature and evaluate the dependency or
lack thereof between them: make recommendations for future research.
Design/methodology/approach – This study is based on a systematic literature review conducted to
identify scientific papers discussing and evaluating competencies, skills and essential attributes needed by
the CI workforce for CS and preparedness to attacks and incidents.
Findings – After a comparative analysis of the articles reviewed in this study, a variety of skills and
competencies was found to be necessary for CS assurance in CIs. These skills have been grouped into four
categories, namely, technical, managerial, implementation and soft skills. Nonetheless, there is still a lack of
agreement on which skills are the most critical and further research should be conducted on the relation
between specific soft skills and CS assurance.
Research limitations/implications – Investigation of which skills are required by industry for specific
CS roles, by conducting interviews and sending questionnaire\surveys, would allow consolidating whether
literature and industry requirements are equivalent.
Practical implications – Findings from this literature review suggest that more effort should be taken to
conciliate current CS curricula in academia with the skills and competencies required for CS roles in the
industry.
Originality/value – This study provides a previously lacking current mapping and review of literature
discussing skills and competencies evidenced as critical for CS assurance for CI. The findings of this research
are useful for the development of comprehensive solutions for CS awareness and training.
Keywords Skills, Review, Competencies, Critical infrastructure, Cyber-security
Paper type Literature review

1. Introduction
Critical infrastructures (CI) are paramount to the sustained functioning of most sectors of
modern societies, to the point where having a robust network of CIs and providing services
through this network has become one of the metrics of judgment for quality of life in
advanced nations (Hashim, 2011). However, the disruption of any CI and their supported
social functions can result in devastating financial losses and safety breaches to both

Compliance with ethical standards

Funding: This study was funded by the Norwegian University of Science and Technology (NTNU), Information & Computer Security
Vol. 29 No. 5, 2021
as part of research for the CybWin project. pp. 697-723
Ethical approval: This article does not contain any studies with human participants or animals © Emerald Publishing Limited
2056-4961
performed by any of the authors. DOI 10.1108/ICS-07-2020-0121
ICS individuals and communities. These security concerns have urged nations to make
29,5 significant investments in protecting CIs. While physical protection of CIs used to be the top
priority a few years past, nowadays these infrastructures are equally or arguably more,
threatened by cyber-attacks (Hurst et al., 2014). To combat this threat, many security
standards and guidelines have been developed (Leszczyna, 2018) and organizations are
adopting an increasing number of security measures, including firewalls, virtual networks,
698 computer forensics tools (Sklyar, 2012), intrusion detection and prevention systems (IDS)
(Ghafir et al., 2014) and other cybersecurity tools (Ghafir et al., 2016). Unfortunately, this has
not stopped many malicious parties from conducting successful cyber-attacks on CI.
It has been reported that in 2019 more than half of US organizations have faced
successful phishing or ransomware attacks (Davis, 2020), with many of them losing data,
facing account compromises and providers facing downtimes. The success of these attacks
has often not been linked to inadequate implementation or lack of security tools but to user
unawareness and personnel lack of training (Davis, 2020; Ghafir et al., 2016). In a 2015 study,
it has been noted how 20% of security breaches in the same year were the result of
infrastructure assets misuse and 31% were due to human errors (IRM, 2015). Another study
has found that the root cause of 80% of data breaches can be attributed to stolen data, often
obtained through social engineering attacks such as e-mail phishing (Chris, 2015). These
types of incidents and data have highlighted how the human factor can have as significant
of an impact as technical factors (Ani et al., 2019) and that a systems’ security is as weak and
vulnerable as the workforce that develops and operates it (Ani et al., 2019).
Improving the security of CI, thus means effectively improving the workforce’s security
capacity. This can be achieved by increasing the awareness, knowledge, skills and
competencies (Ani et al., 2019) of the personnel, by offering targeted and tailored educational
and training modules. To effectively develop successful training programs and other types
of educational offerings, it is fundamental to understand which type of competencies and
skills are to be developed by the workforce, additionally to knowledge requirements. This
means taking into consideration sector and role-specific requirements, as well as individual
human traits and behaviors that may influence the ability to respond to incidents and other
cyber security duties (Gratian et al., 2018).
In this work, we conduct a systematic literature review (SLR) with the intent of mapping
skills and competencies required by cyber-security (CS) personnel to deal with security
attacks and threats, with a focus on CI.

2. Related work
To the best of the author’s knowledge, an SLR that analyzes and reviews competencies,
skills and other necessary attributes specific to CI CS has not been conducted yet.
Nevertheless, several reviews and surveys have been conducted focusing on CI, industrial
control systems (ICS) and smart grid security measures. These articles have provided useful
insight into the state of art regarding CI CS, with some providing comprehensive-related
work sections and evaluation methodologies that were partially integrated into this work.
Dawson and Thomson (2018) review current research that has been conducted on cyber
expertise and which attributes individuals operating in the cyber domain need. In their
work, they discuss both technical and social-related skills needed by the CS workforce.
Different skills are associated with the different roles that each individual may cover in their
work environment. In the review, it is argued that certain personality traits may play a role
in the fitness of personnel for specific roles and responsibilities. The authors provide a
detailed argumentation for promoting further research in understanding the role of human
behavioral traits in CS assurance. In particular, they show that current frameworks for CS
awareness and training, such as the National Cybersecurity Workforce framework, Systematic
are lacking when it comes to dealing with non-technical aspects of training for the literature
CS workforce.
A similar conclusion was also reached by Jacob et al. (2018). In their work, the authors
review
argue that for less technological-related roles in CS, the framework does not provide
sufficient job descriptions for specific work roles, provides inadequate competencies and
training and career guidance, no predictable outcomes or metrics to determine the
effectiveness and has other lackluster areas.
699
Leszczyna (2018), in his study, seeks to identify all standards that define CS
requirements applicable to smart grids. The author identifies 17 standards and
analyzes the relationship between the standards to find points of overlap or
independency. The author’s study was produced according to an SLR based on the
approach by Webster and Watson (2002).
The review was composed of the following three main parts: literature search, literature
analysis and standards selection. The standards’ selection was based on a secondary
literature search on evaluation criteria of standards, which identified the following criteria:
scope, type applicability, range and publication. The author concludes that the requirements
specified by different standards differ mostly by the level of technical detail and thematic
coverage. Some standards are found to be complementary to each other while others are
independent. He also observes that specific standards are applicable to multiple components
of smart grids while others are limited to one. He finally identifies NISTIR (2014) to be the
standard that amalgamates the most requirements and is applicable to a broader range of
smart grid components.
Yan et al. (2012) survey the most common solution on CS for smart grid communications. The
author lists the major security requirements in privacy, availability, authentication, integrity,
authorization, auditability, non-repudiation, third-party protection, trust components for smart
grids and high-level security requirements. After identifying current challenges in smart grid CS,
the authors survey existing solutions for smart grid communications in each area previously
mentioned. The author concludes that solutions for smart grid communication security require a
holistic approach that includes traditional schemes, trusted computing elements and
authentication mechanisms based on industry standards. Additionally, he highlights the need for
cohesive standards and requirements, suggesting to continue the work currently being conducted
by the Natoinal Institute of Standards and Technology (NIST) project.
Hurst et al. (2014) survey current and future CI security strategies. The author discusses
the defense-in-depth strategy as the most adopted solution for CI protection (CIP). The
strategy involves the implementation of multiple layers of security so that even if an attack
penetrates one layer, there will be other layers of protection. Finally, the author concludes
that integrating conventional security strategies with innovative mechanisms is the only
option to avoid attacks from having devastating effects.
Knowles et al. (2015) surveyed the most recent methodologies and research for managing
and measuring risk in ICS CS. The authors discussed six areas covered by literature on
managing risk as follows: maturity model framework approaches for securing ICS through
component and architectural design, security evaluation tools, standards and best practices
for ICS security, standards and guidelines applicable to specific processes and technologies
and finally an examination of security metrics. The author also analyzes the publication.
The analysis tries to identify metrics and the extent to which the safety and security
relationship is covered. Finally, the author uses the results obtained by the survey and
analysis of literature to produce two crucial outputs as follows: the concept of functional
ICS assurance to bring together safety and security requirements and an agenda for future
29,5 research related to ICS security metrics.
Igor et al. (2018) presented in their work the design and results of a survey conducted to
identify the CS competence centers in Europe. The goal of the survey was to contact and
register all CS competence centers across the European Union, also sharing information about
their work and expertise. The survey was composed of 27 questions, divided in the following
700 five sections:
(1) General information;
(2) CS expertise;
(3) Sectors, applications and technologies;
(4) International collaborations and joint programs; and
(5) Confirmation and agreement with the privacy policy.

The survey has been completed a total of 665 times, with 61 centers providing supporting
documents. Of particular interest is the analysis of the domains of research of the responders,
which shows education and training together with data security and privacy being the two
domains covered by most centers. As it can be noted, all these works provide analysis of
technical requirements and standards that are either adopted or should be adopted for CIP.
What is neglected or not given enough detail on are the non-technical skills and competencies
that need to be directly acquired by CI personnel for effective CS?
Abd Rahim et al. (2015) have conducted a systematic review of approaches to assess CS
awareness. The review collected key findings regarding three fundamental aspects of these
approaches, namely, methodologies, target audiences and scope of assessment of these
approaches. The author narrowed down the review to 23 pertinent articles, which were
divided and reviewed based on which of the aspects previously mentioned they focused on.
The author concluded that although there are several suitable methodologies for CS
awareness, there is still a lack of flexibility with using multiple methodologies when
conducting one single study. Regarding the audience, the author finds that categorizing
users when developing CS messages is fundamental to guarantee reaching the right
audiences. Finally, regarding scope, the author identified areas with high potential of
research output, which are currently underdeveloped. In his analysis, the author does not
provide a categorization of the various assessment methods analyzed based on the industry
sectors of application, leaving unspecified whether the methods would be sufficient for CI CS
and which sectors or roles of CI they would be best suited for.

3. Motivation
What motivated the development of this work is the lack of scientific articles determining
and reviewing competencies and skills needed for CI CS. As it can be noted in Section 2,
current literature does not provide reviews or surveys that are focused on both CI CS and
evaluate human competencies specifically instead of technical requirements. Such an
evaluation would allow to determine and characterize critical skills for CI CS, based on
methodology, application sector, audience and scope. Accordingly, this would permit the
development of effective training modules and programs to increase CS awareness and
preparedness of the future CS workforce.

4. Research method
This work is based on an SLR conducted to identify scientific papers discussing and
evaluating competencies, skills and essential attributes needed by CI staff for CS and
preparedness to attacks and incidents. The literature review was conducted based on the Systematic
approach presented by Okoli and Schabram (2010). According to this method, the literature literature
review should be divided into the following eight major steps:
review
(1) Establishing the purpose of the literature review;
(2) Protocol and training (for any review that uses more than one reviewer);
(3) Searching of the literature;
(4) Practical screen;
701
(5) Quality appraisal;
(6) Data extraction;
(7) Synthesis of studies; and
(8) Writing the review.

4.1 Purpose of the review

The purpose of the review can be summarized as identify and analyze essential competencies
and skills required by CI personnel in CS roles. More specifically, the objectives of the
literature review can be encapsulated in the following points:

Identify the research papers published on the topic: competencies and skills
necessary for CI CS protection;

Analyze and evaluate research papers that conduct reviews or surveys on the topic
of skills and competencies for CI CS and summarize the methodology and result in a
related work section;

Determine main focus areas within the identified literature and evaluate the
dependency or lack thereof between them; and

Make recommendations for future research.

4.2 Protocol and training

Before commencing the SLR, an analysis of the most appropriate methodology was
conducted. Several scientific papers that followed Okoli’s approach had been consulted. It
was found that the methodology adopted by Yamin et al. (2020) shared research and
methodology requirements that were aligned with the objectives of our literature review.
Accordingly, this work’s methodology has been based on the methodology of their work and
adapted to our scope and evaluation criteria. As one sole reviewer conducted the literature
review, there had been no need for training of other individuals to ensure protocol
conformity.

4.3 Searching for the literature

As indicated in Section 4.1, the first task to be completed for this literature review was to
identify and gather the appropriate papers. To identify and collect scientific articles to be
evaluated, the following databases were consulted for extraction of related literature: IEEE
Xplore, Association for Computing Machinery Digital Library, ResearchGate, Google
Scholar, ScienceDirect, Scopus, ProQuest and Semantic Scholar. Different combinations of
the following keywords were used to maximize the search output: skills, competencies,
cyber security (or cybersecurity), CI, energy, nuclear and aviation. While the initial focus of
ICS this research was to investigate skills and competencies for CS in the three previously
29,5 mentioned sectors of CI (energy, aviation and nuclear), the low amount of research found
that focused on these fields and the compatibility of CS skills for these sectors with general
skills for CS motivated the expansion of the research focus. The following conditional logic
statement describes how the keywords were combined to create the search combinations:
([Cyber-security OR Cybersecurity] AND [Critical Infrastructure OR Aviation OR Energy
702 OR Nuclear] AND [Skills OR Competencies]). This produced a total of 16 keyword
combinations. Examples of possible combinations of keywords used for the literature search
are the following:

Skills þ cyber security þ CI; and

Competences þ cybersecurity þ energy.

Although we expected this high number of keyword combinations to produce an elevated

number of results, with a high likeliness of duplicates, unrelated articles and poor-quality
articles, this was necessary to avoid omitting any relevant article as part of the review.
Articles that were found to be non-valuable to the research were omitted during the next
steps. The total number of papers that were found using the keywords combinations was
28,100.

4.4 Practical screening

A set of inclusion and exclusion rules was put in place to screen the result of the literature
search as follows:

Only articles written in English were selected;

Duplicates found through multiple databases were excluded;

Articles before the year 2000 were excluded, to avoid the use of antiquated data;

Only scientific articles published in conferences, workshops and journals were
selected; and

Articles that were not accessible to the author.

Only articles that followed the complete list of rules were selected, although not all the
results of the screening were used for the SLR, as many were discarded in the next steps.

4.5 Quality appraisal

At this point, two more exclusion rules were set to facilitate the selection of papers.
Articles that did not include any combination of keywords in their title, abstract or
introduction were discarded. The second round of exclusion was conducted to eliminate
further articles that did not contribute to the initial goal as follows: “Identify key
competencies and other attributes necessary by CS personnel for CIP.” This was done
because many of the articles found focused on topics unrelated to this goal or did not
provide a comprehensive section or discussion of skills and competencies for CI CS. In
fact, many of the results focused on statistical data on CS workforce and threats, CS
incident prediction and prevention in the form of software or other tools’ usage, CS
training and awareness solutions without comprehensive discussions on skills and
competencies required and other topics outside of the original scope. For this, articles
that did not adequately focus on discussing competencies and skills necessary
specifically for CS fields were excluded.
4.6 Data extraction Systematic
To extract and map the key findings of each paper that were used in this review, a data literature
extraction review form was created. This form was organized as a table with eight columns
representing key attributes that were deemed necessary and sufficient to identify and
review
summarize each paper as follows:

Title and year: title of the paper and year of publishing;

Authors: list of contributing authors; 703

Competencies and skills: any competency and skill specific to CI CS or in some cases
general to CS described in the content of the paper;

Target: a group of individuals that are in need of the competencies and skills
mentioned. This usually included the CS workforce and students;

Areas: fields of study, CS and industry areas that the research focuses on or
identifies;

Skill acquisition methods: methods and tools discussed or developed in the research
conducted in each individual paper that can aid in acquiring the skills and
competencies that are discussed. The vast majority of studies reported some
methods or programs that could be of use, with the exception of a few papers;

Description: a brief description of the content of the paper;

Conclusions: final conclusions and outputs discussed by the authors of the papers;
and

Discussion: our personal discussion and evaluation of the content of the individual
paper. This includes any criticism or any unique findings.

4.7 Synthesis of studies

For the synthesis of the studies, we used the qualitative material collected in the data
extraction and in the writing of the reviews. The data was later used to map skills and
competencies in Section 6. Observations on each category of this mapping are then given in
the same sections, followed by general recommendations regarding both individual and
groups of skills and competencies.

4.8 Writing the review

Writing this SLR has been conducted in accordance with the standard principles for writing
research articles, using the method described by Okoli and Schabram (2010). After the initial
search, a total of 28,100 articles that satisfied the search criteria was found. This was
followed by rounds of practical screenings, to eliminate any non-English results, duplicates,
articles before 2000 and other articles that did not respect the criteria described in Section
4.4. This greatly reduced the number of articles to 2,331. After the practical screening,
quality appraisal of the remaining articles was conducted with the two rounds described in
Section 4.5 done in the same order as in the description. The first round of quality appraisal
reduced the number of articles down to 129. After the second round of quality appraisal, the
number of articles, which also composed the final literature review, came down to 29, with
an additional 8 articles discussed in the related work section. Additionally, another 32 works
were consulted for the purpose of the review and for additional information regarding CI CS.
These included articles that provided descriptive or statistical information about CI CS
(Davis, 2020; Ghafir et al., 2016; Sklyar, 2012; Ani et al., 2019; Luiijf et al., 2011),
ICS articles regarding methodologies for SLR (Okoli and Schabram, 2010; Yamin et al., 2020) or
29,5 other articles referenced by the ones present in our literature review that provided more
detail about specific topics.

5. Literature review
In this section, to answer the second objective of this work shown in Section 4.1, the results
704 of the literature review are shown. As mentioned in Section 4, the literature review is
comprising 29 articles, discussing skills, competencies and knowledge required by CS
personnel for CIP. Before commencing the analysis of the articles, an important clarification
must be made. This review will be focusing on articles discussing skills, competencies and
abilities needed by CS workers in CI and not behaviors and personal traits. Multiple studies
ütçü et al., 2016) have shown
(Lebek et al., 2014; Padayachee, 2012; Shropshire et al., 2015; Ög
how certain personality and cognitive traits (employees’ intentions, attitudes, motivations or
satisfaction, etc.) may influence employees security behaviors. Although mentions of these
factors and possible interdependencies with specific competencies and skills are presented
in this work, when discussed by articles analyzed in the following, it is out of the scope of
this work to conduct a comprehensive analysis and mapping of these factors. Additionally,
it must be noted that due to the lack of articles that specifically referred to sectors of CI,
articles that discussed skills and competencies for CS assurance in broader terms were
included, if the skills described were deemed applicable to CI domains. To evaluate whether
skills were applicable to CI domains, articles that discussed explicitly skills for CI CS were
prioritized and articles that showed correlations with the findings of the former group were
added. Many of the articles introduced skills and competencies as part of proposed solutions
for CS awareness and training, often in the form of training frameworks and modules.
Proposed solutions, when available, are also mapped later in Section 6, to determine trends
when it comes to skill acquisition methods found in the literature.
An example of this is the work conducted by Foo et al. (2013). The authors propose a
post-graduate curriculum that tries to close the gap between the thinking of control system
engineers and information technology (IT) professionals. The curriculum consists of the
following three sessions: an initial theoretical session, a hands-on practical session and a
final debriefing session. The initial course has four main aims as follows: raise awareness of
information security issues and how they relate to control systems; raise awareness of issues
within control systems; raise awareness in control system engineers of the dangers of cyber-
attacks and the capabilities of attackers in this area; raise awareness of the particular
requirements of deploying information security remediation in the control systems arena.
For the practical sessions, intensive five-day courses are proposed. Each course has a
different focus, such as system audit, vulnerability analysis, penetration testing, forensic
analysis and incident response. While the curriculum proposed by the authors offers a
detailed and comprehensive set of interdisciplinary education and various training modules,
the lack of evaluation of the curriculum leaves its effectiveness uncertain. Evaluation is
especially important for the hands-on exercises, as it may reveal the need to concentrate
some effort in enhancing communication skills and other competencies that are not
identified in the initial sessions.
Turkanovic et al. (2019) present an overview of a CS education model, which is shaped
after the recommendations of the joint task force on CS education and the expectations of the
Slovene industry. The author identifies a set of interdisciplinary skills not only in various
technical domains and fields but also in non-technical, more human-related skills (such as
insider attacks and ethics) that are required by the CS workforce. The model consists of
education modules for different Bologna levels, each focusing on a different set of skills and
knowledge. The offerings include both lectures and lab work. The primary focus areas of the Systematic
model are information security and digital forensic fundamentals, which are followed by literature
specialized education and training. The overall format and teachings offered in the model
review
are well encompassing. The author states that further research will be conducted to evaluate
the model by adapting it to local university programs. The results of this future analysis will
be of great interest to compare the effectiveness of their model to the other proposed models.
LeClair et al. (2013) propose both an interdisciplinary approach to cybersecurity
education and best practices for integrating advanced instructional technologies into online
705
cybersecurity education. Online education, in particular, is discussed as one of the more
effective and future-oriented methods of education, as it is analyzed to be both effective and
approachable by a larger audience than class-bound education. One interesting observation
made by the author is the need to motivate the targets to participate in the learning process
actively. Project-based learning is suggested as an effective way of addressing this issue.
Other benefits of online training are discussed, such as an increase in critical thinking and
participation. The author identifies the following three pillars when it comes to CS
education: technology, processes and people. Overall, the author identifies a multi-
dimensional process that needs to be incorporated into CS education. This process needs to
focus both on technical and non-technical aspects. The skills and competencies identified by
the author should be implemented into a concrete framework to offer a realistic solution for
CS training and education.
Sobiesk et al. (2015) discuss a role appropriate, multi-level, multi discipline approach to
cyber education. The authors start by providing a definition and examples of what
constitutes cyber and cyber-space. The multi-level offering discussed by Sobiesk et al. is
composed of the following five levels: cyber in general education, cyber electives, cyber
threads, cyber minors and cyber-related majors. Each of these levels offers a different type
of cyber-related education, with an increasing amount of specialization in each subsequent
level. The model presented by the authors has been adopted by West Point University,
located in the USA. Feedback from the students that have completed the education program
or are currently in the completion process would allow for the improvement of the modules
and integration of any missing training.
König and Wolf (2018) discuss a competence developing game named GHOST for CS
awareness training of businesses. The authors start by analyzing the requirements of a
successful CS training program. They identify three main motivations for personnel training
as follows: development of employee skills, increasing employee motivation and job
satisfaction and strengthening the employee company relation. No time available to
dispense employees and to miss internal capacity or funds to organize training is identified
as the major reason that forces companies not to conduct training. Due to the attributes of a
game-based approach, these limitations would be addressed. The authors focus on
discussing which is the most optimal configuration and interaction system for the game. A
touch-based interaction that supports three different points of view is agreed to be optimal.
The game consists of five different mini-games. Each of these has a different focus. Some
examples of topics tackled are as follows: handling of foreign flash drives, phishing emails,
backups, mobile devices and many others. This type of approach has multiple benefits, most
of which are stated by the authors. From ease of use to low cost, using a game-based
approach can be useful in many scenarios, but mostly in company-oriented training. Key
limitations to this type of approach are the relatively low number of topics that can be
addressed in a game-based scenario and the limitations that come with the type of interface
used.
ICS Luallen and Labruyere (2013) develop a CI and control system cybersecurity curriculum.
29,5 The program, targeted at graduate and undergraduate students. One interesting aspect of
the author’s research is the use of questionnaires to assess the skill set of the participants
and their respective expectations. The course consists of in-class lecture material and pre-
class video assignments. Two existing textbooks have been suggested to support the
teaching of more theoretical aspects. These lectures are supported by hands-on laboratory
706 exercises listed below:

PLC relay logic;

Attack a PLC;

Wireshark analysis of communication between a PLC and HMI; and

Attack control system communication and operator console.

To give additional hands-on experience, students were also assigned CI testbed exercises.
Overall, the curriculum offered by the author is quite extensive in both technical and
practical content. The curriculum has been positively adapted and refined using the
participants’ feedback and results. This type of continuous updating is key for guaranteeing
a model or a curriculum’s validity over the years against new threats and new technologies.
Evans and Reeder (2010) discuss the importance of having well trained and educated
personnel for each key role of CI security. They envision an all-encompassing career path
and curriculum, starting from early education to training for experts in the sectors. This
type of curriculum would start by providing education in core CS skills (hardware [HW],
software [SW], networking and business) and expand to later hands-on experience
consisting of specialized training and work-related missions. In their proposal they suggest
that the following solutions enhance current proposals in CS workforce education:

Encouraging younger students to pursue education and training in quantitative
fields of science;

Develop more rigorous curricula in computer-related disciplines; and

Automate daily tasks in CS.

The authors refer to multiple initiatives and programs that are currently being offered to
enhance CS skills for students and the workforce. Unfortunately, they do not go into further
detail in discussing the specific skills and competencies needed and whether the current
offerings were valid and efficient. State-of-the-art laboratory facilities, with the required
systems and testbeds, are also discussed by the author.
Mao et al. (2017) propose an infrastructure and curriculum design to support practical
experimentation in CS training. Because of a collaboration with the University of Singapore,
they successfully built and implemented physical labs, designed for open experiments. For
the curriculum design, the focus was kept in three areas, namely, system security, network
security and web security. The curriculum has been implemented for five years. The
received feedback from students has been overall positive, although not much further details
are given. The article lacks detail when it comes to the description of the single offerings.
Additionally, the initial courses are structured, given the assumption that students do not
know the subjects. An initial survey or more differentiation between offerings may allow for
better efficiency in the teachings.
Švábenský et al. (2018) present two courses and an educational game in a cyber range, to
aid students in adversary thinking. The course follows guidelines and standards set by the
National Security Agency/Department of Homeland Security Center of Academic Excellence
and the NIST National Cybersecurity Workforce (NICE from NIST). The major competencies Systematic
targeted are cyber defense, cyber threats, networking concepts, network defense and literature
penetration testing. The first exercise tests students in their ability to develop a game in a
review
topic related to cyber-attack simulation. The objective of this exercise is to allow students to
develop skills in performing penetration testing focused on a particular threat or
vulnerability and using a cyber range both as a learner and as a designer of games running in
it. The second exercise requires students to develop a tutorial on how to secure particular 707
network services. The results of the courses and exercises are later tested in in-class
presentations and consultations and test runs. The approach designed by the authors has
multiple benefits, such as motivating students to engage in practical CS activities and
allowing them to receive expert reviewing. The downside of this type of exercise is the
limited amount of hands-on tests that can be conducted and developed by the students
during the duration of the course. An approach that relied on laboratories exercises
simulating common CS scenarios would allow for more practical testing.
Assante and Tobey (2011) discuss the best approaches to make sure that a higher
number of CS experts, with the necessary skills and knowledge for their role, is produced
each year. This demand is due to the increase in positions that require CS expertise. Skills in
forensics, operational response and risk management are defined as critical for the new
workforce. Due to the dynamicity of the cyber-field, traditional backward-facing protection
methods should be substituted with new practices. Moreover, advanced collaboration skills
and a more rigid definition of roles should be promoted as well. The author identifies three
main components that define an individual’s talent: knowledge, skill and ability The use of
new methods in cognitive science to assess and measure skill and to distinguish knowledge
from skill better are also suggested. The author characterizes skill as a rapid and consistent
response, increased situational awareness and resilience to uncertainty, distraction and
distress. When it comes to training and simulation, the author states that all the following
guidelines should be respected:

Address the human factors;

Focus on all phases of the end-to-end workforce development cycle;

Develop ground truth expertise; and

Define the ladder of expertise by distinguishing professionals at each stage of
development and providing feedback at an individual level to aid in professional
development.

Additionally, they cite the Ground Truth Expertise Development model proposed by
researchers at the National Board of Information Security Examiners as a base roadmap to
develop an effective CS workforce. The authors should conduct experimental research to
support their study and validate their results.
Igor et al. (2018) conduct a survey to identify the CS research centers in Europe. The
survey contained 27 open-ended and close-ended questions and was composed of five
sections as follows:
(1) General information;
(2) Cyber-security expertise;
(3) Sectors, applications and technologies;
(4) International collaborations and joint programs; and
(5) Confirmation and agreement with the privacy policy.
ICS The survey has been completed a total of 665 times, with results coming from 61 European
29,5 centers. Of the domains identified in the survey, all of them were well covered by the results,
with education and training, data security and privacy, network and distributed systems
showing the greatest coverage. On the other end, trust management, assurance and
accountability and theoretical foundations of security analysis and design showed the
lowest coverage. The survey also presents findings regarding the number of publications
708 published from each center and the domains of the publications. These results show a strong
correlation with the previous findings. Based on ulterior results from the survey, the author
notes that although there is a stake coverage of domains all across the centers, the real
coverage of sub-domains is jeopardized, with only a few of them being realistically covered.
Interestingly, many of the sub-domains that show lower coverage pertain to trust and trust
management.
Curtis and Mehravari (2015) describe the CS capability maturity model (C2M2) and two
tailored versions of the model for the energy sector and the oil and natural gas sector. The
model includes 10 domains and for each domain, it contains a structured set of CS practices.
Some of the major domains included are risk management, identity and access management,
situational awareness, information sharing, incident and event response, workforce
management and CS program management. The model defines four maturity indicator
levels, MILO (equivalent to not performed status) through MIL3 (equivalent to a managed
status). These indicators are used to evaluate and rate the organization and institutional
progress in each domain. The evaluation conducted through the model allows to identify
gaps and institute and perform solution plans. The comprehensiveness and continuous
evolution of the models have made them a proven tool of evaluation for CS maturity. One
development that should be explored further is the adaptation of the model to more sectors
of CI and industry.
Yoon et al. (2016) provide a framework for evaluating the readiness of cyber first
responders responsible for CIP. The evaluation criteria are based on NFPA1410 standards.
A scenario-based evaluation is used for specific objectives. A list of the proposed scenario is
found below:

Gain remote access and exfiltrate data;

System denial-of-service attack;

System crash;

Repeated reboot attack; and

Covert manipulation of control.

Time and completeness and successfulness of the team are used as the main factors of
evaluation. The model has been demonstrated to be better suited at evaluating practical
abilities and skills of CS first responders than exam-based certifications. The author notes
that further research should be conducted to create environments that are adequate for
training evaluation. Hoffman et al. (2011) propose a holistic approach to develop the CS
workforce that considers technical and non-technical disciplines needed to produce CS
professionals.
Evans et al. (2016) try to identify elements of CS that may need further research.
Additionally, they propose a framework for CS assurance for human behavior. During their
literature research, the authors found that many individuals are willing to take risky actions
and undertake risky behavior, mostly due to the low level of awareness or weight given to
the vulnerabilities they may be exposed to. The fear appeal has been reported as one of the
better countermeasures to this type of behavior. The proposed framework is based upon
defined and repeatable quantification. This quantification is related to the range of human Systematic
aspect tasks that provide or are intended not to affect CS posture negatively. The framework literature
should build upon defined techniques such as human reliability assessment and statistical
quality control. To address human-related vulnerabilities, a scoring system is proposed,
review
which is based upon the previous considerations on human-related risks. While this
approach is innovative in its objectives and initial considerations, not complementing it with
a complete and effective educational model on technical skills would still leave the future CS
workforce with gaps in their fundamental knowledge. 709
Ani et al. (2016) present a workforce cyber security capability evaluation model used to
ensure that human personnel is not suffering knowledge and skills deficiencies. The authors
define CS assurance as a combination of technology, processes and people. The interaction
of the user with technology to manage system processes is highlighted as the risk factor that
creates vulnerabilities in a system. A system to evaluate the awareness and knowledge of
the workforce is argued to be a better tool for CS assurance. The evaluation model proposed
by the authors categorizes workers in the following three main groups: IT security experts,
engineers/field operators/technicians and corporate managers. For the purpose of the
evaluation with the model, they define skill as the ability to use accumulated knowledge either
from experience or training to spot or detect cyber-attack attempts, patterns and techniques
and the degree, to which the user can respond timely with appropriate countermeasures (Ani
et al., 2016). Knowledge is instead defined as the measure of information and theoretical
understanding about recurrent cyber threats, vulnerabilities, attack patterns and impacts to
the target system that a user, employee or operator is working with (Ani et al., 2016). The
evaluation, which can be conducted at both an individual level or at an organizational level,
consists of five different methods, namely, questionnaires, interviews, observations, attack
simulations (Penetration Testing) and gamification. The validation of the model developed
by the authors is conducted only theoretically, with a randomly generated vector consisting
of values of skill and knowledge assigned to the generated sample. Naturally, such a type of
validation does not take into account many of the nuances that come with a realistic
evaluation of the workforce.
In a later work, Ani et al. (2019) design an approach to evaluate the skill and capacity of
the CS workforce in the ICS. Through the use of statistical data, the authors identify the
most susceptible groups of personnel and the skill and knowledge required by them to
prevent incidents. Cognitive capabilities, human error, proficiency in IDS and other tools
usage are some of the main factors listed by the authors. The proposed model, which is an
extension of their previous work (Ani et al., 2016), uses the same type of testing and
parameters of the older version. The main shrewdness in the newer model is that individuals
are not noted as a harmonized point of the whole workforce, but as single-entry points
characterized by a specific set of vulnerabilities. This correction makes the model more in
line with the reality of the human workforce, which is also supported by the results of the
test-based scenarios conducted by the authors.
Boyce et al. (2011) research and identify the main areas of CS regarding human
performance that are currently lacking in depth. One of the observations made by the
authors concerns the usability of the software. In particular, they note that having different
users, with different necessities, using a multitude of software increases user dissatisfaction
and creates a less safe environment. Authentication, risk awareness and other skills are also
listed as contributing factors to incident prevention. Overall, the findings of the authors are
in line with previous work. Their surface-level research is rather shallow in details and
would require further work to identify additional factors, the difference in requirements
between roles and preventive measures.
ICS Rowe and Lunt (2012) map current efforts in CS research in various disciplines. Their
29,5 two-factor mapping shows the relationship between a scale of theoretical development
(theories, principles, innovation) to more applied development (application, deployment,
configuration) and computing programs. In particular, the following programs are
identified: organizational issues and information systems, application technologies, software
methods and technologies, system infrastructure. CS is defined as an overlaying layer over
710 the five pillars of IT (programming, networking, human-computer interactions, databases,
web systems), which connects all their body of knowledge. When it comes to CI, the authors
list the following as the major challenges to overcome:

Aging legacy infrastructure;

Lack of standardization;

Internet connectivity;

Real-time industrial processes;

Lack of security awareness among ICS1 designers and operators; and

Lack of ICS awareness among computing professionals.

Paulsen et al. (2012) give an overview of NICE, one of the major national initiatives for CS
education. The initiative has four components, namely, awareness, formal education,
training and professional development and workforce structure. While the first three
components target the general population, the last one is reserved for more specialized
personnel. One of the major efforts made by the program is to develop a framework that
divides CS workers into 7 high-level categories and recognizes 31 specialty areas.
Newhouse et al. (2017) provide more detail about the content and achievements of NICE.
More detail is given about the target audience, which includes as follows: employers, current
and future CS workers, educators and trainers and lastly technology providers. Knowledge,
skills and abilities (KSA) are defined for the 31 specialty areas. Additionally, tasks are
identified. A combination of tasks goes into forming a piece of work associated with a
specific specialty area. A detailed table is given listing all of the single tasks, the skills and
knowledge required for completion, the role of the personnel in charge of completion and the
area associated with the task. This level of detail allows for the formulation of targeted
training frameworks.
Mishra et al. (2015) discuss a flexible training framework for CS training for CIP. The
approach incorporates both the NICE and NIST guidelines for the protection of CI for
managing risks relating to CS. The proposed framework is built on self-contained
instructional modules. These modules can be either standalone classes or incorporated into
CS training courses. The modules consist of both theoretical and practical training, followed
by an evaluation.
Choi et al. (2013) examined the effect of user computer self-efficacy, CS countermeasures
awareness and CS skills on users’ computer misuse intention at a government agency.
User’s CS awareness on topics such as ethical conduct, trust, risk and privacy is identified as
having a positive impact on computer misuse intention. CS computing skills are defined by
the authors as the knowledge, ability and experience of an individual to use protective
applications to protect computers, computer networks and Infromation Systems (IS). CS
initiative skills are instead defined as the knowledge, ability and experience needed to seek
out, as well as take advantage of security software and best security practices. Finally, CS
action skill is defined as the knowledge, ability and experience an individual has to commit to
objectives to meet security compliance (Levy, 2005). Based on the author’s research about the
relation between user awareness of computer monitoring and CS computing skills and
computing skills, they note a negative correlation, which may support the idea that Systematic
monitoring of employees should either not be conducted or not be made public to the literature
employees, at least at the initial stage. Further research should be conducted on this
correlation.
review
Oltramari et al. (2015) evaluate the use of trust as a human factor in holistic CS risk
assessment, in an effort to develop a holistic and predictive CS risk assessment model. The
proposed CS Risk Framework would consist of the following three main parts: system-level
metrics (evaluated at the full system), policy-related metrics (evaluating the risks associated 711
with the policies that govern the network and network assets) and asset-related metrics
(evaluated at the asset level, such as metrics to assess risks associated with specific
machines, a virtual network or an operating system). When discussing an ontological way of
weighting trust, the authors suggest using behavioral characteristics, knowledge and skill
characteristics, situational characteristics and traits that influence behavior as measures.
The authors’ work highlights the very urgent necessity to offer a modern and accurate
framework to evaluate human-related factors, which are often harder to translate in
numerical values. Incorporating such a type of ontology to a more technical standard should
provide a comprehensive set of guidelines for CS assurance.
Henry (2017) discusses the gap between the current teachings in cybersecurity curricula
and the requirements for the CS workforce in the industry. To achieve this goal, the authors
conduct a literature review to build a new multi-level matrix, Cyberspace Education
Framework. The utility of the framework comes from allowing them to understand the
purpose of each education program and whether this purpose is aligned with the industry’s
needs. Additionally, the authors investigate whether generalist programs are more
advantageous than focused courses and finally compare the outcome of current educational
offerings to the KSA set out in the US Government’s work standards document as a proxy
for what would be required major cyber work roles in Australia.
Figure 1 shows the structure of the framework proposed by the authors to map different
CS educational offerings. The authors note that in many cases, there is a significant gap in
KSA required for positions in the industry and the final output of the current CS educational
programs. Additionally, these programs have been noted for offering little hands-on
experience, which is a very crucial requirement for future CS expert’s preparedness (Henry,
2017). The authors conclude by mapping possible skills and areas to include in current
offerings to make them more aligned with the industry’s requirements and other areas that
should be the focus of further research. While the framework proposed by the authors can be
of use to evaluate an educational program’s comprehensiveness, the authors do not delve
into more depth regarding both knowledge and skills that should be integrated to current
programs. A study on these two attributes would also allow for the extension of the
proposed framework as a tool for the improvement and optimization of current programs.

Figure 1.
Cyberspace education
framework
components,
proposed by Henry
(2017)
ICS Potter and Vickers (2015) conduct a similar analysis as Henry (2017), by investigating
29,5 industry requirements for CS, by interviewing professionals and analyzing current job
listings. The authors noted that in most job listings, the skills that were required for the
positions were often generic soft skills. Examples of the skills listed include the ability to
work independently, process skills, leadership, presentation skills, time management, risk
management, analysis, communication and problem-solving skills. Technical requirements
712 were often summed up as the need for certifications and technical skills. The authors
identified additional skills through a questionnaire that was sent to CS experts. Some of the
significant skills identified through the questionnaire include the ability to learn, leadership,
management, problem-solving, communication, the ability to deal with people, analysis and
motivation, experience and technical expertise. Moreover, job-specific skills were also
identified. Many of these skills were shared between various positions, but a number of
individuals, job-specific skills were also found. The findings of the authors’ research provide
an interesting input in the discussion of skills and competencies’ requirements for CS
expertise. These results should be integrated with the current research or to future work on
the technical requirements for CS expertise in different fields and for different roles.
A more recent mapping of KSA for CS curriculum needed by students, based on data
collected from interviews with CS professionals was conducted by Jones et al. (2018). A total of
44 CS professionals were interviewed by the authors, with questions concerning demographics,
32 KSAs related to cyber-defense and other open-ended questions. Participants rated how
important each KSA was to their job and indicated where they had learned that KSA.
Interestingly, for 31 of the 32 KSAs, participants indicated that they had learned the
most about them directly from their job, indicating that very little practical skills or in-
depth knowledge are acquired during their academic education. Participants were also
asked what skills they had wished they had learned during their academic formation.
The most common answers included as follows: recovery tasks, scanning skills, use of
IDS tools, network traffic analysis, packet-level analysis and penetration testing. In
total, 15 of the KSAs listed in the questionnaire were rated as being of significant
importance, indicating a need for prioritization for that specific subset. Results from the
tests and from the open-ended questions indicate that KSAs in the following areas are
the most important for CS students after graduation: networks, vulnerabilities,
programming and communication. The results obtained by the authors provide a great
indicator of which KSAs should be integrated and prioritized in current CS curricula.
As the authors note, further research is required in understanding how to best integrate
these KSAs to modern curricula and also to verify the findings with some practical
experimentation.
Carlton (2016) design, develop and empirically test a set of hands-on tasks set to measure
the cybersecurity skills level of non-IT professionals. The list of skills used for the
experimentation was extracted from previous work that defined an individual’s technical
knowledge, ability and experience surrounding the HW and SW required to execute IS
security to mitigate cyber-attacks as skills requirements (Axelrod, 2006; Boyatzis and Kolb,
1991; Choi et al., 2013). Furthermore, the authors tried to determine whether there are any
significant differences to cybersecurity skills levels based on gender, age, level of education,
job function, primary online activity, hours accessing the internet and experience using
technology. The results suggest that level of education and experience using technology
may make a difference in the level of vulnerabilities and breaches caused by an employee.
While the type of work duties performed, neither the number of hours nor the activity
completed online does not appear to make any difference on a non-IT professional’s
cybersecurity skills level.
6. Mapping of results Systematic
In the following section, a mapping of the results of the literature review will be conducted to literature
highlight common findings between the reviewed articles and establish prevalent attributes
in terms of targets, areas and disciplines and skills and competencies.
review
Table 1 shows a summary of the main target groups indicated in each research. Targets
have been grouped into two major categories, namely, the cyber workforce and students.
The cyber workforce includes any individual that is in charge of tasks pertaining to
the use, protection and maintenance of cyberspace-related functions. This includes 713
not only both CS personnel but also individuals that cover different other roles.
Additionally, the table provides information about the methods and solutions
proposed by the authors to aid in achieving the skills and competencies that are
reported in their research.
The table shows that 16 of the papers discuss skills and competencies for the cyber
workforce, 4 for students and 9 for both the cyber workforce and students. It is important to
note that while a majority of papers indicate their targets to be the broader range of cyber

Work Target Suggested method

Evans and Reeder (2010) Cyber workforce and students Professional certification for CS proficiency
Foo et al. (2013) Cyber workforce and students Local training program
Boyce et al. (2011) Cyber workforce and students X
Newhouse et al. (2017) Cyber workforce and students Framework for improving CI CS
Paulsen et al. (2012) Cyber workforce and students Program for CS awareness, education and
training
Choi et al. (2013) Cyber workforce and students User computer self-efficacy
Jones et al. (2018) Cyber workforce and students X
Henry (2017) Cyber workforce and students Cyberspace education framework
Potter and Vickers (2015) Cyber workforce and students X
Turkanovic et al. (2019) Cyber workforce CS education model
LeClair et al. (2013) Cyber workforce Inter disciplinary approach to CS education
König and Wolf (2018) Cyber workforce Competence developing game
Assante and Tobey (2011) Cyber workforce X
Igor et al. (2018) Cyber workforce X
Curtis and Mehravari (2015) Cyber workforce C2M2
Yoon et al. (2016) Cyber workforce Cyber training exercise
Hoffman et al. (2011) Cyber workforce Holistic approach to developing the CS
workforce
Evans et al. (2016) Cyber workforce Novel CS framework
Ani et al. (2016) Cyber workforce WCSC capability evaluation model
Ani et al. (2019) Cyber workforce Scenario-based testing
Rowe and Lunt (2012) Cyber workforce X
Mishra et al. (2015) Cyber workforce Flexible, modular training framework
Dawson and Thomson (2018) Cyber workforce CS development plan
Oltramari et al. (2015) Cyber workforce Holistic CS risk framework human factor
ontology Table 1.
Carlton (2016) Cyber workforce CS skills index Targets and methods
Luallen and Labruyere (2013) Students CS course curriculum proposed for skill
Mao et al. (2017) Students Scenario-based experiments and competencies
Svabensky et al. (2018) Students Two-course models
Sobiesk et al. (2015) Students Multi-level, multi-discipline approach to
acquisition, identified
cyber education from the articles
analyzed in the
Note: WCSC – Human Capability Evaluation Approach for Cyber Security literature review
ICS personnel, several articles indicate specialized roles. For example, Curtis and Mehravari
29,5 (2015) focus on research operators and owners of electrical and oil and gas CI. Newhouse
et al. (2017) indicate that programs should be developed separately to train and develop
educators, trainers and security providers. Hurst et al. (2014) state that managers and key
executives should also have a background in CS and focuses their research in the study of
skills that need to be acquired by individuals in this role. A few considerations can be made
714 on the papers based on the target of their analysis as follows:

6.1 Cyber workforce and students as targets

This sub-set of papers can be further distinguished in papers that discuss skills and
competencies for both targets in general terms and papers that use data collected on skills
for the cyber workforce to discuss the landscape of current CS curricula available for
students. This latter case is more interesting as it often produced more significant results,
providing more detail on skills developed or required for both targets. It is also more
demanding work, as it requires a focused study on both domains. Potter and Vickers (2015),
Henry (2017) and Jones et al. (2018) all discuss ways to improve current CS curricula based
on data collected through studies, questionnaires and interviews with CS experts. A shared
conclusion raised by the authors is that many modern curricula do not focus enough on
acquiring skills and knowledge through practical experience, which was supported to be the
most effective way for training (McCrohan et al., 2010). Additionally, it was also noted that
many of the curricula offer more generalistic knowledge and skills, although in the industry
there is a stronger need for focused technical and practical skills (Jones et al., 2018; Henry,
2017). Developing effective ways to integrate the missing skills and competencies in current
CS curricula should be the next step in the research direction, as it would allow for the
effective development and training of future CS personnel.

6.2 Cyber workforce as targets

Papers that only have a cyber workforce as a target discuss either current needs for CS
personnel in terms of KSA or possible solutions to develop KSAs that are lacking or limited
in development. When it comes to solutions offered for skill acquisition or development,
many different proposals have been found in the literature, including as follows: educational
and training frameworks and programs, serious games, self-assessment modules, maturity
models, scenario-based tests and exercises and other interactive training solutions. Studies
focused on understanding the effectiveness of certain CS awareness and training solutions
(Tioh et al., 2017) and also works comparing the efficacy of different strategies (Luiijf et al.,
2011) have been conducted over the years. Nonetheless, due to the novelty of the approaches
proposed by some of the works in this literature review and also the implementation of skills
and knowledge not present in previous training programs, research should be conducted to
investigate on the comparative effectiveness of these solutions in instilling future CS
workforce with new skills and knowledge.

6.3 Students as targets

A relatively low number of papers has been found discussing students as the only target. All
of these papers discuss and propose skill acquisition methods either as a stand-alone or to be
integrated with current CS curricula. These approaches include fully-developed curricula,
multi-discipline approaches, courses, modules and exercises. A limitation of these papers,
which the first sub-set of papers discussing both cyber-workforce and students as targets
overcame, is that they do not compare or analyzes in depth the requirements with current
industry needs for CS workforce to the material presented in their solutions. Integrating this
type of comparison would allow both to validate their results in terms of future Systematic
requirements and make their solutions more attractive to institutions. literature
review
7. Skills and competencies for critical infrastructure cyber-security
As evidenced by the literature review in Section 5, there is not a universally agreed selection
of skills and competencies needed for CI CS or CS assurance. Nonetheless, general trends
and commonalities can be seen between the different proposals made over the years. CS 715
skills and competencies can be grouped in the following categories:

7.1 Technical skills

Technical skills include a vast array of competencies and knowledge that may be needed for
CS assurance. Specific skills often depend on the role of an individual inside a firm.
Technical skills may relate to, namely, architecture, administration and management of
operating systems, networking, virtualization software and other fields. Additionally, to
combat specific threats, personnel may need knowledge relating and exclusive to the single
threat. This means that with new threats being continually developed, there is a constant
need for an update in the type of knowledge and technical skills required to defend against
attacks.

7.2 Soft skills

Soft skills include a large number of skills and dispositions. Communication skills, both as a
listener and as a speaker, trustworthiness, work habits are some of the skills that can
influence an individual’s ability to perform in CS tasks. While in the past, less focus was put
in understanding the relationship between soft skills and CS assurance, recent research (Ani
et al., 2019) has shown a very strong correlation between the two. This motivated the
inclusion of training modules for soft skills in many recent proposals for CI CS education
and training programs.

7.3 Implementation skills

Implementation skills are what often distinguish junior CS experts to seniors. This set of
skills allows studying the architecture of systems and networks, then use that information
to identify the security controls in place and how they are used. Same with weaknesses in
databases and app deployment.

7.4 Management skills

Management skills are usually required by chief personnel in charge of organizing and
coordinating technical vulnerability assessments (systems and network vulnerability
assessments and other types of vulnerability assessment), penetration testing, web-
application assessments, social engineering assessments, physical security assessments,
wireless security assessments and implementing secure infrastructure solutions.
The skills and competencies that have been found in the literature review have been
summarized and mapped in Table 2. The mapping consisted in grouping each skill in one of
the following four categories identified previously: technical skills, soft skills
implementation skills and management skills.
A few observations can be made from the mapping of the skills in Table 2. First, it can be
noticed from the table that the majority of skills and competencies reported could be defined
as general skills (Potter and Vickers, 2015). In this work, this definition is interpreted as
“skills that combine either interdisciplinary or area-specific knowledge, to perform a learned
ICS Skills mapping table
29,5 Technical skills Soft skills Implementation skills Management skills

1. Understanding of 1. Information sharing 1. Threat and 1. Risk management;

digital security and communications; vulnerability 1.Identity and access
concepts; 2. Public speaking and assessment and management;
2. Understanding of presentation skills; management; 2. Asset, change and
716 evolving threats; 3. Situational 2. Event and incident configuration
3. Understanding of awareness; response; management;
attack intelligence; 4. Cognitive and 3. Continuity of 3. System
4. Penetration testing behavior analysis; operations; administration;
skills; 5. Ability to work 4. Workforce
5. Cryptology knowledge; independently; management;
6. SW and HW security 6. Trust management; 5. CS program
skills; 7. Teamwork; management;
7. Network security skills; 8. Motivation; 6. Supply chain and
8. Computer forensics 9. Time management; external
skills; 10. Networking; dependencies
9. Programming skills; 12. Confidence; management;
Table 2.
10. Data analytics skills; 13. Work habits 7. Evaluation of
Mapping of skills 11. Information security policies
and competencies for skills; effectiveness;
CIP found in the 12. Wireless security skills; 8. Project planning
literature review 13. Ability in using IDS tools

psychomotor act or an observable behavior (Newhouse et al., 2017) required for multiple, if
not the majority of roles in CS.” To determine which of the skills that are defined in the
literature are general, the findings of the literature review were used either directly or in the
form of quantitative data, together with the documentation for the NICE framework
(Newhouse et al., 2017) and later frameworks based on NICE. This information was used to
establish which skills were considered critical for CS expertise and skills that encompassed
a broad range of knowledge or combined other individual skills. In the NICE framework, a
significantly higher number of skills and abilities is listed, many of which could be defined
as specialized skills. Specialized skills are differentiated from general skills due to being
required for specific roles or missions in CS. In the framework, specialized skills are
associated with specialty areas and tasks that have been identified as being part of a
cybersecurity work role. The NICE framework identifies a total of 630 knowledge areas, 374
skills and 176 abilities that CS workers should possess depending on their roles. These
KSAs are later mapped in the same documentation to 51 individual roles in CS-related fields.
While this mapping is undoubtedly comprehensive, this high level of granularity is not
always advantageous, as it can become detrimental in many cases, some of which are
discussed in detail below.
Research has shown that for the education and training of students for specific CS roles,
generalist programs are less effective than mission-specific programs (Henry, 2017). For
example, Henry (2017) has shown how a master course in forensic computing and cyber-
crime investigation from the University College Dublin covered almost all KSAs reported by
CS experts in this role while equivalent generic programs offered a significantly lower level
of coverage. The master course offered at the University College Dublin offered more
specialized units of studies, such as mobile devices investigation, Linux for investigators,
live data forensics, data and database forensics, online fraud investigations, legislation and
financial fraud investigation, along with other units. The units in the generalistic programs
instead covered broader topics such as information security, programming, project Systematic
management, wireless security and data analytics. The specialization of the former units is literature
what rendered the first program more effective for the roles in computer forensic and cyber-
crime investigations.
review
On the other side, generalization and highlighting of KSAs that are valued more for CS
purposes are essential not only for the development of introductory courses to CS but also to
develop multi-role/mission courses. Such courses would allow students to develop
interdisciplinary skills needed for multiple positions in the CS work sphere.
717
In (Potter and Vickers, 2015), through the analysis of multiple job advertisements in
different CS-related positions, the authors found that a number of skills were highly sought
after for multiple different roles. In particular, soft skills such as teamwork and
communication skills were shared as requirements for most positions.
Jones et al. (2018) has also shown that certain KSAs should be prioritized over other, more
specialized KSAs. After asking 44 participants to rate from 1 to 6 the importance of given
KSAs, 3 received a mean rating over 5, another 11 received a rating between 5 and 4.5 while
all the others received a lower rating. The 14 KSAs that received the highest scores are
reported in Table 3. This shows a general consensus from CS experts when it comes to
defining KSAs that should be prioritized during training.
One other criticism for the mapping used in the NICE framework is detailed in the work
of Jacob et al. (2018). As previously stated in Section 2, the authors argue that for less
technological-related roles in CS, the framework provides poor job descriptions for specific
work roles, inadequate competencies and training and career guidance, no predictable
outcomes or metrics to determine effectiveness, etc. Providing a general mapping of skills
and competencies for the CS workforce has the advantage of facilitating the development of
introductory or general courses and programs, for the development and training of future CS
experts. Moreover, the higher focus given in mapping key soft skills also provides a
beneficial input from this work, compared to the data contained in the NICE documentation.
As anticipated, many of the soft skills identified in the literature are usually general skills
needed by most CS workers. In particular, developing good communication and teamwork

Most valuable KSAs table

m>5 4.5 < m < 5

How traffic flows across the network Basic system administration, network and operating system
hardening techniques
Network protocols Network security architecture concepts
System and application security threats General attack stages
and vulnerabilities
Different classes of attacks and recovery concepts and tools
Recognizing and categorizing types of vulnerabilities and
associated attacks
Conducting vulnerability scans and recognizing vulnerabilities Table 3.
in security systems KSAs with a mean
Computer network defense policies, procedures and regulations score m higher than 5
Securing network communications
on the left and with a
Programming language structures and logic
Information assurance principles and organizational score between 4.5
requirements and 5 on the right, as
What constitutes a network attack and the relationship to both reported by Jones
threats and vulnerabilities et al. (2018)
ICS skills is fundamental to increase the effectiveness and efficiency of incident prediction and
29,5 prevention actions (Švábenský et al., 2018; Mishra et al., 2015). Simulation exercises and
interactive, team-based solutions are often suggested as possible methods for building better
team-working and communication abilities (Švábenský et al., 2018). Other soft skills, such as
trust management, can pose more of a challenge, both in terms of definition and
development.
718 Oltramari et al. (2015) aggregate multiple concepts such as competence, benevolence,
integrity, predictability, attitude, intention, behavior, reliability, dependability and faith as
defining characteristics to building trust. While some of these characteristics can be
developed through experience and knowledge acquisition, others are dependent on
individuals’ behavioral characteristics (Oltramari et al., 2015). This adds a human-
dependent factor to CS assurance, which is often exploited during cyber-attacks, as it
represents one of the weakest points of CIP (U. Ani et al., 2019). In fact, a significant
number of successful attacks against CI involve the use of social engineering
techniques (Conteh and Schmick, 2016). While in most cases, non-security experts or
staff not involved in CS or other technical positions that require digital expertise are the
most susceptible to these attacks, it is not uncommon for CS personnel to be also
exploited (Conteh and Schmick, 2016). Development of future training frameworks and
programs for CIP should thus consider including modules finalized in educating staff to
detect and prevent such attacks.
As mentioned in their definition, both implementation and management skills are often
required by senior CS experts or by individuals covering specific roles, including leadership
positions, but are often not required by many other roles in CS. This caused the development
of only a selected number of curricula and training frameworks for the advancement of these
competencies (Curtis and Mehravari, 2015; Boyce et al., 2011; Knowles et al., 2015). These
programs usually can only be completed if a lengthy number of technical pre-requisites have
already been acquired by the individuals or are taught during long-lasting teachings and
courses preceding the ones for management or implementation skills development.
Although there is less concentration of studies and methods for the development of these
skills, having qualified key figures in managerial positions and CS experts lead large-scale
implementation projects is crucial for the longevity of any CI architecture. Additionally,
many of the managerial and implementation competencies required by CS professionals can
only be acquired if a solid technical background is already present. Threat and vulnerability
management, for example, requires not only the implementation of plans and procedures to
detect and counter threats but also the installation and use of technologies and software to
identify, analyze, manage and respond to CS threats (Curtis and Mehravari, 2015). Similarly,
asset, change and configuration management requires HW and SW knowledge to manage
the organization’s IT and operations assets (Curtis and Mehravari, 2015). Many of these
skills require advanced technical knowledge, in addition to experience in the position.
Finally, it must be noted that with the exception of most soft skills, other skills require
continuous updating in the content and amount of knowledge required to achieve them. This
is mainly caused by the fast pace of innovation of technologies and the landscape of new
attack vectors. For this reason, detailed mappings of skills and competencies to their
respective body of required knowledge should be mostly evaluated based on their
publication period and not used as definitive standards.

8. Conclusions and future work

The level of knowledge and skills necessary from current CS workers involved in CIP
has significantly increased in recent years. Some of the identified causes that induced
this increase include continuous innovation in the digital technology sector and CI sectors Systematic
(Yan et al., 2012; Hsu and Marinucci, 2013), development of new attacks vectors and literature
discovery of new CS threats (Jang-Jaccard and Nepal, 2014), increase in attacks targeting
humans as the vulnerable factor (Conteh and Schmick, 2016; Abraham and Chengalur-Smith,
review
2010) and results from multiple studies showing a strong correlation between CS assurance
and human-related attributes, such as behavioral and cognitive abilities (Ani et al., 2019;
Assante and Tobey, 2011; Evans et al., 2016; Ani et al., 2019). Due to this continuous need for
updates and additions to CS curricula, mapping skills, competencies and other requirements
719
for CI cyber security is a challenging task. Nonetheless, having a current mapping of the
most crucial skills is advantageous, as it allows for the development of comprehensive
training programs and frameworks for CI CS.
In this work, we conducted an SLR to identify scientific papers discussing and
evaluating competencies, skills and essential attributes needed by CI staff for CS assurance.
The identified skills have been mapped to establish categories of belonging and to highlight
shared attributes. Results from the review show that a wide array of skills are needed for CS
CIP. While some of the findings included skills in narrow fields, discussed by only seldom
articles, many of the skills identified where commonly agreed as fundamental by multiple
authors. Nonetheless, the relevance of the former skills should not be dismissed, as they can
be critical for correct and comprehensive CS assurance.
It has been noticed that there is often a lack of conciliation between the skills and
competencies taught in academia and the ones required for the jobs available in the current
market. Current educational curricula should be re-adapted, when necessary, to reflect
current needs in CS roles.
During this review, it was found that in recent years more effort has been taken to
include the training of soft skills for CS preparedness. Nonetheless, further research is still
required to understand how each of these skills affects various aspects of CS assurance. One
area where research is still somewhat lacking is the relation between behavioral and
cognitive abilities and CS efficacy. Although a number of studies had shown how certain
behavioral predispositions could influence an individual’s ability in CS assurance, more
research is needed to clarify this link further and to understand how future solutions should
address the issue.
During the comparative analysis of the articles, it was noted that many different
solutions for CS awareness and training have been developed over the years. Nonetheless,
there is still no agreement on what are the best procedures to integrate the training of these
skills to existing offerings or how to develop effective new solutions. Further work will be
conducted to evaluate current solutions for CS training and establish the most effective
ways to provide comprehensive and effective methods for CS training of the skills collected
and described in this work.

References
Abd Rahim, N.H., Hamid, S., Mat Kiah, M.L., Shamshirband, S. and Furnell, S. (2015), “A systematic
review of approaches to assessing cybersecurity awareness”, Kybernetes., May, Vol. 44 No. 4,
doi: 10.1108/K-12-2014-0283.
Abraham, S. and Chengalur-Smith, I. (2010), “An overview of social engineering malware: trends,
tactics, and implications”, Technology in Society, Vol. 32 No. 3, pp. 183-196.
Ani, U., He, H. and Tiwari, A. (2019), “Human factor security: evaluating the cybersecurity capacity of
the industrial workforce”, Journal of Systems and Information Technology, Vol. 21 No. 1, doi:
10.1108/JSIT-02-2018-0028. November
ICS Ani, U.P.D., Mary He, H. and Tiwari, A. (2016), “Human capability evaluation approach for cyber
security in critical industrial infrastructure”, Advances in Human Factors in Cybersecurity,
29,5 Springer, Cham, pp. 169-182.
Assante, M.J. and Tobey, D.H. (2011), “Enhancing the cybersecurity workforce”, IT Professional,
Vol. 13 No. 1, pp. 12-15.
Axelrod, C.W. (2006), “Cybersecurity and the critical infrastructure: looking beyond the perimeter”,
Information Systems Control Journal, Vol. 3, p. 24.
720
Boyatzis, R.E. and Kolb, D.A. (1991), “Assessing individuality in learning: the learning skills profile”,
Educational Psychology, Vol. 11 Nos 3/4, pp. 279-295.
Boyce, M.W., Duma, K.M., Hettinger, L.J., Malone, T.B., Wilson, D.P. and Lockett-Reynolds, J. (2011),
“Human performance in cybersecurity: a research agenda”, Proceedings of the Human Factors
and Ergonomics Society Annual Meeting, Vol. 55 No. 1, pp. 1115-1119, SAGE Publications Sage
CA: Los Angeles, CA.
Carlton, M. (2016), “Development of a cybersecurity skills index: a scenarios-based, hands-on measure
of non-IT professionals' cybersecurity skills”, Doctoral dissertation, Nova Southeastern
University.
Choi, M.S., Levy, Y. and Hovav, A. (2013), “The role of user computer self-eficacy, cybersecurity
countermeasures awareness, and cybersecurity skills inuence on computer misuse”, Proceedings
of the Pre-International Conference of Information Systems (ICIS) SIGSEC – Workshop on
Information Security and Privacy (WISP).
Chris, D. (2015), “Preventing cyberattacks and data breaches via employee awareness training and
phishing simulations”, schneiderdowns. February, available at: www.schneiderdowns.com/our-
thoughts-on/
Conteh, N.Y. and Schmick, P.J. (2016), “Cybersecurity: risks, vulnerabilities and countermeasures to
prevent social engineering attacks”, International Journal of Advanced Computer Research,
Vol. 6 No. 23, p. 31.
Curtis, P.D. and Mehravari, N. (2015), “Evaluating and improving cybersecurity capabilities of the
energy critical infrastructure”, 2015 IEEE International Symposium on Technologies for
Homeland Security (HST), IEEE, pp. 1-6.
Davis, J. (2020), “Ransomware, phishing attacks compromised half US orgs in 2019”, Ed. By
Healthysecurity.com. [Online; posted 28-January-2020]. January, available at: https://health
itsecurity.com/news/ransomware-phishing-attacks-compromised-half-us-orgs-in-2019
Dawson, J. and Thomson, R. (2018), “The future cybersecurity workforce: going beyond technical skills
for successful cyber performance”, Frontiers in Psychology, June,, Vol. 9, p. 744, doi: 10.3389/
fpsyg.2018.00744.
Evans, M., Maglaras, L.A., He, Y. and Janicke, H. (2016), “Human behaviour as an aspect
of cybersecurity assurance”, Security and Communication Networks, Vol. 9 No. 17,
pp. 4667-4679.
Evans, K. and Reeder, F. (2010), A Human Capital Crisis in Cybersecurity: Technical Proficiency Matters,
CSIS.
Foo, E., Branagan, M. and Morris, T. (2013), “A proposed Australian industrial control system
security curriculum”, 2013 46th HI International Conference on System Sciences. IEEE,
pp. 1754-1762.
Ghafir, I., Husák, M. and Prenosil, V. (2014), “A survey on intrusion detection and prevention systems”,
In Proceedings of student conference Zvule, IEEE/UREL. Brno University of Technology,
Vol. 1014.
Ghafir, I., Prenosil, V., Svoboda, J. and Hammoudeh, M. (2016), “A survey on network security
monitoring systems”, 2016 IEEE 4th International Conference on Future Internet of Things and
Cloud Workshops (FiCloudW), IEEE, pp. 77-82.
Gratian, M., Bandi, S., Cukier, M., Dykstra, J. and Ginther, A. (2018), “Correlating human traits and Systematic
cyber security behavior intentions”, Computers & Security, Vol. 73, pp. 345-358.
literature
Hashim, M.S. (2011), “Malaysia’s national cyber security policy: the country’s cyber defense
initiatives”, Proceedings of the Second Worldwide Cybersecurity Summit, available at: www.
review
cybersecurity.my/
Henry, A. (2017), “Mastering the cyber security skills crisis: realigning educational outcomes to
industry requirements”, ACCS discussion paper 4.
Hoffman, L., Burley, D. and Toregas, C. (2011), “Holistically building the cybersecurity workforce”,
721
IEEE Security and Privacy Magazine, Vol. 10 No. 2, pp. 33-39.
Hsu, D.F. and Marinucci, D. (2013), Advances in Cyber Security: Technology, Operation, and
Experiences, Fordham Univ Press.
Hurst, W., Merabti, M. and Fergus, P. (2014), “A survey of critical infrastructure security”, Critical
Infrastructure Protection VIII, in Butts, J. and Shenoi, S. (Eds), Springer Berlin Heidelberg,
Berlin, Heidelberg, pp. 127-138. isbn: 978-3-662-45355-1.
Igor, N.F., Neisse, R., Lazari, A. and Ruzzante, G.-L. (2018), Cybersecurity Competence Survey, doi:
10.2760/42369, available at: https://ec.europa.eu/jrc/en/publication/european-cybersecurity-
centre-expertise-cybersecurity-competence-survey
IRM (2015), “Amateyrs attack technology. Professional hackers target people”, available at: www.
irmplc.com, www.irmplc.com/issues/human-behaviour
Jacob, J., Wei, W., Sha, K., Davari, S. and Yang, T. (2018), “Is The NICE Cybersecurity Workforce
Framework (NCWF) Effective For A Workforce Comprised Of Interdisciplinary Majors?”,
Proceedings of the International Conference on Scientific Computing (CSC), The Steering
Committee of The World Congress in Computer Science, Computer Engineering and Applied
Computing (WorldComp), pp. 124-130.
Jang-Jaccard, J. and Nepal, S. (2014), “A survey of emerging threats in cybersecurity”, Journal of
Computer and System Sciences, Vol. 80 No. 5, pp. 973-993.
Jones, K.S., Siami Namin, A. and Armstrong, M.E. (2018), “The core cyber-defense knowledge, skills,
and abilities that cybersecurity students should learn in school: results from interviews with
cybersecurity professionals”, ACM Transactions on Computing Education ( Education), Vol. 18
No. 3, pp. 1-12.
Knowles, W., Prince, D., Hutchison, D., Disso, J.F. and Jones, K. (2015), “A survey of cyber security
management in industrial control systems”, International Journal of Critical Infrastructure
Protection, Vol. 9, pp. 52-80.
König, J.A. and Wolf, M.R. (2018), Cybersecurity Awareness Training provided by the Competence
Developing Game GHOST.
Lebek, B., Uffen, J., Neumann, M., Hohler, B. and Breitner, M.H. (2014), “Information security awareness
and behavior: a theory-based literature review”, Management Research Review, Vol. 37 No. 12.
LeClair, J., Abraham, S., (2013), and L. and Shih, “An interdisciplinary approach to educating an
effective cyber security workforce”, Proceedings of the 2013 on InfoSecCD’13: Information
Security Curriculum Development Conference, pp. 71-78.
Leszczyna, R. L. (2018), “A review of standards with cybersecurity requirements for smart grid”,
Computers and Security, Vol. 77, pp. 262-276, issn: 0167-4048, doi: 10.1016/j.cose.2018.03.011.,
available at: www.sciencedirect.com/
Levy, Y. (2005), “A case study of management skills comparison in online and on-campus MBA
programs”, International Journal of Information and Communication Technology Education
(IJICTE), Vol. 1 No. 3, pp. 1-20.
Luallen, M.E. and Labruyere, J.P. (2013), “Developing a critical infrastructure and control systems
cybersecurity curriculum”, 2013 46th HI International Conference on System Sciences. IEEE,
pp. 1782-1791.
ICS Luiijf, H.A.M., Besseling, K., Spoelstra, M. and De Graaf, P. (2011), “Ten national cyber security
strategies: a comparison”, International Workshop on Critical Information Infrastructures
29,5 Security, Springer, Berlin, Heidelberg, pp. 1-17.
McCrohan, K.F., Engel, K. and Harvey, J.W. (2010), “Inuence of awareness and training on cyber
security”, Journal of Internet Commerce, Vol. 9 No. 1, pp. 23-41.
Mao, J., Chua, Z.L. and Liang, Z. (2017), “Enabling practical experimentation in cybersecurity
722 training”, In 2017 IEEE Conference on Dependable and Secure Computing, IEEE, August,
pp. 516-517.
Mishra, S., Raj, R.K., Romanowski, C.J., Schneider, J. and Critelli, A. (2015), “On building cybersecurity
expertise in critical infrastructure protection”, 2015 IEEE International Symposium on
Technologies for Homeland Security (HST), IEEE, pp. 1-6.
Newhouse, W., Keith, S., Scribner, B. and Witte, G. (2017), “National initiative for
cybersecurity education (NICE) cybersecurity workforce framework”, NIST special publication,
Vol. 800, p. 181.
NISTIR (2014), “NISTI7628 7628 rev. 1 guidelines for smart grid cybersecurity”, National Institute of
Standards and Technology, available at: https://csrc.nist.gov/publications/detail/nistir
gütçü, G., Müge Testik, Ö. and Chouseinoglou, O. (2016), “Analysis of personal information security
Ö
behavior and awareness”, Computers and Security, Vol. 56, pp. 83-93.
Okoli, C. and Schabram, K. (2010), “A guide to conducting a systematic literature review of information
systems research”, SSRN Electronic Journal, May, Vol. 10, doi: 10.2139/ssrn.1954824.
Oltramari, A., Henshel, D.S., Cains, M. and Hoffman, B. (2015), “Towards a human factors ontology for
cyber security”, STIDS, pp. 26-33.
Padayachee, K. (2012), “Taxonomy of compliant information security behavior”, Computers and
Security, Vol. 31 No. 5, pp. 673-680.
Paulsen, C., et al. (2012), “NICE: creating a cybersecurity workforce and aware public”, IEEE Security
and Privacy Magazine, Vol. 10 No. 3, pp. 76-79.
Potter, L.E. and Vickers, G. (2015), “What skills do you need to work in cyber security? A look at the
Australian market”, Proceedings of the 2015 ACM SIGMIS Conference on Computers and People
Research, pp. 67-72.
Rowe, D.C. and Lunt, B. (2012), “Mapping the cyber security terrain in a research context”, Proceedings
of the 1st annual conference on Research in Information Technology, pp. 7-12.
Shropshire, J., Warkentin, M. and Sharma, S. (2015), “Personality, attitudes, and intentions:
predicting initial adoption of information security behavior”, Computers and Security,
Vol. 49, pp. 177-191.
Sklyar, V. (2012), “Cyber security of safety-critical infrastructures: a case study for nuclear facilities”,
Information and Security: An International Journal, January, Vol. 28, pp. 98-107, doi: 10.11610/
isij.2808.
Sobiesk, E., Blair, J., Conti, G., Lanham, M. and Taylor, H. (2015), “Cyber education: a multi-level, multi-
discipline approach”, Proceedings of the 16th Annual Conference on Information Technology
Education, pp. 43-47.
Švábenský, V., Vykopal, J., Cermak, M. and Laštovička, M. (2018), “Enhancing cybersecurity skills by
creating serious games”, Proceedings of the 23rd Annual ACM Conference on Innovation and
Technology in Computer Science Education, pp. 194-199.
Tioh, J.N., Mina, M., (2017), and D.W. and Jacobson, “Cyber security training a survey of serious games
in cyber security”, 2017 IEEE Frontiers in Education Conference (FIE). IEEE, pp. 1-5.
Turkanovic, M., Welzer, T. and Hölbl, M. (2019), “An example of a cybersecurity education model”,
2019 29th Annual Conference of the European Association for Education in Electrical and
Information Engineering (EAEEIE), pp. 1-4.
Webster, J. and Watson, R.T. (2002), “Analyzing the past to prepare for the future: writing a literature Systematic
review”, MIS quarterly, pp. 13-23.
literature
Yamin, M.M., Katt, B. and Gkioulos, V. (2020), “Cyber ranges and security testbeds: scenarios,
functions, tools and architecture”, Computers and Security, Vol. 88, pp. 101636, issn: 0167-4048, review
doi: 10.1016/j.cose.2019.101636, available at: www.sciencedirect.com/
Yan, Y., Qian, Y., Sharif, H. and Tipper, D. (2012), “A survey on cyber security for smart grid
communications”, IEEE Communications Surveys & Tutorials, Vol. 14 No. 4, pp. 998-1010.
Yoon, J., Dunlap, S., Butts, J., Rice, M. and Ramsey, B. (2016), “Evaluating the readiness of cyber first
723
responders responsible for critical infrastructure protection”, International Journal of Critical
Infrastructure Protection, Vol. 13, pp. 19-27.

Corresponding author
Nabin Chowdhury can be contacted at: nabin.chowdhury@ntnu.no

For instructions on how to order reprints of this article, please visit our website:
www.emeraldgrouppublishing.com/licensing/reprints.htm
Or contact us for further details: permissions@emeraldinsight.com