computers & security 75 (2018) 24–35

Available online at www.sciencedirect.com

ScienceDirect

j o u r n a l h o m e p a g e : w w w. e l s e v i e r. c o m / l o c a t e / c o s e

Cybersecurity education: Evolution of the

discipline and analysis of master programs

Krzysztof Cabaj a, Dulce Domingos b,*, Zbigniew Kotulski c, Ana Respício d

a
Institute of Computer Science, Warsaw University of Technology, ul. Nowowiejska 15/19, 00-665 Warsaw, Poland
b
LASIGE, Faculdade de Ciências, Universidade de Lisboa, Campo Grande, 1749-016 Lisboa, Portugal
c
Institute of Telecommunications, Warsaw University of Technology, ul. Nowowiejska 15/19, 00-665 Warsaw, Poland
d
CMAF-CIO, Faculdade de Ciências, Universidade de Lisboa, 1749-016 Lisboa, Portugal

A R T I C L E I N F O A B S T R A C T

Article history: As the amount of information, critical services, and interconnected computers and “things”
Received 30 June 2017 in the cyberspace is steadily increasing, the number, sophistication, and impact of cyberattacks
Received in revised form 29 are becoming more and more significant. In the last decades, governmental and non-
December 2017 governmental organisations have become aware of this problem. However, the existing
Accepted 17 January 2018 cybersecurity workforce has not been sufficient for satisfying the increasing demand for
Available online 31 January 2018 qualified cybersecurity professionals, and the shortfall will increase in the next years. Mean-
while, to address the increasing demand for cybersecurity professionals, academic institutions
Keywords: have been establishing cybersecurity programs, particularly, cybersecurity master programs.
Cybersecurity master programs This paper aims at analysing which cybersecurity topics are covered by existing
Cybersecurity discipline evolution cybersecurity master programs of top universities and how these topics are distributed through
Graduate cybersecurity education courses. It starts by reviewing the evolution and maturation of the cybersecurity disci-
Comparative study pline, focusing on the ACM efforts, which include the early addition of the Information
Cybersecurity curricula Assurance and Security Knowledge Areas to the computer science curricula and, more re-
cently, the development of curricular recommendations to support the definition of post-
secondary cybersecurity programs. These latest guidelines are used to analyse and review
21 cybersecurity master programs, focusing on the contents of their courses, structure, ad-
mission requirements, duration, requirements for completion, and evolution.
© 2018 Elsevier Ltd. All rights reserved.

has in the economy and safety of organisations and coun-

1. Introduction
The need for cybersecurity appeared in the early years of the
digital era, when the first mainframe computers were devel-
oped. As networked computers and systems have progressively
come to dominate computing and communication plat-
forms, the volume and severity of cybercrimes have increased
to an extent that cybersecurity is now an underpinning area
of computer systems. Owing to the huge impact cybercrime
tries, the importance of cybersecurity has grown to such a level
that it is now considered an independent discipline.
Currently, there is a growing concern among governments
that the cyberspace will become the next theatre of warfare.
Despite the disparate increasing prominence of the disci-
pline, the existing cybersecurity workforce cannot satisfy the
increasing demand for qualified cybersecurity professionals.
While the number and sophistication of cyberattacks in-
crease, the shortfall is expected to worsen in the next

* Corresponding author.
E-mail addresses: kcabaj@ii.pw.edu.pl (K. Cabaj), mddomingos@fc.ul.pt (D. Domingos), zkotulsk@tele.pw.edu.pl (Z. Kotulski), alrespicio@
fc.ul.pt (A. Respício).
https://doi.org/10.1016/j.cose.2018.01.015
0167-4048/© 2018 Elsevier Ltd. All rights reserved.
 computers & security 75 (2018) 24–35
years—‘the demand for the (cybersecurity) workforce is ex-
pected to rise to 6 million (globally) by 2019, with a projected
shortfall of 1.5 million’—stated Michael Brown, (former) CEO
of Symantec (Cisco, 2015; Frank, 2016; Setalvad, 2015; Randstad
Technologies, 2016). Aware of this problem, several academic
institutions worldwide have started to define and offer
cybersecurity programs to address the shortage of cybersecurity
professionals. In particular, ACM has undertaken special ini-
tiatives to develop educational programs in cybersecurity on
the post-secondary level.
This paper aims at framing the requirements for
cybersecurity master studies facing present security chal-
lenges as well as providing foundational and technical
knowledge for future security professionals. The paper starts
by reviewing the progression and maturation of the
cybersecurity discipline to envisage a framework for the re-
quired analysis. This review focuses on the ACM efforts, which
include the early addition of the Information Assurance and
Security (IAS) Knowledge Areas (KAs) to the computer science
curricula and, more recently, the promotion of the Joint Task
Force (JTF) on Cybersecurity Education to advance curricular
guidelines supporting the definition of cybersecurity post-
secondary programs (JTF on Cybersecurity Education, 2017a,
2017b). We select a sample of cybersecurity master programs
from top-ranking worldwide universities and proceed
with the analysis of these programs, considering their
formal requirements, educational contents, structure, and
evolution.
The paper is organised as follows. After the introductory
section that presents the motivation for our work, we give a
brief presentation of related work concerning investigations
on master study programs in cybersecurity. The third section
describes the evolution of cybersecurity as a domain of edu-
cation. The fourth section presents the analysis of selected
master programs in cybersecurity. First, we list the selected uni-
versities and then we provide a comparative description of their
master programs, including admission requirements, dura-
tion of studies, and description of the course of studies (such
as the program structure and specific courses, requirements
for completion, and evolution). The last section concludes the
paper with a summary of findings.
2. Related work
The related work in the area of deployment and analysis of
curricula of master programs in cybersecurity is scarce. Hence,
this section surveys the literature regarding cybersecurity master
programs as well as undergraduate programs.
In 2013, the conclusions of the report of the workshop on
cybersecurity education and training already stated that gradu-
ates of computer science programs should have taken at least
one cybersecurity course (McGettrick, 2013). Taking a step
forward, Harris and Patten (2015) described the strategy they
used to include emerging cybersecurity topics within the in-
formation technology program, without increasing the credit
requirements. Their strategy was to move most of the IAS topics,
which were taught in a single advanced security course,
to introductory and intermediate courses. This way, the
25
advanced security course could then cover emerging
cybersecurity topics.
The report of McGettrick (2013) also emphasized the im-
portance of master graduates to the cybersecurity workforce.
In the same year, Chen et al. (2013) compared graduate secu-
rity programs offered by top universities in China and in the
United States of America (USA). They concluded that the main
differences between the programs in these two countries are
that the programs in China emphasized telecommunications
security, whereas the programs in the USA assigned more im-
portance to enterprise-level security strategy, security policy,
security management, and cyber law. In addition, Malhotra
(2015) stressed the growing importance of cyber risk
management.
Few years ago, McDuffie and Piotrowski (2014) pointed out
that, despite more than 182 colleges and universities in the
USA have been designated as Centers of Academic Excel-
lence in Information Assurance Education (CAE/IAE), there
are only a few specific cybersecurity baccalaureate-level degree
programs, and these do not offer consistent curricula. Most
of these colleges offer computer science programs with some
elective cybersecurity courses as a security track. To over-
come the limitations on resources and expertise, Albert et al.
(2015) reported the experience of four universities in the Uni-
versity of Maine system that worked together to achieve the
designation of a National Center of Excellence in Cybersecurity
Education and to define a multi-university program. Mew
(2016) described the three-year-long evolution of an under-
graduate information security program of a small liberal arts
college. To keep the initial investment as low as possible, the
program started by using the courses of the already existing
information systems program and creating only one addi-
tional course. The interest of the students justified the evolution
through the addition of other new courses and modifications
of the core ones.
Grover et al. (2016) analysed the Information Technology
degree programs offered by the University of North Carolina
education system, with focus on security. They pairwise com-
pared the contents of courses in Information Technology
programs, the ACM curricula guidelines (Sahami et al., 2013),
and the requirements on the most popular certifications in
security-related fields. They aimed at assessing if IT pro-
grams met the needs of the security field as well as if the ACM
curricula guidelines met the skill/knowledge requirements of
those certifications. Yang and Wen (2017) proposed a
cybersecurity curriculum model based on the most common
core courses of 27 undergraduate cybersecurity-related
programs.
Bicak et al. (2015) presented a study of adding three spe-
cialties to the master in cybersecurity program at their
university. Their objective was to handle emerging topics as
well as to provide students with a more specialised curricu-
lum. Based on the CAE focus areas, they proposed the following
specialties: cybersecurity data analysis, cyber intelligence, and
healthcare information security and privacy.
Within a related security area, Yuan et al. (2016) surveyed
existing efforts and resources in secure software engineering
education on the graduate level. This work reviewed the pro-
posal of a Common Body of Knowledge, a reference curriculum,
and other resources.
26 computers & security 75 (2018) 24–35

Currently, there is a gap in the literature with regard to

Table 2 – KAs which address IAS topics and their
cybersecurity master programs; therefore, before analysing the
distribution into core tier-1 and core tier-2 lecturing
existing programs, in the next section, we review the evolu- hours.
tion of the cybersecurity discipline.
KA Core tier-1 Core tier-2 Includes
hours hours electives
Architecture and 1.5 Y
3. Evolution of the cybersecurity discipline Organization
Human–Computer 1 Y
Since 2011, the National Initiative for Cybersecurity Educa- Interaction
tion (NICE) has been focused on defining the NICE Cybersecurity Information Management 0.5 0.5 Y
Workforce Framework (NCWF) to provide the cybersecurity au- Intelligent Systems Y
Networking and 1.5 5
dience with a common language to define cybersecurity work
Communications
and the set of tasks and skills it requires (Newhouse et al., 2016).
Operating Systems 3 7.5 Y
In 2013, for the first time, the ACM/IEEE computer science Platform-based Y
curricula guidelines (CS2013) included the IAS KA (Sahami et al., Development
2013). These guidelines divided IAS topics into two groups: a Parallel and Distributed 3 1 Y
group of topics that are only relevant to IAS and a group of Computing
topics that are distributed through other KAs. The topics in the Programming Languages 2.5 6 Y
Software Development 9
first group were organised in eleven knowledge units (KUs),
Fundamentals
which are listed in the first column of Table 1. Table 1 also shows Software Engineering 2 6.5 Y
the distribution of hours throughout core tier-1 and core tier-2 Systems Fundamentals 4.5 3
topics. The guidelines recommend that programs should include Social Issues and 5 0.5 Y
all core tier-1 topics, all or almost all core tier-2 topics, and a Professional Practice
significant number of elective topics. In sum, core tier-1 topics
are covered with a total of 3 h, which represents 1.8% of the
total number of hours, whereas core tier-2 topics are covered
with 6 h, representing 4.2% of the program. expertise, the National Security Agency (NSA) and the Depart-
Table 2 lists the other KAs through which IAS topics were ment of Homeland Security (DHS) through the National
distributed. These KAs are covered with additional lecturing Information Assurance Education and Training Programs defined
hours: 32 h (19.4% of total) for core tier-1 topics and 31.5 h (22% the requirements that should be met by academic programs
of total) for core tier-2 topics. seeking to receive the designation of a National Center of Aca-
In 2013, the recommendations in the report of the work- demic Excellence in Cyber Defense Two-Year Education Program
shop on cybersecurity education and training stated that the (CAE2Y) or the designation of a National Center of Academic
Core Leadership Group (with one dissention) felt that it was Excellence in Cyber Defense Education Program (CAE-CDE). They
premature to produce curriculum guidelines beyond CS2013, defined core for two-year-long programs as well as core and
as they considered that cybersecurity was an immature and optional KUs for four-year-long programs (NSA/DHS, 2013). In
ill-defined subject at that time (McGettrick, 2013; McGettrick addition, they defined focus areas (with a set of optional KUs),
et al., 2014). which institutions could take advantage of to differentiate
Meanwhile, to promote higher education and research in themselves (NSA/DHS, 2013a).
cyber defence, and to train professionals with cyber defence Table 3 outlines how the core topics of the ACM IAS KUs
are covered by the CAE-CDE core KUs. The topics of both sets
of KUs were analysed to determine the CAE-CDE KUs that cover
Table 1 – IAS KUs and their distribution into core tier-1 each ACM IAS KU topic. For instance, five core-tier-1 topics of
and core tier-2 hours. the Foundational Concepts in Security IAS KU are covered by
IAS KUs Core tier-1 Core tier-2 Includes three CAE-CDE core KUs: the IA Fundamentals which covers
hours hours electives three topics, the Cyber Defense which covers one, and the Policy,
Legal, Ethics, and Compliance which covers another one. All
Foundational Concepts 1 N
in Security
the CAE-CDE core KUs presented in Table 3 are included in the
Principles of Secure 1 1 N CAE2Y program curriculum, except the Network Defense KU,
Design which belongs to the CAE-CDE program.
Defensive Programming 1 1 Y By analysing this table, we conclude that the core topics of
Threats and Attacks 1 N three ACM IAS KUs are totally covered by the CAE-CDE KUs,
Network Security 2 Y
whereas the topics of two of them are almost covered. However,
Cryptography 1 N
the CAE2Y and CAE-CDE curricula do not include, in a mean-
Web Security Y
Platform Security Y ingful way, the IAS/Defensive Programming KU. Indeed, despite
Security Policy and Y the fact that Basic Scripting and Programming KUs cover some
Governance of its topics, this coverage is not sufficiently deep. This draw-
Digital Forensics Y back can, however, be minimised through optional KUs, which
Secure Software Y are listed in Table 4. In fact, the topics of the IAS/Defensive Pro-
Engineering
gramming KU are scattered over the following optional KUs:
 computers & security 75 (2018) 24–35 27

Table 3 – IAS KUs of ACM vs. CAE-CDE core KUs.

ACM IAS KUs with core-tier-1 and core-tier-2 topics
IAS/Foundational Concepts in Security (5 core-tier-1 topics)
IAS/Principles of Secure Design (7 core-tier-1 topics + 6
core-tier-2 topics)
IAS/Defensive Programming (5 core-tier-1 topics
+ 2 core-tier-2 topics)
IAS/Threats and Attacks (4 core-tier-2 topics)
IAS/Network Security (4 core-tier-2 topics)
IAS/Cryptography (3 core-tier-2 topics)
CAE-CDE core KUs
IA Fundamentals (3 core-tier-1 topics)
Cyber Defense (1 core-tier-1 topic)
Policy, Legal, Ethics, and Compliance (1 core-tier-1 topic)
Fundamental Security Design Principles (5 core-tier-1 topics + 3
core-tier-2 topics)
Basic Scripting or Introductory Programming (1 core-tier-1 topic)
Systems Administration (1 core-tier-2 topic)
Cyber Threats (4 core-tier-2 topics)
Cyber Defense (2 core-tier-2 topics)
Network Defense (1 core-tier-2 topic)
Intro to Cryptography (3 core-tier-2 topics)

Secure Programming Practices, Database Management Systems,

Table 5 – NSA/DHS focus areas.
Operating Systems Theory, and Supply Chain Security.
Finally, Table 5 lists the focus areas defined by NSA/DHS. Cyber Investigations
Each focus area has a set of required optional KUs. For in- Data Management Systems
stance, the Secure Software Development focus area requires Security
Data Security Analysis
the following optional KUs: Algorithms, Data Structures, Formal
Digital Forensics
Methods, Secure Programming Practices, Software Assur-
Health Care Security
ance, Software Security Analysis, and Vulnerability Analysis.
In 2015, the ACM Education Board recognised the urgent need Industrial Control
to define a cybersecurity curricular guidance and promoted the Systems – SCADA Security
Joint Task Force (JTF) on Cybersecurity Education, which put Network Security Administration
together the major international computing societies:
Network Security Engineering
Secure Cloud Computing
Secure Embedded Systems
Secure Mobile Technology
Secure Software Development
Secure Telecommunications
Security Incident Analysis and
Response
Security Policy Development
and Compliance
Systems Security
Administration
Systems Security Engineering

Table 4 – Optional KUs.

Advanced Cryptography
Advanced Network Technology
and Protocols
Algorithms
Analog Telecommunications
Cloud Computing
Cybersecurity Planning and
Management
Data Administration
Data Structures
Database Management
Systems
Digital Communications
Digital Forensics (Device
Forensics, Host Forensics,
Media Forensics, Network
Forensics)
Embedded Systems
Forensic Accounting
Formal Methods
Fraud Prevention and
Management
Hardware Reverse Engineering
Hardware/Firmware Security
IA Architectures
IA Compliance
IA Standards
Independent/Directed Study/
Research
Industrial Control Systems
Intro to Theory of Computation
Intrusion Detection
Life-Cycle Security
Low-Level Programming
Mobile Technologies
Network Security Administration
Operating Systems Hardening
Operating Systems Theory
Overview of Cyber Operations
Penetration Testing
QA/Functional Testing
RF Principles
Secure Programming Practices
Security Program Management
Security Risk Analysis
Software Assurance
Software Reverse Engineering
Software Security Analysis
Supply Chain Security
Systems Programming
Systems Certification and
Accreditation
Systems Security Engineering
Virtualisation Technologies
Vulnerability Analysis
Wireless Sensor Networks
Association for Computing Machinery (ACM), IEEE Computer
Society (IEEE CS), Association for Information Systems Special
Interest Group on Security (AIS SIGSEC), and International Fed-
eration for Information Processing Technical Committee on
Information Security Education (IFIP WG 11.8). In 2017, the JTF
published the Cybersecurity Curricula 2017 – Curriculum Guide-
lines for Post-Secondary Degree Programs in Cybersecurity
(CSEC2017) (JTF on Cybersecurity Education, 2017a, 2017b).
The CSEC2017 defines cybersecurity as “a computing-
based discipline involving technology, people, information, and
processes to enable assured operations in the context of ad-
versaries. It involves the creation, operation, analysis, and testing
of secure computer systems. It is an interdisciplinary course
of study, including aspects of law, policy, human factors, ethics,
and risk management”.
The CSEC2017 defines six KAs: Data Security, Software Se-
curity, System Security, Human Security, Organizational Security,
and Societal Security. These KAs are aligned with the entities
to be protected: data (at rest and in transit), software, systems,
individuals, organisations, and society.
The Data Security KA is focused on achieving confidenti-
ality of information and on preserving data and origin integrity.
Its KUs include cryptography, confidentiality, and data integ-
rity. This KA includes all the topics (core and electives) of two
CS2013 IAS KUs: Foundational Concepts in Security and Cryp-
tography (as shown in Table 6). Compared with the CAE-CDE,
the Data Security KA also covers all of the topics of three of
its KUs: IA Fundamentals, Introduction to Cryptography, and
Advanced Cryptography (as shown in Table 7).
28 computers & security 75 (2018) 24–35

availability, authentication, access control, secure system

Table 6 – CSEC2017 KAs vs. CS2013 KA/KU.
design, reverse engineering, cyber physical systems, digital
CSEC2017 KAs CS2013 KA/KU forensics, supply chain management, and computer
Data Security IAS/Foundational Concepts in Security network defence. This KA covers the topics of the following
IAS/Cryptography CS2013 IAS KUs: Network Security (only the core topics)
Software IAS/Principles of Secure Design and Digital Forensics (this KU only has elective topics), as
Security IAS/Defensive Programming
presented in Table 6. It also includes two additional topics:
IAS/Secure Software Engineering
System Security IAS/Network Security
reverse engineering, and cyber physical systems. Moreover,
IAS/Digital Forensics all of the topics of the System Security KA are covered by
Human Security IAS/Security Policy and Governance CAE-CDE KUs, although distributed over a larger set of KUs
SP/Security Policies, Laws and Computer Crimes (Table 7).
HCI/Human Factors and Security While these three KAs provide a more technical perspec-
Organizational IAS/Security Policy and Governance
tive, the other three KAs make evident the interdisciplinary
Security SP/Security Policies, Laws and Computer Crimes
nature of cybersecurity by including aspects of law, policy,
Societal Security IAS/Security Policy and Governance
SP/Security Policies, Laws and Computer Crimes human factors, ethics, and risk management.
The Human Security KA is focused on protecting personal
data of individuals, and it includes identity management,
social engineering, privacy, and security on social networks.
The Software Security KA aims at developing and using soft-
The Organizational Security KA comprises subjects related to
ware applications that preserve the security properties of the
the protection of organisations from cybersecurity threats
information and systems they protect. This area covers high-
and to risk management. It includes risk management, mission
assurance software, secure software development, deployment,
assurance, disaster recovery, business continuity, security evalu-
and maintenance, software reverse engineering, and malware
ations and compliance, organisational behaviour as it relates
analysis. This KA includes almost all of the topics (core and
to cybersecurity, employee training, and intelligence. The So-
electives) that are scattered throughout three of the CS2013 IAS
cietal Security KA covers aspects of cybersecurity that can
KUs: Principles of Secure Design, Defensive Programming, and
affect society and it comprises cybercrime, cyber law, ethics,
Secure Software Engineering (Table 6). However, it does not
policy, intellectual property, professional responsibility, social
mention the “Correct usage of third-party components” and
responsibility, and cultural and international considerations.
“Effectively deploying security updates” topics of the Defen-
It is in these three KAs that it is possible to observe a more
sive Programming KU. Considering CAE-CDE KUs, the Software
significant evolution. Despite the fact that CS2013 already
Security KA comprises the topics of three KUs: Fundamental
covers some of these topics, they are scattered over KUs of
Security Design Principles, Secure Programming Practices,
different KAs, such as the Security Policy and Governance
and Software Assurance (Table 7). In addition, this KA in-
IAS KU, the Security Policies, Laws and Computer Crimes KU
cludes the topics of Exception Handling, Error Handling, and
of the Social Issues and Professional Practice (SP) KA, and the
Randomness.
Human Factors and Security KU of the Human Computer
The main goal of the System Security KA is to establish
Interaction (HCI) KA. In addition, some topics, such as secu-
and maintain the security properties of systems, including
rity of social networks, analytical tools, cybersecurity planning,
those of interconnected components. Its KUs include:
and risk management, are missing from KUs of CS2013.
Considering the KUs of CAE-CDE, the situation is similar but
they already include the topics of cybersecurity planning,
Table 7 – CSEC2017 KAs vs. CAE-CDE KUs.
and risk management (Table 6 and Table 7 present these
CSEC2017 KAs CAE-CDE KUs mappings).
Data Security IA Fundamentals The contents of the Threats and Attacks CS2013 IAS KU are
Introduction to Cryptography scattered throughout the various CSEC2017 KAs. For in-
Advanced Cryptography stance, the System Security KA includes attacks to availability,
Software Security Fundamental Security Design Principles whereas the Human Security KA includes social engineering.
Secure Programming Practices
Finally, the Web Security and the Platform Security 2013 IAS
Software Assurance
System Security IA Fundamentals
KUs are not explicitly included in any CSEC2017 KA although
IA Architectures their contents are partially covered by the first three CSEC2017
Intrusion Detection/Prevention Systems KAs in Table 1, Table 6.
Cyber Defense In the next section, we analyse cybersecurity master pro-
Software Reverse Engineering grams and how they are organised to train the cybersecurity
Digital Forensics
workforce.
Industrial Control Systems
Human Security Vulnerability Analysis
Cyber Threats
Organizational Policy, Legal, Ethics and Compliance
Security Cybersecurity Planning and Management 4. Analysis of cybersecurity master programs
Security Program Management
Security Risk Analysis Master level programs in cybersecurity are now widely offered
Societal Security Policy, Legal, Ethics, and Compliance
by universities worldwide. However, their target candidates as
 computers & security 75 (2018) 24–35
well as duration and program structure slightly differ, as shown
by the analysis that is presented in this section.
4.1. Sample selection
This study was based on 21 master programs, whose selec-
tion criteria were: the designation of the master program
includes the keywords cybersecurity or “Cyber Security”, the
programs are led by universities belonging to the top 700 uni-
versities according to the 2017 ranking of QS World Ranking
of Universities (QS Top Universities, 2017), and the universi-
ties are spread across different countries. Thus, in our analysis
we considered seven universities from the top hundred, six from
the second hundred, two from the third hundred, four from
the fourth hundred, and two from the seventh hundred. Con-
cerning geographical locations, ten universities were from the
USA, five from the United Kingdom (UK), and one from each
of the following countries: Australia, New Zealand, Estonia, the
Netherlands, Israel, and Spain.
The universities that were considered in our study, to-
gether with links to the webpages of their master programs
in cybersecurity, were:
– 4TU, which is a consortium of four leading universities in
the Netherlands: Delft University of Technology, Univer-
sity of Twente, Wageningen University and Eindhoven
University of Technology (4TU.Federation, 2017);
– The Ben-Gurion University of the Negev, which is an inter-
disciplinary research university in Israel (Ben-Gurion
University of the Negev, 2017);
– Boston University, which is a more than 150 years old uni-
versity in the USA (BU Computer Science, 2017);
– Charles III University of Madrid, which is a relatively small,
innovative, and public university in Spain (Universidad Carlos
III de Madrid, 2017);
– City, University of London, which is a university in the United
Kingdom, “committed to academic excellence, focused on
business and the professions” (City, University of London,
2017);
– The George Mason University, which is the largest public
research university in the state of Virginia in the USA (George
Mason University, 2017);
– The Johns Hopkins University, which is “America’s first re-
search university”, located in Baltimore, state of Maryland
in the USA (Johns Hopkins, 2017);
– Lancaster University, which is ranked among the top 10 of
all three major UK universities league tables (Lancaster
University, 2017);
– New York University (Polytechnic School of Engineering),
which is one of the largest private universities in the USA,
founded in 1831 (New York University, 2017);
– Pennsylvania State University, which is an over 150-year-
old university in the state of Pennsylvania in the USA
(PennState, 2017);
– Queen’s University Belfast, which belongs to the UK top ten
research-intensive universities (Queen’s University, 2017).
Its Centre for Secure Information Technologies (CSIT) is re-
sponsible for cybersecurity teaching (Centre for Secure
Information Technologies, 2017);
29
– Tallinn University of Technology, which is the only tech-
nological university in Estonia (Tallinn University of
Technology, 2017);
– The George Washington University, which is a research uni-
versity located in Washington, DC, USA (The George
Washington University, 2017);
– The University of Waikato in New Zealand, which belongs
to the 100 “most international” universities in the world (The
University of Waikato, 2017);
– The University of Warwick in the UK, which was estab-
lished in 1961 and received its Royal Charter of Incorporation
in 1965 (The University of Warwick, 2017);
– The University of Maryland, College Park, which was founded
on 6 March 1856 as Maryland Agricultural College (University
of Maryland, 2017);
– The University of South Australia, which was initiated in
1991 on a basis of the South Australian Institute of Tech-
nology, located in Adelaide and Whyalli (University of South
Australia, 2017);
– The University of Southampton, which is a research-
intensive university in the UK (University of Southampton,
2017);
– The University of Southern California, which is one of the
world’s leading private research universities located in the
heart of Los Angeles (University of Southern California, 2017);
– The University of York, UK, which was opened in 1963
(University of York, 2017);
– Washington University in St. Louis, USA, founded in 1853,
which is now a partner of 30 research universities around
the world (Washington University in St. Louis, 2017).
Our analysis of the master programs in cybersecurity offered
by these universities starts with the analysis of their admis-
sion requirements, as described in the next section.
4.2. Admission requirements
Almost all of the analysed master programs required candi-
dates to have a bachelor degree in computer science or
equivalent, such as information systems, software engineer-
ing, computer engineering, mathematics, or statistics. The
multidisciplinary nature of cybersecurity master programs jus-
tifies the admission of candidates with different backgrounds
(see for instance the admission requirements of the Pennsyl-
vania State University). In addition, Ben-Gurion University of
The Negev, George Mason University, Queen’s University Belfast,
the University of Waikato, and the George Washington Uni-
versity, for instance, define requirements on the minimal grades
candidates should have.
Some universities go a step forward and state the re-
quired background knowledge. It may include algebra, calculus,
computer programming, networks, theory of computation, op-
erating systems, and Linux. The Johns Hopkins University
presents detailed information on background requirements:
prior education of candidates should include one year of cal-
culus; one mathematics course beyond calculus (e.g. discrete
mathematics, linear algebra, or differential equations); a pro-
gramming course in Java or C++; a course in data structures;
and a course in computer organisation. Despite the require-
ments of the Johns Hopkins University being focused on
30 computers & security 75 (2018) 24–35
academic knowledge that is obtained through courses, almost
all the analysed universities state that they will also consider
applicants who gained knowledge through professional expe-
rience. Indeed, professional experience is generally considered
and it can even be used to justify the admission of candi-
dates with bachelor degrees in other areas. The Pennsylvania
State University and the George Mason University recom-
mend a minimum of five years of relevant professional
experience.
City, University of London, the 4TU.Federation, and the Johns
Hopkins University offer alternatives for candidates who do
not satisfy their admission requirements, such as complet-
ing specific undergraduate courses.
Finally, proficiency in the English language is a prerequi-
site for all universities.
To sum up, master programs in cybersecurity are very spe-
cialised programs and to be able to focus on security aspects
applicants should have background knowledge in mathemat-
ics and computer science, which can be obtained by taking
academic courses or through professional experience.
4.3. Duration of programs
Considering the set of master programs we analysed, almost
all of them last for one to two years, on a full-time basis. Ex-
ceptions are Washington University in St. Louis, which offers
a part-time master program that lasts at least two years
and a half, and the Pennsylvania State University that also offers
a part-time program with two years. The Queen’s University
Belfast has one-year and two-year options, depending on
whether the students are engaged in a professional internship.
As universities structure their master programs by defin-
ing the number of points, units, or ECTS that should be obtained
by students, the duration of programs is not mandatory. Some
universities offer a part-time option, which in practice, is
materialised as a lower fee. However, some universities define
the maximum allowable durations of studies for completing
their programs. For instance, Boston University states that its
program should be completed within three years, whereas the
Johns Hopkins University defines that the 10 courses of the
program must be completed within five years.
4.4. Structure of programs
Almost all the analysed master programs have 60 ECTS or 30
American credits per year, approximately. The number of
courses varies from 6 to 14, excluding the individual research
project. The Queen’s University Belfast offers one-year-long
master program with six courses, which can be extended with
a Professional Internship to a two-year-long full-time program,
while the two-year-long master program of the University of
South Australia includes 14 courses. However, most of the
analysed master programs have between 8 and 10 courses, per
year.
When analysing the flexibility of study plans, they mainly
differ in the percentage of core courses. For instance, the Uni-
versity of York, the Queen’s University Belfast, the Lancaster
University, the George Washington University, and the Univer-
sity of South Australia have master programs that only include
core courses, giving no choice to students. However, master pro-
grams of Washington University in St. Louis and Boston
University have no core courses. Students define their study
plans, choosing courses from pre-defined sets and ensuring they
satisfy the program requirements. Between extremes, we can
find master programs that include core and elective courses.
This way, one can assure the program character through the
subjects all students learn in core courses, while enabling stu-
dents to complement or specialise their knowledge by choosing
elective courses. Indeed, some universities explicitly define the
specialisations or tracks students can take by choosing a set
of elective courses. For instance, in the Tallinn University of
Technology, students can choose different elective courses to
specialise in organisational (law, organisation, psychology, and
standards) or technological (networking, attack/defence tech-
nology, and cryptography) aspects of security. Instead of
specialisations, the University of Warwick offers two differ-
ent master programs, the master in Cyber Security Engineering
and the master in Cyber Security and Management. The Johns
Hopkins University requires students to choose a track (analy-
sis, networks, or systems) and to take at least three courses
from the selected track. Finally, the Charles III University of
Madrid defines two routes and students choose elective courses
depending on the route they prefer. The Systems Security En-
gineering route focuses on the specification, design and
development, implementation and maintenance of secure
systems, whereas the Cybersecurity Analyst route focuses on
the systems security analysis.
Considering final projects (thesis or capstone projects), our
sample includes master programs with mandatory final proj-
ects, as well as master programs where students can attend
one or more courses instead of executing the final project. The
workload of final projects varies from three American credits
to 45 ECTS. In City, University of London, final projects last 14
weeks (or 600 h). However, their duration can be extended to
up to six months in case they performed in industrial or re-
search placements. In the Queen’s University Belfast, students
of the two-year-long master programs with professional in-
ternship can perform a professional internship for one year.
Nonetheless, the most common duration of final projects of
the analysed master programs is one semester, the third one,
which is the summer semester in one-year-long master pro-
grams. In City, University of London and in the Queen’s
University Belfast, final projects of master programs can be per-
formed in industry.
4.5. Contents of courses
The analysis we present in this section is organised accord-
ing to the CSEC2017 KAs and their respective KUs.
The Data Security KA includes cryptography, confidential-
ity, and data integrity, as KUs. Almost all the analysed master
programs have a course to cover the topics of these KUs, whose
designation is cryptography, applied cryptography, or data pro-
tection. The other ones include the topics of these KUs in wider
courses, such as, for instance, the course on the Information,
Security and Privacy of the New York University, which also
covers operating systems security, malicious code, security-
policy formation and enforcement, vulnerability analysis, and
system security evaluation. More advanced topics of this KA,
 computers & security 75 (2018) 24–35
such as quantum cryptography, are covered within optional ad-
vanced cryptography courses.
The Software Security KA has four KUs: high assurance soft-
ware, secure software development, deployment, and
maintenance, software reverse engineering, and malware analy-
sis. The secure software development KU includes topics on
defensive programming and secure software engineering. Con-
sidering the wide range of topics in this KA, they are covered
by four main subjects/courses:
– defensive programming – this topic is covered, for in-
stance, by the Software Security mandatory course of the
4TU.Federation and by the Software Systems Exploitation
mandatory course of the Charles III University of Madrid.
In addition, focusing on one language, the New York Uni-
versity offers the Application Security mandatory course on
writing secure distributed programs in Java and the Uni-
versity of Maryland offers the Secure Programming in C
mandatory course.
– secure software engineering – this topic can be included as
a mandatory course (for instance, the software assurance
course offered by the Queen’s University of Belfast), as a
mandatory course only for one of the specialities of the
master program (in the Charles III University of Madrid, the
system security engineering course is mandatory only for
the secure system route), or simply as an optional course.
– reverse engineering – only three master programs of the
analysed sample offer a specific course in this KU. In the
4TU.Federation and in the University of Maryland pro-
grams, these are elective courses, whereas in the Johns
Hopkins University program, the course is mandatory only
for the analysis track. George Mason University has a course
that includes both reverse engineering and malware.
– malware – there are five master programs that offer courses
on malware, namely Boston University, the Charles III Uni-
versity of Madrid, the Queen’s University Belfast, the Tallinn
University of Technology, and the University of York.
The System Security KA is considered a broad area and in-
cludes KUs, availability, authentication, access control, secure
system design, reverse engineering (which is also a KU of the
Software Security KA), cyber physical systems, digital foren-
sics, supply chain management, and computer network defence.
The most common course that covers topics in this KA is
network security. Most master programs also include a digital
forensics course. In addition, we find many different courses
covering topics in systems security, such as cyber physical
systems, identification and authentication, biometrics, secu-
rity of operating systems, mobile security, intrusion detection,
and defensive hacking or penetration testing. Most of these
courses are offered as elective courses or as mandatory courses
only in a specific track or route.
The Human Security KA is focused on aspects related to
privacy of individuals. Its KUs are: identity management, social
engineering, privacy, and security of social networks. Within
the analysed master programs, we only find two specific courses
on privacy whose contents intersect with the topics in this KA:
the Privacy-Enhancing Technologies course offered by the 4TU.
Federation and the Privacy in the Digital Age course offered
by the Washington University in St. Louis. Despite the fact that
31
none of them explicitly include aspects related to social en-
gineering and social network, they cover, for instance, the
subject of anonymity.
While the Human Security KA focuses on protecting indi-
viduals, the Organizational Security KA focuses on protecting
organisations. Its KUs are risk management, mission assur-
ance, disaster recovery, business continuity, security evaluations
and compliance, organisational behaviour as it relates to
cybersecurity, employee training, and intelligence. Within the
analysed master programs, we find different ways to organ-
ise these KUs in courses. For instance, the Pennsylvania State
University offers the Information Security Management course
that covers almost all of these KUs. In addition, there are courses
focusing on some specific topics, such as risk management (the
Cyber Risk Management course offered by the 4TU.Federation
and the Information System Risk Management course offered
by the Lancaster University), disaster recovery, business con-
tinuity, security evaluations and compliance (the Cyber Security
Management and Administration course offered by the Charles
III University of Madrid and the Information System Security
Management course offered by the Lancaster University), and
data analytics (the Cyber Data Analytics course offered by the
4TU.Federation). The examples of courses listed are not
exhaustive.
Finally, the Societal Security KA includes the following KUs:
cybercrime, cyber law, ethics, policy, intellectual property, pro-
fessional responsibility, social responsibility, and global impacts.
Almost all of the master programs include a course that covers
the KUs in this KA. Considering more specific courses, for in-
stance, the 4TU.Federation and the George Washington
University offer elective courses on cyber law, and the George
Washington University also offers an elective course on ethics,
policy, and intellectual property. In addition, the Tallinn Uni-
versity of Technology offers a course named “History of Art of
War: From Ancient World to Network-Centric Warfare”, and the
University of Southampton offers an elective course “Crimi-
nal Behaviour – Applied Perspectives” (Cyber Security).
When considering cybersecurity master programs without
a specific focus (such as those on network security) that include
mainly core courses on security, we conclude that most of them
have two semesters with lessons and their program struc-
ture includes:
– One core course from the Data Security KA, the cryptogra-
phy course;
– One or two core courses from the Software Security KA, from
the following list: defensive programming, secure soft-
ware engineering, and malware;
– One or two core courses from the System Security KA, with
preference to network security, followed by the digital fo-
rensics course;
– One or two courses from the Organizational Security KA,
with no course preference; and
– One course from the Societal Security KA.
4.6. Requirements for completion
In most of the analysed master programs, there are two re-
quirements that must be fulfilled to achieve graduation. The
first is associated with completion of the appropriate number
32 computers & security 75 (2018) 24–35
of courses. For example, at Boston University, the specialisation
in cybersecurity requires eight graduate courses, 32 credits,
including at least five core courses, meeting the same require-
ments as those of the Master in Computer Science. In addition,
among the grades received for the five core courses, the number
of B− grades must not be greater than the number of B+ grades
or higher. No grade lower than B− may be used for graduate
credits. In the George Mason University, the program re-
quires 30 credits, comprising nine credits for core courses, 18
credits for concentration courses, and three credits for a cap-
stone course.
The second requirement for completion relates to the prepa-
ration of some kind of written report or thesis. In most cases,
students at the end of the program should prepare a master
thesis concerning studied subjects. This work is done under
a supervision of a university faculty staff and must be ap-
proved by the university. However, some programs, especially
these directed to cybersecurity professionals, introduce other
possibilities to end the course by doing research projects,
without writing a dedicated thesis. In some cases, these proj-
ects could be performed in places other than the degree-
granting university. For example, City, University of London
allows to perform projects in industry or other research
organisations. The minimal project should last 600 h; however,
if performed in the industry it could be extended up to six
months.
4.7. Evolution
To analyse the evolution of the programs, we followed three
strategies: 1) we contacted, by email, the directors of the pro-
grams and asked them to answer some questions related to
the evolution of their programs; 2) we visited the websites of
the programs between April 2017 and May 2017 and again in
September 2017, to assess recent program changes; and 3) we
collected information about past versions of programs’
webpages by querying an Internet archive (https://archive.org/).
The directors’ inquiry was aimed at obtaining the follow-
ing information: year of the program creation; motivation for
creating the program; restructurings (number, time, motiva-
tion, and scope); evolution of course contents; and the number
of students enrolled in the program. We received seven re-
sponses to our inquiries, which formed the basis of our analysis,
complemented with the information we extracted from web-
sites (current and past versions).
Our analysis allows to conclude that most of these pro-
grams were created recently, between 2013 and 2015, with a
few exceptions, the oldest program being originated in 2007
(Johns Hopkins University). Some programs emerged as tracks
in previously existing programs in computer science or infor-
mation systems (for instance, Johns Hopkins University),
whereas others were designed from scratch (for instance,
Charles III University of Madrid, George Mason University, Lan-
caster University, and the Pennsylvania State University). Four
directors mentioned that the creation of their programs was
motivated by the existence of significant expertise in the field
affiliated with the department. This is the case of the Infor-
mation Sciences and Technology Department at George Mason
University, where cybersecurity was always one of the main
research fields. The same happened with City, University of
London. Market demand was another reason given as a mo-
tivation for creation of these programs.
Two types of program revisions were identified: revisions
of the courses’ contents and revision of the program struc-
ture. The contents of courses were revised to follow recent
developments in the field, to adjust the taught material, or to
reduce the amount of overlapping material. For instance, at the
Ben-Gurion University of the Negev, only revisions of the
courses’ contents have been made.
Revisions of the programs’ structure were less substan-
tial, such as adding or removing elective courses, or more
substantial, such as changing core courses.
A common observation for programs including elective
courses is that their catalogues were often updated every year/
semester, as was the case with the master program offered by
the Boston University, as announced on the university’s website.
This may happen in accordance with the catalogue of elec-
tive courses offered by the department leading the program
or other collaborations, which often depends on the availabil-
ity of faculty members and their sabbatical leaves. As a new
trend in cybersecurity courses, the subject Quantum Compu-
tation has emerged, being offered as an elective course at the
Johns Hopkins University and at the 4TU.Federation.
At City, University of London, the program was revised in
its third running year 2016/2017 to include more security elec-
tive choices, while removing one of the core modules. The
program offered by the Pennsylvania State University, created
in 2009, already suffered two revisions, and is currently in the
third one, slated to be effective for fall 2018.
The reasons for restructuration were diverse: for accredi-
tation (Lancaster University), to take into account feedback from
the students and external examiners (City, University of
London), or to take advantage of faculty research interests and
expertise.
Concerning the number of students enrolled in the pro-
grams, we observed that these numbers are rather different.
Nevertheless, all the respondent directors stated that the
demand has been continuously increasing.
5. Conclusion
The increasing need for cybersecurity workforce, today, is an
unavoidable problem. In the last years, we have witnessed the
evolution and maturation of the discipline of cybersecurity, as
we can perceive, for instance, by the ACM efforts since the in-
clusion of the Information Assurance and Security KA into the
computer science curricula guidelines until the recent defini-
tion of the cybersecurity curricular draft guidance. Meanwhile,
universities have proposed undergraduate as well as gradu-
ate cybersecurity programs.
Considering the relevance of more specialised higher edu-
cation programs in cybersecurity, we analysed cybersecurity
master programs of top-ranking universities to identify, mainly,
which cybersecurity topics they cover and how they distrib-
ute these topics through courses. In addition, we reviewed the
cybersecurity discipline to reach the baseline of our analysis.
Within this review, we noticed the increasing importance
of less technological areas, such as the KAs of human,
 computers & security 75 (2018) 24–35
organisational, and societal security – this is one of the main
conclusions of our work.
Another main conclusion of our findings is that the broad-
spectrum cybersecurity master programs that include mainly
core courses on security are in alignment with the 2017 JTF
curriculum guidelines for cybersecurity post-secondary pro-
grams, including at least one or two courses from the six ACM
KAs. In addition, some programs offer a personalised curricu-
lum through the selection of more specialised or advanced
elective courses. Some elective courses are very peculiar, for
example, the course History of Art of War: from Ancient World
to Network – Centric Warfare, offered by the Tallinn Univer-
sity, the course Criminal Behaviour – Applied Perspectives (Cyber
Security), offered by the University of Southampton, or the
course Industrial Espionage and Counterfeiting, offered by the
University of Warwick. Moreover, new elective courses are used
to cover more topical subjects, such as Quantum Computa-
tion or, predictably, soon, Blockchain and Distributed Ledger
Technology.
To remain up to date with the developments in the area
and market needs, cybersecurity master programs evolve.
Their evolution includes updating the contents of their courses
as well as changing the structure of programs to incorporate
more specific security courses into the set of core courses
and to offer more elective courses. We point out that this
evolution has been aligned with the available faculty and
expertise.
To conclude, we elaborate on the current labour market
for master cybersecurity specialists and their future expecta-
tions. First, even more than other fields, the market is
characterised by employee mobility and remote work. Second,
many cybersecurity experts and remote workers serve in geo-
graphical areas and countries other than those of their native
universities. The core knowledge obtained during studies is
universal and suitable for any professional and for any geog-
raphy. However, there are some topics, such as cybersecurity
legal regulations, private data protection rules, protection of
intellectual property, and ethical hacking legal aspects that
can vary widely across countries. Because cybersecurity spe-
cialists in their professional work are often approaching the
thin line between legal and illegal activities, moving between
countries, (and legal regulatory systems), they can easily fall
into trouble. Finally, master studies in cybersecurity, in addi-
tion to general academic and practical professional skills
and competences in the domain (Furnell et al., 2017), must
not forget about students’ social competences connected to
a wider security culture.
As far as we know, our work is the first that analyses the
evolution and maturation of the cybersecurity discipline (from
higher education needs point of view) and that fills the gap
in the literature regarding the analysis of existing cybersecurity
master programs and their alignment with the ACM and the
JTF curriculum guidelines.
Acknowledgements
We would like to thank program directors who kindly an-
swered our inquiry and reviewers for their comments.
33
This work was supported by the European Commission
[grant number 2014-1-LU01-KA203-000034] and by FCT [grant
numbers UID/MAT/04561/2013, UID/CEC/00408/2013].
REFERENCES
4TU.Federation. Cyber security; 2017. Available from: https://
www.4tu.nl/cybsec/en/. [Accessed 15 March 2017].
Albert RT, Bennett C, Briggs D, Ebben M, Felch H, Kokoska D, et al.
Experiences with establishment of a multi-university center
of academic excellence in information assurance/cyber
defense. In: Proceedings of the international conference on
Security and Management (SAM). Las Vegas; 2015.
Ben-Gurion University of the Negev. M.Sc. in information
systems engineering with specialization in cyber space
security; 2017. Available from: http://in.bgu.ac.il/en/engn/ise/
Pages/Cyber_Space_Security_En.aspx. [Accessed 15 March
2017].
Bicak A, Liu XM, Murphy D. Cybersecurity curriculum
development: introducing specialties in a graduate program.
Inf Syst Educ J 2015;13(3):99.
BU Computer Science. MS in CS with a specialization in cyber
security; 2017. Available from: http://www.bu.edu/cs/ms-in
-cs-with-a-specialization-in-cyber-security. [Accessed 15
March 2017].
Centre for Secure Information Technologies. MSc applied cyber
security; 2017. http://www.csit.qub.ac.uk/EducationatCSIT/
MSc-Applied-Cyber-Security. [Accessed 15 March 2017].
Chen H, Maynard SB, Ahmad A. A comparison of information
security curricula in China and the USA. In: Proceedings of
the 11th Australian information security management
conference. Perth, Australia: 2013.
Cisco. Mitigating the cybersecurity skills shortage top insights
and actions from Cisco Security Advisory Services; 2015.
Available from: http://www.cisco.com/c/dam/en/us/products/
collateral/security/cybersecurity-talent.pdf. [Accessed 15
March 2017].
City, University of London. Cyber security; 2017. Available from:
http://www.city.ac.uk/courses/postgraduate/cyber-security.
[Accessed 15 March 2017].
Frank H. Q1 Cybersecurity snaphot: cyber security market report
market sizing & projections; 2016. Available from: https://
www.linkedin.com/pulse/cyber-security-snapshot-hope
-frank. [Accessed 15 March 2017].
Furnell S, Fischer P, Finch A. Can’t get the staff? The growing
need for cyber-security skills. Comput Fraud Secur
2017;2017(2):5–10.
George Mason University. Applied information technology, cyber
security concentration (MS); 2017. Available from: http://
masononline.gmu.edu/programs/applied-information
-technology-cyber-security-concentration-ms. [Accessed 15
March 2017].
Grover M, Reinicke B, Cummings J. How secure is education in
Information Technology? A method for evaluating security
education in IT. Inf Syst Educ J 2016;14(3):29–44.
Harris MA, Patten KP. Using Bloom’s and Webb’s taxonomies to
integrate emerging cybersecurity topics into a computing
curriculum. J Inf Syst Educ 2015;26(3):219–34.
Johns Hopkins. Cybersecurity; 2017. Available from: https://
ep.jhu.edu/programs-and-courses/programs/cybersecurity.
[Accessed 15 March 2017].
JTF on Cybersecurity Education. Cybersecurity curricula 2017 –
curriculum guidelines for undergraduate degree programs in
cybersecurity. Version 0.5 Report. ACM, IEEE, AIS, IFIP; 2017a.
Available from: http://www.csec2017.org. [Accessed 8
September 2017].
34 computers & security 75 (2018) 24–35
JTF on Cybersecurity Education. Cybersecurity curricula 2017 –
curriculum guidelines for post-secondary degree programs in
cybersecurity. Version 0.75 Report. ACM, IEEE, AIS, IFIP; 2017b.
Available from: http://www.csec2017.org. [Accessed 8
September 2017].
Lancaster University. Cyber security MSc; 2017. Available from:
http://www.lancaster.ac.uk/scc/postgraduate/taught
-masters/courses/cyber-security-msc. [Accessed 15 March
2017].
Malhotra Y. Bridging networks, systems and controls
frameworks for cybersecurity curricula & standards
development. NY Cyber Security & Engineering Technology
Association Conference, Oct. 22, 2015 Rochester Institute
of Technology, Rosica Hall, NTID, Rochester, New York;
2015.
McDuffie EL, Piotrowski VP. The future of cybersecurity
education. Computer 2014;47(8):67–9.
McGettrick A. Toward curricular guidelines for cybersecurity:
report of a workshop on cybersecurity education and training.
ACM; 2013.
McGettrick A, Cassel LN, Dark M, Hawthorne EK, Impagliazzo J.
Toward curricular guidelines for cybersecurity. In:
Proceedings of the 45th ACM technical symposium on
computer science education. ACM; 2014. p. 81–2.
Mew L. The information security undergraduate curriculum:
evolution of a small program. In: Proceedings of the EDSIG
conference. Las Vegas, Nevada; 2016. Available from:
http://proc.iscap.info/2016/pdf/4071.pdf. [Accessed 15 March
2017].
New York University. Cybersecurity online; 2017. Available from:
http://engineering.nyu.edu/academics/online/masters/
cybersecurity. [Accessed 15 March 2017].
Newhouse B, Keith S, Scribner B, Witte G. NICE Cybersecurity
Workforce Framework (NCWF), National Initiative for
Cybersecurity Education (NICE). Draft NIST special
publication 800-181; 2016. Available from: http://csrc.nist.gov/
nice/framework/. [Accessed 15 March 2017].
NSA/DHS. National centers of academic excellence in cyber
defense: knowledge units; 2013. Available from: https://
www.iad.gov/NIETP/CAERequirements.cfm. [Accessed 15
March 2017].
NSA/DHS. National centers of academic excellence for cyber
defense: focus areas; 2013a. Available from: https://
www.iad.gov/NIETP/CAERequirements.cfm. [Accessed 15
March 2017].
PennState. Master of professional studies in information
sciences – cybersecurity and information assurance; 2017.
Available from: http://www.worldcampus.psu.edu/degrees
-and-certificates/information-sciences-masters/overview.
[Accessed 15 March 2017].
QS Top Universities. QS world university rankings; 2017. Available
from: https://www.topuniversities.com/qs-world-university
-rankings. Accessed 15 March 2017.
Queen’s University. Applied cyber security; 2017. Available from:
http://www.csit.qub.ac.uk/EducationatCSIT/MSc-Applied
-Cyber-Security/. Accessed 15 March 2017.
Randstad Technologies. Cybersecurity workforce report: 12
markets with high demand for top talent; 2016. Available
from: https://www.randstadusa.com/corp/technologies/
randstad_cybersecurity_report_2016.pdf. Accessed 15 March
2017.
Sahami M, Danyluk A, Fincher S, Fisher K, Grossman D,
Hawthorne E, et al. Computer science curricula 2013:
curriculum guidelines for undergraduate degree programs in
computer science. Association for Computing Machinery
(ACM)-IEEE Computer Society; 2013. Available from: https://
www.acm.org/binaries/content/assets/education/
cs2013_web_final.pdf. [Accessed 15 March 2017].
Setalvad A. Demand to fill cybersecurity jobs booming.
Peninsula Press; 2015. Available from: http://peninsulapress
.com/2015/03/31/cybersecurity-jobs-growth. [Accessed 15
March 2017].
Tallinn University of Technology. Cyber security; 2017. Available
from: https://www.ttu.ee/studying/masters/masters
_programmes/cyber-security/?id=84572. [Accessed 15 March
2017].
The George Washington University. Master of Science in
cybersecurity in computer science; 2017. Available from:
https://www.cs.seas.gwu.edu/master-science-cybersecurity
-computer-science. Accessed 15 March 2017.
The University of Waikato. Master of cyber security; 2017.
Available from: http://www.waikato.ac.nz/study/
qualifications/master-of-cyber-security. [Accessed 15 March
2017].
The University of Warwick. Cyber security MSc programmes;
2017. Available from: http://www2.warwick.ac.uk/fac/sci/
wmg/education/wmgmasters/courses/cyber_security/.
[Accessed 15 March 2017].
Universidad Carlos III de Madrid. Master in cybersecurity; 2017.
Available from: http://www.uc3m.es/ss/Satellite/Postgrado/
en/Detalle/Estudio_C/1371209197821/1371219633369/
Master_in_Cybersecurity. [Accessed 15 March 2017].
University of Maryland. Cybersecurity; 2017. Available from:
http://advancedengineering.umd.edu/programs/
cybersecurity/masters/courses. [Accessed 15 March 2017].
University of South Australia. Master of cybersecurity; 2017.
Available from: http://programs.unisa.edu.au/public/pcms/
program.aspx?pageid=5882&sid=10377. [Accessed 15 March
2017].
University of Southampton. MSc cyber security; 2017. Available
from: http://www.ecs.soton.ac.uk/programmes/msc-cyber
-security#modules. [Accessed 15 March 2017].
University of Southern California. Cyber security engineering
(MS); 2017. Available from: http://catalogue.usc.edu/preview
_program.php?catoid=2&poid=1523&returnto=440. [Accessed
15 March 2017].
University of York. MSc in cyber security; 2017. Available from:
https://www.cs.york.ac.uk/postgraduate/taught-courses/msc
-cybersecurity/#tab-2. [Accessed 15 March 2017].
Washington University in St. Louis. Cyber security management
curriculum; 2017. Available from: https://sever.wustl.edu/
degreeprograms/cyber-security-management/Pages/Cyber
-Security-Management-Curriculum.aspx. [Accessed 11 May
2017].
Yang SC, Wen B. Toward a cybersecurity curriculum model for
undergraduate business schools: a survey of AACSB-
accredited institutions in the United States. J Educ Bus
2017;92(1):1–8.
Yuan X, Yang L, Jones B, Yu H, Chu BT. Secure software
engineering education: knowledge area, curriculum and
resources. J Cybersecur Educ Res Pract 2016;2016(1):Article 3.
Krzysztof Cabaj holds an M.Sc. (2004) and a Ph.D. (2009) in com-
puter science from Faculty of Electronics and Information
Technology, Warsaw University of Technology (WUT). Cabaj is an
Assistant Professor at WUT and Instructor of Cisco Academy courses:
CCNA, CCNP and NS at International Telecommunication Union In-
ternet Training Centre (ITU-ITC). His research interests include:
network security, honeypots and data-mining techniques. He is the
author or the co-author of over 40 publications in the field of in-
formation security.
Dulce Domingos is an Assistant Professor at the Informatics De-
partment of the Faculty of Science of the University of Lisbon and
a senior researcher of the Large Scale Computer Systems Labora-
tory (LaSIGE). Her current research interests include security,
 computers & security 75 (2018) 24–35
business processes, and Internet of Things (IoT). She is the
coordinator of the master program in information security of Faculty
of Science of the University of Lisbon.
Zbigniew Kotulski is a Professor at the Institute of Telecommuni-
cations of the Faculty of Electronics and Information Technology,
Warsaw University of Technology, Poland. He received his M.Sc. in
applied mathematics from the Warsaw University of Technology
and Ph.D. and D.Sc. Degrees from the Institute of Fundamental Tech-
nological Research of the Polish Academy of Sciences. Zbigniew
35
Kotulski is the author and co-author of 5 books and over 200
research papers on applied probability, cryptographic protocols and
network security.
Ana Respício is an Assistant Professor in the Informatics Depart-
ment at Faculty of Science of the University of Lisbon and a senior
researcher of CMAF-CIO. Her research interests include decision
support (theory and technologies), cybersecurity risk management,
and optimization. She is vice-Chair of the IFIP WG8.3 on DSS and
Associate Editor of the Journal of Decision Systems (Taylor & Francis).