Fighting the Cyber-skills Shortage – A Deep Dive into the Learning Pathway

Cybersecurity is one of the fastest growing professions in Europe’s job market. As the cyber industry continues to expand, and given the increasingly aggressive cyber-landscape we face, it’s fundamental for businesses of all sizes, and society in general, to be able to count on highly skilled cybersecurity professionals qualified in a variety of disciplines.

This is where comes into play. Our vision is to develop innovative tools and comprehensive training and performance measurement materials for the provision of cybersecurity training scenarios and exercises, and cyberattack and defence simulations. Learning Pathway has developed a unique, risk-centric learning pathway to train both users with little knowledge of cyber risks and their socio-economic impacts, and users who are familiar with cybersecurity and want or need to attain a higher level of skill. The main characteristic of the risk-centred approach is that training activities are organised around cyber-risk.
Designed to align with the internationally recognised ISO 27001 and ISO 27005 security standards, which are used in both industry and academia, the learning pathway incorporates a cybersecurity awareness element as well as more complex concepts that are introduced in the advanced offering levels.
The learning pathway consists of four main parts:

  1. Cybersecurity and risk awareness
  2. Context establishment
  3. Cyber risk assessment
  4. Cyber risk treatment and cost/benefit analysis

Although these parts are shown as consecutive steps, they do not have to be carried out consecutively. Depending on their previous knowledge and skills, participants may choose to obtain training in one or more parts of the learning pathway by selecting appropriate courses.

Part 1, Cybersecurity and risk awareness, aims to make participants aware of common cybersecurity risks. The other three parts match corresponding steps in ISO 27005 and are typically referred to collectively as cyber-risk analysis.
Context establishment defines and describes the target of analysis, including its scope and focus.
Cyber-risk assessment covers risk identification (including vulnerabilities and unwanted incidents), risk estimation, and risk evaluation.
Cyber-risk treatment and cost/benefit analysis covers treatments/countermeasures and their economic effects as well as their impact on the cyber-risk picture.

With respect to the training materials, the Consortium is currently developing courses and supporting training material for the first two (of four) offering levels, Primer and Basic.

Primer is the first offering level and will be accessible free of charge from the website. Primer targets a very broad audience and offers basic information, with the objective of raising cybersecurity and risk awareness.
Basic targets users familiar with cybersecurity and willing to test and improve their skills on a more sophisticated level.

Deliverable 4.1 "Training material, initial version" describes seven courses for the Primer level and four courses for the Basic level.

Primer Offering Level

Basically, five of the seven courses for the Primer level focus on creating awareness of five common cybersecurity risks. The remaining two focus on an introduction to cyber-risk analysis, cyber-risk assessment and cybersecurity.

| Courses about cybersecurity and risk awareness | Offering level |
| --- | --- |
| Introduction to cyber-risk analysis and cybersecurity | Primer |
| Awareness of Phishing | Primer |
| Awareness of Password Weaknesses | Primer |
| Awareness of Ransomware | Primer |
| Awareness of Data Leakage | Primer |
| Awareness of Insider Threat | Primer |
| Introduction to cyber-risk assessment | Primer |

Basic Offering Level

The Basic courses focus on various aspects of context establishment and cybersecurity-risk identification. Students also get a first look at the cyber-range training with simple, pre-defined training scenarios created to simulate real use cases.

| Courses about context establishment | Offering level |
| --- | --- |
| Describe target of analysis, level 1 | Basic |
| Identify and describe security assets, level 1 | Basic |
| Identify and describe threat profiles and high-level risks, level 1 | Basic |

| Courses about cyber-risk assessment | Offering level |
| --- | --- |
| Identify risks, level 1 | Basic |

| Courses about cybersecurity and risk awareness | Offering level |
| --- | --- |
| Awareness of Password Weakness with hands-on training | Basic |


In the coming months, the Consortium will work in parallel on both technical development and the creation of more advanced courses to complete the suite of offerings.