The Role of Ethical Hacking and Penetration Testing in Cybersecurity Education

Paper ID #36857

Te-shun Chou (Professor)
Dr. Te-Shun Chou is a Professor in the Department of Technology Systems (TSYS) within the College of Engineering and
Technology (CET) at East Carolina University (ECU). He serves as the program coordinator of the Master's program in
Network Technology for TSYS and the lead faculty of the Digital Communication Systems concentration for the
Consortium Universities of the Ph.D. in Technology Management. He is also the point of contact for The Center of
Academic Excellence in Cyber Defense (CAE-CD) at ECU. He has published articles in the fields of cybersecurity,
intrusion detection, machine learning, and technology education. Dr. Chou has experience in supervising both graduate
and undergraduate student thesis, practicum, and grant project research.

Tijjani Mohammed (Chairperson)

© American Society for Engineering Education, 2022


Abstract

No matter whether they are individuals or organizations, all inevitably become targets of hackers.
Data breaches of sensitive data happen every day. It has become an urgent task to take the necessary
steps to keep data secure from cyberattacks. Penetration testing uses the best knowledge and the finest
techniques and methodologies to conduct exploits, find system vulnerabilities, and assess system
defensive strength. With such measurements, systems can be hardened against cyberattacks launched by
hackers. It plays a crucial role in maximizing cybersecurity to prevent data losses caused by
cybercrime. In this paper, the importance of penetration testing to cybersecurity education is
discussed. Best practices of penetration testing education are also presented.

Keywords: Cybersecurity; ethical hacking; penetration testing; cybercrime; cyberattack

1. Introduction

Damage resulting from cybercrime worldwide is growing every day and, as a result, it has
become an urgent task to educate more well-trained cybersecurity professionals to
protect the Nation’s critical infrastructure. An effective cybersecurity professional should
possess the technical knowledge and skills to identify weaknesses in an organization's information
infrastructure and implement adequate preventive measures. For example, the responsibilities of
an information security analyst include security monitoring and analysis, incident response,
intrusion prevention, and penetration testing. According to an estimate from the U.S. Bureau of
Labor, the employment of information security analysts is projected to grow 31 percent from
2019 to 2029, a growth rate much faster than the average for all occupations [1]. Hence, more
well-trained cybersecurity professionals must be educated to work in cybersecurity roles and
adequately meet our current and future workforce needs.

Presently, cybersecurity education puts a lot of effort into the protection of information
infrastructure, but much less into cyberattack modelling and ethical hacking
strategies. However, we believe the study of attack should be considered equally as important as
defense. As Sun Tzu articulated 1,500 years ago in his seminal book, The Art of War: “Know the
enemy and know yourself; in a hundred battles you will never be in peril.” Following his logic,
we must first understand the attackers’ behavior in order to deploy a good defense strategy in
response.

Hence, penetration testing and ethical hacking should not be excluded from the cybersecurity
curriculum. It is necessary to teach students from the hackers’ perspective to improve their
ability to identify system vulnerabilities. In doing so, they will become better equipped to apply
the appropriate mechanisms to harden computer information systems.

This paper is organized as follows: Section 2 introduces Cyber Crime. Section 3 describes the
Ethical Hacking and Penetration Testing Education. Section 4 presents Penetration Testing Career
Paths. Finally, we conclude our work in the last section.

2. Cyber Crime

According to the Internet Crime Report published by the Internet Crime Complaint Center (IC3) of the
Federal Bureau of Investigation (FBI), IC3 received over 790,000 complaints of cybercrime from
the American public in 2020, with the amount of monetary damage exceeding $4.1 billion, up
from 17.8 million in 2001 [2]. Hackers have long used various hacking techniques to gain access
to organizations and steal money or information, or to modify or destroy data.
Among all the victims, private industry is the most common target and has experienced huge
losses in both revenue and reputation from security breaches. For example, Yahoo suffered the
biggest data breaches of the 21st century, in which 3 billion user accounts (names, dates of birth,
email addresses, and passwords) were compromised in 2013 and 2016. Alibaba and LinkedIn
rank numbers 2 and 3 in top data breaches of the 21st century in private industry, respectively.
Alibaba’s Taobao shopping platform suffered a data leak in November 2019, in which a software
developer using web-crawling software exposed over 1.1 billion pieces of user data (IDs and phone
numbers). Data on 700 million LinkedIn users (92% of total users) was posted for sale on a dark web
forum in June 2021, with records including phone numbers, physical addresses, geolocation data,
and inferred salaries [3].

Hackers also target government agencies to achieve their own illegal goals. From federal
and state agencies to municipal governments in the US, no governmental agency is
exempt from becoming a victim of cyber attackers. For example, hackers launched a cyberattack
against US government agencies in 2020, and the attack could be the largest government hack since
the Obama administration [4]. Multiple agencies’ digital files were accessed and over 18,000
government and private computer networks were affected by a hidden virus.

Not only are private industry and government agencies vulnerable to cyberattacks, but higher
education has also become a victim of cyberattacks. Based on the report from Comparitech, US
K–12 school districts and colleges/universities have leaked 24.5 million records in over 1,327
data breaches since 2005 [5]. In 2020 alone, there were at least 84 cybersecurity incidents
involving the education sector, and as a result schools had to cancel classes [6]. For example, the
University of California, San Francisco (UCSF) paid the hackers after its School of Medicine
had to cease operations following a cyberattack in July 2020. Moreover, UCSF had to pay a ransom
of $1.14 million in order to get its data decrypted after the ransomware attack [7].

3. Ethical Hacking and Penetration Testing Education

The only way to fight against cybercrime is to foster more well-trained professionals to protect
the nation's information technology infrastructure. The National Initiative for Cybersecurity Careers
and Studies (NICCS) says “We must teach science, technology, engineering and math (STEM),
and other cyber concepts to all students, and educate all students on the secure use of today’s
ever-evolving technologies.” [8]. However, the number of skilled cybersecurity professionals is
far smaller than the workforce needs. According to MIT Technology Review, the number of unfilled
cybersecurity jobs is expected to reach 3.5 million in 2021, and fewer than one in four of the
candidates who apply are even qualified [9].

The three main cybersecurity areas (confidentiality, integrity, and availability) cover many focus
areas, such as offensive operation, security architecture, policy management, data loss
prevention, risk and compliance, access control, cyber defense, ethics, law & policy, incident
response, intrusion detection, digital forensics, cloud security, ICS/SCADA security, IoT security,
mobile security, application security, secure software development, threat intelligence,
vulnerability management, and so on. The following discusses the best practices in promoting
and expanding education in the field of penetration testing.

3.1. Cybersecurity Competitions

As a means to foster tomorrow's cybersecurity professionals, cybersecurity competitions have
become a popular way to promote interest in cybersecurity and train cybersecurity professionals
in a controlled network environment. During the competition, individual participants or teams
use their knowledge and skills to resolve cybersecurity issues they might encounter in the
real world. The challenges provide opportunities to help them strengthen their problem-solving and
decision-making abilities.

There is a wide variety of local, state, regional, national, and international cybersecurity
competitions, held face-to-face, virtually, or as a combination of both. The
competitions may focus on different fields of cybersecurity; however, penetration testing plays a
crucial role because equipping IT professionals with this knowledge is the best strategy to ensure
that an organization can operate without interruption and that good defense mechanisms can be
deployed.

In general, the competitions can be classified into four major models: network defense
competition, computer forensics competition, penetration testing competition, and Capture the
Flag (CTF) competition. The four competition models are detailed below.

3.1.1. Network Defense Competition

This type of competition focuses on administrative tasks and defensive duties for a made-up
corporate network. During the competition, teams need to perform daily tasks, such as
responding to business requests (e.g. the addition or removal of services) and keeping
the business services running (e.g. mail and web servers). Teams also need to detect simulated
cyberattacks and respond properly to protect their networks. Teams are assessed based on
how well they do in threat detection, network protection, service maintenance, response to
business requests, and the balance between security and business needs. Both the National
Collegiate Cyber Defense Competition (NCCDC) [10] and the National Cyber League (NCL)
Competition [11] are this type of competition.

3.1.2. Computer Forensics Competition

Forensic evidence, such as network traffic and data contained in electronic media, is
provided in this type of competition. The participating teams need to use forensics tools to
analyze that evidence and recognize malicious activities. The challenge tasks
include network packet and log analysis, steganography, data carving, data recovery, and
cyberattack identification. Examples of this type of competition are the NYU High School Forensics
Challenge [12] and Cyber Quests [13].

3.1.3. Penetration Testing Competition

The main purpose of this type of competition is to test participants’ offensive security skills.
Each team is provided with a real-world simulated commercial environment with critical security
vulnerabilities. During the competition, teams use their knowledge and skills of penetration
testing to discover weaknesses in other teams’ environments and furthermore gain access to their
systems. Global Collegiate Penetration Testing Competition (CPTC) [14] and Global
Cyberlympics Security Competition [15] are examples of this type of competition.

3.1.4. CTF Competition

Usually, CTF competitions are held in three formats: Jeopardy, attack-defense, or mixed
competitions [16]. The Jeopardy style is similar to the TV show Jeopardy and consists of
multiple categories with technical questions (tasks). Points are assigned to questions according
to their technical difficulty; normally, more points are assigned to more
complicated tasks. Teams get points for every solved question. The winner is
the team with the most points at the end of the competition. An example of this style of
competition is Defcon CTF Quals [17].

In an attack-defense style competition, each team is given an isolated virtualized network that
includes multiple virtual machines with vulnerable services. Before the competition starts, each
team has time to fix system vulnerabilities and develop exploits. Then, the organizer connects all
the teams together and starts the competition. Points are assigned to teams that successfully
secure their services and successfully attack other teams’ machines. DefCon CTF is this type of
competition [18].

Mixed competitions are a combination of Jeopardy and attack-defense style competitions.
During the competition, the participating teams need to strategically divide their time between
defending their own systems from other teams’ attacks and simultaneously hacking other
teams’ vulnerable systems. An example of such a competition is The International Capture the Flag
(iCTF) Competition [19].

3.2. Penetration Testing Certifications

The goal of penetration testing certifications is to examine whether a person has attained enough
knowledge and skills in the subjects of penetration testing, including reconnaissance,
weaponization, exploitation, assessment, legal issues, data analysis, compliance requirements,
reporting, and communication.

There are many certifications that focus on different areas of cybersecurity, such as mobile
applications, Internet of Things, cloud, and web applications. Certifications are also offered at
different levels for testers to select from. Generally, the certifications can be classified into
entry level, intermediate level, and expert level. For example, EC-Council offers the entry level
Certified Ethical Hacker (CEH) certification. CompTIA offers the PenTest+ intermediate
certification. The Information Assurance Certification Review Board (IACRB) offers various
penetration testing related certifications from entry to expert levels, which include Certified
Penetration Tester (CPT), Certified Expert Penetration Tester (CEPT), Certified Red Team
Operations Professional (CRTOP), Certified Cloud Penetration Tester (CCPT), and Certified
Mobile and Web Application Penetration Tester (CMWAPT). The organization that issues the
certificate normally offers courses for testers to acquire the essential knowledge for passing the
certification examination. The following table lists some popular certifications.

Table 1. Penetration Testing Certifications

| Name | Price | Exam Time | Exam Type | Focus |
|---|---|---|---|---|
| CEH - Certified Ethical Hacker Certification¹ | $1,199 | 4 hours | 125 questions | Analysis/Assessment; Security tools/Systems/Programs; Procedures/Methodology; Regulation/Policy; Ethics |
| GPEN - GIAC Penetration Tester² | $2,499 | 3 hours | 82-115 multiple-choice questions | Comprehensive penetration testing planning, scoping, and reconnaissance; In-depth scanning, exploitation, post-exploitation, and pivoting, password attacks and App penetration testing |
| CMWAPT - Certified Mobile and Web App Penetration Tester³ | $499 | 2 hours | 50 multiple-choice questions | Mobile and web application penetration testing process and methodology; Web application vulnerabilities and attacks; Android application components and attacks; iOS application components and attacks; Secure coding principles |
| GXPN - GIAC Exploit Researcher and Advanced Penetration Tester⁴ | $2,499 | 3 hours | 55-75 questions | Network Attacks, Crypto, Network Booting, and Restricted Environments; Python, Scapy, and Fuzzing; Exploiting Windows and Linux for penetration testers |
| CRTOP - Certified Red Team Operations Professional⁵ | $499 | 2 hours | 50 multiple-choice questions | Red team roles, responsibilities, assessment methodology, and reporting; Physical and digital reconnaissance tools and techniques; Vulnerability identification and mapping; Social engineering |
| CPT - Certified Penetration Tester⁶ | $499 | 2 hours | 50 multiple-choice questions | Penetration testing methodologies; Network protocol reconnaissance and attacks; Vulnerability identification; Windows and Unix/Linux exploits; Covert channels & rootkits; Wireless security flaws; Web application vulnerabilities |
| CEPT - Certified Expert Penetration Tester⁷ | $499 | 2 hours | 50 multiple-choice questions | Penetration testing methodologies; Network reconnaissance and attacks; Windows and Linux/Unix shellcode; Reverse engineering; Memory corruption/buffer overflow vulnerabilities; Exploit creation: Windows and Linux/Unix architecture |
| CompTIA PenTest+⁸ | $370 | 2.75 hours | 85 practical & multiple-choice questions | Planning and scoping; Penetration testing tools; Information gathering and vulnerability identification; Reporting and communication; Attacks and exploits |
| OSCP - Offensive Security Certified Professional⁹ | $999 | 24 hours | Practical exam | Bash scripting; Command line; Tools; Information gathering; Vulnerability scanning; Cyberattack simulation; System exploitation |
| CPENT - The Certified Penetration Testing Professional¹⁰ | $2,199 | 24 hours | Practical exam | Open source; Penetration testing: social engineering, network, web application, wireless, IoT, SCADA, and cloud; Binary analysis and exploitation; Report writing and post testing actions |

Note.
1. CEH - Certified Ethical Hacker Certification. https://www.eccouncil.org/programs/certified-ethical-hacker-ceh/
2. GPEN - GIAC Penetration Tester. https://www.giac.org/certification/penetration-tester-gpen
3. CMWAPT - Certified Mobile and Web App Penetration Tester. https://www.iacertification.org/cmwapt_certified_moible_and_web_app_penetration_tester.html
4. GXPN - GIAC Exploit Researcher and Advanced Penetration Tester. https://www.giac.org/certification/exploit-researcher-advanced-penetration-tester-gxpn
5. CRTOP - Certified Red Team Operations Professional. https://www.iacertification.org/crtop_certified_red_team_operations_professional.html
6. CPT - Certified Penetration Tester. https://www.iacertification.org/cpt_certified_penetration_tester.html
7. CEPT - Certified Expert Penetration Tester. https://www.iacertification.org/cept_certified_expert_penetration_tester.html
8. CompTIA PenTest+. https://www.comptia.org/certifications/pentest
9. OSCP - Offensive Security Certified Professional. https://www.offensive-security.com/pwk-oscp/
10. CPENT - The Certified Penetration Testing Professional. https://www.eccouncil.org/programs/certified-penetration-testing-professional-cpent/

3.3. The National Centers of Academic Excellence in Cybersecurity (NCAE-C) program

The NCAE-C program is jointly sponsored by the Department of Homeland Security and the
National Security Agency. The goal of the program is to promote higher education and research
in cyber defense and to equip professionals with cyber defense expertise for the Nation. There
are three types of CAE Program Designation: the Cyber Defense Education (CAE-CDE)
designation, the Cyber Research (CAE-R) designation, and the Cyber Operations (CAE-CO)
designation [20]. Designations are awarded to accredited academic institutions offering
cybersecurity degrees and/or certificates at the Associates, Bachelors and graduate levels. So far,
over 300 colleges and universities across 48 states, the District of Columbia, and the
Commonwealth of Puerto Rico are designated as NCAEs in Cybersecurity.

In order to become designated as an NCAE-C institution, the applicant must demonstrate that it
is actively involved in community engagement, educational teaching and research activities, and
institutional practices in cybersecurity. Currently, the application process includes two phases:
Program of Study (PoS) Validation and CAE Designation [21]. During the first phase, one of the
requirements is to map cybersecurity-relevant courses to the Knowledge Units (KUs) designed by
the NCAE-C program.

There are 69 KUs grouped into four categories: Foundational (3 KUs), Technical Core (5
KUs), Non-Technical Core (5 KUs), and Optional (56 KUs) [22]. Within these KUs, the
Penetration Testing (PTT) KU encompasses both outcomes and learning topics directly related to
ethical hacking and penetration testing. Additionally, many KUs are associated with
cyberattacks, assessment, and vulnerability testing, including Cybersecurity Foundations
(CSF), Security Risk Analysis (SRA), Basic Cyber Operations (BCO), Vulnerability Analysis
(VLA), Cybersecurity Principles (CSP), Basic Cryptography (BCY), Network Defense (NDF),
Cyber Threats (CTH), IT Systems Components (ISC), Cloud Computing (CCO), Web
Application Security (WAS), Hardware/Firmware Security (HFS), Life-Cycle Security (LCS),
Operating Systems Hardening (OSH), Network Security Administration (NSA), QA/Functional
Testing (QAT), Secure Programming Practices (SPP), Software Security Analysis (SSA),
Systems Security Engineering (SSE), Software Assurance (SAS), and Advanced Cryptography
(ACR). Clearly, the knowledge and skills of vulnerability assessment and penetration
testing, and awareness of regulatory, legal, and ethical issues, are very important subjects in
cybersecurity education. Both theoretical learning and practical application of these subjects
should be offered in higher education.

4. Penetration Testing Career Paths

The National Initiative for Cybersecurity Education (NICE) clearly defines seven categories in
the cybersecurity workforce framework: Securely Provision (SP), Operate and Maintain (OM),
Oversee and Govern (OV), Protect and Defend (PR), Analyze (AN), Collect and Operate (CO),
and Investigate (IN). Each Category is comprised of Specialty Areas and Work Roles [23]. There
are 32 Specialty Areas in National Cybersecurity Workforce Framework version 2.0. They
represent fields of functions within cybersecurity and each consists of a set of Work Roles. Each
Work Role includes a list of attributes required to perform that role. The attributes are
Knowledge, Skills, and Abilities (KSAs) and Tasks.

While serving in a cybersecurity work role, the professional must possess the required
knowledge and skills, and many roles are related to penetration testing attributes, such as
cyberattacks, vulnerability identification and analysis, ethical hacking, penetration testing, and
security threats, shown in Table 2. Table 3 shows the Work Roles that need one or more of the
attributes listed in Table 2.

Table 2. KSAs and Tasks related to ethical hacking and penetration testing

| Attribute | IDs |
|---|---|
| Knowledge (K) | K0013, K0040, K0070, K0106, K0119, K0144, K0147, K0160, K0161, K0162, K0177, K0191, K0206, K0234, K0272, K0296, K0310, K0314, K0339, K0342, K0362, K0367, K0373, K0375, K0402, K0408, K0436, K0440, K0523, K0536 |
| Skills (S) | S0001, S0051, S0078, S0081, S0137, S0167, S0242, S0269 |
| Abilities (A) | A0001, A0015, A0092, A0149, A0155 |
| Tasks (T) | T0028, T0124, T0163, T0171, T0181, T0229, T0236, T0266, T0292, T0298, T0545, T0549, T0606, T0616, T0724 |

Table 3. Work Roles that need knowledge of ethical hacking and penetration testing

| NICE Framework Categories | Specialty Areas | Work Role Names |
|---|---|---|
| Securely Provision | Technology R&D | Research and Development Specialist |
| Securely Provision | Systems Architecture | Enterprise Architect; Security Architect |
| Securely Provision | Systems Development | Information Systems Security Developer |
| Securely Provision | Risk Management | Authorizing Official; Security Control Assessor |
| Securely Provision | Software Development | Software Developer; Secure Software Assessor |
| Operate and Maintain | Knowledge Management | Knowledge Manager |
| Operate and Maintain | Systems Analysis | Systems Security Analyst |
| Operate and Maintain | Network Services | Network Operations Specialist |
| Oversee and Govern | Cybersecurity Management | Information Systems Security Manager; Communications Security Manager |
| Oversee and Govern | Legal Advice and Advocacy | Cyber Legal Advisor |
| Oversee and Govern | Training, Education, and Awareness | Cyber Instructor; Cyber Instructional Curriculum Developer |
| Oversee and Govern | Strategic Planning and Policy Development | Cyber Policy and Strategy Planner; Cyber Workforce Developer and Manager |
| Oversee and Govern | Executive Cyber Leadership | Executive Cyber Leadership |
| Protect and Defend | Vulnerability Assessment and Management | Vulnerability Assessment Analyst |
| Protect and Defend | Incident Response | Cyber Defense Incident Responder |
| Protect and Defend | Cyber Defense Infrastructure Support | Cyber Defense Infrastructure Support Specialist |
| Protect and Defend | Cyber Defense Analysis | Cyber Defense Analyst |
| Analyze | Exploitation Analysis | Exploitation Analyst |
| Analyze | Targets | Target Developer; Target Network Analyst |
| Analyze | All-Source Analysis | Mission Assessment Specialist; All-Source Analyst |
| Analyze | Warning/Threat Analysis | Threat/Warning Analyst |
| Analyze | Language Analysis | Multi-Disciplined Language Analyst |
| Collect and Operate | Collection Operations | All Source-Collection Manager; All Source-Collection Requirements Manager |
| Collect and Operate | Cyber Operational Planning | Cyber Intel Planner; Cyber Ops Planner; Partner Integration Planner |
| Collect and Operate | Cyber Operations | Cyber Operator |
| Investigate | Digital Forensics | Law Enforcement/Counterintelligence Forensics Analyst; Cyber Defense Forensics Analyst |
| Investigate | Cyber Investigation | Cyber Crime Investigator |

5. Conclusions

Properly designed penetration testing activities can provide valuable insight into both computer
systems and networks. Vulnerabilities can be identified ahead of time and appropriate
mechanisms can be correctly implemented to harden the information systems. As hacking
techniques advance, penetration testing knowledge should be taught in order to protect critical
information technology infrastructures from cyberattacks. Hence, promoting and expanding
penetration testing education has become an important task. By doing so, more well-trained
penetration testing professionals can be deployed in cybersecurity roles to meet current and
future workforce needs.

References

1. “Summary of Information Security Analysts,” Occupational Outlook Handbook, U.S. Bureau of Labor. https://www.bls.gov/ooh/computer-and-information-technology/information-security-analysts.htm
2. Joseph Johnson, “IC3: total damage caused by reported cyber crime 2001-2020,” Statista, March 2021. Retrieved from: https://www.statista.com/statistics/267132/total-damage-caused-by-by-cyber-crime-in-the-us/
3. Michael Hill and Dan Swinhoe, “The 15 biggest data breaches of the 21st century,” CSO, July 2021. Retrieved from: https://www.csoonline.com/article/2130877/the-biggest-data-breaches-of-the-21st-century.html
4. Bill Whitaker, “SolarWinds: How Russian spies hacked the Justice, State, Treasury, Energy and Commerce Departments,” CBS News, July 2021. Retrieved from: https://www.cbsnews.com/news/solarwinds-hack-russia-cyberattack-60-minutes-2021-07-04/
5. Sam Cook, “US schools leaked 24.5 million records in 1,327 data breaches since 2005,” Comparitech, July 2020. https://www.comparitech.com/blog/vpn-privacy/us-schools-data-breaches/
6. Emsisoft Malware Lab, “The State of Ransomware in the US: Report and Statistics 2020,” January 2021. Retrieved from: https://blog.emsisoft.com/en/37314/the-state-of-ransomware-in-the-us-report-and-statistics-2020/
7. Joe Tidy, “How hackers extorted $1.14m from University of California, San Francisco,” BBC News, June 2020. Retrieved from: https://www.bbc.com/news/technology-53214783
8. “Furthering Cybersecurity Education,” National Initiative For Cybersecurity Careers and Studies (NICCS). Retrieved from: https://niccs.cisa.gov/formal-education
9. Erin Winick, “A cyber-skills shortage means students are being recruited to fight off hackers,” MIT Technology Review, October 2018. Retrieved from: https://www.technologyreview.com/2018/10/18/139708/a-cyber-skills-shortage-means-students-are-being-recruited-to-fight-off-hackers/
10. National Collegiate Cyber Defense Competition (NCCDC). https://www.nationalccdc.org/
11. National Cyber League (NCL) Competition. https://nationalcyberleague.org/competition
12. NYU High School Forensics Challenge. https://www.competitionsciences.org/competitions/nyu-high-school-forensics-challenge/
13. Cyber Quests. https://uscc.cyberquests.org/
14. Global Collegiate Penetration Testing Competition (CPTC). https://globalcptc.org/
15. Global Cyberlympics Security Competition. https://www.cyberlympics.org/
16. What is Capture The Flag? CTF-TIME. https://ctftime.org/ctf-wtf/
17. Defcon CTF Quals. https://oooverflow.io/dc-ctf-2021-quals/
18. DefCon CTF. https://defcon.org/html/links/dc-ctf.html
19. The International Capture the Flag (iCTF) Competition. https://shellphish.net/ictf/
20. “What is a National Center of Academic Excellence in Cybersecurity (NCAE-C)?” National Security Agency Central Security Service. Retrieved from: https://www.nsa.gov/resources/students-educators/centers-academic-excellence/
21. Application Process and Adjudication Rubric (APAR) and Working Group (WG), “CAE 2020 Proposed Designation Requirement and Application Process,” National Center of Academic Excellence in Cybersecurity, September 2020. Retrieved from: https://www.ncyte.net/images/downloads/CAE-CD/CAE2020_Proposed_Designation_Requirements_20200929_.pdf
22. “2020 Knowledge Units.” Retrieved from: https://www.iad.gov/NIETP/documents/Requirements/CAE-CD_2020_Knowledge_Units.pdf
23. W. Newhouse, S. Keith, B. Scribner, and G. Witte, “National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework,” NIST Special Publication 800-181, August 2017. Retrieved from: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-181.pdf
