Cybersecurity education: evolution of the discipline and analysis of master programs

Krzysztof Cabaj (a), Dulce Domingos (b,*), Zbigniew Kotulski (c), Ana Respício (d)

(a) Institute of Computer Science, Warsaw University of Technology, ul. Nowowiejska 15/19, 00-665 Warsaw, Poland, Email address: kcabaj@elka.pw.edu.pl

(b) LASIGE, Faculdade de Ciências, Universidade de Lisboa, Campo Grande, 1749-016 Lisboa, Portugal, Email address: mddomingos@fc.ul.pt, Orcid 0000-0002-5829-2742

(c) Institute of Telecommunications, Warsaw University of Technology, ul. Nowowiejska 15/19, 00-665 Warsaw, Poland, Email address: zkotulsk@tele.pw.edu.pl, Orcid 0000-0002-1149-7863

(d) Departamento de Informática, and CMAFCIO - Centro de Matemática, Aplicações Fundamentais e Investigação Operacional, Faculdade de Ciências, Universidade de Lisboa, 1749-016 Lisboa, Portugal, Email address: alrespicio@fc.ul.pt, Orcid 0000-0003-2758-7035

(*) LASIGE, Faculdade de Ciências, Universidade de Lisboa, Campo Grande, 1749-016 Lisboa, Portugal. Phone number: +351 21 750 05 24, Email address: mddomingos@fc.ul.pt

© 2018. This manuscript version is made available under the Elsevier user license
http://www.elsevier.com/open-access/userlicense/1.0/
Abstract
As the amount of information, critical services, and interconnected computers and 'things' in the cyberspace is steadily increasing, the number, sophistication, and impact of cyberattacks are becoming more and more significant. In the last decades, governmental and non-governmental organisations have become aware of this problem. However, the existing cybersecurity workforce has not been sufficient for satisfying the increasing demand for qualified cybersecurity professionals, and the shortfall will increase in the next years. Meanwhile, to address the increasing demand for cybersecurity professionals, academic institutions have been establishing cybersecurity programs, particularly, cybersecurity master programs. This paper aims at analysing which cybersecurity topics are covered by existing cybersecurity master programs of top universities and how these topics are distributed through courses. It starts by reviewing the evolution and maturation of the cybersecurity discipline, focusing on the ACM efforts, which include the early addition of the Information Assurance and Security Knowledge Areas to the computer science curricula and, more recently, the development of curricular recommendations to support the definition of post-secondary cybersecurity programs. These latest guidelines are used to analyse and review 21 cybersecurity master programs, focusing on the contents of their courses, structure, admission requirements, duration, requirements for completion, and evolution.

Keywords
cybersecurity master programs; cybersecurity discipline evolution; graduate
cybersecurity education; comparative study

1 Introduction
The need for cybersecurity appeared in the early years of the digital era, when the first mainframe computers were developed. As networked computers and systems have progressively come to dominate computing and communication platforms, the volume and severity of cybercrimes have increased to an extent that cybersecurity is now an underpinning area of computer systems. Owing to the huge impact cybercrime has in the economy and safety of organisations and countries, the importance of cybersecurity has grown to such a level that it is now considered an independent discipline.
Currently, there is a growing concern among governments that the cyberspace will become the next theatre of warfare. Despite the increasing prominence of the discipline, the existing cybersecurity workforce cannot satisfy the increasing demand for qualified cybersecurity professionals. While the number and sophistication of cyberattacks increase, the shortfall is expected to worsen in the next years: 'the demand for the (cybersecurity) workforce is expected to rise to 6 million (globally) by 2019, with a projected shortfall of 1.5 million', stated Michael Brown, (former) CEO of Symantec (Setalvad 2015; Cisco 2015; Frank 2016; Randstad Technologies 2016). Aware of this problem, several academic institutions worldwide have started to define and offer cybersecurity programs to address the shortage of cybersecurity professionals. In particular, ACM has undertaken special initiatives to develop educational programs in cybersecurity on the post-secondary level.
This paper aims at framing the requirements for cybersecurity master studies facing present security challenges as well as providing foundational and technical knowledge for future security professionals. The paper starts by reviewing the progression and maturation of the cybersecurity discipline to envisage a framework for the required analysis. This review focuses on the ACM efforts, which include the early addition of the Information Assurance and Security (IAS) Knowledge Areas (KAs) to the computer science curricula and, more recently, the promotion of the Joint Task Force (JTF) on Cybersecurity Education to advance curricular guidelines supporting the definition of cybersecurity post-secondary programs (JTF on Cybersecurity Education, 2017a, 2017b). We select a sample of cybersecurity master programs from top-ranking worldwide universities and proceed with the analysis of these programs, considering their formal requirements, educational contents, structure, and evolution.
The paper is organised as follows. After the introductory section that presents the motivation for our work, we give a brief presentation of related work concerning investigations on master study programs in cybersecurity. The third section describes the evolution of cybersecurity as a domain of education. The fourth section presents the analysis of selected master programs in cybersecurity. First, we list the selected universities and then we provide a comparative description of their master programs, including admission requirements, duration of studies, and description of the course of studies (such as the program structure and specific courses, requirements for completion, and evolution). The last section concludes the paper with a summary of findings.

2 Related Work
The related work in the area of deployment and analysis of curricula of master programs in cybersecurity is scarce. Hence, this section surveys the literature regarding cybersecurity master programs as well as undergraduate programs.
In 2013, the conclusions of the report of the workshop on cybersecurity education and training already stated that graduates of computer science programs should have taken at least one cybersecurity course (McGettrick 2013). Taking a step forward, Harris and Patten (2015) described the strategy they used to include emerging cybersecurity topics within the information technology program, without increasing the credit requirements. Their strategy was to move most of the IAS topics, which were taught in a single advanced security course, to introductory and intermediate courses. This way, the advanced security course could then cover emerging cybersecurity topics.
The report of McGettrick (2013) also emphasized the importance of master graduates to the cybersecurity workforce. In the same year, Chen, Maynard, and Ahmad (2013) compared graduate security programs offered by top universities in China and in the United States of America (USA). They concluded that the main differences between the programs in these two countries are that the programs in China emphasized telecommunications security, whereas the programs in the USA assigned more importance to enterprise-level security strategy, security policy, security management, and cyber law. In addition, Malhotra (2015) stressed the growing importance of cyber risk management.
In 2014, McDuffie and Piotrowski (2014) pointed out that, although more than 182 colleges and universities in the USA have been designated as Centers of Academic Excellence in Information Assurance Education (CAE/IAE), there are only a few specific cybersecurity baccalaureate-level degree programs, and these do not offer consistent curricula. Most of these colleges offer computer science programs with some elective cybersecurity courses as a security track. To overcome the limitations on resources and expertise, Albert et al. (2015) reported the experience of four universities in the University of Maine system that worked together to achieve the designation of a National Center of Excellence in Cybersecurity Education and to define a multi-university program. Mew (2016) described the three-year-long evolution of an undergraduate information security program of a small liberal arts college. To keep the initial investment as low as possible, the program started by using the courses of the already existing information systems program and creating only one additional course. The interest of the students justified the evolution through the addition of other new courses and modifications of the core ones.
Grover, Reinicke, and Cummings (2016) analysed the Information Technology degree programs offered by the University of North Carolina education system, with focus on security. They pairwise compared the contents of courses in Information Technology programs, the ACM curricula guidelines (Sahami et al. 2013), and the requirements on the most popular certifications in security-related fields. They aimed at assessing if IT programs met the needs of the security field as well as if the ACM curricula guidelines met the skill/knowledge requirements of those certifications. Yang and Wen (2017) proposed a cybersecurity curriculum model based on the most common core courses of 27 undergraduate cybersecurity-related programs.
Bicak, Liu, and Murphy (2015) presented a study of adding three specialties to the master in cybersecurity program at their university. Their objective was to handle emerging topics as well as to provide students with a more specialised curriculum. Based on the CAE focus areas, they proposed the following specialties: cybersecurity data analysis, cyber intelligence, and healthcare information security and privacy.
Within a related security area, Yuan, Yang, Jones, Yu, and Chu (2016) surveyed existing efforts and resources in secure software engineering education on the graduate level. This work reviewed the proposal of a Common Body of Knowledge, a reference curriculum, and other resources.
Currently, there is a gap in the literature with regard to cybersecurity master programs; therefore, before analysing the existing programs, in the next section, we review the evolution of the cybersecurity discipline.

3 Evolution of the Cybersecurity Discipline


Since 2011, the National Initiative for Cybersecurity Education (NICE) has
been focused on defining the NICE Cybersecurity Workforce Framework
(NCWF) to provide the cybersecurity audience with a common language to define
cybersecurity work and the set of tasks and skills it requires (Newhouse, Keith,
Scribner, & Witte 2016).
In 2013, for the first time, the ACM/IEEE computer science curricula guidelines (CS2013) included the IAS KA (Sahami et al. 2013). These guidelines divided IAS topics into two groups: a group of topics that are only relevant to IAS and a group of topics that are distributed through other KAs. The topics in the first group were organised in eleven knowledge units (KUs), which are listed in the first column of Table 1. Table 1 also shows the distribution of hours throughout core tier-1 and core tier-2 topics. The guidelines recommend that programs should include all core tier-1 topics, all or almost all core tier-2 topics, and a significant number of elective topics. In sum, core tier-1 topics are covered with a total of 3 h, which represents 1.8% of the total number of hours, whereas core tier-2 topics are covered with 6 h, representing 4.2% of the program.

Table 1 - IAS KUs and their distribution into core tier-1 and core tier-2 hours.

| IAS KUs | Core tier-1 hours | Core tier-2 hours | Includes electives |
|---|---|---|---|
| Foundational Concepts in Security | 1 | | N |
| Principles of Secure Design | 1 | 1 | N |
| Defensive Programming | 1 | 1 | Y |
| Threats and Attacks | | 1 | N |
| Network Security | | 2 | Y |
| Cryptography | | 1 | N |
| Web Security | | | Y |
| Platform Security | | | Y |
| Security Policy and Governance | | | Y |
| Digital Forensics | | | Y |
| Secure Software Engineering | | | Y |

Table 2 lists the other KAs through which IAS topics were distributed. These KAs are covered with additional lecturing hours: 32 h (19.4% of total) for core tier-1 topics and 31.5 h (22% of total) for core tier-2 topics.

Table 2 - KAs which address IAS topics and their distribution into core tier-1 and core tier-2 lecturing hours.

| KA | Core tier-1 hours | Core tier-2 hours | Includes electives |
|---|---|---|---|
| Architecture and Organization | | 1.5 | Y |
| Human Computer Interaction | 1 | | Y |
| Information Management | 0.5 | 0.5 | Y |
| Intelligent Systems | | | Y |
| Networking and Communications | 1.5 | 5 | |
| Operating Systems | 3 | 7.5 | Y |
| Platform-based Development | | | Y |
| Parallel and Distributed Computing | 3 | 1 | Y |
| Programming Languages | 2.5 | 6 | Y |
| Software Development Fundamentals | 9 | | |
| Software Engineering | 2 | 6.5 | Y |
| Systems Fundamentals | 4.5 | 3 | |
| Social Issues and Professional Practice | 5 | 0.5 | Y |

In 2013, the recommendations in the report of the workshop on cybersecurity education and training stated that the Core Leadership Group (with one dissension) felt that it was premature to produce curriculum guidelines beyond CS2013, as they considered that cybersecurity was an immature and ill-defined subject at that time (McGettrick 2013; McGettrick, Cassel, Dark, Hawthorne, & Impagliazzo 2014).
Meanwhile, to promote higher education and research in cyber defence, and to train professionals with cyber defence expertise, the National Security Agency (NSA) and the Department of Homeland Security (DHS) through the National Information Assurance Education and Training Programs defined the requirements that should be met by academic programs seeking to receive the designation of a National Center of Academic Excellence in Cyber Defense Two-Year Education Program (CAE2Y) or the designation of a National Center of Academic Excellence in Cyber Defense Education Program (CAE-CDE). They defined core KUs for two-year-long programs as well as core and optional KUs for four-year-long programs (NSA/DHS, 2013). In addition, they defined focus areas (with a set of optional KUs), which institutions could take advantage of to differentiate themselves (NSA/DHS, 2013a).
Table 3 outlines how the core topics of the ACM IAS KUs are covered by the CAE-CDE core KUs. The topics of both sets of KUs were analysed to determine the CAE-CDE KUs that cover each ACM IAS KU topic. For instance, five core-tier-1 topics of the Foundational Concepts in Security IAS KU are covered by three CAE-CDE core KUs: the IA Fundamentals which covers three topics, the Cyber Defense which covers one, and the Policy, Legal, Ethics, and Compliance which covers another one. All the CAE-CDE core KUs presented in Table 3 are included in the CAE2Y program curriculum, except the Network Defense KU, which belongs to the CAE-CDE program.

Table 3 - IAS KUs of ACM vs. CAE-CDE core KUs.

| ACM IAS KUs with core-tier-1 and core-tier-2 topics | CAE-CDE core KUs |
|---|---|
| IAS/Foundational Concepts in Security (5 core-tier-1 topics) | IA Fundamentals (3 core-tier-1 topics); Cyber Defense (1 core-tier-1 topic); Policy, Legal, Ethics, and Compliance (1 core-tier-1 topic) |
| IAS/Principles of Secure Design (7 core-tier-1 topics + 6 core-tier-2 topics) | Fundamental Security Design Principles (5 core-tier-1 topics + 3 core-tier-2 topics) |
| IAS/Defensive Programming (5 core-tier-1 topics + 2 core-tier-2 topics) | Basic Scripting or Introductory Programming (1 core-tier-1 topic); Systems Administration (1 core-tier-2 topic) |
| IAS/Threats and Attacks (4 core-tier-2 topics) | Cyber Threats (4 core-tier-2 topics) |
| IAS/Network Security (4 core-tier-2 topics) | Cyber Defense (2 core-tier-2 topics); Network Defense (1 core-tier-2 topic) |
| IAS/Cryptography (3 core-tier-2 topics) | Intro to Cryptography (3 core-tier-2 topics) |

By analysing this table, we conclude that the core topics of three ACM IAS KUs are totally covered by the CAE-CDE KUs, whereas the topics of two of them are almost covered. However, the CAE2Y and CAE-CDE curricula do not include, in a meaningful way, the IAS/Defensive Programming KU. Indeed, despite the fact that Basic Scripting and Programming KUs cover some of its topics, this coverage is not sufficiently deep. This drawback can, however, be minimised through optional KUs, which are listed in Table 4. In fact, the topics of the IAS/Defensive Programming KU are scattered over the following optional KUs: Secure Programming Practices, Database Management Systems, Operating Systems Theory, and Supply Chain Security.

Table 4 - Optional KUs.

Advanced Cryptography
Advanced Network Technology and Protocols
Algorithms
Analog Telecommunications
Cloud Computing
Cybersecurity Planning and Management
Data Administration
Data Structures
Database Management Systems
Digital Communications
Digital Forensics (Device Forensics, Host Forensics, Media Forensics, Network Forensics)
Embedded Systems
Forensic Accounting
Formal Methods
Fraud Prevention and Management
Hardware Reverse Engineering
Hardware/Firmware Security
IA Architectures
IA Compliance
IA Standards
Independent/Directed Study/Research
Industrial Control Systems
Intro to Theory of Computation
Intrusion Detection
Life-Cycle Security
Low-Level Programming
Mobile Technologies
Network Security Administration
Operating Systems Hardening
Operating Systems Theory
Overview of Cyber Operations
Penetration Testing
QA / Functional Testing
RF Principles
Secure Programming Practices
Security Program Management
Security Risk Analysis
Software Assurance
Software Reverse Engineering
Software Security Analysis
Supply Chain Security
Systems Programming
Systems Certification and Accreditation
Systems Security Engineering
Virtualisation Technologies
Vulnerability Analysis
Wireless Sensor Networks

Finally, Table 5 lists the focus areas defined by NSA/DHS. Each focus area has a set of required optional KUs. For instance, the Secure Software Development focus area requires the following optional KUs: Algorithms, Data Structures, Formal Methods, Secure Programming Practices, Software Assurance, Software Security Analysis, and Vulnerability Analysis.

Table 5 - NSA/DHS focus areas.

Cyber Investigations
Data Management Systems Security
Data Security Analysis
Digital Forensics
Health Care Security
Industrial Control Systems - SCADA Security
Network Security Administration
Network Security Engineering
Secure Cloud Computing
Secure Embedded Systems
Secure Mobile Technology
Secure Software Development
Secure Telecommunications
Security Incident Analysis and Response
Security Policy Development and Compliance
Systems Security Administration
Systems Security Engineering

In 2015, the ACM Education Board recognised the urgent need to define a cybersecurity curricular guidance and promoted the Joint Task Force (JTF) on Cybersecurity Education, which put together the major international computing societies: Association for Computing Machinery (ACM), IEEE Computer Society (IEEE CS), Association for Information Systems Special Interest Group on Security (AIS SIGSEC), and International Federation for Information Processing Technical Committee on Information Security Education (IFIP WG 11.8). In 2017, the JTF published the Cybersecurity Curricula 2017 - Curriculum Guidelines for Post-Secondary Degree Programs in Cybersecurity (CSEC2017) (JTF on Cybersecurity Education, 2017a, 2017b).
The CSEC2017 defines cybersecurity as 'a computing-based discipline involving technology, people, information, and processes to enable assured operations in the context of adversaries. It involves the creation, operation, analysis, and testing of secure computer systems. It is an interdisciplinary course of study, including aspects of law, policy, human factors, ethics, and risk management'.
The CSEC2017 defines six KAs: Data Security, Software Security, System Security, Human Security, Organizational Security, and Societal Security. These KAs are aligned with the entities to be protected: data (at rest and in transit), software, systems, individuals, organisations, and society.
The Data Security KA is focused on achieving confidentiality of information and on preserving data and origin integrity. Its KUs include cryptography, confidentiality, and data integrity. This KA includes all the topics (core and electives) of two CS2013 IAS KUs: Foundational Concepts in Security and Cryptography (as shown in Table 6). Compared with the CAE-CDE, the Data Security KA also covers all of the topics of three of its KUs: IA Fundamentals, Introduction to Cryptography, and Advanced Cryptography (as shown in Table 7).
The Software Security KA aims at developing and using software applications that preserve the security properties of the information and systems they protect. This area covers high-assurance software, secure software development, deployment, and maintenance, software reverse engineering, and malware analysis. This KA includes almost all of the topics (core and electives) that are scattered throughout three of the CS2013 IAS KUs: Principles of Secure Design, Defensive Programming, and Secure Software Engineering (Table 6). However, it does not mention the 'Correct usage of third-party components' and 'Effectively deploying security updates' topics of the Defensive Programming KU. Considering CAE-CDE KUs, the Software Security KA comprises the topics of three KUs: Fundamental Security Design Principles, Secure Programming Practices, and Software Assurance (Table 7). In addition, this KA includes the topics of Exception Handling, Error Handling, and Randomness.
The main goal of the System Security KA is to establish and maintain the security properties of systems, including those of interconnected components. Its KUs include: availability, authentication, access control, secure system design, reverse engineering, cyber physical systems, digital forensics, supply chain management, and computer network defense. This KA covers the topics of the following CS2013 IAS KUs: Network Security (only the core topics) and Digital Forensics (this KU only has elective topics), as presented in Table 6. It also includes two additional topics: reverse engineering, and cyber physical systems. Moreover, all of the topics of the System Security KA are covered by CAE-CDE KUs, although distributed over a larger set of KUs (Table 7).
While these three KAs provide a more technical perspective, the other three KAs make evident the interdisciplinary nature of cybersecurity by including aspects of law, policy, human factors, ethics, and risk management.
The Human Security KA is focused on protecting personal data of individuals, and it includes identity management, social engineering, privacy, and security on social networks. The Organizational Security KA comprises subjects related to the protection of organisations from cybersecurity threats and to risk management. It includes risk management, mission assurance, disaster recovery, business continuity, security evaluations and compliance, organisational behaviour as it relates to cybersecurity, employee training, and intelligence. The Societal Security KA covers aspects of cybersecurity that can affect society and it comprises cybercrime, cyber law, ethics, policy, intellectual property, professional responsibility, social responsibility, and cultural and international considerations. It is in these three KAs that it is possible to observe a more significant evolution. Despite the fact that CS2013 already covers some of these topics, they are scattered over KUs of different KAs, such as the Security Policy and Governance IAS KU, the Security Policies, Laws and Computer Crimes KU of the Social Issues and Professional Practice (SP) KA, and the Human Factors and Security KU of the Human Computer Interaction (HCI) KA. In addition, some topics, such as security of social networks, analytical tools, cybersecurity planning, and risk management, are missing from KUs of CS2013. Considering the KUs of CAE-CDE, the situation is similar but they already include the topics of cybersecurity planning, and risk management (Table 6 and Table 7 present these mappings).
The contents of the Threats and Attacks CS2013 IAS KU are scattered throughout the various CSEC2017 KAs. For instance, the System Security KA includes attacks to availability, whereas the Human Security KA includes social engineering. Finally, the Web Security and the Platform Security 2013 IAS KUs are not explicitly included in any CSEC2017 KA although their contents are partially covered by the first three CSEC2017 KAs in Table 6.

Table 6 - CSEC 2017 KAs vs. CS2013 KA/KU.

| CSEC2017 KAs | CS2013 KA/KU |
|---|---|
| Data Security | IAS/Foundational Concepts in Security; IAS/Cryptography |
| Software Security | IAS/Principles of Secure Design; IAS/Defensive Programming; IAS/Secure Software Engineering |
| System Security | IAS/Network Security; IAS/Digital Forensics |
| Human Security | IAS/Security Policy and Governance; SP/Security Policies, Laws and Computer Crimes; HCI/Human Factors and Security |
| Organizational Security | IAS/Security Policy and Governance; SP/Security Policies, Laws and Computer Crimes |
| Societal Security | IAS/Security Policy and Governance; SP/Security Policies, Laws and Computer Crimes |

Table 7 - CSEC 2017 KAs vs. CAE-CDE KUs.

| CSEC2017 KAs | CAE-CDE KUs |
|---|---|
| Data Security | IA Fundamentals; Introduction to Cryptography; Advanced Cryptography |
| Software Security | Fundamental Security Design Principles; Secure Programming Practices; Software Assurance |
| System Security | IA Fundamentals; IA Architectures; Intrusion Detection/Prevention Systems; Cyber Defense; Software Reverse Engineering; Digital Forensics; Industrial Control Systems |
| Human Security | Vulnerability Analysis; Cyber Threats |
| Organizational Security | Policy, Legal, Ethics and Compliance; Cybersecurity Planning and Management; Security Program Management; Security Risk Analysis |
| Societal Security | Policy, Legal, Ethics, and Compliance |

In the next section, we analyse cybersecurity master programs and how they are organised to train the cybersecurity workforce.

4 Analysis of Cybersecurity Master Programs


Master-level programs in cybersecurity are now widely offered by universities worldwide. However, their target candidates as well as duration and program structure slightly differ, as shown by the analysis that is presented in this section.

4.1 Sample selection


This study was based on 21 master programs, whose selection criteria were: the designation of the master program includes the keywords cybersecurity or 'Cyber Security', the programs are led by universities belonging to the top 700 universities according to the 2017 ranking of QS World Ranking of Universities (QS Top Universities, 2017), and the universities are spread across different countries. Thus, in our analysis we considered seven universities from the top hundred, six from the second hundred, two from the third hundred, four from the fourth hundred, and two from the seventh hundred. Concerning geographical locations, ten universities were from the USA, five from the United Kingdom (UK), and one from each of the following countries: Australia, New Zealand, Estonia, the Netherlands, Israel, and Spain.
The universities that were considered in our study, together with links to the webpages of their master programs in cybersecurity, were:
4TU, which is a consortium of four leading universities in the Netherlands: Delft University of Technology, University of Twente, Wageningen University and Eindhoven University of Technology (4TU.Federation, 2017);
The Ben-Gurion University of the Negev, which is an interdisciplinary research university in Israel (Ben-Gurion University of the Negev, 2017);
Boston University, which is a more than 150-year-old university in the USA (BU Computer Science, 2017);
Charles III University of Madrid, which is a relatively small, innovative, and public university in Spain (Universidad Carlos III de Madrid, 2017);
City, University of London, which is a university in the United Kingdom, 'committed to academic excellence, focused on business and the professions' (City, University of London, 2017);
The George Mason University, which is the largest public research university in the state of Virginia in the USA (George Mason University, 2017);
The Johns Hopkins University, which is ' e-search university', located in Baltimore, state of Maryland in the USA (Johns Hopkins, 2017);
Lancaster University, which is ranked among the top 10 of all three major UK universities league tables (Lancaster University, 2017);
New York University (Polytechnic School of Engineering), which is one of the largest private universities in the USA, founded in 1831 (New York University, 2017);
Pennsylvania State University, which is an over 150-year-old university in the state of Pennsylvania in the USA (PennState, 2017);
, which belongs to the UK top ten research-intensive , 2017). Its Centre for Secure Information Technologies (CSIT) is responsible for cybersecurity teaching (Centre for Secure Information Technologies, 2017);
Tallinn University of Technology, which is the only technological university in Estonia (Tallinn University of Technology, 2017);
The George Washington University, which is a research university located in Washington, DC, USA (The George Washington University, 2017);
The University of Waikato in New Zealand, which belongs to the 100 'most international' universities in the world (The University of Waikato, 2017);
The University of Warwick in the UK, which was established in 1961 and received its Royal Charter of Incorporation in 1965 (The University of Warwick, 2017);
The University of Maryland, College Park, which was founded on 6 March 1856 as Maryland Agricultural College (University of Maryland, 2017);
The University of South Australia, which was initiated in 1991 on a basis of the South Australian Institute of Technology, located in Adelaide and Whyalla (University of South Australia, 2017);
The University of Southampton, which is a research-intensive university in the UK (University of Southampton, 2017);
The University of Southern California, which is one of the
the heart of Los Angeles (University of Southern California, 2017);
The University of York, UK, which was opened in 1963 (University of York, 2017);
Washington University in St. Louis, USA, founded in 1853, which is now a partner of 30 research universities around the world (Washington University in St. Louis, 2017).
Our analysis of the master programs in cybersecurity offered by these universities starts with the analysis of their admission requirements, as described in the next section.

4.2 Admission requirements


Almostallofthe analysed master programsrequired candidatesto have a bach-
elor degree in computer science or equivalent, such as information systems, soft-
ware engineering, computer engineering, mathematics, or statistics. The multidis-
ciplinary nature of cybersecurity master programs justifies the admission of
candidates with different backgrounds (see for instance the admission require-
ments of the Pennsylvania State University). In addition, Ben-Gurion University
of The Negev , the Univer-
sity of Waikato, and the George Washington University, for instance, define re-
quirements on the minimalgrades candidates should have.
Some universities go a step forward and state the required background
knowledge. It may include algebra, calculus, computer programming, networks,
theory of computation, operating systems, and Linux. The Johns Hopkins Univer-
sity presents detailed information on background requirements: prior education of
candidates should include one year of calculus; one mathematics course beyond
calculus (e.g. discrete mathematics, linear algebra, or differential equations); a
programming course in Java or C++; a course in data structures; and a course in
computer organisation. Despite the requirements of the Johns Hopkins University
being focused on academic knowledge that is obtained through courses, almost all
the analysed universities state that they will also consider applicants who gained
knowledge through professional experience. Indeed, professional experience is
generally considered and it can even be used to justify the admission of candidates
with bachelor degrees in other areas. The Pennsylvania State University and the
George Mason University recommend a minimum of five years of relevant professional
experience.
City, University of London, the 4TU.Federation, and the Johns Hopkins Uni-
versity offer alternatives for candidates who do not satisfy their admission re-
quirements, such as completing specific undergraduate courses.
Finally, proficiency in the English language is a prerequisite for all universities.
To sum up, master programs in cybersecurity are very specialised programs
and to be able to focus on security aspects applicants should have background
knowledge in mathematics and computer science, which can be obtained by taking
academic courses or through professional experience.

4.3 Duration of programs


Considering the set of master programs we analysed, almost all of them last for
one to two years, on a full-time basis. Exceptions are Washington University in St.
Louis, which offers a part-time master program that lasts at least two years and a
half, and the Pennsylvania State University that also offers a part-time program
with two years. The Queen's University Belfast has one-year and two-year options,
depending on whether the students are engaged in a professional internship.
As universities structure their master programs by defining the number of
points, units, or ECTS that should be obtained by students, the duration of programs
is not mandatory. Some universities offer a part-time option, which in practice,
is materialised as a lower fee. However, some universities define the maximal
allowable durations of studies for completing their programs. For instance, Boston
University states that its program should be completed within three years, whereas
the Johns Hopkins University defines that the 10 courses of the program must be
completed within five years.

4.4 Structure of programs


Almost all the analysed master programs have 60 ECTS or 30 American credits
per year, approximately. The number of courses varies from 6 to 14, excluding the
individual research project. The Queen's University Belfast offers a one-year-long
master program with six courses, which can be extended with a Professional Internship
to a two-year-long full-time program, while the two-year-long master
program of the University of South Australia includes 14 courses. However, most
of the analysed master programs have between 8 and 10 courses, per year.
When analysing the flexibility of study plans, they mainly differ in the percentage
of core courses. For instance, the University of York, the Queen's University
Belfast, the Lancaster University, the George Washington University, and the
University of South Australia have master programs that only include core cours-
es, giving no choice to students. However, master programs of Washington Uni-
versity in St. Louis and Boston University have no core courses. Students define
their study plans, choosing courses from pre-defined sets and ensuring they satisfy
the program requirements. Between extremes, we can find master programs that
include core and elective courses. This way, one can assure the program character
through the subjects all students learn in core courses, while enabling students to
complement or specialise their knowledge by choosing elective courses. Indeed,
some universities explicitly define the specialisations or tracks students can take
by choosing a set of elective courses. For instance, in the Tallinn University of
Technology, students can choose different elective courses to specialise in organisational
(law, organisation, psychology, and standards) or technological (networking,
attack/defence technology, and cryptography) aspects of security. Instead of
specialisations, the University of Warwick offers two different master programs,
the master in Cyber Security Engineering and the master in Cyber Security and
Management. The Johns Hopkins University requires students to choose a track
(analysis, networks, or systems) and to take at least three courses from the selected
track. Finally, the Charles III University of Madrid defines two routes and students
choose elective courses depending on the route they prefer. The Systems Security
Engineering route focuses on the specification, design and development, imple-
mentation and maintenance of secure systems, whereas the Cybersecurity Analyst
route focuses on the systems security analysis.
Considering final projects (thesis or capstone projects), our sample includes
master programs with mandatory final projects, as well as master programs where
students can attend one or more courses instead of executing the final project. The
workload of final projects varies from three American credits to 45 ECTS. In City,
University of London, final projects last 14 weeks (or 600 h). However, their duration
can be extended to up to six months in case they are performed in industrial or research
placements. In the -year-long
master programs with professional internship can perform a professional internship
for one year. Nonetheless, the most common duration of final projects of
the analysed master programs is one semester, the third one, which is the summer
semester in one-year-long master programs. In City, University of London and in
, final projects of master programs can be per-
formed in industry.

4.5 Contents of courses


The analysis we present in this section is organised according to the CSEC2017
KAs and their respective KUs.
The Data Security KA includes cryptography, confidentiality, and data integri-
ty, as KUs. Almost all the analysed master programs have a course to cover the
topics of these KUs, whose designation is cryptography, applied cryptography, or
data protection. The other ones include the topics of these KUs in wider courses,
such as, for instance, the course on the Information, Security and Privacy of the
New York University, which also covers operating systems security, malicious
code, security-policy formation and enforcement, vulnerability analysis, and system
security evaluation. More advanced topics of this KA, such as quantum cryptography,
are covered within optional advanced cryptography courses.
The Software Security KA has four KUs: high assurance software, secure soft-
ware development, deployment, and maintenance, software reverse engineering,
and malware analysis. The secure software development KU includes topics on
defensive programming and secure software engineering. Considering the wide
range of topics in this KA, they are covered by four main subjects/courses:
defensive programming - this topic is covered, for in-
stance, by the Software Security mandatory course of
the 4TU.Federation and by the Software Systems Exploi-
tation mandatory course of the Charles III University of
Madrid. In addition, focusing on one language, the New
York University offers the Application Security mandatory
course on writing secure distributed programs in Java
and the University of Maryland offers the Secure Programming
in C mandatory course.
secure software engineering - this topic can be included
as a mandatory course (for instance, the software assur-
ance course offered by ,
as a mandatory course only for one of the specialities of
the master program (in the Charles III University of Ma-
drid, the system security engineering course is mandato-
ry only for the secure system route), or simply as an op-
tional course.
reverse engineering - only three master programs of the
analysed sample offer a specific course in this KU. In the
4TU.Federation and in the University of Maryland pro-
grams, these are elective courses, whereas in the Johns
Hopkins University program, the course is mandatory on-
ly for the analysis track. George Mason University has a
course that includes both reverse engineering and mal-
ware.
malware - there are five master programs that offer
courses on malware, namely Boston University, the
Charles III University of Madrid, the Queen's University
Belfast, the Tallinn University of Technology, and the
University of York.
The System Security KA is considered a broad area and includes the following KUs:
availability, authentication, access control, secure system design, reverse engineering
(which is also a KU of the Software Security KA), cyber physical systems, digital
forensics, supply chain management, and computer network defence. The most
common course that covers topics in this KA is network security. Most master
programs also include a digital forensics course. In addition, we find many different
courses covering topics in systems security, such as cyber physical systems,
identification and authentication, biometrics, security of operating systems, mobile
security, intrusion detection, and defensive hacking or penetration testing. Most of
these courses are offered as elective courses or as mandatory courses only in a
specific track or route.
The Human Security KA is focused on aspects related to privacy of individuals.
Its KUs are: identity management, social engineering, privacy, and security of social
networks. Within the analysed master programs, we only find two specific
courses on privacy whose contents intersect with the topics in this KA: the
Privacy-Enhancing Technologies course offered by the 4TU.Federation and the Privacy
in the Digital Age course offered by the Washington University in St. Louis. Despite
the fact that none of them explicitly include aspects related to social engineering
and social networks, they cover, for instance, the subject of anonymity.
While the Human Security KA focuses on protecting individuals, the Organizational
Security KA focuses on protecting organisations. Its KUs are risk management,
mission assurance, disaster recovery, business continuity, security evaluations
and compliance, organisational behaviour as it relates to cybersecurity,
employee training, and intelligence. Within the analysed master programs, we find
different ways to organise these KUs in courses. For instance, the Pennsylvania
State University offers the Information Security Management course that covers
almost all of these KUs. In addition, there are courses focusing on some specific
topics, such as risk management (the Cyber Risk Management course offered by
the 4TU.Federation and the Information System Risk Management course offered
by the Lancaster University), disaster recovery, business continuity, security evaluations
and compliance (the Cyber Security Management and Administration
course offered by the Charles III University of Madrid and the Information System
Security Management course offered by the Lancaster University), and data ana-
lytics (the Cyber Data Analytics course offered by the 4TU.Federation). The ex-
amples of courses listed are not exhaustive.
Finally, the Societal Security KA includes the following KUs: cybercrime,
cyber law, ethics, policy, intellectual property, professional responsibility, social
responsibility, and global impacts. Almost all of the master programs include a
course that covers the KUs in this KA. Considering more specific courses, for in-
stance, the 4TU.Federation and the George Washington University offer elective
courses on cyber law, and the George Washington University also offers an elec-
tive course on ethics, policy, and intellectual property. In addition, the Tallinn
University of Technology offers a course named 'History of Art of War: From Ancient
World to Network-Centric Warfare', and the University of Southampton offers
an elective course 'Criminal Behaviour - Applied Perspectives' (cyber security).
When considering cybersecurity master programs without a specific focus
(such as those on network security) that include mainly core courses on security,
we conclude that most of them have two semesters with lessons and their program
structure includes:
One core course from the Data Security KA, the cryptog-
raphy course;
One or two core courses from the Software Security KA,
from the following list: defensive programming, secure
software engineering, and malware;
One or two core courses from the System Security KA,
with preference to network security, followed by the
digital forensics course;
One or two courses from the Organizational Security KA,
with no course preference; and
One course from the Societal Security KA.

4.6 Requirements for completion


In most of the analysed master programs, there are two requirements that must
be fulfilled to achieve graduation. The first is associated with completion of the
appropriate number of courses. For example, at Boston University, the specialisation
in cybersecurity requires eight graduate courses, 32 credits, including at least
five core courses, meeting the same requirements as those of the Master in Computer
Science. In addition, among the grades received for the five core courses, the
number of B- grades must not be greater than the number of B+ grades or higher.
No grade lower than B- may be used for graduate credits. In the George Mason
University, the program requires 30 credits, comprising nine credits for core
courses, 18 credits for concentration courses, and three credits for a capstone
course.
The second requirement for completion relates to the preparation of some kind
of written report or thesis. In most cases, students at the end of the program should
prepare a master thesis concerning studied subjects. This work is done under the
supervision of a university faculty staff and must be approved by the university.
However, some programs, especially those directed to cybersecurity professionals,
introduce other possibilities to end the course by doing research projects, without
writing a dedicated thesis. In some cases, these projects could be performed in
places other than the degree-granting university. For example, City, University of
London allows projects to be performed in industry or other research organisations. The
minimal project should last 600 h; however, if performed in the industry it could
be extended up to six months.

4.7 Evolution
To analyse the evolution of the programs, we followed three strategies: 1) we
contacted, by email, the directors of the programs and asked them to answer some
questions related to the evolution of their programs; 2) we visited the websites of
the programs between April 2017 and May 2017 and again in September 2017, to
assess recent program changes; and 3) we collected information about past ver-
sions of program webpages by querying an Internet archive
(https://archive.org/).
The inquiry was aimed at obtaining the following information: year
of the program creation; motivation for creating the program; restructurings (number,
time, motivation, and scope); evolution of course contents; and the number of
students enrolled in the program. We received seven responses to our inquiries,
which formed the basis of our analysis, complemented with the information we
extracted from websites (current and past versions).
Our analysis allows us to conclude that most of these programs were created recently,
between 2013 and 2015, with a few exceptions, the oldest program having
originated in 2007 (Johns Hopkins University). Some programs emerged as tracks
in previously existing programs in computer science or information systems (for
instance, Johns Hopkins University), whereas others were designed from scratch
(for instance, Charles III University of Madrid, George Mason University, Lancaster
University, and the Pennsylvania State University). Four directors mentioned
that the creation of their programs was motivated by the existence of significant
expertise in the field affiliated with the department. This is the case of the Infor-
mation Sciences and Technology Department at George Mason University, where
cybersecurity was always one of the main research fields. The same happened
with City, University of London. Market demand was another reason given as a
motivation for creation of these programs.
Two types of program revisions were identified: revisions of the courses con-
tents and revision of the program structure. The contents of courses were revised
to follow recent developments in the field, to adjust the taught material, or to reduce
the amount of overlapping material. For instance, at the Ben-Gurion University
of the Negev, only revisions of the courses contents have been made.
Revisions of the programs structure were less substantial, such as adding or
removing elective courses, or more substantial, such as changing core courses.
A common observation for programs including elective courses is that their
catalogues were often updated every year/semester, as was the case with the master
program offered by the Boston University, as announced on the
website. This may happen in accordance with the catalogue of elective courses offered
by the department leading the program or other collaborations, which often
depends on the availability of faculty members and their sabbatical leaves. As a
new trend in cybersecurity courses, the subject Quantum Computation has
emerged, being offered as an elective course at the Johns Hopkins University and
at the 4TU.Federation.
At City, University of London, the program was revised in its third running
year 2016/2017 to include more security elective choices, while removing one of
the core modules. The program offered by the Pennsylvania State University, created
in 2009, has already undergone two revisions, and is currently in the third one, slated
to be effective for fall 2018.
The reasons for restructuring were diverse: for accreditation (Lancaster University),
to take into account feedback from the students and external examiners
(City, University of London), or to take advantage of faculty research interests and
expertise.
Concerning the number of students enrolled in the programs, we observed that
these numbers are rather different. Nevertheless, all the respondent directors stated
that the demand has been continuously increasing.

5 Conclusion
The increasing need for cybersecurity workforce, today, is an unavoidable
problem. In the last years, we have witnessed the evolution and maturation of the
discipline of cybersecurity, as we can perceive, for instance, by the ACM efforts
since the inclusion of the Information Assurance and Security KA into the com-
puter science curricula guidelines until the recent definition of the cybersecurity
curricular draft guidance. Meanwhile, universities have proposed undergraduate as
well as graduate cybersecurity programs.
Considering the relevance of more specialised higher education programs in
cybersecurity, we analysed cybersecurity master programs of top-ranking universities
to identify, mainly, which cybersecurity topics they cover and how they distribute
these topics through courses. In addition, we reviewed the cybersecurity
discipline to reach the baseline of our analysis. Within this review, we noticed the
increasing importance of less technological areas, such as the KAs of human, organisational,
and societal security; this is one of the main conclusions of our
work.
Another main conclusion of our findings is that the broad-spectrum cybersecurity
master programs that include mainly core courses on security are in alignment
with the 2017 JTF curriculum guidelines for cybersecurity post-secondary programs,
including at least one or two courses from the six ACM KAs. In addition,
some programs offer a personalised curriculum through the selection of more specialised
or advanced elective courses. Some elective courses are very peculiar, for
example, the course History of Art of War: from Ancient World to Network-Centric
Warfare, offered by the Tallinn University, the course Criminal Behaviour
- Applied Perspectives (Cyber Security), offered by the University of Southampton,
or the course Industrial Espionage and Counterfeiting, offered by the University
of Warwick. Moreover, new elective courses are used to cover more topical
subjects, such as Quantum Computation or, predictably, soon, Blockchain and
Distributed Ledger Technology.
To remain up to date with the developments in the area and market needs, cy-
bersecurity master programs evolve, which includes updating the contents of their
courses as well as changing the structure of programs to incorporate more specific
security courses into the set of core courses and to offer more elective courses. We
point out that this evolution has been aligned with the available faculty and expertise.
To conclude, we elaborate on the current labour market for master cybersecurity
specialists and their future expectations. First, even more than other fields, the
market is characterised by employee mobility and remote work. Second, many cybersecurity
experts and remote workers serve in geographical areas and countries
other than those of their native universities. The core knowledge obtained during
studies is universal and suitable for any professional and for any geography. However,
there are some topics, such as cybersecurity legal regulations, private data
protection rules, protection of intellectual property, and ethical hacking legal as-
pects, that can vary widely across countries. Because cybersecurity specialists in
their professional work are often approaching the thin line between legal and illegal
activities, moving between countries (and legal regulatory systems), they can
easily fall into trouble. Finally, master studies in cybersecurity, in addition to general
academic and practical professional skills and competences in the domain
(Furnell et al., 2017) t-
ed to a wider security culture.
As far as we know, our work is the first that analyses the evolution and maturation
of the cybersecurity discipline (from higher education needs point of view)
and that fills the gap in the literature regarding the analysis of existing cybersecurity
master programs and their alignment with the ACM and the JTF curriculum
guidelines.

Acknowledgments
We would like to thank program directors who kindly answered our inquiry
and reviewers for their comments.
This work was supported by the European Commission [grant number 2014-1-
LU01-KA203-000034] and by FCT [grant numbers UID/MAT/04561/2013,
UID/CEC/00408/2013].

References
4TU.Federation (2017). Cyber Security. https://www.4tu.nl/cybsec/en/. Accessed 15 March
2017.
Albert, R. T., Bennett, C., Briggs, D., Ebben, M., Felch, H., Kokoska, D., et al. (2015). Experi-
ences with establishment of a multi-university center of academic excellence in information
assurance/cyber defense. In Proceedings of the International Conference on Security and
Management (SAM), Las Vegas.
Ben-Gurion University of the Negev (2017). M.Sc. in Information Systems Engineering with
Specialization in Cyber Space Security. http://in.bgu.ac.il/en/engn/ise/Pages/
Cyber_Space_Security_En.aspx. Accessed 15 March 2017.
Bicak, A., Liu, X. M., & Murphy, D. (2015). Cybersecurity Curriculum Development: Introduc-
ing Specialties in a Graduate Program. Information Systems Education Journal, 13(3), 99.
BU Computer Science (2017). MS in CS with a specialization in cyber security. Retrieved from
http://www.bu.edu/cs/ms-in-cs-with-a-specialization-in-cyber-security. Accessed 15 March
2017.
Centre for Secure Information Technologies (2017). Msc Applied Cyber Security.
http://www.csit.qub.ac.uk/EducationatCSIT/MSc-Applied-Cyber-Security. Accessed 15
March 2017.
Chen, H., Maynard, S. B., & Ahmad, A. (2013). A comparison of information security curricula
in China and the USA. Proceedings of the 11th Australian Information Security Management
Conference, Perth, Australia.
Cisco (2015). Mitigating the Cybersecurity Skills Shortage Top Insights and Actions from Cisco
Security Advisory Services. http://www.cisco.com/c/dam/en/us/products/collateral
/security/cybersecurity-talent.pdf. Accessed 15 March 2017.
City, University of London (2017). Cyber Security. http://www.city.ac.uk/courses/postgraduate/
cyber-security. Accessed 15 March 2017.
Frank, H. (2016). Q1 Cybersecurity snapshot: Cyber security market report market sizing & projections.
https://www.linkedin.com/pulse/cyber-security-snapshot-hope-frank. Accessed 15
March 2017.
growing need for cyber-
security skills. Computer Fraud & Security, vol.2017, no.2, pp.5-10.
George Mason University (2017). Applied Information Technology, Cyber Security Concentra-
tion (MS). http://masononline.gmu.edu/programs/applied-information-technology-cyber-
security-concentration-ms. Accessed 15 March 2017.
Grover, M., Reinicke, B., & Cummings, J. (2016). How secure is education in Information
Technology? A method for evaluating security education in IT. Information Systems Educa-
tion Journal, 14(3), 29-44.
Harris, M. A., & Patten, K. P. (2015). Using Bloom's and Webb's taxonomies to integrate emerg-
ing cybersecurity topics into a computing curriculum. Journal of Information Systems Educa-
tion, 26(3), 219-234.
Johns Hopkins (2017). Cybersecurity. https://ep.jhu.edu/programs-and-courses/programs/cyber
security. Accessed 15 March 2017.
JTF on Cybersecurity Education (2017a). Cybersecurity Curricula 2017 - Curriculum Guidelines
for Undergraduate Degree Programs in Cybersecurity. Version 0.5 Report. ACM, IEEE, AIS,
IFIP. http://www.csec2017.org. Accessed 8 September 2017.
JTF on Cybersecurity Education (2017b). Cybersecurity Curricula 2017 - Curriculum Guidelines
for Post-Secondary Degree Programs in Cybersecurity. Version 0.75 Report. ACM, IEEE,
AIS, IFIP. http://www.csec2017.org. Accessed 8 September 2017.
Lancaster University (2017). Cyber Security MSc. http://www.lancaster.ac.uk/
scc/postgraduate/taught-masters/courses/cyber-security-msc. Accessed 15 March 2017.
Malhotra, Y. (2015). Bridging Networks, Systems and Controls Frameworks for Cybersecurity
Curricula & Standards Development. NY Cyber Security & Engineering Technology Associ-
ation Conference, Oct. 22, 2015 Rochester Institute of Technology, Rosica Hall, NTID,
Rochester, New York.
McDuffie, E. L., & Piotrowski, V. P. (2014). The future of cybersecurity education. Computer,
47(8), 67-69.
McGettrick, A. (2013). Toward Curricular Guidelines for Cybersecurity: Report of a Workshop
on Cybersecurity Education and Training. ACM. http://www.acm.org/education/TowardCur
ricularGuidelinesCybersec.pdf. Accessed 15 March 2017.
McGettrick, A., Cassel, L. N., Dark, M., Hawthorne, E. K., & Impagliazzo, J. (2014). Toward
curricular guidelines for cybersecurity. In Proceedings of the 45th ACM technical symposium
on Computer science education (pp. 81-82). ACM.
Mew, L. (2016). The Information Security Undergraduate Curriculum: Evolution of a Small
Program. In Proceedings of the EDSIG Conference, Las Vegas, Nevada.
http://proc.iscap.info/2016/pdf/4071.pdf. Accessed 15 March 2017.
New York University (2017). Cybersecurity Online. http://engineering.nyu.edu/academics/
online/masters/cybersecurity. Accessed 15 March 2017.
Newhouse, B., Keith, S., Scribner, B., and Witte, G. (2016). NICE Cybersecurity Workforce
Framework (NCWF), National Initiative for Cybersecurity Education (NICE), Draft NIST
Special Publication 800-181. http://csrc.nist.gov/nice/framework/. Accessed 15 March 2017.
NSA/DHS (2013). National Centers of Academic Excellence in Cyber Defense: Knowledge
Units. https://www.iad.gov/NIETP/CAERequirements.cfm. Accessed 15 March 2017.
NSA/DHS (2013a). National Centers of Academic Excellence for Cyber Defense: Focus Areas.
https://www.iad.gov/NIETP/CAERequirements.cfm. Accessed 15 March 2017.
PennState (2017). Master of Professional Studies in Information Sciences - Cybersecurity and
Information Assurance. http://www.worldcampus.psu.edu/degrees-and-certificates/infor
mation-sciences-masters/overview. Accessed 15 March 2017.
QS Top Universities (2017). QS World University Rankings. https://www.topuniversities.com/
qs-world-university-rankings. Accessed 15 March 2017.
Applied Cyber Security. http://www.csit.qub.ac.uk/EducationatCSIT/
MSc-Applied-Cyber-Security/. Accessed 15 March 2017.
Randstad Technologies (2016). Cybersecurity Workforce Report: 12 Markets with High Demand
for Top Talent. https://www.randstadusa.com/corp/technologies/randstad_cybersecurity_report_
2016.pdf. Accessed 15 March 2017.
Sahami, M., Danyluk, A., Fincher, S., Fisher, K., Grossman, D., Hawthorne, E., Katz, R., Le-
Blanc, R., Reed, D., Roach, S. and Cuadros-Vargas, E. (2013). Computer Science Curricula
2013: Curriculum Guidelines for Undergraduate Degree Programs in Computer Science.
Association for Computing Machinery (ACM)-IEEE Computer Society.
http://www.acm.org/education/CS2013-final-report.pdf. Accessed 15 March 2017.
Setalvad, A. (2015). Demand to fill cybersecurity jobs booming. Peninsula press.
http://peninsulapress.com/2015/03/31/cybersecurity-jobs-growth. Accessed 15 March 2017.
Tallinn University of Technology (2017). Cyber Security. https://www.ttu.ee/studying/masters/
masters_programmes/cyber-security/?id=84572. Accessed 15 March 2017.
The George Washington University (2017). Master of Science in Cybersecurity in Computer Sci-
ence. https://www.cs.seas.gwu.edu/master-science-cybersecurity-computer-science. Accessed
15 March 2017.
The University of Waikato (2017). Master of Cyber Security. http://www.waikato.ac.nz/
study/qualifications/master-of-cyber-security. Accessed 15 March 2017.
The University of Warwick (2017). Cyber Security MSc Programmes.
http://www2.warwick.ac.uk/fac/sci/wmg/education/wmgmasters/courses/cyber_security/.
Accessed 15 March 2017.
Universidad Carlos III de Madrid (2017). Master in Cybersecurity.
http://www.uc3m.es/ss/Satellite/Postgrado/en/Detalle/Estudio_C/1371209197821/137121963
3369/Master_in_Cybersecurity. Accessed 15 March 2017.
University of Maryland (2017). Cybersecurity. http://advancedengineering.umd.edu/programs/
cybersecurity/masters/courses. Accessed 15 March 2017.
University of South Australia (2017). Master of Cybersecurity.
http://programs.unisa.edu.au/public/pcms/program.aspx?pageid=5882&sid=10377. Accessed
15 March 2017.
University of Southampton (2017). MSc Cyber Security. http://www.ecs.soton.ac.uk/programmes
/msc-cyber-security#modules. Accessed 15 March 2017.
University of Southern California (2017). Cyber Security Engineering (MS).
http://catalogue.usc.edu/preview_program.php?catoid=2&poid=1523&returnto=440. Ac-
cessed 15 March 2017.
University of York (2017). Msc in Cyber Security. https://www.cs.york.ac.uk/postgraduate/
taught-courses/msc-cybersecurity/#tab-2. Accessed 15 March 2017.
Washington University in St. Louis (2017). Cyber Security Management Curriculum.
https://sever.wustl.edu/degreeprograms/cyber-security-management/Pages/Cyber-Security-
Management-Curriculum.aspx. Accessed 11 May 2017.
Yang, S. C., & Wen, B. (2017). Toward a cybersecurity curriculum model for undergraduate
business schools: A survey of AACSB-accredited institutions in the United States. Journal of
Education for Business, 92(1), 1-8.
Yuan, X., Yang, L., Jones, B., Yu, H., & Chu, B. T. (2016). Secure Software Engineering Educa-
tion: Knowledge Area, Curriculum and Resources. Journal of Cybersecurity Education, Re-
search and Practice, 2016(1), Article 3.
