Defining cyber security: Staying relevant and robust by meeting the sector’s evolving needs

Published: 5 Jun 2023, 7:30 a.m.

Despite the increasing global relevance of cyber security, the field lacked a definitive framework of understanding up until fairly recently. Thanks to CyBOK, everyone from academics, researchers and students, to business professionals and recruiters, now has a codified and consolidated set of resources that can reliably guide their work. Since its beginnings in 2017, the Body of Knowledge has evolved and now provides a comprehensive set of resources alongside the core information chapters. As one of the original Executive Board members, Professor Andrew Martin reflects on how CyBOK grew out of a need to fill a gap in the sector, and is continuing to evolve in a way that will ensure its relevance as an indispensable reference tool.

You’ve been involved with CyBOK from the outset. How did the project transpire, and what was the original intention behind it?

People have been using the term ‘cyber security’ for some time, but if you drill down into what the term means, there wasn’t really a shared definition or understanding about what it is, particularly in terms of what it includes or what it doesn’t.

That was the motivation behind creating CyBOK: to get beyond the one-sentence descriptions of cyber security and come up with a definitive framework and articulation of what it is and what it covers. The need for such an in-depth description had come up in discussions even before the National Cyber Security Centre (NCSC) was officially set up. Eventually the NCSC asked for bids and our idea was formalised, based on discussions between myself, Awais at Bristol, and colleagues from Imperial, UCL and the University of York.

Not only did CyBOK win the original NCSC bid, its reach and influence have grown and keep growing. Why do you think that is?

In the cyber security community, we remain fairly unique. There are other cyber security frameworks and course accreditation frameworks, but whereas they tend to focus on what you can do with cyber security, or what skills you need, CyBOK is arguably the most comprehensive resource and provides a definition of what cyber security actually is.

That didn’t exist before CyBOK and was clearly needed. While people might have a broad understanding of what cyber security is, in terms of protecting digital assets against harms arising from a number of different sources, the technical, human-centric and legal aspects had not really been delineated. That was part of the task we were undertaking in putting the CyBOK together.

Cyber security has become a big issue, almost out of nowhere in one sense. The way that technology has developed, for good or ill, has meant that bad actors and adversaries have equally developed ways that they want to exploit the technology for malicious gain. In some sense, cyber security is a response to these parallel rapid developments. CyBOK provides a framework that supports the efforts to build a safe, inclusive and happy technological society.

The creation and ongoing development of CyBOK has involved a large community of people, both from academia and the wider cyber security community. What is the advantage of working in that way?

Gathering a broad community was absolutely crucial from the outset. In creating a definition, we needed a wide consensus. It’s also the case that cyber space is a matter of international interest, so we needed to gather a community of people who could help to ensure that what we created was robust and relevant.

When we began, we conducted a long scoping exercise over about nine months where we sought perspectives from different people about what our focus should be. We looked at everything from textbooks to conference materials and our own work. We also held a number of community workshops that led to some interesting and tangential conversations. Eventually, we had a mass of evidence from which we pulled out the themes that eventually became the Knowledge Areas. Once the community agreed with the list we ended up with, we were able to commission people to write those KAs.

Part of the original vision was to make CyBOK open access so that it would have value to as many people as possible. Both in our approach and the resources we’ve created, there has been a deliberate focus on ensuring that a broad range of people can participate and make use of it in whatever way they see fit. That includes academics who teach cyber security and other related subjects, as well as people who work in business or recruitment. It also provides a framework for conversations between scientists, policy makers and government bodies.

What is the most notable difference you’ve observed across the different sectors that work with cyber security, as a result of them using CyBOK?

One of the major contributions is how CyBOK has helped to articulate the fact that cyber security is a very big topic, wherein you can specialise in one aspect whilst gaining an understanding of the other core elements.

From an education and training perspective, it has given people a comprehensive and flexible way of visualising and mapping academic courses. People can see quite clearly which courses, for instance, focus on the human aspects of cyber security or the legal, or on secure software development, and so make their choices accordingly.

How do you see CyBOK evolving in the future?

When we first set out, we were aware that it couldn’t be a single, perfect body of knowledge because knowledge is constantly advancing. By concentrating on established knowledge rather than what’s on the cutting edge, we don’t need to rewrite it every month.

On the other hand, it does and will change over time as knowledge continues to grow and mature. We have processes in place to make sure we review the content and check that the breakdown of Knowledge Areas remains relevant. In that sense, the core will continue to evolve and over time it will gradually get new parts, such as the additional teaching resources that we are now commissioning. As a structured way of thinking about cyber security, CyBOK is a solid anchor for multiple sectors involved in the field and will continue to be so.

Andrew Martin is a member of the CyBOK Executive Board and Professor of Systems Security at the University of Oxford.