Critical infrastructure protection: emploeyer expectations for cyber security education in Finland

In the human factor of cyber security, high level technical experts are considered as multidisciplinary technical gurus who are familiar with every aspect of IT environments including operating systems, code languages and protocols. University curricula and guiding frameworks, such e.g. NICE Cyber Security Workforce Framework, are designed to produce professionals to match the endless needs of working life. The cornerstones of achieving good working results can be considered as the level of expertise competence of the employee performing the task, as well as combining personal skills and abilities with the competence profile of the given task. Does the cyber domain need slightly lower educated, vocational level employees? As part of the National Security Policy in Finland, the vocational qualification in information and communications technology has recently started to produce suitable workforce for cyber labor on the European Qualifications Framework level 4 (EQF-4). In this research paper we answer the question how well the vocational education meets the demands of the employers as suitable workforce in cyber security in Finland. The study also investigated what kind of cyber security employees the Finnish employers currently need; what is the required level of education, level of experience and direction of competence. The research data was collected through a structured questionnaire survey, which was directed to critical national infrastructure protection companies such as Finnish telecom operators, ICT service providers, defense sector, and other governmental actors. The questionnaire results were examined with quantitative methods. Based on our results, regarding the content of education at EQF4-level, employers believe that the emphasis should be placed on basic technical skills and adherence to guidelines, while choosing more detailed specific areas of expertise is less important at this level of education. Based on the responses, in general cyber security related work has higher education level requirements than EQF4-level could provide. The results of the study can be used as guidelines for the development of the future curricula and in the strategic leadership of companies employing cyber security professionals