Diversity and Cyber Security Expertise: Policy report
Matt Spencer 
Carlos Cámara-Menoyo
Timothy Monteath
Executive summary
Our society is deeply and increasingly reliant on cyber security practitioners to ensure that digital services are dependable, critical infrastructure is resilient and sensitive data is protected. Their success depends on diverse ways of thinking, diverse skillsets, perspectives and backgrounds. Today, the profession is being transformed, with standardised categories of specialism, new certifications and evolving governance structures. While this process of professionalisation is driven by the need to better support practitioners and their employers, it is vital to understand any unintended consequences that may be emerging. We focus here on potential negative impacts on diversity, a topic that must be carefully addressed to ensure that cyber security remains an attractive field to work in, to support the legitimacy of professional institutions and to enhance the efficacy of the field.
We developed methodologies for analysing the alignment of practitioners with new classifications of cyber security specialisms, and for analysing the alignment of specialisms with cyber security problems. We tested these approaches using data from a small exploratory survey. We found that there is profound uncertainty about the impacts of professionalisation on diversity. This is rooted in a lack of data and a lack of theoretical analysis. This report takes a small step to correct this issue.
Recommendations
Surveys on diversity in cyber security (Decrypting Diversity) should be revived to ensure good quality data is available. They should be extended to gather more detailed data on respondents’ expertise, for example using the CyBOK (Cybersecurity Body of Knowledge) framework1. This would enable evidence to be gathered about correlations between diversity characteristics and the alignment of professionals with the UK Cyber Security Council Cyber Careers Framework specialisms. Regular surveys would enable the analysis of how this alignment is changing over time.
The UK Cyber Security Council should commence work on new candidate specialisms to address the current lack of coverage of security human factors and security awareness. The latter could be based on the European Cybersecurity Skills Framework ‘Cybersecurity educator’ role2.
Future iterations of CyBOK should be informed by research into expertise diversity, to ensure that the value of the humanities and social sciences within cyber security is better reflected. Humanities and social science researchers in the cyber security field should engage more closely with the CyBOK community to support this.
The UK Cyber Security Council’s Cyber Career Framework’s cross-reference of specialisms with CyBOK knowledge areas should be refined and validated through qualitative studies of cyber security problem scenarios.
About
This Cyber Expertise Diversity Survey was run by the Centre for Interdisciplinary Methodologies (CIM) in collaboration with the Research Institute for Sociotechnical Cyber Security (RISCS), led by Matt Spencer, RISCS Senior Fellow and Associate Professor at CIM.
Other CIM staff involved in putting the survey together and analysing the data include Carlos Cámara-Menoyo and Timothy Monteath.
The survey aims to inform cyber policy discussions by generating new insights into the value and distribution of cyber expertise.
Citing
You are free to reuse this report (fully or partially) under the Licence conditions. If you use it in your work, please cite it as below:
Spencer, M., Cámara-Menoyo, C., & Monteath, T. (2025). Diversity and Cyber Security Expertise: Policy report. University of Warwick. https://warwickcim.github.io/cyberexpertisediversity_survey/, https://doi.org/10.5281/zenodo.17659435
For your convenience, we have also included a CITATION.bib file you may want to use to import it to your Reference Manager.
@techreport{spencerCyberExpertiseDiversity2025,
title = {Diversity and {{Cyber Security Expertise}}: {{Policy}} Report},
author = {Spencer, Matt and {C{\'a}mara-Menoyo}, Carlos and Monteath, Timothy},
year = {2025},
month = sep,
institution = {University of Warwick},
langid = {english},
url = {https://warwickcim.github.io/cyberexpertisediversity_survey/},
doi = {10.5281/zenodo.17659435}
}
License
Text and images are licensed under a Creative Commons Attribution 4.0 International License.
Diversity and Cyber Security Expertise: Policy report © 2025 by Matt Spencer, Carlos Cámara-Menoyo and Timothy Monteath is licensed under CC BY 4.0
