Article

Importance of Cybersecurity Competencies in Higher Education and for Employers

Faculty of Electrical Engineering and Computer Science, University of Maribor, 2000 Maribor, Slovenia
*
Author to whom correspondence should be addressed.
Appl. Sci. 2026, 16(7), 3260; https://doi.org/10.3390/app16073260
Submission received: 27 February 2026 / Revised: 24 March 2026 / Accepted: 26 March 2026 / Published: 27 March 2026
(This article belongs to the Topic New Trends in Cybersecurity and Data Privacy)

Abstract

The global shortage of qualified cybersecurity professionals continues to intensify, underscoring the need for targeted and practice-oriented education and training. This study examines and compares the cybersecurity competencies emphasized in higher education with those prioritized by employers. The findings reveal notable discrepancies between academic and industry expectations. Employers, particularly larger organizations, assign the greatest importance to competencies related to organizational and human security, whereas higher education institutions tend to prioritize technical cybersecurity domains. These insights provide a foundation for designing more comprehensive and industry-aligned cybersecurity curricula and can support the development of educational pathways tailored to specific learner groups and workforce needs.

1. Introduction

The world is facing a large shortage of cybersecurity professionals. The Cybersecurity Workforce Study 2024 from ISC2 [1] estimated the global cybersecurity workforce at 5,468,173 employees, with a 0.1% increase from 2023. In the same time period, the workforce gap has risen by 19.1% to 4,763,963 people. The gap is, therefore, almost as large as the current workforce. Also concerning is the trend of slowed-down recruitment of new professionals (it was 8.7% in 2022 to 2023) and increased gap growth (it was 12.6% between 2022 and 2023). According to the report, Europe was one of the worst-hit major regions in terms of widening the gap in the last year. The workforce gap in Europe was estimated at 392,320, while some estimates reached 883,000 [2]. Respondents in ISC2’s Cybersecurity Workforce Study [1] have listed budgeting as the number one reason for their gaps, while the inability to find the talent or skills they needed to succeed has slipped to second place. The cybersecurity skills gap is another similar issue, but it refers to a lack of appropriate skills in the workforce to perform specific cybersecurity tasks. ENISA discussed Europe’s skills and workforce gap in its report, “Addressing the EU Cybersecurity Skills Shortage and Gap Through Higher Education” [3].
At the same time, the EU and much of the rest of the world are prioritizing and investing in digital transformation. The two, however, do not go well together. The growth of digitalization drives the need for more cybersecurity professionals. On the other hand, development without proper security support could bring significant consequences in the future. Different legislations (e.g., NIS2 in the EU) also have the potential to increase demand for cybersecurity professionals, as they raise the minimum common level of cybersecurity and privacy, forcing organizations to spend more effort on cybersecurity. All of this culminates in Gartner’s [4] predictions that, by 2025, over half of significant cyber incidents will be due to a shortage of cybersecurity professionals or human error. In response to this situation, significant support has been provided to educational institutions, with the expectation of expanded and/or new Cybersecurity Study Programs that would produce larger numbers of cybersecurity professionals to help overcome the existing workforce gap [5,6,7].
This paper investigates which cybersecurity competencies are the most important. We will look at their importance from two perspectives. The first will be higher education (HE), where we will examine existing study programs at universities in the EU. Every course in the selection of Study Programs will be analyzed, and the knowledge students gain from each course will be recorded. As a result, we will get a good overview of which cybersecurity competencies are being focused on in higher education and, consequently, which skills most students will have as they finish their education. The second perspective will be employers with cybersecurity requirements in their organizations. From such Slovenian employers, we will collect data on which competencies are the most valuable to them and their organizations. The two approaches should give us a clear overview of which cybersecurity competencies are most important. Educational institutions can apply the results of this study to develop reliable, high-quality new study programs. The results can also be applied to existing programs to make them comparable to the average cybersecurity curricula in the EU or to address labor-market requirements.
For the cybersecurity skills taught in higher education, we have used a selection of study programs from ENISA’s CyberHEAD [8]. The competencies taught were extracted from the study programs’ course descriptions. The same competencies were also used to gauge the labor market’s cybersecurity competence requirements. Finally, we compare and contrast the results from the two environments and compare them with those from similar prior studies.
Based on the presented context, we have formed the research questions (RQ) that we will address in this paper:
  • RQ1: Which cybersecurity competencies are considered the most important by higher education institutions (based on the content of their study programs)?
  • RQ2: Which cybersecurity competencies are considered the most important by employers (based on their reporting)?
  • RQ3: To what extent are the cybersecurity competencies taught in higher education aligned with those prioritized by employers?
In addition to the analysis of cybersecurity competencies, the employer survey also briefly examines current workforce capacity, how employers would like to grow their cybersecurity staff, and the difficulty of finding new cybersecurity professionals. This research was limited to the HE institutions in the European Union and employers from Slovenia. While covering only Slovenia is a limiting factor, it is a very average EU country [9,10,11,12], so the results should be representative of a wider environment. This research was also only interested in cybersecurity-specific competencies and skills and did not consider other “soft” skills (e.g., communication, teamwork, etc.). Another big limitation is the different methods (chosen for their ability to collect the best data from a given environment) of collecting data from HE and employers, which means that while results from either (i.e., ranked lists of competencies by their importance) can be compared between the two, the measurements of the collected data cannot.
The rest of this paper is structured as follows. Section 2 introduces related research on measuring cybersecurity skill focus in education and industry. Section 3 introduces the framework for classifying cybersecurity-related knowledge, competencies, and skills. Section 4 and Section 5 explain the processes for data collection and the data collected in higher education and from employers. Section 5 also introduces some demographic information and data on the general state of cybersecurity staffing in Slovenia, gathered from the employer survey. Section 6 presents the most important cybersecurity competencies according to higher education study programs and employers. In the same section, we also contrast them and, finally, compare the results of this paper with previous research. Section 7 concludes the paper with a summary of the results.

2. Related Research

The research included in this section can be related to this paper from the perspective of analyzing cybersecurity competencies taught in educational institutions, and/or from the point of view of industry (i.e., researching industry requirements for cybersecurity competencies, or their importance to employers). The purpose of this section is to find out how others have tackled the problem of establishing a definitive set of cybersecurity skills and estimating their value. Secondly, the goal is to learn what methods have been used to measure the importance of cybersecurity skills.
Cabaj et al. [13] offer a very high-level overview of Cybersecurity Master Programs. On the topic of the programs’ content, the paper concludes that Master’s Programs give increasing importance to less technological areas, such as the knowledge areas of human, organizational, and societal security. Even though such content may be increasing, Vykopal et al. [14] analyzed study programs from 101 universities worldwide and found a lack of non-technical (human, societal, and organizational security) skills in curricula. They made a 10-step checklist to enhance existing programs. The main improvements focused on increasing the number of internships and hands-on courses. Dragoni et al. [15] also analyzed the contents of the cybersecurity-related Master of Science (M.Sc.) study programs in Europe. In their classification of knowledge/skills, they used a slightly modified version of cybersecurity skills from The Cybersecurity Curriculum 2017 (CSEC2017). They produced a list of the ten most covered knowledge units in higher education (i.e., Cryptography, Data Integrity and Authentication, Secure Communication Protocols, Access Control, Network Defense, System Access, System Control, Network Architecture, Data Privacy and Risk Management). Related research performed as part of the same project was published by Budde et al. [16]. The same modified CSEC2017 knowledge framework was used to define the required knowledge and skills for six cybersecurity-related job profiles. Based on the feedback, the authors identified some differences in academic and industry priorities, which are somewhat similar to the research conducted in this paper (although our research is not focused on a set of specific profiles). They also produced a list of the cybersecurity skills relevant to most cybersecurity positions (i.e., Network Defense, Network Architecture, System Control, System Access, Fundamental Principles, Secure Communication Protocols, and Incidents and Continuity) and identified a series of “transversal” skills relevant to all job profiles.
Jones et al. [17] used cyber professionals to gather information on how crucial knowledge, skills, and abilities (including soft skills) related to cyber defense are to their jobs and where they learned them. Among the possible knowledge, skills, and abilities, all were marked as important (the average was above neutral evaluation—we will see a similar result in this paper); however, fifteen were significantly higher than neutral importance. Armstrong et al. [18] surveyed cybersecurity professionals to gather the importance and difficulty of learning individual knowledge, skills, and abilities, with an emphasis on providing feedback for inclusion in education.
Švábenský et al. [19] mapped knowledge and skills obtained in Capture the Flag (CTF) challenges to see how well they match formal cybersecurity curricula. They did that by analyzing the keywords in write-ups from CTF challenges. The results show that cybersecurity topics are represented unevenly, with the most commonly covered knowledge areas in jeopardy CTFs being data security, connection security, and system security, while component security, human security, and especially societal security, are included much less. For attack-defense CTFs, connection security was the most important domain, followed by data and software security.
Haqaf and Koyuncu [20] used a Delphi method to identify and develop the key skills required for information security management positions. The result was a list of 16 key skills scored as the most important. The two most valued skills were understanding of information security issues from a management point of view and identifying the best information security practices for risk management. They also analyzed the inclusion of the 16 skills in the CISSP, SSCP, CISA, CISM, CAP, and CSSLP certifications. A paper by Hajny et al. [21] presented another study that focused on providing guidance for designing cybersecurity curricula. They also analyzed a large sample of cybersecurity study programs; however, on a higher level than will be presented in this paper. The authors also developed a tool to analyze a given curriculum and automatically identify missing topics and/or unsupported work roles, aiding the design of a new or the redesign of an existing study program.
Brooks et al. [22] analyzed security-specific job advertisements (in the United States of America) to obtain the most sought-after and required skills for the information systems security positions. The analysis identified domain-related education, certification, and/or soft skills; the latter were most commonly listed. The most common domain-related skills tended to represent competency areas, such as standards, networks, policies, control, risk, etc. Bukauskas et al. [23] also analyzed job postings, and additionally performed a public survey, a large-scale survey of company executives, and an exploratory cybersecurity expert survey. The paper’s main findings confirmed their suspicions that, in a small EU country environment, with mostly smaller organizations, cybersecurity specialists must perform multiple roles. Therefore, they proposed their own simplified, professional cybersecurity framework.
Ball et al. [24] analyzed the most employer-valued cybersecurity skills by conducting a survey among senior executives responsible for an organization’s cybersecurity. They found network and cloud security to be the most important skills among employers and noted that while artificial intelligence (AI) and machine learning (ML) for the purposes of cybersecurity are not the most valued fields, they are among the hardest to find new employees for. Among the non-technical skills, the most sought-after were critical thinking/problem solving, verbal communication, and teamwork competence. Recommendations for educational institutions include more hands-on learning, the inclusion of AI and ML to future-proof students’ education, and greater collaboration with industry partners to provide better feedback on skill requirements and practical experiences.
Table 1 collects the frameworks used in related research to define cybersecurity skills.
The research presented in this paper is distinct from previous research on multiple counts. Firstly, it presents a comparison of results from higher education and employers, whereas most research focuses on only one of the two. This research differs from those that directly collect and compare results from both environments in its data-collection methodology, focusing on more objective data collection and a larger sample size than related research. This includes collection from study programs based on their course descriptions, without using automated tools that search for keywords, but with expert analysis of content and data collection from a wide range of industry organizations and staff types (i.e., managerial and technical staff) to represent broad industry requirements. The paper also includes a comparison with the results from [15,16], where we will go into some more detailed differences in research and results.

3. Cybersecurity Competencies Framework

A Cybersecurity Competence Framework lists and maps the current and emerging cybersecurity skills, and often other related information (job roles, responsibilities, career paths, etc.). Skill frameworks can help identify cybersecurity competencies, knowledge, relevant roles, and the skills needed to perform those roles. There are quite a few cybersecurity competence frameworks. They are briefly introduced below; however, most of the section is devoted to an introduction to the chosen framework from the Cybersecurity Curriculum 2017.
The National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework [25] was developed by the US National Institute of Standards and Technology (NIST) in collaboration with other partners from academia, industry and government, with the primary purpose of providing a common terminology or understanding of cybersecurity concepts, to communicate cybersecurity work and the skills of the cybersecurity workforce consistently and clearly. As can be seen from Table 1, the NICE framework is very popular and used often; however, it is focused on connecting knowledge, skills, and abilities to roles and is therefore more often used in research with specific cybersecurity profiles. The Joint Research Center has prepared a study on the harmonization of terminology, definitions, and cybersecurity domains, entitled “A Proposal for a European Cybersecurity” [26]. The study proposes a common taxonomy that takes into account the different dimensions of the Cybersecurity domain. The alternative framework from Europe is the European Cybersecurity Skills Framework (ECSF) [27]. ECSF defines a set of 12 cybersecurity roles, each with descriptions of their tasks and required competencies, skills, and knowledge. In its role-centric view, it is similar to the NICE framework. The Cyber Security Body Of Knowledge (CyBOK) [28] was produced by the National Cyber Security Center of the United Kingdom of Great Britain and Northern Ireland and aims to create an exhaustive overview of the existing cybersecurity knowledge—it not only classifies the different competencies, but actually explains cybersecurity concepts. The CIISec Skills Framework [29], developed by the Chartered Institute of Information Security (CIISec), similarly to the NICE Framework, focuses primarily on workforce competencies. 
The ASD Cyber Skills Framework [30] was developed by the Australian Signals Directorate for the purpose of assessing, maintaining, and monitoring the skills and knowledge of its employees. The ASD Cyber Skills Framework is based partly on the CIISec Skills Framework.
Finally, there is the Cybersecurity Curriculum 2017 (CSEC2017) [31], which provides the framework used in this research. It was published by The Joint Task Force on Cybersecurity Education, which includes major international computing societies: Association for Computing Machinery (ACM), IEEE Computer Society (IEEE CS), Association for Information Systems Special Interest Group on Security (AIS SIGSEC), and the International Federation for Information Processing Technical Committee on Information Security Education (IFIP WG 11.8). CSEC2017 provides a framework of cybersecurity domains and skills, along with recommendations for higher education programs. The framework defines a comprehensive set of cybersecurity knowledge units grouped into knowledge areas. The framework also includes options to support the exploration of links between domains and topics, and the identification of disciplines on which cybersecurity education programs can be developed.
This framework was chosen for several reasons. It is well-documented, and (in our opinion) includes the most comprehensive classification of cybersecurity skills in the presented selection of frameworks. Although the classification provides a very good global overview across the main cybersecurity Knowledge Areas (KAs), it is also granular, as the main areas are further subdivided into 55 Knowledge Units (KUs), which are then subdivided into 288 topics, each of which is also described. The CSEC2017 framework is also commonly used in related research.
CSEC2017 defines eight KAs: Data Security^A, Software Security^B, Component Security^C, Connection Security^D, System Security^E, Human Security^F, Organizational Security^G, and Societal Security^H. The full list of the 55 KUs and KAs they belong to is given in Table 2. Cybersecurity KAs and their KUs are marked with a letter (knowledge areas have superscripted letters and knowledge units have the corresponding letter subscripted) to make it easier to recognize and connect knowledge units to their respective areas throughout the paper.

4. Importance of Cybersecurity Competence in Higher Education

Different job profiles require different skills, and certain skills are in greater demand or required in greater quantity. Higher education institutions consider these factors when designing their Study Programs and adapt the content accordingly. On the other hand, Study Programs are, in some measure, obliged to focus on the elemental principles of the subjects they cover. Analyzing the study programs provided information on the cybersecurity content taught in an average cybersecurity study program.
The study programs used in this research were extracted from CyberHEAD [8], a database of HE study programs in the field of Cybersecurity in Europe, managed by the European Union Agency for Cybersecurity (ENISA). At the time of collection, the database included 142 Bachelor’s and Master’s programs. A simple random sampling was used with twelve programs selected and 184 courses evaluated. The only limiting factor we considered in our selection was the availability of outlines or descriptions of individual courses (some programs only list courses, which is not enough information), to classify the knowledge obtained in the courses according to the CSEC2017 knowledge framework. For the courses to be evaluated, they had to be on the topic of cybersecurity (that is why joint degrees have fewer relevant courses) and also have fixed content (i.e., we exclude Bachelor’s Theses and similar from analysis, because they do not have fixed content, but are specific for each student). The twelve selected study programs are presented in Table 3. The table includes the program names, the educational institutions, the degree, the links to the Study Programs, and the number of ECTS (European Credit Transfer System) credits. The ECTS points listed outside the brackets represent the value of the ECTS points required by the students to complete each program, while the value in brackets is the total value for all the courses we have evaluated for each study program (896 ECTS credits altogether). There can be a significant difference between the two values if only a part of a study program covers cybersecurity content (e.g., a multidisciplinary study program), or if the program is modular, or offers a lot of optional courses (it is therefore possible to analyze courses with more ECTS credits than are required for the degree).
We chose to analyze study programs by examining their course descriptions, which offers an advantage over a questionnaire like that used by Dragoni et al. [15] because it removes participants’ subjective opinions about the programs they are part of. On the other hand, the chosen method is much more time-intensive, and we were able to include only study programs with clear online descriptions of their programs and courses.
For each cybersecurity-related course in each study program, one of the authors marked all the KUs covered in the course. Each course was assigned the same number of points as its number of ECTS credits. The points were distributed equally among all the KUs contained in the course. Any more fine-grained differentiation is not possible (i.e., differences in the distribution of effort between KUs, perceived or hidden, were not adjusted for, but they should average out over the many courses) because course descriptions are not detailed enough. KAs were scored by combining the points of all the KUs belonging to a specific KA. This means that, as more topics are covered in a course, a smaller proportion of points is attributed to each KU contained in the course. As a result, general subjects contribute smaller proportions of points to a large number of KUs, and highly focused or specialized subjects contribute a large proportion of points to a small number of competences (i.e., spending more time on a specific topic means that it was addressed in more detail and depth than in the case of more general courses where time is distributed among many topics). Having the number of points distributed within each course equal to its ECTS credits ensures that the results scale with the course’s size and scope. This normalization was introduced to account for the fact that two courses with, for example, 2 and 10 ECTS credits that cover the same subject matter cannot address the topic at the same level of detail. Courses with more ECTS credits are expected to be much more detailed and elaborate in their explanations of the topics than courses with fewer ECTS, which require much less time and effort from students. Using these two methods to balance the collected data and averaging the results across many study programs ensures representative results. The analysis results are presented in a later section, along with industry results.

5. Importance of Cybersecurity Competencies to Employers

In addition to reviewing the relevance of cybersecurity skills covered in HE courses, the goal was to also measure how relevant and crucial specific competencies are for the labor market. To this end, we developed a survey for employees and/or managers working in cybersecurity, asking them about the importance of individual competencies (as defined by the CSEC2017’s KUs) for the work their organization does. This part of the research was done on Slovenian employers. While we have shown in the introduction that Slovenia is a fairly average EU country, some caution is warranted when generalizing these results.
The anonymous questionnaire, designed to capture the interviewees’ opinions on the importance of cybersecurity skills to their organization, consisted of 20 questions. The first six questions were general questions about the respondent and the organization they come from; the next five were about their (current and future/desired) cybersecurity staff, followed by eight questions about the importance of specific competencies or skills (one question for each of the KAs that was subdivided to include all of the area’s KUs); and a final open question where respondents could tell us anything they wanted about the related issues or the survey itself. The respondents provided their opinions on the relevance of each of the 55 competencies (i.e., KUs) to their organization. They could mark each KU on a Likert scale, with five levels, ranging from not at all important (value 1) to very important (value 5). Given the number of KUs to evaluate, we used the Likert scale to avoid ballooning the question volume that would come with comparative methods and to make the survey familiar and easy for respondents, thereby reducing participant attrition. The respondents were also given the option to select “Cannot rate” if they felt that they could not rate the value of a particular competence/skill for any reason. These responses were not considered in the analysis.
The survey was advertised to people in cybersecurity through various associations, clubs, and other community organizations that are in contact with organizations that use cybersecurity professionals. The survey was active for three months, during which time it was accessed 358 times. However, we did not include the results of incomplete surveys, because the respondents always had the option to bypass a question if they did not have an answer or did not want to answer it (as such, we assume some respondents either came back at a later time with additional information and re-did the survey, or they did not want to participate anymore). In total, 45 fully completed questionnaires were analyzed. The completion rate of the survey was, therefore, 13%, which is within the expected range when dealing with external surveys [32].

Survey Respondents

Most respondents (44.8%) were from the organizations with lower annual revenues (up to 700 thousand euros), followed by organizations with up to 8 million euros in revenues (37.9%), while 17.2% of the participating organizations had annual revenues of more than 40 million euros. Non-profit organizations, like public sector organizations, could skip this question, so these data only cover 29 responses.
As shown in Table 4, the respondents to the survey were split evenly between managerial (44.4%) and ICT (Information and Communications Technology) technical staff (44.4%). They were also split evenly by the size of the organizations they came from, with 100 employees as the dividing line between smaller and larger organizations.
Table 5 provides information on the number of employees in participating organizations, the number of employees working in cybersecurity, and the number of cybersecurity professionals the organizations intend to recruit or want to recruit over the next five years. The organizations ranged in size from one to 9000 employees. The average organization had almost 1700 employees, although only 10 (22.2%) organizations had more than 1000 employees. The majority of the participating organizations had one person working on cybersecurity, but the average across all participating organizations was just over 5. This means that, on average, 1 in 365 employees (i.e., 0.27%) is working in cybersecurity. What is most interesting, however, are the figures for future recruitment plans for cybersecurity staff. Employers’ intention/ambition over the next 5 years is to practically double the current number of cybersecurity staff. Not only are the mean values between current cybersecurity staffing and future hiring very similar (Table 5), but their distributions are also remarkably similar (see Figure 1). This shows that it is not just one organization’s desire to expand its cybersecurity staffing, but that the trend of increasing cybersecurity staffing is widespread across employers.
Although organizations are very keen to increase the number of staff working on cybersecurity, they are clearly struggling to do so. The survey showed (see Figure 2) that more than 70% of the responding organizations have large or major difficulties in recruiting new staff in this field. Only one organization did not report having problems in this respect.

6. Results and Discussion

Higher education’s (HE) focus on cybersecurity competencies, and the cybersecurity competencies most valued/required by employers, were measured for each individual KU from CSEC2017. To gain a broader view, those results were combined into the KAs (Knowledge Areas). The reported values (i.e., the SUM points in Table 6) were averaged to account for differences in the number of KUs per KA (preventing areas with more units from having artificially inflated values).
The AVG rating determined the importance of the KAs to cybersecurity professionals’ employers. The AVG rating is the average rating that KUs belonging to each KA received in the employer survey (i.e., the AVG rating in Table 6). The rating was done on a scale from 1 to 5, and the results for individual KUs are shown in Table 7 as the AVG rating.
The diagram in Figure 3 presents the process of data collection and results calculation for HE and employers (a longer explanation was given in Section 4 and Section 5), where KA^X is a specific area, and KU_X is a knowledge unit within that area.
The importance of competencies in HE and for employers was determined by different methodologies, and, therefore, the values SUM points and AVG rating (in both Table 6 and Table 7) are not comparable. These values were included to give the reader a better overview of how large the divergence between KAs or KUs is within either HE or employer priorities, but the values themselves are not comparable between HE and employers. That is why we only compared the results between HE and employers based on the ranks (# in Table 6 and Table 7).

6.1. Knowledge Areas for HE and Employers

The importance of knowledge areas for HE and employers is presented in Table 6. The table lists the eight KAs from the most important to the least important. The differences between the results for HE and employers are considerable. The KA Data SecurityA, which is by far the most focused area of cybersecurity in HE, is only in fourth place for employers. Societal SecurityH, Connection SecurityD, and System SecurityE are also given much more attention in HE than employers value them. Meanwhile, the employers rated Human SecurityF and Organizational SecurityG KAs as the most important for their organizations, but they were, in HE, only ranked seventh and sixth, respectively. Component SecurityC was ranked as the least important in both cases (and with a meaningful margin). Looking at the AVG rating, we also notice that all KAs received very high ratings, considering that they were marked on a scale from 1 (not important at all) to 5 (very important). The participants almost never ranked any of the KUs as “Not important” or “Not important at all”.

6.2. Knowledge Units for HE and Employers

Table 7 shows the KUs’ importance in descending order, along with their scores for HE (i.e., SUM points) and employers (i.e., AVG rating). The SUM points value represents how many points each individual KU has received during the data collection on HE courses (see Figure 3). All the SUM points totaled 896, which is the total number of ECTS credits for all the evaluated courses. The AVG rating is the average rating survey respondents gave to the importance of each KU, on a scale from 1 (“Not important at all”) to 5 (“Very important”).
From Table 7, we notice that Human SecurityF KUs are much higher in the employers’ list than is the case for HE. There are four KUs from Human SecurityF in the employers’ top 12 most important competencies, while in HE, the highest-scoring Human SecurityF KU is only in the 22nd spot. Clearly, Human SecurityF is very important for employers, especially Identity ManagementF and Personal Data Privacy and SecurityF (first and second spots on the list, respectively), while it is not a significant priority in HE.
The KUs from Data SecurityA appear to be very high in the list of both HE and employers; however, closer inspection revealed significant differences (which were already implied in Table 6, where Data SecurityA was the most important area in HE, but only 4th for employers). We notice that CryptographyA, which was, by a large margin, the most important unit in HE, was very low on the list for employers (only #47). The same was true for CryptanalysisA, which went from 6th place to dead last. Employers appreciate some of the KUs from Data SecurityA, but, overall, the area is not nearly as important as it is in HE, where all the Data SecurityA KUs were in the top half of the list.
We can notice a very similar thing happening with Organizational SecurityG, only this time, it is the employers that hold the associated KUs in much higher regard. While at the very top of the list, the KUs from Organizational SecurityG were placed similarly for HE and employers (even though they were not the same KUs), they consistently ranked lower on the HE side of the table afterwards. This explains the disparity in Table 6, where Organizational SecurityG is placed as the 2nd most important KA for employers, but only 6th for HE. The most interesting KU from Organizational SecurityG is probably Business Continuity, Disaster Recovery, and Incident ManagementG, which is the most important KU from this KA for employers (#9); however, it is low on the HE list (only #33). Similarly, Personnel SecurityG was relatively important for employers (#16), but very close to the bottom for HE (#51).
Employers also highly valued competencies in Personal Data Privacy and SecurityF (#2) and PrivacyH (#14), which are listed much lower in HE (#42 and #41, respectively). We wonder if the evident importance of this knowledge among employers has been caused by the increased regulation (e.g., General Data Protection Regulation (GDPR)). With the exception of PrivacyH, the employers did not seem to have much interest in Societal SecurityH, whereas PrivacyH was the least covered KU from Societal SecurityH in HE.
Table 7 also shows a relatively small difference between the employers’ ratings. The difference between the highest-rated Identity ManagementF (AVG rating of 4.82) and the lowest-rated CryptanalysisA (AVG rating of 3.63) was less than 30%. The lowest-rated KU was still well above the mean value of 3 (i.e., “Neither important nor unimportant”). A potential explanation is that the importance of all skills is quite uniform across the labor market, but this is not a realistic assumption in our view, and we see the lack of differences as mainly due to participants’ reluctance to label any skill as less important. This view is also supported by the mode (i.e., the most frequently chosen rating), which was, for 83.6% of the KUs, the best possible rating of 5 (i.e., very important). For example, Cyber LawH, although not the primary domain of technical staff and relevant to only a relatively small number of cybersecurity profiles, was not rated lower than 3 (i.e., “Neither important nor unimportant”) by any of the respondents. While this is an interesting observation on its own, it raises the issue of confidence in the resulting differences in the importance of KUs. Luckily, here we are primarily looking at rankings, which should not be affected (since each respondent’s rating inflation should still be consistent), while the relative distance between KUs (i.e., the AVG rating) is very likely not proportional because of the inflated importance of the large majority of KUs. Ultimately, we can still confidently claim that one KU is more important for employers than another, but we cannot be overly sure by how much.
On the other hand, the problem of everything being important for employers cannot be seen in HE, where the KUs that are not considered important or are too niche were hardly covered, or not covered at all (as can be seen in the tail-end of Table 7). This brings us to what we think is the fundamental reason why it is normal for there to be significant differences between what HE is focused on (i.e., on the education of their students) and what competencies employers find important. Of course, educational institutions (HE or otherwise) should provide their students with knowledge that is relevant and in demand by the industry; however, it is not feasible for these institutions to teach their students everything they might potentially need to know one day, and they must therefore prioritize, while employers value everything, at least on some level. Additionally, by teaching cybersecurity competencies to their students (often alongside computer and/or information technology knowledge), HE institutions must start with the basics and build advanced cybersecurity knowledge on top of that over time. Meanwhile, employers are usually interested in the more advanced and/or applicable knowledge (while refusing to rate any competencies as unimportant). For this reason, we believe that KUs like CryptographyA, Network DefenseD, Network ArchitectureD, etc., which represent foundational knowledge that many other KUs rely on, receive significant attention in HE, while they are considerably less relevant to industry. It also appears that HE, at least on some level, prioritizes more technical skills and maybe places less emphasis on social areas (e.g., Human SecurityF).

6.3. Knowledge Units Between Different Employers

In addition to comparing the competencies focused on by HE institutions and employers, we were also interested in whether (and how) the results differed for employers based on the type of staff surveyed (management staff and ICT technical staff) and the employer’s size.
Some differences are evident when comparing managerial and ICT technical staff. The managerial staff puts more weight on skills in Organizational SecurityG, while the ICT technical staff has Data SecurityA at the top of the list. This difference seems to be, at least to some extent, linked to their job tasks—the managerial staff is more concerned and focused on organization and management, while the technical staff is more focused on technology and practical security. In both cases, Human SecurityF KUs were also very high on the list. In addition, managers ranked Societal SecurityH higher than ICT technical staff, who, in turn, ranked selected Connection SecurityD and Software SecurityB KUs higher.
A very similar distribution of competence importance is observed between smaller (40% of included organizations) and larger (60%) organizations. Organizations with 100 or fewer employees were considered small. Responses from smaller companies placed greater emphasis on technical skills, similar to those of ICT technical staff. Thus, skills in Data SecurityA, Software SecurityB, and selected units in Connection SecurityD were valued highly. Even though Organizational SecurityG was, overall, the second most important area for employers, smaller organizations did not value Organizational SecurityG nearly as much. To a lesser extent, the same was also true for KUs in Human SecurityF (which was the most important KA for employers overall). For companies with more than 100 employees, the trend reversed, resembling that of managers. Larger organizations valued the skills in Human SecurityF and Organizational SecurityG, while Data SecurityA, Software SecurityB, and Connection SecurityD ranked lower than average. It is worth noting that the similarities shown between staff and organization size are not the result of a poor distribution of respondents (i.e., the possibility that the survey would have included predominately managers from larger organizations and ICT technicians from smaller companies), as the distribution of both types of staff in the survey was the same for both sizes of organizations, as we have already shown in Table 4.

6.4. Final Composite Importance of Knowledge Units

Table 8 lists the most important KUs, combining the results from HE and employers. Because the importance of KUs in HE and among employers was measured in ways that cannot be aggregated or normalized in an impartial way, we chose to combine the KUs based on their ranks (column # in Table 7). This means the construction process does not account for whether there are large or small differences between KUs (it just considers their ranks), but it should still provide a broad overview of the most important KUs.
The final list in Table 8 includes the 20 KUs with the lowest combined rank. To avoid a longer table, we limited ourselves to the top 20, but all the rankings can be calculated from the data in Table 7.
Most of the KAs are represented in the final list. The exceptions are Component SecurityC and Societal SecurityH. System SecurityE is also represented poorly, with only one KU (i.e., System ControlE). The most significantly represented and high on the list are the KUs from Data SecurityA, which is understandable, because they include base knowledge for many other KAs/KUs. In our opinion, the KUs that are, most surprisingly, missing from the top 20, are CryptographyA, PrivacyH, Social EngineeringF, Systems AdministrationG, and System AccessE.
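The rank-based combination described in this section can be reproduced from the # columns of Table 7. The following is an added example, not the authors' code: it assumes "combined rank" means the sum of the HE and employer ranks and that equal sums share a position, it uses only the rank pairs quoted in the text of this article, and its function names are illustrative.

```python
# Added example: rank-sum combination of HE and employer KU ranks.
# Assumptions (not stated by the article): combined rank = HE rank + employer
# rank, ties share a position, and all function names are illustrative.

# (HE rank, employer rank) pairs quoted in the article text from Table 7.
# Only KUs for which the text states both ranks are listed here.
RANKS_FROM_TEXT = {
    "Cryptography": (1, 47),
    "Business Continuity, Disaster Recovery, and Incident Management": (33, 9),
    "Personal Data Privacy and Security": (42, 2),
    "Privacy": (41, 14),
    "Personnel Security": (51, 16),
}


def combine_ranks(ranks):
    """Order KUs by ascending rank sum; equal sums share a position."""
    rows = sorted(
        ((he + emp, ku, he, emp) for ku, (he, emp) in ranks.items()),
        key=lambda row: (row[0], row[1]),  # sum first, then name for stability
    )
    combined = []
    for index, (total, ku, he, emp) in enumerate(rows, start=1):
        if combined and combined[-1]["combined"] == total:
            position = combined[-1]["position"]  # tie: reuse previous position
        else:
            position = index
        combined.append(
            {"position": position, "ku": ku, "combined": total,
             "he": he, "employers": emp}
        )
    return combined


def alignment_gaps(ranks):
    """Return (KU, HE rank - employer rank), largest gap first.

    A positive gap means employers rank the KU higher than HE covers it;
    a negative gap means HE emphasises it more than employers do.
    """
    gaps = [(he - emp, ku) for ku, (he, emp) in ranks.items()]
    return [(ku, gap) for gap, ku in sorted(gaps, key=lambda g: (-g[0], g[1]))]


if __name__ == "__main__":
    # Positions are relative to this subset, not the positions in Table 8.
    for row in combine_ranks(RANKS_FROM_TEXT):
        print(f'{row["position"]:>2}  sum={row["combined"]:>3}  '
              f'HE #{row["he"]:<2} EMP #{row["employers"]:<2} {row["ku"]}')
    for ku, gap in alignment_gaps(RANKS_FROM_TEXT):
        print(f"{gap:+4d}  {ku}")
```

Because only ranks enter the sum, a KU ranked #1 by one side and #47 by the other scores close to one ranked mid-table by both, which is the loss of magnitude information this section acknowledges.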

6.5. Comparison with Related Research

In the related research section, we have noted research that has previously examined similar approaches to assessing the importance and relevance of cybersecurity competencies. Here, we compare two of those most similar to our research. Both are similar in the framework used to classify competencies and sectors they analyzed (i.e., HE and industry).
Dragoni et al. [15] analyzed cybersecurity-related M.Sc. study programs, by contacting program representatives, and used a very slightly modified CSEC2017 framework (that is still wholly comparable to the “stock” framework used in our research). Meanwhile, in our research, we analyzed course descriptions to identify the knowledge units covered by courses and, consequently, by education programs. This should be a better method because it removes the bias introduced by study program representatives rating their own programs. Dragoni et al.’s research also differentiated between mandatory and non-mandatory courses when discussing coverage of knowledge units, whereas we chose to treat both types of courses equally because, in our opinion, the main thing is the option for a student to obtain the knowledge. Unfortunately, Dragoni et al. did not state which study programs they analyzed, but their supplement sources list the universities from which they received feedback. Based on that data, their and our studies most likely included the same study program from Masaryk University and JAMK University of Applied Science, but the remaining programs analyzed should be unique to each of the studies.
In general, the results of Dragoni et al. [15] matched very well with the HE results presented in this paper. Dragoni et al. found Data SecurityA and Connection SecurityD to be the two most covered KAs. Our results agreed, but put Societal SecurityH between the two, whereas Dragoni et al.’s results did not consider Societal SecurityH important. We also agreed that System RetirementE and Component ProcurementC are two of the least-covered KUs in HE. Dragoni et al. also produced a list of the 10 most covered KUs according to their survey (also presented in Table 9). The KUs are listed here as they appear in their list (from the most covered to the 10th), with the spot they took in our HE research (from Table 7) in brackets: CryptographyA (also #1 in our study), Data Integrity and AuthenticationA (#4), Secure Communication ProtocolsA (#16), Access ControlA (#15), Network DefenseD (#2), System AccessE (#38), System ControlE (#3), Network ArchitectureD (#11), Data PrivacyA (#21), and Risk ManagementG (#9). The results were complementary, with significant overlap; however, there were some differences, with the most significant outlier being System AccessE, which was much less common in the study programs we analyzed.
Budde et al. [16] used a survey distributed among industry (comparable to our employer survey) and academia (comparable to our HE analysis) to evaluate the cybersecurity skills required to perform six different cybersecurity-related jobs. They collected responses from 60 participants (50 from academia and 10 from industry). The competence collection was done for six specific roles, from which the results were extracted. This is different from our research, where we focused on the most important cybersecurity competencies for organizations rather than collecting data for specific roles, which could make the data less generalizable. Additionally, specifically for the industry/employers’ side of the research, this paper uses a larger sample size, providing additional assurance.
Budde et al. [16] identified seven KUs they named “transversal”, which were relevant to most job profiles included in their analysis. They were Network DefenseD (#3 in our Table 8), Fundamental PrinciplesB (#19), Secure Communication ProtocolsA (#4), Business Continuity, Disaster Recovery, and Incident ManagementG (#17), Network ArchitectureD (#20), System ControlE (#2), and System AccessE (#34).
Budde et al. [16] also compiled a list of the top 10 most important cybersecurity skills according to the feedback they received. In their list, they combined the responses from academia and industry, similarly to what we have done in Table 8, where we combined the results from HE and employers. The top 10 skills, according to Budde et al., are presented in Table 9, together with the results from Dragoni et al. and this research (from Table 8). Note that Dragoni et al.’s list is based on data from HE only, while Budde et al. and this research combine the results from HE and industry. When looking at Table 9 overall, there are a lot of KUs from Data SecurityA. There are five KUs that are present in all three top 10 lists. They are Data Integrity and AuthenticationA, Secure Communication ProtocolsA, Access ControlA, Network DefenseD, and Risk ManagementG. One KU from System SecurityE is in each of the three top 10 lists, but it is a different one each time. Software SecurityB and Human SecurityF each contain only one KU across all three lists, while Societal SecurityH and Component SecurityC have none.
When comparing the results from Budde et al. [16] and the results from this paper (in Table 9), the overlap of skills is significant (six out of the ten KUs are in both lists); however, there are some exceptions. They are Business Continuity, Disaster Recovery, and Incident ManagementG (which was #17 in our overall list of KU importance), Fundamental PrinciplesB (#19), Network ArchitectureD (#20), and Common System ArchitecturesE (#45). Most of them are still within our top 20, although the KU from System SecurityE was not considered important in our research at all.
Budde et al. [16] also compared their results from academia and industry. Table 10 lists the KAs by importance, based on our and Budde et al.’s research results. The results show that the two studies’ results matched well, but some meaningful differences exist. The biggest difference between HE and academia is Societal SecurityH, which sits on almost completely opposite sides of the lists: it was ranked as the second most important in our research and the second least important by Budde et al. The second major difference is System SecurityE, which is much less relevant according to this research than theirs. Data SecurityA has been the most focused KA in academia/HE across all three studies we have compared (Dragoni et al. [15], Budde et al. [16], and our research). In the result comparison for employers/industry, the lower part of the lists matches very well; however, there are significant differences in the results for Human SecurityF, which was the most important in this research but considerably lower (#4) on theirs, and vice versa for Societal SecurityH. The only consistent data point across all studies (including Dragoni et al.) was Component SecurityC, which was considered the least important in all of them.
Finally, Budde et al. [16] also created the top 10 most relevant skills for academia and industry. Their results from academia matched very well with their top 10 overall most required skills (only one KU was missing from the academia list that was on the overall top 10 list, and many of them were in the same order of importance). Considering these results and the difference between the number of respondents from academia and industry, Budde et al.’s top 10 most important skills (listed in Table 9) appear to be skewed heavily towards academic results. Meanwhile, the industry results included only four KUs in the top 10 overall. They included Fundamental PrinciplesB, which was the only different KU between the academia’s top 10 and overall top 10. The second most important KU, according to the industry, was DocumentationB. Here, it is important to remember that both these KUs are a part of Software SecurityB KA (i.e., they relate to fundamental principles in designing and implementing software and software documentation), which would be required knowledge mainly by developers (which was not a profile that was included in Budde et al.’s research). We suspect that the survey participants might have been misguided by these very broadly named KUs, misunderstood their purpose, and, ultimately, applied them to profiles that did not necessarily need them. This would have skewed the results, and it explains the very high placement of Software SecurityB among other KAs. While Software SecurityB is important, the majority of the industries that need cybersecurity are not developing their own solutions; therefore, it does not make sense for Software SecurityB to be at the top of the list for the general importance of cybersecurity skills. It should be noted that a similar problem caused by the general naming of KUs (e.g., DocumentationB) could also have skewed the results of this research. 
However, we had foreseen this problem and tried to reduce this risk as much as possible by describing each of the KUs in our survey. It is hard to be sure that it was enough to eliminate the problem entirely, but, at the very least, the effect does not appear to have been as significant as it appeared in Budde et al., as the highest-ranked KU from Software SecurityB was EthicsB in 21st place (for employers). The results from HE should not be affected, as they were marked by paper authors who understood the KUs’ context.

7. Conclusions

In this study, we have investigated which cybersecurity skills receive the most attention in higher education and which competencies are most important to employers of cybersecurity professionals. Using the Cybersecurity Curricular Framework (CSEC2017), we classified the content of 12 higher education cybersecurity study programs in the EU to determine which knowledge receives the most attention in education. At the same time, we also evaluated which cybersecurity competencies are the most important to employers. To measure it, we asked Slovenian employers to rate knowledge units according to their importance to their organization and its mission.
The collected results were used to answer three research questions.
RQ1: Which cybersecurity competencies are considered the most important by higher education institutions (based on the content of their study programs)?
The results from the higher education programs show that most effort is spent on core knowledge and competencies, with a large emphasis on data security, followed by societal security and connection security, as presented in Table 6 and Table 7.
RQ2: Which cybersecurity competencies are considered the most important by employers (based on their reporting)?
Overall, we found the most relevant skills for employers to be those in the area of human and organizational security, as presented in Table 6 and Table 7. However, we also noticed large differences depending on the type of staff who completed the employer survey and the organization’s size. Participants in technical staff considered data security comparatively more important, while managerial staff gave greater weight to competencies in organizational security. Similar results were observed between smaller and larger organizations. Smaller organizations placed greater importance on technical skills (e.g., data security, software security, and network security), whereas larger organizations valued skills in human and organizational security more highly.
RQ3: To what extent are the cybersecurity competencies taught in higher education aligned with those prioritized by employers?
The results show that higher education and employers prioritize different competencies, which is at least partly understandable and likely necessary. This stems from the fact that educational institutions have to build students’ knowledge from more basic concepts to more specific and advanced knowledge, while employers tend not to care as much about the building blocks on which advanced knowledge is based.
The results of the research were also compared with previous similar studies, in which we observed a level of harmony, with some specific differences, and we identified potential problems in previous research that could have skewed the results.
Given the cybersecurity workforce gap, the race to produce more competent cybersecurity professionals is underway. Consequently, more cybersecurity study programs and education in other forms (e.g., workshops, micro-credentials, certifications, etc.) are being developed. The results of this study can be useful for designing new cybersecurity programs and updating existing ones, as well as for other types of training. Based on the results, study programs can be designed or updated to better reflect what typical modern cybersecurity programs cover in their curricula (by mimicking the average HE structure of covered KUs), focus on underdeveloped competencies (finding the most important KUs for employers, that are also very badly covered by the HEs, e.g., personal data privacy and security), or be better aligned with industry needs (by increasing the inclusion of human and organizational security in the curricula).

Author Contributions

Conceptualization, all authors; methodology, M.K.; validation, L.N.Z., M.T. and M.H.; investigation, all authors; resources, M.T. and M.H.; data curation, M.K.; writing—original draft preparation, M.K.; writing—review and editing, L.N.Z.; visualization, M.K. and L.N.Z.; supervision, M.H.; project administration, M.T.; funding acquisition, M.T. and M.H. All authors have read and agreed to the published version of the manuscript.

Funding

This research was funded by the Research Core funding (Grant Agreement No. P2-0057) and the Slovenian Research and Innovation Agency under the RUKIV—Development of cyber security training programs project (Grant Agreement No. V2-2132). The paper was prepared under the Project Development of Flexible Learning Approaches with Micro-Credentials for the Digital and Green Transition of Education to Society 5.0 (Grant Agreement No. C3330-22-953012). The project is co-financed by the Republic of Slovenia, Ministry of Higher Education, Science and Innovation, and the European Union—NextGenerationEU. The project is implemented in accordance with the Smart, Sustainable and Inclusive Growth development area, Strengthening of Competencies component, especially digital competencies and those required by new professions and the green transition (C3 K5), for the investment measure Investment F. Implementation of pilot projects, the results of which will serve as a basis for the preparation of grounds for the reform of higher education for a green and resilient transition to Society 5.0: the project Pilot projects for the Reform of Higher Education for a Green and Resilient Transition.

Informed Consent Statement

Informed consent was obtained from all subjects involved in the study.

Data Availability Statement

Data on the Employer survey are available at https://doi.org/10.5281/zenodo.18798538.

Conflicts of Interest

The authors declare no conflicts of interest.

Abbreviations

The following abbreviations are used in this manuscript:
ACM: Association for Computing Machinery
AIS SIGSEC: Association for Information Systems—Special Interest Group on Information Security
AI: Artificial Intelligence
CAP: Certified Authorization Professional
CTF: Capture the Flag (cybersecurity competitions)
CISA: Certified Information Systems Auditor
CISM: Certified Information Security Manager
CISSP: Certified Information Systems Security Professional
CIISec: Chartered Institute of Information Security
CSEC2017: Cybersecurity Education Curriculum 2017 (ACM/IEEE/AIS guidelines)
CSSLP: Certified Secure Software Lifecycle Professional
ECSF: European Cybersecurity Skills Framework
ECTS: European Credit Transfer and Accumulation System
ENISA: European Union Agency for Cybersecurity
EU: European Union
HE: Higher Education
IEEE: Institute of Electrical and Electronics Engineers
KA: Knowledge Areas
KU: Knowledge Units
M.Sc.: Master of Science
ML: Machine Learning
NICE: National Initiative for Cybersecurity Education
NIS2: Directive on Measures for a High Common Level of Cybersecurity Across the Union (EU NIS2 Directive)
NIST: National Institute of Standards and Technology
SSCP: Systems Security Certified Practitioner

References

  1. ISC2 Cybersecurity Workforce Study 2024. 2024. Available online: https://www.isc2.org/Insights/2024/10/ISC2-2024-Cybersecurity-Workforce-Study (accessed on 4 December 2025).
  2. Misheva, G. Mind the Cyber Gap: A Deep Dive Into Cybersecurity, Digital Skills and Jobs Platform. 2023. Available online: https://digital-skills-jobs.europa.eu/en/latest/briefs/mind-cyber-gap-deep-dive-cybersecurity (accessed on 6 December 2025).
  3. Addressing the EU Cybersecurity Skills Shortage and Gap Through Higher Education. 2021. Available online: https://www.enisa.europa.eu/publications/addressing-skills-shortage-and-gap-through-higher-education (accessed on 6 December 2025).
  4. Gartner. Gartner Predicts Nearly Half of Cybersecurity Leaders Will Change Jobs by 2025. Stamford. 2023. Available online: https://www.gartner.com/en/newsroom/press-releases/2023-02-22-gartner-predicts-nearly-half-of-cybersecurity-leaders-will-change-jobs-by-2025 (accessed on 4 December 2025).
  5. Wanshi, Z. Over 600 Universities Introduce Cybersecurity-Related Majors. Global Times, 12 September 2024. Available online: https://www.globaltimes.cn/page/202409/1319733.shtml (accessed on 4 December 2024).
  6. European Commission. Commission to Invest over €210 Million in Cybersecurity, Digital Capacities and Technology Under the Digital Europe Programme. 2024. Available online: https://digital-strategy.ec.europa.eu/en/news/commission-invest-over-eu210-million-cybersecurity-digital-capacities-and-technology-under-digital (accessed on 4 December 2025).
  7. Rowles, E. When Bad News Is Good News: Cyber Breaches Drive Demand for Cybersecurity Programs. Gray DI, 14 September 2023. Available online: https://www.graydi.us/blog/graydata/when-bad-news-is-good-news-cyber-breaches-drive-demand-for-cybersecurity-programs (accessed on 4 December 2025).
  8. CYBERHEAD-Cybersecurity Higher Education Database; ENISA: Athens, Greece, 2018; Available online: https://tools.enisa.europa.eu/topics/education/cyberhead#/ (accessed on 7 July 2025).
  9. Digital Economy and Society Index 2022. 2022. Available online: https://digital-strategy.ec.europa.eu/en/library/digital-economy-and-society-index-desi-2022 (accessed on 6 December 2025).
  10. Digital Decade 2024. 2024. Available online: https://digital-strategy.ec.europa.eu/en/library/digital-decade-2024-country-reports (accessed on 10 December 2025).
  11. ICT Security in Enterprises. 2024. Available online: https://ec.europa.eu/eurostat/statistics-explained/index.php?title=ICT_security_in_enterprises (accessed on 10 December 2025).
  12. Digitalisation in Europe. 2024. Available online: https://ec.europa.eu/eurostat/web/interactive-publications/digitalisation-2024 (accessed on 10 December 2025).
  13. Cabaj, K.; Domingos, D.; Kotulski, Z.; Respício, A. Cybersecurity education: Evolution of the discipline and analysis of master programs. Comput. Secur. 2018, 75, 24–35.
  14. Vykopal, J.; Švábenský, V.; Lopez, M.T.; Čeleda, P. Cybersecurity Study Programs: What’s in a Name? In SIGCSE TS 2025—Proceedings of the 56th ACM Technical Symposium on Computer Science Education 1; Association for Computing Machinery: New York, NY, USA, 2025; pp. 1169–1175.
  15. Dragoni, N.; Lafuente, A.L.; Massacci, F.; Schlichtkrull, A. Are we preparing students to build security in? A survey of european cybersecurity in higher education programs. IEEE Secur. Priv. 2021, 19, 81–88.
  16. Budde, C.E.; Karinsalo, A.; Vidor, S.; Salonen, J.; Massacci, F. Consolidating cybersecurity in Europe: A case study on job profiles assessment. Comput. Secur. 2023, 127, 103082.
  17. Jones, K.S.; Namin, A.S.; Armstrong, M.E. The core cyber-defense knowledge, skills, and abilities that cybersecurity students should learn in school: Results from interviews with cybersecurity professionals. ACM Trans. Comput. Educ. 2018, 18, 11.
  18. Armstrong, M.E.; Jones, K.S.; Namin, A.S.; Newton, D.C. Knowledge, Skills, and Abilities for Specialized Curricula in Cyber Defense. ACM Trans. Comput. Educ. (TOCE) 2020, 20, 29.
  19. Švábenský, V.; Čeleda, P.; Vykopal, J.; Brišáková, S. Cybersecurity knowledge and skills taught in capture the flag challenges. Comput. Secur. 2021, 102, 102154.
  20. Haqaf, H.; Koyuncu, M. Understanding key skills for information security managers. Int. J. Inf. Manag. 2018, 43, 165–172.
  21. Hajny, J.; Ricci, S.; Piesarskas, E.; Levillain, O.; Galletta, L.; De Nicola, R. Framework, Tools and Good Practices for Cybersecurity Curricula. IEEE Access 2021, 9, 94723–94747.
  22. Brooks, N.G.; Greer, T.H.; Morris, S.A. Information systems security job advertisement analysis: Skills review and implications for information systems curriculum. J. Educ. Bus. 2018, 93, 213–221.
  23. Bukauskas, L.; Brilingaitė, A.; Juozapavičius, A.; Lepaitė, D.; Ikamas, K.; Andrijauskaitė, R. Remapping cybersecurity competences in a small nation state. Heliyon 2023, 9, e12808.
  24. Ball, J.; Lyons, M.; Evans, K. Bridging the Cybersecurity Skills Gap: Aligning Educational Programs with Industry Needs. J. Colloq. Inf. Syst. Secur. Educ. 2025, 12, 9.
  25. Petersen, R.; Santos, D.; Smith, M.C.; Wetzel, K.A.; Witte, G. Workforce Framework for Cybersecurity (NICE Framework); NIST Special Publication 800-181; Revision 1; NICE Framework Resource Center: Gaithersburg, MD, USA, 2020.
  26. Nai-Fovino, I.; Neisse, R.; Lazari, A.; Ruzzante, G.; Polemi, N.; Figwer, M. European Cybersecurity Centres of Expertise Map—Definitions and Taxonomy; Publications Office of the European Union: Luxembourg, 2018; Available online: https://publications.jrc.ec.europa.eu/repository/handle/JRC111441 (accessed on 14 December 2025).
  27. European Cybersecurity Skills Framework Role Profiles. 2022. Available online: https://www.enisa.europa.eu/publications/european-cybersecurity-skills-framework-role-profiles (accessed on 6 December 2025).
  28. Cyber Security Body of Knowledge (CyBOK). 2019. Available online: https://www.cybok.org/ (accessed on 14 December 2025).
  29. CIISec Skills Framework, Chartered Institute of Information Security. 2024. Available online: https://www.ciisec.org/frameworks/skills-framework/ (accessed on 6 February 2026).
  30. ASD Cyber Skills Framework, Cyber.Gov.Au. 2020. Available online: https://www.asd.gov.au/careers/how-apply/cyber-skills-framework (accessed on 6 February 2026).
  31. The Joint Task Force on Cybersecurity Education. Cybersecurity Curricular Guidelines, Curriculum Guidelines for Post-Secondary Degree Programs in Cybersecurity. 2017. Available online: https://cybered.hosting.acm.org/wp/ (accessed on 7 December 2025).
  32. Survey Response Rates: Rapid Literature Review. 2019. Available online: https://militaryfamilies.psu.edu/wp-content/uploads/clearinghouse_survey_response_rates-2.pdf (accessed on 6 February 2026).
Figure 1. Current and future numbers of employed cybersecurity professionals.
Figure 2. Employer difficulties in recruiting new cybersecurity professionals.
Figure 3. Data collection and preparation diagram.
Table 1. Cybersecurity skill frameworks used in related research.

| Framework | Papers |
|---|---|
| The Cybersecurity Curriculum 2017 (CSEC2017) | [13,15,16,19] |
| The National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework | [17,18,21,23] |
| European Cybersecurity Skills Framework (ECSF) | [23] |
| Research specific | [20] |

Table 2. Cybersecurity knowledge areas and their knowledge units, as defined by CSEC2017 [31].

| Knowledge Area (KA) | Knowledge Unit (KU) |
|---|---|
| Data Security<sup>A</sup> | Cryptography<sup>A</sup>, Digital Forensics<sup>A</sup>, Data Integrity and Authentication<sup>A</sup>, Access Control<sup>A</sup>, Secure Communication Protocols<sup>A</sup>, Cryptanalysis<sup>A</sup>, Data Privacy<sup>A</sup>, Information Storage Security<sup>A</sup> |
| Software Security<sup>B</sup> | Fundamental Principles<sup>B</sup>, Design<sup>B</sup>, Implementation<sup>B</sup>, Analysis and Testing<sup>B</sup>, Deployment and Maintenance<sup>B</sup>, Documentation<sup>B</sup>, Ethics<sup>B</sup> |
| Component Security<sup>C</sup> | Component Design<sup>C</sup>, Component Procurement<sup>C</sup>, Component Testing<sup>C</sup>, Component Reverse Engineering<sup>C</sup> |
| Connection Security<sup>D</sup> | Physical Media<sup>D</sup>, Physical Interfaces and Connectors<sup>D</sup>, Hardware Architecture<sup>D</sup>, Distributed Systems Architecture<sup>D</sup>, Network Architecture<sup>D</sup>, Network Implementations<sup>D</sup>, Network Services<sup>D</sup>, Network Defense<sup>D</sup> |
| System Security<sup>E</sup> | System Thinking<sup>E</sup>, System Management<sup>E</sup>, System Access<sup>E</sup>, System Control<sup>E</sup>, System Retirement<sup>E</sup>, System Testing<sup>E</sup>, Common System Architectures<sup>E</sup> |
| Human Security<sup>F</sup> | Identity Management<sup>F</sup>, Social Engineering<sup>F</sup>, Personal Compliance with Cybersecurity Rules/Policy/Ethical Norms<sup>F</sup>, Awareness and Understanding<sup>F</sup>, Social and Behavioral Privacy<sup>F</sup>, Personal Data Privacy and Security<sup>F</sup>, Usable Security and Privacy<sup>F</sup> |
| Organizational Security<sup>G</sup> | Risk Management<sup>G</sup>, Security Governance & Policy<sup>G</sup>, Analytical Tools<sup>G</sup>, Systems Administration<sup>G</sup>, Cybersecurity Planning<sup>G</sup>, Business Continuity, Disaster Recovery, and Incident Management<sup>G</sup>, Security Program Management<sup>G</sup>, Personnel Security<sup>G</sup>, Security Operations<sup>G</sup> |
| Societal Security<sup>H</sup> | Cybercrime<sup>H</sup>, Cyber Law<sup>H</sup>, Cyber Ethics<sup>H</sup>, Cyber Policy<sup>H</sup>, Privacy<sup>H</sup> |

Table 3. List of study programs whose courses have been classified according to their content.

| University | Program | Degree | Credits |
|---|---|---|---|
| Laurea University of Applied Sciences (Finland) | Business Information Technology, Cyber Security | Bachelor’s Degree | 210 (45) ECTS |
| Lucerne University of Applied Sciences and Arts (Switzerland) | Information & Cyber Security | Bachelor’s Degree | 180 (78) ECTS |
| Masaryk University (Czech Republic) | Cybersecurity | Bachelor’s Degree | 180 (54) ECTS |
| ETH Zurich (Switzerland) | Cyber Security | Master’s Degree | 120 (89) ECTS |
| BA School of Business and Finance (Latvia) | Cybersecurity Management | Master’s Degree | 120 (57) ECTS |
| University College London (UK) | Information Security | Master’s Degree | Equivalent to 90 (90) ECTS |
| TU Darmstadt (Germany) | IT security | Master’s Degree | 120 (196) ECTS |
| JAMK University of Applied Science (Finland) | Cyber Security | Master’s Degree | 60 (20) ECTS |
| University of Aveiro (Portugal) | Master in Cybersecurity (https://www.ua.pt/en/curso/462, accessed on 4 December 2025) | Master’s Degree | 120 (84) ECTS |
| International Hellenic University (Greece) | Cybersecurity | Master’s Degree | 60 (54) ECTS |
| University of Applied Sciences Vienna (Austria) | IT security | Master’s Degree | 120 (89) ECTS |
| FH JOANNEUM University of Applied Sciences (Austria) | IT & Mobile Security | Master’s Degree | 120 (40) ECTS |

Table 4. Types of personnel participating in the survey and organization sizes.

| | Number of Employees: ≤100 | Number of Employees: >100 | Total |
|---|---|---|---|
| Management staff | 8 | 12 | 20 |
| ICT technical staff | 8 | 12 | 20 |
| Other | 2 | 3 | 5 |

Table 5. Number of employees and cybersecurity professionals.

| | Number of Employees in the Organization | Number of Cybersecurity Professionals Employed | Plan for Employing New Cybersecurity Professionals in the Next 5 Years |
|---|---|---|---|
| N | 45 | 41 | 40 |
| Mean | 1686.67 | 5.07 | 4.97 |
| Std. Deviation | 3097.28 | 11.71 | 11.21 |
| Min/Max | 1/9000 | 0/50 | 0/50 |

Table 6. Results for knowledge areas for higher education and employers.

| # | SUM Points | Higher Education (HE) | Employer | AVG Rating |
|---|---|---|---|---|
| 1 | 31.00 | Data Security<sup>A</sup> | Human Security<sup>F</sup> | 4.654 |
| 2 | 18.37 | Societal Security<sup>H</sup> | Organizational Security<sup>G</sup> | 4.514 |
| 3 | 18.02 | Connection Security<sup>D</sup> | Software Security<sup>B</sup> | 4.439 |
| 4 | 15.63 | Software Security<sup>B</sup> | Data Security<sup>A</sup> | 4.411 |
| 5 | 13.89 | System Security<sup>E</sup> | Societal Security<sup>H</sup> | 4.372 |
| 6 | 12.86 | Organizational Security<sup>G</sup> | Connection Security<sup>D</sup> | 4.328 |
| 7 | 10.35 | Human Security<sup>F</sup> | System Security<sup>E</sup> | 4.326 |
| 8 | 4.31 | Component Security<sup>C</sup> | Component Security<sup>C</sup> | 4.273 |

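Table 7. Results for knowledge units for higher education and employers.

| # | SUM Points | Higher Education (HE) | Employer | AVG Rating |
|---|---|---|---|---|
| 1 | 81.72 | Cryptography<sup>A</sup> | Identity Management<sup>F</sup> | 4.82 |
| 2 | 46.17 | Network Defense<sup>D</sup> | Personal Data Privacy and Security<sup>F</sup> | 4.82 |
| 3 | 44.58 | System Control<sup>E</sup> | Information Storage Security<sup>A</sup> | 4.80 |
| 4 | 43.01 | Data Integrity and Authentication<sup>A</sup> | Secure Communication Protocols<sup>A</sup> | 4.73 |
| 5 | 34.85 | Analysis and Testing<sup>B</sup> | Data Privacy<sup>A</sup> | 4.73 |
| 6 | 34.58 | Cryptanalysis<sup>A</sup> | Awareness and Understanding<sup>F</sup> | 4.71 |
| 7 | 33.02 | Design<sup>B</sup> | Data Integrity and Authentication<sup>A</sup> | 4.68 |
| 8 | 24.91 | Cyber Law<sup>H</sup> | Access Control<sup>A</sup> | 4.68 |
| 9 | 23.37 | Risk Management<sup>G</sup> | Business Continuity, Disaster Recovery, and Incident Management<sup>G</sup> | 4.67 |
| 10 | 22.90 | Cybercrime<sup>H</sup> | Usable Security and Privacy<sup>F</sup> | 4.66 |
| 11 | 22.46 | Network Architecture<sup>D</sup> | Network Services<sup>D</sup> | 4.65 |
| 12 | 21.41 | Security Governance & Policy<sup>G</sup> | Personal Compliance with Cybersecurity Rules/Policy/Ethical Norms<sup>F</sup> | 4.64 |
| 13 | 21.37 | Cyber Policy<sup>H</sup> | Security Governance & Policy<sup>G</sup> | 4.64 |
| 14 | 19.19 | System Thinking<sup>E</sup> | Privacy<sup>H</sup> | 4.64 |
| 15 | 19.14 | Access Control<sup>A</sup> | System Control<sup>E</sup> | 4.61 |
| 16 | 18.95 | Secure Communication Protocols<sup>A</sup> | Personnel Security<sup>G</sup> | 4.60 |
| 17 | 18.80 | Fundamental Principles<sup>B</sup> | Network Defense<sup>D</sup> | 4.59 |
| 18 | 18.78 | Digital Forensics<sup>A</sup> | System Management<sup>E</sup> | 4.59 |
| 19 | 18.46 | Network Services<sup>D</sup> | Risk Management<sup>G</sup> | 4.58 |
| 20 | 17.53 | Cybersecurity Planning<sup>G</sup> | Systems Administration<sup>G</sup> | 4.58 |
| 21 | 16.21 | Data Privacy<sup>A</sup> | Ethics<sup>B</sup> | 4.55 |
| 22 | 16.13 | Awareness and Understanding<sup>F</sup> | Cybersecurity Planning<sup>G</sup> | 4.55 |
| 23 | 15.59 | Information Storage Security<sup>A</sup> | Social Engineering<sup>F</sup> | 4.54 |
| 24 | 15.13 | Hardware Architecture<sup>D</sup> | System Access<sup>E</sup> | 4.52 |
| 25 | 14.90 | Cyber Ethics<sup>H</sup> | Fundamental Principles<sup>B</sup> | 4.50 |
| 26 | 14.34 | Common System Architectures<sup>E</sup> | Cyber Ethics<sup>H</sup> | 4.50 |
| 27 | 14.13 | Distributed Systems Architecture<sup>D</sup> | Design<sup>B</sup> | 4.45 |
| 28 | 13.96 | Analytical Tools<sup>G</sup> | Analysis and Testing<sup>B</sup> | 4.45 |
| 29 | 13.83 | Implementation<sup>B</sup> | Implementation<sup>B</sup> | 4.44 |
| 30 | 12.42 | Usable Security and Privacy<sup>F</sup> | Network Implementations<sup>D</sup> | 4.44 |
| 31 | 12.34 | Identity Management<sup>F</sup> | System Testing<sup>E</sup> | 4.42 |
| 32 | 12.21 | Network Implementations<sup>D</sup> | Component Testing<sup>C</sup> | 4.40 |
| 33 | 11.84 | Business Continuity, Disaster Recovery, and Incident Management<sup>G</sup> | Network Architecture<sup>D</sup> | 4.40 |
| 34 | 10.51 | Social Engineering<sup>F</sup> | Documentation<sup>B</sup> | 4.39 |
| 35 | 10.12 | Physical Interfaces and Connectors<sup>D</sup> | Social and Behavioral Privacy<sup>F</sup> | 4.39 |
| 36 | 9.07 | Personal Data Privacy and Security<sup>F</sup> | Security Program Management<sup>G</sup> | 4.36 |
| 37 | 8.93 | Security Program Management<sup>G</sup> | Component Design<sup>C</sup> | 4.35 |
| 38 | 8.81 | System Access<sup>E</sup> | System Thinking<sup>E</sup> | 4.35 |
| 39 | 8.06 | Component Design<sup>C</sup> | Security Operations<sup>G</sup> | 4.35 |
| 40 | 7.93 | Systems Administration<sup>G</sup> | Cybercrime<sup>H</sup> | 4.35 |
| 41 | 7.77 | Privacy<sup>H</sup> | Analytical Tools<sup>G</sup> | 4.30 |
| 42 | 7.76 | Personal Compliance with Cybersecurity Rules/Policy/Ethical Norms<sup>F</sup> | Deployment and Maintenance<sup>B</sup> | 4.29 |
| 43 | 7.71 | Security Operations<sup>G</sup> | Component Procurement<sup>C</sup> | 4.28 |
| 44 | 7.08 | System Management<sup>E</sup> | Distributed Systems Architecture<sup>D</sup> | 4.27 |
| 45 | 5.46 | Physical Media<sup>D</sup> | Cyber Policy<sup>H</sup> | 4.23 |
| 46 | 5.17 | Component Testing<sup>C</sup> | Hardware Architecture<sup>D</sup> | 4.17 |
| 47 | 4.25 | Social and Behavioral Privacy<sup>F</sup> | Cryptography<sup>A</sup> | 4.14 |
| 48 | 4.21 | Deployment and Maintenance<sup>B</sup> | Cyber Law<sup>H</sup> | 4.14 |
| 49 | 4.00 | Component Reverse Engineering<sup>C</sup> | Component Reverse Engineering<sup>C</sup> | 4.06 |
| 50 | 3.21 | System Testing<sup>E</sup> | Physical Media<sup>D</sup> | 4.05 |
| 51 | 3.04 | Personnel Security<sup>G</sup> | Physical Interfaces and Connectors<sup>D</sup> | 4.05 |
| 52 | 2.35 | Ethics<sup>B</sup> | Common System Architectures<sup>E</sup> | 3.98 |
| 53 | 2.33 | Documentation<sup>B</sup> | Digital Forensics<sup>A</sup> | 3.90 |
| 54 | 0.00 | Component Procurement<sup>C</sup> | System Retirement<sup>E</sup> | 3.81 |
| 55 | 0.00 | System Retirement<sup>E</sup> | Cryptanalysis<sup>A</sup> | 3.63 |
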
Table 8. Top 20 most important Knowledge Units based on the results from higher education and employers.

| # | Knowledge Unit (KU) |
|---|---|
| 1 | Data Integrity and Authentication<sup>A</sup> |
| 2 | System Control<sup>E</sup> |
| 3 | Network Defense<sup>D</sup> |
| 4 | Secure Communication Protocols<sup>A</sup> |
| 5 | Access Control<sup>A</sup> |
| 6 | Security Governance & Policy<sup>G</sup> |
| 7 | Information Storage Security<sup>A</sup> |
| 8 | Data Privacy<sup>A</sup> |
| 9 | Awareness and Understanding<sup>F</sup> |
| 10 | Risk Management<sup>G</sup> |
| 11 | Network Services<sup>D</sup> |
| 12 | Identity Management<sup>F</sup> |
| 13 | Analysis and Testing<sup>B</sup> |
| 14 | Design<sup>B</sup> |
| 15 | Personal Data Privacy and Security<sup>F</sup> |
| 16 | Usable Security and Privacy<sup>F</sup> |
| 17 | Business Continuity, Disaster Recovery, and Incident Management<sup>G</sup> |
| 18 | Cybersecurity Planning<sup>G</sup> |
| 19 | Fundamental Principles<sup>B</sup> |
| 20 | Network Architecture<sup>D</sup> |

Table 9. Top ten Knowledge Units in Dragoni et al., Budde et al. and this research.

| # | Dragoni et al. [15] | Budde et al. [16] | This Research (Table 8) |
|---|---|---|---|
| 1 | Cryptography<sup>A</sup> | Network Defense<sup>D</sup> | Data Integrity and Authentication<sup>A</sup> |
| 2 | Data Integrity and Authentication<sup>A</sup> | Access Control<sup>A</sup> | System Control<sup>E</sup> |
| 3 | Secure Communication Protocols<sup>A</sup> | Fundamental Principles<sup>B</sup> | Network Defense<sup>D</sup> |
| 4 | Access Control<sup>A</sup> | Secure Communication Protocols<sup>A</sup> | Secure Communication Protocols<sup>A</sup> |
| 5 | Network Defense<sup>D</sup> | Network Architecture<sup>D</sup> | Access Control<sup>A</sup> |
| 6 | System Access<sup>E</sup> | Risk Management<sup>G</sup> | Security Governance & Policy<sup>G</sup> |
| 7 | Access Control<sup>A</sup> | Business Continuity, Disaster Recovery, and Incident Management<sup>G</sup> | Information Storage Security<sup>A</sup> |
| 8 | Network Architecture<sup>D</sup> | Information Storage Security<sup>A</sup> | Data Privacy<sup>A</sup> |
| 9 | Data Privacy<sup>A</sup> | Data Integrity and Authentication<sup>A</sup> | Awareness and Understanding<sup>F</sup> |
| 10 | Risk Management<sup>G</sup> | Common System Architectures<sup>E</sup> | Risk Management<sup>G</sup> |

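Table 10. Knowledge Area (KA) comparison between our results and Budde et al. results.

| # | Higher Education (HE) | Budde et al. Academia [16] | Employer | Budde et al. Industry [16] |
|---|---|---|---|---|
| 1 | Data Security<sup>A</sup> | Data Security<sup>A</sup> | Human Security<sup>F</sup> | Societal Security<sup>H</sup> |
| 2 | Societal Security<sup>H</sup> | System Security<sup>E</sup> | Organizational Security<sup>G</sup> | Software Security<sup>B</sup> |
| 3 | Connection Security<sup>D</sup> | Connection Security<sup>D</sup> | Software Security<sup>B</sup> | Data Security<sup>A</sup> |
| 4 | Software Security<sup>B</sup> | Organizational Security<sup>G</sup> | Data Security<sup>A</sup> | Organizational Security<sup>G</sup> |
| 5 | System Security<sup>E</sup> | Software Security<sup>B</sup> | Societal Security<sup>H</sup> | Human Security<sup>F</sup> |
| 6 | Organizational Security<sup>G</sup> | Human Security<sup>F</sup> | Connection Security<sup>D</sup> | Connection Security<sup>D</sup> |
| 7 | Human Security<sup>F</sup> | Societal Security<sup>H</sup> | System Security<sup>E</sup> | System Security<sup>E</sup> |
| 8 | Component Security<sup>C</sup> | Component Security<sup>C</sup> | Component Security<sup>C</sup> | Component Security<sup>C</sup> |
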
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.

Kompara, M.; Nemec Zlatolas, L.; Turkanović, M.; Hölbl, M. Importance of Cybersecurity Competencies in Higher Education and for Employers. Appl. Sci. 2026, 16, 3260. https://doi.org/10.3390/app16073260
