EDPACS
The EDP Audit, Control, and Security Newsletter
Volume 59, 2019 - Issue 2

ABSTRACT

Presently, 71% of annual losses are due to failures in the physical and human attack domains, while electronic breaches account for roughly 29%. While the lowest percentage of losses (29%) falls into the area of the classic technology-based attacks, unfortunately these are often the only kind of attacks factored into an organization’s cybersecurity planning. Surprisingly, in most organizations, human or physical types of threats are simply not part of traditional cyberdefense thinking. Most active cyberdefense solutions do not consider embodying integrated and well-defined behavioral controls into the cybersecurity process. As a result, well-executed attacks against the non-electronic attack surface are almost certain to succeed. We argue that the profession must find ways to ensure that the real-world practice of cybersecurity involves the creation and adoption of a complete, correct, and highly effective set of well-defined and commonly accepted controls; ones that are capable of closing off every feasible type of adversarial action. To be completely effective, the solution must amalgamate all of the essential concepts of cyberdefense into a single unifying practice model, one that has real-world currency. Professional societies help to serve as the developers and sanctioners of the fundamental ideas in their respective fields, and the creation of the CSEC2017 document provides an authoritative statement of the elements of the field of cybersecurity for a broad array of practitioners. This paper discusses the CSEC2017 thought model and outlines the eight knowledge areas specified for the discipline to represent the complete body of knowledge within the field.

Disclosure statement

No potential conflict of interest was reported by the authors.

Additional information

Notes on contributors

Dan Shoemaker

Daniel P Shoemaker, PhD, is principal investigator and senior research scientist at the University of Detroit Mercy’s Center for Cyber Security and Intelligence Studies. Dan has served 30 years as a professor at UDM with 25 of those years as department chair. He served as a co-chair for both the Workforce Training and Education and the Software and Supply Chain Assurance Initiatives for the Department of Homeland Security, and was a subject matter expert for the NICE Workforce Framework 2.0. Dan has coauthored six books in the field of cybersecurity and has authored over one hundred journal publications. Dan earned his PhD from the University of Michigan.

Anne Kohnke

Anne Kohnke, PhD, is an associate professor of IT at Lawrence Technological University and teaches courses in both the information technology and organization development/change management disciplines at the bachelor through doctorate levels. Anne’s research focus is in the areas of cybersecurity, risk management, threat modeling, and IT governance. After a 25-year career in IT, Anne transitioned from a Vice President of IT and Chief Information Security Officer (CISO) position into full-time academia in 2011. She earned her PhD from Benedictine University.

Ken Sigler

Ken Sigler, MS, is a faculty member of the Computer Information Systems (CIS) program at the Auburn Hills campus of Oakland Community College in Michigan. His primary research is in the areas of software management, software assurance, and cloud computing. He developed the college’s CIS program option entitled “Information Technologies for Homeland Security.” Until 2007, Ken served as the liaison for the college to the International Cybersecurity Education Coalition (ICSEC), of which he is one of three founding members. Ken is a member of IEEE, the Distributed Management Task Force (DMTF), and the Association for Information Systems (AIS).
