Stocktaking of information security training needs in critical sectors

Back to News

Cybersecurity awareness raising trainings are lagging behind. There is currently a shortage of trainings in specific threats encountered in different (sub)sectors and of trainings in the area of decision making as a result of data leakages or privacy incidents.

Cybersecurity awareness raising trainings are lagging behind. There is currently a shortage of trainings in specific threats encountered in different (sub)sectors and of trainings in the area of decision making as a result of data leakages or privacy incidents.

Although the EU cybersecurity training field is extensive and diversified, it hardly addresses the issue of raising the critical infrastructures’ cyber-resilience. Critical Infrastructure Protection (CIP) related trainings are still a niche. There is a shortage of specialized trainings in the field of Industrial Control Systems - Supervisory Control and Data Acquisition, which is an essential element in countering operational threats.

Furthermore, in light of the upcoming entering into force of the General Data Protection Regulation (GDPR), there is a high demand for specialised trainings, particularly since the new regulation sets out sanctions for any potential breach of personal data. 

These are the key findings of ENISA’s stocktaking study performed in the context of the ‘Directive on security of network and information systems’ (NIS Directive). The study is focused on assessing the current state-of-play and on determining if there are any training needs specific to each of the critical sectors that the NIS Directive puts an emphasis on.  

Over the past 10 years, the EU Cybersecurity ENISA has developed a wide range of cybersecurity trainings. Therefore, the study is set to evaluate the effectiveness of ENISA’s training portfolio, and to determine how to best adjust its training capabilities to the existing needs.

In this regard, the study sets forth the following conclusions:

  • trainings should be tailored, presenting the context of threats and risks related to each sector. In particular, dependencies and mutual influence of infrastructures operating in different sectors should be explained, along with their possible impact on cybersecurity issues concerning for example global payments or air traffic control;
  • trainings should be provided in more languages;
  • it is recommended to see if ‘cyber-range’ and gamification based trainings may provide a more effective approach than traditional trainings;
  • on-demand training accessibility is gaining in importance.

Finally, it is advised to organise a pilot study in all critical sectors to further gauge the results of this study and develop implementable proposals on how to improve the training situation in that sector.

According to the NIS Directive, the critical sectors are energy, transport, banking, financial markets, healthcare, water and digital infrastructure. The NIS Directive states that “network and information systems and services play a vital role in society”, and that “magnitude, frequency and impact of security incidents are increasing, and represent a major threat”.

The protection of the seven critical sectors must have the highest priority within the EU. If these sectors are threatened, the functioning of society itself and the health and well-being of its citizens are under threat. An important part of that priority is to increase the competences of cybersecurity personnel. This requires the availability of high-quality trainings across the board, accessible to all critical sectors.

To download the full report: Stocktaking of information security training needs in critical sectors