A Framework for Mapping Organisational Workforce Knowledge Profile in Cyber Security

Lata Nautiyal, Awais Rashid

TL;DR

The paper addresses the lack of a standardized method to map an organisation's cyber security knowledge to a baseline reference. It proposes a knowledge profiling framework that maps individual employees' knowledge to CyBOK via four components (CER, TRA, EXP, RES) and aggregates these into an organisational knowledge profile denoted as $KP_{ORG}=\bigcup\{KP_{EMP1},...,KP_{EMPN}\}$, leveraging $CYB=\{KA_1,KA_2,\dots,KA_n\}$ and a mapping $C_{<KA,t,d>}\leftarrow Map(CYB)$ to CyBOK. The framework was developed through three UK case studies and refined in practitioner workshops, demonstrating how coverage and currency analyses can guide targeted recruitment, training, or outsourcing decisions, including assessment of third-party knowledge capabilities. Practically, the approach provides versatile graphical representations for decision-makers and supports currency tracking through a time-aware function $T_d\leftarrow v(x)$ to reflect knowledge validity at current time $T_c$. Overall, the framework offers a rigorous, extensible method to align organisational cyber security knowledge with CyBOK, enabling strategic talent development and risk-aware outsourcing while highlighting areas for automation in future work.
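A worked illustration of the aggregation described above, added here and not code from the paper: employee profiles are sets of <KA, t, d> items, KP_ORG is their union, and coverage and currency are read off per Knowledge Area. The CyBOK KA subset is constructed for the example, the filter in build_profile is a simple stand-in for Map(CYB), and reading d as the date until which an item's evidence stays valid (T_d from v(x), compared against T_c) is an assumption.

```python
from dataclasses import dataclass
from datetime import date

# CYB = {KA_1, ..., KA_n}: a constructed subset of CyBOK Knowledge Areas for this example.
CYB = {"Malware & Attack Technologies", "Security Operations & Incident Management",
       "Forensics", "Cryptography", "Software Security", "Web & Mobile Security"}
COMPONENTS = ("CER", "TRA", "EXP", "RES")  # the paper's four evidence components

@dataclass(frozen=True)
class Evidence:
    """One item <KA, t, d>. Reading d as the date until which the evidence stays
    valid (T_d <- v(x)) is an assumption made for this example."""
    ka: str
    t: str
    d: date

def build_profile(items):
    """KP_EMP: evidence mapped onto CyBOK; items outside CYB or COMPONENTS are dropped."""
    return {e for e in items if e.ka in CYB and e.t in COMPONENTS}

def org_profile(*profiles):
    """KP_ORG = union of KP_EMP1 ... KP_EMPN."""
    return set().union(*profiles)

def coverage(kp, t_c):
    """Per KA: components with current evidence (v(x) >= T_c) and components that lapsed."""
    out = {ka: {"current": set(), "lapsed": set()} for ka in CYB}
    for e in kp:
        out[e.ka]["current" if e.d >= t_c else "lapsed"].add(e.t)
    return out

def gaps(kp, t_c):
    """KAs with no current evidence: candidates for recruitment, training or outsourcing."""
    return {ka for ka, c in coverage(kp, t_c).items() if not c["current"]}

# Constructed sample: two employees and a current time T_c.
T_C = date(2024, 6, 1)
EMP_X = build_profile([
    Evidence("Cryptography", "CER", date(2026, 1, 1)),
    Evidence("Software Security", "EXP", date(2025, 3, 1)),
    Evidence("Forensics", "TRA", date(2023, 1, 1)),  # lapsed before T_c
])
EMP_Y = build_profile([
    Evidence("Security Operations & Incident Management", "EXP", date(2027, 1, 1)),
    Evidence("Cryptography", "RES", date(2025, 9, 1)),
    Evidence("Project Management", "CER", date(2030, 1, 1)),  # not a CyBOK KA: dropped
])
KP_ORG = org_profile(EMP_X, EMP_Y)
if __name__ == "__main__":
    print("gaps:", sorted(gaps(KP_ORG, T_C)))
```

Running it lists Forensics as a gap even though an employee holds training evidence there, because that evidence lapsed before T_c; this is the currency check the TL;DR describes.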

Abstract

A cyber security organisation needs to ensure that its workforce possesses the necessary knowledge to fulfil its cyber security business functions. Similarly, where an organisation chooses to delegate its cyber security tasks to a third-party provider, it must ensure that the chosen entity possesses robust knowledge capabilities to effectively carry out the assigned tasks. Building a comprehensive cyber security knowledge profile is a distinct challenge; the field is ever evolving, with a range of professional certifications, academic qualifications and on-the-job training. So far, there has been a lack of a well-defined methodology for systematically evaluating an organisation's cyber security knowledge, specifically that derived from its workforce, against a standardised reference point. Prior research on knowledge profiling across various disciplines has predominantly utilised established frameworks such as SWEBOK. However, within the domain of cyber security, the absence of a standardised reference point is notable. In this paper, we advance a framework leveraging CyBOK to construct an organisation's knowledge profile. The framework enables a user to identify areas of coverage and where gaps may lie, so that an organisation can consider targeted recruitment or training or, where such expertise may be outsourced, drawing in knowledge capability from third parties. In the latter case, the framework can also be used as a basis for assessing the knowledge capability of such a third party. We present the knowledge profiling framework, discussing three case studies in organisational teams underpinning its initial development, followed by its refinement through workshops with cyber security practitioners.

Paper Structure (23 sections, 1 equation, 16 figures, 1 table)

Figures (16)

  • Figure 1: Contrasting CISSP and CISM in terms of coverage of CyBOK Broad Categories
  • Figure 2: Contrasting CISSP and CISM in terms of coverage of CyBOK KAs
  • Figure 3: Methodology Flow Chart
  • Figure 4: Histogram and Spider Diagram of Employee X to show the CyBOK Knowledge Area and CyBOK Broad Category Coverage
  • Figure 5: Histogram and Spider Diagram of Employee Y to show the CyBOK Knowledge Area and CyBOK Broad Category Coverage
  • ...and 11 more figures