I, CyBOK – An Introduction to the Cyber Security Body of Knowledge Project


The Cyber Security Body of Knowledge project, or CyBOK, is a collaborative initiative mobilised in 2017 with an aspiration to “codify the foundational and generally recognized knowledge on Cyber Security.” Version 1.0 of the published output of this consultative exercise was quietly released last year and then more publicly launched in January 2020.

Yet, this freely available and information-packed publication does not appear to have captured the attention it perhaps deserves across the wider industry. Hence the reason for blogging and offering a very quick overview of it here on State of Security. So, what does it look like?

Composition and Domain Categories

Across its 800+ pages, the CyBOK is effectively organised into nineteen top-level Knowledge Areas (KAs), which are then grouped into five overarching categories, as shown in this diagram.

CyBOK Knowledge Areas

Much of this will be familiar territory for many security professionals, some of whom have actually questioned if it is not simply “reinventing the wheel?” (ISC)² has, after all, already established a widely recognized ‘Common Body of Knowledge’ or CBK for its Certified Information Systems Security Professional (CISSP) accreditation. For those unfamiliar, the overarching CISSP CBK domain categories are:

  • Security and Risk Management (including Legal & Regulatory, Personnel Security, Threat Modelling)
  • Asset Security (including Data Management, Privacy)
  • Security Architecture and Engineering (including Security Models, Cryptography, Physical Site)
  • Communication and Network Security
  • Identity and Access Management (including IAM, IDaaS)
  • Security Assessment and Testing
  • Security Operations (including Incident Response)
  • Software Development Security (including Malware)

Origins and Definitions

Evolving in the early 1990s, before the term ‘Cyber’ was common parlance for IT related security matters, the (ISC)² CBK has more traditionally been known by many as a ‘Common Body of Knowledge for Information Security’, of course.

The CyBOK, by contrast, begins by presenting distinct definitions for both ‘Information Security’ and ‘Cyber Security’, presenting the former as a contributor to the latter. Yet, there is an inevitable overlap of knowledge and topics across both taxonomies, just as there is within their practical application in the real world, of course.

Given also that this is the definition which the CyBOK uses in its introduction:

Cyber security refers to the protection of information systems (hardware,
software and associated infrastructure), the data on them, and the services they provide,
from unauthorised access, harm or misuse. This includes harm caused intentionally
by the operator of the system, or accidentally, as a result of failing to follow security

Such a definition could apply just as relevantly to much of the CISSP CBK, however. Blurring these arguably idiosyncratic lines further, (ISC)² have more recently taken to promoting CISSP as being ‘the world’s premier cybersecurity certification.’

A less semantic and perhaps more practical differentiator to consider instead is that the CISSP CBK is also a curriculum for the certification itself. Although sometimes disingenuously described as being ‘an inch deep and a mile wide’, it is, in reality, more ‘a mile wide and a foot, or even a yard, deep in certain places.’

The CyBOK instead seeks to ‘map to’ established knowledge sets via a reference framework. This mapping may then be used to “inform and underpin education and professional training for the cyber security sector.”

The opening narrative of the ‘Law & Regulation’ category somewhat acknowledges this by disclaiming itself to be “a mere starting rather than ending point”, and the same could be said to apply throughout the CyBOK.

But that is not to say it is just some dry reference manual of other works. The clear expository narratives which accompany each of the knowledge areas are all original, insightful and very readable. Likewise, the quality of expertise drawn upon to create the diverse ‘Knowledge Areas’ in their own right and then collate all of this into one cohesive publication should not be underestimated.

Moreover, it positions itself as vendor agnostic, academically independent and, whilst sponsored by the UK’s National Cyber Security Programme, a cross-border effort of trans-global rather than localised national focus.

Knowledge Areas

The CyBOK also seeks to gather a balance of input from both academia and industry. With its plentiful use of functional equations and theoretical models throughout the text, it does come across as being more at home within the classroom or laboratory setting than the operational, business driven frontline at times.


But as with the CISSP CBK once again, such an approach is for some areas both appropriate and somewhat inevitable. Cryptography, for example, is an essentially mathematically rooted subject field. The KA for cryptography therefore warrants a suitably scholarly approach to both its curation and to the preliminary descriptions of some of the core concepts as they relate to cyber.


Likewise, the ‘Malware’ KA, with its ‘lab eye view’ of its subject matter, descriptively ‘dissects’ attributes and tactics of different malware families whilst discussing some of the analysis techniques used to understand them. It goes on to include clear, pithy explanations of some common ‘anti-analysis’ and detection evasion techniques such as ‘packing’ (compressing or encrypting part of the code). These are base concepts for sure, but they are often glossed over in more overtly sales focused industry publications on malware.

Such key technical considerations are then complemented and contextually fleshed out by a brief introduction of the ‘Underground Eco-System’ driving the ever-evolving malware lifecycle itself. Underground economics, monetization and black-market operating models are all cross-cutting themes discussed elsewhere, such as in the subsequent KA for ‘Adversarial Behaviours.’


The ‘Forensics’ KA similarly proffers a high-quality potted summary of key concepts, tools and methods as they are used to establish evidence in legal proceedings. It introduces some relevant cognitive, conceptual models such as the ‘sense-making’ and ‘foraging’ loops and then moves into describing specific analytical techniques and methods. Bringing its subject matter firmly up to date, it concludes by acknowledging the transition and challenges that cloud computing & IoT bring to the science of digital forensics.

Security Operations & Incident Management

The ‘Security Operations & Incident Management’ (SOIM) KA provides a solid overview of many of the key principles and components one would expect to be included for SOC type considerations, from base architectural principles to logs, network flows, anomaly detection, IDS/IPS, SIEM and SOAR.

This leads into an overview of Incident Management planning and process basics. In places some of it is very well-trodden ground which could undoubtedly benefit from wider and more diverse contemporary industry input, accepting of course that only so much consultation is feasible and affordable for a single project and such an undertaking is easier said than done.

However, what is covered here is covered very well. Its precise and conclusive narrative describes what good practice can look like whilst acknowledging the inherent fallibility of many tools, techniques and processes in detecting and stopping ‘all’ threats or achieving the nirvana of ‘total’ security. That is a state that is of course impossible, as it acknowledges from the outset in referencing a report from 1981 by James Anderson.

Final Thoughts

All in all, the sheer breadth of information condensed into this one collective product is as impressive as it is vast. Whilst I’ve cherry picked just a few of the KAs to highlight here, it would be futile to try and discuss every single one in a short blog such as this, let alone do any reasonable justice to any of them. But don’t just take my word or views for it, take a look for yourself. The CyBOK is freely available and accessible under the open government license, so there’s really no excuse not to.

Admittedly, for many people it’s probably not a ‘cover to cover’ read (unless you are perhaps landed with a lot of time on your hands as a result of the pandemic lockdowns). For professionals or anyone keen to understand more about the diverse range of knowledge areas which collectively characterize and support what we have come to call ‘Cyber Security’, it is at the very least a useful reference to dip into as necessary.

Given the comprehensive mapping, it also exposes you to a wealth of established knowledge sets, papers and other references (all helpfully linked to directly in its bibliography), so who knows where it may lead you next?

About the Author: Angus Macrae is a Certified Information Systems Security Professional (CISSP) in good standing. He has more recently been awarded the CESG Certified Professional – IT Security Officer (ITSO) role at Senior Practitioner level. He is currently fortunate enough to live in and publicly serve the beautiful county of Cornwall in the UK.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
