Cybersecurity Study Programs: What's in a Name?

TL;DR

This study analyzes 101 cybersecurity programs worldwide, revealing gaps in curriculum content and experiential learning, and offers recommendations to enhance program quality and alignment with industry needs.

Contribution

It provides a comprehensive analysis of global cybersecurity programs, highlighting deficiencies and proposing best practices for curriculum development and experiential learning.

Findings

Many top universities' programs lack essential cybersecurity elements.

Most programs do not sufficiently cover law, policies, or risk management.

Experiential learning opportunities are often missing from curricula.

Abstract

Improving cybersecurity education has become a priority for many countries and organizations worldwide. Computing societies and professional associations have recognized cybersecurity as a distinctive computing discipline and created specialized cybersecurity curricular guidelines. Higher education institutions are introducing new cybersecurity programs, attracting students to this expanding field. In this paper, we examined 101 study programs across 24 countries. Based on their analysis, we argue that top-ranked universities have not yet fully implemented the guidelines and offer programs that have "cyber" in their name but lack some essential elements of a cybersecurity program. In particular, most programs do not sufficiently cover non-technical components, such as law, policies, or risk management. Also, most programs teach knowledge and skills but do not expose students to experiential learning outside the traditional classroom (such as internships) to develop their competencies. As a result, graduates of these programs may not meet employer expectations and may require additional training. To help program directors and educators improve their programs and courses, this paper offers examples of effective practices from cybersecurity programs around the world and our teaching practice.