NATIONAL CYBERSECURITY
QUALIFICATIONS FRAMEWORK
JUDR. PAVEL LOUTOCKÝ, PH.D., BA (HONS)
BASIC AIM OF THE PROJECT
• The main target of the project is research
aimed at creating a universal and holistic
qualification framework in the Czech
Republic in the field of cybersecurity
• The framework will classify the individual
qualifications and professional roles of
cybersecurity personnel
• It should describe their required education,
skills and will serve as a single basis for the
development of capacities in this area in the
Czech Republic
DIFFERENT AVAILABLE
SCHEMES 
• Not all of them are purely focused on qualification frameworks
• Overlapping with existing educational schemes
• What do we have now?
▪ 1) NICE (NIST)
▪ 2) ENISA (more focused on education than
positions)
▪ 3) Cybersecurity Curricular Guideline by ACM
(educational and scientific computing society,
uniting educators, researchers and
professionals)
1) NICE (NIST)
• National Initiative for Cybersecurity Education lead by National
Institute of Standards and Technology
• Detailed material and the describtion of knowledge base of
each area of cysec employee
• Detailed structure from general to specific
• Starting with general categories (7) moving to more detailed
describtions:
• NICE Framework Workforce Categories
• NICE Framework Specialty Areas
• NICE Framework Work Roles
• NICE Framework Tasks
• NICE Framework Knowledge Descriptions
• NICE Framework Skills Descriptions
• NICE Framework Ability Descriptions
1) NICE (NIST)
1) NICE (NIST)
https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.80
0-181.pdf
P. 20 et seq.
2) ENISA
• European Union Agency for Network and Information
Security
• Roadmap for NIS education programmes in Europe
• Not focused on qualifications so far
• Offering roadmap for education (2014)
• Other materials, but not always important for the project
2) ENISA
• Roadmap for NIS education programmes in Europe
• Mapping available courses, programes
• Mapping available materials, databases, educational
information
• Identyfiing gaps in education
• Teachers (mainly basic, high schools)
• Healthcare Scenarion
• Data protection officers
• SME scenario
• Digital Forensics
https://www.enisa.europa.eu/publications/roadmap-for-nis-ed
ucation-programmes-in-europe
3)  ACM CYBERSECURITY 
CURRICULAR GUIDELINE
• Very detailed material on personal aspects and areas (qualification)
• Many described curricular guidences are interconnected in more
fields below (all is related to all)
• CSEC2017 v1.0 manual was developed through the leadership of
the Joint Task Force on Cybersecurity Education and the contributions
of educators, industry professionals, and government
representatives from around the globe.
• It includes 4 components:
1. an overview of the cybersecurity discipline to frame the curricular
model,
2. a presentation of the curricular framework and outline of the
recommended curricular content,
3. a highlight of industry perspectives on cybersecurity, and
4. a discussion of issues related to the educational practice,
suggestion for a process to develop roadmaps that link the
curricular model to workforce frameworks, and references that
highlight how global institutions could implement the curricular
guidelines.
3)  ACM CYBERSECURITY CU
RRICULAR GUIDELINE
• Positions devided into 8 groups
1. Data Security (e.g. legal issues, digital forensics, evidence secure
design, authentication)
2. Software Security (e.g. modularity, security features, testing,
patching, SW documentation)
3. Component Security (e.g. components integrated in larger systems,
supplies, software reverse engineering)
4. Connection Security (e.g. sharing of data, standards, hardwarem,
network monitoring)
5. System Security (e.g. policy models, insider threat, identity,
recovery, attacs)
6. Human Security ( e.g. identity services, social engineering attacs,
psychological level of employees, systém misuse, cyber hygien,
social aspects, )
7. Organizational Security (e.g. risk management, privacy, ethics,
security governance, cloud administration)
8. Societal Securtity (e.g. cyber law – personal data, privacy, digital
evidence, contracting; dilpomacy, breaches connected to legal
aspects)
3)  ACM CYBERSECURITY CU
RRICULAR GUIDELINE
https://www.acm.org/binaries/content/assets/education/curricula-rec
ommendations/csec2017.pdf
P. 24 et seq.
BASIC CORNERSTONES
OF OUR PROJECT
1. Creating a taxonomy of qualifications - analysis of existing
solutions and research results abroad, investigation of needs within
the security forces in the Czech Republic and identification of the
character and structure of relevant entities in the Czech Republic.
The necessary qualifications in both technical and non-technical
fields at the level of both private organizations and the state will be
offered in a structured manner.
2. Design of Competency Model - professional competencies will
be assigned to the individual roles / qualifications – those should
be concerned as prerequisite for performing the appropriate role in
cybersecurity.
3. Cybersecurity Qualifications Framework - the Qualifications
Framework will include proposed taxonomy and competencies of
individual qualifications, extended in the manner to identify the
required training capacities based on the existing demand for
qualifications.
BASIC CORNERSTONES
OF OUR PROJECT
4. Analysis of available education in the Czech Republic - based on
surveys and questionnaires, the current offer of available educational
programs, courses and exercises in the field of cybersecurity will be
identified, which can be used to build the necessary capacities described
in the framework.
5. GAP analysis - the training requirements described in the framework
with the existing offer will be compared. Based on this comparison
quantitative and qualitative gaps in terms of available cybersecurity
education should be identified.
6. Action plan on building educational capacities - in order to effectively
implement the results of the project, the aim will also be to develop an
action plan to inform users and target groups about the practical
application of research results at the level of support and development of
cybersecurity training, recruitment and evaluation.
7. Interactive Software for Qualifications Framework - in order to
effectively implement the Qualifications Framework, an interactive
software tool will be created to provide knowledge databasis.
4 PHASES
1. initial research will be conducted to identify the available
approaches to the taxonomy of roles / qualifications in
cybersecurity.
2. individual qualifications will be described by the general
information on the role and will be shared between qualifications to
ensure the substitutability of individual roles.
3. then it will focus on putting previous results into practice. To this
end, an action plan will be developed which will propose systematic
actions that can be taken at the level of the state, private
organizations and research institutions to support the development
and application of the available cybersecurity workforce.
4. an information system will be developed to work with the taxonomy
and qualifications framework. The proposed software will allow the
expert public to access, systematically search and use the
qualification database to achieve the objectives specified in their
project. It will also allow to manage, maintain, add more
qualifications to this system.
FURTHER PLANS
1. Language mutations (CZ and ENG)
2. Database of qualifications
3. Inspiration for education…
4. … and more
Inspiration in other shcemes:
https://www.sans.org/cyber-security-skills-roadmap
QUESTIONS?
THANK YOU FOR YOUR ATTENTION