Cyber Florida’s Lessons and Recommendations for Strengthening Education, Awareness, and Workforce Development Programs
A Report for Cybersecurity Program Managers, HR Professionals, Policymakers, and Leaders
Cyber Florida: The Florida Center for Cybersecurity University of South Florida February 2026
The Problem
Cyber threats are evolving rapidly. In 2024 alone, the U.S. reported over $50.5 billion in losses and 4.2 million cybercrime complaints. Florida ranked third nationwide - behind only California (1st) and Texas (2nd) - in both complaints and financial losses (FBI, 2024). These threats impact not only the government, but also businesses, nonprofits, families, and individuals across communities.
Today’s risks include social engineering, phishing/spoofing , ransomware, extortion, data breaches, and increasingly Artificial Intelligence (AI) attacks such as deepfakes and automated intrusions. These tactics threaten not just infrastructure, but also public trust and operational continuity. Yet many local, state, and federal employees still lack access to effective cybersecurity education and awareness training. Existing initiatives often measure success through certificates, digital badges, or job placement, but rarely assess real-world performance, behavior change, or mission readiness. As a result, public-sector agencies remain vulnerable.
This report identifies key challenges in cybersecurity education and awareness programs for state and local government employees and presents strategies to help build cyber-literate and resilient communities across Florida - at work, in public service, and beyond.
1. Certifications ≠ Capability: Credentials open doors, but don’t guarantee readiness. Many certified public employees still feel unprepared for real-world cybersecurity incidents.
2. Lack of metrics, strategy & accountability: Many cybersecurity programs don’t report pass/fail rates, job placements, or behavior change. Without shared metrics, it’s hard to assess effectiveness - especially across noncredit programs for adult learners. Clear benchmarks will enable progress tracking, investment, and accountability in cybersecurity education and awareness programs.
3. Outdated “one-size-fits-all” models fail: Traditional, lecture-based, and slide-heavy compliance training models often lead to disengagement and security fatigue among employees. Today’s adult learners benefit more from mentorship, gamified learning, and hands-on experiences.
4. Cyber is a human issue & not just a tech problem: Modern cyber threats target human behavior as much as technical systems. In today’s AI-driven landscape, cybersecurity awareness is essential for all staff (not just IT), including executives, managers, general personnel, and technical teams.
5. Rural and small agencies are falling behind: These agencies face similar levels of threat but often lack broadband access, sufficient funding, and tailored cybersecurity education and awareness training.
Recommendations for Action
✓ Mandate transparent metrics: Track certifications and badges, job outcomes, and behavioral change at the workplace.
✓ Redefine success: Focus on long-term resilience , not just completion or credentials (certifications and digital badges).
✓ Design human-centered cyber education and training: Use mentorship, flexible, modern delivery formats, and real-world engaging scenarios.
✓ Expand access: Support rural and small agencies with cyber education and awareness training that meets their needs.
✓ Fund evaluation from day one: Let metrics guide strategy and improvement.
Conclusion
Cybersecurity readiness can’t be achieved through a weekend bootcamp or proven by a badge. It requires hands-on learning, mentorship, behavioral change, and time. In an age of AI-driven threats, cybersecurity education must be transparent, multidisciplinary, comprehensive, and built for long-term resilience.
The Challenge
Cyber threats are growing in scale and sophistication. AI-powered attacks, deepfakes, and emerging communication technologies now threaten not only cybersecurity and IT systems, but also public trust, data integrity, and operational continuity at every level of state, local, and federal government. Yet many publicly funded cybersecurity education and awareness programs still define “readiness” by certificates and badges, rather than by applied skills, behavior change, or mission resilience.
This report examines the challenges of nontraditional cybersecurity education and awareness programs for adult learners. While the cybersecurity workforce shortage deepens, many certified professionals remain underprepared.
• Drawing on a 50-state policy review and a literature review of 80+ sources, Cyber Florida proposes a hands-on, learner-centered, holistic approach that focuses on long-term impact in cybersecurity education and awareness.
• This report is intended for decision-makers, funders, HR, and program leaders aiming to build a more resilient cybersecurity workforce in Florida and beyond.
• Certifications ≠ Operational readiness: Credentials alone don’t build the critical and analytical thinking or real-time skills needed in modern cyber operations.
• Lack of outcome metric tracking: Few cybersecurity programs report pass/fail rates, job placement, or behavior change, limiting accountability and progress tracking in cybersecurity education and awareness programs.
• Fast-track models undermine retention: Without scenario-based learning, adult learners struggle to apply cybersecurity education and awareness training in real-world contexts.
• Cyber threats target everyone: All personnel, not just cyber and IT, need cybersecurity education and awareness training. From leadership, managers, technical staff, to general employees.
• Tech outpaces training: Cybersecurity education and awareness programs must evolve with AI, phishing, and emerging threats through multidisciplinary approaches.
• Holistic approaches work: Cybersecurity strategies that support people over time are more effective than one-time programs focused only on rules and compliance.
• Linear progress is a myth: Many adult learners improve gradually or contribute in nontraditional ways, yet those outcomes go unmeasured.
• Cyber fatigue is real: When cybersecurity education is repetitive and disconnected from real tasks, it can cause disengagement, and that puts public and private organizations at greater risk.
• Design & Instruction matters: Screening, mentorship, soft skills, and applied practice are essential for success in cybersecurity education, especially in noncredit programs for transitioning and adult learners professionals.
• Rural agencies are under-resourced: Gaps in broadband access, resources, cybersecurity-trained leadership, staffing, and funding limit resilience in small communities.
Cyber Florida introduces two models for cybersecurity education and awareness, tailored to meet the needs of non-traditional adult learners and cyber program managers.
1. Holistic Model for Cybersecurity Education and Awareness Programs
a. A human-centered model designed for program managers to holistically support adult learners by bridging theory, practice, and real-world demands in cybersecurity.
b. A long-term approach to learning that goes beyond certification, focusing on sustained growth, applied skills, and learner resilience.
2. Six-Phase Cybersecurity Education & The Multi-Stage Success Tracking Models
a. A practical roadmap that guides program development from screening to adult learner follow-up.
b. Supports program managers in strategically designing, implementing, and evaluating cybersecurity education initiatives through clear metrics and intentional planning.
Recommendations for Action
✓ Require transparent reporting: Track enrollment, certification, job placement, and learner feedback and progress.
✓ Redefine success: Prioritize confidence, behavioral change, and community impact, not just test scores, and certification attainment.
✓ Build for learners, not exams: Use mentorship, simulations, microlearning, and comprehensive relevant methods.
✓ Expand access in rural regions: Offer flexible training models tailored to rural employees’ needs.
✓ Fund evaluation from day one: Require unbiased assessment and evaluation to measure program success and community impact. cyber education and awareness training that meets their needs.
Cybersecurity education and awareness must evolve. In the aftermath of the COVID-19 pandemic and amid the rise of AI-powered threats, it’s no longer enough to simply check compliance boxes. Organizations must foster meaningful behavior change, provide hands-on learning experiences, and build long-term resilience. A human-centered, mission-aligned strategy is therefore critical not only for national security and public trust, but also for equipping employees with the knowledge, awareness, and skills necessary to responsibly protect sensitive systems and data.
This report is aimed at leaders, funders, policymakers, program managers, instructional designers, and decision-makers involved in shaping the future of cybersecurity education and workforce development, especially within the public sector. It is particularly important for state and local government officials, cybersecurity education providers, workforce boards, HR departments, and agencies that want to:
• Strengthen cybersecurity education and awareness strategies for both technical and non-technical roles within their organizations.;
• Reduce operational and organizational risks caused by human error and lack of preparedness.;
• Build long-term cyber resilience among diverse and distributed public-sector teams.
Based on a literature review, insights from Cyber Florida’s statewide initiatives, and an analysis of publicly funded programs across all 50 states, this report offers practical guidance for designing and enhancing cybersecurity learning pathways. This report emphasizes the importance of going beyond mere compliance and credentials to focus on real-world readiness, behavioral change, and sustainable impact.
The purpose of this report is to examine the effectiveness of noncredit, government-funded cybersecurity education and awareness programs targeting adult learners, particularly those in public-sector roles. It responds to an urgent national need: while the demand for cybersecurity professionals continues to grow, many certified professionals, especially those trained through fast-track or nontraditional programs, report feeling unprepared for real-world cyber threats. To examine this challenge, Cyber Florida conducted a two-phase research study that included:
• A literature review of over 80 national and international sources published between 2015 and 2025.;
• A 50-state analysis of no-cost cybersecurity initiatives offered to state and local government employees.
The scope of this report includes nondegree cybersecurity education programs, especially those focused on workforce development, transitioning adult learners, and practical readiness. Degree-granting academic programs and highly technical specialist training models are excluded unless explicitly linked to public-sector education efforts.
By focusing on what is measurable, replicable, and responsive to today’s cyber landscape, this report aims to provide a blueprint for state and local leaders to invest in scalable, comprehensive, and human-centered models of cybersecurity education that align with operational needs and national resilience goals.
Cyber Florida approaches this work holistically.
Our mission is not only to educate state and local cybersecurity and IT professionals, but also to equip government leaders, general staff, and all individuals who interact with digital systems and sensitive information with the knowledge and tools they need to operate securely. Achieving this requires designing tailored learning pathways that account for diverse roles, varying levels of digital fluency, and the rapidly evolving demands introduced by AI and emerging communication technologies.
Our hope is that this report becomes a resource for program managers, instructional designers, policymakers, and decision-makers committed to building a stronger, more cyber-resilient public workforce, not only in Florida but across the nation. Together, we can foster a safer digital environment for everyone.
• Grounded in research and fieldwork, support continuous improvement of Cyber Florida’s cybersecurity education and awareness programs by examining what works and addressing areas for growth.
• Advance the national dialogue on building a sustainable, comprehensive, and hands-on cyber workforce that prioritizes real-world readiness over industry certifications or microcredentials alone.
Since its establishment in 2014, Cyber Florida has explored critical questions regarding the future of cybersecurity education and workforce development. Key inquiries include whether earning a cybersecurity certification is sufficient or if agencies require a more comprehensive, hands-on approach that equips both technical and non-technical personnel with the necessary practical skills, analytical thinking, and situational awareness to protect public systems.
The urgency of these questions has increased in response to the evolving landscape of cyber threats, including cyberattacks, advanced deepfakes, social engineering, and AI-driven risks. Current education and awareness training programs, such as fast-track bootcamps and certification courses, often promote rapid certification achievement, promising potential job placement in cybersecurity. Many programs are marketed with bold promises such as:
“Earn your certification in four to ten weeks, pass your exam, and land a cybersecurity job.”
Despite the existence of over 514,000 cybersecurity job openings nationwide, with 23,792 in Florida (CyberSeek, July 2025), many certified professionals face challenges entering the field. Within government agencies, numerous employees are obtaining cybersecurity badges and certificates (or microcredentials) while lacking practical opportunities to apply this knowledge in real-world environments. This disconnect can diminish their effectiveness in protecting public systems and weaken overall organizational readiness.
In response to these circumstances, this report addresses several key challenges:
➞ Are badges and certifications sufficient to prepare the public-sector workforce?
➞ What elements are lacking in current cybersecurity education and awareness models?
➞ What are the observed certification pass rates for adult learners pursuing recognized industry credentials?
➞ How can support be improved for nontraditional adult learners and public-sector professionals, especially in municipal and rural communities with limited access to resources, infrastructure, and professional development?
These questions are central to Cyber Florida’s efforts to connect state-level initiatives to national research, providing data-driven insights, practical lessons, and proven strategies to inform the future of cybersecurity education and workforce development in Florida and beyond.
Cyber risks are increasingly recognized as multifaceted and not solely technical in nature. The integration of social engineering, AI, and emerging technologies into governmental operations has introduced a rise in complex cybersecurity threats. State, local, and federal agencies are frequently targeted, raising concerns that without enhanced cyber resilience measures, sensitive data may be exposed, and critical public services may be disrupted (Frandell & Feeney, 2022).
Cybersecurity is fundamentally connected to human behavior, trust, and organizational culture. Research indicates that cyber threats frequently exploit human vulnerabilities before attempting to target system flaws, highlighting that cybersecurity cannot rest solely on the IT and cyber department’s responsibilities (Colabianchi et al., 2025). Non-technical personnel, such as administrative staff, managers, executives, temporary employees, and contractors, are increasingly targeted by phishing, social engineering, and insider threats.
To effectively address these issues, cybersecurity education and awareness initiatives should reach all levels of government. Comprehensive training must be provided to technical teams as well as executives, managers, general staff, interns, and temporary workers. This approach is intended to minimize human error and enhance organizational and individual resilience. As noted by Singer and Friedman (2013)
“If a network has any kind of sensitive information in it, all users need to be regularly certified in cybersecurity basics. This means everyone, from junior staff all the way up to the leadership” (p. 65).
The findings detailed in this report aim to contribute to ongoing discourse around the preparation of public-sector organizations in the context of cybersecurity education and awareness. This is crucial for equipping both Florida and the nation to effectively face evolving threats using comprehensive, hands-on, and measurable strategies.
Cyber threats are not slowing down. Neither should Florida’s response.
In 2024, Cyber Florida launched this study in response to growing concerns about the overemphasis on industry certifications and the increasing popularity of short-term, certification-driven cybersecurity programs (e.g., bootcamps, online prep courses, and fast-track training workshops). While these models may support career development or advancement, we sought to answer a more urgent question:
What truly helps state and local public-sector employees not just pass an exam, but grow, adapt, and succeed in today’s cybersecurity landscape?
This study is grounded in the belief that cybersecurity education and awareness training must go beyond credentialing. It must offer holistic, comprehensive, and role-relevant learning experiences tailored to the demands of government work, the realities of nontraditional adult learners, and the evolving nature of cyber threats.
To guide our analysis, we structured this study around three key research questions (RQ):
RQ1: Is certification pass rate a valid measure of program success? What do current national data reveal about certification outcomes and job readiness?
RQ2: How can cybersecurity education and awareness programs better serve state and local government employees - from general staff to executives?
RQ3: What does an effective cybersecurity education model look like for nontraditional adult learners with varied technical backgrounds and limited time?
These research questions informed every element of this study, from literature review and nationwide cybersecurity program analysis to the findings and final recommendations.
Between April 2024 and February 2025, we conducted a comprehensive literature review of over 80 sources published between 2015 and 2025. These included peer-reviewed journals, case studies, dissertations, industry reports, government documents, and national cybersecurity workforce initiative materials. We focused on three core areas:
• Cybersecurity workforce development programs for adult learners and transitioning professionals
• The relationship between certification preparation methods, pass rates, and job readiness
• Best practices in cybersecurity education and awareness for nontraditional adult learners
Priority was given to national and international sources, with special attention to programs serving public-sector professionals through no-cost or community-based initiatives. Findings from this phase and field experience shaped the holistic framework and strategic lens presented in this report.
From September 2024 to January 2025, we conducted a 50-state analysis of publicly available cybersecurity education and awareness initiatives targeting state and local government employees and adult learners. This review focused on five key areas:
• Program structures
• Intended audiences (technical, non-technical, or mixed)
• Curriculum and instructional strategies
• Public reporting of outcomes (e.g., pass rates, learner engagement, evaluation results)
• Communication and marketing practices
Programs were included if they met all three of the following conditions:
• Offered at no cost to adult learners, although some included small conditional fees or reimbursement agreements to encourage completion and maintain eligibility (e.g., pay-for-performance strategies).
• Sponsored or administered by a state or local government entity.
• Publicly advertised through official state, local agencies, or institutional channels.
This report faced several challenges during the review and analysis process. First, the field of cybersecurity is still rapidly evolving, and much of the available research is centered on related areas such as Information Security. In addition, many of the studies reviewed focus on specific educational models, such as micro-credentials or Career and Technical Education (CTE), particularly within community colleges (Varadarajan et al., 2023).
Meanwhile, research focused on nontraditional adult learners transitioning into cybersecurity - including veterans, law enforcement officers, first responders, displaced workers, mid-career career changers, and government employees without technical backgrounds - remains limited, especially for those in state and local government roles.
Because of this variation in program type and terminology, it was difficult to make direct comparisons across states or institutions. It also made it challenging to locate consistent national data on key indicators like certification pass rates, job placement outcomes, and learner preparedness. These inconsistencies limited the ability to draw broad conclusions and highlight the need for consistent data collection, especially for cybersecurity programs targeting nontraditional adult learners outside of degree-granting pathways.
A second major challenge was the lack of transparent outcome reporting. Few nationwide cybersecurity programs, particularly noncredit and workforce development initiatives, publicly shared data such as certification pass/ fail rates, learner satisfaction, or post-program evaluations. This lack of accessible data makes it difficult for researchers, cyber program managers, cyber educators, and policymakers to evaluate program effectiveness, compare curriculum models, and establish national cybersecurity benchmarks for success.
Despite these limitations, the study identified several high-impact programs that demonstrated a commitment to transparency by reporting both successes and challenges. These examples provided valuable insights and confirmed that many of the barriers faced by Cyber Florida reflect broader challenges across the public-sector cybersecurity education landscape. The insights gathered across both phases of this study form the foundation for the findings and recommendations that follow. Our goal is not only to share what we discovered, but also to inform and strengthen future efforts to build more resilient, comprehensive, and outcomes-focused cybersecurity learning opportunities for nontraditional adult learners and public-sector professionals.
At the same time, these limitations present important opportunities for further research. In particular, more work is needed to deepen our understanding of noncredit cybersecurity education pathways, especially those designed
for adult learners and public-sector professionals transitioning into the cybersecurity field. Advancing research in this area can help close persistent knowledge gaps, improve data collection practices, and support the development of more effective and comprehensive cyber workforce strategies across varied learner populations.
This report was developed through original research, including a comprehensive literature review, a nationwide analysis of publicly available programs, and field experience in cybersecurity workforce development. To support clarity, coherence, and accessibility for a broad audience, standard digital tools were used during the editing and visual design process. All findings, models, and interpretations reflect the authors’ independent analysis, subject-matter expertise, and practice-based insight.
Beyond the Badge: Industry Certifications Alone Are Not Enough Certification ≠ Competence
• Certifications alone do not ensure job readiness in public-sector cybersecurity roles.
• State and local employees frequently feel unprepared despite completing the required education.
• Agencies prioritize credentialing but overlook practical performance and real-world response skills.
• Rural and under-resourced governments face the greatest vulnerability due to lack of mentorship, tools, and hands-on opportunities.
In cybersecurity, digital badges, short online courses (microlearning), and fast-track industry certifications are often promoted as accessible ways to upskill or enter the field (Varadarajan et al., 2023; Pike et al., 2020).
These micro-credentials offer educational value - especially for adult learners - but they can also create a false sense of preparedness when not paired with hands-on practice (Gauthier, 2020).
Even high-quality certification programs must be reinforced with applied learning to produce workforce-ready results. (Gerontakis et al., 2023). Without real-world experience, certified individuals may struggle to detect and respond effectively to cyber threats. This readiness gap is particularly concerning in the public sector, where employees often earn micro credentials but lack consistent opportunities to apply what they’ve learned. Without practical application, certifications and digital badges alone fall short of building true cyber resilience, leaving governmental agencies vulnerable to attacks.
Recent studies show that U.S. local governments are increasingly targeted by cyberattacks. Norris and Mateczun (2025) report that some state and local agencies face daily and even hourly attempted breaches. Frandell and Feeney (2022) complement this by highlighting that state and city agencies are often not prepared to combat these attacks, creating a series of issues such as the “shutdown of school systems, pipelines, large city governments, and water treatment facilities” (p. 558). These incidents result in financial losses, damage to public trust, and harm to the agencies’ reputations. Even though these attacks continue, many public organizations still do not have enough trained staff, tools, or resources to detect, track, or respond effectively. As a result, key services such as finance, education, and healthcare are still at great risk (Analyst, 2025).
In 2023 alone, public agencies reported more than 32,211 cybersecurity incidents, ranging from data breaches and denial-of-service attacks to ransomware and business email compromise (U.S. Government Accountability Office - GAO, 2023). State and local governments are attractive targets because they manage vast amounts of sensitive data, including Social Security numbers, health records, and driver’s license information (Norris & Mateczun, 2022). The 2023 GAO analysis found that the most common incident types in the U.S. government agencies included:
• Improper system use (38%)
• Phishing (19%)
• Unsafe web access (11%)
• Lost or stolen government equipment (10%)
These statistics point to a structural problem: many government employees complete cybersecurity education and awareness programs but still feel unprepared to recognize and respond effectively. Even as participation in fast-track cybersecurity programs grows; a gap remains between course completion and real-world readiness While tools like the NICE Workforce Framework for Cybersecurity offer guidance, implementation at the state and local level remains inconsistent. Barriers include:
• Limited internal communication
• Unclear reporting procedures
• Outdated technologies and infrastructure
• Cultural resistance to change
• Budget constraints and
• Lack of access to hands-on cybersecurity education (Norris et al., 2018)
Rural agencies and small towns face even greater risks. According to Hossain et al. (2025), many smaller agencies lack dedicated IT or cybersecurity staff, leadership support, and access to up-to-date systems. Institutional resistance, outdated equipment, and under-resourced environments make it difficult to adopt even the most basic best cybersecurity practices. While overreliance on credentials introduces vulnerabilities, certifications still
have value - when paired with applied learning. The next section explores how certification plays a double-edged role in workforce development.
While Section 1.1 explored how overreliance on credentials contributes to organizational gaps, similar challenges persist at the individual level. Many employees earn badges or certifications, yet still struggle to identify cyber threats. Others, particularly newcomers to the field, lack advancement opportunities not because of motivation, but due to insufficient hands-on experience in their programs and a lack of mentorship and guidance.
A growing body of research affirms that certifications can enhance job prospects, support career transitions, and increase earning potential - especially when compared to professionals without formal higher education or credentials. For example, Äijälä (2018) found that certification led to greater job mobility, higher salaries, and improved professional credibility. These findings are echoed in Skillsoft’s 2024 report, which highlights that certified professionals are more likely to experience:
• Higher salaries and job security
• Increased confidence and productivity
• Greater promotion and leadership opportunities
Notably, 94% of technology professionals surveyed by Skillsoft held at least one certification. However, certifications alone are rarely decisive in hiring. While lacking a certification can disqualify a candidate, simply having one is not enough. Employers also seek real-world problem-solving skills to move a candidate forward (Äijälä, 2018; (ISC)2, 2022; 2023). Most studies emphasize that certifications are most effective when embedded within practice-based education models, including virtual lab simulations, gamification, cyber ranges, Capture the Flag (CTF) competitions, Incident Response Drills, security internships, red team/blue team exercises, and virtual home labs (Hussain et al., 2024). Additionally, a strong understanding of local, national, and international policies and standards, such as the NIST Cybersecurity Framework and the General Data Protection Regulation (GDPR), is important for success in the field.
This disconnect is reflected in the persistent gap between job openings and job-ready applicants. The Cyber Unicorn Study (Burley et al., 2025), featuring interviews with Florida state and local HR and cybersecurity managers, found that most hiring managers in the local and state government prioritize hands-on experience over credentials. While certifications help candidates pass initial screenings, decision-makers are often reluctant to hire individuals who cannot demonstrate real-world collaboration, problem-solving, or incident response abilities. Systemic barriers reinforce this challenge. These include:
• Local, state, and federal limited budgets for entry-level staff
• Lack of trust granting newcomers access to sensitive systems
• Outdated technologies
• Few experienced professionals available to serve as mentors
Fast-track bootcamp programs focused solely on exam preparation often reinforce the myth that certification equals readiness. Yet, as Jarocki and Kettani (2019) explain, theoretical knowledge alone is not sufficient for today’s cybersecurity roles. (ISC)2 (2022) and Morris et al. (2023) emphasize that performance-based assessments and hands-on learning must become central pillars of cybersecurity education.
While certifications alone may not fully prepare individuals for real-world cybersecurity challenges, they remain a necessary requirement for certain roles, especially within federal government and defense sectors, where professionals may have access to sensitive, unclassified, and high-value information such as intellectual properties (Department of Defense, 2025; Magnotti, 2017; Bruce, 2023). In such contexts, certifications serve as a standardized measure of competence and are often mandated by compliance frameworks and security clearance protocols. The Department of Defense (DoD) 8570.01M directive outlines that individuals applying for Information Assurance Technician (IAT) Levels 1, 2, or 3 must hold approved industry certifications to be eligible for employment (RAMPS Colorado Springs, 2019). These mandates ensure compliance with federal security standards and streamline the hiring process. As a result, many government employers require proof of certification upfront to avoid eligibility issues during onboarding (Dobrydney, 2020).
Mandatory certifications also help reduce organizational risks. In several documented incidents, hackers exploited temporary or undertrained workers, such as contractors or short-term hires, to breach government systems (SecurityScorecard, 2024). Requiring that all personnel, including temporary staff, meet baseline cybersecurity competency standards is a critical safeguard against these vulnerabilities. Although certification alone does not guarantee readiness, it serves as a baseline filter for high-risk environments where access to sensitive systems is non-negotiable.
While industry certifications are not the ultimate indicator of job readiness, they remain a valuable tool for employers seeking candidates with up-to-date technical awareness. Most cybersecurity certifications now require renewal every two or three years - a process designed to ensure that professionals stay informed on emerging threats, evolving technologies, and changing compliance standards (Knapp et al., 2017; Davri et al., 2021). For many employers, the certification renewal cycle provides a baseline assurance that a candidate’s knowledge remains current. In this context, certifications function as a credibility and validity filter. In fast-moving environments where employers cannot assess every skill firsthand, a current certification signals that the candidate has at least engaged with recent trends, cyber frameworks, or tools in the cybersecurity field.
While conducting the literature review for this study, we identified several articles and reports highlighting current certification trends. Given the focus of this report, we find it important to include this information. To
better support both workforce entry and long-term career progression, it is essential to understand which certifications are most in demand and how they align with specific cybersecurity roles. The following section presents key certification trends and workforce insights based on 2025 nationwide labor market data.
For those entering the cybersecurity workforce, choosing the right certification pathway is critical for career advancement. While credentials such as CompTIA Security+ and CISSP are widely recognized, not all certifications carry equal weight across job roles. Drawing from post-COVID labor market trends and employer demand data, the following figure summarizes the most pursued certifications and highlights the mismatch between certification holders and employer demand.
This chart compares the number of professionals holding key cybersecurity certifications to the number of job postings requesting each certification. Key insights include:
• CompTIA Security+ is the most widely held certification in the U.S. (~265,992 holders), but there are only ~70,019 job postings requesting it. While CompTIA Sec+ has a valuable entry-level credential, competition for roles requiring it is intense.
• Certified Information Systems Security Professional (CISSP) shows strong demand relative to supply: ~91,765 holders vs. ~82,494 job postings. This certification remains essential for mid- and senior-level roles.
• Certified Information Systems Auditor (CISA) and Global Information Assurance Certification (GIAC) are in solid demand, with job openings outpacing the number of certified professionals indicating promising opportunities.
• Certified Information Security Manager (CISM) and Certified Information Privacy Professional (CIPP) have fewer holders and job postings overall but represent emerging growth areas in cybersecurity management and privacy law.
This data reinforces the need to align certification strategies with labor market demand. For professionals, and the programs that support them, understanding which certifications are truly valued by employers is key to staying competitive in a rapidly evolving field.
According to the CyberSN U.S. Cybersecurity Job Posting Data Report (2025), four broad job categories consistently led the hiring landscape between 2022 and 2024:
1. Defense
2. Product Security
3. Governance, Risk, and Compliance (GRC)
4. Management
These areas reflect the growing demand for cybersecurity professionals who can combine technical expertise with organizational oversight, policy development, and risk management.
The graph on page 19 offers a snapshot of current workforce priorities helping programs, funders, and job seekers align with evolving talent needs in the cybersecurity space. Among specific roles, Security Engineer was the most frequently advertised position in 2024, with over 64,000 job postings. Roles such as Security Analyst and DevSecOps Specialist also ranked highly, highlighting the industry’s focus on secure systems design, threat analysis, and integrated security practices. In addition, emerging leadership roles such as Cybersecurity Manager and Cybersecurity/Privacy Attorney reflect the increasing need for professionals with cross-cutting expertise in law, compliance, and strategic risk management. This figure also illustrates growth in certain roles and a decline in others, offering valuable insights into shifting cyber workforce trends.
Closing cybersecurity readiness gaps requires more than just collecting credentials. Digital badges, industry certifications, and fast-track programs can be useful starting points, but they are not enough on their own.
True public-sector resilience depends on building hands-on, real-world capabilities that help employees think critically, respond effectively, and adapt to evolving threats. The following are practical, evidence-informed strategies designed to support that goal:
• Implement performance-based assessments to evaluate employees’ real-world ability to detect and respond to threats - moving beyond simple course completions.
• Develop role-specific learning experiences aligned to employees’ daily responsibilities, avoiding generic, one-size-fits-all content.
• Promote a supportive, blame-free reporting culture to encourage early disclosure of threats or errors, improving incident detection and organizational learning.
• Create targeted initiatives for small and rural agencies, addressing challenges such as outdated infrastructure, limited staffing, and lack of leadership support.
• Integrate short and continuous cybersecurity refreshers into daily routines to build and reinforce practical skills without disrupting workflows.
• Track long-term learner outcomes beyond certification, including job placement, retention, and post-program performance to assess real program impact.
• Establish mentorship models and peer-learning cohorts to support early-career professionals and help them develop critical, experience-based skills in real-world environments.
Rethinking Bootcamps & Cyber Education Metrics
• Most public-sector and certification programs lack transparent outcome data.
• Bootcamps are accessible but often don’t prepare learners holistically for real-world cybersecurity roles.
• Certification passing rates are difficult to verify due to lack of reporting from major organizations.
• Stronger tracking, independent evaluation, and multi-stage measurement are essential for accountability and improvement of cybersecurity education.
Today, the field of cybersecurity education, especially when it comes to fast-track bootcamps, lacks consistent and transparent outcome data - both qualitative and quantitative. Certification pass rates, program completion statistics, participants’ feedback, and job placement outcomes are often unavailable or inconsistently reported. This leaves policymakers and cyber program managers with limited evidence to guide informed decisions about cybersecurity education and workforce (Clumper & Lewis, 2019). As demand grows for faster and more affordable cybersecurity pathways, bootcamps are often promoted as efficient solutions for adult learners. These programs are marketed as gateways to both employment and certification success. However, without clear and reliable reporting, it is difficult to evaluate whether these programs deliver on their promises or truly prepare participants for long-term cyber workforce readiness.
In response to growing concerns from cybersecurity leaders and funders about the effectiveness of these models, we conducted a literature review and a 50-state analysis of publicly funded cybersecurity programs. Our goal was to understand whether programs report certification pass rates and other key outcome metrics. We found that most programs do not publicly report certification pass/fail rates, creating a significant gap in national visibility and challenging many assumptions about noncredit cybersecurity program effectiveness.
In recent years, cybersecurity bootcamps have emerged as one of the most widely promoted models in workforce development (Karlsson, 2024), particularly for nontraditional adult learners. Scholars and industry reports describe this growth as part of a broader trend toward accelerated, skills-based training and a tool for improving local economic development (Price & Dunagan, 2019; Course Report, 2018; Fisher, 2019).
Because of their speed and accessibility, bootcamps are often viewed as efficient alternatives to traditional degree programs. For many adult learners, they offer a flexible and affordable entry point into cybersecurity. This is especially true for professionals who did not have access to higher education. Research suggests that these programs can support career advancement and provide opportunities for continuing learning outside of formal
academic institutions. However, their accelerated nature can also present challenges. Due to the compressed timelines, participants may not have enough time to fully process complex content or gain confidence in applying what they have learned (Bell & Sarlo, 2020). Several studies point out that while bootcamps often succeed in teaching technical skills, they may overlook critical and analytical thinking, mentorship, or the soft skill development that is essential for long-term success in the cybersecurity field (Waguespack et al., 2018).
As Waguespack and colleagues explain, “bootcamps generally lack oversight from federal or state agencies or accrediting bodies” (p. 49). During our analysis, we found that many of the reported outcomes appear to be drawn from internal marketing materials rather than from independent, unbiased evaluations. In other words, the data shared publicly often seems tailored to serve promotional marketing goals rather than to support transparent, objective assessment, and program effectiveness and quality. Waguespack et al. (2018) also note that cybersecurity bootcamp programs frequently focus on the technical “how” while neglecting the “why,” a gap that limits participants’ ability to engage in effective, real-world problem-solving in a constantly evolving field. Although many bootcamps emphasize certification attainment and job placement in their promotional content, the accuracy of these claims remains difficult to verify. This issue is examined in greater detail in the following sections.
To better understand the national cybersecurity education landscape, we reviewed local and state-sponsored noncredit cybersecurity programs across all U.S. states. Our focus was specifically on no-cost, government-funded initiatives designed for adult learners. This scan included an analysis of program websites, official reports, marketing materials, published peer-reviewed case studies, and independent evaluations. We examined curriculum content, delivery formats, and any publicly available certification outcome data.
What we found was striking. Most of these noncredit public-sector programs do not publicly report key outcome metrics, such as enrollment numbers, certification pass/fail rates, or completion statistics. Even in states with multiple free programs, such as Maryland, California, New Jersey, Illinois, and Ohio, reporting practices varied significantly. In many cases, the data was incomplete, difficult to access, or entirely unavailable. It is also important to note that in some states, we were unable to identify any cybersecurity programs specifically designed for state and local government employees. This gap is especially concerning given the rising number of cyberattacks targeting state, local, and federal agencies.
One notable exception was the state of Virginia, which has shown a stronger commitment to research and program evaluation. For instance, a study by Fisher (2019) analyzed a short-term, noncredit program designed to help adults earn industry-recognized credentials and improve their employment prospects. The program served 13,691 participants across various industries, not limited to IT or cybersecurity. While 93.8 percent of participants completed the course, only 68 percent passed the certification exam. In tech-focused tracks, only 19 percent earned an industry credential. Fisher’s findings reveal a misalignment between cybersecurity curriculum design, labor market, and the
demands of certification exams. These barriers are especially pronounced for learners from under-resourced communities, where economic hardship and family competing responsibilities can significantly limit opportunities for study, testing, and sustained participation.
A more recent study by Tessler et al. (2024) examined one of Virginia’s noncredit CompTIA A+ certification initiatives. Of 905 adult learners enrolled, only 23 percent passed the exam, representing the lowest success rate among all tracked certifications. The researchers emphasized that many adult learners benefit from more flexible exam timelines. Because certification exams are expensive and most government programs cover only one attempt, learners face added pressure to succeed on the first try. Some who complete their coursework still choose not to take a test at all because they do not feel adequately prepared. In these cases, fear of failure, imposter syndrome, or lack of confidence prevents many nontraditional adult learners from even attempting the industry credential exam provided at no-cost (Haber et al., 2022; Adams, 2024).
This insight is especially important for program managers, cybersecurity educators, mentors, and funders. It reinforces the need to track not only pass/fail rates but also the financial and psychological factors that affect adult learners’ ability to persist through cybersecurity industry certification. Stronger IT and cybersecurity education models must reflect these realities and design support systems for nontraditional adult learners.
Adding to these concerns, major industry certifying bodies such as CompTIA do not release annual pass rates, retake data, or region-specific performance metrics. This ongoing lack of data and consistent outcome reporting makes it nearly impossible to establish national benchmarks or evaluate whether noncredit, government-sponsored cybersecurity education programs are truly achieving their goals. As Prough (2020) emphasizes, cybersecurity workforce programs must adopt strategic and validated data collection practices. Without consistent, third-party reporting, it is nearly impossible to evaluate program effectiveness, make data-informed improvements, or create accountability across the sector.
Despite the challenges discussed, bootcamps and accelerated learning models can provide meaningful opportunities, particularly for nontraditional learners. Reports by Course Report (2018) and Caliskan & Vaarandi (2020) indicate that some participants experience higher salaries and improved job mobility after completing these programs.
However, these outcomes are not consistent across all models or learner populations. Bray (2020), for example, documented low Security+ certification pass rates in Army-sponsored education programs, which prompted significant structural changes. Without consistent and transparent data, it remains difficult to compare results, identify effective practices, or ensure that education and awareness programs are meeting the needs of all participants.
In cybersecurity education, transparency is more than a numbers issue. It is a matter of trust. When decision-makers invest in public-sector education and awareness programs based on reported success rates, there must be a shared and verifiable understanding of what success means. Without a national benchmark, it becomes difficult to know whether certification outcomes reflect true program success and quality, or simply promotional marketing framing. Empirical, transparent and standardized outcome reporting is essential for building a more resilient cybersecurity workforce and for guiding smarter investments in public education and awareness initiatives.
As this finding has shown, one of the most urgent challenges in public-sector cybersecurity education is the lack of transparent outcome reporting. Without standardized metrics, it becomes difficult to assess effectiveness, identify gaps in learner support, or guide improvements across cybersecurity programs (Crabb et al., 2024; Prümmer et al., 2024; Chaudhary et al., 2022). To enhance quality and accountability across the field, we offer the following three recommendations:
Recommendation 1: Require Transparent Reporting at the Program Level
Public-sector cybersecurity education and training programs should implement consistent reporting practices that include:
• Enrollment and completion rates
• Certification pass/fail rates, including number of exam attempts
Time to completion for both programs and certifications
• Access to learner support services (e.g., mentoring, tutoring, coaching)
• Employment outcomes after program completion
• Learner satisfaction and retention
Transparent reporting at the program level enables meaningful comparisons across initiatives, helps identify best practices, and equips funders and agencies with the data needed to measure long-term impact.
Recommendation 2: Coordinate
While program-level reporting is essential, broader coordination is needed to track outcomes across multiple departments and agencies. State and local governments should invest in centralized systems that:
• Aggregate employee participation and certification data
• Verify learner completion and exam results
• Capture structured learner feedback
• Track employment, advancement, or ongoing education
• Align with national cybersecurity workforce goals
While building statewide tracking systems is a complex process, this recommendation is achievable through funding, leadership support, and strategic planning. States like Texas - through its Statewide Cybersecurity Awareness Training Program - have already implemented centralized reporting models for cybersecurity awareness training, demonstrating that scalable, cross-agency coordination is possible. Other states can begin by piloting tracking efforts within selected departments and gradually expanding them. Over time, this coordinated approach can lead to more consistent and transferable improvements in public-sector cybersecurity education. It also offers a valuable mechanism for measuring how many state and local employees are receiving proper and verified cybersecurity education and awareness training.
We recommend that cybersecurity programs include dedicated resources for third-party evaluation and long-term outcome tracking. Independent and neutral evaluation helps ensure that reported outcomes are unbiased and aligned with actual program impact. As Chaudhary et al. (2022) stated, “this lack of metrics has become a major reason for organizations’ struggle to determine and measure the effectiveness of their cybersecurity awareness (CSA) program” (p. 2).
However, based on Cyber Florida’s ten years of experience, tracking adult learners after they complete a cybersecurity awareness program remains a significant challenge. Many participants move, change careers, or disengage from follow-up efforts, making it difficult to assess long-term success.
• Contracting neutral evaluators to analyze program outcomes
• Including six-month and one-year follow-up checkpoints (or more)
• Measuring job placement, promotion, credential attainment, and ongoing learner changes in behaviors
• Comparing reported success rates with actual outcomes over time
Effective evaluation is not just about compliance. It is about learning what works, improving support, and ensuring that public investments deliver long-term value to learners and employers alike.
Making Cybersecurity Education Meaningful for Adult Learners
Key Takeaway
Despite increased investments in cybersecurity education and awareness, many public and private organizations continue to use passive, outdated methods that fail to engage employees or change behavior.
Across the U.S. and globally, our analysis reveals a common challenge: organizations continue to rely on traditional cybersecurity education and awareness methods that are largely passive, generic, and compliance-focused. This applies across sectors, from state and local governments to private companies. Many programs are implemented primarily to fulfill regulatory security requirements, resulting in low employee engagement and minimal innovation. These findings confirm previous studies, such as Haney and Lutters (2024), who documented that compliance-driven training programs often fail to change employee behavior, and Abrahams et al. (2024), who argued that low engagement and absence of accountability are common outcomes of traditional cybersecurity awareness efforts.
Several recurring issues contribute to this problem, such as limited budgets and staff capacity; a compliance-driven culture that values completion over hands-on comprehension; lack of in-house expertise in adult learning and cybersecurity education; and misplaced confidence that technology alone can reduce risks. Hossain and colleagues (2024) add that other barriers in the local government include the rapid and increasing sophistication of cyber threats, inadequate understanding of virtual environments, lack of investment in research and development, compatibility issues with legal systems, absence of clear policies, strategies, and regulations, weak oversight and enforcement, lack of collaboration within organizations, and a general reluctance to adopt cybersecurity strategies until after a cyberattack has occurred (Hossain et al., 2024, p. 16).
These factors have contributed to a widespread issue called cybersecurity fatigue . When employees are repeatedly exposed to unengaging or irrelevant cybersecurity content, they often become desensitized or disengaged. As Reeves et al. (2021) explain, this fatigue undermines the very awareness these programs aim to foster. Singer and Friedman (2013) highlight the disconnect between investments in cybersecurity tools and the underinvestment in preparing employees to use those tools effectively. Even after completing required modules, earning digital badges, or achieving industry certifications, many employees still lack the applied skills and critical thinking needed to respond to real-world cyber threats.
This gap is particularly dangerous as cyber threats continue to evolve. Emerging technologies such as AI-generated phishing, deepfakes, and ransomware demand that employees make real-time analytical and critical judgment calls, skills that cannot be effectively taught through static slide decks or generic online cybersecurity courses. According to a 2022 study by the National Institute of Standards and Technology/NIST (Haney et al., 2022), many government employees reported that their cybersecurity training felt generic and disconnected from their actual job responsibilities. This disconnect was especially pronounced in rural agencies and smaller agencies, where staff described the training content as frustrating and irrelevant to their day-to-day work.
Importantly, disengagement is not limited to frontline employees. Executives and managers frequently delay or deprioritize cybersecurity modules until deadlines approach. This behavior places additional pressure on compliance teams and sends the message to the organization that cybersecurity is not a priority for leadership.
Flostrand et al. (2025) refer to this as the “illusion of superiority,” where cyber leaders overestimate their understanding and undervalue security protocols, thereby increasing organizational risk.
Traditional cybersecurity education often relies on outdated, one-size-fits-all content that fails to engage learners. The graphic on page 27 highlights common pitfalls in current cybersecurity education and awareness practices that contribute to cybersecurity fatigue and reduce employee effectiveness.
Generic, one-size-fits-all content
• No differentiation by role or experience
Disconnected from organizational context
• Not accessible for remote workers
• Passive, lecture-style delivery
• No real-life context
• Compliance-focused with no personal meaning
One-time, seasonal training
• Minimal engagement or motivation
Information overload
• Communication fatigue
• Text-heavy presentations
No performance tracking or feedback
• Cultural and language barriers
• Ignores role, experience, and organizational context
• Feels repetitive or irrelevant to experienced staff
• Lacks relevance to daily tools or tasks
• Limits participation in rural or hybrid environments
Same content regardless of threat
• Low engagement and retention
Concepts feel abstract and hard to apply
• Viewed as a checkbox task, not meaningful learning
• Leads to boredom and disengagement
No reinforcement = poor long-term retention
• Hands-off formats limit learning impact
Long sessions overwhelm learners
• Excessive alerts and emails reduce attention
• Discouraging for visual or hands-on learners
• No data to improve future training
• Excludes non-native English speakers and diverse team
Limitations of Traditional Cybersecurity Education Approaches
Research shows that adults learn best when they understand why a topic matters, how it applies to their daily lives, and when they can actively participate in the learning process (Prough, 2020; Ahmed et al., 2024). Yet most cybersecurity awareness programs fail to apply these foundational adult learning principles, especially in programs for general staff. Studies by Chowdhury & Gkioulos (2021) and Alnajim et al. (2023) confirm that adult learners are more likely to adopt cybersecurity best practices when the content is relevant to both their work and personal lives. Generic, one-size-fits-all content may meet compliance requirements, but it rarely changes real behavior.
When employees feel that cybersecurity is just another task to click through, they disengage. Even more concerning, when they are overwhelmed or uncertain, many choose not to report mistakes or incidents for fear of being blamed. A 2022 study by Tessian and Stanford University found that common errors, such as sending emails to the wrong recipient or opening suspicious attachments, often go unreported. The study also identified generational patterns: younger employees were more susceptible to phishing emails, while older employees were more vulnerable to smishing (text-based scams). These findings suggest that cybersecurity education and awareness programs should be tailored to account for the age range and learning preferences of employees. The report also shows that contributing factors such as stress, multitasking, burnout, and tight deadlines increase the likelihood of human error across all age groups.
Maurer and Skoudis (2024) and Khando et al. (2021) emphasize that insider threats, often caused by human error, remain among the most serious risks organizations face. No software tool can fully prevent these incidents. Only well-designed, behavior-focused education and awareness programs can reduce them. Furthermore, organizational culture plays a critical role in strengthening cybersecurity awareness and response. When employees feel unsupported or fear the consequences of admitting mistakes, they are far less likely to report cyber incidents. In many cases, employees worry that their actions could lead to disciplinary action, damage the organization’s reputation, or even result in financial penalties or loss of client trust. These fears often lead to silence or cover-up, which increases organizational risk (Tessian, 2020; Hadlington, 2017). Grounded on this finding, creating a culture of psychological safety, where employees feel empowered to report issues without fear of punishment, is essential for improving incident response and reducing overall cyber vulnerability.
Prümmer et al. (2024), in their systematic review of 142 studies, emphasized that cybersecurity education must be relevant to employees’ work contexts and daily experiences. When training is overly generic or disconnected from real-world problems and tasks, it leads to a lack of motivation, poor knowledge retention, and limited behavioral change, making their organization more vulnerable to cyber-attacks. Conversely, content tailored to specific roles, tools, and real-world scenarios is more likely to foster engagement and encourage secure behavior. In short, cybersecurity education is most effective when it feels useful, not just mandatory for compliance purposes.
Effective cybersecurity education programs today are behavior-based, personalized, and aligned with the specific roles, tools, and responsibilities of employees. Rather than relying on one-size-fits-all modules, these programs prioritize real-world relevance, interactivity, and continuous reinforcement. Informed by Prümmer et al. (2024) and Chowdhury & Gkioulos (2021), Table 1 outlines key elements that contribute to impactful cybersecurity education and awareness strategies.
Effective Educational Strategies Real-World Example
Customized, RoleBased Learning
Educational and Awareness programs tailored to users' backgrounds (e.g., phishing, deepfakes, personal device safety)
Micro-learning 5-minute lessons delivered monthly via email or app.
Hands-on, Scenario-Based Simulations
Just-in-Time Learning
Game-Based Learning & Recognition
Feedback-Driven Improvement
Realistic phishing drills and cyber threat simulations.
Alert-triggered micro-lessons when risky behavior is detected.
Escape rooms, quizzes, rewards for phishing detection.
Personalized dashboards showing behavior gaps and follow-up modules.
Platform-Specific Training Training focused on Teams, Zoom, SharePoint, Social Media Platforms, etc.
Accessible Content Visuals, plain language, closed captions, and multilingual formats.
Leadership Participation
Culture-Based Integration
Discussion-Based Peer Learning
Case Studies & Storytelling
Repetition with Variation
Executives complete training and promote secure behavior.
Posters, lunch-and-learns, daily tips.
Peer debriefs, small group reflection, collaborative exercises.
Real breach scenarios, tied to company impact and lessons learned.
Revisit key concepts in multiple formats and times.
Improves relevance and engagement; prevents "one-size-fits-all" fatigue.
Easy to maintain, fits busy schedules, and supports long-term retention.
Builds decision-making confidence through experiential learning.
Corrects risky behavior at the moment; minimize security threats.
Increases motivation and encourages safe behaviors through competition.
Empowers self-correction and helps track behavioral progress.
Ensures secure practices are learned in the context of daily work tools.
Ensures everyone regardless of technical background can participate, understand, and engage.
Creates a culture of accountability and shows top-down commitment.
Reinforces cybersecurity as part of organizational culture.
Builds trust, strengthens understanding, and fosters collective responsibility.
Makes lessons memorable and relevant to your environment.
Enhances retention and adapts to different learning styles.
Effective Elements of Cybersecurity Education and Awareness
Post-pandemic changes have changed how adults learn, emphasizing the importance of practical, real-world relevance (Zhou et al., 2023). Cybersecurity programs that incorporate real-life scenarios like phishing simulations, gamification, or job-specific case studies significantly increase participant engagement and responsibility toward cybersecurity (Sharma & Thapa, 2023).
As cyber threats evolve and become increasingly sophisticated, particularly with the integration of AI, traditional methods and models quickly become outdated (Jimmy, 2021; Elkhodr & Gide, 2025; Mukherjee et al., 2024). Programs must adopt hands-on, scenario-driven approaches that directly reflect current threats. Moreover, certifications alone are not sufficient for adequate preparation. Jarocki & Kettani (2019) and Dobrydney (2020) emphasize that while certifications enhance employability, true cybersecurity preparedness requires practical skills, mentorship, experiential learning, and continuous professional development.
Recommendation
Organizations need to treat cybersecurity education and awareness programs as an ongoing investment rather than just a compliance requirement. By focusing on role-relevant, inclusive, and behavior-focused learning environments, all employees - from frontline workers to executives - gain the tools to recognize, prevent, and respond to cyber risks. Cultivating a culture of awareness, trust, and continuous learning is essential for fostering long-lasting resilience in the workforce.
Recommendation 2: Incorporate Behavior-Based Metrics
Move beyond tracking course completions by using more meaningful metrics such as phishing simulation results, employee-reported incidents, and post-education behavior assessments. These metrics evaluate real-world readiness and enable organizations to adjust their programming based on actual employee behavior and the effectiveness of the training.
Recommendation 3: Reinforce Cybersecurity with Continuous Micro-Learning
Replace one-time annual cybersecurity training modules with short, frequent lessons tailored to different job functions. This approach improves knowledge retention, builds habits over time, and keeps employees engaged with emerging cybersecurity threats.
Recommendation 4: Differentiate Learning Paths Based on Experience
Avoid one-size-fits-all education models by assessing employees’ roles, prior knowledge, and past training to deliver relevant, personalized content. This is especially important for long-term employees who may be retaking outdated or redundant modules. Tailored learning increases engagement and helps prevent cybersecurity fatigue, leading to better outcomes in training programs.
Success in cybersecurity education for nontraditional adult learners cannot be defined by certification or job placement alone. Programs must adopt a human-centered, multi-stage model that values behavioral change, diverse forms of achievement, persistence, and resilience, especially for those without a background in cybersecurity.
Many transitioning adult learners succeed on a delayed timeline, such as passing certification exams after multiple attempts or securing jobs months (or years) after concluding their noncredit programs. These delayed outcomes, along with confidence-building, hands-on contributions, and real-world application, are equally critical indicators of program impact.
4.1
In reviewing cybersecurity education initiatives - including those led by Cyber Florida - we found that many programs continue to struggle with how they define and measure success. Too often, success is equated with course completions, immediate job placement, or certification pass rates, overlooking the broader, more complex experiences of transitioning adult learners.
Our findings show that success in nontraditional adult education is rarely immediate or linear (Conklin et al., 2014). Learners often juggle jobs, caregiving responsibilities, health concerns, career transitions, financial stress, and self-doubt. These challenges have only intensified in the post-COVID era, with rising reports of imposter syndrome, burnout, and emotional fatigue. Beyond these personal and social stressors, broader structural and socioeconomic barriers, including labor market saturation and shifting workforce dynamics like tech layoffs, add further uncertainty during upskilling and employment efforts.
Real-world case studies illustrate this complexity. In Virginia’s statewide cybersecurity education programs, even highly motivated participants often delayed certification exams due to stress, lack of childcare, family responsibilities, or low confidence (Fisher, 2019). Similarly, Gallagher’s (2016) study of the Department of Defense’s Cyber Operations Academy found that half of the participants chose not to attempt certification after completing the course, mainly due to the exam’s difficulty, confidence gaps, and competing life priorities. Gallagher noted, “Learning to be a cybersecurity operator requires problem-solving ability, perseverance, motivation, and passion, and is not something that can be adequately trained in a linear traditional model” (p. 10).
Cyber Florida’s own program data reinforces this reality. Many nontraditional adult learners who initially failed their industry certification exams later succeeded on their second or third attempt. Several did not secure jobs in cybersecurity immediately but made meaningful contributions through education and community out-
reach - particularly in K–12 settings. Some veterans, though not employed directly by cybersecurity companies, became cybersecurity educators in their communities or supported youth programs such as CyberPatriot. Others applied to numerous positions, continued building hands-on experience through mentorship and training, and ultimately secured employment up to two years after completing their cybersecurity program.
This pattern reinforces the importance of measuring persistence, resilience, and delayed success - not just immediate outcomes. As Jayatilaka et al. (2021) and Haney & Lutters (2024) emphasize, effective program evaluation must go beyond compliance metrics to capture long-term behavioral change, confidence, and real-world applications. These examples show that traditional pass/fail frameworks often miss deeper forms of progress. To address this, modern cybersecurity initiatives should adopt evaluation methods that assess how learners internalize and apply their knowledge. Chaudhary et al. (2022), in their analysis of 32 studies, emphasize that true impact includes behavior-based outcomes. Success isn’t just about gaining knowledge - it’s about using it: changing habits, improving attitudes, increasing competence, and long-term engagement. According to their analysis, additional success indicators in cybersecurity education include:
• Reachability: How many people the program reaches
• Usability: How accessible and engaging the program is (curriculum, instruction, mentorship, real-world application)
• Value Added: The relevance and quality of the curriculum and its impact on practices
• Continuous Feedback: Insights gathered throughout the training, not just at the end
• Behavioral Metrics: Fewer phishing clicks, more security incident reports, post-training confidence, and voluntary engagement in additional learning
To see the full picture, program managers should combine qualitative and quantitative data and use pre- and post-assessments to capture both short-term learning and long-term impact. Since no single metric tells the whole story, a variety of measures ensures programs stay learner-centered and responsive to the changing cybersecurity landscape.
In the Conclusion session of this report, we offer three practical models to help programs more effectively define, support, and evaluate success in real-world terms. These models are grounded in field experience and research and are designed to guide emerging cybersecurity education efforts toward greater impact and inclusivity.
Recommendations
Recommendation 1: Redefine Success to Reflect Adult Learner Realities
Programs must move beyond narrow metrics like immediate certification or job placement. Instead, include:
• Delayed certification (e.g., second or third attempts)
• Employment secured post-program (even months, 1 and/or 2 years later)
• Community and education contributions (e.g., community outreach, K-12 education, and others)
• Growth in digital confidence, literacy, and behavior
This comprehensive lens better reflects real nontraditional adult learner outcomes and aligns with long-term expectations.
Recommendation 2: Embed Multi-Stage Evaluation Models from the Start Programs should implement a multi-stage, data-driven evaluation model that tracks program and learner progress over time, not just final outcomes. This framework helps:
• Identify critical support points (e.g., exam readiness, mentorship,)
• Support timely intervention and guidance
• Improve data quality for grant reporting and strategic decisions
• Reflect non-linear success patterns typical of adult learners
By structuring metrics across key phases - from application to long-term retention - programs can generate more meaningful insights and deliver more effective support. Practical evaluation models to support this approach are provided in the Conclusion.
Recommendation 3: Use Mixed-Methods and Intentional Evaluation Strategies
Program managers must be intentional in how they measure program impact. A single data point does not tell the full story. Instead, programs should integrate:
• Quantitative metrics: enrollment rates, retention, voucher usage, pass/fail data, job placement
• Qualitative feedback: participant interviews, learner reflections, open-ended surveys, focus groups feedback, behavioral changes at work and at home.
This mixed-methods approach captures nuanced learner experiences, behavioral shifts, and confidence-building that quantitative data alone may miss. It also empowers programs to remain adaptive and responsive to evolving cybersecurity workforce needs.
1It is also important for program managers to develop intentional strategies for maintaining contact with participants after program completion. Due to life challenges, shifting priorities, and personal circumstances, many learners may be difficult to reach through traditional follow-up methods such as surveys. As a result, post-program engagement is often inconsistent. Program teams should proactively consider alternative follow-up mechanisms such as periodic check-ins, alumni networks, or incentives for participation to ensure continued data collection and long-term outcome tracking.
Drawing from Cyber Florida’s decade of experience supporting non-traditional adult learners, this report introduces three models designed to holistically support learners while strengthening cybersecurity education programs in Florida and beyond. These models offer guidance to emerging noncredit program managers and workforce leaders on how to measure both program effectiveness and learner progress. They reflect the lessons we’ve learned, challenges encountered, and best practices identified across a range of educational initiatives. Cyber Florida’s experience has made one thing clear:
Building a resilient cybersecurity workforce is not a quick fix – it requires long-term commitment, thoughtful curriculum design, meaningful metrics, and sustained investment.
As outlined throughout this report, many fast-track programs are launched without a clearly defined long-term strategy (Caposell, Paris, & Isnor, 2021; Mukherjee et al., 2024). Often, they lean too heavily on best practices, certifications, and compliance checklists, assuming these alone prepare learners for the evolving cybersecurity threat landscape. However, our findings and growing national evidence make it clear: certifications and traditional cybersecurity education and training are not enough.
While industry credentials can help applicants get through the first round of employment interviews, they do not equip learners with the hands-on fluency, adaptability, and real-world readiness that cybersecurity roles demand (technical and non-technical). Nontraditional adult learners, many of whom juggle caregiving responsibilities, full-time work, and financial constraints, require more than test prep. They need supportive, comprehensive systems that build confidence and offer experiential learning, and promote long-term career growth.
Across Florida and nationwide, programs often rely on narrow metrics, leaving learners underprepared despite passing exams. Some drop out before certification due to imposter syndrome, lack of mentorship, hands-on experience, or insufficient support. These are not solely individual failings; rather, they reflect broader systemic challenges in how cybersecurity programs are designed, implemented, and measured, as well as the need to empower adult learners to take ownership and agency over their learning, seek support, and persist through obstacles (Stavrou & Piki, 2024).
Employers have noticed. Many early-career professionals arrive with credentials but lack the practical experience and critical thinking needed to secure systems or respond to real-world cyber incidents. This gap is not about talent, but about alignment. When programs prioritize checkboxes over competence, they produce graduates who qualify on paper but struggle to deliver in practice. This disconnect contributes to a national paradox: despite thousands of unfilled roles, many certified professionals remain unemployed (CyberSeek, 2025).
Employers often seek the elusive “cyber unicorn,” a highly idealized candidate who possesses a rare blend of technical proficiency, real-world experience, strategic thinking, and high communication skills from day one (Burley et al., 2025; Ramezan, 2023). These expectations are unrealistic, especially for career changers or entry-level professionals from under-resourced communities who have not yet had the opportunity to engage in a comprehensive cybersecurity learning experience.
Making the challenge even more urgent, AI-enabled threats are rapidly evolving. Cybercriminals are now leveraging generative AI to develop advanced malicious software that continually mutates to evade detection called as polymorphic malware, as well as hyper-realistic deepfake videos, synthetic voice messages and phone calls, AI-driven social engineering tactics, and hyper-personalized phishing campaigns. Large language models (LLMs) are being repurposed to generate malicious code and simulate real-time phishing conversations (IBM, 2025; Ratnawita, 2025). As automated attack capabilities grow, traditional defenses and training models quickly become outdated. Cybersecurity professionals must now be multidisciplinary, human-centered, and capable of rapid response and critical thinking - not just certified but strategically prepared for varied forms of cyber threats.
In response to the challenges identified, we present a holistic cybersecurity education and awareness model developed as part of Cyber Florida’s broader workforce development efforts. The model supports a more applied, sustainable, and learner-centered approach to cybersecurity education aligned with the complex realities of today’s workforce.
This report does not end with critique. It offers a practical, field-tested response. At the heart of this conclusion is Cyber Florida’s core belief: cybersecurity education must be grounded in the real needs of adult learners and connected to the realities of the cybersecurity field. Bridging the gap between theory and practice is essential for preparing a workforce that can succeed in the face of a complex and evolving threat landscape, rapid technological change, shifting workforce needs, evolving industry standards, and government regulations (Knapp et al., 2017).
To address this need, we developed the Holistic Cybersecurity Learner Model, a practical framework designed to support individuals entering, upskilling, reskilling, or advancing within the cybersecurity field. This model is rooted in the understanding that certification is just one piece of the workforce readiness puzzle. Long-term success requires an integrated and comprehensive approach, one that nurtures not only technical proficiency, but also personal development (including soft, critical, and analytical skills), behavioral change, and overall professional preparedness.
This model draws inspiration from Caulkins et al. (2016), who emphasize incorporating human factors into cybersecurity education, and Mukherjee et al. (2024), who advocate for strategic, learner-centered design. It also builds on the foundational work of scholars championing holistic approaches to cybersecurity education, awareness, and training (e.g., Hoffman et al., 2011; Endicott-Popovsky & Popovsky, 2014; Elmelhem et al., 2018; Wang & Sbeit, 2020; among others).
What distinguishes this model is its foundation in real-world implementation, shaped by Cyber Florida’s direct experience working with early-career transitioning professionals and the urgent need for adaptable, human-centered approaches to cybersecurity workforce development.
Cyber Florida’s Holistic Cybersecurity Learner Model
The Holistic Cybersecurity Learner Model places adult learners at the center of a dynamic cybersecurity ecosystem. It emphasizes the following interconnected components:
• Hands-on learning through labs, gamification, simulations, and real-world tasks (see Finding 3 for more examples of hands-on experience)
• Development of behavioral and soft skills, such as communication, analytical and critical thinking, resilience, flexibility, and decision-making (see Stavrou & Piki, 2024)
• Structured mentorship to support professional growth and long-term retention (see Wang & Sbeit, 2020)
• Foundational knowledge of cyber ethics, governance, and policy
• Multidisciplinary fluency, Bid Data, and Artificial Intelligence (AI) literacy to address emerging and complex cyber threats
• Opportunities for networking and exposure to industry and government environments
These elements are essential not only for certification readiness but for career longevity and real-world preparedness. They reflect a shift from transactional education and awareness training (short-term goals and speed over depth) to transformational learning (Jacobsen et al., 2022), supporting learners not just to pass exams, but to grow into confident, capable cyber professionals. This model serves as the foundation for the two practical models that follow: a multi-stage tracking model for evaluation and a six-phase design model for implementation.
While the Holistic Learner Model defines the values and core components of learner-centered cybersecurity education, the Six-Phase Cybersecurity Education Model provides a practical, implementation-oriented roadmap. It translates philosophy into action by guiding program managers through the full lifecycle of noncredit cybersecurity education - from recruitment to follow-up. This model is particularly useful for program designers and instructors, offering structure, tools, and sequencing to support program delivery in alignment with the needs of nontraditional adult learners.
The Six-Phase Cybersecurity Education Model was developed in response to recurring challenges encountered during the implementation of noncredit, grant-funded cybersecurity programs. Over time, these challenges pointed to broader structural issues, not unique to Cyber Florida’s programs, but common across the national workforce development landscape. Key challenges included:
• Participants who completed the program received free certification vouchers and did not take the industry certification exam.
• High dropout rates due to responsibilities such as work, caregiving, and financial stress , are often paired with limited support and engagement.
• Low response rates to post-program surveys, limiting the ability to assess learner outcomes or guide program improvements.
• Designing a screening process that reliably identifies motivated and prepared participants, without creating access barriers for those from nontraditional backgrounds, remains a complex and ongoing challenge.
Grounded in these lessons and shaped by insights from both fieldwork and national research data analysis, the Six-Phase Cybersecurity Education Model provides a flexible yet structured roadmap for building more effective cybersecurity training programs. It supports not only certification readiness but also long-term progress in real-world cybersecurity roles.
This model emerged from years of practice, trial, reflection, and evaluation. While every program has unique elements, this model is intended as a practical, adaptable tool to help program managers design, support, and evaluate cybersecurity education in ways that are strategic, responsive, and impactful.
The following table outlines each phase, its core goal, key actions, and suggested tools to support implementation.
Screen Participants Select learners who demonstrate readiness and commitment.
Review applications; conduct interviews; apply inclusion criteria.
Virtual interview platform, Interview script, Scoring rubric, Eligibility checklist, Learner contract or Memorandum of Understanding (MOU), Program handbook, Welcome packet, Welcome Day workshop (virtual or in-person)
Phase 2: Assess Technical & Behavioral Readiness
Understand learners’ technical and behavioral readiness and align supports.
Certification pre-assessment, soft/hard skills checklist, Self-assessment survey form, digital learner tracking system Six Phases of the Cybersecurity Education Model: Program Goals, Actions, and Tool
Pre-assessment: soft skills inventory; learner progress monitoring
Phase 3: Deliver Holistic Program
Provide comprehensive, career-aligned cybersecurity education and awareness training.
Deliver technical curriculum
Provide hands-on labs combining theory with practice
Phase 4:
Post-Program Assessment & Readiness
Measure readiness before certification.
Offer career readiness workshops
Provide weekly mentorship or peer mentorship sessions
Track learner progress and engagement
Facilitate industry and government engagement
Incorporate soft skills and professional behavior
Introduce AI, cyber ethics and policy frameworks
Conduct mid-program feedback surveys or focus groups
Administer internal readiness assessment
Determine voucher eligibility
Provide targeted support for non-passers
Reassess resume and soft skill improvements
Measure individual program
Identify potential attrition points and re-engage learners
Resume templates, LinkedIn mentorship materials, mock interview resources, elevator pitch
Mentor guide, matching process, meeting tracker, feedback post- mentorship
Weekly attendance sheet, milestone log
Guest speaker calendar, capstone project rubric
Behavioral skill-building activities, teamwork modules, communication workshops
Ethics case studies, policy brief assignments
Anonymous survey form, focus group protocol, feedback from participants
Practice certification test Practice certification exam, internal scoring system (minimum 85% benchmark)
Voucher distribution protocol
Tutoring referral list, one-on-one coaching, peer-mentoring, progress dashboard
Resume rubric, mock interviews, peer or mentor feedback
Pre/post skills comparison dashboard, learner profile updates
Attendance alerts, student check-in tracker
Phase 5:
Certification, Voucher & Support Support voucher recipients and those still preparing.
Phase 6:
Follow-Up & Evaluate
Track long-term outcomes and improve program quality.
Distribute certification vouchers to eligible participants
Provide preparation resources
Offer continued support for learners not yet ready
Track employment and certification outcomes
Collect learner and employer feedback
Use data to improve programming
Engage alumni and highlight success stories
Conduct internal team debrief on lessons learned
Voucher tracking log, exam scheduling guide
Study guide, practice question bank, test-taking strategies sheet
Individual mentorship sessions, skill refresher workshops, tutoring list
Follow-up surveys (3, 6, and 12 months), alumni tracking sheet
Post-program evaluations, exit interviews, employer input forms
Internal review meetings, program improvement action log, feedback summary reports
Alumni spotlight series, testimonial tracker
End-of-program meeting, reflection log
Note on Voucher Distribution: Industry certification exam vouchers are awarded only to learners who meet internal benchmarks designed to assess technical readiness and career preparedness. This approach supports comprehensive outcomes and encourages learners to take the exam when they are most prepared.
To more accurately reflect how success evolves over time, especially for nontraditional adult learners, cybersecurity education programs should adopt a multi-stage evaluation model. Rather than relying solely on pass/fail metrics or immediate job placement outcomes, this approach tracks learner progress across ten strategic phases, from initial engagement to long-term behavioral change and career development milestones.
Drawing from cybersecurity education literature, evaluation reports, and Cyber Florida’s experiences supporting our adult learners through programs such as CyberWorks and FirstLine, this structured yet flexible model helps capture nuanced learner trajectories. It identifies key intervention points, reveals patterns of persistence and attrition, and evaluates the real-world impact of alternative cybersecurity education and training environments.
This model is especially valuable for program managers and grant-funded initiatives that require transparent, credible reporting and effective support strategies. Designed to be actionable, scalable, and adaptable, it reflects years of iterative development informed by both challenges and successes in the field.
New and emerging noncredit cybersecurity programs are strongly encouraged to embed intentional, evidence-based evaluation frameworks from the outset. As Caposell et al. (2020) note, decision-making in cybersecurity programs is often based on intuition or anecdotal feedback, rather than strategic data collection. This limits the ability to track learner outcomes accurately or address program gaps over time. By embedding stage-based tracking, programs can generate meaningful data to:
• Guide instructional design and learner support strategies
• Improve credibility with funders and stakeholders
• Inform policy and curricular decisions
• Better reflects the nonlinear journeys of nontraditional adult learners
Ultimately, programs that align their evaluation strategies with real-world learner experiences will be better equipped to design responsive, comprehensive, and future-ready curricula, helping build a more resilient cybersecurity workforce.
Step 1: Applications Received & Review Applications
Step 2: Program Enrollment
Step 3: Program Launch
Step 4: Mid-Program Evaluation
Step 5: Program Completion
Step 6: Certification Voucher Issued
Step 7: Exam Pass/Fail/Not Taken Rates (Industry Certifications)
Measures total interest in the program. Serves as a baseline for evaluating outreach effectiveness and recruitment visibility.
Screens and selects participants through virtual interviews, ensuring alignment with program goals and readiness to participate.
Tracks the number of participants who officially begin the program.
Implements checkpoints to monitor engagement and collect feedback via surveys, assessments, and progress tracking
Measures the number of learners who complete all instructional components, regardless of whether they pursue certification.
Tracks participants eligible for a certification voucher, including those who opt out due to exam-readiness concerns.
Tracks participants who pass (including after multiple attempts), fail, or choose not to take the exam. Helps identify barriers to readiness and evaluate overall exam preparedness.
Multi-Stage Metrics for Measuring Cybersecurity Program Success
Step 8: Employment Outcomes
Step 9: Confidence & Retention
Assesses job applications, employment in cybersecurity or adjacent fields, promotions, or salary increases.
Evaluates learner confidence and retention to determine if participants feel prepared to apply for cybersecurity jobs, improve their skills, or pursue advancement.
Note: This model enables program managers to identify points of intervention such as tutoring, mentorship, or career support where learners may need more support. It also facilitates more credible reporting to funders and stakeholders by capturing longitudinal success.
These three interconnected models form a comprehensive foundation for effective cybersecurity education. The Holistic Learner Model defines a learner-centered approach that prioritizes human development alongside technical skills. This method directly informs the Six-Phase Implementation Model , which provides program managers with a structured roadmap for designing and delivering effective, comprehensive instruction. The 9-Step Tracking Model complements these efforts by offering a clear framework for evaluating learner progress and program outcomes over time.
Unlike traditional approaches that focus solely on one-time certification metrics, this integrated model emphasizes readiness, retention, and long-term career advancement. It guides not only what to teach, but also how to support learners - before, during, and after the program. A key innovation is the use of internal readiness benchmarks prior to issuing industry certification vouchers, shifting the focus from passive completion to active preparedness.
Together, these models foster a culture of continuous improvement, recognizing that cybersecurity education must evolve with emerging threats, technologies, and workforce demands (Knapp et al., 2017). By aligning strategic design with human-centered practices, this approach strengthens program quality while building learner confidence, resilience, and real-world readiness.
Cybersecurity resilience begins with human resilience. The future of workforce development lies not in faster bootcamps or a checklist of credentials, but in thoughtful, learner-centered, and evidence-informed education that equips real people to respond to real-world threats.
We encourage program managers, funders, educators, and public-sector leaders to view this report not only as a reference, but as a starting point for innovation, strategic planning, and collaborative redesign. The nation needs cybersecurity programs that go beyond the badge, but holistic programs that foster critical thinking, responsible action, and the confidence to thrive in an ever-changing digital landscape.
Dr. Michelle Angelo-Rocha is a Cyber Research Analyst at Cyber Florida, the Florida Center for Cybersecurity at the University of South Florida (USF). She authored this report and led its conceptualization, research design, analysis, synthesis, and writing. Drawing on over seven years of experience designing and implementing cybersecurity education, workforce, and mentorship programs for nontraditional adult learners, as well as her work on grant-funded cybersecurity initiatives, Dr. Angelo-Rocha conducted the literature review, guided the analysis of the 50-state program, and developed the integrated models presented in the study. Her work advances human and behavior-centered, evidence-informed approaches to cybersecurity education and workforce development, with particular attention to nontraditional adult learners, public-sector readiness, and the growing role of Artificial Intelligence (AI) in cybersecurity education and workforce development.
Eniola Shofolawe-Bakare is a graduate of the Master of Science in Marketing program at the University of South Florida (USF), where she specialized in Digital Marketing and Brand Management. During the period of this study, she served as a research assistant and led a comprehensive 50-state scan of publicly funded cybersecurity education and awareness programs, which contributed to the empirical foundation of the report. Her work involved the systematic identification, review, and coding of program documentation, websites, and public reports across all U.S. states to examine program structures, target audiences, and publicly reported outcomes. She also supported the literature review and contributed to the synthesis of cross-state trends, gaps, and implications for future cybersecurity workforce development efforts.
References
Abrahams, T. O., Farayola, O. A., Kaggwa, S., Uwaoma, P. U., Hassan, A. O., & Dawodu, S. O. (2024). Cybersecurity awareness and education programs: a review of employee engagement and accountability. Computer Science & IT Research Journal, 5(1), 100-119.
Adams, E. (2024). See Yourself in Cyber: Security Careers Beyond Hacking. John Wiley & Sons.
Ahmed, A., Watterson, C., Alhashmi, S., & Gaber, T. (2024). How universities teach cybersecurity courses online: a systematic literature review. Frontiers in Computer Science, 6, 1499490.
Äijälä, T. (2018). Certified Information Systems Security Professional (CISSP): A qualitative study on motivations and experiences of certified professionals (Master’s thesis, Laurea University of Applied Sciences).
Alnajim, A.M. ; Habib, S.; Islam, M.; AlRawashdeh, H.S.; Wasim, M. Exploring Cybersecurity Education and Training Techniques: A Comprehensive Review of Traditional, Virtual Reality, and Augmented Reality Approaches. Symmetry 2023, 15, 2175. https:// doi.org/10.3390/sym15122175
Analyst 1 (2025). Ransomware & Extortion Activity in 2024: A Year of Review: Ransomware & Extortion Activity in 2024: A Year in Review | Analyst1
Bell, L., & Sarlo, R. (2020). Those boots need more support: the boot camp model lacks what many students need. Reflections: Narratives of Professional Helping, 26(4), 16-24.
Bray, T. (2020). Military information technology certification training addressing implementation procedures against cyber-attacks: An exploratory case study (Doctoral dissertation, University of Phoenix). ProQuest Dissertations Publishing.
Bruce, G. J. (2023, July). Cybersecurity compliance requirements for USA Department of Defense Contractors-Dragons at the gate. In International Conference on Human-Computer Interaction (pp. 290-308). Cham: Springer Nature Switzerland.
Burley, D.; O’Connell; S.; Angelo-Rocha, M. (2025). The Search for the Cyber Unicorn: Perspectives from HR on Filling Entry-Level Cybersecurity Positions.
Caliskan, E., & Vaarandi, R. (2020). Career development in cyber security: Bootcamp training programs. In International Conference on Cyber Warfare and Security. Taltech, Tallinn, Estonia. https://www.proquest.com/openview/ c6f247a11bf60223d72370c9f9fc52ee/1.pdf?pq-origsite=gscholar&cbl=396500
Caposell, M., Paris, C., & Isnor, M. (2021). Tips to Run an Interagency Work Group More Effectively: Lessons from the Field of Cyber Workforce Planning. Cybersecurity and Infrastructure Security Agency (CISA).
Caulkins, B. D., Badillo-Urquiola, K., Bockelman, P., & Leis, R. (2016, October). Cyber workforce development using a behavioral cybersecurity paradigm. Presented at the IEEE International Conference on Cyber Technology in Automation, Control, and Intelligent Systems.
Chaudhary, S., Gkioulos, V., & Katsikas, S. (2022). Developing metrics to assess the effectiveness of cybersecurity awareness program. Journal of Cybersecurity, 8(1), tyac006.
Chowdhury, N., & Gkioulos, V. (2021). Cybersecurity training for critical infrastructure protection: A literature review. Computer Science Review, 40, 100361.
Crabb, J., Hundhausen, C., & Gebremedhin, A. (2024, March). A critical review of cybersecurity education in the United States. In Proceedings of the 55th ACM Technical Symposium on Computer Science Education V. 1 (pp. 241-247).
Crumpler, W., & Lewis, J. A. (2019). The Cybersecurity Workforce Gap
Colabianchi, S., Costantino, F., Nonino, F., & Palombi, G. (2025). Transforming threats into opportunities: The role of human factors in enhancing cybersecurity. Journal of Innovation & Knowledge, 10(3), 100695. Course Report (2018) Coding Bootcamp Market Size Study, https://www.coursereport.com/reports/2018-codingbootcamp-market-size-research.
CyberSeek. (July, 2025). Cybersecurity supply and demand heat data: Certification holders vs. job postings [Labor market analytics dashboard]. https://www.cyberseek.org/heatmap.html
Conklin, W. A., Cline, R. E., & Roosa, T. (2014, January). Re-engineering cybersecurity education in the US: an analysis of the critical factors. In 2014 47th Hawaii international conference on system sciences (pp. 2006-2014). IEEE. CyberSN. (2025). U.S. Cybersecurity Job Posting Data Report 2025. https://cybersn.com/cybersecurity-job-posting-data-report-2025/
Davri, E.-C., Darra, E., Monogioudis, I., Grigoriadis, A., Iliou, C., Mengidis, N., Tsikrika, T., Vrochidis, S., Peratikou, A., Gibson, H., Haskovic, D., Kavallieros, D., Chaskos, E., Zhao, P., Shiaeles, S., Savage, N., Akhgar, B., Bellekens, X., & Ben Farah, M. A. (2021). Cyber security certification programmes. In Cyber Security Certification Department of Defense. (2025). CMMC Model. https://dodcio.defense.gov/cmmc/About/ Dobrydney, D. (2020). The relationship between DoD 8570.01-M certification and cybersecurity job performance in U.S. Department of Defense organizations (Doctoral dissertation, Capella University).
Elmelhem, J., Bouras, A., & Ghemri, F. (2018, December). Towards a Holistic Approach of Cybersecurity. In 2018 3rd Technology Innovation Management and Engineering Science International Conference (TIMES-iCON) (pp. 1-4). IEEE.
Elkhodr, M., & Gide, E. (2025). Integrating Generative AI in Cybersecurity Education: Case Study Insights on Pedagogical Strategies, Critical Thinking, and Responsible AI Use. arXiv preprint arXiv:2502.15357.
Endicott-Popovsky, B. E., & Popovsky, V. M. (2014). Application of pedagogical fundamentals for the holistic development of cybersecurity professionals. ACM Inroads, 5(1), 57-68.
FBI. (2024). Bureau of Investigation. Internet Crime Report. https://www.ic3.gov/AnnualReport/Reports/2024_ IC3Report.pdf
Fisher, R. (2019). The credentialed workforce: Examining success rates across short-term noncredit training programs aligned with industry credentials. James Madison University
Flostrand, A., Park, A. ,Demetis, D., Kietzmann, J., Pitt, L., McCarthy, I. (2025). The Case for Lean Cybersecurity Leadership. MITSloan. Management Review. The Case for Lean Cybersecurity Leadership - MIT SMR Store
Frandell, A., & Feeney, M. (2022). Cybersecurity threats in local government: A sociotechnical perspective. The American Review of Public Administration, 52(8), 558-572.
Gauthier, T. (2020). The value of microcredentials: The employer’s perspective. The Journal of Competency‐Based Education, 5(2), e01209.
Gallagher, P. S., & Alexandria, V. A. (2016). Assessing Performance in an Innovative Cybersecurity Pilot Course.
Guembe, B., Azeta, A., Misra, S., Osamor, V. C., Fernandez-Sanz, L., & Pospelova, V. (2022). The emerging threat of ai-driven cyber attacks: A review. Applied Artificial Intelligence, 36(1), 2037254
Gerontakis, G., Yannakopoulos, P., & Voyiatzis, I. (2023). Evaluating cybersecurity certifications: A framework for extracting educational scenarios in cybersecurity training. In Proceedings of the 27th Pan-Hellenic Conference on Progress in Computing and Informatics (pp. 243-248).
Haber, M. J., Chappell, B., & Hills, C. (2022). Imposter Syndrome. In Cloud Attack Vectors: Building Effective Cyber-Defense Strategies to Protect Cloud Resources (pp. 413-415). Berkeley, CA: Apress.
Hadlington, L. (2017). Human factors in cybersecurity; examining the link between Internet addiction, impulsivity, attitudes towards cybersecurity, and risky cybersecurity behaviours. Heliyon, 3(7).
Haney, J., Jacobs, J., Furman, S., & Barrientos, F. (2022). Approaches and challenges of federal cybersecurity awareness programs. National Institute of Standards and Technology (NIST) Internal Report 8420A.
Haney, J. and Lutters, W. (2024), From Compliance to Impact: Tracing the Transformation of an Organizational Security Awareness Program, Cyber Security: A Peer-Reviewed Journal, [online], https://doi.org/10.69554/NJYA9034, https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=935669
Hoffman, L., Burley, D., & Toregas, C. (2011). Holistically building the cybersecurity workforce. IEEE Security & Privacy, 10(2), 33-39.
Hossain, S.T., Yigitcanlar, T., Nguyen, K., & Xu, Y. (2025). Cybersecurity in local governments: A systematic review and framework of key challenges. Urban Governance, 5, 1–19. https://doi.org/10.1016/j.ugj.2024.12.010
Hossain, S. T., Yigitcanlar, T., Nguyen, K., & Xu, Y. (2024). Local government cybersecurity landscape: A systematic review and conceptual framework. Applied Sciences, 14(13), 5501.
Hussain, S. M., Tummalapalli, S. R. K., & Chakravarthy, A. S. N. (2024). Cyber Security Education: Enhancing Cyber Security Capabilities, Navigating Trends and Challenges in a Dynamic Landscape. Advances in Cyber Security and Digital Forensics, 9-33. (ISC)2. (2022). Cybersecurity hiring managers guide: Best practices for hiring and developing entry- and junior-level cybersecurity practitioners. https://cloud.connect.isc2.org/Cybersecurity-Hiring-Managers-Guide?utm_source=facebook&utm_medium=organicsocial&utm_campaign=GBL-cyberhiringebook&utm_term=OCT24&utm_content=ebook (ISC)2. (2023). Cybersecurity Workforce Study. https://www.isc2.org/Research/Workforce-Study IBM Security. (2025). IBM X-Force threat intelligence index 2025. IBM Corporation. https://www.ibm.com/reports/ threat-intelligence
Jacobsen, C. B., Andersen, L. B., Bøllingtoft, A., & Eriksen, T. L. M. (2022). Can leadership training improve organizational effectiveness? Evidence from a randomized field experiment on transformational and transactional leadership. Public Administration Review, 82(1), 117-131.
Jayatilaka, A., Beu, N., Baetu, I., Zahedi, M., Babar, M. A., Hartley, L., & Lewinsmith, W. (2021). Evaluation of security training and awareness programs: Review of current practices and guideline. arXiv preprint arXiv:2112.06356.
Jarocki, S., & Kettani, H. (2019). Examining the efficacy of commercial cybersecurity certifications for information security analysts. In 2019 4th International Conference on Information Systems Engineering (ICISE) (pp. 1-5). IEEE. https://doi.org/10.1109/ICISE.2019.00008
Jimmy, F. (2021). Emerging threats: The latest cybersecurity risks and the role of artificial intelligence in enhancing cybersecurity defenses. Valley International Journal Digital Library, 1, 564-74.
Karlsson, G. (2024, May). From Campus to Boot Camp- Lessons from Extramural Teaching in Cybersecurity. In 2024 IEEE Global Engineering Education Conference (EDUCON) (pp. 1-8). IEEE.
Khando, K., Gao, S., Islam, S. M., & Salman, A. (2021). Enhancing employees information security awareness in private and public organisations: A systematic literature review. Computers & security, 106, 102267.
Knapp, K. J., Maurer, C., & Plachkinova, M. (2017). Maintaining a cybersecurity curriculum: Professional certifications as valuable guidance. Journal of Information Systems Education, 28(2), 101-114.
Maurer, P. J., & Skoudis, E. (2024). The code of honor: Embracing ethics in cybersecurity. John Wiley & Sons. Magnotti, E. (2017). Cybersecurity Compliance and DoD Contractors.
Morris, M., Spires, R., Hammon, J., Marin, M., Coombs, L., Nicol, F., & Anderson, K. (2023). The landscape of performance-based assessments in cybersecurity: A green paper from the NICE Community Coordinating Council.
Morris, S., et al. (2023). Performance-based learning in cybersecurity: A NICE framework perspective. National Initiative for Cybersecurity Education (NICE) Green Paper.
Mukherjee, M., Le, N. T., Chow, Y.-W., & Susilo, W. (2024). Strategic approaches to cybersecurity learning: A study of educational models and outcomes. Information, 15(117). https://doi.org/10.3390/info15020117
NICE Workforce Framework for Cybersecurity. (2025). NICE Framework. https://niccs.cisa.gov/tools/nice-framework
Norris, D. F., Mateczun, L., Joshi, A., & Finin, T. (2018). Cybersecurity at the grassroots: American local governments and the challenges of internet security. Journal of Homeland Security and Emergency Management, 15(3), 20170048
Norris, D. F., & Mateczun, L. K. (2022). Cyberattacks on local governments 2020: findings from a key informant survey. Journal of Cyber Policy, 7(3), 294-317.
Norris PhD, D. F., & Mateczun JD, L. K. (2025). Managing cybersecurity in local governments: 2022. Journal of Cybersecurity Education, Research and Practice, 1
Pike, R. E., Brown, B., West, T., & Zentner, A. (2020). Digital Badges and E-Portfolios in Cybersecurity Education. Information Systems Education Journal, 18(5), 16-24.
Price, R., & Dunagan, A. (2019). Betting on Bootcamps: How Short-Course Training Programs Could Change the Landscape of Higher Ed. Clayton Christensen Institute for Disruptive Innovation.
Prough, L. M. (2020). Education theories applied to a cybersecurity bootcamp (Doctoral dissertation). ProQuest Dissertations Publishing.
Prümmer, J., van Steen, T., & van den Berg, B. (2024). A systematic review of current cybersecurity training methods. Computers & Security, 136, 103585.
Ramezan, C. A. (2023). Examining the cyber skills gap: An analysis of cybersecurity positions by sub-field. Journal of Information Systems Education, 34(1), 94-105.
RAMPS Colorado Springs. (2019). Cybersecurity Skills, Certification & Employers: Assessing the Skills Gap in the Colorado Springs MSA. https://www.nist.gov/system/files/documents/2019/07/10/ramps_western_region_final_report_-_may_2019.pdf
Ratnawita, R. (2025). Cybersecurity in the AI Era Measures Deepfake Threats and Artificial Intelligence-Based Attacks. Journal of the American Institute, 2(2), 180-189.
Reeves, A., Delfabbro, P., & Calic, D. (2021). Encouraging employee engagement with cybersecurity: How to tackle cyber fatigue. SAGE open, 11(1), 21582440211000049.
Stavrou, E., & Piki, A. (2024). Cultivating self-efficacy to empower professionals’ re-up skilling in cybersecurity. Information & Computer Security, 32(4), 523-541.
SecurityScorecard. (2024). 58% of breaches impacting leading U.S. federal contractors caused by third-party vulnerabilities. https://securityscorecard.com/company/press/58-percent-of-breaches-impacting-leading-us-federal-contractors-caused-by-third-party-attack-vectors
Sharma, R., and S. Thapa. “Cybersecurity awareness, education, and behavioral change: strategies for promoting secure online practices among end users.” Eigenpub Review of Science and Technology 7.1 (2023): 224-238.
Skillsoft. (2024). IT Skills and Salary Report. https://insight.skillsoft.com/it-skills-and-salary-report
Tessian. (2022). The psychology of human error 2022 [White paper]. Standford University. https://f.hubspotusercontent20.net/hubfs/1670277/%5BCollateral%5D%20Tessian-Research-Reports/%5BTessian%20Research%5D%20 Psychology%20of%20Human%20Error%202022.pdf
Tessler, B., Brown, K., & Xu, D. (2024). Noncredit career and technical education programs in Virginia: Early findings from the FastForward study. MDRC.
Texas Statewide Cybersecurity Awareness Training. (2025) Texas Department of Information Resources. https://dir. texas.gov/information-security/statewide-cybersecurity-awareness-training
U.S. Government Accountability Office. (2023) An overview of cyber challenges facing the nation, and actions needed to address them. https://www.gao.gov/cybersecurity
Varadarajan, S., Koh, J. H. L., & Daniel, B. K. (2023). A systematic review of the opportunities and challenges of micro-credentials for multiple stakeholders: learners, employers, higher education institutions and government. International Journal of Educational Technology in Higher Education, 20(1), 13.
Zhou, X., Smith, C. J. M., & Al-Samarraie, H. (2023). Digital technology adaptation and initiatives: A systematic review of teaching and learning during COVID-19. Journal of computing in higher education, 36(3), 813-834.
Wang, P., & Sbeit, R. (2020). A comprehensive mentoring model for cybersecurity education. In 17 th International Conference on Information Technology–New Generations (ITNG 2020) (pp. 17-23). Springer International Publishing.
Waguespack, L. J., Babb, J. S., & Yates, D. J. (2018). Triangulating Coding Bootcamps in IS Education: Bootleg Education or Disruptive Innovation?. Information Systems Education Journal, 16(6), 48-58.
Additional Readings Not Cited
Ajayi, F. A., & Udeh, C. A. (2024). Review of workforce upskilling initiatives for emerging technologies in IT. International Journal of Management & Entrepreneurship Research, 6(4), 1119-1137.
AlDaajeh, S., Saleous, H., Alrabaee, S., Barka, E., Breitinger, F., & Choo, K. K. R. (2022). The role of national cybersecurity strategies on the improvement of cybersecurity education. Computers & Security, 119, 102754.
Alshaikh, M., Naseer, H., Ahmad, A., & Maynard, S. B. (2019). Toward sustainable behaviour change: an approach for cyber security, education, training and awareness.
Anderson, A., Ahmad, A., & Chang, S. (2024). Case-based learning for cybersecurity leaders: A systematic review and research agenda. Information & Management, 61, 104015.
Armistead, E. L., Guess, R. C., & Blevins, S. R. (2018). Cyber apprenticeship: A traditional solution to a vexing new problem. Journal of Information Warfare, 17(1), 87–98. https://www.jstor.org/stable/10.2307/26504131
Bada, Maria, Angela M. Sasse, and Jason RC Nurse. “Cyber security awareness campaigns: Why do they fail to change behaviour?.” arXiv preprint arXiv:1901.02672 (2019).
Barker, M. D. (2023). Alternative credential training in cybersecurity: An exploratory study of the Nexus Certificate and Degree in Cybersecurity. Middle Georgia State University.
Beason, R. E., Phelan, M., Devine, S., Aiken, M., & Orban, J. (2021). Evaluation of Hands-on Cybersecurity Skills Development (No. INL/EXT-21-64359). Idaho National Laboratory (INL), Idaho Falls, ID (United States).
Chatfield, A. T., & Reddick, C. G. (2017, June). Cybersecurity innovation in government: A case study of US Pentagon’s vulnerability reward program. In Proceedings of the 18th Annual International Conference on Digital Government Research (pp. 64-73).
D’Hoinne, J., Litan, A., & Firstbrook, P. (2023, June 29). 4 ways generative AI will impact CISOs and their teams. Gartner Research
Dobran, B. (2018). Start a security awareness training program your staff can‘t ignore. https://phoenixnap.com/ blog/security-awareness-training
He, W., & Zhang, Z. (2019). Cybersecurity training for employees: A review of effectiveness. Journal of Organizational Computing and Electronic Commerce, 29(1), 23-45.
Hodge, T. D. (2018). A qualitative case study in professional information assurance workforce practices demonstrated through the Department of Defense. Prescott Valley, AZ: Northcentral University.
Hollister, J. M., Spears, L. I., Mardis, M. A., Lee, J., McClure, C. R., & Liebman, E. (2017). Employers’ perspectives on new information technology technicians’ employability in North Florida. Education + Training, 59(9), 929-945. https://doi. org/10.1108/ET-02-2017-0019
Hozza, D. (2024). Entering the cybersecurity workforce: Certification vs. college degree. In J. M. Carroll (Ed.), Innovative Practices in Teaching Information Sciences and Technology: Further Experience Reports and Reflections (pp. 221-230). Springer Nature Switzerland AG. https://doi.org/10.1007/978-3-031-61290-9
Lightcast. (2023). CareerSource Florida credential review and analysis report
Liu, F., & Tu, M. (2020). An analysis framework of portable and measurable higher education for future cybersecurity workforce development. Journal of Education and Learning, 14(3), 322-330. https://doi.org/10.11591/edulearn. v14i3.15810
Marquardson, J., & Elnoshokaty, A. (2020). Skills, certifications, or degrees: What companies demand for entry-level cybersecurity jobs. Information Systems Education Journal, 18(1), 22-33.
Nweke, L. O., Bokolo, A. J., Mba, G., & Nwigwe, E. (2022). Investigating the effectiveness of a HyFlex cybersecuritytraining in a developing country: A case study. Education and Information Technologies. https://link.springer.com/ article/10.1007/s10639-022-11038-z
O‘Reilly, P. D., K. G. Rigopoulos, G. A. Witte, and L. Feldman (2018). 2017 NIST/ITL cybersecurity program: Annual report. https://www.nist.gov/publications/2017-nistitl-cybersecurity-program-annual-report
Pandasecurity (2017). 3 Ways to minimize “Security Fatigue” among employees. https://www.pandasecurity.com/ en/mediacenter/minimize-security-fatigue/
Singer, P. W., & Friedman, A. (2013). Cybersecurity and Cyberwar: What Everyone Needs to Know® . Oxford University Press.
Smith, L. B. (2014). A study of the relationship between program accreditation and certification exam passage rates in health information technology workforce training programs (Doctoral dissertation, Capella University). ProQuest.
Spohn, R. (2021). Factors associated with successfully passing health information certification exams (Doctoral dissertation, University of South Dakota). ProQuest.
Stavrou, E., & Piki, A. (2024). Cultivating self-efficacy to empower professionals’ re-upskilling in cybersecurity. Information and Computer Security, 32(4), 523-541. https://doi.org/10.1108/ICS-02-2024-0038
SunSpec Alliance. (2023). Cyberguardians and STEM Warriors: Final technical report (DE-EE0008759).
Taherdoost, H. (2024). A critical review on cybersecurity awareness frameworks and training models. Procedia Computer Science, 235, 1649-1663.
Tapis, G. P., Church, K. S., & Webb, T. Z. (2020). Preparing for the hybridization of the accounting profession: A CISA boot camp case study. AIS Educator Journal, 15(1), 25-58.
Tran, B., Benson, K. C., & Jonassen, L. (2023). Integrating certifications into the cybersecurity college curriculum: The efficacy of education with certifications to increase the cybersecurity workforce. Journal of Cybersecurity Education, Research and Practice, 2023(2). https://doi.org/10.32727/8.2023.19
U.S. Government Accountability Office (2024). Cybersecurity: Implementation of Executive Orde Requirements is essential to address key actions. https://www.gao.gov/assets/gao-24-106343.pdf
iPhishing: A hacker sends a fake message (such as an email or text) pretending to be someone you trust, like your bank, to trick you into giving away passwords or other personal information.
Spoofing: The fake message looks real because the attacker makes it seem like it came from a trusted email address, phone number, or website. Spoofing is often used to make phishing attempts more convincing.
iiCybersecurity resilience refers to an organization’s capacity to maintain operational continuity, safeguard essential data, and swiftly recover following a cyberattack, system breakdown, or security breach.