​Cybersecurity competences — ​​research, development and innovation perspective

Globally cybersecurity is a rapidly growing and dynamic area both from the perspective of societal significance and business activity. While expertise in this area is increasingly sought after, less attention has been devoted to the actual cybersecurity competences, how the maturity of these competences can be measured at the national level and what the situation in terms of cybersecurity competences is in different countries. In this study, the authors investigate these questions by developing a framework of elements of cybersecurity competencies and presenting results from a case study of cybersecurity skills and competence base in Finland.

Go to the profile of Antti Pelkonen
Aug 30, 2017
Upvote 0 Comment

Author(s): Antti Pelkonen, Reijo Savola, Jarno Salonen


The cybersecurity domain is growing fast, not only in terms of business activities but also with respect to its societal importance. Spurred by digitalisation and increasing impact of cyber threats, there is a growing demand for cybersecurity expertise as companies, public sector authorities, universities, research institutes and vast range of other organisations in the society need professionals to protect their information and communication systems [1]. For instance, Frost & Sullivan [2] has recently estimated that there is a shortfall of 1.5 million experts in the global information security workforce in 5 years. At national and global levels, this situation poses important challenges for cybersecurity competences and skills development. As a consequence, governments and educational institutions around the world are exploring how the growing demand for cybersecurity competences can be met [3].

Moreover, while there is a lot evidence of a growing need for expertise and competencies in cybersecurity, less attention has been devoted to the details of cybersecurity competencies, i.e. what kinds of skills are particularly needed now and in the near future. Another related challenge concerns knowledge about the competence situation at the national level: how cybersecurity competences and their development can be measured at the national level and what the situation in terms of cybersecurity competencies is in different countries? While there are different types of cybersecurity rankings [4], usually they do not specifically address the skills and competence aspect in necessary detail. In this article, we tackle this lack of knowledge and develop a framework of key elements pertaining to cybersecurity competencies. While the framework can be applied to structure and assess cybersecurity competences and competence development at national level, our aim here is not to describe in detail the operationalisation of the framework. However, we provide some examples of indicators and metrics that can be used and illustrate the use of the framework by presenting a case study of cybersecurity skills and competence base in Finland. The purpose of the case study is not to provide a fully-fledged analysis based on the framework but rather to illustrate its potential application.

Cybersecurity competences

Cybersecurity is a multidisciplinary field that requires high-level competences based on higher education and professional training. It is also a domain that is increasingly in the national attention of governments world-wide. Governments, hence, have a growing interest towards situational awareness regarding the level of cybersecurity competences and capacities in the country. It is, however, often not very clear what constitutes cybersecurity competences, which factors affects the development of these competences and how the competences can be measured at national level. In academic and practice-oriented literature, the concept of cybersecurity competences (or skills or capacities) is generally weakly defined and developed.

There are a number of different types of cybersecurity assessment and maturity models that have resonance with our framework. However, what distinguishes our approach from other existing frameworks is that our model focuses explicitly on cybersecurity competences and competence development and their assessment at the national level. In contrast, most other assessment frameworks have different orientation. First, there are frameworks that focus on assessing cybersecurity preparedness (and normally do not pay particular attention on cybersecurity competences and competence development) such as the community cybersecurity maturity model [5]. Second type of assessment models are those that are intended to evaluate cybersecurity programmes and capabilities at organisation level, such as the cybersecurity capability maturity model (CMM) of the US Department of Energy [6]. Third, there are models that aim at assessing cybersecurity from a holistic perspective at a national level, which address the issue of competences but treat it in a relatively thin way. An example of this is the global cybersecurity index [7] which measures ‘capacity building’ in cybersecurity by using indicators related to standardisation, manpower development and professional and agency certification. Such indicators do not tell very much about the actual content of cybersecurity capacities. Professional certifications naturally measure content-oriented technical competences in a concrete way at individual level, but they do not describe broader national competence base. Moreover, and perhaps most importantly, these kinds of information sources do not tell us about how and to what extent the cybersecurity domain capacities are developed by educational institutions and the research and innovation system within a country.

Our framework has perhaps the most affinity with the cybersecurity CMM [8] developed by the Global Cyber Security Capacity Centre at University of Oxford as it addresses some of the same key framework conditions related to competence development such as cyber policy, strategy, culture and awareness and legal framework. However, from the perspective of assessing competence development, the CMM model neglects many critical aspects such as basic and applied research, business and entrepreneurship as well as networks and collaboration (cf. Fig 1). Of the central competence creation factors of our framework, the CMM addresses only cybersecurity training and education (i.e. higher education and continuing training in our terminology).

Fig 1: Cybersecurity competences, a conceptual approach

Fig 1 describes our conceptual framework of cybersecurity competences which aims to tackle the above-described deficiencies in our understanding and previous attempts of assessing cybersecurity competences. In our approach, we distinguish between three elements: (i) cybersecurity core competence areas (content-oriented core fields of expertise), (ii) factors (e.g. activities and policies) that impact upon the development of these competence areas and (iii) broader global contextual factors that affect the development of the cyber domain and hence also the competences (i.e. cyber threat landscape and technological development). In the following, we address each of these in more detail.

Cybersecurity core competence areas

As a high tech domain, core competence areas in cybersecurity relate to science and high technology areas such as information science and technology, telecommunications, programming, software development and mathematics. Cybersecurity competences in information science and technology relate mainly to information assurance, defined as ‘the technical and managerial measures designed to ensure the confidentiality, possession or control, integrity, authenticity, availability and utility of information and information systems’ [9]. More generally, information and communication technologies (ICTs) are key vehicles for digitalisation, used more and more widely in various domains of the society and business. Realisation of core technical cybersecurity solutions require knowledge of these technologies from a wide pool of designers and implementers.

Telecommunication has always been an important cybersecurity competence area and its importance is even growing these days as telecommunication networks are the channel for everyday communication in the modern society. The telecommunications competence area comprises of among others, knowledge of transmissions, but also operation of telecommunications systems including broadcasting, switching and control [10]. The role of programming and software development competencies in cybersecurity is another growing area as all the vehicles, machines and other devices around us consist mainly of software. Thus, relevant methodology like security by design, secure programming practices and similar standards or standard-like frameworks are generally adopted to provide a sufficient level of security and quality to software. Lastly, mathematics is a core competence for more technical cybersecurity work, and especially in cryptography which is also used for current application areas such as block chain. Mathematics plays an important role also in detecting forged or otherwise tampered data as well as providing protection from attacks to global positioning system systems.

Furthermore, as cybersecurity is increasingly penetrating the society [11] and the physical and virtual worlds are intertwining [12], competencies in broader fields of science are increasingly important with respect to cybersecurity. These include in particular competences in legal aspects and law, economics and management, human aspects and user perspective as well as psychology, political and sociological analysis. Such perspectives are indispensable in terms of understanding raising phenomena such as cybercrime and cyberterrorism for instance.

Factors impacting upon the development of cybersecurity competences

These can be divided into two groups: (i) competence creating factors and (ii) general framework conditions. In terms of competence creation, research, development and innovation activities as well as higher education are particularly significant due to the high-technology nature of cybersecurity, and they form largely the base of national capacities in cybersecurity. These can be justified as follows:

  • Basic and applied research: High-level basic research provides the basis for competence development, higher education and new innovations. Similarly, applied research is important in terms of bridging the gap between basic research and commercialisation, business activities and innovation. Particularly important is thus the level and quality of various types of research activities in the core technical competence areas related to cybersecurity such as mathematics, information technology, information systems and programming.
  • Higher education and continuing training: Higher education is particularly important in terms of development and continuity of competences as well as the amount of experts and the national competence pool. In practice, this refers in particular to the scope and quality of tertiary education and curricula in cybersecurity relevant subjects. In addition, also continuous training of information technology professionals is highly important [13]. Together with research and innovation activities, higher education is needed, not only for producing innovations as such, but also for developing absorptive capacity that enables the use, assimilation and application of knowledge produced elsewhere.
  • Business activities and entrepreneurship: The quantity, scope and quality of companies operating in the cybersecurity domain as well as their orientation with respect to product development, R&D activities, growth and exports are significant.
  • Networks and collaboration: Particularly important is collaboration and interaction between companies, universities, research institutes and public sector authorities, hence the degree to which these actors are able to form a well-functioning cybersecurity ‘ecosystem’. However, important in terms of cybersecurity competences are also various types of self-organising, open and collaborative ‘innovation networks’ where computer enthusiasts and hackers interact to develop their skills and new software and programs [14]. Such networks can, of course, be legitimate or criminal in nature.

The above-mentioned competence creating factors are crucial if one wants to measure cybersecurity competences at national level, and various types of indicators can be defined for the different dimensions (see case study below for illustration). For instance, the level of research can be measured by scientific publications, the composition of academic cybersecurity research groups (e.g. number of professors) and the orientation of research activities (research topics covered by the academic community). Similarly, business activities can be measured by, for example, the number of companies and their financial figures as well as patenting and innovation activity, R&D investments, and new products and innovations.

As general framework conditions, we regard especially the following factors:

  • Legislation: Legislation is important as it provides the overall context in which the cybersecurity domain actors operate. It may also affect directly competence development by, for example, regulating the information sharing about cyber threats and incidents and hence affecting the data researchers and companies may have in their use.
  • Public cybersecurity policy and strategy: The overall ‘orientation’ of the country towards cybersecurity has direct and indirect impacts on the competence development as it reflects the weight a country assigns to cybersecurity. This, in turn, is often linked to resources that are provided to the policy area in question.
  • General awareness and culture: General awareness is of great importance in terms of how the population at large regards cybersecurity issues and whether and to what extent young generations and for instance students become interested in the domain and in developing expertise in it.
  • Public R&D funding and innovation policy: Public innovation policy is significant in terms of supporting the competence creation through R&D at universities, companies and research institutes and promoting the interaction between the actors.

Global cybersecurity threat landscape

As cybersecurity is about securing information networks and data therein, cybersecurity and related competences are always developed in relation to certain threats or potential threats in the cyber domain. Hence, the threat landscape affects greatly the competences needed and these two are in interactive relationship. Threat landscape for a target system includes up-to-date information about cyber threats relevant to the target system, along with observed threat trends and threat agents. The threat landscape is displayed in the outermost part of Fig 1 and consists of among others network intrusion, common vulnerabilities and exploits, ransomware and extortion, espionage and evolving risks. In the following, we will describe the threat landscape in further detail and connect the relevant cybersecurity competences into the equation.

According to Akamai Technologies that is responsible of sharing 15–30% of network traffic globally, the number of distributed denial of service attacks has increased by 70% during the last year [15]. This displays the significance of network intrusion as a threat against the modern hyperconnected world. Network intrusion comprises breaking into organisations’ networks in order to acquire confidential information or other assets as well as blocking access to networks in terms of disrupting services or connections that are vital for businesses or even nations. The competences necessary to prevent or mitigate network intrusion relate to common ICT.

Cyber espionage or cyber spying means the act or practice of obtaining secrets without a permission of the holder of the information that can be a business, government or other. According to Hackmageddon, cyber espionage was ranked third among motivations behind cyber-attacks in their statistics in January 2016 [16]. The FBI stated already in 2015 that they have seen cyber espionage cases increased by 53% [17] and Verizon 2016 Data Breach Investigation Report stated that 90% of cyber espionage breaches capture trade secrets or other proprietary information [18]. Governments around the world are making or have already made changes to their legislation in order to provide protection against cyber espionage especially for companies and enable sanctions against cyber spies. The competences necessary for mitigating this threat are generally related to legal aspects and management, but espionage requires also ICT competences to provide technical measures at the system level, and human behaviour and psychology competences to analyse human weaknesses and prevent espionage in the non-technical areas.

Knowledge of common vulnerabilities and exploits are often considered as security basics and for example EU's General Data Protection Regulation (GDPR) that comes into force on 25 May 2018 has the purpose of enforcing companies to report breaches faster than before. After this date, companies in non-compliance will face heavy fines. One of the reasons behind GDPR is that organisations do not maintain up-to-date systems even though patches are being produced to software rather quickly after vulnerabilities are reported [19]. According to Verizon, the top ten known vulnerabilities accounted for 85% of successful exploits most of which could have been prevented by having the systems up-to-date [18]. The key cybersecurity competence related to this threat in addition to communication and information technology is management which is needed for planning the necessary update and recovery policies and providing the necessary monetary and other resources for ensuring up-to-date systems and other devices.

Ransomware and cyber extortion is another increasing cybersecurity threat. According to Researchscape International, the median amount of ransoms paid was $250 with 25% of the ransoms amounting over double than the previous amount [20]. The acceptance of bitcoin as a common form of payment seems to have had some influence in the growth of ransomware and, for example, the first ransomware ‘CryptoLocker’ developed into a ransomware service ‘ecosystem’ that even provided helpdesk services to the victims. The development of ransomware has also resulted into insurance companies offering cyber insurances and data breach policies [21]. The key cybersecurity competences related to ransomware and cyber extortion are mathematics (decryption of data) as well as ICT (prevention of illegal access and malicious information to the internal network).

Evolving cybersecurity risks consists of other already known and yet undiscovered threats that may affect the future hyperconnected society. One example is cyber sabotage (also known as cyber-mediated sabotage) with the purpose of disrupting an individual organisation, infrastructure or even nation. In some cases, cyber sabotage includes extortion or some level of espionage in which case it can be positioned in the previously described threat landscapes. However, the hacking of Ukraine power grid in December 2015 which temporarily disrupted electricity supply to end consumers seems to have had no other purpose than to disrupt the distribution of electricity. These kinds of attacks have occurred also elsewhere and even the US presidential elections in 2016 were accused of being interfered by foreign cyber-attacks. Despite of cyber sabotage being very difficult to prove and the motivation behind them difficult to understand, we can state that cyber sabotage is an evolving risk that might change the future cyber threat landscape. The biggest threat of such evolving risks is generally towards business continuity and thus competences related to risk management and strategic-level recovery plans are often required. This also requires comprehensive understanding of core systems and processes related to business operations and relates to most of the competences presented in Fig 1.

Case study: cybersecurity competencies in Finland

In the following, we apply the above-described framework and elements for studying cybersecurity competencies in Finland. From the perspective of cybersecurity, Finland presents an interesting case as it is a country well-known for its ICT industry and mobile technologies. Furthermore, Finland has recently set very ambitious targets in terms of cybersecurity: the national cybersecurity strategy, released in January 2013, stated that by 2016 Finland should become ‘a global forerunner in cyber threat preparedness and in managing the disturbances caused by these threats’. Furthermore, information security strategy, published in February 2016, puts forward a vision according to which ‘the world's most trusted digital business comes from Finland’. With these objectives as a background, it is relevant to examine the current situation in terms of cybersecurity competences and skills in the country.

The case study is based on a very extensive set of data, the main components of which are: (i) 21 personal interviews with key actors in Finnish cybersecurity area, (ii) three broad surveys to Finnish cybersecurity companies ( n = 61), researchers ( n = 77) and public organisations responsible for national cybersecurity ( n = 19), (iii) three workshops with cybersecurity experts from business, public sector and research, (iv) statistical information including publication (ISI Web of Science) and patent data (PatStat), VTT Sfinno™ innovation database which contains information on around 6600 commercialised Finnish innovations from 1945–2013, Orbis database on business figures and R&D funding statistics gained from the Academy of Finland and Tekes – Finnish Funding Agency for Innovation and (v) relevant document material including, e.g. strategies and previous studies and reports.

In the case study, we concentrate on the competence creation factors of our conceptual framework, and focus our analysis especially on the state of basic and applied research, higher education and continuing training as well as business and entrepreneurship. In addition, we pay attention to gaps in cybersecurity competences. Full description of the analysis can be found in Finnish in Pelkonenet al. [22].

Basic and applied research – growing but scattered technological research, multidisciplinarity lacking

Today's research and development activities can be seen largely as a result of choices made before. Finland has historically relatively strong competence base in engineering sciences, and as a part of that also in information technology. Research activities in information technology began in Finland in the 1950s, in the following decades first professorships in information technology were established [23]. In the 1970s and early 1980s, development in microelectronics was very fast, and research and development in these areas were broadly further developed in Finland. In the following decade, spurred by the demand raising from the fast rise of Nokia's mobile phone business, higher education in ICT-related fields was strongly increased [24]. Overall, Finnish research in computer and information science has been regarded high level, but recently, it also has been estimated that the quality of research has declined and risk is that it may not be at the level of world leading countries any more [25]. Similarly, Finnish research in mathematics has been considered of being of particularly high quality in international and national evaluations, especially with respect to the small population of the country and particularly in certain specific areas such as discrete mathematics and inverse research [26,27]. However, the same evaluations have stated that mathematical fields related to information technology such as algebra, cryptography and mathematics of signal processing have been relatively weakly developed in Finland. This is clearly a challenge to the Finnish education system and cybersecurity – more competence on mathematics is needed, to increase Finland's position as a high-tech technology developer.

Counted by the number of publications, majority of research related to cybersecurity in Finland indeed relates to computer and information sciences (50.1%) and mathematics (13.4%). Research related to cybersecurity has also significantly increased in Finland since the mid-1990s. In terms of scientific publications, for instance, the volume of research has quadrupled between mid-1990s and 2013 (Fig 2). Despite the growth, the volume of research is still relatively small: there are only a bit over ten university professors focusing on cybersecurity issues and the annual number of scientific publications is around 130. Furthermore, research activities are scattered around 16 universities, research institutes and polytechnics which imply that research units are small on average. Despite the relatively small overall volume, there are world-class research and narrow spearhead research areas, such as cryptology, vulnerability research, mobile security and information security management for instance. These are, however, often on a very narrow basis and based on the work a one or few leading researchers. This refers to certain vulnerability in the core competence base of the Finnish cybersecurity research.

Fig 2: Scientific publications in cybersecurity in Finland 1995–2013. Source: Web of Science

Overall, cybersecurity research in Finland is quite strongly technologically oriented and multidisciplinary and interdisciplinary perspectives to cybersecurity are less pronounced. As Fig 3 shows, there are quite many researchers studying technological research areas and topics such as network security and software and application security. In contrast, topics that are linked to social, legal, psychological and behavioural aspects of cybersecurity, such as cybercrime, user and human perspectives to cybersecurity and legal regulation, are substantially less frequently studied among Finnish researchers active in this field.

Fig 3: Content orientation of Finnish cybersecurity research. Source: Survey to cybersecurity researchers, n = 77

Higher education and continuing training – still needs for enlargement

In recent years, Finnish cybersecurity companies have emphasised the importance of cybersecurity education. Partly as a reaction to that, higher education activities related to cybersecurity have broadened in Finland. Currently there are 14 universities and polytechnics that provide education in cybersecurity-related themes [28]. In most universities, education in cybersecurity is organised as minor subjects or dedicated courses in subjects such as information technology, telecommunications and information systems. In two universities, there are specific master's programmes in cybersecurity. These two programmes are both recently established and have to some extent systematised education in the area. They are, however, relatively small in terms of student numbers as both programmes take in around 20 new students annually. As a comparison, in Estonia, which has less than quarter of the population of Finland, the Tallinn University of Technology alone takes 30 new students annually in the International Master's programme specialised in cybersecurity and digital forensics. In addition to the university degree courses, there are some continuing training courses in the field and other training activities such as, for example, an ongoing joint effort by the University of Helsinki and cybersecurity company F-Secure to run a MOOC (massive open online course) on cybersecurity.

Despite the recent increases in the higher education supply, our surveys indicate that higher education would still need to be broadened. Seventy per cent of companies responded to our survey and 60% of cybersecurity researchers were of the opinion that there is no sufficient amount of high-level education in the area. A large share of cybersecurity companies (60%) also considered that skilled labour force in the cybersecurity domain is not well available in Finland. While these findings showing shortages of education and workforce are consistent with studies done in other countries [29], in practice they translate into recruitment problems for companies and other organisations. Many companies have indeed experienced such challenges, e.g. related to cryptology, specific programming skills and identity and access management. Similarly, many of the public sector authorities responsible for cybersecurity issues have also experienced challenges in recruiting experts. In the public sector, the challenge is more complicated because public sector organisations are not able to compete with the private sector in terms of salaries. Challenges in public sector recruitments have been in areas such as cryptography, strategic and broad-based cybersecurity competences (experts with technical expertise and strategic understanding of cybersecurity) and expertise related to investigating information security breaches for instance.

Business and entrepreneurship – strong company base, threats of competencies leaking abroad

Cybersecurity business started to develop in Finland in the 1990s and the development took off especially around three companies: Data Fellows (established in 1988, currently F-Secure) which focuses on anti-virus products, Stonesoft (established in 1990, currently part of Intel) which concentrates on firewalls and SSH Communications (established in 1995) which focuses on cryptography products. In the area of consulting and services, Nixu, established in 1988, has been a frontrunner in Finland. Along with these dedicated cybersecurity companies, Nokia has also played an important role in the emergence of Finnish cybersecurity cluster as it had a relatively small but significant information security research group until early 2010s. The importance of Nokia is easily visible, for example, in cybersecurity-related patents: of all US cybersecurity patents granted to Finnish organisations between 1995 and 2013 Nokia accounts for 67%. In addition, Nokia's significance can also be seen in the scientific side as it has been the fifth most active organisation in Finland in terms of scientific publications in the area, only surpassed by three universities and a technical research centre. In addition, Nokia has also been an important customer for a number of cybersecurity companies.

Overall, Finland has currently relatively strong and broad business sector in the cybersecurity area: there are ∼80–90 companies whose core business deals with cybersecurity and, in addition to that, a large number of other ICT and telecommunications companies which have business and expertise in cybersecurity while their core business is in other areas. In relation to population, Finland has relatively large cybersecurity business sector in international terms. Yet, there are still countries with larger cybersecurity company base per capita, like Israel for instance. With respect to the business sector, also a remarkable recent challenge in Finland for the competence development and continuity has been fact that several Finnish core companies in the area have been sold to foreign companies. While this has at least not yet implied that competencies and R&D activities would have drained out of Finland, it presents a potential threat for the future development.

There are strong areas of competence in the Finnish business sector such as anti-virus expertise, identity and access management, firewalls, testing, and information and cybersecurity services for instance. The sector is also growing strongly: over the period of last 3 years, turnover of the companies in the sector has grown by 26% on average. In 2014, Finnish cybersecurity companies employed ∼4500 people and had a turnover of over 1 billion euros. Large part of the Finnish companies are, however, relatively small in size which is a challenge for instance in terms of internationalisation and export activities. Similarly, the small size of the companies is reflected in their absolute R&D investments which are, for a large share of the companies, less than 100 000 euros (Fig 4). However, if a company is small, even 100 000 euros investment in R&D may be a very significant amount.

Fig 4: Annual R&D budget of Finnish cybersecurity companies, euros. Source: Survey to cybersecurity companies, n = 61

Yet, despite relatively small R&D investments, Finnish cybersecurity companies clearly have potential and ability to innovate: in our survey nearly 40% of the companies (23/60) responded that they had introduced globally new innovations during the last 5 years (Fig 5). This is quite a large share as globally new innovation implies that similar product or services has not been available in any market world-wide. In addition, over half of the companies had introduced new to market or new to the company innovations.

Fig 5: Number of companies who have introduced innovations during the last 5 years. Source: Survey to Finnish cybersecurity companies

Three broad areas of competence gaps

Above we have already referred to some specific skills domains where Finnish organisations have experienced recruitment challenges in cybersecurity. In addition to those, we can identify three broad areas where there are particular gaps or shortages of expertise in Finland. First area of competence gap is cryptography and in particular theoretical cryptology. As a matter of fact, cryptography is, somewhat paradoxically, currently both a strength and a weakness in Finland: there is very high-level expertise in the area but it is on a very narrow basis. Second area where there are fewer competences in Finland is non-technological, multidisciplinary expertise related to cybersecurity. While technical expertise is broadly in a high level in Finland, broad-based and multidisciplinary perspective in cybersecurity issues is more vaguely developed. This includes, for instance, areas such as human and user aspects, behavioural perspective, as well as economic, legal and strategic aspects related to cybersecurity. These are particularly important dimensions, as along with the deepening digitalisation it apparently becomes increasingly important to gain a more profound understanding of the cyber space and its security. Similar observations have also been made in other countries, such as Canada for instance [30]. Technological expertise hence needs to increasingly be supplemented by non-technological expertise.

The third area of competence gap in Finland also deals with a non-technological domain: marketing, commercialisation, sales and export skills related to cybersecurity. This actually concerns a ‘traditional’ competence shortage in Finland as Finns are known to be good engineers and product developers but not as good in marketing, selling and branding the products. This situation is clearly visible also in the cybersecurity area. For instance, many experts interviewed maintained that Finnish solutions and products often are at least as good as products that have been successful in the world market, and that the difference is made in the ability to sell and market the products. In addition to these three broad areas, other, more specified areas, with fewer competencies can be identified such as digital forensics and cyber-attacks.

Future competence needs are extremely difficult to anticipate due to the fast technological development in the cybersecurity area. Skills that are needed are unquestionably vast and diverse and will comprise technological but also increasingly non-technological competencies. The breakthrough of Internet of Things, emergence of cloud services, the development of 5G technologies and quantum computing, and the increasing significance of big data and mobile robots present technological developments that will increase cyber risks and hence undoubtedly be significant also for cybersecurity competence needs [31]. Given the expanding nature of cybersecurity domain and its increasing significance, competences that are related to broad-based, comprehensive and strategic perspective on cybersecurity issues will probably be more important. Similarly, the understanding of cybersecurity aspects in the top management of organisations and higher hierarchies of political decision making will gain more significance.


Cybersecurity is a rapidly growing area of expertise with an increasing importance in terms of business as well as for the societies as a whole. It is also a domain that requires different types of competencies. In this article, we have presented a framework of cybersecurity competencies and proposed an approach of how to study cybersecurity competencies at the national level. We have also presented a case study where we analysed the state of cybersecurity competencies in Finland. On the basis of our conceptual development and the case study, we would like to highlight four main conclusions. First, by focusing explicitly on competences and competence development our framework makes a contribution with respect to existing cybersecurity capacity maturity models and indexes where competence creation factors have been only vaguely addressed. We highlight the need to pay attention, for instance, to the national research base, business sector and networks and collaborative structures when assessing national cybersecurity competences and competence development potential. In addition, at conceptual level our framework also makes a connection between cybersecurity threats and competence development which is often also lacking in existing frameworks.

Second, an important area of cybersecurity competence which currently tends to have growing weight concerns multidisciplinary and strategic expertise. Cybersecurity is easily regarded as technical subject matter, which is, of course, natural regarding the main characteristics of the field. However, along with digitalisation the societal significance of cybersecurity will probably further increase and cybersecurity increasingly penetrate the society. This will increasingly require that technical cybersecurity competencies are complemented with expertise from other disciplines and domains. Hence, the demand will probably grow for experts with technical cybersecurity competences but also related broader, strategic, managerial, legal and social scientific competences. Such trend is most probably not limited to any particular country but is of broader significance.

Another key competence area concerns marketing and commercialisation skills related to cybersecurity technologies. Our study revealed that in Finland a large part of the cybersecurity companies are small and they experience particular difficulties in expanding their operations to new geographical markets. At the same time the domestic market is small and it is vital for the companies to be able to export products and services. Although there are some big players, in the European scale many promising companies in the sector are relatively small, and domestic markets in European countries are often limited in size. Hence, the ability to sell, market and, especially, export is increasingly significant for many of the sector's companies across different countries.

Fourth, in the cybersecurity area the threat landscape and technologies evolve continuously and technological change is fast. This means that also the needed skills and expertise profiles change over time, and as a matter of fact, they may actually change rapidly. In this situation it is relevant to ask how it is possible to guarantee that suitable expertise is available, taking especially into account the aspect of business continuity. One answer would be that there should be regular foresight and assessment exercises to examine the evolution of the field, the related future competence needs and the change that is taking place in terms of skill demand. Given the fast pace of technological progress, another answer would be that it is important to make sure that competencies in the basic ‘domains’ of cybersecurity, such as mathematics, programming and computer science, are kept on a high level. If the foundations are on solid ground, it is easier to move to new areas and applications according to the upcoming demand.


The authors are grateful to Arho Suominen for the analysis concerning Finnish scientific publications and patents in cybersecurity. This work was supported by funding from Finnish Prime Minister's Office for the project Cybersecurity competencies in Finland – Current State and Roadmap for the Future.


  1. Cisco: ‘Mitigating the cybersecurity skills shortage’. Available at http://www.cisco.com/c/dam/en/us/products/collateral/security/cybersecurity-talent.pdf, accessed December 2016.
  2. Frost & Sullivan: ‘The 2015 (ISC) global information security workforce study’. Available at https://www.isc2cares.org/uploadedFiles/wwwisc2caresorg/Content/GISWS/FrostSullivan-(ISC)%C2%B2-Global-Information-Security-Workforce-Study-2015.pdf, accessed December 2016.
  3. ‘The Whitehouse, Strengthening the Federal Cybersecurity Workforce’. Available at https://www.whitehouse.gov/blog/2016/07/12/strengthening-federal-cybersecurity-workforce, accessed November 2016.
  4. Gehem M. Usanov A. Frinking E. et al.: ‘Assessing cyber security. A meta-analysis of threats, trends, and responses to cyber attacks’ (The Hague Centre for Strategic Studies, 2015) .
  5. White G.: ‘The community cyber security maturity model’. Proc. of the 40th Hawaii Int. Conf. on Systems Sciences, 2007.
  6. Department of Energy: ‘Cybersecurity capability maturity model (C2M2)’. Available at https://energy.gov/sites/prod/files/2014/03/f13/C2M2-v1-1_cor.pdf, accessed March 2017.
  7. ‘Global Cybersecurity Index’: http://www.itu.int/en/ITU-D/Cybersecurity/Pages/GCI.aspx, accessed December 2016.
  8. Global Cyber Security Capacity Centre: ‘Cyber security capability maturity model (CMM) – V1.2.’. Available at https://www.sbs.ox.ac.uk/cybersecurity-capacity/system/files/CMM%20Version%201_2_0.pdf.
  9. PC Magazine Encyclopedia 2016. Available at http://www.pcmag.com/encyclopedia/term/44936/information-assurance, accessed January 2017.
  10. ‘Competency Model for Cybersecurity’: https://www.chcoc.gov/content/competency-model-cybersecurity, accessed January 2017.
  11. Heidenreich G. Gray D.: ‘Cyber-security: the threat of the internet’, Glob. Secur. Stud., 2014, 5, (1), pp. 17–26.
  12. Neely E.: ‘Intertwining identities: why there is no escaping physical identity in the virtual world’. The Int. Association for Computing and Philosophy, Annual Meeting, July 2013.
  13. Le Clair J. Abraham S. Shih L.: ‘An interdisciplinary approach to educating effective cyber security workforce’. Proc. 2013 Information Security Curriculum Development Conf., Kennesaw, USA, 12 October 2013.
  14. Tovstiga G. Tulugurova E. Kozlov A.: ‘Innovation dynamics and capability in open collaborative cyber communities: implications for cybersecurity’, Int. J. Bus. Gov. Ethics, 2010, 5, (12), pp. 76–86 (doi: 10.1504/IJBGE.2010.029557).
  15. Akamai: ‘Akamai's state of the internet security. Q3 2016 report’. Available at https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/q3-2016-state-of-the-internet-security-report.pdf, accessed January 2017.
  16. ‘Hackmageddon January 2016 Cyber Attacks Statistics’. Available at http://www.hackmageddon.com/2016/02/16/january-2016-cyber-attacks-statistics, accessed January 2017.
  17. ‘FBI sees Chinese involvement amid sharp rise in economic espionage cases’. Available at http://edition.cnn.com/2015/07/24/politics/fbi-economic-espionage, accessed January 2017.
  18. Verizon: ‘2016 data breach investigations report’. Available at http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/, accessed January 2017.
  19. ‘Should companies be fined for not doing cyber security basics?’. Available at http://www.cbronline.com/news/cybersecurity/breaches/companies-fined-cyber-security-basics, accessed January 2017.
  20. Researchscape: ‘Crypto ransomware survey of IT experts’. Available at https://www.intermedia.net/resource/crypto-ransomware-survey, accessed January 2017.
  21. ‘Ransomware and cyber extortion are on the rise – what can be done?’. Available at http://www.claimsjournal.com/news/national/2016/06/27/271786.htm, accessed January 2017.
  22. Pelkonen A. Ahlqvist T. Leinonen A. et al.: ‘Kyberosaaminen Suomessa – Nykytila ja tiekartta tulevaisuuteen (2016). Available at http://tietokayttoon.fi/julkaisu?pubid=9301, accessed December 2016.
  23. Pelkonen A.: ‘Tieto- ja viestintäteknologia teknologiavetoisen yhteiskunnan rakentajana ja yhteiskuntapolitiikan välineenä’.Politiikka, 2003, 45, (1), pp. 50–61.
  24. Ali-Yrkkö J. Hermans R.: ‘Nokia Suomen innovaatiojärjestelmässä’ (Yliopistopaino, 2002).
  25. Academy of Finland: ‘Computer and information science. Background report to state of scientific research in Finland 2012 report’. Available at http://www.aka.fi/fi/tiedepoliittinen-toiminta/tieteen-tila/aiemmat-arvioinnit/tieteen-tila-2012/, accessed November 2016.
  26. Academy of Finland: ‘Evaluation of Finnish mathematics. Report of the evaluation panel.’ (Edita, 2000).
  27. Academy of Finland: ‘Mathematics and statistics. Background report to State of Scientific Research in Finland 2012 Report’. Available at http://www.aka.fi/fi/tiedepoliittinen-toiminta/tieteen-tila/aiemmat-arvioinnit/tieteen-tila-2012/, accessed November 2016.
  28. Lehto M. Kähkönen A.: ‘Kyberturvallisuuden kansallinen osaaminen’ (2015). Available at www.jyu.fi/it/tutkimus/202015_Kyber_kansallinen_osaaminen_VERKKO.pdf, accessed November 2012.
  29. Center for Strategic and International Studies: ‘Hacking the skills shortage’. Available at http://www.mcafee.com/us/resources/reports/rp-hacking-skills-shortage.pdf, accessed December 2016.
  30. Bailetti T. Craigen D. Hudson D. et al.: ‘Developing an innovation engine to make Canada a global leader in cybersecurity’,Technol. Innov. Manage. Rev., 2013, pp. 5–14.
  31. Dupont B.: ‘Cybersecurity futures: how can we regulate emergent risks?’, Technology Innovation Management Review, July 2013, pp. 6–11.


Go to the profile of Antti Pelkonen

Antti Pelkonen

Senior scientist, VTT

No comments yet.