Professional Competencies Level Assessment for Training of Masters in Information Security

Abstract

The peculiarities of assessing the level of professional competency formation in information security (IS) are discussed. The approach described uses the levels of mastering of specific disciplines forming this competency. Professional competencies in the field of information security and their levels are defined. The paper explains how these competencies can be formed. Metrics for the level of mastery of the discipline are introduced. The competencies level assessment model is proposed. The model application to the “Business Continuity and Information Security Maintenance” program for Masters at the NRNU MEPhI is shown. Important notes on using the model are given in conclusion.

1 Introduction

A professional in any field of activity must have specific qualifying characteristics. This is also true for the sphere of information security (IS). The modern approach to the determination of qualifying characteristics is based on the definition of professional competencies (further competencies) as a professional’s capacity to solve given problems and to perform specific work within his/her sphere of activity [1–3].

Qualifying characteristics for IS specialists can be presented as a set of their competencies in the field of IS (further IS competencies). They are used while implementing organizational personnel policy (including the role identification and assignment, the personnel recruitment and placement) and training (including the definition of requirements that the educational institutions’ graduates must meet, and the implementation of an educational process that meets these requirements). Joint efforts of organizations’ personnel departments and educational institutions together with the existence of some unified set of competencies will definitely enable coordination of their activities in order to best meet the staffing needs.

A problem of assessing the level of competencies (CL) formed in the implementation of a specific curriculum in the field of IS arises while conducting personnel training in this area. Two approaches are applicable for assessing this level:

1. 1.

   Assessment at the training completion (can be done via one single examination on all aspects related to a specific IS competency);

2. 2.

   Assessment of the levels of mastery of all specific disciplines forming one IS competency.

This paper describes a model that enables us to implement the second approach, which, from our point of view, is more interesting than the first. The remainder of the paper is organized as follows. Professional IS competencies and their levels are defined in Sect. 2. Section 3 explains how these IS competencies can be formed. Section 4 introduces metrics to measure the mastery level of the disciplines. The CL assessment model is proposed in Sect. 5. The model application to the “Business Continuity and Information Security Maintenance” program for Masters at the NRNU MEPhI is shown in Sect. 6. Some important notes on using the model are given in conclusion.

2 Information Security Competencies and Their Levels

Competencies support definitions of job classifications/occupational group profiles, roles and responsibilities, position descriptions, duty statements, etc. [3]. A competency is traditionally defined as a combination of observable and measurable knowledge, abilities and skills (Fig. 1) (as well as individual attributes and work experience) that contribute to enhanced employee performance and ultimately result in organizational success [3, 4].

Fig. 1.

Three competency’s parameters

Knowledge is the cognizance of facts, truths and principles gained from formal training and/or experience.

A skill is a developed proficiency or dexterity in mental operations or physical processes that is often acquired through specialized training; using these skills results in successful performance.

Ability is the power or aptitude to perform physical or mental activities that are often affiliated with a particular profession.

Hence, knowledge, abilities and skills levels are three integral parameters (attributes) of a specific competency, which are necessary to perform a job successfully. In our case this competency is related to the field of IS.

For recruitment it is important not only to formulate all the parameters of a certain competency, but also to determine the necessary levels of these parameters. At present it seems reasonable to use the US Government IS Workforce Development Model defining the following levels of competency [3].

Level 0 (Not Applicable). The knowledge, abilities and skills levels within the framework of this IS competency are unrelated to the requirements set either by an organization engaged in recruitment for a certain employment or by an institution at a student’s training completion.

Level 1 (Entry-Level). The level corresponds to the presence of only basic knowledge in the area of professional activity to which this competency is related (basic understanding of IS concepts, common knowledge and its application to computer systems architecture) and limited experience (gained in a classroom and/or experimental scenarios or as a trainee on-the-job) that partially meets the requirements of abilities and skills. A professional has the ability to understand and discuss terminology, concepts and principles, and issues related to this competency. Help or mentoring is needed in performing these skills. The focus is on learning and development of on-the-job experience. When hiring a professional with such CL it is required to provide some mechanism to increase this level. These measures may include training at the workplace under the supervision of experienced staff members or requiring additional training (in the form of retraining courses). In an institution of higher education this level can be raised to the minimum needed to meet the requirements, which characterizes the final level of formation of a specific IS competency.

Level 2 (Intermediate). A professional possessing the IS competency of this level demonstrates solid IS knowledge and skills necessary to successfully solve typical professional tasks within the competency and with minimal guidance. He is able to understand and discuss the competency context and implications of changes to processes, policies and procedures in the professional field. Help or mentoring from an expert may be required from time-to-time (to handle novel or more complex, atypical situations), but the skills can be implemented independently. The focus is on applying and enhancing the levels of IS knowledge and skills. In an educational institution this level characterizes a basic understanding of a specific IS competency.

Level 3 (Advanced). A professional possessing the IS competency of this level has expert understanding, wide knowledge and abilities within that competency. Further, he or she can apply this competency in new or complex situations in related IS areas. He demonstrates expert knowledge of laws, regulations, policies and procedures, and standards in the area of his/her professional activity, including the ability to interpret and to translate subject matter to various audiences and for different applications. This allows him/her to take part in the development of various organizational documents and to focus on broad organizational/professional issues, including participation in senior and executive level discussions regarding this competency. The actions associated with these skills can be performed without assistance and are aimed at solving wide professional and organizational tasks with a focus on well-organized and accurate work in a team to implement the modern ideas. This professional provides consistent, practical and relevant ideas and perspectives on process or practice improvements, which may easily be implemented. He is a recognized authority within the organization. He is able to coach and mentor others in applying this IS competency by translating complex nuances into easy to understand terms in various business and technology contexts. In an institution this level characterizes an advanced, final level of gaining competency in a specific IS competency.

This paper is focused on solving the problem of assessing the level of IS competency, developed by the students of the higher education institutions.

3 Information Security Competencies Formation

To train IS professionals in an educational institution means to develop the students’ IS competencies in a particular area of their professional activity. The existence of such IS competencies when training is complete means the graduate has the ability to perform his job successfully and to solve practical tasks assigned to him by his employer.

Traditional competencies’ formation is mastery of a specific number of educational disciplines (further disciplines). In general, they include training courses, various practices (practical works) and completion of a final qualifying work (FQW). One particular institution combined these disciplines to define specific features of an educational program leading to a Bachelor’s or Master’s degree, or a Specialist diploma, in the IS field [1].

Implementation of a specific programme (for example, for Masters in IS) usually aims to develop some number of students’ competencies CJ (Fig. 2). A predetermined number M of disciplines \( \left[ {\varvec{D}_{\varvec{m}} } \right]\,\left( {\varvec{m} = \varvec{1},{\mathbf{ \ldots }},\varvec{M}} \right) \) is involved in the formation of each IS competency. A few disciplines directly form a specific competency (e.g. competency \( \varvec{C}_{\varvec{j}} \)). The rest of the disciplines are designed to create the required levels of IS knowledge, abilities and skills, necessary for mastering of disciplines, directly forming all necessary IS competencies. As an example, Fig. 2 shows that N disciplines \( \left[ {\varvec{D}_{{\varvec{mn}}} } \right]\,\left( {\varvec{n} = \varvec{1}, \ldots ,\varvec{N}} \right) \) providing the knowledge, skills and abilities for the discipline \( \varvec{D}_{\varvec{m}} \).

Fig. 2.

Diagram of IS competencies’ formation

Thus, the levels of attributes of a specific IS competency are formed directly and indirectly by the levels of IS knowledge, abilities and skills, obtained by mastering of a set of disciplines.

To determine the levels of competency in the various attributes making up IS, we have to measure the levels of mastery of disciplines making up that competency. We must also assess the contribution of each discipline to achieving IS competency.

4 Metrics for the Levels of Mastery of the Discipline

Different scales can be used to assess the level of mastery of the discipline (DML). It may be a mark in points from 0 to 100 (Fig. 3a) or 0 to 10 (Fig. 3b), a literal indexing from J to A (Fig. 3c) or a mixed form (Fig. 3d) from 1 (“very bad”) to 5 (“excellent”). There are also other assessment scales.

Fig. 3.

Levels of mastery of the IS disciplines

To assess DMLs using CL it is necessary to select a single scale. This paper uses a point scale – from 0 to 100 (Fig. 3a). Converting the measurement of a DML from one scale to another does not pose difficulties in any particular case (Fig. 3 can be used as an example for that purpose).

The assessment of a specific IS DML for \( \varvec{D}_{\varvec{m}} \) designated here as \( \varvec{DA}_{\varvec{m}} \) should integrate the assessments of the level of gained IS knowledge \( \varvec{KD}_{\varvec{m}} \), the level of formed IS abilities \( \varvec{AD}_{\varvec{m}} \) and the level of acquired IS skills \( \varvec{SD}_{\varvec{m}} \), developed by mastery of this discipline. Then

$$ \varvec{DA}_{\varvec{m}} =\varvec{\alpha}_{{\varvec{km}}} \varvec{KD}_{\varvec{m}} +\varvec{\alpha}_{{\varvec{am}}} \varvec{AD}_{\varvec{m}} +\varvec{\alpha}_{{\varvec{sm}}} \varvec{SD}_{\varvec{m}} , $$

(1)

where \( \varvec{\alpha}_{{\varvec{km}}} \varvec{ },\varvec{\alpha}_{{\varvec{am}}} \varvec{ },\varvec{ \alpha }_{{\varvec{sm}}} \varvec{ } \) are the weights of the contribution of the attributes (knowledge, abilities and skills) into DML. These attributes must satisfy the condition \( \varvec{\alpha}_{{\varvec{km}}} +\varvec{\alpha}_{{\varvec{am}}} +\varvec{\alpha}_{{\varvec{sm}}} = {\mathbf{1}} \).

The levels \( \varvec{KD}_{\varvec{m}} \varvec{ },\varvec{ AD}_{\varvec{m}} \varvec{ },\varvec{ SD}_{\varvec{m}} \), which the students develop while mastering specific IS disciplines, are defined during the testing of their progress. Students are evaluated in some way, for example by examination. In that case, the control questions for progress testing should be formulated in such a way that these levels can be clearly assessed based on responses to them.

The following features associated with the peculiarities of a specific IS discipline can also be considered. For example, if the discipline is a training course, its curriculum can be implemented using various forms of training: lectures, seminars, and labs. Lectures mainly form the knowledge level, seminars – abilities level and labs – skills level.

If the discipline consists only of the lectures (e.g. a more theoretical discipline studying international law or explaining how to write IS policies), then \( \varvec{\alpha}_{{\varvec{km}}} = {\mathbf{1}} ,\varvec{\alpha}_{{\varvec{am}}} = {\mathbf{0}},\varvec{\alpha}_{{\varvec{sm}}} = {\mathbf{0}} \).

In case of seminars (e.g. with an assignment to write a specific private IS policy), then \( \varvec{\alpha}_{{\varvec{km}}} \ll\varvec{\alpha}_{{\varvec{am}}} , \varvec{\alpha}_{{\varvec{km}}} \le\varvec{\alpha}_{{\varvec{sm}}} , \varvec{\alpha}_{{\varvec{am}}} \ge\varvec{\alpha}_{{\varvec{sm}}} \).

If nothing but labs (e.g. how to detect network intrusions using IDS predefined for a student or a group of students), then \( \varvec{\alpha}_{{\varvec{km}}} \ll\varvec{\alpha}_{{\varvec{sm}}} , \varvec{\alpha}_{{\varvec{km}}} \le\varvec{\alpha}_{{\varvec{am}}} , \varvec{\alpha}_{{\varvec{am}}} \le\varvec{\alpha}_{{\varvec{sm}}} \).

In case of practices and FQW, then \( \varvec{\alpha}_{{\varvec{km}}} \le\varvec{\alpha}_{{\varvec{am}}} , \varvec{\alpha}_{{\varvec{km}}} \ll\varvec{\alpha}_{{\varvec{sm}}} , \varvec{\alpha}_{{\varvec{am}}} \le\varvec{\alpha}_{{\varvec{sm}}} \).

The values of \( \varvec{\alpha}_{{\varvec{km}}} \varvec{ },\varvec{\alpha}_{{\varvec{am}}} \varvec{ },\varvec{ \alpha }_{{\varvec{sm}}} \) for a specific discipline can be determined by an expert, who can be a professor/instructor/tutor conducting studies on the discipline. For example, these values for a discipline being a training course can be determined based on analysis of the work involved in a discipline (we call it a discipline laboriousness) expressed in credits or time of classes’ duration in academic hours \( \varvec{T}_{{\mathbf{0}}} \) in view of duration of lectures \( \varvec{T}_{\varvec{k}} \), seminars \( \varvec{T}_{\varvec{a}} \) and labs \( \varvec{T}_{\varvec{s}} \):

$$ \varvec{\alpha}_{{\varvec{km}}} = \frac{{\varvec{T}_{\varvec{k}} }}{{\varvec{T}_{0} }} ;\varvec{\alpha}_{{\varvec{am}}} = \frac{{\varvec{T}_{\varvec{a}} }}{{\varvec{T}_{0} }} ;\varvec{\alpha}_{{\varvec{sm}}} = \frac{{\varvec{T}_{\varvec{s}} }}{{\varvec{T}_{0} }} ; \varvec{T}_{0} = \varvec{T}_{\varvec{k}} + \varvec{T}_{\varvec{a}} + \varvec{T}_{\varvec{s}} . $$

(2)

5 Information Security Competencies Level Assessment Model

In the introduction we emphasized that we will assess a specific IS competency \( \varvec{CA}_{\varvec{j}} \) and its attributes’ values (the levels of IS knowledge \( \varvec{KC}_{\varvec{j}} \), abilities \( \varvec{AC}_{\varvec{j}} \) and skills \( \varvec{SC}_{\varvec{j}} \)) using the second approach. That approach is based on the characteristics of disciplines forming this competency (DML \( \varvec{DA}_{\varvec{m}} \), the levels \( \varvec{KD}_{\varvec{m}} \), \( \varvec{AD}_{\varvec{m}} \) and \( \varvec{SD}_{\varvec{m}} \)).

Let us set the following assumptions for the model.

1. 1.

   Some disciplines \( \varvec{D}_{{\varvec{mn}}} \) are essential for disciplines \( \varvec{D}_{\varvec{m}} \). These disciplines \( \varvec{D}_{\varvec{m}} \) directly form some IS competency \( \varvec{C}_{\varvec{j}} \) (Fig. 2). Thus, the disciplines \( \varvec{D}_{{\varvec{mn}}} \) indirectly determine the characteristics of the competency \( \varvec{C}_{\varvec{j}} \). Due to length limits of the paper, we do not consider the characteristics of the underlying disciplines \( \varvec{D}_{{\varvec{mn}}} \).

2. 2.

   The results of mastering a specific discipline \( \varvec{D}_{{\varvec{mn}}} \) can be used in the formation of each IS competency \( \varvec{C}_{\varvec{j}} \) connected with this discipline. Therefore, the differentiation of the contribution of a particular discipline into the formation of different competencies is not taken into account.

3. 3.

   We weight the contributions of a discipline \( \varvec{D}_{\varvec{m}} \) to the formation of a specific IS competency \( \varvec{C}_{\varvec{j}} \varvec{ } \). For \( \varvec{D}_{\varvec{m}} ,\,\varvec{m} = \varvec{1},{\mathbf{ \ldots }},\varvec{M}; \) and \( \varvec{M} \) is the number of disciplines \( \varvec{D}_{\varvec{m}} \) forming the competency \( \varvec{C}_{\varvec{j}} \), these weights are \( \varvec{\beta k}_{{\varvec{jm}}} \) for the levels of knowledge, \( \varvec{\beta a}_{{\varvec{jm}}} \) for the abilities, and \( \varvec{\beta s}_{{\varvec{jm}}} \) for the skills. The weights \( \varvec{\beta k}_{{\varvec{jm}}} \varvec{ } \), \( \varvec{\beta a}_{{\varvec{jm}}} \), \( \varvec{\beta s}_{{\varvec{jm}}} \) are defined by experts. From our point of view for the weights’ values it is easy to use 11-points range (from 0 to 10 like in Table 1 from Sect. 5). It is not so important what range the experts will choose, because while assessing the attribute values for \( \varvec{C}_{\varvec{j}} \) the levels \( \varvec{KD}_{\varvec{m}} \), \( \varvec{AD}_{\varvec{m}} \) and \( \varvec{SD}_{\varvec{m}} \) with these weights are normalized by their sums as it is shown further (expressions (3), (4), (5)).

   Table 1. Initial data for competency assessment modeling

4. 4.

   The single points scale from 0 to 100 is used to assess the level of competencies, their attributes and characteristics of disciplines. The transition from this scale to four-level IS competency assessment (Sect. 2) is done in accordance with Fig. 4.

   Fig. 4.

   

   Linking of scales for competency assessment

The IS competencies level assessment model is shown in Fig. 5.

Fig. 5.

Diagram of IS competencies level assessment model

Initial data for the model are the following:

1. 1.

   a set of IS disciplines \( \varvec{D}_{\varvec{m}} \) (where \( \varvec{m} = \varvec{1,}{\mathbf{ \ldots }}\varvec{,M;} \, \varvec{M} \) is a number of disciplines), directly forming the selected IS competency \( \varvec{C}_{\varvec{j}} \);

2. 2.

   DML assessments \( \varvec{DA}_{\varvec{m}} \,\left( {\varvec{m} = \varvec{1,}{\mathbf{ \ldots }}\varvec{,M}} \right) \) and the levels \( \varvec{KD}_{\varvec{m}} \), \( \varvec{AD}_{\varvec{m}} \) and \( \varvec{SD}_{\varvec{m}} \));

3. 3.

   the coefficients for each discipline \( \varvec{\alpha}_{{\varvec{km}}} \varvec{ },\varvec{\alpha}_{{\varvec{am}}} \varvec{ },\varvec{ \alpha }_{{\varvec{sm}}} \,\left( {\varvec{m} = \varvec{1,}{\mathbf{ \ldots }}\varvec{,M}} \right); \)

4. 4.

   the weights \( {\mathbf{\upbeta k}}_{{{\mathbf{jm}}}} {\mathbf{ }} \), \( {\mathbf{\upbeta a}}_{{{\mathbf{jm}}}} {\mathbf{ }} \) and \( {\mathbf{\upbeta s}}_{{{\mathbf{jm}}}} \,\left( {\varvec{m} = \varvec{1,}{\mathbf{ \ldots }}\varvec{,M}} \right) \) for attributes’ assessment for \( \varvec{C}_{\varvec{j}} \).

The main expressions for the model are the following.

1. 1.

   Assessment of attribute value for \( \varvec{C}_{\varvec{j}} \), determining the IS knowledge level:

   $$ \varvec{KC}_{\varvec{j}} = \sum\nolimits_{{\varvec{m} = {\mathbf{1}}}}^{\varvec{M}} {\left( {{\varvec{\upbeta}}{\mathbf{k}}_{{{\mathbf{jm}}}} \varvec{ KD}_{\varvec{m}} } \right)} /\sum\nolimits_{{\varvec{m} = {\mathbf{1}}}}^{\varvec{M}} {\left( {{\varvec{\upbeta}}{\mathbf{k}}_{{{\mathbf{jm}}}} } \right).} $$

   (3)
2. 2.

   Assessment of attribute value for \( \varvec{C}_{\varvec{j}} \), determining the IS abilities level:

   $$ \varvec{AC}_{\varvec{j}} = \sum\nolimits_{{\varvec{m} = {\mathbf{1}}}}^{\varvec{M}} {\left( {{\varvec{\upbeta}}{\mathbf{a}}_{{{\mathbf{jm}}}} \varvec{ AD}_{\varvec{m}} } \right)} /\sum\nolimits_{{\varvec{m} = {\mathbf{1}}}}^{\varvec{M}} {\left( {{\varvec{\upbeta}}{\mathbf{a}}_{{{\mathbf{jm}}}} } \right)} . $$

   (4)
3. 3.

   Assessment of attribute value for \( \varvec{C}_{\varvec{j}} \), determining the IS skills level:

   $$ \varvec{SC}_{\varvec{j}} = \sum\nolimits_{{\varvec{m} = {\mathbf{1}}}}^{\varvec{M}} {\left( {{\varvec{\upbeta}}{\mathbf{s}}_{{{\mathbf{jm}}}} \varvec{ SD}_{\varvec{m}} } \right)} /\sum\nolimits_{{\varvec{m} = {\mathbf{1}}}}^{\varvec{M}} {\left( {{\varvec{\upbeta}}{\mathbf{s}}_{{{\mathbf{jm}}}} } \right)} . $$

   (5)
4. 4.

   Assessment of IS competency level \( \varvec{CA}_{\varvec{j}} \) according to the points scale. The following options are possible here.

Option 1. If the contributions of attributes into \( \varvec{CA}_{\varvec{j}} \) are equal, then the assessment of \( \varvec{CA}_{\varvec{j}} \) is calculated as:

$$ \varvec{CA}_{\varvec{j}} = \varvec{ }(\varvec{KC}_{\varvec{j}} + \varvec{ AC}_{\varvec{j}} + \varvec{ SC}_{\varvec{j}} ){\mathbf{/3}}. $$

(6)

Option 2. If the contributions of attributes into \( \varvec{CA}_{\varvec{j}} \) are not equal, then it is necessary to introduce \( {\mathbf{\uplambda k}}_{\varvec{j}} \varvec{ },{\mathbf{\uplambda a}}_{\varvec{j}} \varvec{ },\varvec{ }{\mathbf{\uplambda s}}_{\varvec{j}} \) (\( {\mathbf{\uplambda k}}_{\varvec{j}} + \varvec{ }{\mathbf{\uplambda a}}_{\varvec{j}} \varvec{ } + \varvec{ }{\mathbf{\uplambda s}}_{\varvec{j}} \varvec{ } = \mathbf{1}) \) (like for \( \varvec{\alpha}_{{\varvec{km}}} \varvec{ },\varvec{\alpha}_{{\varvec{am}}} \varvec{ },\varvec{ \alpha }_{{\varvec{sm}}} \) from Sect. 4) determined by experts and to assess \( \varvec{CA}_{\varvec{j}} \) as:

$$ \varvec{CA}_{\varvec{j}} = \varvec{ }{\mathbf{\uplambda k}}_{\varvec{j}} \varvec{KC}_{\varvec{j}} + \varvec{ }{\mathbf{\uplambda a}}_{\varvec{j}} \varvec{ AC}_{\varvec{j}} + \varvec{ }{\mathbf{\uplambda s}}_{\varvec{j}} \varvec{ SC}_{\varvec{j}} \varvec{ }. $$

(7)

Option 3 (called frontier). It is based on the transition from points to levels (Fig. 4). The assessment of \( \varvec{CA}_{\varvec{j}} \) is done by the following rules:

«0», if at least one attribute is at this level;

«1», if at least one attribute is at this level and the rest are at the higher levels (2, 3);

«2», if at least one attribute is at this level and the rest are at the higher level (3);

«3», if the values of all competency attributes are at the same level (3).

Option 4. If DMLs \( \varvec{DA}_{\varvec{m}} \) (forming \( \varvec{C}_{\varvec{j}} \)) are known and the contributions of these disciplines into competency formation \( \upmu_{{\varvec{jm}}} \varvec{ }\left( {\varvec{m} = \varvec{1,}{\mathbf{ \ldots }}\varvec{,M}} \right) \) are defined, then the assessment of \( \varvec{CA}_{\varvec{j}} \) is calculated as:

$$ \varvec{CA}_{\varvec{j}} = \sum\nolimits_{{\varvec{m}{\mathbf{ = 1}}}}^{\varvec{M}} {\left( {{{\upmu}}_{{\varvec{jm}}} \varvec{ DA}_{\varvec{m}} } \right)} /\sum\nolimits_{{\varvec{m}{\mathbf{ = 1}}}}^{\varvec{M}} {\left( {{{\upmu}}_{{\varvec{jm}}} } \right)} . $$

(8)

If weights \( {\mathbf{\upbeta k}}_{{{\mathbf{jm}}}} {\mathbf{, \upbeta a}}_{{{\mathbf{jm}}}} {\mathbf{ , \upbeta s}}_{{{\mathbf{jm}}}} {\mathbf{ }} \) are defined, then values \( \upmu_{{\varvec{jm}}} \) can be calculated as:

$$ {{\upmu}}_{{{\varvec{jm}}}} {\mathbf{ = \upbeta k}}_{{{\mathbf{jm}}}} {\mathbf{ + \upbeta a}}_{{{\mathbf{jm}}}} {\mathbf{ + \upbeta s}}_{{{\mathbf{jm}}}} {\mathbf{ }}{\mathbf{.}} $$

(9)

6 Model Usage Example

The IS competencies assessment model described above is based on the system of assessing the levels of mastery of disciplines forming a specific IS competency. This model was used at the “Cybernetics and Information Security” Faculty of the National Research Nuclear University “MEPhI” (Moscow Engineering Physics Institute) (Russia) at the implementation of the “Business Continuity and Information Security Maintenance” (BC&ISM) program for Masters [5].

The requirements of the Federal State Educational Standard (FSES) of training Masters in IS were taken into account in developing the curriculum for this program. FSES defines the area and professional activities, for which Masters should be trained. It also lists the professional activities and tasks that Masters graduates should be able to solve. The basic IS competencies are defined for each type of professional activities.

An educational institution has the right to work out its own curriculum (to choose specific disciplines) and to add more IS competencies reflecting the specific program. When a graduate masters the Masters’ program, he/she will have developed additional competencies defined by the institution [5]. At the completion of training they must be able to fulfill the following activities:

• to analyze and to investigate models of systems ensuring business continuity (BC) and models of IS maintenance (\( \varvec{C}_{{\mathbf{1}}} \));

• to practically implement the standards relating to BC&ISM (\( \varvec{C}_{{\mathbf{2}}} \));

• to conduct IS risk assessment for the purpose of IS maintenance (\( \varvec{C}_{{\mathbf{3}}} \));

• to carry out the synthesis and analysis of design projects on BC&ISM for their organization where they work (O’s) (\( \varvec{C}_{{\mathbf{4}}} \));

• to ensure the effective usage of O’s IT resources to meet BC&ISM requirements (\( \varvec{C}_{{\mathbf{5}}} \));

• to participate in the design and operation of O’s IS incident management system (\( \varvec{C}_{{\mathbf{6}}} \));

• to participate in the design and operation of O’s BC&ISM system (\( \varvec{C}_{{\mathbf{7}}} \));

• to conduct technical auditing (monitoring) of O’s information protection (\( \varvec{C}_{{\mathbf{8}}} \));

• to develop proposals for improving O’s BC&ISM system (\( \varvec{C}_{{\mathbf{9}}} \));

• to establish and effectively implement a set of measures (rules, procedures, practical methods, guidelines, methods, tools) for BC&ISM (\( \varvec{C}_{{{\mathbf{10}}}} \)).

All these competencies are developed during the implementation of a specific curriculum, which includes the specific IS disciplines [5].

The paper considers the formation of only one competency \( \varvec{C}_{{\mathbf{7}}} \) as an example, when a graduate should be able to participate in the design and operation of O’s BC&ISM system.

Based on an analysis of the curriculum, ten IS disciplines \( \varvec{D}_{\varvec{m}} ,\left( {\varvec{m} = \varvec{1,}{\mathbf{ \ldots }}\varvec{,M}} \right) \), form this IS competency [5]:

• 6 training courses, namely:

  • “Protected IT” (abbreviation PIT),

  • “IS Management” (ISM),

  • “IS Risk Management Basics” (ISRMB),

  • “IS Incident Management Basics” (ISIMB),

  • “IT Security Assessment” (ITSA),

  • “Business Continuity Management” (BCM),

• Practical Works during Semesters 1, 2 and 3 (P1, P2, P3), and

• Completion of a FQW (FQW).

Initial data for the IS competency assessment model are shown in Table 1. It should be noted that:

• \( \varvec{\alpha}_{{\varvec{km}}} \varvec{ },\varvec{\alpha}_{{\varvec{am}}} \varvec{ },\varvec{ \alpha }_{{\varvec{sm}}} \) for the contributions of knowledge, abilities and skills levels into the level of mastery of the particular discipline (6 training courses) were determined on the basis of work involved in mastering the discipline (expression (2)) (\( \varvec{T}_{{\mathbf{0}}} \varvec{ },\varvec{ T}_{\varvec{k}} ,\varvec{ T}_{\varvec{a}} ,\varvec{ T}_{\varvec{s}} \)), taken from the curriculum [5];

• \( \varvec{\alpha}_{{\varvec{km}}} \varvec{ },\varvec{\alpha}_{{\varvec{am}}} \varvec{ },\varvec{ \alpha }_{{\varvec{sm}}} \) for the contributions of knowledge, abilities and skills levels into the level of mastery of the particular discipline (P1, P2, P3 and FQW) were determined by experts. The following peculiarities were taken into account: the contributions of the levels of gained knowledge \( \varvec{KD}_{\varvec{m}} \) and formed abilities \( \varvec{AD}_{\varvec{m}} \) decrease during the training, and the contribution of acquired skills \( \varvec{SD}_{\varvec{m}} \) increases;

• the levels \( \varvec{KD}_{\varvec{m}} \), \( \varvec{AD}_{\varvec{m}} \) and \( \varvec{SD}_{\varvec{m}} \) were defined along a 100 point scale during progress testing (exams) for a particular student;

• the assessments of DML \( \varvec{DA}_{\text{m}} \) were determined according to the expression (1);

• the weights’ values for \( \varvec{C}_{{\mathbf{7}}} \) attributes (\( {\mathbf{\upbeta k}}_{{{\mathbf{7}}{\mathbf{m}}}} \), \( {\mathbf{\upbeta a}}_{{{\mathbf{7}}{\mathbf{m}}}} \) and \( {\mathbf{\upbeta s}}_{{{\mathbf{7}}{\mathbf{m}}}} \)) were determined by experts.

The attribute values assessments for \( \varvec{C}_{{\mathbf{7}}} \) can be determined using data from Table 1:

(1) for the knowledge level (expression (3)) \( \varvec{KC}_{{\mathbf{7}}} = {\mathbf{68}}; \)

(2) for the abilities level (expression (4)) \( \varvec{AC}_{{\mathbf{7}}} = {\mathbf{76}}; \)

(3) for the skills level (expression (5)) \( \varvec{SC}_{{\mathbf{7}}} = {\mathbf{84}} \).

Within the framework of the model let us define competency \( \varvec{C}_{{\mathbf{7}}} \) level assessment \( \varvec{CA}_{{\mathbf{7}}} \) for four options.

Option 1. When the contributions of competency attributes to the level of competency is equal, then the competency level assessment will be determined by the expression (6) as \( \varvec{CA}_{{\mathbf{7}}} = {\mathbf{76}} \). The competency level assessment will refer to the second (intermediate) level in accordance with the scale from Fig. 4.

Option 2. When the contribution of competency attributes to the level of competency is unequal, then it is necessary to introduce \( {\mathbf{\uplambda k}}_{{\mathbf{7}}} \varvec{ },{\mathbf{\uplambda a}}_{{\mathbf{7}}} \varvec{ },\varvec{ }{\mathbf{\uplambda s}}_{{\mathbf{7}}} \).

If the knowledge level is more important (e.g., \( {\mathbf{\uplambda k}}_{{\mathbf{7}}} { = }{\mathbf{0}},{\mathbf{8}}; \) \( {\mathbf{\uplambda a}}_{{\mathbf{7}}} = {\mathbf{0}},{\mathbf{1}} \); \( {\mathbf{\uplambda s}}_{{\mathbf{7}}} = {\mathbf{0}},{\mathbf{1}}) \), then according to the expression (7) \( \varvec{CA}_{{\mathbf{7}}} = {\mathbf{71}} \), which corresponds to the second (intermediate) level from Fig. 4.

If the abilities and skills levels are more important (e.g., \( {\mathbf{\uplambda k}}_{{\mathbf{7}}} = {\mathbf{0}},{\mathbf{1}} \); \( {\mathbf{\uplambda a}}_{{\mathbf{7}}} = {\mathbf{0}},{\mathbf{45}} \); \( {\mathbf{\uplambda s}}_{{\mathbf{7}}} = {\mathbf{0}},{\mathbf{45}}) \), then according to the expression (7) \( \varvec{CA}_{{\mathbf{7}}} = {\mathbf{79}} \), which also corresponds to the second (intermediate) level from Fig. 4.

Option 3. For frontier approach \( \varvec{CA}_{{\mathbf{7}}} = {\mathbf{68}} \), which corresponds to the first (entry-level) level from Fig. 4.

Option 4. Using the expression (9) and data from Table 1 for \( {{\upmu}}_{{\varvec{jm}}} \varvec{ }\left( {\varvec{m} = \varvec{1,}{\mathbf{ \ldots }}\varvec{,M}} \right) \), it is possible to use expression (8) to determine the competency level assessment as \( \varvec{CA}_{{\mathbf{7}}} = {\mathbf{77}} \), corresponding to the second (intermediate) level from Fig. 4.

7 Conclusion

The model presented in this paper allows the assessment of the level of any professional competency in the IS field. It also allows the assessment of the values of the competency’s attributes according to the assessment characteristics of the disciplines that form this competency. The above example uses the model to assess one of the competencies in the IS Masters programme, confirming the usefulness and efficiency of the proposed model.

We note that using this model requires changes in the way one assesses mastery of a specific discipline. It is necessary to assess not only the entire discipline in general, but also to separately assess the levels of knowledge, abilities and skills developed by the students as they master the discipline. In addition, the values of some of the model’s parameters should be determined by experts.

Approaches that have been used in this model can be applied to construct another model, which solves the inverse task. If the required IS competency level, its attributes and their assessment are known, then the actual problems are the selection and determination of the list of disciplines forming the specific competency, determination of their characteristics (the list and the level of knowledge, skills and abilities to be developed at the training completion), and formulating the initial data for a particular IS professional training curriculum and training courses. But the development of an inverse model is more complicated problem because it should use different synthesis methods. This requires solving a few optimization problems with predefined criteria.