3. The landscape of cyber security education and training programmes: The case of England (United Kingdom)

The provision of cyber security education and training programmes in England

In England, the provision of education and training programmes for developing cyber security skills for entry-level jobs (i.e. a job that typically does not require advanced levels of education and training in the field or many years of relevant work experience) takes multiple forms. Training programmes in this field can be offered through formal and non-formal education and training. Formal education, which leads to formal qualifications such as bachelor’s degrees, includes courses and programmes offered by Further Education (FE) and Higher Education (HE) institutions. For this study, programmes at the Master’s level and above are excluded from the analysis (see Box 3.1). Non-formal education and training includes courses outside the formal education system and not leading to a formal qualification but awarding certificates in some cases or, as in bootcamps, leading to a new job outcome.

Depending on where the training takes place, cyber security education and training programmes in England can be classified into work- and classroom-based (see Figure 3.1). Within formal education, the first group includes all the programmes with significant on-the-job training. The training content is typically employer-led, and the on-the-job training is complemented by learning activities offered by a college, university or other training providers. Programmes within this group include apprenticeships.

Figure 3.1. Formal education and training that cover cyber security skills in England

Note: This figure does not include graduate higher education programmes such as master’s and PhD. Qualifications are grouped into different levels. In England, there are nine different levels of qualifications: Entry level (Skills for life) and Levels 1 to 8. Mapped into the International Standard Classification of Education (ISCED), Level 2, Level 3, A-levels, T-levels, intermediate apprenticeships, and advanced apprenticeships correspond to ISCED 3 (i.e. upper secondary education); Level 4 and 5 qualifications correspond to ISCED 5 (i.e. short-cycle tertiary education); Bachelor’s degrees correspond to ISCED 6 (i.e. bachelor’s or equivalent level).

Source: Adapted from information received from the Department for Education.

The second group of programmes are predominantly delivered in school-based settings (including online provision), although they may include some short work placements. In the cyber security field, this group encompasses Level 3 Qualifications,1 T-Levels,2 Higher Technical Qualifications (HTQ),3 and bachelor’s programmes. More details about these programme types are provided in the remainder of this section.

The diversity in cyber security education and training in terms of qualifications, levels and providers allows learners to find the most suitable training for their learning needs. For example, learners with limited background in information and communication technology (ICT) can enrol in introductory training programmes in cyber security – offered mostly at Level 3 (equivalent to ISCED 3, i.e. upper-secondary education) but also including several programmes at Level 2 (equivalent to ISCED 3)4 in the ICT field that provide students with the foundations for engaging in more field-specific training in cyber security. In some cases, cyber security courses may include modules on basic digital skills relevant for progressing into the more advanced parts of the training. For more experienced learners, higher technical qualifications and higher education degrees at Levels 4 to 6 (equivalent to ISCED Levels 5 and 6, i.e. short-cycle tertiary education and bachelor’s programmes) provide various options for developing advanced cyber security skills.

Non-formal education programmes are also part of students’ options to engage in cyber security education and training. Bootcamps, for instance, are flexible courses of up to few weeks or few months, which can be offered by public or private training providers. The Department for Education offers Skills Bootcamps which can be fully funded by the government (these bootcamps supported by the Department for Education are referred to as “Skills Bootcamps” in the remainder of the chapter). These courses provide students with knowledge and skills currently relevant to priority sectors.

Figure 3.2 shows an overview of the provision of cyber security education and training in England, including formal education and training and Skills Bootcamps (non-formal). In 2022, around 890 Skills Bootcamps in digital skills were available, of which 77 were in cyber security (Department for Education, 2022[5]). Two of the 26 apprenticeship standards in digital occupations are specifically for cyber security. Level 3 and T-level qualifications in digital all include cyber security subjects in the core. Various HTQs and Bachelor’s degrees have cyber security content or a cyber security specialisation.

Figure 3.2. An overview of the main cyber security and digital programmes in England

Note: See Figure 3.1 for the details about the levels. All numbers refer to the offer in September 2022. There is no record on the supply of commercially delivered bootcamps, thus this table only includes information from the Skills Bootcamps offered by the Department for Education.

Source: List of Skills Bootcamps training providers from the Department for Education, https://www.gov.uk/government/publications/skills-bootcamps-training-providers; complemented with information from the Association of Colleges and information retrieved from Colleges’ websites on 17 October 2022 and the website ‘Find Apprenticeships’ of the UK Government, https://www.gov.uk/apply-apprenticeship.

Formal education and training: The role of further and higher education

Formal education and training programmes in the cyber security field include higher education programmes (HE) and further education (FE) programmes. FE includes any study after secondary education (post-16) that is not part of higher education (not taken as part of an undergraduate or graduate degree). FE programmes typically equip young people and adults with skills and qualifications that are immediately relevant for the labour market but also allow studying at higher education levels (including higher levels of FE and higher education). Especially in cyber security, FE’s role focuses on providing building blocks for more advanced programmes. Provided that learners have relevant foundational skills, they can progress throughout a cyber security training pathway, allowing them to engage with more complex issues and topics.

FE and HE institutions are essential in providing ICT education and training programmes. According to the Department for Education, there are 510 formal education and training providers in ICT, including FE colleges and HE institutions (Department for Education, 2022[9]). There are 226 different qualifications available in ICT, of which 89 are related to ‘ICT practitioners’ (i.e. a set of programmes within the ICT field providing practical knowledge, skills, capabilities and competencies on information technology, including cyber security)5 – including six that indicate having cyber security in the title. As shown in Figure 3.3, the total number of ‘ICT practitioner’ programmes offered across FE and HE providers amounts to around 2 000, of which only about 120 are in cyber security. The number of cyber security training programmes offered across institutions has slightly decreased compared to 2013-14, but enrolment went up (see next section). One possible explanation is the diversification of training. More and more formal and non-formal education institutions offer non-formal cyber security training, such as bootcamps, which may be correlated with the reduction of formal cyber security training (see below). Moreover, cyber security subjects may be included in broader fields such as computer science or network without being indicated in the programme’s title or qualification.

Figure 3.3. Provision of formal cyber security education and training programmes

Note: The number of programmes corresponds to the number of qualifications times the number of institutions offering them. Refers to programmes leading to a formal qualification only. Panel B is a zoom-in of Panel A focused on cyber security programmes. Cyber security programmes were identified based on the description of the qualification awarded. The programmes that have cyber security content or with cyber security titles are Computer science (cyber security), computing and ICT (cyber security), Technical level IT Networking (Cyber security), Computing (cyber security), Diploma in Information Technology (cyber), Digital and IT (cyber).

Source: OECD computations 2022 using data from the Department for Education, https://www.gov.uk/government/organisations/department-for-education/about/statistics.

Level 2 and 3 FE programmes

Cyber security training at Levels 2 and 3 in FE is typically an introduction to the cyber security field.6 Level 2 courses tend to be generalist in ICT or digital skills. but they include some elements of cyber security in the core content more focused on cyber awareness and cyber security and e-safety. However, some Level 2 courses dedicated to cyber security foundations exist. At Level 2 cyber awareness courses provide the learner with an introduction to cyber security covering areas such as computer systems and the impact of cyber security, information technology for business and the internet of everything, impact of cyber security in the business environment. Since 2020, the number of Level 2 courses in digital skills has increased, expanding students’ chances to engage with cyber security foundational training at an earlier stage (Department for Education, 2022[9]). Figure 3.4 shows a relatively large and growing number of learners in ICT practitioners programmes at that level. Level 3 courses are a common starting point for students to engage with cyber security training within the FE sector. There are a range of quals covering networking and cyber security in a more in depth and focussed way, offering the opportunity to cover areas such as applying networking and cyber security projects, and looking at issues around cloud based solutions, security solutions and surveillance software. These courses are subject-based qualifications equivalent to Advanced level qualifications (A-levels), generally taken after students finish their General Certificate of Secondary Education (GCSE). These courses provide young people and adults with the capabilities needed to be successful in the labour market or go on to study at a higher FE level or the HE level, for example, to pursue a degree at a university in a cyber security-related field.

Figure 3.4. Enrolment in FE programmes in ICT practitioners’ fields, by level

Number of FE students in ICT practitioners’ fields (including cyber security) in 2020-21 and change relative to 2016-17

Note: Volumes are rounded to the nearest 10. The figure does not show the Applicable/Not Known category, which includes qualifications with no level or taken at several levels. The data include Apprenticeships, Community Learning, and Education and Training provision at General Further Education Colleges (including Tertiary), Sixth Form Colleges, Special Colleges (Agricultural and Horticultural Colleges and Art and Design Colleges), Specialist Colleges and External Institutions. The number of students at Level 6 and Level 7 is 20.

Source: UK Education Statistics, https://explore-education-statistics.service.gov.uk/data-tables/permalink/27cbce98-f34f-4f6f-3300-08dac71eb496.

Table 3.2 shows a sample of the FE programmes for students at Levels 2 and 3. Most Level 2 and 3 programmes offer an “introduction”, “principles”, or “essentials” of cyber security, indicating that learners will develop foundational knowledge in the field. There are also a considerable number of Level 2 and 3 qualification courses that include cyber security as a module (e.g. computer science) (DCMS, 2019[7]), since programmes at these levels are typically meant to be broader and less specialised.

Introductory cyber security skills are also developed within T-level programmes. T-levels are two-year, career-focused qualifications and one of a number of post-16 education options in England, alongside A-levels and apprenticeships. T-level students spend 80% of the course in their learning environment, gaining the skills that employers need. The other 20% is a meaningful industry placement, where they put these skills into action (Department for Education, 2023[10]). T-levels are available at selected colleges, schools and other providers across England. The courses are usually developed in collaboration with employers and education providers, so the content meets the needs of industry and prepares students for entry into skilled employment or further learning (including apprenticeships or programmes in further or higher education). T-levels are relatively new in the English education system. In 2023, there are over 20 T-level subjects and more being rolled-out in future years. There are three Digital T-levels available “digital business services”, “digital production, design and development”, and “digital support services”. The digital support services T Level includes technical aspects of internet security, digital environment and cloud environments and security testing software as part of the core content. Career options upon completion might include becoming an infrastructure technician or a role in IT security support (HM Government, 2022[11]).

Table 3.2. Sample of Level 2 and 3 FE programmes in England
Programmes/course title	Description
Level 2 Principles of cyber security certificate	Qualification ideal for learners who wish to build a strong foundation of knowledge in cyber security. Among other topics, it covers an Introduction to cyber security, the terminology used in cyber security, common Threats and Maintaining.
Level 2 Certificate in Cyber Security and Digital Forensics	A practical and multi-modular course that covers many areas of new emerging technologies. Students learn by completing industry-focused digital projects while developing the technical and transferable skills required to work in this sector. Course topics include development, cyber security, networking, and cloud technologies.
Level 2 Certificate in the Principles of Cyber Security	This foundational online course is available for anyone looking to increase their understanding of computing, specifically how to keep themselves and their work secure.
Level 3 Northern Council for Further Education (NCFE) certificate in Cyber security basics	A qualification designed to provide learners with knowledge and skills in cyber security practices. Learners can develop knowledge and skills about cyber security practices to seek employment or further study.
Level 3 Certificate in Principles of cyber security	This qualification is designed to provide learners with sector awareness. It increases the knowledge and understanding of roles and issues relating to cyber security. This qualification aims to focus on the study of cyber security principles and offer breadth and depth of analysis, incorporating essential critical core of cyber security knowledge. The training covers Introduction to cyber security, relevant terminology, common threats and maintaining.
Level 3 Diploma in Networking and Cyber security	This course suits anyone looking to develop their understanding of Digital Technologies, specifically Networking and Cyber security. The course covers access control, data communications, ethical hacking, network management and network threats and vulnerabilities.
Source: Websites of the following FE colleges: Bath college (https://bathcollege.ac.uk/course/view/2720/principles-of-cyber-security-certificate-l2-22-23), Derwentside college (https://www.derwentside.ac.uk/school-leavers/courses/digital-technology/), Northhampton college (https://www.northamptoncollege.ac.uk/courses/computing-it/level-2-certificate-in-the-principles-of-cyber-security), East Sussex College (https://www.escg.ac.uk/courses/computing-ict/software-practice/cyber-security-basics-cert-l3-73973/), Macclesfield college (https://macclesfield.ac.uk/courses/certificate-in-the-principles-of-cyber-security/) and West Thames college (https://www.west-thames.ac.uk/courses/computing-and-ict/253-level-3/1617-gateway-level-3-diploma-in-networking-and-cybersecurity). Information accessed on 23 October 2022.

Higher technical education (Levels 4 and 5)

Higher technical education allows learners to develop cyber security skills at more advanced levels (Levels 4 and 5, equivalent to ISCED 5). As shown above, enrolment in Level 4 and 5 ICT programmes in FE is relatively low. In 2020, the DfE approved the higher technical education reform to improve the quality and labour-responsiveness of higher technical education (Department for Education, 2020[12]). As a result, in September 2022, the first cycle of new or existing Level 4 and 5 qualifications, meeting occupational standards for the digital sector, was approved by the Institute of Apprenticeships and Technical Education and launched as Higher Technical Qualifications (HTQs).

According to the Institute for Apprenticeships and Technical Education (IfATE), there are 31 HTQs in the digital field, of which 12 are offered in cyber security or include a cyber security specialisation (IfATE, 2022[13]). Table 3.3 shows a sample of HTQs in cyber security provided in England in the academic year 2022-23. The core content of the courses is more advanced and field-specific than the programmes at Levels 2 and 3. The courses cover computer forensics, networking and software systems, applied cryptography and information security management. Alongside these new HTQs, a range of other Level 4 and 5 qualifications exist, including some with a cyber security specialisation.

Table 3.3. Sample of cyber security-related Higher Technical Qualifications (Level 4 and 5) courses provided by FE Colleges and HE institutions
Programme/course title	Description
Level 5 Foundation degree in cyber security (HTQ)	This course emphasises the essential hands-on knowledge and skills demanded by employers. Learners can develop practical skills in computer forensics and implementing secure networks. Additionally, learners can explore networks and learn about scripting, ethical hacking, attacking and defending infrastructures and operating systems such as Linux.
Level 5 Foundation degree in Digital Technology (Cyber security) (HTQ)	This course provides an overview of computing and information security principles to support business needs using current, industry-standard technologies and approaches, with a strong focus on problem-solving. This course covers fundamentals of computer hardware, networking, and software systems to the organisational and legal aspects of managing information security, with practical, hands-on experience via our custom-designed virtual cyber security lab.
Level 4 in Computing (Cyber security) (HTQ)	This is a full-time programme which comprises eight modules studied over one year. Learners can develop a range of specialist skills to meet the demands of employers. The course covers computing fundamentals, programming, networking, professional practice, database design and development, security and planning a computing project. In addition, the system includes a mandatory specialist unit on cyber security.
BTEC Level 4 in computing (Cyber security) (HTQ)	This programme is a specialist pathway focused on Cyber security. Learners can achieve an industry-recognised HND, enhancing career prospects and employability. The course content includes programming, networking, professional practice, database design and development, security, planning a computing project, cyber security, website design and development, computing research project, business process support, applied cryptography in the cloud, forensics, and information security management. Upon completing this course, learners can use to study for an additional year to gain a full BSc (Hons) degree and progress to a university.
Source: Website of the following FE colleges: University Centre Leeds (https://ucleeds.ac.uk/), York College (https://www.yorkcollege.ac.uk/study/foundation-degree-fd-digital-technology-with-cyber-security), Tameside College (https://www.tameside.ac.uk/pages/course_info.aspx?x=178508), and Bedford College (https://bedfordcollegegroup.ac.uk/courses/computing-cyber-security-hnd-full-time-fa073/). Information retrieved on 30 October 2022. BTEC stands for the Business and Technology Education Council.

Higher technical education is delivered by FE and HE providers. In addition, Institutes of Technology (IoTs) play an important role in providing higher technical education and training across a range of STEM occupations and industries. IoTs are a collaboration between FE providers, HE institutions and employers. They specialise in delivering employer-led training programmes, reacting quickly to an area’s current and evolving technical skills needs. Among 15 specialisms, IoTs offer courses in digital and IT fields, including cyber security. Although most of the training programmes provided by IoTs are at Levels 4 and 5 (including HTQs), some of them also include courses at lower levels (T-levels and Levels 2 and 3) covering most of the FE training building blocks for the cyber security profession (see Table 3.4).

Table 3.4. A sample of cyber security-related courses offered by an Institute of Technology
Programme/course title	Description
T-Level in Digital Support Services	This T-Level in Digital Support Services is for those who want to progress to work in front-line technical or hardware and software support, cloud technologies, or data or IT business analysis.
Level 3 Advanced apprenticeship Information Communication Technician (including a cyber security specialised role)	This Information Communication Technician apprenticeship offers the opportunity to prepare for a role in the industry whilst gaining real-life experience in a working environment with an employer. The cyber security specialism covers the following subjects: Information technology systems, programming, introduction to networking and security management.
FdSc Cyber Security (HTQs)	The programme aims to meet the complex and organic needs of the computing and IT sector by providing appropriately trained, qualified and skilled staff with the requisite knowledge, competence and understanding of cyber security threats and protective measures.
Level 4 Higher Apprenticeship cyber security Technologist (Higher apprenticeships)	In this course, learners develop an understanding of cyber threats, hazards, risks, controls, measures and mitigations to protect organisations’ systems and people. This programme offers two roles for specialisation within the cyber security field: Technical role and risks analysis role. Students can progress to the BSc (Hons) Digital Technology Solutions (Top-up) degree apprenticeship or BSc (Hons) Cyber security (Top-up)
BSc (Hons) Cyber security (Top-up) (HE programme)	This programme is designed to provide learners with the skills and knowledge to become a professional computing practitioner specialising in Cyber Security. Learners will study Ethical Hacking, The Cyber Security Landscape, and Principles of Computer Forensics and will complete various projects.
Source: Website of the North East Institute of Technology (https://neiot.ac.uk/subjects/digital). Information retrieved on 11 November 2022.

Higher education degrees (Undergraduate programmes)

At the higher education (undergraduate) level, students can opt for a technical or non-technical route into cyber security. Within the technical route, which is the focus of this study, there are two broad options at the undergraduate or bachelor’s level: cyber security programmes (e.g. cyber security, cybernetics, digital forensics, etc.) or other programmes with a cyber security specialisation. The latter include, for example, programmes in computer science with cyber security specialisation (e.g. ‘Computer science with cyber security’), and other STEM programmes with a cyber security focus – the most common ones being mathematics or engineering (e.g. Engineering with cyber security) (DCMS, 2019[7]). Non-technical courses can offer a module or specialisation in cyber security, such as Management, Business Studies or Psychology in cyber security- these are outside the scope of this report.

Programmes vary in the extent to which the content is field-specific, providing a variety of options for students with different preferences, needs and backgrounds. Some programmes have a modular approach, covering a wide range of ICT-related topics and competencies in the first year to build the foundations for more specific (and advanced) cyber security subjects later on. At the University of Royal Halloway, for instance, students can undertake courses on generalist ICT subjects, including ‘software design’, ‘machine fundamentals’ and ‘operating systems’ during the first year, allowing them to develop the fundaments required for more specialised subjects covered during the second year. Some other programmes are heavily focused on cyber security from the start and cover more specialised cyber security subjects in the following years. For instance, at the University of Warwick, students can undertake foundational courses in the cyber security field, such as security and information risk management, during the first year already, and more advanced courses, such as ‘cyber security incident management’ and ‘data science and complexity in the cyber context’, during the last two years of study.

The cyber security field in higher education is a relatively new discipline (DCMS, 2019[7]). However, it is attracting more students every year. The number of undergraduate programmes in cyber security (96) compared to computer science (694) is low, as is the number of students enrolled in this field (see Table 3.5 and Figure 3.5). However, among all ICT fields, cyber security has the highest student growth rate. During 2020-21, 5 900 students pursued a cyber security higher education degree, 30% more than the previous academic year (see Figure 3.5).

Table 3.5. Number of cyber security and computer science programmes provided by universities in England (2022-23)
Number of programmes provided by universities by type of qualification
Qualifications	Computer science	Cyber security
Bachelor’s	620	78
Other qualifications	74	18
Total	694	96
Note: Numbers include all programmes offered by universities below the master level. Cyber security figures also include cyber crime and forensics and programmes in computer science with cyber security specialisation. Numbers are based on UCAS’ programme finder. Other qualifications include HND and HNC (Levels 4 and 5) offered by universities.
Source: Universities and Colleges Admission Service (UCAS), https://www.ucas.com/, (information retrieved on 11 November 2022).

Figure 3.5. Enrolment in ICT fields in higher education

Enrolment for the academic period 2020-21 and percentage change compared to 2019-20

Note: All students enrolled in higher education in programmes below the master’s level with HECoS codes between 100 358 and 100 378 (ITC fields) in England are included in this figure. Other ICT fields include information technology, applied computing, business computing, business information system, creative computing, web and multimedia design, geographical information system and internet technologies, which account for less than 5% of the total enrolment. Data refer to rounded totals.

Source: Higher Education Statistic Agency (HESA), https://www.hesa.ac.uk/data-and-analysis/students/table-52.

Apprenticeships

Apprenticeship is another option to prepare for entry-level cyber security jobs. Apprenticeships combine practical training on the job with off-the-job training, allowing apprentices to gain job-specific skills while working alongside experienced staff from the sector in addition to the more theoretical aspects of cyber security. Students can participate in apprenticeships at various levels – depending on their previous experience, their knowledge in the field, and -in some cases- their prior qualifications. There are three cyber security apprenticeship qualifications approved: Cyber security technician at Level 3 (intermediate), cyber security technologist at Level 4 (advanced) and cyber security technical professional at Level 6 (degree level).

FE providers and HE institutions provide the off-the-job component of the apprenticeship. Academic entrance requirements to apprenticeships are broadly similar to those of classroom-based FE or HE programmes, with typically additional criteria added by employers as part of the recruitment process. Table 3.6 shows some examples of apprenticeship postings in the cyber security field. Based on these examples, employers seek candidates with technical aptitude and good all-around skills, such as attention to detail, communication, problem-solving and work ethic, among others.

Table 3.6. A sample of cyber security apprenticeship openings (employer postings)
Programmes/course title	Sector	Apprenticeship posting information	Qualifications required
Level 3 Cyber security technician (Intermediate)	Finance	The Cyber and Security team are central to defending the bank, so the apprentice will have the opportunity to play a key part in keeping customers, clients and colleagues safe in a world entire of 21st-century digital threat. Defending the bank can be reactive or proactive. Whether placed in strategic intelligence, operational or tactical, the apprentice will be given all of the resources needed to kick-start a career in one of the most impactful areas of the bank.	5 GCSEs at A*-C (9-5), including Maths and English (or equivalent)
Level 4 Cyber security technologist qualification. (Advanced)	Social Service	Apprentices will be involved in all aspects of Cyber Security and be the escalation point for all Cyber Security-related issues. As the Cyber Security Analyst, the apprentice will undertake security assessments, manage any security Incidents, and be involved in all security-related tasks: Improving security for web applications, web servers, application technologies, frameworks and protocols concerning application development and deployment; and managing and advising on endpoint security and email filtering.	GCSE or equivalent Higher-Level Apprenticeship (Grade Level 2) desired
Level 6 cyber security technical professional. (Higher or Degree)	Media	Cyber security apprentices will advise on best practices, deal with threats, and manage potential cyber attacks across the company globally. Working with other teams, the apprentice will develop skills and knowledge to perform security risk assessments for a range of IT and Production systems and propose solutions jointly with other specialists.	A minimum of BBB A Levels or a DDM BTEC in a relevant subject; Maths and English GCSEs or Standard at 9-4 (A-C) or equivalent
Note: When retrieving the information from the UCAS website, there were 37 apprenticeship postings in cyber security fields. This table only presents one for each level of qualification.
Source: Universities and Colleges Admission Service (UCAS), https://www.ucas.com/ (information retrieved on 11 November 2022).

While apprenticeships in the cyber security field are available at different levels of qualification, most apprentices participate in higher programmes (Level 4 and above). Enrolment in apprenticeships increased strongly in the last five years (see Figure 3.6). In 2020-21, 4, 100 and 360 learners completed intermediate, advanced and higher apprenticeships, respectively, in this field. Additionally, the number of students in higher apprenticeships in cyber security has increased substantially compared to 2016-17 (by 2.5 times, see Figure 3.6). Nonetheless, the absolute numbers remain relatively low – especially at the intermediate-level. According to the University and College Admission Service (UCAS) portal, in November 2022, 37 cyber security apprenticeship positions were posted, of which only three were offered at an intermediate level.7

Figure 3.6. Apprenticeships starts in cyber security by the level of qualification

Number of apprenticeship starts in cyber security in 2016-17 and 2020-21

Note: Intermediate and Advanced apprenticeships in cyber security have only been on offer since 2018-19. The term ‘starts’ refer to number of new people starting an apprenticeship each year. More detailed information about the number apprenticeships starts can be found in this link: GOV.UK, Further education and skills statistics: methodology, Methodology: Explore education statistics, https://explore-education-statistics.service.gov.uk/methodology/further-education-and-skills-statistics-methodology.

Source: UK Education Statistics, https://explore-education-statistics.service.gov.uk/data-tables/permalink/765f8afa-19b3-4fb3-c74d-08dac7ae389f.

Non-formal training: The characteristics of training outside the formal education system

In addition to formal education and training, young people and adults in England can participate in cyber security training outside the formal education system. These non-formal courses do not lead to a formal qualification, although a certificate can be awarded in some cases. Bootcamps are one particular form of non-formal training in England, mostly offered by independent training providers but also by universities and further education colleges.

Bootcamps

Bootcamps are intensive skill development programmes that cover topics highly relevant to a specific sector, such as cyber security (Learn21, 2022[14]). These short courses can take a few weeks or a few months to complete and aim to provide training as a starting point for an absolute beginner or custom advanced learning for candidates through a selection process. Bootcamps are job-oriented and give the opportunity to build sector-specific skills and, in some cases, fast-track to an interview or progress in their current role. In England, cyber security bootcamps are offered by public and private training providers covering a wide range of topics at several difficulty levels. They can be fully funded by the government after meeting eligibility requirements (e.g. Department for Education Skills Bootcamps) or can be fully or partially covered by learners.

The Department for Education Skills Bootcamps (in the remainder of the chapter referred to as Skills Bootcamps) are free, flexible courses of up to 16 weeks at Levels 3-5, available in England, giving people the opportunity to build up sector-specific skills and fast-track to a job interview with a local employer once the training is completed (Department for Education, 2022[15]). The courses are open to adults aged 19+ who have the right to work in the United Kingdom, live in England and meet residency requirements. Some Skills Bootcamps have additional eligibility criteria. They are available in several subjects and sectors, including (as of January 2023) digital, technical, construction, logistics, and green skills, with the scope to expand into a wider range of sectors. Skills Bootcamps are designed for adults who want to upskill quickly to work in specific sectors (e.g. cyber security or construction) or for those who wish to gain in-demand skills applicable to multiple areas (e.g. digital skills). Skills Bootcamps are co-designed with employers, providers, and local authorities to respond to skills shortages, and course subjects vary according to needs in each local area. In 2021-22, 16 120 people participated in Skills Bootcamps, with further expansion of learner numbers planned in the coming years covering multiple subjects.

Skills Bootcamps in the digital field are delivered both online and in-person in a range of subjects, including digital marketing, software engineering, cloud services engineering, coding, social media and digital leadership and cyber security (Department for Education, 2021[16]). Further expansion is planned for digital Skills Bootcamps.

Within cyber security Skills Bootcamps, a range of subjects is covered, including ‘cyber technician’, ‘cyber security’, ‘cyber technologist’, ‘cyber security operations and technology’, ‘networking and cyber security’. This type of training aims to promote an understanding of the core principles and knowledge involved in providing a secured business, responding to cyber incidents, reducing the risk of data breaches or managing cyber threats (see some examples in Table 3.7). Cyber security Skills Bootcamps are available across the country, with the largest numbers being offered in the North-west (e.g. Chester) and West Midlands (e.g. Birmingham) and South-west (e.g. Cheltenham) (See Figure 3.7).

Table 3.7. A sample of Skills Bootcamps in cyber security available in 2022
Course	Description	Provider
Skills Bootcamp in cyber security fundamentals	A flexible 8-week course in cyber security fundamentals for learners looking to upskill or change their career path to a growing area by learning about the modern cyber security landscape. Learners will develop knowledge in areas such as the cyber threat landscape, organisational cyberculture, incident response, and digital forensics.	Aston University
Skills Bootcamp in cyber security	The primary objective of this Skills Bootcamp is to promote an understanding of the core principles, knowledge, behaviours and skills involved in providing, managing and sustaining an environment that facilitates Secure Business Operations. This Skills Bootcamp will also aim to focus on an awareness of the impact of Cyber Security issues on businesses, the communities in which they operate, and other more significant global problems.	Purple beard LTD
Skills Bootcamp in cyber security (cyberoperations)	This 16-week online course covers in-depth knowledge, hands-on experience and skills in Cyber Security. It is designed to help Security Analysts working in a Security Operations Centre successfully handle their tasks, duties and responsibilities. This Skills Bootcamp allows learners to understand different cyber security threats, reduce the risk of data breaches and device compromise, effectively use up-to-date cyber security protection mechanisms, and improve their cyber security practices.	Birmingham city university
Source: Websites of the following providers: Aston University (https://www.aston.ac.uk/study/courses/skills-bootcamp-cyber-security-fundamentals), Purple beard LTD (https://purplebeard.co.uk/individuals/skills-bootcamp/cyber-security/), and Birmingham city university (https://www.bcu.ac.uk/courses/cyber-security-short-course). Information retrieved on 30 October 2022.

Figure 3.7. Number of Skills Bootcamps in cyber security available in England, by region in 2022

Note: This figure includes in-person and online Skills Bootcamps. For online programmes, the region is defined by the provider’s location.

Source: Department for Education, https://www.gov.uk/government/publications/skills-bootcamps-training-providers.

Online learning and short courses

Beyond bootcamps, the non-formal education and training sector includes a wide range of low-cost or free online modules and courses that individuals can undertake in their own time. Whilst these modules may not always contain a direct certification, they provide interesting and accessible opportunities for skills development and could facilitate access to further training.

Universities and FE colleges have also expanded their portfolio of non-formal training programmes providing online or blended courses through their website (e.g. University of Manchester) or joining existing platforms (e.g. the University of London in Coursera), especially for courses on digital skills. The list of online courses on digital skills offered through online platforms is long, and a comprehensive overview of those courses falls outside the scope of this study. Nonetheless, Box 3.2 provides some insights based on information from the most popular e-learning platforms in the United Kingdom.

Further, many dedicated cyber security training organisations have been set up in the England in recent years to help grow the cyber security recruitment pool through non-formal training. For example, Immersive Labs provides an interactive training platform for cyber security skills, with hands-on gamified labs that enable new and experienced individuals to learn new capabilities (Immersivelabs, 2022[17]). Another example is CAPSLOCK, which offers a cyber academy model for re-training individuals in a new cyber security career. With an Income Share Agreement, individuals only have to repay their tuition costs once they earn over GBP 27 000 per annum. This model requires a 16-week full-time or 26-week part-time programme. In 2021, CAPSLOCK intended to reskill 200 adults into cyber security (CAPSLOCK, 2022[18]).

Box 3.2. Online courses in digital skills: Insights from e-learning platforms

Looking at the most popular e-learning online platforms in the United Kingdom (Coursera, EdX, LinkedIn Learning, Udemy, FutureLearn and Skillshare) (Hosting Data UK, 2022[19]), the number of online courses offered in digital skills or computer science reaches almost 20 000 (See Table 3.8). 40% of the total provision of online courses is in the digital field. In cyber security, the options are more limited. Udemy is the online platform that hosts most cyber security online courses (4 898 courses available at the moment of the search in September 2022), and they are available at different levels, prices, and estimated times for completion. Learners with no experience in the field can enrol in courses such as ‘The beginners guide to practical cyber hacking skills’ or ‘Essential concepts in cyber security’. For learners with more experience, there are options such as ‘Networking cyber security advanced’ or ‘Cyber security CCE certification’.

Table 3.8. Online short courses offered in English on a selected set of e-learning platforms
Online training provider / Platform	Total number of training courses (approx.) *	Total number of courses offered in digital skills and computer sciences	% Out of the total number of courses offered	Total number of courses offered in cyber security	% Out of the total number of courses offered in computer sciences
Coursera	4 600+	3 491	76	124	4
EdX	3 000+	349	12	58	17
LinkedIn Learning	16 000+	4 113	26	530	13
Udemy	97 000+	10 000	10	4 898	49
FutureLearn	3 100+	335	11	46	14
Skillshare	20 000+	960	5	NA	NA
Total*	143 700+	19 248	40	5 656	31
Note: The numbers for digital and computer science and cyber security were retrieved from each platform course finder. The filters available by default were used for the number of digital and computer science courses. For the number of cyber security courses, “cyber security” word combinations were used in each platform’s search engine after filtering by digital and computer science fields.
Source: Information collected online directly from providers’ platforms on 23 September 2022. The total number of training courses is taken from multiple websites: Coursera and Udemy information comes from https://www.thinkimpact.com/; Think Impact (2021[20]), Skillshare review, https://www.thinkimpact.com/skillshare-review/; EdX (2021[21]), Accelerating our movement: 2021 EdX impact report, https://www.edx.org/assets/2021-impact-report-en.pdf; and LinkedIn learning (2022[22]), Workplace Learning Report – The transformation of learning and development, https://learning.linkedin.com/resources/workplace-learning-report; information comes from their website and statistics reports.

The profiles of cyber security learners

Young and adult learners in cyber security programmes

Cyber security education and training programs are available for learners of all ages and with varying ICT skills and experience levels. Looking at the “ICT practitioners” field, which includes cyber security courses, much of the FE enrolment is concentrated among 19 to 24-year-olds (42% in 2020-21). Most of the learners from that age group are enrolled in programmes at Level 3, where this age group accounted for 80% of the total enrolment in 2020-21. As described above, these Level 3 programmes are more specialised than those offered at lower levels. Furthermore, young learners are more likely to engage with advanced ICT training in FE at Levels 4/5 and 6/7 than their older counterparts – although the absolute numbers remain very low. Among those who participate in more advanced FE ‘ICT practitioners’ training, 62% are young students (out of 130 learners).

Figure 3.8. Enrolment in ‘ICT practitioners’ FE programmes in 2020-21, by the level of qualification and age group

Note: Volumes are rounded to the nearest 10. The data include Apprenticeships, Community Learning, and Education and Training provisions taken at General Further Education Colleges (including Tertiary), Sixth Form Colleges, Special Colleges (Agricultural and Horticultural Colleges and Art and Design Colleges), Specialist Colleges and External Institutions.

Source: UK Department for Education, https://explore-education-statistics.service.gov.uk/data-tables/permalink/5ac27a8f-1413-4b14-c759-08dac7ae389f.

Compared to 2015-16, the number of young learners participating in FE ICT training programmes has increased by 15%, which may reflect the efforts of the UK Government to attract more young people into digital and cyber security careers (DCMS, 2018[23]). Since 2016, the DCMS, jointly with the National Cyber Security Centre (NCSC), has put in place initiatives for strengthening the national curriculum for 4-16 years old to provide young people with the initial building blocks required for more technical careers, developing broader digital skills that are increasingly vital to engaging and working in cyber security (DCMS, 2018[23]).

The vast majority of adults aged 25 or older are in FE training programmes offered at Level 1 and Level 2: in 2020-21, 8 820 adults aged 25 or older participated in ‘ICT practitioner’ courses, of which 65% in Level 1 and 2 training programmes (see Figure 3.8). Most courses offered at Levels 1 and 2 focus mainly on foundations in ICT – which can be essential for greater ownership of learning in higher-level courses. For example, Pearson Education Ltd., an independent training provider, offers an Introductory Information Technology course (Level 1), completion of which is a requirement for the Level 3 cyber security course offered by the same provider.

Enrolment in higher education undergraduate programmes in cyber security-related fields is more concentrated among older cohorts, possibly indicating the need for previous experience, knowledge or a specific level of ICT skills in the field. More than 9 500 students aged 25 or older enrolled in information technology programmes (which include cyber security), accounting for 67% of the entire enrolment in this field. This contrasts with what can be observed in other computing programmes, where the share of learners aged 25 or older in total enrolment equals 15% on average (see Figure 3.9). Programmes such as ‘computer science’ (57%) and ‘software engineering’ (52%) have a significantly higher proportion of young people (below 25) than information technology programmes (32%).

Figure 3.9. Enrolment in computing fields in higher education, by age group and field

Number of students in undergraduate computing programmes

Note: All students enrolled in higher education in programmes below the master’s level with Common Aggregation Hierarchy CAH equal to “11” referring to ‘Computing’ are included in this figure. ‘Information technology’ contains cyber security related fields.

Source: HESA, https://www.hesa.ac.uk/data-and-analysis/students/what-study/characteristics.

Bootcamps, in general, are designed particularly for individuals looking to upskill or reskill, including in cyber security. According to consulted stakeholders, the age profile of learners in these programmes is very diverse. Moreover, there is also large diversity in the occupational status of learners and their level of expertise. For instance, in cyber security Skills Bootcamp programmes provided by Generation, an independent training provider, most students are unemployed or with no experience in the cyber security sector but willing to acquire sector-relevant skills and participate in the recruitment process (Generation, 2022[24]). Conversely, SANS, an independent training provider, offers an “Upskill in cyber” bootcamp, a commercially delivered bootcamp in cyber security, to learners who are new to cyber security but have the knowledge and skills necessary for a practitioner in key areas of computer, information and software security (SANS, 2022[25])

The diversity of the learners in cyber security education and training programmes

Women and ethnic minorities are underrepresented in ICT education and training programmes, with cyber security programmes likely having a similar distribution as the broader ICT field. In FE, the proportion of females in the ICT field is only 21% (see Figure 3.10). ICT has the lowest share of female learners compared to other STEM fields. The share of Black and Asian learners in this field is 16% and 19%, respectively (see Panel B of Figure 3.10), which is relatively low compared to FE in general (18 and 23%, respectively, in 2021/22). Consulted stakeholders confirmed that cyber security education predominantly enrols white and male learners. This reflects the persistence of stereotypes and sociocultural factors that undermine cyber security roles among both girls (IET, 2018[26]) and young people of colour in the United Kingdom (Royal Society, 2020[27]), in addition to inequities that are perpetuated in the workplace through sizeable pay gaps between women and men in STEM jobs and across racial and ethnic groups (Fry, Kennedy and Funk, 2021[28]). It highlights the need to break stereotypes and tackle entry barriers (e.g. financial constraints).

Figure 3.10. Distribution of the enrolment in ‘ICT practitioners’ programmes in FE, by students’ characteristics in 2021/22

Note: The data include Apprenticeships, Community Learning, and Education and Training provision taken at General Further Education Colleges (including Tertiary), Sixth Form Colleges, Special Colleges (Agricultural and Horticultural Colleges, and Art and Design Colleges), Specialist Colleges and External Institutions.

Source: UK Department for Education, https://explore-education-statistics.service.gov.uk/data-tables/permalink/998fe7ef-45cc-44ab-c7ac-08dac7ae389f.

The lack of diversity in cyber security education and training enrolment is similar to what is observed in the related occupations in the labour market, especially for gender. The cyber security workforce in England is mostly male: in 2021, 78% of cyber security professionals were men. There is evidence that overall cyber security sector diversity has improved (both in terms of gender and ethnicity); however, it remains behind overall digital sector in this regard (DCMS, 2022[29]). The cyber security profession is becoming more diverse in multiple dimensions. The proportion of women, ethnic minorities and people from a low socio-economic background in the cyber security workforce has increased in recent years (See Box 3.3), mainly due to policies and strategies implemented by the UK Government. For instance, In 2021, the government mandated the creation of the UK Cyber Security council, an institution that has been focused in identifying and promoting best practices and policies to increase outreach and diversity in the cyber security profession (UK Cyber Security Council, 2023[30]).

Box 3.3. Diversity in the cyber security profession

In terms of gender diversity, the cyber security sector has improved over the course of the last three years in England (DCMS, 2022[29]). Yet, women remain underrepresented in this sector. In 2022, the share of female workers in the cyber security sector was 22%, higher than in 2020 (15%) (See Figure 3.11, Panel A). In terms of the senior workforce (i.e. with 6+ years of experience), the lacks gender diversity in the cyber security field is even more outspoken: only 13% of the senior professionals workers in this field are female. Cyber security remains behind other digital sectors regarding gender diversity(See Figure 3.11, Panel B), as the proportion of women working in the digital industry is 30%.

Figure 3.11. Share of female workers in the cyber security field

Source: DCMS (2022[29]), Cyber security skill in the UK labour market 2022, https://www.gov.uk/government/publications/cyber-security-skills-in-the-uk-labour-market-2022; DCMS (2021[31]), Sector Economic estimates 2021: Employment 2019 to June 2021, https://www.gov.uk/government/statistics/dcms-sector-economic-estimates-2021-employment-2019-to-june-2021.

With respect to other underrepresented groups, the proportion of ethnic minorities working in the cyber security sector has increased in recent years, going from 16% in 2020 to 25% in 2022. Notably, the cyber security sector has done a better job at integrating workers from ethnic minorities than the digital sector. The share of ethnic minorities in the digital sector workforce is only 15% (DCMS, 2022[29]). In terms of socio-economic diversity, in 2021, 16% of the cyber security workforce came from a background where they were eligible for free school meals (FSM). This is slightly lower than in 2020 (17%) (NCSC, 2021[32]).

Source: DCMS (2022[29]), Cyber security skill in the UK labour market 2022, https://www.gov.uk/government/publications/cyber-security-skills-in-the-uk-labour-market-2022; NCSC (2021[33]), Decrypting diversity: Diversity and Inclusion in cyber security, https://www.ncsc.gov.uk/files/KPMG-and-the-NCSC-Decrypting-Diversity-2021-report.pdf.

Enrolment in ICT fields in higher education echoes what is found in FE. Figure 3.12 shows the percentage of students who identify as female or as a particular race/ethnicity in the computer science field, which includes cyber security. The share of females participating in computer science (18% in 2020-21) is low compared to other fields (57% across all fields in 2020-21). Although the participation of female learners in the field has improved slightly in the last five years (1.3 percentage points more than in 2015-16), computer science is still male dominated. Racial/ethnic minorities account for 24% of total enrolment in computer science, in line with what is observed in other fields. The share of Asian learners is higher in computing programmes than on average across all programmes in HE institutions. Compared to the 2015-16 academic year, the percentage of racial/ethnic minorities has gone up, which may reflect the affirmative action policies implemented in the last years in higher education to expand diversity in computer science (Office for Students, 2022[34]). However, the lack of racial/ethnic diversity in FE and HE remains a challenge not only in the cyber security field but in the entire education system (Oxford University, 2019[35]).

Figure 3.12. Enrolment in computing programmes in higher education institutions, by students’ characteristics

Percentage of students in undergraduate programmes

Note: The residual category for gender is male and unknown; unknown accounts for less than 2%. The residual category for ethnicity is ‘white people’ and ‘unknown’; ‘Unknown’ accounts for less than 3%. All students enrolled in higher education in programmes below the master’s level are included in this figure.

Source: HESA, https://www.hesa.ac.uk/data-and-analysis/students/what-study/characteristics.

The lack of diversity in the field – particularly for gender – may reflect stereotypes embedded among young people at early ages. Such stereotypes and misconceptions about cyber security careers affect career expectations and, thus, career choice, which may perpetuate current figures in terms of gender diversity in the cyber security profession. Across OECD countries, 15-year-old old boys are more likely to expect to work in science and engineering than girls (OECD, 2019[36]). In 2018, on average across OECD countries, the ‘ICT professionals’ occupation was among the top three occupations aspired by 15-year-old boys, while for girls it was not among the top 10 (OECD, 2020[37]). These occupational expectation differences by gender have changed little since 2000 (OECD, 2019[36]).

Education and labour market outcomes of cyber security education and training programmes

Looking at computer science students’ outcomes, including cyber security programmes, 8 out of 10 students who enrol in computer science education and training complete their studies. Yet, completion rates vary according to the type of training; see Panel A of Figure 3.13. Computer sciences apprenticeships, for instance, have higher completion rates compared to more classroom-based programmes (Level 4/5 and undergraduate programmes). This highlights the relevance of work-based learning in the ICT sector, providing labour market-relevant knowledge and skills of technical and job-specific nature. Additionally, Level 4/5 and undergraduate computer science programmes have a lower completion rate than other ICT programmes. Results from a student survey suggest that the high dropout rate in this field compared to other ICT fields is mainly because students “feel they are not getting enough for their money”, lack of enjoyment studying the field, and the field being consider too hard (Tech target, 2019[38])

Figure 3.13. Completion and progression rate in computer science, by type and qualification level

Completion and progression rate during the academic period 2020-21 in England

Note: These figures include information from FE and HE institutions registered in OFS, which account for more than 750 providers in England. Computing contains cyber security programmes. The apprenticeship category consists of Level 4 and Level 6 apprenticeship programmes. The student outcomes data dashboard shows continuation, completion and progression outcomes. The completion measures count as positive outcomes for those students who have either: (a) Gained a higher education qualification from the provider at which they were previously identified as an entrant on or before the relevant census date; (b) –been recorded as actively studying for a higher education qualification at the same provider on the census date. The progression measures count as positive outcomes for those students who report in their response to the Graduate Outcomes survey 15 months after gaining their qualification: (a) paid worker, employer, self-employment, running business, voluntary/unpaid work if it is managerial or professional employment; (b) engaged in training, study or research, travel, caring for someone, or retired. Level 4 and 5 completion rate do not represent all Level 4 and 5 provision and tend to be disproportionately skewed towards higher education providers offering Level 4 and 5 programmes.

Source: Office for Students (OFS), Students outcome data dashboard, https://www.officeforstudents.org.uk/data-and-analysis/student-outcomes-data-dashboard/data-dashboard/.

In computer science in general, which includes cyber security education and training programmes, almost nine out of ten students, after completing their degree, enter the labour market or pursue further education. This ratio is the highest for students who complete apprenticeships (97%). Students who complete a first degree (undergraduate programme) have more chances to progress to a positive outcome than those who complete a Level 4 or 5 programme. This may reflect that employers value higher-level degrees more and/or are looking for workers with at least some prior experience in the sector (or related) – which is often a requirement in the Level 6 programmes.

Figure 3.14 shows the outcomes for those who graduated from higher education in 2018/19, approximately 15 months after they completed their studies (i.e. the responses can show activity between December 2019 and September 2020 – before and after the COVID-19 pandemic restrictions in the UK).8 These figures indicate that approximately 68% of cyber security graduates enter full- or part-time employment, with 12% blending employment and further study. This means that of the 3 600 students who graduated in cyber security courses in 2018/19, 80% were in employment 15 months after obtaining their degree.

Cyber security graduates are slightly more likely to engage with further study than graduates from other computer science courses (DCMS, 2019[7]), which may be linked to the need for regular updating of technical skills and knowledge in a rapidly-changing field in addition to the level of specialisation and specific training required for some of the job opportunities in this field. 18% of cyber security graduates pursue further study (6% full-time further study and 12% combined with employment) compared to 16% of their peers in computer science (see Figure 3.14). This proportion has increased compared to the previous year (15% in 2017-18).

Figure 3.14. Higher education graduate outcomes in cyber security in 2018-19

Distribution of graduates by destination after completing studies

Note: Graduates from programmes below the master’s level are asked for information about their activities approximately 15 months after they complete their studies, so the responses received can show activity taking place between December 2019 and September 2020.

Source: HESA, https://www.hesa.ac.uk/news/18-06-2020/sb257-higher-education-graduate-outcomes-statistics.

Looking at outcomes of recent graduates in computer sciences by level of qualification, which includes cyber security graduates, the share of Level 6 graduates in employment (including those in work and further study) is significantly higher (84%) than those from Level 4-5 programmes (65%) 15 months after obtaining their qualification (see Figure 3.15). Level 4-5 computer science graduates have more chances to pursue further studies (without work) (13%) than Level 6 graduates (6%) but are also more likely to be unemployed (12% vs 5%).

Figure 3.15. Higher education graduate outcomes in computer science, by level of qualification in 2018-19

Note: Graduates are asked for information about their activities approximately 15 months after they complete their studies, so the responses received can show activities taking place between December 2019 and September 2020.

Source: HESA, https://www.hesa.ac.uk/news/18-06-2020/sb257-higher-education-graduate-outcomes-statistics.

The earnings potential in this field is high, even at entry-level positions. This signals the high demand for professionals in the cyber security field. Figure 3.16 shows the evolution of the average annual earnings one year after finishing a Level 6 (first degree) training programme. According to these data, the yearly earnings of ICT graduates have increased by 54% between 2011 and 2019. In cyber security, this increase has been even stronger: since 2014, the annual earnings of recent graduates have doubled from GBP 15 000 per year in 2014 to GBP 32 000 in 2019. Cyber security salaries vary depending on experience level and role. Table 3.10 shows annual earnings for selected cyber security roles by years of experience. For instance, penetration testers have the lowest annual earnings among the ten cyber security roles with available data when workers have less than two years of experience (GBP 30 000), and at the same time have among the highest yearly earnings when workers have more than five years of experience (GBP 105 000).

Figure 3.16. Evolution of cyber security first-degree annual earnings compared to other fields

Median earnings of graduates one year after obtaining their first degree (Level 6) in GBP

Note: This figure shows median earnings (real wages) across HEIs one year after graduation of UK-domiciled male and female first-degree (Level 6) graduates from HEIs. Cyber security programmes were identified using HECoS codes for ‘Computer and information security’.

Source: UK Department for Education, https://explore-education-statistics.service.gov.uk/find-statistics/graduate-outcomes-leo-provider-level-data.

Information on outcomes of non-formal education and training is limited. However, since the introduction of Skills Bootcamps in September 2020, starting with the digital sector, the DfE has compiled some figures in this area. Out of 2 550 applicants, 822 learners participated in digital Skills Bootcamps, including cyber security courses, during the academic year 2020-21 (Department for Education, 2021[16]). Providers collected participation indicators, such as whether learners dropped out early or completed the course, completed all their assessments and assignments, and passed all their assessments. Table 3.11 shows that the average attendance rate of digital Skills Bootcamps was 64%. Nonetheless, 84% of learners completed all their assessments and assignments, and 81% successfully passed their assessments, meaning that even though attendance did not appear very high, a large proportion of learners still managed to complete their courses and meet the planned learning outcomes successfully. Even though most learners actively engaged with the assignments and passed their assessments, 11% dropped out of their courses before completion.

Digital Skills Bootcamps participants improve their outcomes after finishing their training on average (see Figure 3.17). At the start of the training, 27% of participants were unemployed, which fell to 21% once the course was completed – with a higher proportion of learners in employment (54%) and in training or education (4%). Among those who reported working after completing a course, the vast majority (89%) indicated their current job was the same as the one they held when they started the course, while 11% changed jobs.

Figure 3.17. Changes in employment status of digital Skills Bootcamps participants before and after the course (2021)

Note: Other category includes ‘Caring responsibilities’ and ‘Waiting to start work’. ‘Retired’ and ‘Not answered’. Based on the learner’s survey. The number of respondents was 354.

Source: Department for Education (2021[16]), Skills Bootcamps process evaluation, https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/1027163/Bootcamps_wave_1_final_evaluation_report.pdf.

Providing information and career guidance on cyber security programmes

Promoting participation in cyber security education and training requires people to be better informed about the field. Cyber security is a fairly complex and relatively new field; therefore, it requires more effort to inform (prospective) learners about what it entails. Effective career guidance enables people of all ages to develop informed, critical perspectives about the relationship between education and employment, helping them to visualise and plan their transitions through schooling or current jobs and into more attractive work opportunities (OECD, 2019[41]). As described in the previous Chapter, various cyber security roles exist and these can be found across various industries, and this requires supporting students to navigate them. This is especially relevant for newcomers in the field who may find it hard to understand the entry requirements and the competencies needed.

In England, several career guidance initiatives have been set up to support people interested in engaging in cyber security education and training. Some focus on providing targeted career guidance to introduce people from diverse backgrounds, mostly young people, to the cyber security world and the relevant learning opportunities in the field. At early ages, the efforts have been focused on raising awareness about cyber security issues in general and cyber security as a career.

The NCSC leads the implementation of the CyberFirst programmes, designed to identify and nurture a diverse range of talented young people into a cyber security career. CyberFirst includes multiple activities intended to inspire and encourage students from all backgrounds to consider a career in cyber security (NCSC, 2021[33]). This includes ‘CyberFirst courses’, which aim to introduce the young generation to the cyber security world and provide information on the relevant training pathways in this field (see Box 3.4). In 2020-21, more than 4 300 young students participated in these courses, of which 40% were ethnic minorities and 55% were females. For older cohorts, CyberFirst includes a scheme oriented to complement career education available in schools and colleges through the CyberFirst Schools/Colleges programme, which aims to encourage young people to engage with computer science and the application of cyber security in everyday technology use (see Box 3.4).

Multiple websites and platforms are available to provide young people and adults with relevant information about the cyber security sector. They play an important role in improving the understanding of the field and facilitating participation in cyber security learning opportunities (see Table 3.12). One interesting tool comes from the UK Cyber Security Council, the self-regulatory body for the UK’s cyber security profession that is in charge of developing, promoting, and awarding nationally recognised standards for cyber security in support of the UK Government’s National Cyber Security Strategy to make the UK the safest place to live and work online. The Council has developed a portal, ‘the careers route map’, which provides details about the 16 specialisations in cyber security and suggests pathways into, through and between them. Currently, the Council is mapping all the initiatives offered at the national and sub-national levels that seek to diversify the cyber security profession (including supporting more neurodiverse workers into the profession, increasing the number of women and facilitating non-traditional routes). The objective is to develop a website that centralises this information to make it accessible to users that can benefit from these initiatives.

Some initiatives take a more general approach by providing relevant labour market information about priority sectors – including cyber security – to inform young people and adults about jobs and learning. Several career guidance services in England, while typically sector and occupation agnostic, provide relevant information on labour market needs and training opportunities, especially at the local level. Since 2019, the National Careers Service has worked with Sector Delivery Lead (SDL) departments9 to provide information that best reflect labour market needs. A key principle of careers information, advice and guidance is that it works in the best interests of the individual, and the DfE’s National Careers Service and Careers & Enterprise Company can help industry sectors to disseminate key information to career leaders in schools/colleges and careers advisers in the community. This is a joint partnership as it requires input from industry to ensure that content is accurate and up to date. 

Moreover, the National Careers Service offers multiple industry- and occupation-specific resources and tools for youth and adults to make more informed education and training decisions. For example, the ‘explore careers’ portal provides detailed information by occupation, including cyber security professionals, on expected salary, the ways to get into this role and its skills requirements. The website also lists the current education and job opportunities available.

Overcoming barriers to increase diversity in the cyber security field

Addressing individuals’ financial and non-financial barriers is important to boost participation in cyber security education and training, especially among people from vulnerable backgrounds (OECD, 2019[49]).

Cyber security education can be expensive in England. For nationals, tuition fees of formal education courses can range between GBP 3 500 and GBP 9 250 per year depending on the type and level of programme, representing a significant share of individuals’ or households’ income. Multiple policies and initiatives have been implemented in England to help overcome financial constraints and support participation in cyber security education and training. For instance, high-performing students can apply for a CyberFirst bursary, a programme that provides financial assistance to students interested in studying undergraduate education in cyber security, which also covers cyber security training each summer to help them to start their career in cyber (see Box 3.4). Since 2015, more than 1 000 young people have benefited from this bursary. According to data from the summer training, 47% of beneficiaries identified as female, and 35% as Black, Asian or Mixed (DCMS, 2021[50]).

Subsidised training programmes are also available for adults (aged 19 or older) from diverse backgrounds across England. For example, Skills Bootcamps in the digital field, including cyber security, are offered at no cost to learners. For Skills Bootcamps in which an employer is training their employees, the employer contributes 30% (large businesses) or 10% (SMEs) to the cost of the course. Some commercially delivered bootcamps providers in cyber security implement specific funding schemes to remove financial barriers and expand the enrolment of more disadvantaged learners. For instance, at CAPSLOCK (i.e. a cyber security training provider), learners have the option to attend full or part-time courses and pay nothing up-front. Instead, learners are required to pay back a percentage of their income after completing the course, but only if they land a job with a good salary (See Box 3.5).

Various publicly-funded programmes exist to increase diversity in specific sectors, such as the digital sector. This is, for example, the case for the Mayor’s Academies Programme (MAP) developed by the Mayor’s Office of London as part of its London Recovery Programme. This initiative aims at supporting the learners who have been the hardest hit by the COVID-19 pandemic into good work in key sectors for recovery and long-term economic growth. The programme co-ordinates quality marks training in London and provides support to help newly skilled people to work in priority sectors. It also builds on the Mayor’s Workforce Integration Network (WIN) work to address structural barriers as part of the Mayor’s Strategy for Social Integration. The WIN programme supports young Black men aged 16 to 24 years into living wage employment in London. It currently focuses on the construction and digital sectors and will engage other sectors and groups over time.

Another common barrier to training participation is a lack of time due to work and family responsibilities. Such time constraints may affect learners’ chances to enrol in cyber security training and therefore call for training opportunities to be compatible with busy working or family life. For these reasons, in 2018, the DCMS launched the Cyber Skill Immediate Impact Fund (CSIIF), which is designed to encourage providers to develop and scale up effective and more suitable initiatives to identify, train and place untapped talent from different backgrounds into targeted cyber security roles quickly (DCMS, 2019[51]). For instance, the training provider QA has created a training programme with Women Tech Jobs to support women’s placement into cyber security roles. The programme focuses on women who are heads of household or with family responsibilities wanting to return to work; thus, the classroom training is blended with e-learning and complemented with additional guidance and support (see Box 3.6). Similarly, through CSIIF, the DCMS has also sponsored providers offering cyber security training suitable for neurodiverse learners. For example, Immersive labs, a training provider, has developed The Neurodivergent Digital Cyber Academy, designed to help neurodiverse candidates develop their cyber security skills through hands-on practical challenges and courses. Box 3.6 provides more details about these programmes as well as other examples.

Boosting employers’ participation in the design of cyber security programmes

Education and training providers in the cyber security field often work closely with employers to help students find career paths and benefit from their knowledge and other resources in delivering courses. Successful employer engagement is founded on long-lasting, mutually acceptable and beneficial relationships between schools and businesses. There are substantial advantages when these collaborations are systematic and scaled up as they bring coherence to education and training provision at a local and national level (Department for Business Innovation and Skills, 2015[54]).

Training providers are eager to include employers in the design of cyber security courses and modules so that they can meet employers’ skills requirements and provide students with jobs (DCMS, 2019[7]). The development of courses in industry liaison panels or advisory groups that guide course content are examples of this. For instance, De Montfort University has developed cyber security training programmes with Deloitte, Airbus, BT and Rolls-Royce, with students being assessed by cyber security professionals from the industry (DMU, 2018[55]).

Programs such as cyber security bootcamps typically have the active participation of employers in designing and establishing the structure and content of the programmes since the training aims to equip learners with the skills required to fill a specific cyber security position. For instance, Generation, a cyber security Skills Bootcamps provider, works with employers throughout the entire programme design, delivery and placement (see Box 3.7). Also, for apprenticeship employer engagement is crucial. Employers in England work with the Institute for Apprenticeships to create and develop occupational standards.10 These standards are the components of an apprenticeship, along with the End-point Assessment Plan (EPA) (i.e. assessment to evaluate apprentice performance) and a funding band (i.e. funds can be used to pay for apprenticeships training and assessment for apprentices) (IfATE, 2023[56]). Employers developed these standards to describe duties, and ‘Knowledge, Skills and Behaviours’ (KSBs). Employer groups (referred to as Trailblazer groups) participate actively in developing apprenticeships. For instance, IfATE approved the 2021 ‘cyber security technologist’, a Level 4 apprenticeship standard, which involved the participation of multiples employers such as QineitQ (i.e. high-tech company focused on defence), Siemens (i.e. company focused on industry, infrastructure, transport, and healthcare), FoxRedRisk (i.e. Information Security and Data Protection consultancy), as well as the DCMS (IfATE, 2021[57]). In 2018, Global Knowledge UK, a worldwide leader in IT and professional training, in partnership with relevant cyber security players, including QUFaro (i.e. IT training provider) and GKA (i.e. IT and business training provider), collectively formed a trailblazer group for creating a Level 3 apprenticeship standard to address the need for a broader choice of qualifications to fulfil the skills gap in the cyber security profession and meet the demands of employers (Global Knowledge, 2018[58]).

To some extent, the level of employer involvement is influenced by geography and the degree to which training providers are located in areas of England with strong technology-based firms. Having employers nearby helps to improve the links that training providers can develop with industry. For example, Nexus, an IT support and consulting company with headquarters in the outskirts of Exeter, has built a close relationship with Exeter College to engage with the design of cyber security undergraduate programmes, among other ICT programmes. Additionally, Nexus employees regularly go to the college to speak to students about ICT careers.

The extent of the links between industry and the FE and HE sectors also depends on the nature of employers’ activities. Not surprisingly, firms that specialise in providing cyber security services (IT companies, major consulting companies, etc.) have the closest links with training providers (DCMS, 2019[7]). However, companies in parts of the economy that are especially vulnerable to cyber attacks (e.g. financial services, advanced manufacturing, defence-related) are also major recruiters of cyber security graduates. There is a strong mutual interest in developing close links in those sectors. For example, the University of Warwick collaborates closely with Jaguar Land Rover and other automotive firms in the West Midlands for the design and delivery of its courses, including in cyber security (Warwick University, 2018[60]).

Cyber security clusters have an important role in promoting employer participation in cyber security learning opportunities in England. Sectorial clusters, in general, provide a networking environment that facilitates the interaction of all stakeholders – including training providers, think tanks, companies and regional and local authorities (The European watch on cyber security and privacy, 2022[61]). In cyber security, clusters of employers enhance co-operation and co-ordination of actions to establish synergies to move forward relevant matters and address issues that directly affect cyber security at the regional level. For instance, Cyber East, the East region cyber cluster in England, is an industry body that works alongside the government to develop the cyber security industry. Cyber East works with businesses across Norfolk, Suffolk, and Cambridgeshire and expands to other areas, encouraging collaboration with multiple stakeholders, including training providers. Co-operation among clusters also contributes to identifying and sharing good practices for managing cyber security skills shortage. For instance, UKC3, a cyber security cluster collaboration hub, supports cyber security clusters to drive growth in the sector within their nations and regions. UKC3 champions activities to support businesses, academia and other skills or talent development organisations to promote cyber skills development and careers in the cyber security industry (see Box 3.8).

Increasing the provision of work-based learning opportunities in cyber security

Employers have a key role in providing work-based learning opportunities in cyber security. Through apprenticeships, students can access training combining classroom and work-based learning, allowing them to acquire practical skills and knowledge relevant to employers in the sector (OECD, 2014[62]). Nonetheless, the number of cyber security apprentices remains low (see above). This may be due to multiple reasons. Learners may have limited awareness about the options available. Companies, especially SMEs, may need more support to provide apprenticeship opportunities, as implementing apprenticeships has time and cost implications. One barrier that is, in particular, important for SMEs is that assigning staff to oversee training impedes them from carrying out the core business activities related to cyber security – and this may be even more problematic in the cyber security sector than in other sectors given the prevailing labour shortages and associated risks.

In order for employers to see the value of offering apprenticeship opportunities, they need to be aware of their specific cyber security skills needs. On average, 54% of businesses in England report understanding at least reasonably well their cyber security training needs – but few outside the cyber security sector report they understand these need very well (14%) (DCMS, 2022[29]). Even though a higher proportion of businesses in the cyber security sector report understanding very well their cyber security training needs (68%), only 36% of SMEs in the cyber security sector do so (DCMS, 2022[29]). Companies’ limited understanding of their cyber skill requirements can hinder the implementation of cyber security apprenticeship programmes. The NCSC provides cyber security advice for businesses, charities, clubs and schools with up to 250 employees on many issues, including training delivery. Most of the resources available from the NCSC focus on assessing cyber security needs and identifying cyber security risks. SMEs can get access to the Small Business Guide and Exercise in a Box, tools that provide key information to identify the security bridges, evaluate the level of resilience to cyber attacks and determine the capacity of the organisation to deal with cyber threats with current resources (infrastructure and human capital).

Successfully engaging more employers is necessary for realising the potential benefits of work-based learning and making work-based learning accessible for young people and adults with diverse needs and aspirations, including those without jobs or learning opportunities (Kis, 2016[63]). In England, policy makers have implemented various strategies and policy tools to unlock engagement by shifting the cost-benefit balance for employers and making the provision of apprenticeships more attractive and manageable for businesses. Introduced in 2017, the apprenticeships levy is a government initiative to encourage companies to hire apprentices and help reduce skills gaps in the United Kingdom (see Box 3.9). The levy’s introduction has increased focus on training new and existing employees for the highly skilled roles the economy needs by covering the full cost of training and assessment for levy payers and covering partially for non-levy payers (covering 95% of tuition fees). Since 2022, a new portable flexi job apprenticeship-sharing arrangement has been piloted, allowing apprentices to undertake a series of shorter contracts with a number of employers while completing their training in preparation for end-point assessment. The pilot is running across 38 standards in the creative, digital, adult care and construction sectors. These Flexi-Job Apprenticeships have been designed to ensure that those sectors and occupations where short-term contracts or other non-standard employment models are the norms can access the benefits of apprenticeships.

Some training providers offer support to employers for effectively providing apprenticeship opportunities. For instance, CyberPro, an organisation grounded on providing accessible resources to individuals and companies interested in developing cyber security learning ecosystems, offers online information on how apprenticeships in this field are established and how to benefit from the different schemes and support provided by the government to fund the cyber security apprenticeships programmes. Similarly, some training providers provide key information and raise awareness about the benefits of employing a cyber security apprentice. Escalla, a global workplace and digital skills provider, is accompanying employers with guidance and information on apprenticeship benefits. It also supports employers on how to make the most of providing apprenticeship programmes in cyber security (Escalla, 2022[65]).

Additional initiatives come from joint efforts from trade associations and the higher education sector to increase the provision of apprenticeship programmes in the tech sector. For instance, Techskill, a partnership between employers and educators for developing digital since 2021, recognises talent from within the digital degree apprenticeship sectors through the National Tech Industry Gold Digital Degree Award. The objective of providing this recognition is to highlight employers and training providers that contribute to developing the relevant skills for sectors through apprenticeship programmes and incentivising more employers to deliver digital skills apprenticeship programmes. Some universities have started incorporating digital apprenticeships into their degree programmes in partnership with enterprise conglomerates. The curricula of higher-level digital apprenticeships typically cover a variety of digital skills, including cyber security, big data, software engineering, digital banking, IT skills for the automotive industry, etc. For example, Warwick Manufacturing Group, as part of the University of Warwick, provides degree-level apprenticeship modules embedded in undergraduate courses, including one in cyber security engineering (see Box 3.10). Another example is the partnership of J.P. Morgan, a multinational investment bank and financial services company, with the University of Exeter in October 2018 to offer the UK’s first degree apprenticeship programme in applied finance and cyber security. The programme covers areas ranging from securities to IT in investment operations and prepares apprentices to become financial services professionals with the essential skills for using digital banking products. A large proportion of the programme takes place at the workplace through projects linked to academic content, while some modules can also be completed by distance learning.

Tackling teacher shortage in cyber security education

Teachers in FE are unique in terms of how they are recruited and trained. They are expected to have not only the subject and pedagogical knowledge but, in many cases, work experience in their industry. Moreover, FE teachers’ skills can be in high demand in occupations other than teaching, making it harder to recruit and retain teachers in related subjects (OECD, 2021[67]). Given the shortages of skilled cyber security professionals, the cyber security field may be particularly difficult to attract and retain teachers.

Despite the relevance of understanding teacher shortages, regularly and systematically collected comprehensive data focused on FE teachers, including the number of teachers, hiring needs and shortages across OECD countries, is limited (OECD, 2021[67]). In England, the Staff Individualised Record (SIR) data has information on teachers in the FE sector. Table 3.15 shows that the proportion of staff teaching ICT subjects is 2.1%, which is low compared to other fields, and it is not aligned with the percentage of FE students in the field, potentially reflecting a lack of teachers and trainers in the field. However, information on teacher shortages by sector is not readily available. Teacher information for the narrow field of cyber security is particularly hard to come by, and the DCMS has already recommended collecting more data in this area to enhance cyber security training provision (DCMS, 2019[7]).

Teacher shortages can damage the stable provision of specific occupational courses and the sustainable supply of qualified workers for associated occupations (OECD, 2021[67]). Teacher shortages may also increase the costs of training provision. For instance, in England (ACL Consulting, 2020[68]), higher costs during times of FE teacher shortages may be driven by increased use of lower- or less-qualified teaching staff and temporary or agency staff – which is not always cheaper than hiring suitably qualified teachers – and can lead to increased workloads and stress for existing staff.

Signalling the quality of cyber security education and training programmes

The NCSC is the governmental body responsible for recognising and supporting the best cyber security education programs for students and employers. Since 2018, working in partnership with the DCMS, Cabinet Office (CO), UK Research and Innovation (UKRI), the NCSC certifies programmes across higher education institutions that best respond to cyber security standards established by CyBOK and the national cyber security priorities (Cabinet Office, 2022[69]). The NCSC certifies degree apprenticeships, Bachelor’s degrees and Integrated Master’s degrees in cyber security and closely related fields (see Table 3.16). For the certification of degree apprenticeships, NCSC follows apprenticeship standards established by the Institute for Apprenticeships to conduct the assessment (Institute for Apprenticeships and Technical Education, 2020[70]). Among bachelor’s degrees, NCSC assesses computer science for cyber security, computer science and cyber security, and computer science and digital forensics.

This certification process has a clear objective: to set the standard for good cyber security higher education in the United Kingdom and better alignment with the priority actions to strengthen the UK’s cyber ecosystem (Government, 2021[71]), which may positively affect all stakeholders. Recognition of cyber security education and training programmes benefits training providers, students and employers. For example, NCSC certification helps universities attract additional numbers of skilled students from the United Kingdom and abroad. Since navigating the range of cyber security degree programmes on offer in the United Kingdom may be difficult, NCSC certification can help students to choose a cyber security course which has been evaluated by the NCSC. Students from NCSC-certified degree programmes will be provided with an additional form of recognition (i.e. that the student has successfully completed an NCSC-certified degree), which will help employers distinguish between applicants’ qualifications.

Cyber security programme recognition is also granted to schools and colleges through the NCSC’s CyberFirst schools and colleges programme (see Box 3.4). Eligible secondary schools or colleges where CyberFirst operates can apply to be part of the CyberFirst Schools and Colleges scheme. Successful applicants receive NCSC recognition and are promoted as leaders committed to providing a structured approach to excellence in cyber security education. Schools and Colleges are certified to become part of the CyberFirst Education eco-system to promote cyber security education among young people.