Cybersecurity Knowledge Requirements for Strategic Level Decision Makers

Assuring an organization's cyber security posture requires the active involvement of decision makers at all levels, particularly strategic level decision makers such as C-level executives. These leaders have the primary responsibility of initiating security programs, publishing organization-wide security policies and are responsible for the oversight of security policy implementation. It is necessary for these executives to be properly informed, trained, and being provided with the tools required to fulfil their strategic management responsibilities. This study aims to provide a list of topics that would serve as knowledge requirements to be used as a basis for training or cyber exercises addressing strategic level decisionmakers who do not have IT or security background, which is the case in most organizations. First, we conducted a literature review to identify an initial topic list. Then, this list was processed in a card sorting survey in which professionals in the roles of CTO, CIO or CISO were requested to determine the required level of knowledge strategic leaders should ideally have on each topic. The results indicate survey participants are more prone to not excluding any topic regardless of its level of technical expertise. They believe strategic leaders should have, at least, a general understanding and awareness of the topics chosen, even if the topics represent a more technical perspective. A general trend was found wherein topics in which business knowledge intersects with security knowledge were consistently ranked with a higher knowledge requirement, mainly relating to business impact.