Training platform for the development of cybersecurity competences

Why did I get into product development?

We are responding to the issue of insufficient training of cybersecurity personnel in companies and institutions. We have capitalized on the know-how of the development team at FEE CTU and developed a training platform that will help with the development of cybersecurity competencies.

What problems does it solve for its customers?

The platform is currently targeted mainly at the government or non-profit sector, which falls under the Cybersecurity Act. It is a universal platform, so it allows testing for both specialists and end users/regular employees of a given organization.

It allows scenario preparation for the area being trained (i.e., the "body" of the program), as content can be flexibly modified within the platform.

A key advantage of the platform is the method of training (engaging) "ordinary" employees of companies and institutions together with their cyber-specialists in the form of modern methods of medium- or long-term adult education, which are completely lacking on the market.

The platform implements current knowledge from effective adult education, adapting game-based approaches to non-game environments. The training is not only focused on deepening professional competences (technical knowledge), the emphasis is on deepening personal competences - responsibility, creativity, problem-solving skills and teamwork.

Product development phase

The training platform can be deployed in practice. Basic training scenarios are ready. The platform makes it possible to create faithful copies of the customer's environment. The level of complexity of the scenarios depends only on the availability of resources.

Commercialisation method

The platform is offered for use directly by CTU. The platform itself is built on open source code and if the solution team is involved in the creation of training scenarios, its use is offered free of charge. As noted below, the greatest value for subsequent collaboration comes from the solution team in terms of designing the content and how each training session is executed.

We are also not opposed to working with a licensing partner who will provide promotion of the platform, creation of scenarios and training of participants with support from CTU.

Technical specifications

The training platform is entirely built on virtualization and uses a cloud-based solution. No HW acquisition will be required on the customer's side. If the customer requires the creation of a training arena that reflects the company's environment as closely as possible, it is necessary for the customer to provide appropriate licenses or images of the software they are using.

During the practical implementation of the education system into the offered platform, in the area of information security, we base ourselves on the US recommendation NIST SP 800-16[1], which defines the so-called "learning continuum" (Learning Continuum) for the individual roles that employees hold within the organization.

It is clear that in order for employees to successfully fulfill their roles within an organization, they must have the right tools and training. That is, in addition to the tools they use to do their job, the right combination of security awareness, skills, practical knowledge and abilities that are needed for each role.

For our system, we offer content creation according to each level of the model in the figure below.

Cybersecurity Learning Continuum by NIST[2]

We are then able to tailor training scenarios and provide training for each level. We propose the focus of the scenarios according to each level as follows:

We recommend that the "Security awareness" level be implemented for all employees within the organization. The training here is focused on common cybercrime attempts that an ordinary employee may encounter within the  operation of the organisation.

"Cybersecurity Essentials" is designed for those employees, including contractor employees, who interact with information systems in any way. This type of training provides a foundation for mastering important security terms, concepts and principles, etc.

"Role Based Training" focuses on the acquisition of specific knowledge and skills that an employee needs, within his/her role, to perform his/her job. At this level of training, it also respects the differences between the competences required of the individual participants.

The highest level of 'Education' then focuses on developing the ability to work in a multidisciplinary environment, to solve problems in a collaborative team and to deepen skills in their specialisation. At this level, our platform serves as a suitable complement for hands-on training while studying long-term educational programs within internationally recognized certifications.

[1] NIST, Information technology security training requirements: A Role -Based Model for Federal Information Technology/Cybersecurity  Training SP 800-16, USA [online]. Available from: https://csrc.nist.gov/CSRC/media/Publications/sp/800-16/rev-1/draft/documents/sp800_16_rev1_3rd-draft.pdf

[2] ZAHRI YUNOS, People factors in cyber resilience: creating the need for cybersecurity experts, [online]. Available from:  https://slideplayer.com/slide/13731024/