The Knowledge, Skills, and Abilities Used by Penetration Testers: Results of Interviews with Cybersecurity Professionals in Vulnerability Assessment and Management

Abstract: There is a growing need for cybersecurity professionals with the knowledge, skills and abilities (KSAs) necessary for risk and vulnerability analysis of security incidents. Currently, little is known about the relative importance of KSAs or tools used in vulnerability assessment and management, which leads to inefficiencies in education, personnel selection, and research. We interviewed 38 cybersecurity professionals to determine which KSAs are most important in Vulnerability Assessment and Management work. Of… Show more

“…While the NIST and NISA frameworks identify specialty areas and roles for a cybersecurity workforce, the importance of which knowledge, skills, and abilities are important is not specified (Armstrong et al, 2018). Recent research has begun to identify how KSAs can be integrated into cybersecurity training.…”

“…This was done by asking cybersecurity experts in different fields. Armstrong et al (2018) interviewed specific roles, penetration testers, and found that more technical aspects (i.e., penetration testing principles and tools, and system robustness, are more important, while understanding social engineering techniques were not that important. However, the Armstrong et al (2018) study used NICE KSA for Vulnerability Assessment and Management Jobs which has no defined soft skill markers.…”

“…Armstrong et al (2018) interviewed specific roles, penetration testers, and found that more technical aspects (i.e., penetration testing principles and tools, and system robustness, are more important, while understanding social engineering techniques were not that important. However, the Armstrong et al (2018) study used NICE KSA for Vulnerability Assessment and Management Jobs which has no defined soft skill markers. Also performing a search for the soft skill terms such as social engineering, communication, and psychology in the NIST framework provided only one hit (social engineering), therefore, the NIST framework is missing human behavioral aspects that have been identified as important.…”

Application of intervention mapping in cybersecurity education design

“…While the NIST and NISA frameworks identify specialty areas and roles for a cybersecurity workforce, the importance of which knowledge, skills, and abilities are important is not specified (Armstrong et al, 2018). Recent research has begun to identify how KSAs can be integrated into cybersecurity training.…”

“…This was done by asking cybersecurity experts in different fields. Armstrong et al (2018) interviewed specific roles, penetration testers, and found that more technical aspects (i.e., penetration testing principles and tools, and system robustness, are more important, while understanding social engineering techniques were not that important. However, the Armstrong et al (2018) study used NICE KSA for Vulnerability Assessment and Management Jobs which has no defined soft skill markers.…”

“…Armstrong et al (2018) interviewed specific roles, penetration testers, and found that more technical aspects (i.e., penetration testing principles and tools, and system robustness, are more important, while understanding social engineering techniques were not that important. However, the Armstrong et al (2018) study used NICE KSA for Vulnerability Assessment and Management Jobs which has no defined soft skill markers. Also performing a search for the soft skill terms such as social engineering, communication, and psychology in the NIST framework provided only one hit (social engineering), therefore, the NIST framework is missing human behavioral aspects that have been identified as important.…”

Application of intervention mapping in cybersecurity education design

“…Some researchers have also discussed the reasons for the significant shortage of cybersecurity specialists. In one such study, Armstrong et al (2018) reported that the lack of qualified professionals to guide high school and college students on pursuing cybersecurity as a career is a significant contributor to the shortage. They found qualified cybersecurity professionals to act as mentors and advisors to the younger generation of children interested in cybersecurity.…”

“…For instance, Smith (2018) posited that the limited number of specialists and the skill shortage in cybersecurity limited the knowledge pool that could develop a robust cybersecurity curriculum for high school and college students. Armstrong et al (2018) reiterated that the cybersecurity courses and training offered to students were of low quality and did not match the skills required by employers in the cybersecurity sector. The employment rejection suffered by cybersecurity graduates discouraged others from enrolling in cybersecurity courses and programs.…”

Addressing Cybersecurity Challenges in Education

The Pitfalls of Evaluating Cyber Defense Techniques by an Anonymous Population