Table of Contents
Fetching ...

CurricuLLM: Designing Personalized and Workforce-Aligned Cybersecurity Curricula Using Fine-Tuned LLMs

Arthur Nijdam, Harri Kähkönen, Valtteri Niemi, Paul Stankovski Wagner, Sara Ramezanian

TL;DR

CurricuLLM addresses the misalignment between cybersecurity curricula and workforce demands by automating curriculum analysis and design with a two-tier LLM pipeline (PreprocessLM and ClassifyLM). It maps course content to CSEC2017 Knowledge Areas and NICE Knowledge Descriptions, derives role-based KA distributions, and optimizes elective selections to align with target job profiles using a constrained optimization that minimizes the deviation between the curriculum distribution and the target $T$ with binary decisions $x_i$. The framework is validated against expert annotators on real programs (KTH, NTU, CMU) and KD data, showing expert-like reliability and scalable curriculum analysis from course level to entire programs. The approach supports workforce alignment with the 2025 NICE framework and provides practical, data-driven guidance for personalized cybersecurity education.

Abstract

The cybersecurity landscape is constantly evolving, driven by increased digitalization and new cybersecurity threats. Cybersecurity programs often fail to equip graduates with skills demanded by the workforce, particularly concerning recent developments in cybersecurity, as curriculum design is costly and labor-intensive. To address this misalignment, we present a novel Large Language Model (LLM)-based framework for automated design and analysis of cybersecurity curricula, called CurricuLLM. Our approach provides three key contributions: (1) automation of personalized curriculum design, (2) a data-driven pipeline aligned with industry demands, and (3) a comprehensive methodology for leveraging fine-tuned LLMs in curriculum development. CurricuLLM utilizes a two-tier approach consisting of PreprocessLM, which standardizes input data, and ClassifyLM, which assigns course content to nine Knowledge Areas in cybersecurity. We systematically evaluated multiple Natural Language Processing (NLP) architectures and fine-tuning strategies, ultimately selecting the Bidirectional Encoder Representations from Transformers (BERT) model as ClassifyLM, fine-tuned on foundational cybersecurity concepts and workforce competencies. We are the first to validate our method with human experts who analyzed real-world cybersecurity curricula and frameworks, motivating that CurricuLLM is an efficient solution to replace labor-intensive curriculum analysis. Moreover, once course content has been classified, it can be integrated with established cybersecurity role-based weights, enabling alignment of the educational program with specific job roles, workforce categories, or general market needs. This lays the foundation for personalized, workforce-aligned cybersecurity curricula that prepare students for the evolving demands in cybersecurity.

CurricuLLM: Designing Personalized and Workforce-Aligned Cybersecurity Curricula Using Fine-Tuned LLMs

TL;DR

CurricuLLM addresses the misalignment between cybersecurity curricula and workforce demands by automating curriculum analysis and design with a two-tier LLM pipeline (PreprocessLM and ClassifyLM). It maps course content to CSEC2017 Knowledge Areas and NICE Knowledge Descriptions, derives role-based KA distributions, and optimizes elective selections to align with target job profiles using a constrained optimization that minimizes the deviation between the curriculum distribution and the target with binary decisions . The framework is validated against expert annotators on real programs (KTH, NTU, CMU) and KD data, showing expert-like reliability and scalable curriculum analysis from course level to entire programs. The approach supports workforce alignment with the 2025 NICE framework and provides practical, data-driven guidance for personalized cybersecurity education.

Abstract

The cybersecurity landscape is constantly evolving, driven by increased digitalization and new cybersecurity threats. Cybersecurity programs often fail to equip graduates with skills demanded by the workforce, particularly concerning recent developments in cybersecurity, as curriculum design is costly and labor-intensive. To address this misalignment, we present a novel Large Language Model (LLM)-based framework for automated design and analysis of cybersecurity curricula, called CurricuLLM. Our approach provides three key contributions: (1) automation of personalized curriculum design, (2) a data-driven pipeline aligned with industry demands, and (3) a comprehensive methodology for leveraging fine-tuned LLMs in curriculum development. CurricuLLM utilizes a two-tier approach consisting of PreprocessLM, which standardizes input data, and ClassifyLM, which assigns course content to nine Knowledge Areas in cybersecurity. We systematically evaluated multiple Natural Language Processing (NLP) architectures and fine-tuning strategies, ultimately selecting the Bidirectional Encoder Representations from Transformers (BERT) model as ClassifyLM, fine-tuned on foundational cybersecurity concepts and workforce competencies. We are the first to validate our method with human experts who analyzed real-world cybersecurity curricula and frameworks, motivating that CurricuLLM is an efficient solution to replace labor-intensive curriculum analysis. Moreover, once course content has been classified, it can be integrated with established cybersecurity role-based weights, enabling alignment of the educational program with specific job roles, workforce categories, or general market needs. This lays the foundation for personalized, workforce-aligned cybersecurity curricula that prepare students for the evolving demands in cybersecurity.
Paper Structure (33 sections, 1 equation, 9 figures, 15 tables)

This paper contains 33 sections, 1 equation, 9 figures, 15 tables.

Figures (9)

  • Figure 1: CurricuLLM applied to the KTH MSc in Cybersecurity (Case Study in Section \ref{['sec:example']}). Knowledge Area distributions are indicated as pie charts, following the color scheme as displayed in the legend on the top right of the figure. Each possible recommended elective is shown on the top left, the aggregated KA distribution of the mandatory part of the curriculum is shown in the center, as well as the required KA distribution for the Vulnerability Analyst job role. The KA labeling process is illustrated in greater detail for the Building Networked Systems Security course on the bottom of the figure. The selected elective courses and the final KA composition of the program are listed on the right.
  • Figure 2: The prompt template used for PreprocessLM to extract subtopics from a larger piece of text. The placeholders {topic} and {description} are replaced by the Knowledge Unit (or course title) and its corresponding detailed description, respectively.
  • Figure 3: Computation of the Knowledge Area distribution for individual job roles within the NICE framework. The figure illustrates the hierarchical mapping from job categories to job roles and a representative subset of Knowledge Descriptions associated with the Vulnerability Analysis role. These KDs are labeled with KAs using ClassifyLM and aggregated to derive the corresponding KA distribution.
  • Figure 4: Comparison of Expert Group X ($X_1$, $X_2$, and $X_3$), the Control Group (Control A), and the proposed CurricuLLM model, evaluated on three randomly selected courses from each of the curricula of KTH, NTU, and CMU. Values for Control Group A represent the average over three annotators.
  • Figure 5: Comparison of Expert Group X ($X_1$, $X_2$, and $X_3$), the Control Group (Control B), and the proposed CurricuLLM model, evaluated on 50 Knowledge Descriptions extracted from the NICE 2025 framework. Values for Control Group B represent the average over five annotators, for a subset of 15 KDs (indicated with $*$).
  • ...and 4 more figures