Framework, Tools and Good Practices for Cybersecurity Curricula

Cybersecurity education and training are essential prerequisites of achieving a secure and privacy-friendly digital environment. Both professionals and the general public widely acknowledge the need for high-quality university education programs and professional training courses. However, guides, recommendations, practical tools, and good examples that could help institutions design appropriate cybersecurity programs are still missing. In particular, a comprehensive method to identify skills needed by cybersecurity work roles offered on the job market is missing. This paper aims to provide practical tools and strategies to help higher education providers design good cybersecurity curricula. First, we analyze the content of 89 existing study programs worldwide, collect recommendations of renowned institutions within and outside the EU, and provide a comprehensive survey accompanied by a dynamic web application called Education Map. Based on the knowledge about the current state in cybersecurity education, we design the SPARTA Cybersecurity Skills Framework that provides the currently missing link between work roles and required expertise and shows how to develop a curriculum that reflects job market requirements. Finally, we provide a practical tool that implements the framework and helps education and training providers design new study programs and analyze existing ones by considering the requirements of cybersecurity work roles.


I. INTRODUCTION
The labour market lacks qualified cybersecurity professionals. This fact is stated in official reports, unofficial surveys among employers and easily visible in job databases. For instance, the Cybersecurity Workforce Study 2019 [16] estimates that there is a shortfall of 4.07 million cybersecurity experts. Moreover, ENISA [13] affirms that current training courses do not sufficiently address different cybersecurity sub-sectors such as the critical infrastructures and the implementation of the General Data Protection Regulation (GDPR). One solution to these problems is to enhance cybersecurity education and training so that more cybersecurity experts can fill in the vacancies. Indeed, many curricula focused on cybersecurity are currently emerging. However, these new degrees are often viewed as an add-on to computer science ones and fail to realize the critical importance of the interdisciplinary nature of this area [12]. This paper presents the methodology for creating cybersecurity study curricula for higher education. The presented methodology is based on (1) a mapping of expected capabilities of the cybersecurity workforce, (2) a deep analysis of existing recommendations for curricula designs (including recommendations from computing associations and national guidelines), and (3) an analysis of existing study programs covering 89 undergraduate and graduate programs in total and their mapping to work role requirements.
We design our methodology using the Cybersecurity Skills Framework [27] developed within the Strategic Programs for Advanced Research and Technology in Europe (SPARTA). Through it, we make it possible for different universities and training institutions to define their study programs according to their needs and capabilities. Our idea is that by using the same framework, the universities will share the same taxonomy of courses and the common procedure for selecting Knowledge, Skills and Abilities (KSA) required for particular work roles, i.e., positions on the job market, at which graduates are aiming.
We further support our methodology by proposing a web application, called Curricula Designer, to assist with the creation of study programs (Section V-C). Its main feature is to simplify the design of a study program composed of courses that match the requirements of particular cybersecurity work roles.
By providing a unified approach for designing the curricula, showing the good-practice curricula and developing a practical software tool usable for curricula design, we hope to boost new cybersecurity study programs at universities and training institutions while emphasizing the interdisciplinary nature of cybersecurity. Furthermore, we hope that the new programs will be designed according to specific rules and standardized approaches reflecting the actual requirements of particular cybersecurity positions.

A. OUR CONTRIBUTION
Our contribution is threefold. Firstly, this article revises the existing curricular recommendations from renowned institutions dealing with cybersecurity training and education. Secondly, using the SPARTA Cybersecurity Skills Framework (CSF), we have linked the cybersecurity skills to work roles recognized on the job market. The established links enable us to analyze a sample of 89 study programs and provide an overview of the current cybersecurity education status. Finally, our analyses are an instrument and a stimulus for designing higher-education study programs in cybersecurity through a cybersecurity curricula designer tool.
Moreover, the collected data are visualized in a dynamic web application to help students search for a cybersecurity study program.
The rest of the paper is organized as follows. Section II reviews related work on cybersecurity education. Section III summarizes the cybersecurity skills framework used to define good-practice cybersecurity curricula. Section IV provides the analysis of existing cybersecurity Bachelor's and Master's study programs. Section V shows the methodology for creating novel curricula, the good-practice curricula, and the web application for designing cybersecurity curricula. The final section contains our conclusions.
This article summarises and builds upon the results of research activities conducted within the SPARTA project [31]. An extended description of the methods and tools presented in this paper, in particular the SPARTA Cybersecurity Skills Framework and Good-Practice Cybersecurity Curricula, is available in our technical reports on SPARTA CSF [27] and Curricula Descriptions [28].

II. RELATED WORK
The purpose of this section is to provide the initial mapping of the existing curricular recommendations from renowned institutions dealing with cybersecurity training and education. The analysis serves as the input to the further activities, in particular to the design of our curricula design methodology and good-practice curricula. By reviewing the current recommendations, we also aim to grasp how primary subjects (e.g., mathematics) can be linked to the KSAs expected by the practitioners in the field of cybersecurity, as skills frameworks usually do not reflect fundamental subjects.
Nowadays, new cybersecurity courses are developed by academics in response to real-world needs both in the public and private sectors. However, there is no consolidated common approach to define the requirements of a cybersecurity curriculum, in particular, which skills need to be taught and which areas of expertise need to be covered. For this reason, many academics, computing societies, and governmental organizations have proposed educational frameworks that include recommendations, guidelines, and practices to drive the creation of new cybersecurity curricula. These frameworks help curriculum designers to understand the requirements of cybersecurity disciplines and to define topics and themes that are considered fundamental. Although significant differences arise among these frameworks, they seem to agree on the fundamental cybersecurity topics. In particular, the common aspect is that they identify "interdisciplinarity" as the key term in determining the best security program: cybersecurity courses of study should offer classes in different areas of computer science, engineering, management and law. Figure 1, taken from CyBOK [25], summarises the areas of interest of the cybersecurity field and highlights the orthogonality of different areas and multi-disciplinarity. However, the emphasis given to each topic varies among the various educational frameworks.
In this section we provide a short survey of the frameworks we consider the most relevant proposals and recommendations for establishing security courses of study.

A. JOINT TASK FORCE GUIDELINE
At the end of 2017, the first set of global curricular recommendations in cybersecurity education was released by the Joint Task Force on Cybersecurity Education (CSEC2017 JTF).
This task force is an outcome of The Cyber Education Project (CEP) [11], an initiative supported by academic institutions, governments and industries in the USA, to (1) develop undergraduate curriculum guidelines for educational programs in the Cyber Sciences, and (2) establish a case for the accreditation of educational programs. The term Cyber Sciences refers to all disciplines that involve technology, people, and processes to enable assured operation in the presence of risks and adversaries.
The mission of the CSEC2017 JTF is to devise curricular recommendations and to produce a volume [1] that structures the cybersecurity discipline and drives institutions to develop or modify a broad range of programs in Cyber Sciences. The CSEC2017 volume highlights the interdisciplinary nature of a course of study, and stresses that, although fundamentally computing-based, the studies need to include aspects of law, policy, human factors, ethics, and risk management. In particular, the CSEC2017 volume advocates for curricula to include:
• A computing-based foundation (e.g., computer science, information technology);
• Concepts that are crosscutting and broadly applicable across the range of specializations (e.g., cybersecurity's inherent adversarial mindset);
• Essential cybersecurity knowledge and skills;
• An emphasis on the ethical conduct and professional responsibilities in the field.
Furthermore, the CSEC2017 volume suggests that cybersecurity programs need to provide content that includes the theoretical and conceptual knowledge essential to understanding the discipline, and activities to develop the practical skills by application of the theoretical knowledge. CSEC2017 is organized around the idea of Knowledge Areas (KAs). Collectively, KAs represent the full body of knowledge within the field of cybersecurity. Thus, the goal is that essential concepts of each KA capture the cybersecurity proficiency that every student needs to achieve. KAs are structured in Knowledge Units (KUs), e.g. thematic groupings of related topics.
The thematic topics do not cover the actual content of a course but they must be instantiated to the specific material that the course wants to cover. For example, in the Data Security KA there is a KU about Access Control that reports several types of controls. The specific system to be presented in the course is left to the course designer. Furthermore, KUs do not necessarily correspond to courses or course units, but courses typically contain topics from multiple KUs. Furthermore, KAs are not mutually exclusive, because KUs are relevant for, and logically placed in, multiple knowledge areas.
The document introduces eight KAs: For an overview of the content for each KA, reporting the essential concepts students should learn and the KUs, we refer the reader to the CSEC2017 volume [1].

B. AUSTRALIAN COMPUTER SOCIETY GUIDELINE
The Australian Computer Society (ACS) [3], the largest professional body in Australia representing the Information and Communication Technology (ICT) sector, started offering Specialist Accreditation in Cyber Security for courses that prepare graduates for specialist roles in cybersecurity [17]. Although ACS does not formally provide curricula guidelines, the requirements for accreditation can be used as best practices. In addition, programs seeking specialist accreditation in Cyber Security are also required to meet the ACS criteria for ICT accreditation.
These criteria are based on the Skills Framework for the Information Age (SFIA) [26]. The framework is used as a model for describing and managing skills and competencies for ICT professionals. It consists of professional skills with seven levels of responsibility and competence, and describes the professional skills required at the various levels. The levels that are relevant for the ACS accreditation in cybersecurity are level 3 and level 5. Level 3 requires that the IT professional is able to complete work packages, escalate problems under his own discretion, work with suppliers and customers and have some supervisory responsibility. Level 5 requires that the Information Technology (IT) professional is able to decide broad direction and supervise, to set objectives, to influence organizations, and to be self-sufficient in business skills. Level 3 is required for Professional Specialist Accreditation in Cyber Security: this accreditation seems to require professionals to show a certain level of autonomy in completing tasks, but they are not required to have any management skills. Level 5 is required for Advanced Professional Specialist Accreditation in Cyber Security, which demands that professionals show a good level of management and supervisory skills.
Furthermore, the ACS criteria require specific courses for teaching cybersecurity topics. The criteria do not explicitly define these topics; they specify only that the topics should be compatible with the Core Body Of Knowledge (CBoK) for ICT professionals [2]. The CBoK describes the essential ICT knowledge required for any ICT professional and it is structured in knowledge areas that include: 1) ICT Professional Knowledge (ethics, professional expectations, teamwork concepts and issues, interpersonal communication, societal issues/legal issues/privacy and understanding the ICT profession); 2) ICT Problem Solving; Technology Resources (hardware and software fundamentals, data and information management, networking); Technology Building (human factors, programming, systems development, systems acquisition); 3) ICT Management (IT governance and organisational issues, service and project management, security management). The ACS proposes two kinds of accreditations: Professional Specialist Accreditation in Cyber Security (PSACS) and Advanced Professional Specialist Accreditation in Cyber Security (APSACS).
• Degree programs that aim at PSACS must identify a specific Cyber Security professional role they want to train for. Then, they need to address SFIA skills at level 3 by focusing on those that are specific for the professional role they identified; finally, the course of study must contain at least 8 subjects drawn from an appropriate Cyber Security body of knowledge compatible with CBoK.
• Degree programs that aim at APSACS must first identify a specific Cyber Security professional role they want to train for. Then, they need to address SFIA skills at level 5 by focusing on the skills required for the identified role. Finally, the course of study must contain at least 8 subjects drawn from an appropriate Cyber Security body of knowledge compatible with CBoK.

C. UK CYBERSECURITY CENTRE GUIDELINE
The UK government has established the National Cybersecurity Centre (NCSC) [30]. The NCSC understands cybersecurity, and distils its knowledge into practical guidance; it uses industry and academic expertise to secure public and private sectors. It also certifies bachelor and master degrees in cybersecurity and closely related fields. Although it does not explicitly provide an official educational framework, requirements can be implicitly interpreted as guidelines for defining high-level curricula in cybersecurity.
At the bachelor's level, NCSC provides three types of certification (called pathways) for "Bachelor's degrees with Honours in Computer Science" [19] that: 1) address underpinning computer science topics relevant to cybersecurity (pathway A), 2) provide a general, broad foundation in cybersecurity (pathway B), 3) provide a foundation in Digital Forensics (pathway C). For each pathway, NCSC indicates the topics that the syllabus is expected to cover; the number of credits in Higher Education Credit Framework for England (HEI) reserved for each specific topic; and the skills that students are expected to master when they finish their studies. The topics include basics of computer science and foundations of cybersecurity.
The certification prescribes the skills that students should have upon graduation; thus, it defines the learning outcomes of a certified Bachelor's degree. In particular, students must be able to:
• demonstrate a sound understanding of the main areas of knowledge in cybersecurity and to exercise critical judgement;
• critically analyse and apply essential concepts to defined scenarios, selecting and using effective tools and techniques;
• analyse, design and develop a system, showing problem solving and evaluation skills; demonstrate generic skills about work organization as an individual and as a team member and with minimum guidance;
• apply appropriate practices within a professional, legal and ethical framework; identify mechanisms for continuing professional development and lifelong learning;
• be creative and innovative in their application of the principles covered in the curriculum;
• be able to exercise critical evaluation and review of both their own work and the work of others.
Universities that want to certify their Bachelor's degrees should select one of the available pathways to apply. Depending on the pathway, NCSC defines specific subject areas that degrees should fully or partially cover.
For Pathway A, the syllabus of a candidate degree must provide, out of a total of 360 credits, a minimum of 270 HCI (Human Computer Interface) credits in computer science, of which at least 240 can be mapped to the specific topics detailed below. For Pathways B and C, a candidate degree must have a minimum of 160 HCI credits in computer science, of which at least 135 must cover the specific topics detailed below.
In particular, each pathway requires that candidate degrees meet the following specific constraints:
• For pathway A, a Bachelor's degree must cover in good breadth and depth topics from basics of computer science, like software engineering and system fundamentals. It must also cover fundamental concepts of security, as well as more advanced security topics like low level techniques and tools, and secure programming. Moreover, students must undertake an individual project and a dissertation relevant to cybersecurity for 20/40 credits.
• For pathway B, a Bachelor's degree is required to have a minimum of 90 credits on topics related to cybersecurity, not necessarily specific for computer science, like information security management, information assurance methodologies and incident management. Furthermore, topics related to computer science must be covered in good breadth and depth. These topics include software engineering, computer networks and operating systems. Finally, students must undertake an individual project and a dissertation on a topic relevant to cybersecurity for 20 and 40 credits.
• Pathway C is about Digital Forensics. To be accredited, a Bachelor's degree must provide 90 HCI credits in topics related to digital forensics. These topics must include the theoretical fundamentals of digital forensics with its applications and tools (covered in good breadth and depth), information security, and all the aspects relevant to the legal process. Furthermore, it also has to cover topics related to computer science, like software engineering, computer networks and operating systems. Finally, students must undertake an individual project and a dissertation on a topic related to digital forensics.

D. USA NATIONAL CENTERS OF ACADEMIC EXCELLENCE
The  CAE-R) for those institutions that do research in cybersecurity. All regionally accredited two-year, four-year, and graduate level institutions in the US can apply to become a CAE-CD school and receive the designation if they meet specific criteria. Since we are interested in educational guidelines, we omit any discussion about CAE-R. For the designation of Bachelor, Master, and Doctoral, applicants must be a regionally accredited four-year college or graduate-level university. Besides an evaluation concerning organizational aspects (see CAE-CDE Criteria [22]), it is required that the institution's curricula adhere to CAE-CD Knowledge Units. These Knowledge Units describe the topics to be covered and the goals they have to achieve. In particular, the program must be mapped to the Foundational, Core and selected Optional KUs.
The CAE-CO program is a technical education program firmly grounded in computer science, computer engineering, and/or electrical engineering disciplines. It complements CAE-CD, putting specific emphasis on technologies and techniques. Programs must meet a set of academic requirements and programmatic criteria which measure the depth and maturity of the programs. A CAE-CO program must include knowledge units that cover a specific quantity of mandatory academic content, like low level programming languages, operating systems, etc., and a minimum of 10 of the 17 optional academic content, e.g., wireless security.

E. NATIONAL INITIATIVE FOR CYBERSECURITY EDUCATION (NICE)
The National Initiative for Cybersecurity Education (NICE) is a U.S. partnership between government, academia and private sector led by the National Institute of Standards and Technology (NIST). Its main goal is to support U.S. cybersecurity training and education providers through the introduction of new standards and best practices. Besides other documents, NICE created the NICE Framework, which has already been standardized as the NIST Special Publication 800-181 revision 1, the Workforce Framework for Cybersecurity (NICE Framework) [20]. The NICE Framework provides a detailed description of the main building blocks, i.e., Knowledge, Skills and Tasks of cybersecurity Work Roles. Using the NICE Framework, it is possible to easily identify what knowledge and skills are required by particular work roles available on the cybersecurity job market. Besides the standard, the NICE initiative also published a supplemental document called Reference Spreadsheet [21] that covers the mapping between Work Roles and Tasks, Knowledge and Skills.

F. THE CYBER SECURITY BODY OF KNOWLEDGE
The CyBOK [25] is a project funded by the National Cyber Security Programme and led by the University of Bristol whose goal is to codify the foundational and generally recognised knowledge on cybersecurity. The problem the project is trying to address is the fragmented and incoherent foundational knowledge for the cybersecurity field. It takes inspiration from mature scientific disciplines, such as mathematics, physics, chemistry, and biology that have long-established foundational knowledge and clear learning steps from secondary school to undergraduate degrees at university, and beyond. Its long-term goal is to be a guide to the body of knowledge and to work as the basis on which educational programs, ranging from secondary and undergraduate education to postgraduate, can then be developed.
The knowledge that it codifies already exists in literature such as textbooks, academic research articles, technical reports, white papers and standards. The focus is, therefore, on mapping established knowledge and not fully replicating everything that has ever been written on the subject.
The CyBOK project managed to identify 19 Knowledge Areas (KAs) and to organize them into a coherent framework. The KAs are not orthogonal; indeed, there are a number of dependencies across them. Moreover, they are grouped into five broad categories, as summarized visually in Figure 1. These five categories are: 1) Software and Platform Security; 2) Systems Security; 3) Attacks and Defences; 4) Infrastructure Security; 5) Human, Organisational, and Regulatory Aspects.
Furthermore, the CyBOK was used by Hallet et al. [18] as the basis for comparing different cybersecurity curricular frameworks. In particular, they compared four curricular frameworks and for each of them they mapped its topics and learning outcomes onto CyBOK knowledge areas.
Their analysis shows that, although the different frameworks consider a common corpus of topics, they differ in the emphasis put on each topic. For example, CSEC 2017 JTF (see Section II-A) focuses more on Human, Organisational, and Regulatory Aspects. The reader is referred to [18] for details on the comparisons.

G. ENISA'S CYBERSECURITY SKILLS DEVELOPMENT IN THE EU
In this subsection, we consider a document from ENISA [14], which deals with CyberSecurity Skills Shortage (CSSS). The main goal of this report is to identify the main reasons of skill shortage, considered not just an EU problem, but a worldwide one. The report focuses on the status of the cybersecurity education system and on the mismatch of expectations between the main stakeholders, namely industry, academia, and government. ENISA acknowledges that cybersecurity skills shortage is a multidimensional policy issue and argues that today's educational systems are unable to attract more students to cybersecurity studies and to produce graduates with "the right set of cybersecurity skills and knowledge". According to ENISA, actions must be taken in order to form these graduates and effectively solve, even if only partially, the CSSS issue.
As part of their analysis, ENISA dedicates attention to four states (Australia, France, United Kingdom, and the United States) which have approached the problem by proposing certification of cybersecurity degrees. Based on this data and other relevant sources like statistics, governmental statements from European Economic Area (EEA) countries and relevant quotes from firms in the industry (e.g., Kaspersky Lab), ENISA provides recommendations and considerations for the main stakeholders and outlines their possible role in helping with CSSS.
As an outcome of the analysis of the existing certification procedures of cybersecurity degrees, ENISA listed six major requirements that are recurrent and states that any higher education cybersecurity degree should have: 1) enough specific credits dedicated to cybersecurity courses and activities, 2) a structured curriculum, possibly including a practical/training component or specific types of examinations and activities such as cybersecurity competitions, 3) a high-quality teaching faculty, which might include lecturers from the industry, 4) a broader multi-/inter-disciplinary focus, 5) outreach activities and collaborations with the rest of the national cybersecurity ecosystem, 6) information on academic and employment outcomes. Furthermore, in order to promote cybersecurity education and help with solving CSSS, ENISA has created the Cybersecurity Higher Education Database [15], which aims to become the main reference for all persons looking to improve their cybersecurity knowledge and skills.

H. SUMMARY ON EXISTING GUIDELINES
We presented some of the most relevant curricular guidelines for cybersecurity studies. These guidelines constitute requirements that courses of study must meet to receive an accreditation by governments or computing societies. These accreditation programs aim at certifying that the content of a course of study and the skills acquired by graduates meet the expected standards.
Although significant differences arise among these frameworks, especially regarding the emphasis to put on each topic, they seem to agree on the fundamental choices about what to teach to train cybersecurity experts. Furthermore, they identify "interdisciplinarity" as one of the key terms for cybersecurity education. They agree on the fact that cybersecurity courses of study should offer classes in different areas ranging from computer science to management, and from engineering to law. In addition, hands-on training, use of cyber ranges, tight connections to industry, and gamification are aspects that resonate through multiple frameworks and recommendations.

III. CYBERSECURITY SKILLS FRAMEWORK
Efforts to fill the skills gap require the EU, governments, academia, industry, as well as societies and professionals to take an active role. Undertaking such concerted efforts, however, will require a common language that allows for productive cybersecurity-related skills discussions across the Member States, industry, academia and professionals, so that actors can unambiguously understand each other.
The SPARTA project therefore dedicates its efforts to analysing the state of knowledge on skills management, reviewing best practices and proposing the way forward with the development of an EU-based cybersecurity skills framework.
The SPARTA CSF [27] is based on the structure of the NICE Framework [20], and takes into account the following dimensions:
• Work Roles: general groupings of cybersecurity and related requirements which include a list of attributes in the form of knowledge, skills, abilities (KSAs) and tasks required to perform these roles.
• Knowledge, Skills, and Abilities (KSAs): the attributes required to perform work roles, generally demonstrated through relevant experience, education and training [20].
• Tasks: specifically defined pieces of work that, combined with other identified Tasks, form the work in a specific specialty area or work role.
In addition to the main structure of the Framework, KSAs are also linked to the competences in the secondary components of the NICE Framework. There are four Competence Groups: Each Competence Group is associated with a Competence Level, providing a direct link to the KSAs. In this way, competencies can also be linked to other components of the Framework structure. Table 1 shows the list of NICE competencies divided according to the group they belong to.
Clearly, technical competencies dominate, cybersecurity being a highly technical field.
Possible applicability of SPARTA CSF for Academia is described fully in D9.1 Chapter 6.2 Use of the Framework [27]. Here, we provide the main activities to be executed:
• Evaluate - the right granularity of requested knowledge/skills/abilities allows education and training providers to review their curricula in a structured and systematic manner. They have a recognised framework to be used as the main benchmark instrument.
• Improve - can be done based on the evaluation exercise. This is especially important considering the emerging needs of practitioners. The Framework is able to transmit arising requests at an early stage, providing Academia with the foresight to improve and develop their curricula further.
• Focus - education provided by universities may differ in the way they address core competencies. Some might be more focused on specific technological subjects, some on law, others on forensics, etc. Having an integrated Framework to work with, they can map their core competencies onto various subject areas, important for defined roles. This enables the institution to develop more effective targeted programs in house around the main competencies.
At this point it is important to describe the Framework and its relationship to professional training and education.
Professional training providers can use the Framework directly, as they are aware of the KSAs required by practitioners and how those are interlinked with the work roles performed.
Links with Education are less obvious, as the Framework describes KSAs requested within a context of associated activities, but it does not provide any indication of how those links can be established. Education institutions compose their curricula considering the complete path - they start with the fundamental capabilities that are required for the individual to learn as a basis for the next set of follow-on subjects. This is reflected in the SPARTA Topics (see Fig. 2) proposed as the result of the analysis of current Education programs. SPARTA Topics include all subjects required to get individuals ready to enter the professional workforce, including fundamental Topics, cyber security Topics and technology-related Topics. Distribution of subjects within specific categories is obtained through the following steps:
1) All subjects are classified as belonging to either Fundamental, Cyber Security or New Trends categories. Fundamental subjects are those not directly linked to the Framework, but which serve as a prerequisite for further studies. Some Fundamentals can have a link to the competence block, but thereby only depict the relevant link to further studies. For example, Fundamental Cryptology is the prerequisite for Cryptanalysis or Advanced Cryptology; Number Theory is necessary for most intermediate and advanced computer related subjects.
2) The identified Cyber Security specific subjects are linked to the competencies of the Framework according to the content of the individual subjects.This mapping reveals the exact competencies to be stressed or considered.Since competencies are linked to KSAs within the Framework, it is possible to obtain a detailed list of KSAs expected by practitioners.In this way, the Framework helps to structure the topic for a better fit to the expected activities.
3) New trends are identified.Some of the Educational subjects might be based on specific technologies like, e.g., quantum computing ones.However, SPARTA CSF does not specify any particular technology, which may be listed in a format of explanation of KSAs in some cases only, or may be described in the New Trends category.We now provide an example of SPARTA Topics and SPARTA CSF mapping, followed by some insights for the development of curricula.The mapping is obtained by the three steps descrived below.

STEP 1: DIVISION OF TOPICS
All Topics are divided into three groups: Fundamental, Cyber Security and New Trends, see Figure 2.
As mentioned, Fundamental Topics do not have a direct link with SPARTA CSF competencies, but they serve as a necessary prerequisite for other Topics. Some of the Fundamental subjects have links to NICE competencies (demonstrated by dashed arrows in Figure 3), aiming to show further links, and areas for additional focus.
While developing the curricula, insights should also be provided on what each Fundamental subject should include to serve as a solid background for further studies.

STEP 2: MAPPING OF SPARTA TOPICS TO SPARTA CSF COMPETENCIES
As cybersecurity is mainly considered as a technical discipline (this is also demonstrated by the SPARTA CSF competence structure), the mapping is made using only Technical and Operational Competencies (provided in Table 1). Professional and Leadership Competence groups are outside the domain of current SPARTA Topics and refer more properly to teaching methods, and additional modules offered to cybersecurity students.
Figure 3 provides an overall mapping of what SPARTA CSF competencies should be included in SPARTA Topics. (The Topics that have no links are considered Fundamental or New Trends.) Each Topic in Figure 3 can be linked to a KSA in the SPARTA CSF. This is illustrated by an example:
• SPARTA Topic - Probability and Statistics
• Linked with CSF competence - Modeling and Simulation and Data Analysis
The NICE list of KSAs gives a very detailed and extensive listing of expected outcomes. It clearly shows how this can guide the development of general and topic specific curricula.
In addition, links to roles and other components of the Framework can be determined, if needed.

STEP 3: NEW TRENDS
Quantum computing and Post-quantum cryptography are topics not directly reflected in the Framework, as they are technology specific. Integration of emerging KSAs into the Framework is in progress and will be described separately.
Using the link in Figure 3 between Topics and competencies (and thus between Topics and KSAs and work roles), we are now able to analyze the existing study programs (Section IV) and propose new good-practice curricula (Section V).

IV. MAPPING HIGHER EDUCATION PROGRAMS IN CYBERSECURITY
Many cybersecurity study programs are nowadays offered around the world. Depending on the expertise of the managing group and country environment, the curricula can be substantially different.
In this section, we summarize data which cover 89 higher-education cybersecurity curricula (19 bachelors and 70 masters) spread over 19 countries, 5 of which are non-European. These data are used to produce an educational world map which is presented in Section IV-C.

A. METHODOLOGY
We start with a brief summary on how the data were collected. Three documents were produced in order to simplify the review:
• List of Topics,
• First Analysis Template,
• University Template.
The List of Topics was compiled using the SPARTA CSF. Figure 2 shows the SPARTA Topics covering the most relevant areas of interest in cybersecurity. Figure 3 depicts the link between SPARTA Topics and the NICE competencies.
The First Analysis Template document makes it possible to classify the subjects of a study program according to whether they belong to one or more cybersecurity areas. Figure 4 depicts the "Master in Mathematics of Cybersecurity" study program analysis [10]. This study program is taught at Bristol University, United Kingdom.
If we consider, for instance, the "Introduction to Mathematical Cybersecurity" subject which is described by: "this unit will cover the following topics: how the internet works; computer security and encryption; vulnerabilities and cyber attacks; understanding the data; mathematical models such as graphs and point processes; probabilistic reasoning", and its aim is "students will gain literacy in mathematical aspects of fundamental cybersecurity concepts, and gain the ability to convert these ideas into mathematical descriptions", then this subject covers three areas: cryptography, mathematics and security. Moreover, it gives more importance to mathematical models, therefore the main area is mathematics. In Figure 4, 0.25 point is assigned to both cryptography and security, while 0.5 is assigned to mathematics. The sum of the values per row has to be 1 for each subject.
This document also states whether a subject is mandatory and, therefore, considered of main importance for a cybersecurity study program by the university. Moreover, it also shows if practical lectures (laboratories) are offered during the courses. For instance, the "Data Science Toolbox" subject is marked as practical (as reflected by the 1 in the Practical Lecture column in Figure 4) since it requires the use of particular languages like R and Python and software like Hadoop and Spark.
Finally, the University Template Document synthesizes the main information about the university and the related study program that was collected from the web page of each university:
• the study program language,
• its ECTS credits,
• its cost.
The document also shows the covered topics and a summary of the subject analyses done in the first analysis template document.
Instructions were provided to data suppliers (universities) for filling in the documents, as shown at the bottom of Figure 4.
It is important to note that there is a large number of curricula that only partially focus on cybersecurity and present few courses on this topic. To avoid considering too general curricula, the selection proceeded as follows: at first, an Internet search per country was run looking for study programs whose title contains one of the words "security", "cybersecurity", "cryptography", "cryptology" or "privacy". Then, if more than 6 curricula appeared in the search, universities were sorted using the Times Higher Education World University Rankings [29] and the 6 highest ranked were considered, on the assumption that the country's leading universities are more likely to represent the best proposals.
This collection was meant to produce a representative sample of the current university offers in cybersecurity. For the sake of time and resources, covering all existing curricula was not feasible.

1) EU Countries
In the following, we summarize the results of the collected data over 61 European cybersecurity curricula. In particular, 15 bachelors and 46 masters curricula met the constraints identified in Section IV-A. A list of the study programs split by country can be found in Table 9 in Appendix A.
These study programs are spread over 14 European countries and run by 38 different universities. Table 2 counts which faculties/departments/schools are mainly involved in teaching cybersecurity. Some curricula are jointly taught by different entities in the same university, therefore, the total number of providers is not proportional to the number of involved universities. Table 3 shows the number of study programs in English, their ECTS credits and their average cost. Bachelor curricula are taught in the native language of the country; in fact, the 2 bachelors in English are taught in the United Kingdom. Masters are split according to their duration: 1 and 2 years. This differentiation is important since 1-year masters are normally conceived as a specialization following a master (the 2-year ones), and they are not sufficient for entering a Ph.D. study program.
In theory, the ECTS number should be 180 for bachelors, 120 for 2-year masters, and 60 for 1-year masters. Germany has 5 bachelors of 210 ECTS, 1 2-year master of 180, and 1 1-year master of 90 ECTS since they last 1 semester longer than the usual programs. Moreover, in the United Kingdom all the considered 6 masters account for 90 ECTS.
Regarding the cost of a study program, the range starts from free of charge in countries like Czech Republic, Denmark and Norway, passes to countries that charge a symbolic payment (mostly for the enrollment) such as Germany, and finishes with countries, like the United Kingdom, where a 2-year master can cost as much as 33,300 Euro.

2) European Lectures Analyses
Here, we show the results of the statistical analyses we performed on the collected subjects of European study programs. Among the 6 considered European countries, only 14 curricula passed the criteria for being used in the statistical analyses. Moreover, 11 analyzed countries have master curricula and only 44 curricula are eligible for statistical analyses (the total number of curricula can be found in Table 9 in Appendix A).
Indeed, in order to be used in analyses, a curriculum must offer compulsory subjects and must not be too general.
For each study program, the total percentages computed in the "first analysis template" document are considered (see Section IV-A for more details). These percentages give an idea of how the mandatory subjects are divided among the identified cybersecurity areas, which are computer science, cryptography, humanistic and social science, mathematics, privacy, and security.
The focus is on mandatory subjects since these are the ones considered of main importance for a cybersecurity study program. In fact, depending on the department (or faculty), the offer of elective subjects (when present) can be really different and makes the curriculum more specialized in the areas of interest of the hosting department. Accordingly, since we want to identify the basic knowledge that needs to be taught in a cybersecurity curriculum, this more detailed information is not relevant for our preliminary study.
Figures 5 and 6 depict the statistical analyses for European bachelor and master curricula divided by country and then summarized in the "Europe" chart. For instance, in Figure 5 the "United Kingdom" chart shows the mean of the area percentages of the 2 bachelor curricula taught in this country, while the "Europe" chart shows the mean of all the collected European bachelor study programs. These plots show how the area percentages change depending on the country. However, we are mostly interested in the general behaviour which is represented in the "Europe" charts. Here, the computer science area is clearly considered the main basis of cybersecurity bachelors, followed by security.
The situation changes slightly if we compare this figure with Figure 6 on master curricula, where security and humanities grow at the expense of mathematics and computer science. This is due to the fact that mathematics and computer science are the basic skills necessary for the comprehension of any cybersecurity knowledge, and therefore, they are expected to be taught in bachelors and to be assumed as known in masters. In all the charts, a small portion of the teaching is dedicated to privacy topics in bachelor curricula, but it increases in masters.
Finally, Table 4 shows the percentage of mandatory practical lectures given in each study program (i.e. the column values "NA" and from "0" to "100"). In particular, this is a lower bound of the total taught practical lectures. This value is calculated in the "Practical Lecture" cell of the "first analysis template" document and rounded to the lower value among 0, 25, 50, 75 and 100%. For instance, a calculated 33% becomes 25%. When this information is not available, the related study program is labeled as "NA". Moreover, the last column of the table shows the average percentage among the available data.
Practical lectures are present in all study programs and, in fact, they are of vital importance for cybersecurity. Master study programs have a higher average of practical lectures compared to bachelor ones.
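The totals described in this subsection, as an added example (not code from the paper or from the SPARTA project): it checks that each subject row sums to 1, averages the area points over mandatory subjects only, and floors the practical-lecture share to 0, 25, 50, 75 or 100. The unweighted average, counting unknown practical flags as non-practical, and every sample value except the weights of "Introduction to Mathematical Cybersecurity" and the practical flag of "Data Science Toolbox" are assumptions.

```python
import math
from dataclasses import dataclass
from typing import Dict, List, Optional

# The six areas used in the first analysis template.
AREAS = ("computer_science", "cryptography", "humanistic",
         "mathematics", "privacy", "security")


@dataclass
class Subject:
    name: str
    mandatory: bool
    practical: Optional[bool]    # None = not stated by the university
    weights: Dict[str, float]    # area -> share of the subject


def validate(subject: Subject) -> None:
    """Template rule: known areas only, positive points, row sum of 1."""
    unknown = set(subject.weights) - set(AREAS)
    if unknown:
        raise ValueError(f"{subject.name}: unknown area(s) {sorted(unknown)}")
    if any(w <= 0 for w in subject.weights.values()):
        raise ValueError(f"{subject.name}: points must be positive")
    total = sum(subject.weights.values())
    if not math.isclose(total, 1.0, abs_tol=1e-9):
        raise ValueError(f"{subject.name}: row sums to {total}, expected 1")


def mandatory_rows(subjects: List[Subject]) -> List[Subject]:
    """Validate every row, then keep the compulsory subjects only."""
    for s in subjects:
        validate(s)
    rows = [s for s in subjects if s.mandatory]
    if not rows:
        raise ValueError("no compulsory subjects: curriculum is not eligible")
    return rows


def area_percentages(subjects: List[Subject]) -> Dict[str, float]:
    """Share of mandatory teaching per area (assumed: unweighted mean)."""
    rows = mandatory_rows(subjects)
    return {a: 100.0 * sum(s.weights.get(a, 0.0) for s in rows) / len(rows)
            for a in AREAS}


def practical_percentage(subjects: List[Subject]) -> Optional[int]:
    """Practical share of mandatory subjects, floored to a 25% step.

    Returns None (reported as "NA") when no mandatory subject states
    whether it has practical lectures. Unknown flags count as
    non-practical, which keeps the result a lower bound (assumption).
    """
    rows = mandatory_rows(subjects)
    if all(s.practical is None for s in rows):
        return None
    hits = sum(1 for s in rows if s.practical)
    return (100 * hits // len(rows)) // 25 * 25


# Constructed sample rows. Only the 0.25/0.25/0.5 split of the first
# subject and the practical flag of the second come from the text.
SAMPLE = [
    Subject("Introduction to Mathematical Cybersecurity", True, False,
            {"cryptography": 0.25, "security": 0.25, "mathematics": 0.5}),
    Subject("Data Science Toolbox", True, True,
            {"computer_science": 0.5, "mathematics": 0.5}),
    Subject("Constructed subject C", True, False, {"security": 1.0}),
    Subject("Constructed elective D", False, True, {"privacy": 1.0}),
]

if __name__ == "__main__":
    for area, pct in area_percentages(SAMPLE).items():
        print(f"{area:17s} {pct:6.2f}%")
    print("practical lectures:", practical_percentage(SAMPLE), "%")
```

The elective row is validated but does not enter either total, which is why privacy stays at 0% for this sample.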

3) Non-EU Countries
In the following section, we summarize the results of the collected data from 26 non-European cybersecurity curricula. In particular, 4 bachelors and 22 masters meet the constraints identified in Section IV-A. A list of the study programs split by country can be found in Table 11 in Appendix A. These study programs are spread over 5 non-European countries and offered by 21 different universities. Table 10 in Appendix A lists which faculties/departments/schools are mainly involved in teaching cybersecurity. Some curricula are jointly taught by different entities in the same university, therefore, the total number of providers is not proportional to the number of involved universities.
In Table 10 in Appendix A, no multi-university curricula were found among the collected data. Moreover, the column "Other" covers 1 Department of Professional Studies for a bachelor curriculum (USA) and 5 cybersecurity institutions/laboratories. Note that, like in Europe, departments of Computer Science are the main offerers of cybersecurity curricula. A difference between European and non-European offerers is that the Faculty of Social Science is present in Table 2 but not in Table 10 in Appendix A, where School of Business took its place.
FIGURE 6. Analysis of European cybersecurity master study programs. "Computer Sc." stands for computer science area, "Crypto" for cryptology area, "Humanistic" for humanistic and social science area, "Math" for mathematics area, "Security" for security area, and "Privacy" for privacy area.
It is important to notice that the duration of the 4 bachelors is not fixed to 3 years as in European ones. It could be 6 months (USA), 2 years (Canada), and 4 years (Canada and Japan). Moreover, 3 masters have no specified duration and the 2-year masters cover a duration of 16 to 24 months.
Table 5 shows the number of study programs in English, their ECTS credits and their average cost. Unfortunately, the information was harder to find, therefore, our collected data has more "NA". For instance, since ECTS is a European standard, this field is empty in all programs. Moreover, the language as well as the cost of the 3 South-Korean masters is not available on their web pages. Finally, the duration of 2 USA masters is not available on their web pages and therefore they could not be classified in Tables 5 and 6.
The cost of a study program is considerably higher with respect to the European proposals (see Table 3 for more details). In particular, we could not find free-of-charge study programs. In the bachelor average, the 6-month curriculum is not counted because the information was not available.
FIGURE 7. Analysis of non-European cybersecurity bachelor study programs. "Computer Sc." stands for computer science area, "Crypto" for cryptology area, "Humanistic" for humanistic and social science area, "Math" for mathematics area, "Security" for security area, and "Privacy" for privacy area.

4) Non-European Lectures Analyses
In the following section, we show the results of the statistical analyses we carried out on the collected subjects of non-European study programs. Among the considered non-European countries, all curricula are eligible for statistical analyses. The methodology of the analyses is the same as described in Section IV-A2. Therefore, percentages are computed on mandatory subjects and are divided among the identified cybersecurity areas, which are computer science, cryptography, humanistic and social science, mathematics, privacy, and security.
Figures 7 and 8 depict the statistical analyses for non-European bachelor and master curricula divided by country and then unified in the "Non-Europe" chart. These plots show how the area percentages change depending on the country. However, we are mostly interested in the general behaviour which is represented in the "Non-Europe" charts. Here, the security area is clearly considered the main basis of cybersecurity bachelors, followed by computer science. Note that in the European analyses, computer science and security are also of main interest, see Figure 5.
Figure 6 depicts the master curricula analyses, where security and humanities grow at the expense of mathematics and computer science with respect to the bachelor charts. The same behaviour can be found in the European charts, see Figure 6 for more details. Lastly, Table 6 shows the percentage of mandatory practical lectures given in each study program, i.e. the column values "NA" and from "0" to "100". In particular, this is a lower bound of the total taught practical lectures, see Section IV-A2 for more details. In case this information is not available, the related study program is labeled as "NA". Moreover, the last column of the table shows the average percentage among the available data. Here the difference is substantial with respect to the European proposals where more importance is given to practical lectures.

B. SUMMARY OF EXISTING PROGRAM ANALYSIS
The collected 89 cybersecurity curricula (19 bachelors and 70 masters) offer a first glimpse at the current world offer in cybersecurity education. The study shows how cybersecurity education is still not standardized and strictly depends on countries and universities. In several cases, curricula are jointly taught by different departments/faculties, which is due to the interdisciplinary nature of cybersecurity that requires involving several areas. Therefore, interdisciplinary curricula should be encouraged.
Furthermore, there is a lack of bachelor study programs focused on cybersecurity. In fact, among 89 cybersecurity curricula, only 19 bachelors had been found. In order to train cybersecurity experts, the students should have the possibility to study cybersecurity subjects from the first year of their studies. It is important to notice that all the analyzed bachelors are taught in the native language of the country, therefore, an internationalization of these curricula is also necessary.
Regarding cybersecurity areas and topics, computer science has a primary position among the necessary basic knowledge. In particular, the analyses of European and non-European bachelor lectures highlight computer science topics as the main fundamental background, followed by humanistic and social science, and mathematics. Moreover, security is also a significant component of the training, particularly in non-European curricula. In case of masters curricula, humanistic and social science, security and cryptology are strong components in both European and non-European programs. It is important to notice that privacy still remains an area only partially covered in most of the programs.
No substantial difference between European and non-European proposals has been encountered. Among the European universities, the diversity of the curricula depends on the leading department more than on the country itself. Furthermore, Table 7 shows how much a topic is taught as a percentage of the collected data. In this case, all (mandatory and optional) subjects are considered. In particular, each subject description (when available) was analyzed to see if a topic was at least partially covered. Table "Topics" in Figure 4 collects this information for one study program. Note that more topics can belong to the same subject.
Checking the percentages, a bachelor should include "Computer Networks", "Computer Systems" and "Fundamental of Cryptography" topics (strongly recommended), and also consider "Theoretical Computer Science", "Algebra and Discrete Mathematics" and "Probability and Statistics" (suggested). Moreover, the first consideration of security topics is suggested. In case of masters, recommendations are more dependent on the specialization that the study program follows. However, "Hardware and Software Security", "Network Security", "System Security" and "Security Management and Risk Analysis" are good starting points for a master in cybersecurity (see Table 7 for additional details).
Last but not least, a solid cybersecurity study program should provide ample space for practical lectures. In fact, practical lectures are already strongly present in the analyzed European curricula, where each study program has on average 30% practical lectures for bachelors and 40% for masters. In particular, several universities (i.e., 4 out of 15 bachelors and 9 out of 23 2-year masters) have more than 75% of practical lectures. Reflecting the need for practical training, we identify cyber ranges as a promising new technology which gives students access to virtual environments where they can train.
Note: Cyber Threat Intelligence Topic was added to the SPARTA CSF Topics later, thus is not considered in this analysis.

C. EDUCATION MAP
This subsection describes the process of creation of a dynamic web application for the visualization of data describing existing study programs focused on cybersecurity. This application was developed as a part of the existing study programs mapping activity. The web application contains the list of universities and their study programs and provides users with the functionality for viewing, filtering using specific criteria and localization of programs/universities on a map. The web application also contains the administration part, which can be used by the administrators to add and modify the records about the study programs and universities. The web application is split into two parts: a client and a server. The client is realized as a front-end JavaScript application for data view. Data are collected from the server part through HTTP (Hypertext Transfer Protocol) requests.
Compared to only PDF reports, the interactive map represents a more interactive and comprehensive way of results presentation. The app is publicly available at https://www.sparta.eu/study-programs/ and is currently distributed to university students, mostly Erasmus, interested in international study programs. The home page is shown in Figure 9.

V. METHODOLOGY AND RECOMMENDATIONS ON CREATING CYBERSECURITY CURRICULA
In this section, we describe the methodology for designing higher-education study programs in cybersecurity, provide sample study programs for bachelor's and master's degree and give recommendations on creating curricula. These guidelines are aimed to support universities in creating their own cybersecurity study programs and serve as a good practice for such activities. Furthermore, the outputs include the SPARTA Curricula Designer Tool, software that enables universities to adapt and build their own customized study programs in cybersecurity and evaluate their validity with respect to the requirements of specific cybersecurity work roles.

A. DESIGN METHODOLOGY
Design of cybersecurity curricula is strongly linked to previous activities dealing with SPARTA CSF design and with work by key EU institutions, such as ENISA, European Cyber Security Organization (ECSO), and relies also on inputs from other Cyber Competence Network (CCN) pilots. The methodology is depicted in Figure 10, identifying the inputs, the main activity and the outcomes.
The inputs significantly influence the design process and are described in detail. The Curricula Design task involves the selection of the topics needed for curricula reflecting the actual KSA and their integration into courses to be included in the study programs. The outcomes are good-practice curricula, i.e. the recommendation on courses to be included in the study programs and their composition into bachelor's and master's degree programs.

1) Design Inputs
The inputs that significantly influenced the curricula design and selection of topics/subjects are the following:

SPARTA Cybersecurity Skills Framework
The framework links KSA with work roles, thus defines the necessary topics for students planning to work in the cybersecurity area. During the creation of the curricula, we used the pivot concepts of work roles, identifying the typical positions on the job market, and competencies, grouping the KSA necessary for work on cybersecurity positions. Using the CSF, it is possible to easily identify the KSAs necessary for individual positions to be included in the study programs. Furthermore, the usage of work roles makes it easier to focus study programs on certain areas in cybersecurity and build customized curricula according to the university profile and specific needs. As the university study programs often have to remain general (in contrast to focused professional training) and to cover also fundamental subjects, we do not use competencies directly, but rather work with SPARTA Topics, which include also fundamental subjects such as electrical engineering information theory. The SPARTA Topics are mapped to competencies as described in Section III.

Existing programs analysis
In Section IV, an extensive analysis of existing study programs worldwide was delivered. This analysis had significant conclusions which affect the curricula design. The key findings are:
• Cybersecurity education has a multidisciplinary nature, thus various fields should be covered, including technical, humanistic and social sciences.
• Most of the existing study programs in cybersecurity are realized at the master's level. The bachelor's programs are less frequent, though cybersecurity is a complex area deserving focus from the first year of education.
• On the bachelor's level, usually fundamental and more generic courses (such as programming, network security, cryptography) are included, while master's level allows for more specialization.
• The practical education including hands-on experience plays an important role in the design of curricula, though only 30%-40% of existing courses have some form of practical education.
• Most EU universities are using the European ECTS credit system requiring 180 credits for the bachelor's degree and 120 credits for the master's degree. In our recommendation, we will follow these guidelines.

Curricula Recommendations
There already exist recommendations for creating cybersecurity curricula, such as the Australian Computer Society Guideline, guidelines from UK's NCSC, CyBOK or recommendations from computing associations (Section II). However, some of these recommendations are from regions outside EU and need at least some adaptation to the EU environment (e.g., reflecting the EU ECTS system, different legal environment and industry composition).

Related Program Analysis
The analysis of related programs identified supporting tools that would make cybersecurity programs more visible, attractive to students and that have the potential to enhance education and training with new activities. As examples of emerging tools, we would like to mention the Bug Bounty platforms, e.g., Intigriti, YesWeHack, that may motivate students to do practical exercises involving modern tools and technologies. Furthermore, the Massive Open Online Courses (MOOC) can be seen as a suitable supplement to traditional education methods. To stimulate students and make them aware of cybersecurity study programs, competitions should be considered, as they proved very useful in large-scale deployments, such as Italian CyberChallenge.it.

Recommendations from key institutions
During the curricula creation, recommendations from key EU partners, such as ENISA and ECSO, have been considered. In particular, the recommendations included in the ENISA Cybersecurity Skills Development in the EU report [14] and the outcome of ECSO Results of Simulation-based Competence Development Survey [9] were considered. Namely, we explicitly reflected the recommendations on enough credits dedicated to cybersecurity courses, gamification of education, presence of lectures from industry representatives, interdisciplinarity, international collaboration and prioritisation of hands-on practical training. Besides EU recommendations, the NIST NICE initiative [20] served as an important source of information.

New trends, tools and opportunities
In addition to the recommendations and the analysis of existing programs, new trends in cybersecurity and training were also identified and reflected during the curricula design.
Modern curricula should reflect current research and development trends in cybersecurity and integrate topics such as quantum technologies, critical infrastructure protection, IoT technologies, industrial networks, fake news, privacy-enhancing technologies and more. We used the official EU's strategic documents [5] and Horizon Europe/Digital Europe program plans [6], [7] for the identification of new trends for our good-practice curricula, but this task needs to be run individually for each new study program at the actual time of its design.
Furthermore, a successful study program must also involve modern technologies for education and training. In particular, considering cyber ranges for practical training played a significant role during the design of our good-practice curricula. The virtualization technologies and training methods based on games, involving CTF, Red Blue teaming or table-top exercises should be considered as significant enhancements of existing training methods and could provide hands-on experiences not only for pure technical courses but also for courses focused, e.g., on legal or social aspects of cybersecurity. Another new trend in training is the use of "bug bounty" programs, where cybersecurity trainees are motivated to find security vulnerabilities in existing software/hardware and thus improve their skills and knowledge about these systems.

Practical Aspects
University study programs are usually not designed from scratch; they often reuse existing study courses, building upon specific expertise of professors and utilizing particular existing equipment of laboratories. Rather than completely new composition of courses, the cybersecurity study programs are often created as modifications and updates of existing study programs in computer science, electrical engineering, etc. While this decision is not perfect for the course composition, we need to consider this pragmatic approach as it has been identified during our discussion with universities, training institutions and even reviewers as the dominant approach.
Using our methodology based on SPARTA CSF, it is possible to start with an incomplete backbone consisting of existing courses and then add new courses reflecting the needs of particular work roles to which the study program aims. The whole process of curricula creation is depicted in Figure 11 and described by the following steps:
In this section, the process of designing cybersecurity bachelor's and master's study programs is described. This process leads to a dynamic application which allows any university to generate a cybersecurity curriculum from scratch or from an existing one. The application makes it possible to analyze and link subjects to cybersecurity SPARTA Topics, which are identified as basic cybersecurity knowledge, see Section IV-A for more details. Moreover, SPARTA Topics are linked to NICE competencies and therefore, to NICE work roles, see Section III for more details. This last feature allows curricula developers to target their curricula to the desired work role.
Our application can also be used to analyze an existing study program and understand the missing cybersecurity topics.It can thus be used as a tool to transform general study programs into cybersecurity ones.
As shown in Section IV, there is a lack of bachelor study programs focused on cybersecurity (only 19 bachelors over 89 analyzed cybersecurity curricula).Therefore, bachelor's programs are of our particular interest.
The analyses of bachelors' topics shows that computer science is a fundamental component, followed by humanities, social science, and mathematics.These areas are particularly important in bachelor's curricula since they cover the basic skills necessary for the understanding of any future cybersecurity study.Accordingly, an appropriate balance between these topics should be considered when designing a study program.
Our proposal of a good-practice curricula and its analysis are presented in several figures and tables: • Tables 12, 13 and 14 in Appendix B depict the curriculum, filled with 1 st , 2 nd and 3 rd year courses.This curriculum has been created taking into account all the factors described in Section II and including the analyses from Section IV. • Figure 8 shows the percentage of SPARTA Topics covered by the study program and their linking to NICE competencies.Note that NICE competencies can be connected to NICE work roles and vice versa.Therefore, students and universities may, for instance, know the Topics necessary to become a "Security Architect".The connection between NICE competencies and NICE work roles is fully described in SPARTA D9.1 [27].As shown in Table 12, the second column of the template is filled with the desired curriculum subjects, which are five and all compulsory for the "1 st year, Winter".Optional subjects (if any) can be listed after the mandatory ones.For instance, the "Language" subject is optional in the "1 st year, Summer".One or more SPARTA Topics can be assigned to each subject.The assignment will reflect the knowledge (abilities, skills) covered.The points assigned to each subject is exactly 1 and this value can be split into several SPARTA Topics assigning them 0.25, 0.5, 0.75 or 1.These values represent the subject ratio dedicated to the related SPARTA Topic.For instance, the "Mathematics 1" subject equally covers "Algebra and Discrete Mathematics" and "Topology and Analysis" Topics.
The third column in the table allows to assign the ECTS credits to each subject.Following the European standard, a bachelor study program should have 180 credits, and therefore around 30 credits per semester.
Tables 13 and 14 depict 2 nd and 3 rd years of our goodpractice bachelor program .In particular, Table 14 has the summary of the assigned ECTS credits to each SPARTA Topic and according to the SPARTA Area.In particular, the row "Total" collects the ECTS credits of each SPARTA Topic and the related percentage.
Note that the ECTS credits are assigned in 20% to Humanistic and Social Science, 16% to Computer Science, and 17% to Mathematics according to the suggested balance among these main areas as shown in Section IV-B.Furthermore, the Security area strictly follows with 16%.
The total proportion between compulsory and optional subjects is also of relevance.In this case, a total of 78% of ECTS credits are compulsory and 22% are left as elective among the subjects taught.As in many study programs, once the basic knowledge is acquired, students have the possibility to partially direct their study towards a specific cybersecurity area, and therefore towards the desired work role.In fact, the application also allows to see which Topics need to be covered in order to acquire certain NICE competencies, and therefore the desired NICE work role.An example analysis for the Database Administrator Work Role is shown in Figure 13 based on the requirements from the NICE Framework shown in Figure 14 in Appendix A.
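The bookkeeping described above (one point per subject split in steps of 0.25, ECTS credits per Topic, the compulsory share, and the Topics still missing for a target work role) can be sketched as follows. This is an added example, not code from the SPARTA Curricula Designer; the ECTS values, the placeholder Topic names and the role-to-Topic mapping are constructed, and only the "Mathematics 1" split comes from the text.

```python
from collections import defaultdict
from fractions import Fraction as F

ALLOWED_SHARES = {F(1, 4), F(1, 2), F(3, 4), F(1)}
# Constructed sample data: (subject, ECTS, compulsory, {topic: share of the subject}).
# Only the "Mathematics 1" split comes from the text; everything else is a placeholder.
SUBJECTS = [
    ("Mathematics 1", 6, True, {"Algebra and Discrete Mathematics": F(1, 2),
                                "Topology and Analysis": F(1, 2)}),
    ("Programming 1", 8, True, {"Placeholder Topic A": F(1)}),
    ("Security Basics", 6, True, {"Placeholder Topic B": F(3, 4),
                                  "Placeholder Topic C": F(1, 4)}),
    ("Language", 4, False, {"Placeholder Topic D": F(1)}),
]
# Hypothetical role -> required Topics (the real links are in the SPARTA/NICE material).
ROLE_TOPICS = {"Example Role": {"Placeholder Topic A", "Placeholder Topic C",
                                "Placeholder Topic E"}}

def validate(subjects):
    """Each subject carries exactly 1 point, split in steps of 0.25."""
    for name, _ects, _compulsory, shares in subjects:
        if any(s not in ALLOWED_SHARES for s in shares.values()):
            raise ValueError(f"{name}: share must be 0.25, 0.5, 0.75 or 1")
        if sum(shares.values()) != 1:
            raise ValueError(f"{name}: shares must sum to exactly 1")

def ects_per_topic(subjects):
    """Distribute each subject's ECTS credits over its Topics by share."""
    validate(subjects)
    totals = defaultdict(F)
    for _name, ects, _compulsory, shares in subjects:
        for topic, share in shares.items():
            totals[topic] += ects * share
    return dict(totals)

def topic_percentages(subjects):
    """Percentage of all ECTS credits that falls on each Topic (the "Total" row)."""
    totals = ects_per_topic(subjects)
    grand = sum(totals.values())
    return {t: float(100 * v / grand) for t, v in totals.items()}

def compulsory_percentage(subjects):
    """Share of ECTS credits carried by compulsory subjects."""
    total = sum(s[1] for s in subjects)
    return float(F(100 * sum(s[1] for s in subjects if s[2]), total))

def missing_topics(subjects, role):
    """Topics the role needs that no subject in the curriculum covers."""
    return sorted(ROLE_TOPICS[role] - set(ects_per_topic(subjects)))
```

Exact fractions are used so that quarter-point splits of odd ECTS values add up without rounding drift.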

C. CURRICULA DESIGNER
To make the design of cybersecurity curricula easier, a dynamic web application for the individual study curricula was developed within the SPARTA project. The web application allows users to add their own study courses and then, using the drag and drop method, compose the curricula of a Bachelor's degree program. Besides the study program composition, the application provides statistical data about the coverage of SPARTA Topics and, more importantly, about the work roles supported by the study program. Using the tool and its internal evaluation methods based on the SPARTA tal for a cybersecurity career. Moreover, it permits comparing existing study programs, improving them, and producing guidelines for the creation of new cybersecurity curricula. Indeed, a sample of 89 cybersecurity study programs was analyzed in order to produce an overview of cybersecurity disciplines and topics. The analyses show that 23% of the curricula are taught jointly and involve multiple faculties. This collaboration is due to the interdisciplinary nature of cybersecurity. Furthermore, we have argued that there is a lack of Bachelor's study programs focused on cybersecurity (just 19 of the 89 courses we have considered). In order to train more cybersecurity experts, a more significant number of students need to have the possibility to study cybersecurity subjects from the first year of their careers.

Moreover, a tool for visualizing the collected data in an interactive map has been developed. Our dynamic web application can help students when looking for a cybersecurity study program. Finally, related program analysis, SPARTA CSF, and curricula recommendations are used to design good-practice higher-education study programs in cybersecurity and propose a cybersecurity curricula designer tool. The tool automatically analyses curricula and discovers missing topics and/or unsupported work roles, and thus helps program administrators to design study programs reflecting the cybersecurity job market requirements.

In the future, we would like to continue to update the SPARTA CSF to reflect new trends and directions in cybersecurity. A batch of new competencies will be added to also reflect interdisciplinary aspects. Furthermore, we plan to extend the tools, and specifically the Curricula Designer, to support more Cybersecurity Skills Frameworks (hopefully the EU CSF when it is ready) and to add functionality for professional training design.

FIGURE 1. The 19 Knowledge Areas in the CyBOK.

FIGURE 3. Links between SPARTA Topics and SPARTA CSF Technical and Operational competencies.

FIGURE 4. First analysis template Excel file for the "Master in Mathematics of Cybersecurity" study program, Bristol University, United Kingdom.

FIGURE 5. Analysis of European cybersecurity bachelor study programs. "Computer Sc." stands for computer science area, "Crypto" for cryptology area, "Humanistic" for humanistic and social science area, "Math" for mathematics area, "Security" for security area, and "Privacy" for privacy area.

FIGURE 8. Analysis of non-European cybersecurity master study programs. "Computer Sc." stands for computer science area, "Crypto" for cryptology area, "Humanistic" for humanistic and social science area, "Math" for mathematics area, "Security" for security area, and "Privacy" for privacy area.

FIGURE 11. Cybersecurity program creation using SPARTA CSF and existing courses.

FIGURE 13. SPARTA Topics and NICE competencies necessary to become a Database Administrator marked in blue and red. Red competencies and topics are the ones to be added to "Information Security" bachelor curriculum in order to become a Database Administrator.

SARA RICCI is a postdoctoral researcher at Brno University of Technology, Czech Republic. She accomplished her M.Sc. degree in Mathematics at University of Pisa, Italy and her PhD studies in Computer Engineering and Mathematics Security at Universitat Rovira i Virgili, Spain. Her research interests are theoretical cryptography, in particular lattice-based and elliptic curve cryptography, and data privacy and security. She is also focused on the design of new privacy-preserving cryptographic protocols and their security analyses.

EDMUNDAS PIESARSKAS is an expert in different management aspects of cyber security, in innovation governance and skills management, working in the Lithuanian Cybercrime Center of Excellence for Training, Research & Education (L3CE), a non-profit NGO which invests in technology, conducts research, and manages projects focusing on illegal interference incidents - related to data, systems and operation of computers - affecting a wide range of foreign countries.

OLIVIER LEVILLAIN is an associate professor in cybersecurity at Télécom SudParis. Before that, he has been in charge of the cybersecurity training center at ANSSI (the French cybersecurity agency). He also used to work in ANSSI laboratories on various subjects, ranging from attacks on low-level hardware mechanisms to public key infrastructures. More recently, he has been working on secure network protocols and on programming languages.

LETTERIO GALLETTA is Assistant Professor at IMT School for Advanced Studies and a member of CINI National Laboratory for Cybersecurity. Previously, he was a postdoc at the Department of Computer Science, University of Pisa. His research activity mainly focuses on language-based security, i.e., using techniques from programming languages, compilers and formal verification to address security problems. He applied these techniques to different fields like adaptive software, the Internet of Things, more recently, secure compilation, firewalls and smart contracts.

ROCCO DE NICOLA is a full professor at IMT School for Advanced Studies Lucca. He has been working at Università di Firenze, Sapienza Università di Roma and IEI-CNR in Pisa, and has been visiting professor at Ecole Normale Supérieure in Paris and at Ludwig Maximilian University of Munich. De Nicola is a member of the Academia Europaea and has been appointed "Commander of the Order of Merit of the Italian Republic" by the President of the Italian Republic. His research is concerned with the foundations of distributed computing, the formal specification and checking of qualitative and quantitative properties of systems, and the protection of distributed systems and computer networks and has led to more than 250 publications in journals or books. Currently De Nicola is vice director of CINI National Laboratory for Cybersecurity.

APPENDIX B: GOOD-PRACTICE CURRICULA

TABLE 1. Competence list of the NICE / SPARTA CS Frameworks.
• Technical Competence Group - compiles the instrumental KSAs and covers the "what is to be done" aspect within the Framework;
• Operational Competence Group - compiling KSAs from other critical areas, defining "how activities should be done";
• Professional Competence Group - compiling expected "soft skills";
• Leadership Competence Group - compiling KSAs needed for the managerial part of the organization.

TABLE 2. Higher-education entities that run a study program in cybersecurity in Europe.

TABLE 3. Study programs features: language, ECTS credits and cost in Europe.

TABLE 4. Practical lectures in Europe. "NA" stands for not available.

TABLE 5. Study programs features: language, ECTS credits and cost in non-European countries. "NA" stands for not available and "y." for year. The average cost is given in euro.

TABLE 6. Non-European Practical lectures. "NA" stands for not available.

TABLE 7. Topics analysis on all the collected curricula. "B." stands for bachelor and "M." stands for master.

TABLE 12. Example of 1st year of bachelor study program.

TABLE 13. Example of 2nd year of bachelor study program.

TABLE 14. Example of 3rd year of bachelor study program.