1 Background

Projections based on “A Human Capital Crisis in Cybersecurity” [2] in 2010 are being dwarfed by current projections for skilled cybersecurity professionals [3]. Recent projections by Tech Republic and Forbes indicate 1.8 million to 2.0 million unfilled cybersecurity jobs globally by 2022 [4, 5]. While IT has traditionally been considered the entryway into cybersecurity positions, the existing IT workforce and current IT-based programs are inadequate to meet the growing demand for workforce and professional development in cybersecurity.

Capacity is not the only challenge. The nature of cybersecurity careers, and consequently the curricula for the training programs, is shifting as well. As we transition from the Information Age into the Cyber-Mental Age [6], cybersecurity has to be fully integrated into all aspects of modern-day society. Securing the Internet of Things and intelligent machines will require cross-disciplinary skills and knowledge beyond IT skills.

As NICE works to define cybersecurity pathways, UW CIAC has begun developing career guidance tools for use by candidates, counselors, academics, and practitioners. These career guidance tools estimate the multi-disciplinary aptitudes, soft skills, and character considerations, since integrity, trust and productive workplace behavior are important considerations for professionals with access to high value information.

2 Professionalization of Cybersecurity: Career Profiling and Professional Development

Initiatives to professionalize cybersecurity are underway. Research by Dr. Diana Burley of George Washington University proposes cybersecurity workforce development benchmarked against professionalization of the medical profession [7]. Building upon the medical model analogy, the UW CIAC team adapted research methodology building a psychological profile for Surgical Burn Unit residents as a protocol for selecting talent into cybersecurity.

In 2010 a team of psychologists published the “Psychological Profile of Surgeons and Surgical Residents” [8], a research project ultimately intended to increase retention of surgical residents. The project utilized two of three components of a validated assessment tool and focused on the Psychological Profile component. One scale, Career Aptitude, was not engaged for surgeons and surgical residents given the rigor required to progress through medical school into residency status and beyond. Cybersecurity leaders and employers emphasize the need to identify fundamental qualities that underlie reliability, ethics and trustworthiness to build a strong cyber workforce. Deficiencies in these qualities of character result in ‘insider threat’ concerns across all sectors. Trade journals and industry publications document the high cost of counterproductive workplace behavior when employees are not screened for honesty, integrity, positive fiscal attitudes and pro-social behavior [9, 10, 11]. Integrity First assesses five factors driving an individual’s integrity-related behavior in the workplace, which ultimately impacts an organization’s ROI [12]. A more detailed description of the dimensions of both tools, WOWI and Integrity First, is provided below.

A literature review of psychological career profiling across the medical field revealed a body of knowledge delineating differences between dermatologists, surgeons, radiologists, internists, family practice etc. [13, 14]. Following this example, we would ultimately like to profile all 35 career pathways within the field of cybersecurity. For the scope of this initial research project, we select two job roles to adapt the methodological approach from a mature profession like medicine to the emerging profession of cybersecurity.

The UW CIAC Research team reviewed the seven career pathways listed in the NIST NICE Cybersecurity Workforce Framework (‘Framework’) [15].

The tool at www.cyberseek.org provides an interactive heat map of supply and demand in 340 markets within the United States. The research team used the heat map for supply and demand, interviews with hiring managers, and consideration of the knowledge unit (KU) maps to select the two job roles to study. Penetration testing was selected based upon the high demand for this specific skill set. 2017 witnessed the acceleration of ransomware and increasing attacks from global cyber actors, making individuals with penetration testing skills the most desired cybersecurity workers [4] (Table 1).

Table 1. NICE Framework workforce categories

For the second job role, we selected careers that emphasized the communication, business, and policy aspects of cybersecurity [4]. Leaders also remain in high demand in cybersecurity, so we selected the category Oversight and Governance as the second career pathway. This part of the research study is the topic of another paper.

To study penetration testing, we selected all four specialty areas under the category Protect and Defend, in the Framework [16]. The Framework does not presently contain a specific job description for penetration tester. It identifies four specialty areas within the Protect and Defend category in which penetration testing is listed as a task: Cybersecurity Defense Analyst (CDA), Cybersecurity Defense Infrastructure Support (INF), Incident Response (CIR) and Vulnerability Assessment and Management (VAM).

Moreover, organizations have not yet fully adopted the Framework. Consequently, penetration testers’ actual job descriptions had to be collected and analyzed against the four Protect and Defend job roles to align results across the four work roles within Protect and Defend described in Table 2 [16].

Table 2.

3 Materials and Methods

3.1 Participants and Site Selection

Cybersecurity professionals from an array of Pacific Northwest corporations, state and municipal government, and the Washington Air National Guard 252nd Cyberspace Operations Group are scheduled to complete the assessment instruments in early 2018.

Site selection is based upon multiple factors. Organizational support and managers’ and subjects’ understanding of how their contribution impacts the professionalization and quality development of cybersecurity talent are key factors. Criteria selection identified organizations with mature penetration testing functions. Departments with a sufficient number of employees, ideally more than eight, functioning primarily as penetration testers, or working within the four job titles identified by NICE, have been recruited to ensure that normative scaling can be accomplished. Confidentiality of subjects is a requirement in this study.

Diversity of organizations provided another selection criterion. Initial outreach to the National Guard provided multi-dimensional aspects. Team members included in the National Guard sites are ‘traditional’ service members who attend monthly drill weekends and, in most situations, hold civilian positions in a variety of industries. Additional diversity of organization selection includes telecommunications, software development, health care, travel, aerospace, retail and government. On-site proctored data collection of the assessment tool is scheduled during the first quarter of 2018. Statistical analysis of data is scheduled for second quarter 2018 with dissemination of results being prepared and delivered in third quarter 2018.

3.2 Assessment Tools

Two validated on-line instruments were utilized to measure cybersecurity professionals. Assessment tools generally capture aptitude or interest; but rarely are psychological profiles combined in the same instrument. The World of Work Inventory (WOWI) collects data from subjects in all three dimensions. Measuring integrity is the fourth dimension incorporated through the Tescor Survey, also known as Integrity First.

4 The World of Work Inventory

The WOWI provides three subscales measuring Career Training Potential (CTP), Job Satisfaction Indicators (JSI) and Career Interest Activities (CIA). Using a nomothetic approach, CTP assesses verbal, numerical, learning style, spatial ability, mechanical electrical and organizing skills. An added feature of this comparison scale is that it also measures subjects’ motivational levels in each of these seven areas (Table 3) [17].

Table 3. Measurements of Career Training Potential (CTP)

The second and third subscales, JSI and CIA, utilize idiographic scales. The JSI subscales measure twelve characteristics comprising psychological workstyle preferences (Table 4).

Table 4. Characteristics of Job Satisfaction Indicators (JSI) subsets

The CIA subscale measures 17 Career Interest Activities corresponding to Table 5:

Table 5.

5 Integrity First

Integrity First is used during recruitment to identify and remove candidates with Counterproductive Workplace Behavior (CWB) from the hiring process [18]. This assessment adds a dimension not covered within career aptitude, psychological and interest assessments. Businesses desire ethical behavior and integrity in their employees; cybersecurity managers, military and civilian, deem ethics, integrity and positive workforce behavior essential when assembling cybersecurity pen testing teams. CWB falls into four fundamental categories: employee theft, hostility, drug abuse and hostility. Using overt testing methods, candidates chose one of four answers to direct questions regarding attitudes and high-risk workplace behavior [19]. A more comprehensive list of CWB is provided in Table 6 [20]. The UW CIAC research team acknowledged there is a gap in career instruments, including the WOWI, in overtly measuring characteristics of integrity and ethics.

Table 6. Examples of counterproductive workplace behavior

6 Conclusion

6.1 Participants and Site Selection Revisited

Organizational culture impacts data collection. Washington’s Air National Guard, government agencies and universities conduct annual performance reviews, but not all of these organizations rank and stack employee performance. Military organizations have ingrained merit and ranking systems and conduct structured performance reviews. In government and academic organizations, annual reviews are conducted, but no merit ranking system is utilized.

Corporations in the Pacific Northwest, for the most part, migrated from strict adherence to a military merit rating system in favor of talent development and performance appraisals [20] based upon on-going adaptation of Douglas McGregor’s Theory X and Y [21]. Employees are assessed from multiple perspectives; personal and team interaction and contributions to corporate success are acknowledged, in some corporations, by bonuses [22]. This metric may supplant managerial ranking. Managerial ranking is being reviewed and compared to a revised Performance Appraisal system identifying end-of-year bonuses as a performance metric.

6.2 Hypothesis

Talent identification in cybersecurity informs the hypothesis that there are statistically significant profiles across measures of aptitude, personality type indicators, interests, and integrity such that (a) these profiles are a reliable predictor of success in careers within the Protect and Defend category in the NICE Workforce Framework and (b) the measuring instruments for these profiles are robust against biased inputs.

Initial research results focus on CTP, JSI, CIA and results from CWB defining profiles of high performing Protect and Defenders with an emphasis on the four job titles encompassing penetration testing proclivities. Additional research targeting specific job roles in Oversight and Governance, planned for later in 2018, provides the opportunity to compare profile results. Based upon the findings, additional research may be warranted.