University of Southern California Dissertations and Theses

Identifying diversity solutions for the cybersecurity workforce shortage: a phenomenological qualitative study

(USC Thesis Other)

Identifying diversity solutions for the cybersecurity workforce shortage: a phenomenological qualitative study

PDF

Download a page range

Download transcript

Copy asset link

Request this asset

Transcript (if available)

Content Identifying Diversity Solutions for the Cybersecurity Workforce Shortage:
A Phenomenological Qualitative Study
Rosielle Vengua
Rossier School of Education
University of Southern California
A dissertation submitted to the faculty
in partial fulfillment of the requirements for the degree of
Doctor of Education
August 2024

© Copyright by Rosielle Vengua 2024
All Rights Reserved

The Committee for Rosielle Vengua certifies the approval of this Dissertation
Richard Grad
Anthony Maddox
Patricia Tobey, Committee Chair
Rossier School of Education
University of Southern California
2024

iv
Abstract
The cybersecurity landscape is facing a formidable challenge as the high demand for skilled
professionals continues to outpace the cybersecurity workforce. The U.S. cybersecurity
workforce gap has reached an estimated all-time high of 750,000 unfilled positions in 2024. The
U.S.’s current cybersecurity workforce consists of only 26% identifying as non-White minorities,
while only 24% identify as female. This highlights the untapped potential in reaching out to the
U.S.’s diverse groups and communities to address the ever-growing cybersecurity shortage.
Also, there is an underlying need to understand the importance of diverse perspectives in
cybersecurity to bring forth the necessary creative solutions to defend against the diverse
cybercriminal threat. Organizations must gain broader insights into potential vulnerabilities and
effective defense strategies from their workforce as a countermeasure to this threat. However,
limited data exists on the identification and understanding of men and women of color and White
women’s barriers and motivations in cybersecurity. As a result, this study used Eccles et al.’s
expectancy value theory (EVT) to explore 17 diverse participants’ cybersecurity career journeys.
EVT suggests that people’s expectations of success and the value they associate with those
outcomes influence their choices and behaviors. When applied to career choice, this theory
provided the framework to identify and understand commonalities in motivations, barriers, and
expectancy in career longevity across the participants of this study. These findings fueled my
recommendations for change at the industry and organizational levels, such as reframing what
cybersecurity is and leveraging the understanding of diverse cybersecurity professionals’
personality traits and influences. Furthermore, organizations need to change their hiring and
recruiting practices and transform into a culture of belonging to retain their cybersecurity talent. I
recommend implementing these changes using the awareness, desire, knowledge, ability, and
reinforcement (ADKAR) change management method to help manage people’s experiences
and expectations.

v
Keywords: cybersecurity workforce shortage, cybersecurity diversity recruiting, retaining
cybersecurity talent, belonging, NICE Framework, skills-based hiring, changing cybersecurity
toxic work environments, diversity, equity, and inclusion (DEI) in cybersecurity, cybersecurity
talent pipeline

vi
Acknowledgements
I would like to express my gratitude to my fellow Cohort 21 members for the edification
and deep discussions that broadened my views and understanding of diversity, equity,
inclusion, and belonging. Your perspectives, along with our professors’ expertise, during our
program have given me tools to critically appraise systems of power that exist in the policies,
standards, and procedures effecting our everyday lives and future generations. To my
professors, thank you for your pearls of wisdom that I will use as a change agent and leader of
technical innovations. To my dissertation chair, Dr. Patricia Tobey, thank you for your kindness
and support as you guided me through this research journey. Thank you to my dissertation
committee, Dr. Anthony Maddox and Dr. Richard Grad, for expanding how I view my problem of
practice to be more inclusive of alternative perspectives. To Dr. Richard Grad, thank you for
your recommendation to thread my conceptual framework throughout my literature review. Your
insight has made my dissertation more cohesive. You have a superpower in the speed at which
you provide meaningful and thorough feedback.
To my mom, dad, and brother, thank you for always believing in me and supporting my
family while I completed this doctoral program and dissertation. Your help through my young
family’s U.S. military deployments while I worked full-time and attended classes is priceless.
Words cannot express my deepest gratitude and appreciation.
To my husband, Colonel Aaron Cronin D.Sc., PA-C; thank you for your academic attention
to detail, ability to wordsmith and simplify the most complex topics, and demonstrated publicspeaking skills in presenting controversial topics in a way that facilitated and engaged all
learners. Your expertise, skills, and support helped me through the ups and downs of this
academic journey. Most of all, thank you for your partnership in raising our sons, Asher and
Gideon, as I completed this program. Boys, Mom has finally finished, and I promise to take an
educational break for at least 2 years. Your patience and maturity far exceed your ages of 14
and 11. I am so proud of both of you!

vii
Finally, I acknowledge the countless individuals whose direct or indirect contributions
have helped shape this dissertation. Your support has not gone unnoticed, and I am truly
grateful.

viii
Table of Contents
Abstract ........................................................................................................................................iv
Acknowledgements ......................................................................................................................vi
List of Tables .................................................................................................................................x
List of Figures...............................................................................................................................xi
Chapter One: Overview of the Study............................................................................................ 1
Context and Background of the Problem.......................................................................... 1
Purpose of the Project and Research Questions ............................................................. 3
Importance of the Study.................................................................................................... 4
Overview of Theoretical Framework and Methodology .................................................... 4
Definitions......................................................................................................................... 5
Organization of the Dissertation ....................................................................................... 8
Chapter Two: Literature Review................................................................................................... 9
Solving the Cybersecurity Workforce Shortage................................................................ 9
Meritocracy ..................................................................................................................... 27
Diversity in Technology................................................................................................... 30
Conceptual Framework................................................................................................... 39
Summary ........................................................................................................................ 46
Chapter Three: Methodology...................................................................................................... 48
Research Questions ....................................................................................................... 48
Overview of Design......................................................................................................... 49
Research Setting ............................................................................................................ 50
The Researcher.............................................................................................................. 50
Data Sources.................................................................................................................. 51
Method............................................................................................................................ 51
Validity and Reliability..................................................................................................... 53

ix
Credibility and Trustworthiness....................................................................................... 54
Ethics.............................................................................................................................. 55
Limitations and Delimitations.......................................................................................... 55
Chapter Four: Findings............................................................................................................... 57
Demographics................................................................................................................. 57
Participant Profile............................................................................................................ 59
Participant Education...................................................................................................... 62
Research Question 1...................................................................................................... 65
Summary of RQ 1........................................................................................................... 75
Research Question 2...................................................................................................... 77
Summary of RQ2............................................................................................................ 86
Research Question 3...................................................................................................... 90
Summary of RQ3............................................................................................................ 93
Summary of Findings...................................................................................................... 94
Chapter Five: Discussion and Recommendations ..................................................................... 95
Summary of Findings...................................................................................................... 95
Recommendations for Practice..................................................................................... 101
Implementation of Recommendations .......................................................................... 106
Recommendation for Future Research......................................................................... 115
Conclusion.................................................................................................................... 116
References ............................................................................................................................... 118
Appendix A: Eligibility Survey................................................................................................... 135
Appendix B: Interview Protocol: Active Cybersecurity Professional......................................... 138
Appendix C: Interview Protocol: Inactive Cybersecurity Professional ...................................... 143
Appendix D: A Priori Coding Sheet .......................................................................................... 148

x
List of Tables
Table 1 NIST (2023) Proposed Work Role Category Descriptions ............................................ 21
Table 2 U.S. Diversity Stats for Tech ......................................................................................... 28
Table 3 EEOC’s (2014) Women/Men and Non-Whites/Whites in EEO Occupations ................ 29
Table 4 Pew Research Center’s (2021) Who Owns Cell Phones and Smartphones................. 32
Table 5 Data Sources................................................................................................................. 49
Table 6 Participants’ Demographic Information ......................................................................... 58
Table 7 Participants’ Education and Emphasis of Study............................................................ 64
Table 8 Summary of Internal Personality Traits Quotes............................................................. 76
Table 9 Summary of External Influences Quotes....................................................................... 77
Table 10 Summary of Barriers Quotes....................................................................................... 88
Table 11 Summary of Constant Risks Quotes ........................................................................... 89
Table 12 Summary of Career Longevity–Themed Quotes......................................................... 93
Table A1 Eligibility Survey........................................................................................................ 135
Table B1 Active Interview Protocol........................................................................................... 139
Table C1 Inactive Interview Protocol........................................................................................ 144
Table D1 Codes for RQ1.......................................................................................................... 149
Table D2 Codes for RQ2.......................................................................................................... 150
Table D3 Codes for RQ3.......................................................................................................... 151

xi
List of Figures
Figure 1 2017 NICE Framework Cybersecurity Work Categories.............................................. 18
Figure 2 Sussman’s (2021) Adaptation of NICE 2017 Workforce Framework ........................... 19
Figure 3 NIST (2024) Work Role Categories ............................................................................. 20
Figure 4 Petersen et al.’s (2020) NIST Work Roles’ Relationship to Building Blocks ................ 23
Figure 5 Lim et al.’s (2019) Structure of Data-enabled Marketing Process................................ 36
Figure 6 Lim et al.’s (2019) Illustration of Microtargeting ........................................................... 37
Figure 7 Eccles et al.’s (1983) EVT Model ................................................................................. 40
Figure 8 Wigfield et al.’s (2017) Value Components and Cost Influence ................................... 42
Figure 9 Interpretation of Eccles et al.’s (1983) EVT Model....................................................... 44
Figure 10 Conceptual Framework .............................................................................................. 45
Figure 11 Prosci’s (n.d.) ADKAR Diagram ............................................................................... 107
Figure 12 Argo and Sheikh’s (2023) Belonging Barometer Survey.......................................... 111
Figure 13 Argo and Sheikh’s (2023) Survey Results Explanation............................................ 112

1
Chapter One: Overview of the Study
The cybersecurity landscape is facing a formidable challenge as the high demand for
skilled professionals continues to outpace the available cybersecurity workforce. The U. S.
cybersecurity workforce gap has reached an estimated all-time high of 750,000 unfilled
positions in 2024, a 40% increase from 2022 (Giacomarra, 2024; Lake, 2022; Morgan, 2023;
Weigand, 2022). By 2025, it is estimated 3.5 million cybersecurity positions will remain unfilled
globally (Lake, 2022; Morgan, 2023; Weigand, 2022). Amidst this concerning shortage of
cybersecurity professionals, it is imperative to explore the factors that have contributed to this
shortfall. In the United States, one significant, potential factor requiring attention is lack of
diversity in cybersecurity. The U.S. historical and ongoing lack of diversity in cybersecurity
perpetuates existing inequalities and exacerbates the shortage of skilled cybersecurity
professionals (Allen, 2022; Andress, 2022; de Magalhães, 2022). The underrepresentation of
diversity groups, such as women, racial and ethnic minorities, and individuals from marginalized
backgrounds, hinders the U.S. cybersecurity industry’s ability to tap into a broader talent pool
and perspectives (Allen, 2022; Brenner, 2022; Check, 2023). My problem of practice in this
study is the lack of diversity in the cybersecurity field, contributing to the shortage of
cybersecurity professional workforce. By understanding the underlying factors and exploring
potential solutions, this study seeks to promote inclusivity and diversity in the cybersecurity
workforce for the purpose of ultimately bridging the gap between the demand and supply of
skilled professionals.
Context and Background of the Problem
Amongst the U.S. current cybersecurity workforce, only 26% of the U.S. cybersecurity
workforce identify as non-White minorities, and only 24% identify as female (Osborne, 2022;
Reed & Acosta-Rubio, 2018; Sganga, 2022). The evidence highlights the untapped potential in
reaching out to the U.S.’s diverse groups and communities to address the ever-growing

2
cybersecurity shortfall. Furthermore, the lack of ethnic, gender, and racial workforce diversity
limits responding to cybercrime with homogeneous solutions (Donegan, 2020).
Although cyberattacks are the fastest-growing crime and have cost U.S. citizens $10
billion in 2022 (Medsger, 2023), a shortage of cybersecurity professionals continues to exist
(Riley, 2021) since 2004 (International Information System Security Certification Consortium
[ISC2], 2017). The projected growth for entry-level cybersecurity analysts through 2031 in the
United States is 35%, according to the U.S. Bureau of Labor Statistics (2022). Globally, the
demand for cybersecurity professionals will likely continue to grow, considering 79% of the
3,876 surveyed business and technology executives in the 2024 Global Digital Trust Insights
Survey will increase their cybersecurity budget (PricewaterhouseCoopers [PwC], 2024). I posit
the lack of cybersecurity professionals, both within the United States and globally, with diverse
backgrounds, experiences, and perspectives has limited both the number of professionals and
the potential of creative and innovative cybersecurity solutions against complex and diverseorigin cybercrimes (Sucui, 2022; Tucker, 2022). This problem is critical to address because a
diverse workforce brings different perspectives, thereby increasing the possibilities of creative
and innovative solutions against complex cybercrimes (Rankin, 2019; Tucker, 2022). A current
example that may benefit from different perspectives is addressing the complexity and
sophisticated use of generative artificial intelligence and machine learning in cyberattacks, such
as deepfakes of artificial images or videos (Dessai, 2024; University of Virginia, n.d;
Yampolskiy, 2024).
As the reliance of technology grows in all private and public sectors, government,
academia, and non-profit, the American society can benefit from an increasingly diverse
cybersecurity workforce reflective of the population. The benefit is developing creative solutions
that meet the needs to protect all types of data for most people, such as intellectual property
and personally identifiable data, and to reduce financially and non-financially (i.e., cyberstalking
and cyberbullying) motivated cybercrime (Palmer, 2021; Tucker, 2022). Furthermore, the most

3
impacted by cybercrime and in need of cybersecurity education are marginalized groups such
as women, people of color, older individuals, and those from low-income backgrounds (D. Klein,
2021). Lastly, history has proven innovative breakthroughs often happen at the intersection of
diverse disciplines and fields, such as the European Renaissance period between the 14th and
17th centuries (Britannica, 2023; Dyer et al., 2019). It took bringing artists, philosophers, poets,
and architects together in Florence, Italy to develop new ideas in their respective fields (Dyer et
al., 2019). These ideas blossomed throughout Europe and gave society the inventions and
artistry of Leonardo di Vinci, Michelangelo, Shakespeare, and Machiavelli, to name a few
(Britannica, 2023). Therefore, as an industry, cybersecurity needs to bring in more diverse
people in a wide range of disciplines and fields to bring in ideas that are normally considered
unrelated to cybersecurity. The potential of using diversity to solve the cybersecurity workforce
shortage to develop creative solutions significantly increases.
Purpose of the Project and Research Questions
Although discussions exist on the lack of diversity and shortage of cybersecurity
professionals, there is limited information on why diverse groups choose to enter and leave
cybersecurity. In other words, there is a lack of perspective and a general knowledge gap. Few
studies have addressed the costs and barriers to entry for marginalized groups, specifically men
and women of color and White women. Furthermore, literature is limited or non-existent on
whether the industry has collaborated with these communities’ leaders to develop recruitment
programs for men and women of color and White women. The information that is available
demonstrates that cybersecurity industry is not welcoming, is toxic, and is highly exclusionary
toward underrepresented groups (Champlain College, 2021; Merkel, 2022). Finally, there is a
paucity of directly causative evidence linking increased cybersecurity performance and a
diverse cybersecurity workforce (Amos, 2022; Sakpal, 2019). As a result, there is an opportunity
to conduct research with current men and women of color and White women cybersecurity
professionals to identify improved reach-out and recruitment strategies. The study’s purpose is

4
to learn more about the motivational and decision-making process of men and women of color
and White women regarding their careers in the cybersecurity industry via the following
research questions:
1. What initially interested men and women of color and White women to pursue the
cybersecurity profession?
2. What are the initial motivational costs of men and women of color and White women
in pursuing a career in cybersecurity?
3. What are the expectancies of men and women of color and White women with
cybersecurity experiences regarding career longevity?
Importance of the Study
The execution of this study provided vital data regarding influences, barriers in the
profession, and documented diverse cybersecurity professionals’ perspectives. Although some
data exists that examines barriers to entry in cybersecurity, such as evidence of high
expectations of prior training, lack of diversity and inclusion, and toxic work environments and
cultures (de Magalhães, 2022), identification and understanding of men and women of color and
White women’s barriers in the profession are needed. Furthermore, because the cybersecurity
shortage is an ongoing multi-generational problem, a multi-generational strategy is needed to
address the cumulative talent pipeline problem today, in the next 1 to 5 years, and beyond 5
years (Decrosta, 2021; ISC2, 2019). Finally, there is an overarching need to understand the
importance of diverse perspectives in cybersecurity to bring forth the necessary creative
solutions to defend against the diverse cybercriminal threats with different motivations
worldwide (Allen, 2022; Andress, 2022).
Overview of Theoretical Framework and Methodology
To analyze and address my problem of practice, I used expectancy value theory (EVT)
as my theoretical framework in this qualitative research. Eccles et al. (1983) developed EVT to
understand gender differences, such as why high school girls choose not to take science,

5
technology, and math (STEM) classes despite receiving similar successes and failures as boys
in those subjects in elementary and middle school (O’Dea et al., 2018). Eccles et al. (1983)
developed their model with the assumption that children’s past successes or failures do not
determine their future expectancies, values, and behavior. Instead, it is a child’s interpretation
and perception of their current and ongoing reality that influences achievement outcomes and
future goals, such as friends’ and family’s (socializers) beliefs and behaviors, gender identity
roles (e.g., stay-at-home moms while dad is employed), and stereotypical characteristics
(masculine/feminine) of tasks (Eccles et al., 1983). Because EVT suggests that individuals’
behaviors and choices are driven by their expectation of success and their value on those
outcomes, EVT provided a comprehensive understanding of how men and women of color and
White women cybersecurity professionals decided to pursue careers in the field or not (Eccles
et al., 1983). EVT imparted insight into individuals’ motivation, their expectation of success, the
value placed on their cybersecurity careers, and the associated costs involved (Eccles et al.,
1983; Wigfield et al., 2017). Gathering this information from men and women of color and White
women cybersecurity professionals for this study will further illuminate the factors contributing to
the diversity workforce shortage and the interventions to potentially improve recruitment and
reach-outs.
Definitions
Attainment Value
Refers to the meaningfulness of a task towards goals (Rosenzweig et al., 2019).
Cost
Refers to the cost benefit analysis in EVT that comprises of loss of valued alternatives,
sunk cost, financial cost, social cost, effort required, emotional cost, and psychological cost
(Wigfield et al., 2017).

6
Cybercrime
According to Encyclopedia Britannica, refers to “the use of a computer as an instrument
to further illegal ends such as committing fraud, trafficking in child pornography and intellectual
property, stealing identities, or violating privacy” (Dennis, 2023, para. 1).
Cybersecurity
Refers to the practice of preventing and defending computers, servers, mobile devices,
electronic systems, networks, and data from malicious attacks. It is also known as information
security (infosec) and information technology security (Cybersecurity and Infrastructure Security
Agency [CISA], 2021a).
Cybersecurity Workforce/Cybersecurity Professionals
Refers to people working in the cybersecurity field which spans a number of different
roles (U.S. Department of Defense Chief Information Officer [DoD CIO], n.d.) across multiple
industries and disciplines such as government, financial, retail, etc. Examples include but are
not limited to cybersecurity analyst, cybersecurity engineer, computer forensics specialist,
security consultants, and network security engineer.
Diversity
For the purposes of this study, refers to the inclusion of individuals from different cultural
and ethnic backgrounds, genders, and races.
Effort Required (Cost)
Refers to the amount of effort needed to succeed (Eccles et al., 1983).
Emotional Cost
Refers to the high levels of negative feelings towards task engagement (Robinson et al.,
2019).
Expectancy Value Theory
Postulates achievement-related choices and performance are motivated by a person’s
expectations of success and subjective task value (Eccles et al., 1983).

7
Expectation of Success (Expectancy)
A component of EVT comprised of past experiences and environmental factor that
determines an individual’s belief and confidence on their likelihood to succeed (Eccles et al.,
1983).
Financial Cost
Refers to the financial burden incurred through spending time and energy on a task
(Wang & Xue, 2022).
Generation Z
People born between 1997 and 2007 (Medina et al., 2007).
Intrinsic Value
Refers to the enjoyment of a task towards goals (Rosenzweig et al., 2019).
Loss of Valued Alternatives (Cost)
Refers to an individual’s loss of time that could be used to engage in other valued
activities (Eccles et al., 1983).
Problem of Practice
Refers to the lack of diversity in the cybersecurity field, contributing to the shortage of
cybersecurity professional workforce.
Psychological Cost
Refers to consequences of task engagement such as the anticipated anxiety and stress
of failure (Eccles & Wigfield, 2020).
Subjective Task Value (Value)
A component of EVT comprised of intrinsic value, attainment value and utility value while
also influenced by the cost (Eccles et al., 1983).
Sunk Cost
Refers to the money, time, and effort spent towards task engagement (Gould, 2023).

8
Utility Value
Refers to the usefulness of a task towards goals (Rosenzweig et al., 2017).
Organization of the Dissertation
This dissertation comprised of five chapters. Chapter 1 introduces my problem of
practice, the context and background of the study, the purpose of the study and the research
questions, an overview of the theoretical framework, and pertinent definitions. Chapter 2
presents the conceptual framework as well as the literature review containing the historical
context, challenges in changing recruitment in cybersecurity, lessons learned in diversity
recruitment in other industries, and reasons underlying my problem of practice. Chapter 3
provides an overview of the study’s design, data collection, data sources, validity and reliability,
ethics, and limitation and delimitation. Chapter 4 documents the findings of each research
question. Lastly, Chapter 5 discusses the summary of findings, commonalities between the
findings and the literature review, recommendations for practice, implementation of
recommendations, recommendations for future research, and the conclusion.

9
Chapter Two: Literature Review
As society increasingly relies on technology, cybersecurity has transformed into a
dynamic landscape encompassing various threats and challenges that necessitate diverse
viewpoints for effective defense (Donegan, 2020; Zurkus, 2016). As a result, the demand for
skilled cybersecurity workers has surged beyond technical skills and capabilities, such as a
positive attitude, adaptability, teamwork, people skills, and communication skills (Haney &
Lutters, 2017; Zurkus, 2016).
In this chapter, I delve into the extensive body of literature surrounding three critical
aspects in solving the U.S. cybersecurity workforce shortage: current solutions, the impact of
meritocratic ideals on the industry, and existing diversity problems within the field. In addition, I
provide insight on how the U.S. military has approached recruitment when faced with problems
in diversity and a workforce shortage. In the latter part of the chapter, I discuss EVT as my
study’s conceptual framework and apply it to the cybersecurity workforce shortage to analyze
how individuals decide to pursue careers in the field.
Solving the Cybersecurity Workforce Shortage
There are three prominent recommendations to solve the cybersecurity workforce
shortage: K–12 education recommendation, post-secondary education partnerships
recommendation, and government and employer responsibilities recommendation. These
recommendations have merit but have several issues requiring resolutions prior to becoming
solutions to the cybersecurity workforce shortage problem.
K–12 Education Recommendation
Eccles et al.’s (1983) EVT study found that parents’ and educators’ beliefs and attitudes
strongly influenced children’s achievement-related beliefs, expectancies, and plans (Owusu et
al., 2021). Therefore, leveraging educators’ influence on students is a valuable strategy to solve
the cybersecurity workforce shortage. Many have suggested improving the K–12 STEM
programs to promote careers in cybersecurity, emphasizing the importance of recruiting girls

10
into STEM, and exposing students to different cybersecurity professions and cybersecurity
concepts (Accenture, 2020; Decrosta, 2021; EdWeek Research Center, 2020). These
suggestions and recommendations are critical in promoting the cybersecurity profession in K–12
because they provide opportunities to show students how cybersecurity has meaning
(attainment value), potential for fun (intrinsic value), and usefulness (utility value). However,
foundational changes need to occur for these programs to thrive, such as educators’ lack of
cybersecurity knowledge, the existence of digital deserts, and the growing cyberattacks in K–12
schools.
K–12 Cybersecurity and Technology Knowledge
The COVID-19 pandemic accelerated the reliance and usage of technology in K–12
programs (Bushweller, 2020). Despite the uptick in technology, educators still need training and
professional development to promote technology usage and integration into their classrooms
(Bushweller, 2020). As a result, educators have limited technical knowledge to include
cybersecurity, where 44% of K–12 and college educators have not had basic cybersecurity
training and another 8% were unsure if they received any cyber training (EdWeek Research
Center, 2020; A. Klein, 2021; Rahman et al., 2020). Yet, there is a societal expectation for K–12
programs to provide children with cybersecurity education to protect themselves from cyber
threats, foster digital citizenship, and promote cybersecurity best practices in everyday life
(Ballantyne, 2016). Therefore, the K–12 Education recommendation is potentially dependent on
educators possessing cybersecurity skills and knowledge to teach and influence K–12 students.
In theory, this strategic influence would then increase children’s achievement-related beliefs,
expectancies, and plans to study and pursue cybersecurity as a career (Eccles et al., 1983;
Owusu et al., 2021; Petruzzelli & Nidhi, 2019).
K–12 Cyber Attacks
However, educators’ lack of cybersecurity skills and knowledge is further compounded
with the reality that 56% of K–12 schools worldwide reported cyberattacks in 2021–2022

11
(Riddell, 2022). Since 2005, U.S. schools have reported 2,691 data breaches in K–12 school
districts and colleges/universities, affecting 32 million student records (Cook, 2023). If K–12
schools cannot protect themselves from cyber-attacks, students do not have a safe digital
environment to experience and emulate cybersecurity best practices in school. Therefore,
teaching students about cybersecurity becomes a moot point considering cybersecurity is a
combination of technology and human behavior best practices (CISA, 2022; Government
Accountability Office [GAO], 2022a; Thortenson, 2023). For example, schools may implement
12-digit passwords in their learning software. However, if educators share their passwords or
have the same password across personal and professional online accounts, the risk increases
for the password to become compromised by a malicious actor. These actions increase the risk
of a data breach and the security of the software. As a result, K–12 schools need to train their
educators in cybersecurity and have a safe digital environment for their students (CISA, 2021b;
CISA, n.d.). At a minimum, this may teach students to become better digital citizens. On the
other hand, educators practicing cybersecurity may spark students’ interest in the field because
educators are two to three times more impactful on students’ academic performance over any
other school factor (Eccles et al., 1983; Opper, 2019; Owusu, et al., 2021).
To help U.S. K–12 schools provide a safe digital environment, three federal agencies are
assigned to assist and advise K–12 schools against cyber threats: the Department of Education,
the Department of Homeland Security’s CISA, and the Federal Bureau of Investigation (CISA,
2023a; CISA, 2023b; CISA, n.d.; GAO, 2022a). Despite these relationships and the availability
of cybersecurity education material, K–12 schools and these agencies do not have formal
channels to address cybersecurity risks and incidents nor a feedback loop to discuss the
effectiveness of existing cybersecurity practices (CISA, 2021b; CISA, n.d.; GAO, 2022a). As a
result, K–12 schools’ computer networks are increasingly cyber-attacked, resulting in
ransomware attacks, stolen personally identifiable student and staff data, and disrupted
distance learning services (CISA, 2020; GAO, 2022a). To understand the gravity of the problem,

12
Microsoft’s (2023) threat activity tracker has reported the education industry as having 80% of
all reported malicious enterprise software or malware encounters within the last 30 days. In
other words, of the 9.5 million Microsoft-tracked devices with malware, 7.6 million are devices
from the education industry (Microsoft, 2023). Generally, there is a lack of standardized
cybersecurity policies and guidance for K–12 schools and cybersecurity personnel to protect
and configure all the schools’ devices and data (Altman, 2021; CISA, 2020; GAO, 2022a).
K–12 Digital and Technology Deserts
In addition to the lack of cybersecurity education and having a safe digital school
environment, inaccessibility and inequity run rampant in public schools, rural areas, and highpoverty communities within the United States (Bushweller, 2020; EdWeek Research Center,
2020). These disparities are known as the digital and technology deserts within the U.S. which
became more prevalent during the COVID-19 pandemic, wherein 50% of low-income families
and 42% of families of color did not have internet and the technology required for online
education (Abel, 2023; EdWeek Research Center, 2020). In March 2020, 15 million students
were estimated not to have broadband internet (Campbell et al., 2021), thereby increasing the
achievement gap of low-income students and students of color (Abel, 2023). As a result, if all
students were taught cybersecurity at school, some of the students of color and low-income
students would not be able access technology to do their cybersecurity homework. These facts
potentially impact the value students associate with technology and cybersecurity secondary to
relative inaccessibility for low-income students and students of color.
To help resolve some of the inaccessibility and inequity, the U.S. Department of
Commerce announced in May 2022 the “Internet for All” initiative to bring affordable and reliable
high-speed internet to everyone in America (U.S. Department of Commerce, 2022). However,
only $65 billion of the needed $80 billion that the Federal Communications Commission
estimated for the “Internet for All” initiative was approved in President Biden’s bipartisan
infrastructure bill (Campbell et al., 2021). Therefore, “Internet for All” may still be a bridge too far

13
for those living in rural areas (Campbell et al., 2021; Levin, 2016; Porter, 2021). This is not a
new problem for rural America considering the U.S. federal government has tried to expand
broadband internet since the Telecommunications Act of 1996 with limited progress (Campbell
et al., 2021; Sun, 2021). Concurrently, there is additional, external urgency for the U.S. to solve
the internet accessibility problem because the United Nations (UN, 2016) has decreed internet
access as a fundamental human right (Mhlungu, 2022). According to the UN (2016),
intentionally preventing or disrupting access to information online violates international human
rights laws (Mhlungu, 2022). Therefore, the U.S. must prioritize the accessibility and equity in its
digital and technology deserts to meet the UN’s fundamental human right of internet access.
To help U.S. and global decision-makers enact policies helping people worldwide
connect to the internet in a useful and empowering way, the Alliance for Affordable Internet
(A4AI) proposed a target known as meaningful connectivity (A4AI, 2019). Meaningful
connectivity consists of four dimensions of internet access that matter most to users. There are
four dimensions and the corresponding thresholds: (a) the minimum threshold for regular
internet use is daily; (b) the minimum appropriate device threshold is access to a smartphone;
(c) the minimum threshold for data is an unlimited broadband connection at home or a place for
work or study; and (d) the minimum threshold for a fast connection is 4G mobile connection
speed (A4AI, 2019).
Future U.S. Government Efforts to Strengthen K–12
Consequently, if K–12 educators have limited cybersecurity knowledge (EdWeek
Research Center, 2020; A. Klein, 2021; Rahman et al., 2020), most K–12 schools are therefore
vulnerable to cyber-attacks (CISA, 2020; GAO, 2022; Thortenson, 2023). In addition, 50% of
low-income students and 42% of students of color have limited to no access to the internet and
other technologies (Abel, 2023; EdWeek Research Center, 2020) and thus the K–12 Education
cybersecurity is an unreliable resource recommendation for resolving the workforce shortage.
To address most of these issues, the 2022 National Workforce and Education Summit at the

14
White House announced efforts to strengthen the K–12 system to prepare students for
cybersecurity job opportunities (The White House, 2022). The initiative comprises two
categories: (a) the National Security Agency will assist the U.S. Department of Education in
providing technical assistance to state and local educational agencies to accelerate the
adoption and implementation of middle schools’ cybersecurity career and technical education
pathways; and (b) the U.S. Department of Commerce will make its cybersecurity workforce
framework to provide curricula and resources for K–12 educators (The White House, 2022).
The result of these initiatives is an update to the current National Initiative for
Cybersecurity Education (NICE) Cybersecurity Workforce Framework, which is part of CISA’s
National Initiative for Cybersecurity Careers and Studies (NICCS). The NICE Framework is a
U.S. nationally-focused resource categorizing and describing cybersecurity work across public,
private, non-profit, and academic sectors (CISA, 2024; CISA, 2020; Petersen et al., 2020). The
NICE Framework was initially published in August 2017; the latest update was in November
2020 (Petersen et al., 2020). Therefore, it is unclear whether the 2022 initiatives will promote
positive changes to the K–12 systemic problems considering the NICE Framework has existed
since 2017 but has yet to resolve the lack of cybersecurity knowledge among educators and
students.
Post-secondary Education Partnership
U.S. post-secondary education and training institutions have found it challenging to keep
pace with the need for cybersecurity talent due to the growing sophistication of cybercrime and
cyber threats (Crumpler & Lewis, 2019). Furthermore, there is a discrepancy between provided
cyber education and what employers need as evidenced by cybersecurity educational programs
emphasize more governance-related topics in cybersecurity such as policy planning and
compliance audit (Crumpler & Lewis, 2019). In comparison, employers have a greater need for
technical cybersecurity topics such as secure system design and security tool development
(Crumpler & Lewis, 2019). As a result of this discrepancy, 61% of hiring organizations felt that

15
fewer than half of all applicants for cybersecurity positions were qualified (Crumpler & Lewis,
2019), while 43% of hiring organizations could not find qualified cybersecurity talent (Coker,
2022).
Center for Strategic and International Studies Recommendations
In 2019, the Center for Strategic and International Studies (CSIS) provided
recommendations to close the talent gap, such as the National Security Agency and
Department of Homeland Security (DHS) raising the eligibility criteria for more computing
fundamentals and hands-on learning experience for schools to receive the Center of Academic
Excellence in Cyber Defense (CAE-CD) designation (Crumpler & Lewis, 2019). There are 406
educational institutions with the CAE-CD designation (CAE Community, 2022), a 76% increase
since 2019 (Crumpler & Lewis, 2019). CSIS’ second recommendation was to utilize the National
Institute of Standards and Technology’s (NIST) NICE program as a building block for educators,
employers, and cybersecurity competition providers to work together in standardizing
performance measures across cyber competitions and aligning these challenges with the NICE
Cybersecurity Workforce Framework (Crumpler & Lewis, 2019). As stated above, the NICE
Framework’s last update was in 2020, but the 2022 National Workforce and Education Summit
indicates additional future updates (The White House, 2022).
2022 Pledges and Commitments
In addition to the NICE Framework update, the White House fact sheet from the 2022
National Workforce and Education Summit provided a list of organizations and post-secondary
educational institutions with pledges to improve cybersecurity education and skills-based
pathways to cybersecurity jobs (The White House, 2022). These organizational and educational
pledges are intended to recruit more cybersecurity candidates through different channels, such
as apprenticeships, cybersecurity boot camp scholarships, and free training. In addition, these
programs are targeting specific groups, such as K–12 students, women, underrepresented
communities of color, and U.S. military veterans.

16
• Accenture, a global strategy and consulting company, has committed to creating
access to new roles in cybersecurity, cloud, and other technical areas through
apprenticeship and upskilling programs (The White House, 2022).
• Johns Hopkins University’s Alperovitch Institute for Cybersecurity Studies has
committed to training postgraduate students to become future policymakers and
practitioners for leading firms and government agencies in the field of
cybersecurity (The White House, 2022).
• Auburn University’s Ginn College of Engineering is partnering with the U.S.
Department of Energy to incorporate its national cyber-informed engineering strategy
throughout Auburn’s engineering and computer science programs (The White
House, 2022).
• Cisco has committed to training an additional 200,000 students in the U.S. (The
White House, 2022).
• CompTIA, a leading certification provider, will use its training and certifications to
provide job seekers with the skills needed for a career in IT and help employers
realize the benefits of IT apprenticeships (The White House, 2022).
• Dakota State University’s $90 million investment in a cyber-research initiative will
double the annual number of graduates over the next 5 years, launch a state-wide
Governor’s Cyber Academy accessible to all high school students, and build and
operate an applied research laboratory facility in Sioux Falls, South Dakota (The
White House, 2022).
• Fortinet, a cybersecurity solution and service provider, has committed to: (a) closing
the cyber skills gap by making its information security awareness and training service
available for free for all K–12 school districts across the U.S; (b) expanding its free
training offerings provides the potential to help more than 8 million staff and faculty
members in U.S. schools become more cyber aware and improve their skillsets to

17
avoid breaches at educational institutions; and (c) advance Fortinet’s pledge to train
1 million people in cybersecurity by 2026 (The White House, 2022).
• IBM committed to training 150,000 people in cybersecurity skills in 2021 and, in
2022, has furthered its commitment by creating more pathways to cybersecurity
careers through its new cybersecurity leadership centers with historically Black
colleges and universities (HBCUs) and minority serving institutions (The White
House, 2022).
• ISC2 announced their One Million Certified in Cybersecurity program, pledging to put
one million people through its entry-level certification exam and education program
for free (The White House, 2022). Over 500,000 of the one million course
enrollments and exams will go toward students of HBCUs, MSIs, tribal organizations,
and women’s organizations across the United States and the globe (The White
House, 2022).
• NPower, a national non-profit, will offer skill development opportunities and free IT
training and credentials to U.S. military-connected individuals and young adults from
underserved and underrepresented communities to prepare them for careers in
cloud computing and cybersecurity (The White House, 2022).
Employer and U.S. Government Responsibility
In 2017, NIST developed the NICE Cybersecurity Workforce Framework standard,
Special Publication (SP) 800-181, to establish a taxonomy and lexicon for all cybersecurity work
and workers (NIST, n.d.) in conjunction with U.S. industry, government, academia, and nonprofit organizations (Sussman, 2021). Iterations of the NICE Framework started as early as
2007 when the DHS recognized that the cybersecurity workforce had yet to be defined or
assessed (NIST, n.d.). The most current version, NIST SP 800-181 Revision 1 (2020), is
relatively less detailed and prescriptive to improve agility, flexibility, interoperability, and
modularity of different organizations and their cybersecurity needs (NIST, 2020).

18
The results of the NICE Framework development include four components of task,
knowledge, skills, and ability to formulate the cybersecurity work roles to depict today’s
cybersecurity worker (CISA, 2024; Newhouse et al., 2017; Peterson et al., 2020; Sussman,
2021). Figure 1 illustrates the 2017 NICE cybersecurity work categories, and Figure 2 depicts
the 33 specialty areas within each category based on the 2017 NICE Framework.
Figure 1
2017 NICE Framework Cybersecurity Work Categories
Note. From NIST Cyber History by NIST, n.d. (https://csrc.nist.gov/nist-cyber-history).

19
Figure 2
Sussman’s (2021) Adaptation of NICE 2017 Workforce Framework
Note. Adapted from “Workforce Framework for Cybersecurity (NICE Framework),” by R.
Petersen, D. Santos, M. C. Smith, K. A. Wetzel, and G. Witte, 2020, NIST Special Publication
800-181, Rev.1. In “Exploring the Value of Non-Technical Knowledge Skills and Abilities to
Cybersecurity Hiring Managers,” by L. Sussman, 2021, Journal of Higher Education Theory and
Practice, 21(6), p.100. Copyright 2021 by North American Business Press.
According to NIST SP 800-181 Revision 1, the removal of categories, specialty areas,
and work roles is to simplify the approach for organizations to implement the NICE Framework
by presenting them with a streamlined set of building blocks or tasks, knowledge, and skills

20
(NIST, 2020). However, these changes may have been too extreme, considering the NICE
Framework decreased from 144 pages to 27 pages, and the proposed 2023 changes include
the return of work categories and roles. Figure 3 is the return of work role categories and their
proposed name changes. Table 1 shows the proposed changes to the descriptions of each work
category.
Figure 3
NIST (2024) Work Role Categories
Note. From Unveiling NICE Framework Components v1.0.0: Explore the Latest Updates Today!
by NIST, 2024. (https://www.nist.gov/news-events/news/2024/03/unveiling-nice-frameworkcomponents-v100-explore-latest-updates-today).

21
Table 1
NIST (2023) Proposed Work Role Category Descriptions
Proposed
category name
2017 description Proposed description
Oversight and
governance
Provides leadership, management,
direction, or development and
advocacy so the organization
may effectively conduct
cybersecurity work.
Provides leadership, management,
direction, and advocacy so the
organization may effectively
manage cybersecurity-related
risks to the enterprise and
conduct cybersecurity work.
Design and
development
Conceptualizes, designs, procures,
and/or builds secure information
technology systems, with
responsibility for aspects of
system and/or network
development.
Conducts research,
conceptualizes, designs, and
develops secure technology
systems and networks.
Implementation
and operation
Provides the support,
administration, and maintenance
necessary to ensure effective and
efficient information technology
system performance and security.
Provides the implementation,
support, administration, and
maintenance necessary to
ensure effective and efficient
technology system performance
and security.
Protection and
defense
Identifies, analyzes, and mitigates
threats to internal information
technology systems and/or
networks.
Protects against, identifies, and
analyzes risks to technology
systems or networks. Includes
investigation of cybersecurity
events or crimes related to
technology systems and
networks.
Intelligence Performs highly-specialized review
and evaluation of incoming
cybersecurity information to
determine its usefulness for
intelligence.
Performs highly specialized review
and evaluation of incoming
cybersecurity information to
determine its usefulness for
national intelligence.
Cyberspace
effects
Provides specialized denial and
deception operations and
collection of cybersecurity
information that may be used to
develop intelligence.
Plans, supports, and executes
cybersecurity for cyberspace
capabilities where the primary
purpose is to externally defend
or conduct force projection in or
through cyberspace.
Note. Adapted from NICE Framework Work Role Categories and Work Roles: An Introduction
and Summary of Proposed Updates by NIST, 2023.
(https://www.nist.gov/system/files/documents/2023/04/18/NICEFramework_WRrev_introApr202
3.pdf).

22
As of March 2024, the proposed NICE Framework 2023 changes resulted in the
additional publication of the NICE Framework Components v1.0.0 (NIST, 2024). The NICE
Framework Components provides a cybersecurity workforce framework consisting of work
categories, work roles, competency areas, and task, knowledge, and skill statements (NIST,
2024). In addition, the NICE Framework Components v1.0.0 explains the relationship between
the components (NIST, 2024).
Human Resources and Talent Acquisition
The NICE Framework provides an example of the complexity and needs of a fully
functioning cybersecurity workforce to include specific knowledge and skills needed for each
work roles’ tasks. As a result, human resources (HR) and hiring managers have the information
within the NICE Framework and the corresponding NICE Framework Components to develop
better job postings. Figure 4 illustrates how employers can use the NICE Framework to develop
job descriptions by breaking down the tasks of the work role and the required skills and
knowledge needed to succeed.

23
Figure 4
Petersen et al.’s (2020) NIST Work Roles’ Relationship to Building Blocks
Note. From “Workforce Framework for Cybersecurity (NICE Framework)” by R. Peterson, D.
Santos, M. C. Smith, K. A. Wetzel, and G. Witte, 2020, NIST Special Publication 800-181 Rev.1,
p. 11. (https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-181r1.pdf).
Job Descriptions and Certifications. Limited literature, data, and metrics exist on the
successful implementation of the NICE Framework throughout the United States. However, the
growing workforce shortfall and unfilled cybersecurity job openings in the United States indicate
more organizations need to utilize the NICE Framework to understand their cybersecurity needs
and subsequently develop job postings based on those needs (Palmer, 2021). HR across all
industries, government, academia, and non-profit are using traditional hiring templates and
practices focused on the minutiae of degrees, certifications, and expectations of skills and
experience to find qualified candidates (Balaraman, 2021; Miller, 2021). Unfortunately for HR,

24
cybersecurity does not fit this paradigm, and cybersecurity expertise is found in a candidate’s
inquisitive nature, problem-solving skills, technical aptitude, and the ability to understand the
interdependencies of people, systems, and applications (Balaraman, 2021; CISA, 2019; Miller,
2021).
The cybersecurity career pathway does not have the exact prescribed requirements as
other professions, such as medical doctors or attorneys. Instead, it is a career pathway with
multiple entrances, including but not limited to traditional education, certifications, boot camps,
internships/apprenticeships, and on-the-job training (CISA, 2019). This ability to enter
cybersecurity multiple ways has made it easier for those entering the field but harder for
traditional HR practitioners to find qualified cybersecurity candidates. Therefore, employers
must be responsible for understanding their cybersecurity needs and determining the essential
skills needed for the cybersecurity job posting (Balaraman, 2021). This practice promotes
searching for specific cybersecurity skills in a candidate, not certifications or degrees (Taylor,
2023).
With such complexities in developing job descriptions and identifying recruiting pipelines
across a multi-entrance career pathway, HR and cybersecurity hiring managers must have a
strong and effective relationship (ISC2, 2019). It is the hiring manager’s responsibility to define
the ideal cybersecurity candidate via skills and, in return, HR provides feedback and expertise
on their recruiting experience across the different hiring pipelines (ISC2, 2022). However,
despite the necessity of this relationship, only 40% of surveyed hiring cybersecurity managers
said HR adds value to the recruiting process in a cybersecurity workforce study (ISC2, 2022).
External and Internal Hiring Approaches. With an effective partnership between HR
and cybersecurity, building a solid cybersecurity team requires a two-prong approach: (a) nearterm or external hires and (b) long-term or internal hires (ISC2, 2019). The top recruiting
sources for external hires are recent educational institution graduates and career changers for
early-in career cybersecurity positions (ISC2, 2019). The top recruiting pipelines for

25
cybersecurity positions requiring specifically relevant experience are consulting or contracting
employees and security hardware/software vendors (ISC2, 2019). The latter external pipelines
will likely have advanced knowledge in cybersecurity and cybersecurity certifications (ISC2,
2019). To provide context in what an organization gains in hiring more experienced external
cybersecurity talent or the loss of losing cybersecurity talent, the U.S. military estimated the
training and certification of one cybersecurity U.S. military service member is between $220,000
to $500,000 (GAO, 2022b).
The second hiring approach to building a solid cybersecurity team is growing internal
employees (ISC2, 2019). Organizations with programs that develop internal talent, such as
rotating job assignments, mentoring programs, and encouraging employees outside of
cybersecurity to learn about cybersecurity, lessen their cybersecurity workforce shortage (ISC2,
2022). Furthermore, organizations that develop a retention strategy that encourages career
progression and professional development for their existing cybersecurity employees can
translate to increased job satisfaction and loyalty (Kevis, 2024). This reduces an organization’s
risk of losing their cybersecurity talent by investing in their employees’ cybersecurity training and
promoting from within their cybersecurity teams. As organizations promote from within, they can
make available the vacated early-in career cybersecurity positions. With these early-in career
positions available, organizations could then take advantage of the top recruiting sources:
recent educational institution graduates and career changers (ISC2, 2019).
Belonging
The cybersecurity industry needs to change its hiring and retention practices to promote
diversity and inclusion and resolve its reputation of having toxic work environments and culture
(de Magalhães, 2022). People outside the cybersecurity industry view it as highly exclusionary
of underrepresented groups, sustaining an environment of traditional gender roles that rewards
misogyny and harassment, and promoting elitism by requiring degrees and certifications (de
Magalhães, 2022; Merkel, 2022). Therefore, as long as the cybersecurity industry is not

26
welcoming toward underrepresented groups, the talent pool will remain small as these
underrepresented groups will not join an industry known for excluding people like them (Merkel,
2022). In a survey report, 81% of respondents feel toxic work environments would prevent them
from exploring a career in cybersecurity. Additionally, 44% of respondents likely to pursue a
career in cyber technology feel toxic work environments would prevent them from entering the
cybersecurity industry (Champlain College, 2021).
To turn this exclusionary reputation around, the cybersecurity industry must embrace
people’s differences in a way that welcomes people to be themselves (Raz, 2020). Because
diversity and belonging have become interdependent workplace expectations, cybersecurity
organizations should ensure their employee recruitment and retention strategies also
encompass belonging (Argo & Sheikh, 2023; Merkel, 2022; Twaronite, 2019).
Maslow (1943) recognized belonging as a fundamental human need within his hierarchy
of needs, and Coqual (2020) defined belonging in the workplace. Belonging in the workplace is
feeling seen for unique contributions, connected to co-workers, supported in daily work and
career development, and proud of an organization’s values and purpose (Coqual, 2020). In
addition, Argo and Sheikh (2023) identified key and representative facets of the belonging
barometer as social connections, psychological safety, and co-creation. Social connections
measure emotional connections, feeling welcomed and included, and relationship satisfaction
(Argo & Sheikh, 2023). Psychological safety measures individuals’ ability to express opinions,
value contributions, and bring their whole, authentic selves to the workplace (Argo & Sheikh,
2023). Co-creation measures one’s perception of equal treatment in the workplace, fitting into
the workplace community, and ability to influence decisions (Argo & Sheikh, 2023).
Workplace environments with a high belonging barometer will likely see more employee
creativity, better job performance, increased organizational loyalty, higher employee retention
rates, fewer health complaints, and fewer missed days at work (Argo & Sheikh, 2023; Coqual,

27
2020). The cybersecurity industry needs these attributes to increase the talent pool, retain
cybersecurity workers, and lure non-traditional cybersecurity candidates.
Belonging for Generation Z and Beyond
Belonging is not just a topic that organizations need to address for the current
workforce, but it is a requirement in recruiting for Generation Z and beyond. Generation Z
identify as compassionate, open-minded, determined, and wanting to impact the world
positively; they value authenticity, work-life balance, and transparency (Haney & Lutters, 2017;
Medina et al., 2023). Because this is the first native digital generation, they will likely have a
different perspective on cybersecurity and approach it differently, having been exposed to the
internet and technology at an early age (Haney & Lutters, 2017). Therefore, to leverage this
different perspective an opportunity exists for the cybersecurity industry and the organizations
within it to have belonging programs that appeal to Generation Z. For example,
underrepresented Generation Z individuals with cybersecurity training want to apply their
knowledge within organizations demonstrating established inclusivity and diversity goals and
plans, such as mentorship programs and support groups (Carr & Opare, n.d).
Meritocracy
Technology companies such as Red Hat and Qvest have touted how meritocracy
continues to breed success in their workplace (Crosslind, 2020; Lu, 2022; Whitehurst, 2014).
The meritocratic ideal emphasizes how the most entrepreneurial or technologically skilled will
gain wealth and prestige, while those without these skills face unemployment and low-paid work
(Crosslind, 2020). In other words, meritocracy is the belief that hard work and intelligence result
in promotions or upward mobility without the influences of internal politics, gender, race, wealth,
or social class (Crosslind, 2020; Liu, 2011; Lu, 2022).
Based on this definition and ideal, meritocracy in U.S. technology companies should
have a similar societal representation of men and women of color and White women within their
workforce. However, White and Asian men disproportionately dominate the technology industry

28
(Crosslind, 2020; Dean & Bhuiyan, 2020). In response, technology companies have blamed the
lack of job applicants as the reason behind the lack of minority representation in their workforce
(Dean & Bhuiyan, 2020; Weise & Guynn, 2014), despite the steady pace of Black (9%)
graduates and the growing number of women (53%) and LatinX (12%) graduates in STEMrelated bachelor’s degrees (Fry et al., 2021). Table 2 compares the U.S. population and the
U.S. tech industry population.
Table 2
U.S. Diversity Stats for Tech
Ethnicity U.S. population U.S. tech industry population
White 60% 68%
Black 13% 7%
Asian 6% 14%
Hispanic/LatinX 18% 8%
Other 2% 1%
Mixed race 3% 1%
Note. Employer information numbers may not add up to totals due to rounding.
Adapted from EEO-1 Single, Headquarters, and Establishment Reports by EEOC, 2014.
(https://www.eeoc.gov/special-report/diversity-high-tech).

29
In addition, leadership positions lack minority representation in comparison to White men
(Crosslind, 2020; Weingarten & Kofman-Burns, 2022) seen in Table 3, the equal employment
opportunity data gathered from 75 Silicon Valley tech firms (Equal Employment Opportunity
Commission [EEOC], 2014). According to Weingarten and Kofman-Burns (2022), there is a
decades-old tradition where employees ascending the career ladder will have an increased
representation for those in the majority but will significantly decrease for underrepresented
ones. If this data reflects meritocracy in organizations, then the data indicates that minorities in
technology have less merit than White men (Crosslind, 2020). However, this is likely not the
case, considering 51% of HR professionals admitted that the selection process for leaders gave
some employees an unfair advantage due to the process’ informality, lack of definition for high
potential leaders, and informal feedback (Weingarten & Kofman-Burns, 2022).
Table 3
EEOC’s (2014) Women/Men and Non-Whites/Whites in EEO Occupations
Professionals Sales Technicians Executives and
managers
combined
Women 30% 25% 23% 28%
Men 70% 75% 77% 72%
Total 100 100 100 100
Asian American 50% 11% 23% 36%
Black 2% 3% 11% <1%
Hispanic/LatinX 4% 6% 12% 1.6%
White 41% 77% 50% 57%
All other 3% 3% 4% 5%
Total 100 100 100 100
Note. From EEO-1 Single, Headquarters, and Establishment Reports by EEOC, 2014.
(https://www.eeoc.gov/special-report/diversity-high-tech).

30
Furthermore, group favoritism of helping others, like ourselves, is likely the cause of
most workplace discrimination (Armstrong, 2014; Greenwald & Pettigrew, 2014). After reviewing
several studies on workplace discrimination in the last 5 decades, Greenwald and Pettigrew
(2014) proposed “that unequal treatment in the form of doing favors for those like you, rather
than inflicting harm on those unlike you, causes the majority of discrimination in the United
States” (Armstrong, 2014, para. 8–9). This action would explain the minimal improvement in
employee diversity at technology companies, considering employee referrals are a primary form
of recruitment (Crosslind, 2020; Dean & Bhuiyan, 2020). For example, if an employee’s social
network lacks diversity, their referrals for job openings will likely reflect that lack of diversity,
thereby compounding the diversity problem (Crosslind, 2020; Dean & Bhuiyan, 2020).
Therefore, the problem is not a lack of qualified candidates but technology companies’
unwillingness to accept the meritocratic ideal does not work, especially if technology companies
want to see diversity reflective of society in the workplace (Crosslind, 2020). Technology
companies must re-evaluate their promotion process, referral process, and college recruitment
efforts to remove the ideas of meritocracy and unintentional discrimination in the form of favors
(Crosslind, 2020; Dean & Bhuiyan, 2020; Greenwald & Pettigrew, 2014; Weingarten & KofmanBurns, 2022).
Diversity in Technology
Since 2017, 2400 CEOs have signed pledges to enhance diversity and inclusion (CEO
Action Team, 2023; Ward, 2023). Major U.S. technology companies have made diversity,
equity, and inclusion (DEI) a priority in hiring practices and have collectively spent $8 billion a
year on DEI training (Oladipo, 2023; Wiley, 2021). Despite this expenditure and focus, progress
is far too slow (Wiley, 2021), as Tables 2 and 3 indicate. In addition, some organizations and
social leaders have reported ceasing their DEI initiatives, citing the initiative excluded some
demographics (e.g. White men), counter to a core American value of opportunity for all
Americans (Harmeling, 2023; Linnane, 2023; Merritt, 2024; Ray & Melaku, 2023; Weiss, 2023).

31
To further perpetuate the DEI problem, the ~240,000 tech layoffs from 2022–2023 (Crunchbase,
2023) have overrepresented women at 46% and LatinX at 12% (Linane, 2023; Oladipo, 2023).
Technology Without Diversity
As technology continually advances without a diverse workforce, technologies such as
artificial intelligence (AI) algorithms are at risk of perpetuating bias (e.g., racial and gender) if
data to train algorithms does not reflect the diversity of society (Reventlow, 2021). For example,
IBM, Microsoft, and Amazon’s facial recognition software have shown to only work accurately
for middle-aged White male faces but misclassified Black female faces 35% of the time
(Crockford, 2020; Hardesty, 2018; Reventlow, 2021). Studies on the accuracy of AI facial
recognition determined the problem was how the AI-powered facial recognition is trained and
not the AI technology itself (Crockford, 2020; Hardesty, 2018; Reventlow, 2021). Therefore, until
there is a change from primarily White males designing, developing, and engineering the
technology, technologies will remain at risk of bias and discrimination (Crockford, 2020;
Hardesty, 2018; Reventlow, 2021).
Including Vulnerable and Marginalized Groups in Technology
In addition to promoting a more diverse workforce in technology, it is necessary to
include vulnerable and marginalized groups when designing, engineering, and implementing
technologies for society (Anthony, 2023; Renaud & Coles-Kemp, 2022; Reventlow, 2021). The
exclusion of vulnerable and marginalized groups in developing technology solutions will
continue exacerbating the existing power imbalance (Renaud & Coles-Kemp, 2022). For
example, in the United States most Americans have cell phones, but there is more variation
among smartphone owners who are more than likely younger, more affluent, and highly
educated (Pew Research Center, 2021). See Table 4 for data on U.S. cellphone and
smartphone users.

32
Table 4
Pew Research Center’s (2021) Who Owns Cell Phones and Smartphones
Cellphone Smartphone Cellphone, but not
smartphone
Total 97% 85% 11%
Men 97% 85% 11%
Women 98% 85% 12%
Ages 18–29 100% 96% 4%
30–49 100% 95% 5%
50–64 97% 83% 12%
65+ 92% 61% 29%
White 97% 85% 11%
Black 99% 83% 15%
Hispanic 100% 85% 14%
High school or less 96% 75% 19%
Some college 98% 89% 9%
College graduates 98% 93% 5%
Less than $30,000 97% 76% 19%
$30,000–$49,000 97% 83% 14%
$50,000–$74,999 97% 85% 12%
$75,000+ 100% 96% 3%
Urban 98% 89% 9%
Suburban 97% 84% 12%
Rural 94% 80% 14%
Note. Survey of U.S. adults conducted May 19–September 5, 2023. Adapted from “Mobile Fact
Sheet” by Pew Research Center, 2021. (https://www.pewresearch.org/internet/factsheet/mobile).
The older, less affluent, and less educated generally have different usage patterns from
the majority, such as sharing older, unsupported hardware/software that may not have the latest

33
security updates due to the cost of smartphones and data plans (Anthony, 2023). As a result,
malicious actors may exploit these groups as they may also have low digital literacy and tech
familiarity (Anthony, 2023). Without adequate cyber and technology knowledge, marginalized
and vulnerable groups risk experiencing cyber fraud with calls and text messages requesting
monetary funds (Anthony, 2023; Renaud & Coles-Kemp, 2022). In addition, it is unlikely that
these groups will receive recompense after reporting the fraud due to limited institutional and
government trust, social status, and education level (Anthony, 2023).
Expanding the Scope of Cybersecurity
A possible solution to becoming more inclusive of vulnerable and marginalized groups is
expanding the scope of cybersecurity responsibilities in designing, developing, and
implementing technologies (Renaud & Coles-Kemp, 2022). The increased scope would address
a broader range of vulnerabilities, including identifying and understanding threats from different
perspectives, such as people experiencing homelessness, seeking protection and refuge from
another country, and needing help from domestic violence (Anthony, 2022; Renaud & ColesKemp, 2022; Reventlow, 2021).
Threat modeling is a cybersecurity activity that can bring technologists and marginalized
and vulnerable groups together to develop more inclusive security functionality in technologies
(Renaud & Coles-Kemp, 2022). Threat modeling examines applications, systems, and business
processes to determine security vulnerabilities and threats and then define countermeasures to
prevent or mitigate the effects of those vulnerabilities and threats (Cobb, n.d.).
Gender Diversity in Cybercrime
Although there is limited research and studies on the diversity of cybercriminals, it is
important to annotate a recent Trend Micro report on the uptick in underground cybercriminal
forums advertising jobs specifically for women (Fuentes, 2023). The jobs are primarily muling
(e.g., drug trafficking and money laundering), call center support, social engineering confidence
scams, and romance scams (Fuentes, 2023). The report further provides explicit feedback that

34
women are preferred for call-based confidence jobs because they have a higher success rate
for extracting personal information from scam victims (Fuentes, 2023). Overall, the report
approximates 30% of cybercriminals are women, but it remains inconclusive on whether women
are more accepted in cybercrime communities (Fuentes, 2023). Despite analyzing cybercriminal
forums via AI and text analyzer tools to determine gender, the report questions the results of
these tools due to the importance of cybercriminals’ anonymity and their abilities to mislead and
misrepresent their true identities (Fuentes, 2023). At the same time, the more business-focused
cybercriminal forums have created a more inclusive environment by adding a business rating to
its members’ reputation score and establishing a code of conduct (Fuentes, 2023). These forum
environment’s rules and etiquette of prohibiting bullying and all forms of harassment may appeal
to more women to join these cybercriminal forums (Fuentes, 2023). However, due to limited
studies, the data is only one indicator in the recruitment and increase of women into cybercrime;
therefore, this information is currently warning of a possible trend.
The report highlighted law enforcement and other cyber investigators should not assume
a malicious actor’s gender as it may undermine an investigation despite current data showing
men are the majority among cybercriminals (Fuentes, 2023). Furthermore, cybersecurity
workers need to design and architect cybersecurity solutions that account for all genders
considering the significant push for more females in STEM fields will likely increase women in
cybercrime (Fuentes, 2023). For example, some security tools use AI to determine the
behaviors of a malicious actor. If most malicious actors are men, then the AI may not recognize
a non-male malicious actor’s behavior and methodology as they hack an organization.
Recruiting Strategies for Diversity
The lack of diversity is not unique to the cybersecurity industry. Therefore, the
cybersecurity industry can leverage the recommendations from other industries, such as the
U.S. military and government agencies. Both industries have developed strategies to promote
the recruitment of underrepresented groups in the U.S. military and local, state, and federal

35
government agencies. For example, Rand Corporation has completed research studies on
recruiting women in the U.S. military (Yeung, et al., 2017) and hiring a diverse public sector
workforce (Goldman, et al., 2021). The recommendations for recruiting women in the U.S.
military are to (a) increase the proportion of female recruiters; (b) create female mentorship
programs; (c) increase advertising and promotional materials that highlight roles that women fill
in the U.S. military; (d) counter stereotypes and misperceptions in the U.S. military; and (e)
make better use of technology (Yeung, et al., 2017). In comparison, the recommendations for
hiring and recruiting a diverse public sector workforce are to (a) articulate the commitment to
recruit underrepresented individuals; (b) communicate the benefits of public sector careers; (c)
improve the awareness of job and internship opportunities; (d) foster preparation for career
entry and retention; and (e) institutionalize the connections between government and higher
education (Goldman, et al., 2021). Combining these two recommendations into a strategic plan
to recruit men and women of color and White women into cybersecurity may lessen the
cybersecurity workforce shortfall and promote diversity, equity, inclusion, and belonging.
Technology’s Role in Recruiting
Rand Corporation’s research on recruiting women in the U.S. military recommended the
U.S. military should make better use of recruiting technology (Yeung, et al., 2017). To make
better use of technology in recruiting, a different Rand research report suggests leveraging
machine learning and AI to find potential U.S. military recruits via a targeted marketing
campaign with the use of big data (Lim et al., 2019). See Figure 5 for Lim et al.’s (2019)
structure of data-enabled marketing process. In addition, the research report suggests using
marketing strategies such as microtargeting to find potential U.S. military recruits (Lim et al.,
2019). Microtargeting is the use of consumer and demographic data to determine the interests
of specific people with the intention to send targeted advertisements that align with their
interests on their preferred communication platform, such as social media (Wright, 2023).
Applying AI to these data sets, also known as big data, has the potential to create behavioral

36
and psychological profiles of potential recruits, predict their preferences, and gauge their
likelihood of joining the U.S. military (Lim et al., 2019). See Figure 6 Lim et al.’s (2019)
illustration of microtargeting.
Figure 5
Lim et al.’s (2019) Structure of Data-enabled Marketing Process
Note. From Leveraging Big Data Analytics to Improve Military Recruiting by N. Lim, B. R. Orvis,
and K. C. Hall, 2019, p. 40. (https://www.rand.org/pubs/research_reports/RR2621.html).
Copyright 2019 by RAND Corporation.

37
Figure 6
Lim et al.’s (2019) Illustration of Microtargeting
Note. From a presentation briefing by Mullen Lowe and Office of People Analytics. In
“Leveraging Big Data Analytics to Improve Military Recruiting” by N. Lim, B. R. Orvis, and K. C.
Hall, 2019, p. 43. (https://www.rand.org/pubs/research_reports/RR2621.html). Copyright 2019
by RAND Corporation.
AI and Machine Learning in Cybersecurity Recruiting.
Like the U.S. military, the cybersecurity industry could apply similar microtargeting
marketing campaigns to potential cybersecurity candidates. However, to apply this technology in
cybersecurity recruiting there needs to be an understanding of cybersecurity professionals, such
as common personality traits, interests, motivations (attainment, intrinsic, and utility values) and

38
lived experiences (expectancies). Furthermore, to apply a diversity lens to this recruiting
strategy the understanding should focus on current men and women of color and White women
cybersecurity professionals.
Fortunately, literature exists on cybersecurity professionals and cybersecurity
competition participants’ personality traits, interests, and non-technical skills (Bashir et al., 2016;
Freed, 2014; Haney & Lutters, 2017). However, there is limited research specific to
cybersecurity professionals who identify as men and women of color and White women. Haney
and Lutters’ (2017) found non-technical skills, such as likeability, positive attitudes, critical
thinking, adaptability, teamwork, empathy, relationship building, and communication skills as
core skills for an effective cybersecurity professional. In Freed’s (2014) personality trait study,
she compared 118 cybersecurity and information technology professionals. The study found
cybersecurity professionals scored high in intellect, adventurousness, and assertiveness while
scoring low in trust and vulnerability. Freed (2014) surmises that cybersecurity professionals
may have scored high in intellect due to the constant changes in cyberattacks and new
technologies. The ability to manage while expecting constant change is adaptability, which is a
higher level of aptitude, possibly resulting in higher scores of intellect (Freed, 2014; Mussel,
2013). In addition, cybersecurity professionals scored high in adventurousness and
assertiveness (Freed, 2014; Haney & Lutters, 2017). Adventurousness is an eagerness to try
new activities and experience different things, while familiarity and routine are dull (Freed,
2014). High scorers in assertiveness are likely individuals that are driven, competitive,
energetic, and work with greater vigor and purpose (Freed, 2014; Woods & Sofat, 2013).
Furthermore, Freed’s (2014) study findings identified cybersecurity professionals scoring low in
trust. Freed (2014) associated the need to protect companies and loved ones from outside
threats as the likely reason cybersecurity professionals are less likely to trust individuals.
Combining these research studies as a foundation to develop targeted marketing
campaigns using machine learning and AI has a potential for cybersecurity recruitment.

39
Specifically, cybersecurity recruiters can better understand the behavioral and psychological
profiles of potential candidates, predict their preferences, and gauge their likelihood of joining
cybersecurity (Lim et al., 2019). However, there is a risk this may perpetuate traditional and
homogeneous cybersecurity solutions if the research studies’ participants are the norm of
cybersecurity professionals: White, male, between the ages of 40-44, with a bachelor’s degree
in a STEM-related field (Deloitte Touche Tohmatsu Limited, 2021). Therefore, it is critical to
represent the diverse workforce needed when gathering recruiting data to bring in different
perspectives that can increase the potential of creative and innovative cybersecurity solutions
(Rankin, 2019; Tucker, 2022).
Conceptual Framework
Expectancy value theory (EVT) suggests that people’s expectations of success and their
value on the outcomes of their actions influence their choices and behaviors. Applying EVT to
the cybersecurity workforce shortage analyzed how individuals decide to pursue and not pursue
careers in the field.
Eccles et al. (1983) defined expectancy for success as a person’s belief in their ability
influences how they will perform a task (Rosenzweig et al., 2019). Subjective task value is a
person’s desire to complete a task, which is determined by a person’s interest/intrinsic value,
attainment value, utility value, and the influence of cost (Eccles et al., 1983). In furthering the
research of EVT and its application to student’s motivation and learning, Rosenzweig et al.
(2019) define intrinsic value as the enjoyment of completing a task, attainment value as the
meaningfulness of the task, and utility value as the usefulness of a task towards goals. Figure 7
is Eccles et al. (1983) EVT model.

41
Figure 7
Eccles et al.’s (1983) EVT Model
Note. From “Motivational Beliefs, Values and Goals” by J. Eccles, and A. Wigfield, 2002. Annual Review of Psychology, 53, p. 119.
Copyright 2002 by Annual Reviews.

42
In addition, Wigfield et al. (2017) strengthened the importance of cost in EVT by defining
cost as the cost-benefit ratio of doing an activity when determining its value to an individual.
Wigfield et al. (2017) identified cost components as loss of valued alternatives, sunk cost,
financial cost, social cost, effort required, emotional cost, and psychological cost. Figure 8
breaks down subjective task values and cost. In addition, Figure 8 depicts how the cost
negatively influences the overall subjective task values or the desire to complete the task.
Figure 8
Wigfield et al.’s (2017) Value Components and Cost Influence
Note. From “Achievement values: Interactions, interventions, and future directions” by A.
Wigfield, E. Q. Rosenzweig, J. S. Eccles, 2017. In A. J. Elliot, C. S. Dweck, & D. S. Yeager
(Eds.), Handbook of competence and motivation: Theory and application, 2nd ed., p. 124.
Copyright 2017 by The Guilford Press.

43
Similar to how Eccles et al. (1983) utilized EVT to understand gender and STEM
classes, I believe the EVT model will help me understand why men and women of color and
White women currently in cybersecurity choose to work in cybersecurity or not. Therefore, I
have interpreted the model for my research as seen in Figure 9, where the section in the
first/blue box is the individuals’ perception of their reality. This perception then feeds into
individuals’ second/orange box or expectation of success (Expectancy) and subjective task
value (Value) to provide insight into individuals’ achievement-related choice and performance
(Achievement). In addition, I created Figure 10 as the conceptual framework to apply to my
problem of practice. Figure 10 combines Wigfield et al. (2017) cost breakdown with Eccles et
al.’s (1983) right side of the EVT model, as highlighted in orange in Figure 9.

44
Figure 9
Interpretation of Eccles et al.’s (1983) EVT Model
Note. The first box from left to right is an individual’s perception of reality, which feeds into the second box. The second box from left
to right is an individual’s expectation of success (Expectancy) and subjective task value (Value). Adapted from “Motivational Beliefs,
Values and Goals” by J. Eccles, and A. Wigfield, 2002. Annual Review of Psychology, 53, p. 119. Copyright 2002 by Annual
Reviews.

4
5
Figure 10
Conceptual Framework
Potential cybersecurity
professional: men and women of
color and White women
Expectancy: How confident is an
individual in their ability to
succeed in cybersecurity?
Past experiences and
environmental influences can
determine success.
Value: How important, useful, or
enjoyable does the individual
perceive cybersecurity as a
profession?
Attainment value: aligning
career to personal interest
and long term goals
Intrinsic value: career growth
potential and continuous
learning
Utility value: high salary
potential and job security
Cost
Loss of valued alternatives
Sunk costs
Financial costs
Social costs
Effort required
Emotional cost
Psychological cost
Understanding expectancy and value will provide
insight on likely outcomes such as engagement,
continued interest, and career success.

46
Based on this conceptual framework (Figure 10), I would like to understand the
expectancy and value needed for men and women of color and White women to pursue careers
in cybersecurity by examining experiences and environmental factors, the three components of
subjective task value: attainment value, intrinsic value, and utility value (Eccles et al., 1983), and
the influence of cost. Factors influencing expectancy are past experiences and environmental
influences that have impacted an individual’s confidence, such as (a) assessing their existing
technical skills and their perceived ability to acquire cybersecurity knowledge and expertise, (b)
evaluating their problem-solving abilities and their confidence in addressing complex
cybersecurity challenges, and (c) any perceived barriers to entry. Factors influencing value are
an individual’s (a) attainment value, such as aligning their cybersecurity career with their
personal interest and long-term goals; (b) intrinsic value, such as career growth potential and
continuous learning from working in cybersecurity; and (c) utility value such as high salary
potential and job security in cybersecurity. Factors influencing costs are educational expenses,
time commitment and sacrifice to develop and maintain skills needed for a cybersecurity career,
and the opportunity costs associated with pursuing a cybersecurity career, such as foregoing
other educational and career opportunities.
My study calls for a qualitative design because I am interested in understanding how
men and women of color and White women cybersecurity professionals interpret their lived
experiences and what meaning they attribute to those experiences (Merriam & Tisdale, 2016).
Furthermore, my study intends to inform the cybersecurity industry and its leaders of ways to
improve community reach-outs, recruitment, and retention of men and women of color and
White women in the cybersecurity discipline (Merriam & Tisdale, 2016).
Summary
In summary, for current cybersecurity workforce shortage solutions to work, fundamental
issues require resolutions. The K–12 cybersecurity solutions will become more impactful if
educators receive time and resources to learn cybersecurity, all students have meaningful

47
connectivity regardless of economic status and location, and schools’ devices, networks, and
infrastructure must become safe environments for students and educators to learn and apply
cybersecurity best practices. Post-secondary institutions must ensure their curriculum meets
current and forecasted cybersecurity employer needs, threats, and vulnerabilities. All employers
in all sectors and industries need to apply the NICE Framework to standardize job descriptions,
promote belonging and diversity in the workplace, promote diversity in recruiting with
technology, and accept that meritocratic ideas do not equally support success with parity for
everyone in an organization. In conjunction with these changes, my qualitative research study
design of applying EVT to the cybersecurity workforce shortage through my research questions
will help answer the expectancy and value aspects that attract and retain more men and women
of color and White women into cybersecurity.

48
Chapter Three: Methodology
As cyber threats evolve in sophistication and frequency, the need for a well-prepared
and competent workforce becomes increasingly critical. This study’s significance lies in its
potential to illuminate why those identifying as men of color and women of all ethnicities choose
to enter the cybersecurity field. In addition, why cybersecurity professionals with at least 3 years
of experience and identify as men and women of color or White women choose to leave the
cybersecurity field. This information is crucial for developing effective strategies to attract and
retain individuals from underrepresented groups. Limited information is available on the
motivations and factors that drive women and people of color to pursue careers in cybersecurity.
This knowledge gap hinders efforts to create inclusive environments that appeal to a broader
range of individuals.
This study addressed this gap by investigating the factors influencing men and women of
color and White women in their decisions to enter the cybersecurity field. By exploring the
motivations, experiences, and perspectives of men and women of color and White women, I
gained valuable insights into the drivers behind their career choices. Through this research, I
sought to uncover the individual and systemic factors that shape the decisions of diverse
individuals to pursue cybersecurity careers. Chapter 3 provides an overview of the study’s
design, data collection, data sources, validity and reliability, credibility and trustworthiness,
ethics, and limitation and delimitation.
Research Questions
1. What initially interested men and women of color and White women to pursue the
cybersecurity profession?
2. What are the initial motivational costs of men and women of color and White women
in pursuing a career in cybersecurity?
3. What are the expectancies of men and women of color and White women with
cybersecurity experiences regarding career longevity?

49
Overview of Design
I chose to conduct a phenomenological qualitative research design because this
approach aims to understand and interpret the lived experiences of individuals within a specific
or interest phenomenon (Merriam & Tisdale, 2016), such as having a cybersecurity career. The
phenomenological design explored the subjective perspectives, meanings, and lived
experiences in individuals’ daily life and social interactions (Merriam & Tisdale, 2016). Because
this type of research assumes there is an essence of a shared experience, I captured the lived
experiences of participants identifying as men and women of color and White women to bracket,
analyze, and compare the essence of working in cybersecurity (Merriam & Tisdale, 2016). To
gather this information, I conducted 17 individual synchronous interviews with men and women
of color and White women. See Table 5.
Table 5
Data Sources
Research questions Interviews
RQ1: What initially interested men and women of color and White women to
pursue the cybersecurity profession?
X
RQ2: What are the initial motivational costs of men and women of color and
White women in pursuing a career in cybersecurity?
X
RQ3: What are the expectancies of men and women of color and White
women with cybersecurity experiences regarding career longevity?
X

50
Research Setting
My research setting consisted of 17 synchronous web conferencing meetings with
participants via USC’s provided Zoom application. I chose web interviews to ensure geography
was not a factor in selecting participants, and it allowed me the ability to record and view
recordings (Merriam & Tisdale, 2016). However, one participant chose not to allow any
recordings, and another was accidentally not recorded. To mitigate these challenges, these two
interviews were documented via copious handwritten notes, taken during the interviews to
reduce the effect of recollection or memory. The recordings and notes also allowed me to
review each participant’s nonverbal cues (Merriam & Tisdale, 2016). The participants’
demographic were men and women of color and White women. All participants but one had at
least 3 years of cybersecurity experience. It was difficult to find participants who worked in the
cybersecurity industry for 3 or more years that decided to no longer pursue a cybersecurity
career. Therefore, I chose to interview a participant with extensive technology experience but
worked in cybersecurity-specific role for less than 3 years. I chose this demographic because
my research questions are specific to men and women of color and White women, considering
only 26% of the U.S. cybersecurity workforce identify as non-White minorities, and only 24%
identify as female (Osborne, 2022; Reed & Acosta-Rubio, 2018; Sganga, 2022).
The Researcher
As a woman professional trained and employed in the male-dominated career fields of
information technology, cybersecurity, and the U.S. military, I have continuously found myself as
one of few women of color. I have been a cybersecurity practitioner for over 20 years in the
private and public sectors. However, despite my work experience and positionality, I am a
classically trained engineer with limited personal marginalization experience during my
formative years (K–12) because of the diverse and resource-rich environment I grew up in. I
was raised in a U.S. military family that lived in Germany for 15 years, where I attended
Department of Defense Dependent Schools with approximately 53% minority students and 97%

51
of graduating seniors attending college or vocational school (Cohen et al., 1999). While I
experienced limited marginalization through high school, I did experience difficult work
environments as the only woman or one of few women of color in the U.S. Army, defense
contracting, retail, and health sectors. As a result of my positionality, I used triangulation to gain
different perspectives and rich, thick descriptions to mitigate my bias and promote transferability
(Merriam & Tisdale, 2016).
Data Sources
My data collection method was 17 synchronous individual participant web interviews. My
protocol started with a survey to determine eligibility of potential participants (3 years of
cybersecurity experience, women and men of color, or White women). After determining
eligibility, I scheduled meetings to conduct semi-structured phenomenological interviews with
open-ended questions specific to my research questions and conceptual framework (Merriam &
Tisdale, 2016). See Appendix A for survey to determine eligibility of possible participants,
Appendix B for interview questions for active cybersecurity professionals, and Appendix C for
interview questions for inactive cybersecurity professionals.
Method
The semi-structured interview format provided me with the guidelines needed to address
my research questions and the flexibility to respond to the situation, the participants’ emerging
worldview, and new ideas on cybersecurity (Merriam & Tisdale, 2016). In addition, because I
uncovered each participant’s lived experience (Seidman, 2013), my interview questions focused
on the events and factors that caused the participants to pursue or no longer pursue
cybersecurity careers (Marshall & Rossman, 2016).
Participants
My target participant population were men and women of color and White women with a
minimum of 3 years of experience in cybersecurity in different roles such as managers, program
managers, engineers, and analysts. However, I could not find a participant who chose to no

52
longer pursue a cybersecurity career after working in the industry for 3 years. As a result, I
mitigated this challenge by utilizing one participant, who had less than 3 years of cybersecurity
experience to fulfill this category. Because my research study is specific to understanding
participants’ lived experiences, I used a purposeful sampling of most people with at least 3
years of experience in a cybersecurity role (Merriam & Tisdale, 2016). The participants included
individuals actively working in the cybersecurity industry with a minimum of 3 years of
cybersecurity experience and one individual with extensive technology experience but less than
3 years in a cybersecurity role. My target sample size was 17 participants. I recruited via my
LinkedIn network of cybersecurity professionals using purposeful sampling via snowball or chain
sampling (Merriam & Tisdale, 2016).
Instrumentation
My interview protocol consisted of 13 questions for active cybersecurity professionals
(Appendix B) and inactive cybersecurity professionals (Appendix C). The interview questions
were in a semi-structured format: one question to build rapport with the participant, six questions
addressing RQ1 to determine cybersecurity interest, four questions addressing RQ2 to
determine motivation and cost in pursuing a cybersecurity career, and five questions addressing
RQ3 to determine expectancy on career longevity. The key concepts within the EVT conceptual
framework I addressed in my interviews are expectancy (previous experiences and external
factors), value (intrinsic, utility, and attainment), and cost (loss of valued alternatives, sunk,
financial, social, effort required, emotional, and psychological).
Data Collection Procedures
My data collection procedure consisted of requesting a 60-minute meeting with each
participant lasting no more than 45–50 minutes per interview with a buffer of 10–15 minutes for
any questions and comments the participant had of me. I used the Zoom platform’s native
recording and transcribing features that used Zoom’s end-to-end encryption method using
transport layer security 1.2 and 256-bit Advanced Encryption Standard with a one-time key for

53
each session (Zoom, 2023). I stored my recordings and transcription in ZoomCloud with
password protection. The password is only known to me.
During each interview, I used my home office with headphones to ensure the
participants’ privacy and confidentiality. For each meeting, I used my semi-structured questions
(Appendix B and Appendix C) and wrote field notes during the interview. After I received the
transcription from ZoomCloud, I saved each participant’s transcribed interview onto my
password-protected computer, and the password is known only by me. If I had any questions
after the interview and the respective participant gave me permission, I corresponded with them
asynchronously via University of Southern California (USC) email. All USC email
correspondence is saved in a file on my password-protected personal computer and will be
deleted from my USC email inbox within 1 year of the interview.
Data Analysis
The data analysis methodology I used is interpretive phenomenological analysis (IPA)
for an in-depth exploration of the lived experiences of participant men and women of color and
White women cybersecurity professionals and their interpretation of those experiences (Smith &
Eatough, 2012). I chose IPA because it provided me with flexible guidelines that I was able to
adapt to my research needs (Smith & Eatough, 2011). IPA involved an iterative process of
various analytical stages: (a) required several readings of the interview transcriptions to obtain a
holistic perspective for future interpretations while remaining grounded within the participants’
accounts; (b) identified initial themes and organized them into clusters; (c) refined, condensed,
and examined connections between themes; and (d) developed a narrative on the interplay
between my interpretative activity and the participants’ account of their experiences (Smith &
Osborne, 2003).
Validity and Reliability
An additional benefit of using IPA in my research study is the iterative process promotes
validity and reliability through the analytic journey from raw data to the end table (Smith &

54
Eatough, 2011). The IPA process created an audit trail and running record of the methods,
procedures, and decision points to carry out the study (Merriam & Tisdale, 2016). In addition, I
documented my reflections and decisions on the problems, issues, and ideas I encountered as I
collected my data (Merriam & Tisdale, 2016). In following the scientific method, I aim to ensure
that an outside source can follow my methods, analysis, and concur with my results (Merriam &
Tisdale, 2016). In qualitative research, data reliability was conceptualized through the
consistency of my results (Lincoln & Guba, 1985).
Credibility and Trustworthiness
To maximize credibility and trustworthiness, I used Merriam and Tisdale’s (2016)
suggested triangulation and rich, thick description. The triangulation method ensured I
interviewed different types of cybersecurity professionals, such as managers, program
managers, engineers, and analysts. This range of cybersecurity professionals provided multiple
sources of data and perspectives to confirm emerging findings (Merriam & Tisdale, 2016). Using
rich, thick description allows readers of my study “to determine the extent to which their situation
matches the research context” (Merriam & Tisdale, 2016, p. 260).
To further promote validity, I used a maximum variation in the participants I interviewed
within my study’s defined inclusion and exclusion criteria to increase the application of my
research findings to other contexts and situations (Merriam & Tisdale, 2016). All participants but
one had at least 3 years of cybersecurity experience, but not all the participants were active
cybersecurity professionals. All the participants had different experiences based on their job
roles, such as manager, program/project manager, engineer, and analyst. The participants also
had different job functions within cybersecurity, such as governance, risk, and compliance
(GRC), forensic analysis, incident response, and security reviews. In having maximum variation,
I can document the diversity and identify commonalities across the different cybersecurity job
roles and functions (Patton, 2015).

55
Ethics
I submitted my research study’s procedures and protocols to USC’s Institutional Review
Board to confirm that the five basic principles of ethical research are met (Glesne, 2011). This
included voluntary participation and addressing informed consent by providing the research
participants with the purpose of the inquiry. This information helped the participants determine
their involvement in the study and allowed them to withdraw at any point (Glesne, 2011).
Additionally, I asked permission to record the interview and ensured the participants’
confidentiality by respecting and enforcing their anonymity during the interview (Glesne, 2011).
In addition, each participant’s name in this research study is a pseudonym. As stated in the
Data Collection Procedures, I utilized Zoom’s native encryption during the interviews and for
transcription storage on ZoomCloud and my password-protected computer. My computer is
password-protected and encrypted via FileVault. Lastly, at the end of each interview, I
requested the participant’s permission to correspond with them asynchronously via USC email.
Limitations and Delimitations
I encountered several limitations and delimitations in this qualitative phenomenological
research study. First, the limited sample size of 17 participants restricted the transferability of
the findings to a broader population (i.e., generalizability of my results). Second, my subjectivity
and bias could affect the analysis and interpretation of my participants’ experience and the
study’s outcome. Third, the reliance on participants’ self-reporting of their experiences may have
introduced challenges in accurately capturing the full depth and nuances of their lived
experiences due to factors, such as cultural barriers, language differences, or cognition. Finally,
the study was constrained by the time and availability of the participants, which may have
impacted the extent and depth of data collection and analysis. Despite these limitations, the
study is delimitated by focusing on the interests, motivations, and lived experiences of women
and men of color and White women within the cybersecurity industry. This deliberate

56
delimitation provides in-depth insights into the unique experiences of women and men of color
and White women.

57
Chapter Four: Findings
My problem of practice is the lack of diversity in the cybersecurity field, contributing to
the shortage of cybersecurity professional workforce. This study aims to promote inclusivity and
diversity in the cybersecurity workforce and ultimately bridge the gap between the high demand
and low supply of skilled cybersecurity professionals. The research design and methodology
used is qualitative phenomenological semi-structured interviews to understand the underlying
factors that motivated cybersecurity professionals identifying as men and women of color and
White women to choose the cybersecurity profession. The conceptual framework used is Eccles
et al.’s (1983) EVT to explore motivations, past experiences, and the environmental elements
that have influenced the cybersecurity professionals I have interviewed. Three research
questions (RQ) guided this study:
1. What initially interested men and women of color and White women to pursue the
cybersecurity profession?
2. What are the initial motivational costs of men and women of color and White women
in pursuing a career in cybersecurity?
3. What are the expectancies of men and women of color and White women with
cybersecurity experiences regarding career longevity?
Demographics
Seventeen participants were interviewed for this study. The participants identified as
men and women of color and White women with at least 3 years of cybersecurity experience.
One participant had less than 3 years of experience but worked in the support and maintenance
(including security updates) of operational technology (OT) and information technology for more
than 3 years. Table 6 provides the participants’ demographic information. The participants
comprised six out of 17 (35%) males and 11 out of 17 (65%) females. The participants’ race and
ethnicities are six (35%) Black, five (29%) White, three (18%) LatinX, and three (18%) Asian.
The participant’s cybersecurity experience range for those with 3 or more years of experience is

58
4–30 years. The average years of experience for participants with 3 years or more of
experience is 11 years.
Table 6
Participants’ Demographic Information
Pseudonym Gender Race or
ethnicity
Current role* Years of cybersecurity
experience
Clark Male Black Cybersecurity analyst 6
Diana Female Black GRC program manager 7
Donna Female Black GRC and freelance security
researcher
6
George Male Black Network security
administrator
12
Keira Female White Cybersecurity program
manager
4
Lana Female Black GRC 8
Lisa Female LatinX Deputy chief information
security officer
6
Marjorie Female White Internal audit 23
Mark Male Asian Cybersecurity analyst 3
Nadia Female Black Cybersecurity engineer 22
Paula Female LatinX Cybersecurity engineer 10
Rico Male Asian Cybersecurity architect 30
Sadie Female White Cybersecurity program
manager
5
Sally Female White Cybersecurity software
engineer
7
Sam Male Asian R&D program manager <3
Sara Female White Program manager 8
Sergio Male LatinX Cybersecurity architect 20
*Governance, Risk, and Compliance (GRC); Research and Development (R&D)

59
Participant Profile
Clark
Clark is a cybersecurity analyst who identifies as a Black male. Before cybersecurity,
Clark’s roles were in Information Technology help desk and networking. He has 6 years of
experience in cybersecurity working as a defense contractor and continues to serve in the U.S.
U.S. military. He completed his bachelor’s degree in information systems.
Diana
Diana is a governance, risk, and compliance (GRC) program manager who identifies as
a Black female. Before cybersecurity, Diana worked in human resources, privacy, and loss
prevention. Because privacy and cybersecurity are interconnected, Diana has worked in privacy
and cybersecurity in the GRC domain for 7 years. She has completed her high school education
with some college classes. Most of her cybersecurity learnings are from on-the-job training,
gaining knowledge from cybersecurity subject matter experts, and self-learning applications via
mobile devices or online.
Donna
Donna works in IT auditing and GRC and founded a freelance security research group.
She identifies as a Black female. As a freelance security researcher, she discovered missed
vulnerabilities in the software development process (Microsoft, n.d.). Before working in
cybersecurity, she worked at a university in a non-technical role and provided help desk support
at a company. Donna completed her bachelor’s degree in business administration and a
master’s degree in cybersecurity.
George
George is a network security administrator. He is a Black male who has 12 years of
cybersecurity experience. Before that, he was a systems administrator. He completed his
bachelor’s degree in computer science and master’s degree in management of information
systems.

60
Keira
Keira works in IT hardware as a cybersecurity program manager. She identifies as a
White female. Before her role in cybersecurity, she worked as an industrial engineer at the
same company. She has 4 years of cybersecurity experience. Keira completed her bachelor’s
degree in industrial and systems engineering.
Lana
Lana works in GRC. She identifies as a Black female. Before working in cybersecurity,
she worked in quality assurance in the healthcare industry. She has 8 years of cybersecurity
experience in the GRC domain. Lana completed her bachelor’s degree in information science.
Lisa
Lisa is a deputy chief information security officer. She identifies as a LatinX female.
Before cybersecurity, she worked in the marketing industry. Lisa has 6 years of cybersecurity.
She completed her master’s in business administration and will complete a doctorate in
education in 2024.
Marjorie
Marjorie is an executive working in the IT audit domain of cybersecurity. She identifies
as a White female. Before cybersecurity, she worked as a manager supporting the helpdesk.
Marjorie has 23 years of experience in cybersecurity. She completed her bachelor’s degrees in
German and Gender Studies.
Mark
Mark is a cybersecurity analyst. Mark identifies as an Asian male. Before cybersecurity,
he was a network administrator and law enforcement in the U.S. military. Mark has 3 years of
cybersecurity experience and 10 years of technology experience (including 3 years of
cybersecurity). He completed his bachelor’s degree in criminal justice and master’s in
cybersecurity.

61
Nadia
Nadia is a cybersecurity engineer. Nadia identifies as a Black female. Before
cybersecurity, she was in the U.S. military as an intelligence analyst. Nadia has 22 years of
cybersecurity experience. She completed her bachelor’s degree in education with a minor in
engineering.
Paula
Paula is a cybersecurity engineer. Paula identifies as a LatinX female. Before
cybersecurity, she was in the U.S. military as a munitions system technician. Paula has 10
years of cybersecurity experience. She completed her bachelor’s degree in computer and
information systems with a minor in business administration and a master’s in information
security and assurance.
Rico
Rico is a cybersecurity architect. He identifies as an Asian male. Before cybersecurity,
he was a software developer. Rico has 30 years of cybersecurity experience and completed his
bachelor’s degree in systems programming.
Sadie
Sadie is a cybersecurity program manager. Sadie identifies as a White female. Before
cybersecurity, she worked in the museum and art animation industries. Sadie has 5 years of
cybersecurity experience. She completed her bachelor’s degree in art history, master’s degree
in business administration, and doctorate in philosophy.
Sally
Sally is a cybersecurity software engineer. Sally identifies as a White female. Before
cybersecurity, she was a software developer. Sally has 7 years of experience in cybersecurity.
She completed her bachelor’s degree in computer science.

62
Sam
Sam is a program manager in research and development (R&D) and an adjunct
professor in engineering. Before R&D, he was a program manager in cybersecurity and an
engineer and manager in the automotive industry. Sam has less than 3 years of experience in
cybersecurity due to the work environment and lack of cybersecurity education. He has no
desire to work in the cybersecurity field. He has completed his bachelor’s degree in mechanical
engineering, master’s degree in mechanical engineering, and doctorate in manufacturing
engineering with minors in decision analysis and financial business management.
Sara
Sara is a technology program manager who identifies as a White female. Before working
as a technology program manager, she was a cybersecurity manager, software developer, and
help desk support. Sara has 20 years of technology experience, including 8 years of
cybersecurity experience. She is open to returning to the cybersecurity field and has completed
her bachelor’s degree in computer science.
Sergio
Sergio is a cybersecurity architect. Sergio identifies as a LatinX male. Before
cybersecurity, he was in the U.S. military. Sergio has 20 years of cybersecurity experience.
Sergio completed his associate degree in computer science, bachelor’s degree in information
assurance, and master’s degree in information technology.
Participant Education
Table 7 displays the education and emphasis of the study of each participant. All but one
of the seventeen participants (94%) have completed a bachelor’s degree. The sixteen
participants have completed 28 degrees, and 19 of the 28 (68%) degrees are in a Science,
Technology, Engineering, and Math (STEM) related field. Please note Nadia’s degree in
education was included because of her minor in engineering. In addition, Clark, Mark, Paula,
Sara, and Sergio worked full-time jobs before or while acquiring their bachelor’s degrees. Clark,

63
Mark, Paula, and Sergio served in the military, while Sara was an IT help desk employee for a
retail company. This information indicates that at least five of the seventeen (29%) participants
were non-traditional adult learners when they acquired their bachelor’s degrees.

64
Table 7
Participants’ Education and Emphasis of Study
Pseudonym Education level Emphasis of study STEM related
Clark* Bachelor’s Information systems Yes
Diana Some college – No
Donna Bachelor’s
Master’s
Business administration
Cybersecurity
No
Yes
George Bachelor’s
Master’s
Computer science
Management of information systems
Yes
Yes
Keira Bachelor’s Industrial and systems engineering Yes
Lana Bachelor’s Information science Yes
Lisa Bachelor’s
Master’s
Doctorate
Unknown
Business administration
Organizational change and leadership
No
No
No
Marjorie Bachelor’s German
Minor: Study of men and women in society
No
Mark* Bachelor’s
Master’s
Criminal justice
Cybersecurity
No
Yes
Nadia Bachelor’s Education
Minor: Engineering
Yes
Paula* Bachelor’s
Master’s
Computer and information systems
Minor: Business administration
Information security and assurance
Yes
Yes
Rico Bachelor’s Systems programming Yes
Sadie Bachelor’s
Master’s
Doctorate
Art history
Business administration
No
No
No
Sally Bachelor’s Computer science Yes
Sam Bachelor’s
Master’s
Doctorate
Mechanical engineering
Mechanical engineering
Manufacturing engineering
Minor: Decision analysis
Minor: Financial business management
Yes
Yes
Yes
Sara* Bachelor’s Computer science Yes
Sergio* Associate
Bachelor’s
Master’s
Computer science
Information assurance
Information technology
Yes
Yes
Yes
Note. * Worked full-time jobs before to or while acquiring their bachelor’s degree.

65
Research Question 1
Research question 1 (RQ1) asks, “What initially interested men and women of color and
White women professionals to pursue the cybersecurity profession?” Using the EVT, this
question aims to understand the past experiences and motivations that have influenced the
participants’ desire to pursue careers in the cybersecurity industry. Thematic data analysis
produced the following themes that addressed RQ1: internal personality traits and external
influences.
The Money Factor
Seventeen participants were interviewed, and when discussing the rewards of
cybersecurity, salary and earning potential were mentioned by 15 participants (88%). However,
only five (29%) participants consider earning potential as one of their main drivers to pursue a
career in cybersecurity. According to George, “You can’t just do it for the money because that’s
going to show in [the quality of] your work. You have to have a passion for security and making
a change.” George’s statement suggests that pay and earning potential should not be the
primary reasons for working in cybersecurity. In addition, when Sally switched to cybersecurity
from general software development, she took a pay cut in her salary. It was “knowing that the
work that I’m doing is unambiguously good” that motivated Sally to change her career path
regardless of the loss in pay for the first few years.
Internal Personality Traits
The majority of participants seem to agree as they expressed internal personality traits
as one of their key reasons to pursue a career in cybersecurity: avid learners (7; 41%),
challenge-driven (10; 59%), and protectors (10; 59%). Some participants mentioned multiple
traits as their reasons for working in cybersecurity; therefore, the total number of participants
describing each trait exceeds the number of participants (17).

66
Avid Learners
Although six participants (35%) found cybersecurity had a high learning curve when
entering the field, all participants regarded continuous learning as a benefit and not a burden in
cybersecurity. Seven participants (41%) would describe themselves as avid learners due to their
natural curiosity. All participants found learning an integral part of the profession and a
requirement for career progression. Because technology is constantly changing, including how it
is used, the participants expressed how critical it is to learn about new technologies, their
vulnerabilities, and how malicious actors can exploit them. According to Lisa, who had
previously worked in sales and marketing when she started in cybersecurity:
I would sit in meetings, and things would go over my head. What is phishing and vishing
and smishing and social engineering, and all these things that I was going to educate
populations on? I had to learn all the terminologies myself. And, so, every meeting I’d be
in, I’d go on Google, and I’d look up every single word. I would work twice as hard. I
would take certifications and get credentials. I was trying to do as much as I could to be
credible and learn quickly.
The new technology concepts and the complexity of applying cybersecurity to technologies did
not deter Lisa. Instead, they fascinated her and made her want to learn more. In her first
cybersecurity position, she enjoyed “being around smart people passionate about technology.”
Because of her love of learning, Lisa aims to acquire additional degrees in psychology and
cybersecurity.
In comparison, Nadia describes enjoyment in how cybersecurity is a growing, multidimensional field that allows her to learn different cybersecurity domains depending on the job.
In addition, Nadia loves how cybersecurity is constantly expanding and emerging, forcing her to
learn new ideas and concepts, which prevents her from getting bored. In her first cybersecurity
job (22 years ago), Nadia stated, “It just seemed fun to me, the investigative portion of it. And so
I was like, I really like this. I can’t see myself leaving cybersecurity. I just want to stay here

67
forever.” Nadia’s statement highlights how a career in cybersecurity allows avid learners to
continuously learn as they navigate their careers through the different cybersecurity domains.
Challenge-Driven
Ten out of 17 participants (59%) described how they are challenge-driven and relish the
prestige and novelty of cybersecurity. According to Sally, working in cybersecurity gives her “a
constant sense of novelty, feeling connected to the cutting edge of what’s going on in the world.”
Before becoming a cybersecurity professional, Sally was a software engineer. During our
interview, she reflected on her time as a general software engineer and compared her 7-year
tenure in cybersecurity:
I wouldn’t have the same sense of deep technical knowledge and expertise that I do in
the [cybersecurity] work that I do, and I find that very rewarding. I found it really gratifying
to be the person in the room who knows the right answer about what we need to be
doing in terms of encryption, or how we authenticate to different services. So, developing
that expertise and being in a position where others respect me for my expertise is
something that I found very rewarding.
Similarly, earlier in Marjorie’s 23-year cybersecurity career as a consultant, she found:
There was some motivation to show up the boys and be smarter than the boys in the
group, and that’s when I said, “I like that friendly competition. I could keep up with the
boys.” There was never a hack that I couldn’t execute. When I did the attack and
penetration work, there was never a client that I wasn’t able to … compromise, and
there’s some real pride in that. … Partially because it [cybersecurity] is such a boydominated place, and I was one of the only women in that space.
Both Sally and Marjorie discuss the novelty of cybersecurity and how becoming cybersecurity
experts has provided them a level of prestige amongst their peers in and out of the
cybersecurity field. This prestige has motivated them to continue to take on more challenges as

68
more technology and complexity are introduced in their respective cybersecurity domains:
incident handling and auditing.
In comparison, Diana discussed the leadership visibility of cybersecurity in her
organization. Instead of becoming overwhelmed by her limited cybersecurity knowledge, she
rose to the challenge and collaborated with leaders and engineers. She described:
How many paths and connections you can make with other people. So, being that I’m
sitting as a program manager, I get to interact with all of these various leaders. I get to
interact with the VP [Vice President] of privacy. I get to interact with engineers. And
that’s helpful just to continue to broaden my own education, but also build on those
competencies as well.
Throughout Diana’s career at her organization, she continually challenges herself. Diana began
her career as a loss prevention agent at one of her company’s retail stores, eventually working
in the corporate offices in customer privacy protection. After gaining knowledge in privacy, she
helped develop corporate privacy training for employees to take on her current challenge of
corporate cybersecurity training across her organization. Despite not completing a formal postsecondary program, she leverages her connections and on-the-job learning to acquire more
cybersecurity knowledge.
Protectors
The final personality trait that was most prevalent amongst the participants was
protectiveness. Ten out of 17 (59%) of the participants discussed their desire to protect others
from harm. According to Rico, as his job transitioned from IT account management to
cybersecurity early in his career, he found his purpose:
I think that’s when it hit me. There’s a bigger purpose here, I’m actually protecting
[college students]. … I’m trying to think back like 30 years. But it hit me when I started
taking cases where people would say, “I’m being stalked. I’m being harassed.
Someone’s trying to break into my account. I’m receiving harassing emails”. … This

69
[cybersecurity] is not just a geeky little thing. These are people’s lives, and that’s
basically my driver through all this time: we’re protecting students.
Similar to Rico, Mark has an innate need to protect others. After his time in the U.S.
military, he was a law enforcement officer, but “didn’t have the job satisfaction quite there,
because the technology part was missing.” Mark found job satisfaction in cybersecurity because
it combined his need to protect others with the technology and networking training he received
in the U.S. military. Mark was not the only participant who tried to work in multiple industries to
try different jobs; Lisa was also unsure of her career path:
I tried so many jobs growing up. I mean, you name it: I waitressed, I bartended, and I did
all of it to try to figure out what I wanted to do, or at least what I didn’t like, and I never
felt the way I felt about cybersecurity with any other industry. It [jobs in different
industries] was a means to an end. But again, what I love the most about it
[cybersecurity] is the ability to help people, to protect. That strikes a chord with me.
Maybe I’d be a really good cop. I don’t know, but I like being able to educate. It fills all
those things inside of me, all those values, because I get to be creative. I get to inspire,
teach, educate.
Furthermore, many participants volunteer or conduct community outreach to inform
people about cybersecurity best practices. For example, Rico educates students at his
university via an information booth, Lisa has authored a children’s cybersecurity book, and
Nadia informs children and young women as a youth director at her church.
External Influences
Outside of the participants’ personality traits, external influences impacted the
participants’ choices to become cybersecurity professionals. Several participants discussed how
parents and family members, primary and secondary school programs, and co-workers fed into
their curious natures. In addition, some participants discussed how culture and finances limited
their knowledge and education in technology and cybersecurity.

70
Parental and Familial Influence
Twelve of the 17 (71%) participants expressed that their parents and close family
members had limited technology and cybersecurity knowledge and felt they did not influence
their career choice in cybersecurity. According to Rico, his family was not very supportive early
in his career: “If anything, it was the inverse—people thought I was being weird.” Sara
discussed how she had a difficult childhood as her family was impoverished and living on
welfare: “I did not have exposure to the types of careers that were possible for me.” Mark
shared how his Bangladeshi parents grew up in a village in a developing country that was “not
very technology-oriented.” Sergio discussed his Mexican heritage and how his family primarily
consists of blue-collar workers whose priority is bringing in food and money versus education.
Lastly, Diana expressed frustration with how she learned about computers in school, but:
I really didn’t understand a lot, but that frustrated me, not understanding a lot. It
frustrated me being taught things about computers at school but not having one at home
to continue that self-education because my parents didn’t, couldn’t afford to invest in a
computer.
On the other hand, the participants who were influenced by their parents and family
members strongly believed in themselves when presented with opportunities in technology and
cybersecurity. For example, Marjorie and her father worked on soldering circuit boards on Apple
2 and Apple 3 computers. She was also given a computer when she was 10 years old. Marjorie
said, “I never thought of technology as a boy thing. Then, I made it into high school and college
... where I got the impression math is for boys.” This impression may have influenced her choice
to earn a bachelor’s degree in German despite her strong affinity and aptitude for technology.
As a result, while acquiring her bachelor’s degree, a “friend bought me a book, UNIX in 21
Days, and I learned it.” She applied the UNIX concepts she learned on her own to her job at the
IT helpdesk at her university. She would eventually become a helpdesk manager, leading her to

71
a career in cybersecurity consulting and her eventual role as an executive in the IT auditing
domain of cybersecurity.
Another participant, Sadie, also felt that family played a significant role in her decision to
work in cybersecurity:
I openly credit my brother for getting me into cybersecurity and also being a key support
to my 1st year of helping me learn. He works and went to school for cybersecurity. So, I
was familiar and exposed to the industry secondhand through his journey. I always
found cybersecurity fascinating, and my father is also in law enforcement. I was kind of
constantly around and exposed to security concepts like physical security, privacy, data
protection from my family.
As a result of this influence, when Sadie decided to change careers for more stability
and a higher earning potential, she explored the cybersecurity field. She learned she could
leverage her past project management experience through her discovery process and her
brother’s advice. In addition, Sadie’s exposure to security concepts through her father’s law
enforcement experience and her brother’s journey into cybersecurity convinced her that she
would succeed in cybersecurity.
In contrast, Kiera’s family influenced her education and career because they had
experienced financial hardship due to the mid-to-late 2000s Great Recession. Because of the
financial hardship, her parents would only pay for her post-secondary education if her starting
salary was equal to or more than the cost of tuition. This motivated Kiera to choose engineering
for her bachelor’s degree.
Although most participants did not have parental and familial support due to financial
circumstances and culture, Marjorie and Sadie exemplify how parental and family engagement
may inspire children’s career choices later in life. Specifically, childhood exposure to technology
and security concepts likely influences how children learn and approach new technology and

72
cybersecurity as adults. At the same time, Kiera chose her field of study to strengthen her
chances of having a career that promoted job stability and financial security.
Primary and Secondary Education Programs
Five of 17 (29%) participants expressed how their primary and secondary education
influenced their career choice. However, 12 of the 17 (71%) participants acquired a postsecondary degree in a STEM-related field, and of those 12, seven (41%) were traditional
learners who attended college or university after secondary school. Therefore, it is more likely
than not that primary and secondary school STEM programs had some influence on the
participants’ attainment value in learning cybersecurity and technology. Below are four
participants’ primary and secondary school experiences that led them to careers in
cybersecurity.
Clark described how he was known as the “science and math guy” in high school and
how he chose to specialize in electrical engineering. Although Clark states he did not do well in
electrical engineering, he “thought it was fun”, which gave him the enjoyment to learn
engineering. Clark’s studies resulted in his placement in the IT networking field in the U.S.
Army. He would later complete his bachelor’s degree in information systems.
Another participant, George, grew up around computers and would attend math and
science-related summer programs. While in secondary school, his teachers guided him towards
math classes to help him get a post-secondary degree in computer science. George excelled in
his math classes, and “it was only fitting that I continue to build upon my skill set.” His efforts
resulted in an academic college scholarship. The science programs and his teachers fostered
his knowledge and curiosity in STEM, motivating him to pursue a computer science degree.
Another participant, Nadia, describes how she had access to a computer while in
primary school:
I was probably in fourth grade. We had one computer at our school, and out of all the
kids that were at our school, only a few of us got to use it … The teachers would only let

73
the people [students] who were passing all their classwork use the computer. So,
because I was always ahead of my class, a lot of the time I went to the library to use the
computer. So, I ended up learning how to make film strips and all kinds of stuff. And, it
was fun.
Nadia would do well in secondary school and later acquire a degree in education with a minor in
engineering.
Lastly, Sergio recalled his parents taking him to an after-school daycare program:
And there was one room that I always liked because they always had all these computer
games they had back in the day. It was an Atari, and they had a Commodore 64.
Nobody really knew how to use it, but I was able to play with it. And it always kind of
stuck with me. I always liked playing with those things.
This exposure and joy in learning new technology would eventually lead Sergio to his first job as
a radio operator in the U.S. military, which allowed him to go to a post-secondary institution. At
this institution, an instructor showed interest in his software development skills and let him know
that he had a technology talent. Sergio credits the instructor for guiding him into a software
development and cybersecurity career.
These four primary and secondary school experiences did not directly lead to careers in
cybersecurity for the four participants, but they promoted the participants’ interest and curiosity
in technology. Clark, Nadia, and Sergio describe their exposure to technology as fun, and they
did not consider the time spent on technology as school- “work.”
Co-workers
Four of the 17 participants (24%) discussed how co-workers influenced or piqued their
interest in cybersecurity. While in the U.S. military, Paula was fascinated with her hacker coworkers, who would illegally download computer games and movies.
I was like, “Oh, super cool.” And then, they always had an in-case-of-emergency super
delete button like under [the] computer. I could never see myself doing that because,

74
obviously, it’s illegal. But I thought the ability to be able to reverse engineer … software
or be able just to hack stuff was pretty cool. I mean, I really had no idea what it really
entailed.
Although Paula states she had wanted to learn more about computers before the U.S.
military, this was Paula’s first real-life experience that triggered her interest in cybersecurity. Her
interests in computers and cybersecurity led her to complete post-secondary degrees in
computer information systems and information security and assurance.
In comparison, Donna’s experience was more structured and legal. In her previous
company, she worked as desktop support. While there, she was exposed to different
engineering teams, such as IT networking and cybersecurity. Also, her manager and director
allowed the desktop support employees to shadow other departments. Donna shadowed the
cybersecurity department, describing the security engineers as “friendly and nice.”
One of the managers would teach us lock picking after [hours] in the evenings. And I had
time to really explore what they did. And the different routes within cyber security under
their department. And then I learned about bug bounty which is independent security
research. And, for me, after looking into that, I saw that was the future.
This engagement led Donna to pursue a master’s degree in cybersecurity, have a career in the
GRC cybersecurity domain, and start a five-person independent research/hacking team.
These two examples highlight how co-workers influenced the participants’ career
choices. Although Paula’s co-workers were hacking illegal software, there was camaraderie for
her to explore the co-workers’ computer and network setup. Secondly, Donna’s ability to
investigate the different aspects of cybersecurity at the company where she worked allowed her
to find future opportunities in bug bounty or independent security research. Without these coworkers, it is unclear if Paula or Donna would have found something else to pique their
cybersecurity interests.

75
Summary of RQ 1
In summary, 88% of participants mentioned pay and salary potential as a reward that
interested them in pursuing a cybersecurity career. However, there were other drivers that
supported their initial interest in turning cybersecurity into their career. Most participants (71%)
found internal personality traits and external influences as the reasons they stayed interested in
the joining the cybersecurity profession. The internal personality traits that appeared in many
participants are avid learner, challenge-driven, and protector. The most impactful external
influences were parental and familial, primary and secondary-education programs, and coworkers. See Table 8 for a summary of internal personality traits quotes and Table 9 for a
summary of external influences quotes.

76
Table 8
Summary of Internal Personality Traits Quotes
Internal personality trait Quote
Avid learner I had to learn all the terminologies myself. And, so every meeting
I’d be in, I’d go on Google and I’d look up every single word. I
would work twice as hard. I would take certifications and get
credentials. I was trying to do as much as I could to be credible
and learn quickly. (Lisa)
It just seemed fun to me, the investigative portion of it. And so I
was like, I really like this. I can’t see myself leaving
cybersecurity. I just want to stay here forever. (Nadia)
Challenge-driven Developing that expertise and being in a position where others
respect me for my expertise is something that I found very
rewarding. (Sally)
There was never a hack that I couldn’t execute. When I did the
attack and penetration work there was never a client that I
wasn’t able to … compromise, and there’s some real pride in
that. (Marjorie)
So being that I’m sitting as a program manager, I get to interact
with all of these various leaders. I get to interact with the VP
[Vice President] of privacy. I get to interact with engineers.
(Diana)
Protector I think that’s when it hit me. There’s a bigger purpose here, I’m
actually protecting [college students]. … These are people’s
lives and that’s basically my driver through all this time is we’re
protecting students. (Rico)
But again, what I love the most about it is the ability to help
people, to protect. That strikes a chord with me. (Lisa)

77
Table 9
Summary of External Influences Quotes
External influence Quote
Parental and familial
influence
I never thought of technology as a boy thing. Then, I made it into high
school and college ... where I got the impression math is for boys.
(Marjorie)
I openly credit my brother for getting me into cybersecurity. I always
found cybersecurity fascinating, and my father is also in law
enforcement. I was … exposed to security concepts like physical
security, privacy, data protection from my family. (Sadie)
Primary and
secondary
schools
I was probably in fourth grade. We had one computer at our school.
So, because I was always ahead of my class, a lot of the time I went
to the library to use the computer. So, I ended up learning how to
make film strips and all kinds of stuff. And, it was fun. (Nadia)
And there was one room that I always liked because they always had
all these computer games. It was an Atari, and they had a
Commodore 64. Nobody really knew how to use it, but I was able to
play with it. And it always kind of stuck with me. I always liked
playing with those things. (Sergio)
Co-workers They always had an in-case-of-emergency super delete button like
under [the] computer. I could never see myself doing that because,
obviously, it’s illegal. But I thought this the ability to be able to
reverse engineer software or be able just to hack stuff was pretty
cool. (Paula)
Research Question 2
Research question 2 (RQ2) asks, “What are the initial motivational costs of men and
women of color and White women in pursuing a career in cybersecurity?” Using EVT, this
question aims to understand the sacrifices the participants had to make as they pursued careers
in the cybersecurity industry. Thematic data analysis produced the following themes that

78
addressed RQ2: barriers and constant risks. Within each theme, the associated costs that were
most prevalent among the participants were effort required, loss of valued alternatives,
emotional costs, and psychological costs.
Barriers
When asked about barriers to entry into the cybersecurity field there was evidence of
complex interplays between education, ethnicity, race, gender, sexuality, and socio-economic
status that created roadblocks in their respective career journeys. Despite these roadblocks,
most participants persevered through these challenges with the help of their network. The
participants provided examples that I categorized into two sub-themes: (a) bias in education and
lack of experience and (b) gender, ethnic, and racial bias.
Bias in Education and Lack of Experience
Nine out of 17 (53%) discussed their lack of education and experience as barriers to
entry as they explored or worked in cybersecurity. During our interview, Nadia shared how
someone once said she could not work in cybersecurity because she did not have the
credentials or education. In response, she asked what credentials and education she needed to
work in cybersecurity. The person providing her information either could not or would not offer
her a direct answer. Because it was the early 2000s, Nadia believes his lack of answers was
due to the limited availability of cybersecurity certifications and courses.
Lana sought to change career paths from quality assurance to cybersecurity within the
last 10 years. She had previously worked as a quality assurance program manager, and she
identified transferrable auditing skills that could allow her to be a fit in the GRC domain.
However, as she applied for entry positions, she found that her lack of direct cybersecurity
education and experience prevented recruiters from interviewing her. As she reflects on her 8
years in cybersecurity, Lana believed her experience in quality assurance should have been
enough for her to interview for some of those entry positions because the job posting

79
requirements far exceeded the reality of the role and responsibilities of her first cybersecurity
job.
Lastly, Sam shared his first and only cybersecurity experience. Because Sam had
worked in the automotive industry and had several mechanical and manufacturing engineering
degrees, he and the hiring manager knew he had the technical aptitude to start a new position
within a cybersecurity department in a government agency. Instead of admiring his education
and expertise in another industry, the cybersecurity team did not accept him:
They are insular people you got to be in [IT or cybersecurity] then they can accept you to
be an IT guy. I didn’t learn a whole lot from working in that area. I learned more [from]
calling my friends, calling my relatives [in cybersecurity]. They [the cybersecurity team]
don’t bring new people in. They will say, “Do you have all those certifications? Do you
have this? Do you have that?” They’re more process-oriented than educating new
people to come in.
Although Sam wanted to learn and demystify cybersecurity’s complexity using common
engineering and IT language and principles, the cybersecurity team needed to share their
knowledge with him. Because Sam felt unwelcomed, he could not contribute his ideas on
providing better cybersecurity support for operational technology. Sam thinks his lack of
cybersecurity training and certifications made him an outsider among his teammates.
Gender, Racial, and Ethnic Differences
Six of the 17 participants (35%) identified as men of color; however, none of them
wanted to directly explore the racial and ethnic biases that may have hindered their
cybersecurity profession. For example, when asked about Mexican Americans’ rarity and
possible bias in his cybersecurity career, Sergio replies, “So that is one of the things [topics] that
I’m trying to stay away from.” Another male participant, Clark, answered my question regarding
possible racial issues when looking for a contracting position by stating, “Not really because for
the most part, everything’s [communication] been over the phone or through email.” Instead,

80
some of the male participants preferred to indirectly discuss racial and ethnic bias by replacing
words such as “discrimination” with the word “challenges.” According to George,
I don’t want to say discrimination. But most of the challenges come, if you haven’t been
prior military, and that was my case. See, I’m not prior military, so I’m coming pretty
much off the street, so to speak, into the government sector and into the field of security.
But then, when I went out on the civilian [non-government sector] side you really see
people that really look at you like, “Oh, what does he know? Or how does he come here
and make this kind of money over me, and I could do the same type of thing, you know.”
George further emphasized,
Even to the point where people that you know have said negative things towards you
because of … your race. Then, when I tried to apply for jobs, they would want to cut the
salary way below the average just because they want you to start at the bottom. They
don’t want to pay your worth, and I wasn’t coming as a person without any skill sets,
degrees, or certifications.
Sergio and George would address these challenges by either proving he was right to
validate himself amongst his colleagues or letting the work “speak for itself. And that’s all it [the
work] needs to say.” It is unclear why the male participants in this research did not want to
directly discuss racial and ethnic bias despite acknowledging their racial and ethnic rarity in the
cybersecurity field.
In comparison, the female participants (65%) did not present any issues when
discussing racial, ethnic, or gender bias. Ten of the 11 female participants (91%) provided
scenarios where they experienced some form of racial, ethnic, or gender bias. Amongst the
participants’ experiences, Marjorie’s example of bias in cybersecurity was the most severe. She
experienced three separate incidents of what she describes as “horrific sexual harassment to
the point of sexual assault” from two male bosses and a male customer at a client site. Other
female participants describe less aggressive examples of bias, such as Nadia, who was falsely

81
accused of causing delays at work by another female who was in a position of power. Diana
described an incident where her White female manager questioned the way she spoke, which
Diana indicated may have been due to her lack of education, her ethnicity, or both. Sally
discussed how she is:
Likely to not be assumed to be as technical as male peers. I have to work a little bit
harder to establish myself as a technical authority in order to be believed about my
expertise. The support of male peers or managers helps if they say, “Oh, yeah, like you
should listen to Sally. She’s the expert.” But I don’t get that [assumption] by default.
In contrast, one out of 17 participants (6%) does not believe that gender, racial, or ethnic
bias negatively affects the cybersecurity industry. Donna acknowledged the existence of bias,
but she thinks the DEI initiatives in cybersecurity is more exclusionary than inclusive:
It really excludes White males to the point where, I’ll say it, they are discriminated
against. They are treated unfairly. I’ve seen it in tech. Maybe I’m the only one who’s
willing to talk about it … it’s like White males are the scapegoat. It’s like, “Oh, we want
anything but a White male.”
To further convey how she and others in her network view the influence of DEI on the
cybersecurity industry, Donna shared:
There’s … barbershop jokes in the tech industry or cyber industry: “Oh, just identify as a
woman, and then your application will be pushed through because there’s such a push
for diversity.” And I’m sick of it. It’s not going to work. And other than just having
programs to expose all people. There’s no need to try to get certain groups.
Lastly, Donna believes:
You need to learn how to be the best by the best. So, we wouldn’t diversify a basketball
team. Usually, it’s tall Black men you want to learn from. The tall Black men, if we’re
looking at just their characteristics in their race. Would you rather learn from team
diversity or the all-star team, which is mostly Black men? You’re not thinking about

82
diversity in that sense. Well, if I have to learn how to be the best from White males, so
be it. That’s who I want to learn from. If I need help with work life balance because I’m a
mom or help with things like fatigue that, biologically, I’m susceptible to and it’s an
obstacle then, that’s what the women’s group should focus on.
During my interview with Donna, I asked how she recommends solving the large
cybersecurity skills gap in the United States. Donna responded with:
Honestly, I don’t [know]. And this isn’t based off of any type of research ‘cause at the
end of the day, I’m a hacker. Hackers are tinkerers. We tell it how it is. And how we see
it. And I don’t think you’re going to fix the gap. It may just be a White boys club, and I
don’t have a problem with that. There’s a phenomenon of certain groups dominating
certain industries more than others.
Although Donna has a differing opinion on gender, racial, and ethnic bias amongst the
participants, she did not appear to have any problems providing her perspective.
Therefore, twelve of the 17 participants (71%) believe there are challenges in gender,
racial, and ethnic bias in cybersecurity. Amongst the participants, the female participants were
more willing than male participants to have direct discussions and provide examples of
situations in which they experienced these biases.
Constant Risks
When the participants were asked about the risks in pursuing a cybersecurity career, the
most prevalent were lack of guidance (11 participants, 65%), long hours (nine participants,
53%), and high stress (eight participants, 47%). The lack of guidance is likely related to the
many pathways an individual can enter a cybersecurity career. The long hours and high stress
are likely related to the nature of the profession’s workforce shortage, continuous education in
new technology and threats, constant pressure to stay vigilant against cyberattacks, and the
scrutiny and criticism of past cybersecurity decisions after an incident.

83
Lack of Guidance
Eleven participants (65%) conveyed an overall lack of guidance within the cybersecurity
field. The participants discussed how the industry is unorganized in its education, career paths,
and career progression. Mark expressed how there is a lack of consensus and organization in
the order someone should learn cybersecurity concepts as they progressed through their
career.
According to George, if it were not for his initiative to gain cybersecurity knowledge,
acquire certifications, and not settle for less than his value, he would not have known about the
cybersecurity opportunities he has already pursued. Diana echoed George’s experience, “it
probably was a bit more of a claw and fight to even gain the understanding of things within
cybersecurity” to piece together and create her cybersecurity career path. Similarly, Nadia
shared the limited knowledge available to the public on cybersecurity certifications for specific
cybersecurity jobs. Lastly, Sadie needed help to get her employer’s support for career
progression.
I was encountering a lot of “I was really good at my job,” but people kind of wanted to
just keep me there as opposed to helping me expand. So, I did change employers and
used that pivot to find new people who would be more supportive, and my current
employer did fund my boot camp participation, and I was able to just pass my CISSP
[Certified Information Systems and Security Professional].
Long Hours
Nine of the 17 participants (53%) discussed how cybersecurity can have long hours
outside the 40-hour work week. Both Rico and Sally describe how cybersecurity’s incident
response domain requires an on-call rotation outside regular business hours (8 am – 5 pm).
Sally shared,

84
Work life balance is also not the best within technology. Broadly, I sort of have accepted
that I’m always going to be on a team with an on-call rotation. Because if you’re in
incident response, there just has to be someone who’s ready to respond.
Rico echoed Sally’s statement, “I’ve been on call for over half my life. I’ve always carried
something, I’ve carried a pager … and a cell phone before most people [had pagers and cell
phones]. Because when something happens … you have to be ready.” Then, Rico pointed out a
positive to being on-call, “It helped when I had kids, because I can wake up and be working in
seconds. So, when a kid is crying … you [I] wake up in three seconds. I’m alert.” Then, Rico
concluded with the negative impact his long hours have had on his family:
I remember … a painful example. When my wife was delivering our second child, a large
[high profile] customer called with an incident while I was in the delivery room and I had
to say, “No, I cannot take this incident. You have to find someone else to take this
incident because my wife is giving birth.”
In a similar vein, Donna described how a problematic situation in her family life as a single
mother allowed her the time she needed to focus on her career and education.
At one point [I] had less custody than my ex [ex-partner] and that actually really helped
me. I didn’t really like the idea of it, but I wouldn’t have been able to pursue a master’s
degree if I didn’t have that situation. It wasn’t like a situation that I wanted, but it was
what it was … so I just figured it’s my time to go to school and work on your [my] career.
Lastly, Sergio discussed how his long hours negatively affected his family.
Yeah, my family time suffered a lot. It wasn’t just overtime. Some of the schooling I had
to attend was at a vendor’s site for special training. Sometimes, it pulls me away from
the family [but] I’m always home for Thanksgiving, Christmas, or birthday parties.
In these examples, the participants indicate that some jobs, such as incident response,
require longer hours due to incidents occurring outside regular business hours. Also, the
participants discussed the additional education they needed to enter the cybersecurity field and

85
throughout their careers. As a result, the extra time to learn and work in cybersecurity has
negatively impacted their work-life balance and time with family.
High Stress
The third most prevalent risk amongst the participants in pursuing a career in
cybersecurity is high stress (eight participants, 47%). Paula described how knowing an
organization’s vulnerabilities creates pressure to make “sure that things are secured
immediately or on time”. Then, this pressure generates doubt about Paula’s cybersecurity
decisions to secure a system, resulting in fear of losing her job if a cybersecurity breach occurs.
Instead of feeding into the doubt and fear by working more, Paula balances this pressure by
prioritizing her family first, which helps her develop a work-life balance.
Another participant, Lisa, described how there are such intense moments that impact her
health.
I just had to go get medication because I have that stress induced eye virus. So yeah, it
takes a toll on me physically and … my autoimmune deficiencies. I don’t know [why] but
I have to really ensure that I balance the intensities because it is intense.
Furthermore, Lisa shared:
I think the intensity is around the decision making and ensuring we’ve socialized it with
so many people … that we’ve done our due diligence to ensure that whatever we
present isn’t going to harm people, the business, and it’s going to be the right decision.
You have to think of all possible scenarios before you even do something.
Motivational Costs in Cybersecurity’s Barriers and Risks
Using EVT’s definitions, the motivational costs the participants described most when
discussing cybersecurity barriers and constant risks are the effort required, loss of valued
alternatives, emotional cost, and psychological costs:
1. Because of a bias in education and a lack of experience, some participants had to
put more effort into their cybersecurity education and knowledge.

86
2. The additional effort required created a loss of valued alternatives, as many
participants described how they sacrificed family time, which caused them to feel
guilty.
3. The gender, racial, and ethnic biases created an emotional and psychological cost
amongst the participants as they described incidents of discrimination, sexual
harassment, false accusations in the workplace, and a perceived lack of
technological expertise.
4. The lack of guidance forced the participants to develop their career paths (effort
required). At the same time, the ambiguity of an established career path caused
some participants to doubt their cybersecurity education and skills (emotional and
psychological costs).
5. Long hours have the exact motivational costs as bias in education and lack of
experience. The long hours needed in cybersecurity indicate the participants’
additional effort required to do their jobs as they sacrificed valued alternatives, such
as family time and work-life balance, which impacted their emotional and mental
health (psychological cost).
6. High stress due to the pressures of influential decision-making and the constant
analysis of worst-case scenarios, such as cybersecurity data breaches, negatively
impacted some of the participants’ emotional and mental health.
Summary of RQ2
In identifying the motivational costs of pursuing a career in cybersecurity, thematic data
analysis produced two themes: barriers and constant risks. The participants’ barriers are the
following sub-themes: (a) education and lack of experience and (b) gender, racial, and ethnic
bias. The constant risks most participants shared are the following sub-themes: (a) lack of
guidance, (b) long hours, and (c) high stress. Within each theme and sub-theme, the associated
motivational costs that were most prevalent were effort required, loss of valued alternatives,

87
emotional cost, and psychological costs. See Table 10 for a summary of barrier quotes and
Table 11 for a summary of constant risk quotes.

88
Table 10
Summary of Barriers Quotes
Barrier Quote
Bias in education
and experience
They are insular people you got to be in [IT or cybersecurity] then they
can accept you to be an IT guy. I didn’t learn a whole lot from working
in that area. I learned more [from] calling my friends, calling my
relatives [in cybersecurity]. They [cybersecurity team] don’t bring new
people in. They will say, “Do you have all those certifications? Do you
have this? Do you have that?” They’re more process-oriented than
educating new people to come in. (Sam)
Gender, racial,
and ethnic
differences
I don’t want to say discrimination. But most of the challenges come, if
you haven’t been prior U.S. military, and that was my case. … Then,
when I tried to apply for jobs, they would want to cut the salary way
below the average, just because they want you to start at the bottom.
They don’t want to pay your worth, and I wasn’t coming as a person
without any skill sets, degrees, or certifications. (George)
Not really, because for the most part everything’s [communication] been
over the phone or through email. (Clark)
Horrific sexual harassment to the point of sexual assault. (Marjorie)
Likely to not be assumed to be as technical as male peers. I have to
work a little bit harder to establish myself as a technical authority in
order to be believed about my expertise. (Sally)
Diversity, equity, and inclusion (DEI) initiatives in cybersecurity really
excludes white males to the point where, I’ll say it, they are
discriminated against. They are treated unfairly. I’ve seen it in tech.
Maybe I’m the only one who’s willing to talk about it … it’s like white
males are the scapegoat. (Donna)
Well, if I have to learn how to be the best from white males, so be it.
That’s who I want to learn from. If I need help with work life balance
because I’m a mom or help with things like fatigue that, biologically,
I’m susceptible to and it’s an obstacle then, that’s what the women’s
group should focus on. (Donna)

89
Table 11
Summary of Constant Risks Quotes
Constant risks Quote
Lack of
guidance
It probably was a bit more of a claw and fight to even gain the understanding of
things within cybersecurity. (Diana)
I was encountering a lot of “I was really good at my job,” but people kind of
wanted to just keep me there as opposed to helping me expand. So, I did
change employers and used that pivot to find new people who would be
more supportive … and I was able to just pass my CISSP.” (Sadie)
Long hours Work life balance is also not the best within technology. Broadly because I sort
of have accepted that I’m always going to be on a team with an on-call
rotation. Because if you’re in incident response, there just has to be
someone who’s ready to respond. (Sally)
I remember … a painful example. When my wife was delivering our second
child, a large [high profile] customer called with an incident while I was in the
delivery room and I had to say, “No, I cannot take this incident. You have to
find someone else to take this incident because my wife is giving birth.”
(Rico)
Yeah, my family time suffered a lot. It wasn’t just overtime. Some of the
schooling that I had to attend were at a vendor’s site for special training.
Sometimes it pulls me away from the family [but] I’m always home for
Thanksgiving or Christmas or birthday parties. (Sergio)
High stress I just had to go get medication because I have that stress induced eye virus.
So yeah, it takes a toll on me physically and … my autoimmune deficiencies
… I think the intensity is around the decision making and ensuring we’ve
socialized it with so many people … that we’ve done our our diligence to
ensure that whatever we present isn’t going to harm people, the business
and it’s going to be the right decision. You have to think of all possible
scenarios before you even do something. (Lisa)

90
Research Question 3
Research question 3 (RQ3) asks, “What are the expectancies of men and women of
color and White women with cybersecurity experiences regarding career longevity?” Using EVT,
this question aims to understand the participants’ beliefs about their career longevity in
cybersecurity. Thematic data analysis produced the following themes that addressed RQ3: (a)
future opportunities and (b) future technologies and threats.
Future Opportunities
All the participants (17 participants, 100%) believe there are future opportunities in the
cybersecurity industry. Specifically, the participants enjoy the flexibility to work in the different
domains of cybersecurity, such as incident response and GRC, and different sectors, such as
government, non-profit, and education. According to Clark,
The abundance of jobs in the job market and the ability to move around the field
[cybersecurity domains] is not easy, but it’s just as simple as studying for a cert[ification]
… meet some people, you network with them. You learn how to do it and you can slide
into a different position.
In addition, Sadie found cybersecurity allowed her to work across many industries when
she decided to join the cybersecurity field. As part of her career evaluation process, Sadie
wanted to ensure she was not putting her career “into a corner that was too niche.” She found
cybersecurity meets that requirement as a consultant who works “with multiple clients across
many different industries and supporting them with their cybersecurity challenges and
transformations.” Furthermore, Diana, who acknowledged the public fear that living in the digital
age could take away human-driven jobs, is optimistic because she believes: “If you look in the
right area, especially within cybersecurity, you could find where there’s a lot more opportunities
that are opening up.”
Additionally, Sadie expressed excitement about the future of cybersecurity as
Generation Z enters the workforce.

91
We have such great potential for Gen. Z, our first kind of digital native generation, that it
should be that much easier for them to understand the internet and security concepts
because they grew up with computers and technology in a way that other generations
did not.
As the first digital native generation, Sadie is enthusiastic about Generation Z’s different
cybersecurity points of view and potential cybersecurity innovations.
Future Technologies and Threats
Because of society’s growing dependency on technology and the speed of technological
advancements, 12 of 17 participants (71%) expressed concerns about the existing and new
threats technology presents. Despite the constant news of data breaches and warnings, Sergio
does not “understand just how cavalier some people are with their cyber assets, or even with
their digital footprint.” Sergio added how some American cyber-victims become upset and ask,
“‘Why didn’t the Federal Government protect me?! Why aren’t the rules involved in there?’ But
then, when you put those rules in [place], they [American people] cry, ‘But, you can’t step on my
freedom.’” Sergio further explained, “You [the American people] can’t have it both ways. There
either has to be some type of regulation, or there’s not any regulation, and you have to regulate
yourself. Sometimes it’s a little [frustrating]. It rubs me raw.”
At the same time, these threats and the American society’s inability to regulate itself
reassure the participants of the continued demand for cybersecurity professionals. For example,
Lana shared how during the massive technology layoffs in 2022–2023, only 2% were
cybersecurity-related roles. This remains consistent in Marjorie’s experience as some of her “old
bosses would say, ‘if you stay in the cyberspace [cybersecurity], you’re never going to need a
job.”
Although this sense of job security may remain valid for cybersecurity professionals,
Sam indicated there are still opportunities for cybersecurity to become more impactful and
proactive:

92
Specifically, it is on cybersecurity to come up with new ways to figure out when these
cyberattacks happen. If you look at the way you know you’re attacked, it is only after it
happened, right? I think [it is] because cybersecurity can only take the past [data and
logs] and codify it. If such attack comes, they [cybersecurity] stop it. They can’t forecast
the future attacks because we don’t know what the new vulnerabilities are.
Furthermore, Sam utilized his non-cybersecurity operational technology (OT) experience to
point out:
If you look at OT systems, you get different signatures [patterns of activity] if it is
attacked. For example, your refrigerator has a sensor, right? If it got attacked, your
refrigerator mechanically and electrically would have a big behavior. … Your system
[refrigerator] will behave differently. Since it is a physical system, it does follow some
laws of physics, right? It could be a vibration difference in the sound or vibration
differences in the metal. Something different will be going on when it got attacked.
Additionally, Sam shared that it is not the IT that would provide this information or signatures:
It’s all in the OT. … And, if you can pick the signature, you can find out what the
equation is to represent that signature. Now you have an equation, then you can develop
synthetic data. Synthetic data is a big thing in machine learning and artificial intelligence.
You can generate your own data because you have a mathematical equation … that
represents the refrigerator system. Now that you physically modeled it, you can double
the synthetic data. If you have a bunch of synthetic data, you can map it to the real
event. You [now] know this is a cyberattack.
In short, Sam shared how the synthetic data would depict the refrigerator’s specific
behavior or signature associated with a cyberattack. Cybersecurity systems would then look for
this signature to notify cybersecurity professionals of an active cyberattack. In addition, Sam
explained, you could then generate a theoretical database with all the possible outputs of a
theoretical equation based on the physics and chemistry of a specific equipment, such as a

93
motor or engine. According to Sam, one of those outputs in the theoretical database “will relate
to a cyberattack,” which could then be used as a signature or pattern to look for in OT systems.
Summary of RQ3
In identifying the participants’ beliefs about their career longevity in cybersecurity,
thematic data analysis produced two themes: future opportunities and future technologies and
threats. Because the participants are aware of American society’s dependency on technology
and the constant technological advancement, they believe there will be a continued abundance
of cybersecurity jobs and opportunities to explore different cybersecurity domains within their
career journey. In addition, with younger generations entering the workforce, participants are
excited to see how technology and cybersecurity will evolve. At the same time, some
participants are apprehensive and do not believe American society’s cybersecurity knowledge
will be on par with its ever-growing dependency on technology. See Table 12 for a summary of
career longevity–themed quotes.
Table 12
Summary of Career Longevity-Themed Quotes
Career longevity theme Quote
Future opportunities The abundance of jobs in the job market and the ability to move
around the field [cybersecurity domains] is not easy, but it’s just as
simple as studying for a cert[ification] … meet some people, you
network with them. You learn how to do it and you can slide into a
different position. (Clark)
If you look in the right area, especially within cybersecurity you could
find where there’s a lot more opportunities that are opening up.
(Diana)
We have such great potential for Gen. Z, who are our first kind of
digital native generation that it should be that much easier for them
to understand the internet and security concepts because they

94
grew up with computers and technology in a way that other
generations did not. (Sadie)
Future technologies and
threats
I don’t understand just how cavalier some people are with their cyber
assets, or even with their digital footprint. (Sergio)
Why didn’t the Federal Government protect me?! Why aren’t the rules
involved in there?’ But then, when you put those rules in [place],
they [American people] cry, ‘But, you can’t step on my freedom.’
You [the American people] can’t have it both ways. There either
has to be some type of regulation or there’s not any regulation, and
you have to regulate yourself. (Sergio)
Old bosses would say, “if you stay in the cyberspace [cybersecurity],
you’re never going to need a job.” (Marjorie)
Specifically, it is on cybersecurity to come up with new ways to figure
out when these cyberattacks happen. If you look at the way you
know you’re attacked, it is only after it happened, right? I think [it is]
because cybersecurity can only take the past [data and logs] and
codify it. If such attack comes, they [cybersecurity] stop it. They
can’t forecast the future attacks because we don’t know what the
new vulnerabilities are. (Sam)
Summary of Findings
Chapter 4 explored seventeen participants’ cybersecurity career journeys by learning
what made them decide to become cybersecurity professionals, what motivational costs they
had to overcome, and their beliefs in career longevity. The findings highlight the common
internal personality traits and external influences; shared barriers and risks; and collective future
opportunities and technological threats that impact career longevity. Based on the findings
identified in Chapter 4, Chapter 5 presents recommendations to improve recruitment for men
and women of color and White women in the cybersecurity profession.

95
Chapter Five: Discussion and Recommendations
My problem of practice in this study is the lack of diversity in the cybersecurity field,
contributing to the shortage of cybersecurity professional workforce. This study aims to promote
inclusivity and diversity in the cybersecurity workforce and ultimately bridge the gap between the
high demand and low supply of skilled cybersecurity professionals. The findings for this study
are the participants’ (a) common internal personality traits and external influences, (b) shared
barriers and risks, and (c) collective future opportunities and technological threats that impact
career longevity. Eccles et al.’s (1983) EVT is the conceptual framework used with the following
three research questions guiding this study:
1. What initially interested men and women of color and White women to pursue the
cybersecurity profession?
2. What are the initial motivational costs of men and women of color and White women
in pursuing a career in cybersecurity?
3. What are the expectancies of men and women of color and White women with
cybersecurity experiences regarding career longevity?
Summary of Findings
Research findings emerged from the completed qualitative data analysis using Eccles et
al.’s (1983) EVT to explore 17 participants’ motivations, past experiences, and the
environmental elements that influenced their cybersecurity careers. EVT suggests that people’s
expectations of success and the value they associate with those outcomes influence their
choices and behaviors. When applied to career choice, this theory provides the framework to
identify and understand commonalities in motivations, barriers, and expectancy in career
longevity across the participants of this study. Eccles et al. (1983) defined expectancy for
success as a person’s belief in their ability influences how they will perform a task (Rosenzweig
et al., 2019). Subjective task value is a person’s desire to complete a task, which is determined
by a person’s interest/intrinsic value, attainment value, utility value, and the influence of cost

96
(Eccles et al., 1983). Rosenzweig et al. (2019) define intrinsic value as the enjoyment of
completing a task, attainment value as the meaningfulness of the task, and utility value as the
usefulness of a task towards goals. This theoretical view aligns with how and why the
participants became cybersecurity professionals and why existing barriers limit men and women
of color and White women from entering the profession. In addition, the theory supports the
participants’ viewpoints on career longevity.
Research Question 1
RQ1 focused on the motivations or values that influenced the participants to pursue their
cybersecurity profession. Although 88% of participants mentioned pay and salary as the initial
spark to explore cybersecurity, it was not the primary reason that supported their initial interest
in turning cybersecurity into their career. Instead, two themes emerged as the reasons most
participants (71%) stayed interested in cybersecurity: internal personality traits and external
influences.
Three sub-themes surfaced within the internal personality traits’ theme: (a) avid learner,
(b) challenge-driven, and (c) protector. This aligns with Freed’s (2014) personality trait study of
118 cybersecurity and information technology professionals, where she found cybersecurity
professionals scored high in intellect, adventurousness, and assertiveness while scoring low in
trust and vulnerability. Freed (2014) surmises that cybersecurity professionals may have scored
high in intellect due to the constant changes in cyberattacks and new technologies. The ability
to manage while expecting constant change is adaptability, which is a higher level of aptitude,
possibly resulting in higher scores of intellect (Freed, 2014; Mussel, 2013). Like this study’s
identification of challenge-driven participants, Freed (2014) found cybersecurity professionals
scored high in adventurousness and assertiveness. Adventurousness is an eagerness to try
new activities and experience different things, while familiarity and routine are dull (Freed,
2014). High scorers in assertiveness are likely to be driven, competitive, energetic, and likely to
work with greater vigor and purpose (Freed, 2014; Woods & Sofat, 2013). The third sub-theme,

97
protectiveness, aligns with Freed’s (2014) cybersecurity professionals scoring low in trust. Freed
(2014) associated the need to protect companies and loved ones from outside threats as the
likely reason cybersecurity professionals are less likely to trust individuals.
The second theme that motivated the participants to pursue careers in cybersecurity is
external influences, which comprised three sub-themes: (a) parental and familial, (b) primary
and secondary-education programs, and (c) co-workers. The external influences directly align
with Eccles et al.’s (1983) study on students’ decision to enroll in advanced math courses.
Eccles et al.’s (1983) study found that parents’ and teachers’ beliefs and attitudes strongly
influenced children’s achievement-related beliefs, expectancies, and plans. As a result,
participants, such as Marjorie, who did not study computer science but has fond memories of
her parents providing her with a computer and soldering computer parts, gave her the
confidence or attainment value to learn a programming language independently. Her success in
learning a programming language snowballed into taking on an IT management position that led
her to cybersecurity consulting.
Similarly, Sergio’s exposure to technology at an after-school program gave him
attainment and intrinsic values. Despite not knowing how to use the game consoles and
computers, he learned to figure it out independently (attainment value). He continued to “play”
with technology throughout his childhood (intrinsic value). This experience likely gave Sergio the
sense that technology is fun and not challenging to learn. These past enjoyments in technology
likely led Marjorie and Sergio to develop technology skills that gave them the attainment value
to learn and develop careers in cybersecurity.
In Owusu et al.’s (2021) study on the influence of peers, teachers, and parents on 401
students’ careers, they found peers strongly influenced the likely careers that an individual
student may want to pursue. Furthermore, the study found female students are more influenced
than males regardless of age (Owusu et al., 2021). Owusu et al.’s (2021) findings align with the
experiences of Paula and Donna with their co-workers. Paula was intrigued by the hacking

98
activities of her co-workers. At the same time, Donna appreciated the friendliness of the security
engineers and after-hours lock-picking lessons from one of the cybersecurity managers.
Research Question 2
RQ2 focused on identifying the motivational costs of pursuing a career in cybersecurity.
The analysis identified two themes: barriers and constant risks. The participants’ barriers had
the following sub-themes: (a) bias in education and lack of experience and (b) gender, racial,
and ethnic bias. The constant risks most participants shared had the following sub-themes: (a)
lack of guidance, (b) long hours, and (c) high stress. Within each theme and sub-theme, the
associated motivational costs that were most prevalent were effort required, loss of valued
alternatives, emotional costs, and psychological costs.
The barrier’s sub-theme of education and lack of experience aligns with the literature of
how HR across all industries, government, academia, and non-profit are using traditional hiring
templates and practices focused on the minutiae of degrees, certifications, and expectations of
skills and experience to find qualified candidates (Balaraman, 2021; Miller, 2021). This barrier is
seen in Lana’s cybersecurity journey when she changed her career field from quality assurance
to cybersecurity. After working in her first cybersecurity position, Lana realized the job posting
requirements far exceeded the role’s tasks and responsibilities. On the other hand, Sam’s
experience and education in mechanical and manufacturing engineering landed him his first
cybersecurity position, but the team did not welcome him. The team could not accept his lack of
direct cybersecurity experience and education. The team’s behavior aligns with cybersecurity’s
reputation of being highly exclusionary of underrepresented groups, sustaining an environment
of traditional gender roles that rewards misogyny and harassment, and promoting elitism by
requiring degrees and certifications (de Magalhães, 2022; Merkel, 2022).
This exclusionary reputation further aligns with this study’s barrier sub-theme of gender,
racial, and ethnic bias in cybersecurity. Twelve of the 17 participants (71%) provided scenarios
where they experienced some form of racial, ethnic, or gender bias. As a result, there is an

99
overwhelming lack of belonging in cybersecurity’s toxic work environments and culture (de
Magalhães, 2022). Furthermore, group favoritism of helping others like ourselves is likely the
cause of most workplace discrimination (Armstrong, 2014; Greenwald & Pettigrew, 2014).
Greenwald and Pettigrew (2014) found “that unequal treatment in the form of doing favors for
those like you, rather than inflicting harm on those unlike you, causes the majority of
discrimination in the U.S.” (Armstrong, 2014, para. 8–9). This research finding supports most of
the female participants’ (10 out of 11, 91%) experiences as they shared stories of either
harassment or bias.
On the other hand, Donna expressed a differing opinion on gender, racial, and ethnic
bias. She shared how diversity, equity, and inclusion (DEI) initiatives are exclusionary to White
males. Although this opinion is the minority in this research study, it aligns with the growing
backlash to DEI in the United States (Harmeling, 2023; Linnane, 2023; Merritt, 2024).
The first sub-theme in constant risk is lack of guidance, where 11 participants (65%)
conveyed an overall lack of guidance within the cybersecurity field. The participants discussed
how the industry is unorganized in its education, career paths, and career progression. This lack
of direction aligns with the fact that the cybersecurity career pathway does not have the exact
prescribed requirements for other professions, such as medical doctors and attorneys. The
multiple entry points, such as traditional education, certifications, boot camps,
internships/apprenticeships, and on-the-job training (CISA, 2019), allow individuals to start a
cybersecurity career more easily. However, it creates complexity in career progression because
there is no step-by-step instruction to becoming a cybersecurity engineer, analyst, program
manager, etc.
The second and third sub-themes of constant risk are long hours and high stress in a
cybersecurity career. These two sub-themes go hand-in-hand because the participants shared
stories of long hours due to cybersecurity incidents and the significant impact these incidents
may have on an organization or people, which may cause high stress due to the level of

100
responsibility. In addition, the long hours take away from the participants’ important family or
personal time needed to relieve stress. Interestingly, Freed’s (2014) research found
cybersecurity professionals scored low in the vulnerability personality trait. Those who score low
in vulnerability tend to experience level-headedness and clear thinking (Freed, 2014; Johnson,
2011). This trait aligns with the need for cybersecurity professionals to remain calm under
pressure as they frequently encounter on-the-job stress (Freed, 2014). However, due to the
cybersecurity workforce shortage, the participants may feel more stress as they may be fulfilling
multiple job roles or responsibilities.
Research Question 3
RQ3 focused on identifying the participants’ beliefs about their career longevity in
cybersecurity. Two themes emerged: future opportunities and future technologies and threats.
All the participants (17 of 17, 100%) believe there are future opportunities in cybersecurity. This
belief aligns with the literature that over 750,000 unfilled cybersecurity jobs exist in the United
States (Giacomarra, 2024). The demand for cybersecurity professionals will likely continue to
grow, considering 79% of the 3,876 surveyed business and technology executives in the 2024
Global Digital Trust Insights Survey will increase their cybersecurity budget (PwC, 2024).
According to NASDAQ, cybersecurity spending will increase by 13% annually through 2030
(Dessai, 2024).
The second theme is future technologies and threats, where 12 of 17 participants (71%)
expressed concerns about the existing and new threats technology presents. This concern
supports the same reason business and technology executives are increasing their
cybersecurity budgets in 2024: complex cyber threats (PwC, 2024). Malicious actors are
becoming more sophisticated in their use of generative artificial intelligence (Gen AI) in their
cyberattacks, such as deepfakes (Yampolskiy, 2024) or artificial images and videos generated
by machine learning (University of Virginia, n.d.). As Gen AI matures, it will add more
complications to an already complex cyber threat landscape (Dessai, 2024).

101
Recommendations for Practice
Although the cybersecurity threat landscape and workforce shortage problems may
seem daunting, opportunities exist to increase the cybersecurity workforce pipeline with the
findings identified in this research study. From the findings in this research study, I recommend
reframing cybersecurity, changing cybersecurity hiring and recruiting practices, transforming to
a culture of belonging, and leveraging cybersecurity personality traits. Lastly, outside of my
findings but within my literature review, I recommend cybersecurity funding for K–12 schools
that would include teacher education, a comprehensive cybersecurity program for parents and
children, and feedback mechanism for K–12 schools to report progress and cybersecurity
incidents.
Recommendation 1: Reframing Cybersecurity
Reframing cybersecurity is a concept previously introduced by Haney and Lutters
(2017). Their research findings and recommendations for the education community was to
consider incorporating and emphasizing non-technical skills as critical traits that successful
cybersecurity professionals need (Haney & Lutters, 2017). Instead of only focusing on the
technical skills of cybersecurity, broaden what a cybersecurity professional needs to be
successful in government, public and private sectors, academia, and non-profit (Haney &
Lutters, 2017; Sussman, 2021). For example, many of the skills highlighted by Haney and
Lutters’ (2017) study consisted of “personal attributes, such as likeability and a positive attitude;
career and collaborative attributes, such as critical thinking, adaptability, and teamwork; people
skills, such as empathy and relationship building; and communication skills” (p. 3).
In addition, many participants discussed how cybersecurity is more than certain
cybersecurity activities, such as hacking, incident handling, and penetration testing. The U.S.
National Initiative for Cybersecurity Education (NICE) Framework categorized cybersecurity into
seven categories: securely provision, operate and maintain, oversee and govern, protect and
defend, analyze, collect and operate, and investigate (CISA, 2024). Within these categories are

102
specialty areas, such as oversee and govern has cybersecurity management, legal advice and
advocacy, program/project management and acquisitions, strategic planning and policy, and
training, education, and awareness (CISA, 2024). In addition, the specialty areas have work
roles, such as legal advice and advocacy, privacy officer/privacy compliance manager, and
cyber legal advisor (CISA, 2024). Although a privacy officer and cyber legal advisor work roles
require familiarity with cybersecurity concepts, people fulfilling these roles are more likely
experts in privacy and cyber law than technical concepts. This example reiterates
cybersecurity’s need for people in different disciplines, not just technology. Therefore, I
recommend rebranding and marketing cybersecurity as a multi-dimensional field that needs
various technical and non-technical skills. This rebranding is critical in appealing to
underrepresented communities, such as women and men of color and White women.
Lastly, one of the participants, Sadie, is excited about Generation Z entering the
cybersecurity workforce because Generation Z are the first digital natives, having been exposed
to the internet and technology at a young age (Haney & Lutters, 2017). Thus, there is an
opportunity for the cybersecurity industry to market to Generation Z through its values and how
it identifies itself. Generation Z values authenticity, work-life balance, and transparency (Medina
et al., 2023). They identify as compassionate, open-minded, determined and want to impact the
world positively (Haney & Lutters, 2017; Medina et al., 2023). I recommend microtargeted
advertisement strategies on social media platforms to frame how cybersecurity is a service in
many industries and the positive impact it can have on people’s daily lives (Lim et al., 2017).
Recommendation 2: Cybersecurity Hiring and Recruiting Practices
The partnership between human resources (HR) and cybersecurity is critical to removing
bias in job postings and recruitment (ISC2, 2019). This partnership should focus on recruiting
and hiring for specific cybersecurity skills, not certifications or degrees (Balaraman, 2021). I
recommend organizations utilize the U.S. government’s NICE framework, where cybersecurity
work roles comprise specific knowledge, skills, and abilities (KSA) needed to complete tasks

103
(CISA, 2024). Using KSAs in job postings will mitigate bias for certifications and degrees to the
required knowledge, skills, and abilities to perform the job.
My second recommendation in hiring and recruiting is for cybersecurity hiring managers
to consider promoting from within their teams for more senior cybersecurity roles while opening
entry-level cybersecurity jobs to both internal and external candidates (ISC2, 2019). In addition,
cybersecurity organizations should have programs that develop internal talent, such as rotating
job assignments, mentoring programs, and encouraging employees outside of cybersecurity to
learn about cybersecurity (ISC2, 2022).
My third recommendation in hiring and recruiting is the U.S. Department of Homeland
Security’s CISA campaign the value of the NICE Framework and NICE Framework Components
across all U.S. based organizations with a cybersecurity department. I recommend CISA
develop an outreach program for organizations to ask questions and request advice to
implement the NICE Framework within their cybersecurity departments. In addition, I
recommend CISA socialize and present the NICE Framework at cybersecurity conferences that
many organizations attend, such as the annual Black Hat Conference, DEFCON, and RSA
Conference.
Unfortunately, some organizations with cybersecurity departments outside of the U.S.
government and post-secondary academia may be unaware of the NICE Framework
considering some of the participants of this study were not familiar with it. In addition, I
anecdotally inquired via a LinkedIn posting in an active cybersecurity forum if anyone was
familiar of the NICE Framework. Disappointingly, I did not receive a response acknowledging
familiarization of the NICE Framework. Therefore, there is an opportunity for some
organizations to learn about the NICE Framework at conferences. This exposure to the NICE
Framework may trigger interest for some organizations to inquire about the recommended
CISA’s outreach program. Thereby, eventually causing organizations’ respective HR

104
departments to shift their cybersecurity hiring and recruiting practices from certifications and
degrees to a skills-based approach (Balaraman, 2021; CISA, 2019; Miller, 2021; Taylor, 2023).
Recommendation 3: Transforming to a Culture of Belonging
To remove barriers and mitigate risks identified in this study, cybersecurity organizations
must transform into a culture of belonging. As described in Maslow’s (1943) hierarchy of needs,
belonging is a fundamental human need. Belonging in the workplace is feeling seen for unique
contributions, connected to co-workers, supported in daily work and career development, and
proud of an organization’s values and purpose (Coqual, 2020). It is not as simple as recruiting
and hiring men and women of color and White women to overcome the workforce shortage, but
having an environment that promotes belonging to retain talent and bring in non-traditional
cybersecurity candidates. At a minimum, this requires cybersecurity organizations to train their
workforce on DEI and highlight how DEI is integral to their mission. For example, if a
cybersecurity organization decided to hire more men and women of color, the organization
would need to ensure DEI training was already integrated into the organization’s annual training
with open dialog between leadership and individual contributors. The organization’s leaders
would need to explain how the push for DEI will meet the company’s cybersecurity objectives by
having additional people join the team with different points of view based on their lived
experiences. Showing the added value a more diverse team would make will help teams’
welcome new employees and understand how having different points of view is critical to the
organization’s success.
I recommend that cybersecurity organizations apply Argo and Sheikh’s (2023) belonging
barometer to ensure that different aspects of belonging are included as they transform into a
culture of belonging. Argo and Sheikh (2023) identified the facets of the belonging barometer as
social connections, psychological safety, and co-creation. Social connections measure
emotional connections, feeling welcomed and included, and relationship satisfaction.
Psychological safety measures individuals’ ability to express opinions, value contributions, and

105
bring their whole, authentic selves to the workplace. Co-creation measures one’s perception of
equal treatment in the workplace, fitting into the workplace community, and ability to influence
decisions (Argo & Sheikh, 2023).
Recommendation 4: Leveraging Cybersecurity Personality Traits
There is an opportunity for the cybersecurity industry to leverage the personality trait
findings identified in this research study. The research study has highlighted the three
personality traits of 17 men and women of color and White women: avid learner, challengedriven, and protectors. I recommend the cybersecurity industry target their recruitment to
communities of color and women who identify as avid learners, challenge-driven individuals,
and protectors. This type of recruiting can be accomplished by applying the U.S. military’s
recruitment practices for women, such as advertisements and messaging emphasizing the
reality of cybersecurity and debunking myths perpetuated by Hollywood films (Yeung et al.,
2017). In addition, change advertisements to show diverse people in various roles and not just
traditional cybersecurity roles (Yeung et al., 2017).
An additional way to accomplish targeted recruitment of men and women of color and
White women who are avid learners, challenge-driven, and protectors is to utilize machine
learning and AI. The U.S. military uses machine learning as a recruitment solution to design
microtargeted marketing campaigns (Lim et al., 2019). The cybersecurity industry can target its
advertisements to this specific population by gathering data such as hobbies, extracurricular
activities, and social media activities of people of color and women with specific personality
traits.
Recommendation 5: Fund K–12 Schools’ Cybersecurity Program
The COVID-19 pandemic accelerated the reliance and usage of technology in K–12
programs (Bushweller, 2020). Despite the uptick in technology use, many schools do not offer
programs for parents, educators, and children to learn essential cybersecurity skills to promote
children’s safety as they learn online. The risk of children becoming cyber victims increases as

106
they rely heavily on technology and the internet for school and daily life. Generally, standardized
cybersecurity policies and guidance for K–12 schools, students, and parents are needed
(Altman, 2021; CISA, 2023b; Government Accountability Office [GAO], 2022). Therefore, I
recommend federal and state funding for K–12 schools’ cybersecurity programs.
Because children can be vulnerable to cyberattacks at home and in school, there is a
call to action for schools, parents, and educators to become more versed in cybersecurity.
Therefore, the possible missing links to promoting children’s safety and increasing their
cybersecurity knowledge are creating a comprehensive K–12 cybersecurity program. As a lowcost option, school districts and schools can develop an interactive webpage within their
respective websites of cybersecurity resources, such as CISA’s free online cybersecurity
education material for schools, teachers, and parents (CISA, 2021b; CISA, 2023a; CISA, 2023b;
CISA, n.d.). Solutions for schools, educators, and parents allow children to see and emulate
cybersecurity best practices at school and at home. Most of all, parents and educators will know
how to create safe environments (school and home) for children to ask questions and report
questionable online activities.
Implementation of Recommendations
My recommendations require change at the industry and organizational levels. The
cybersecurity industry needs to change to reframe cybersecurity and leverage personality traits
from this study. Organizational changes need to occur to change cybersecurity hiring and
recruiting practices and transform them into a culture of belonging. To conduct these changes, I
recommend using awareness, desire, knowledge, ability, and reinforcement, also known as
ADKAR (Prosci, n.d.).
ADKAR
The ADKAR change model was developed by Jeff Hiatt in 1996 (Creasey, 2024).
ADKAR focuses on people’s ability to adapt to change instead of the change itself (Creasey,
2024; Galli, 2018). Because many of my recommendations require existing cybersecurity

107
professionals to adapt to changing how cybersecurity is viewed and shared, the ADKAR model
will help manage their experience as changes occur (Galli, 2018). To reframe cybersecurity and
change recommended recruiting methods, it is crucial to involve existing cybersecurity
professionals as champions for change. In addition, school districts can apply ADKAR to help
manage students, schools, parents, and educators’ experiences as the new cybersecurity
program is implemented in K–12.
The ADKAR change model begins after identifying a change (Galli, 2018). ADKAR is an
acronym for the five sequential goals of this change model. See Figure 11 for Prosci’s ADKAR
diagram.
Figure 11
Prosci’s (n.d.) ADKAR Diagram
Note. The ADKAR diagram shows two dimensions: the organizational or project side of change
and the people side of change. From The PROSCI ADKAR® model: A goal-oriented change
management model to guide individual and organizational change, by Prosci (n.d.). Copyright
by PROSCI, INC.

108
Implementing Recommendation 1: Reframing Cybersecurity
A governing cybersecurity body, such as CISA or (ISC)2 should manage the change to apply
the needed industry change for reframing cybersecurity. The following is an example of how to
apply ADKAR to reframing cybersecurity:
• Awareness: Ensure cybersecurity professionals know the needed change to reframe
cybersecurity as a multi-dimensional career field requiring people from different
disciplines.
• Desire: Industry leaders should communicate the benefits of recruiting from different
communities. Provide current cybersecurity professionals with opportunities to
participate, such as marketing cybersecurity to different communities and disciplines
and developing advertisements and messaging.
• Knowledge: Provide an online resource to understand the historical context, why
cybersecurity needs reframing, and the intended goals and objectives of reframing
cybersecurity.
• Ability: Provide communication and literature on reframing cybersecurity to different
audiences, such as K–12, early in career, and cybersecurity teams.
• Reinforcement: Provide communication on the status of the different recruiting
efforts. Existing annual reports can include this communication.
Implementing Recommendation 2: Cybersecurity Hiring and Recruiting
First, assuming organizations want to leverage the NICE Framework into their hiring and
recruiting practices, cybersecurity organizations can apply ADKAR to help people adapt to the
change.
• Awareness: Ensure cybersecurity managers and HR recruiting partners know the
need to change how cybersecurity recruits individuals based on the NICE
Framework’s KSAs.

109
• Desire: Cybersecurity leaders should communicate the benefits of using the NICE
Framework and how it applies to their organization.
• Knowledge: Provide the NICE Framework’s official website and training on using it
from an HR recruiter’s and hiring manager’s perspectives.
• Ability: Provide job posting examples and information on assessing a cybersecurity
team’s needs. Establish office hours for questions and comments.
• Reinforcement: Inquire and communicate feedback from HR recruiters and hiring
managers about the candidates they have interviewed using the NICE Framework.
Secondly, CISA can also utilize ADKAR to develop a NICE Framework outreach
program, socialize it via a marketing campaign, and present its capabilities at popular annual
cybersecurity conferences.
• Awareness: CISA should develop literature and marketing advertisements for
cybersecurity journals, magazines, and conferences on the NICE Framework. In
addition, CISA should create a team to present the NICE Framework at different
cybersecurity conferences.
• Desire: CISA should communicate testimonials from organizations implementing the
NICE Framework in their hiring and recruiting practices to show how it has helped
them find quality candidates.
• Knowledge: CISA should offer training, develop a frequently asked questions (FAQs)
webpage, and create a service team for organizations to ask questions regarding
NICE Framework implementation.
• Ability: As part of the FAQs webpage, CISA should provide a self-service section for
organizations to access recommended implementation approaches, including job
posting examples and information on assessing a cybersecurity team’s needs. In

110
addition, CISA should provide organizations with a list of trained and recommended
NICE Framework consulting services.
• Reinforcement: Inquire and communicate feedback from organizations that have
implemented the NICE Framework annually. This feedback loop should continue
until the NICE Framework has saturated many organizations’ cybersecurity
departments’ hiring and recruiting practices.
Implementing Recommendation 3: Transforming to a Culture of Belonging
Suppose an organization were to apply Argo and Sheikh’s (2023) belonging barometer
to transform its culture. In that case, they have also developed measuring techniques to gauge
an organization’s belonging before and after the change(s). These techniques consist of a 10-
question survey and an explanation of survey results. See Figure 12 for the belonging
barometer survey and Figure 13 for the explanation of the survey results.

111
Figure 12
Argo and Sheikh’s (2023) Belonging Barometer Survey
Note. The 10-item Barometer is adapted for the local community setting. From The Belonging
Barometer: The State of Belonging in America, by N. Argo and H. Sheikh, 2023, p.9. Copyright
2023 by Over Zero.

112
Figure 13
Argo and Sheikh’s (2023) Survey Results Explanation
Note. This is a composite measure of belonging for each respondent, a composite is a
combination of the ten belonging items into a single score. From The Belonging Barometer: The
State of Belonging in America, by N. Argo and H. Sheikh, 2023, p.8. Copyright 2023 by Over
Zero.
The belonging barometer survey may be used during the different stages of ADKAR to
determine if the changes resonate with leaders and individual contributors.
• Awareness: Ensure the cybersecurity organization understands belonging and how it
applies to DEI initiatives.
• Desire: Cybersecurity leaders explain the importance of having a culture of belonging
for underrepresented communities to join the cybersecurity organization.
• Knowledge: Provide different training modalities on belonging and DEI. Establish an
open dialog with leaders and individual contributors for questions and comments.

113
• Ability: Provide real-life scenarios and use cases on the success of having a culture
of belonging.
• Reinforcement: Review survey results and develop actionable improvements to
transform the population into a culture of belonging.
It is important to note that transforming into a DEI and belonging culture is a work in progress
that will continually change depending on the organization’s needs. For example, an
organization implementing a mentoring program will initiate a change and require an update to
its belonging barometer.
Implementing Recommendation 4: Leveraging Cybersecurity Personality Traits
I do not recommend implementing this change recommendation at this time because
additional research is prudent. A quantitative study on cybersecurity personality types for these
groups is needed to increase the trustworthiness and transferability of the findings. In addition,
privacy and security concerns of the big data gathered needs evaluation.
Implementing Recommendation 5: Fund K–12 Schools’ Cybersecurity Program
Because communities and schools may have different cybersecurity knowledge and
practices, it is essential to empower school districts and schools to determine the cybersecurity
needs of their community, digital environment, students, and educators. Therefore, a
comprehensive cybersecurity program must be flexible and agile for each school to implement.
Some K–12 public schools may implement CISA’s online cybersecurity resources as the core
curriculum for students, schools, parents, and educators via a low-cost interactive cybersecurity
resource webpage on school districts and schools’ websites because English is the
community’s primary language. Other K–12 public schools may need to look for alternative
ways to educate their students and parents; therefore, federal and state-funded cybersecurity
programs must be less prescriptive and more flexible to the needs of that school’s community.
However, regardless of how cybersecurity knowledge is shared and taught, success
criteria and mechanisms to measure success are needed to gauge the effectiveness of the

114
school’s cybersecurity program. Measuring success may consist of tests and quizzes for
students before and after implementing the cybersecurity program. In addition, to sustain
cybersecurity knowledge, it is vital to test students’ understanding throughout the school year,
such as once a month. These monthly tests should only check the knowledge in a few
cybersecurity domains versus all cybersecurity best practices. If educators see a dip in
cybersecurity knowledge, they will notify parents and provide the cybersecurity resource
associated with that specific cybersecurity domain.
In addition, reviewing metrics such as website visits and click rates from newsletters is
critical in determining parent and educator engagement and whether current marketing
strategies are working. If these strategies are not working, the school district and school
administration may want to try other methods, such as providing parents with the information in
paper form or developing online forums for parents and educators to ask questions and discuss
their learnings and teaching experiences.
To apply and manage these changes, school districts can apply ADKAR when rolling out
their cybersecurity program to schools, parents, and educators. The following is an example of
implementing a low-cost interactive cybersecurity resource webpage on school districts and
schools’ websites using ADKAR:
• Awareness: School districts notify students, parents, and educators of the upcoming
rollout of the new cybersecurity program.
• Desire: School districts provide data on the risks of children becoming cyber victims
to schools, parents, and educators and show the value of the cybersecurity resource
webpage.
• Knowledge: School districts establish a program management office to provide their
respective schools with implementation guidelines, educators with lesson planning
resources, and a communication plan for feedback and reporting.

115
• Ability: School districts provide different training modalities for educators and parents
on using the cybersecurity resource website and establish program expectations,
roles, and responsibilities for educators, parents, and students.
• Reinforcement: Schools and educators establish monthly student assessments on a
select number of cybersecurity topics and provide parents with the results. In
addition, the schools and school districts provide parents and students with quarterly
cybersecurity program progression reports and an annual cybersecurity program
review.
Recommendation for Future Research
To further understand how diversity may help solve the workforce shortage, I
recommend future research on how communities of color and women respond to the reframing
of cybersecurity to a multi-discipline field that requires both technical and non-technical people
(Haney & Lutters, 2017). In addition, I recommend future research to validate that the
personality traits identified in this study align with a larger sample size of Black, LatinX, and
indigenous cybersecurity professionals (Bashir et al., 2016; Freed, 2017). I recommend these
communities as they are the least represented in technology and cybersecurity professions.
Lastly, I recommend conducting future research using machine learning to micro-target
recruiting advertisements and messaging people with personality traits, extracurricular activities,
and social media activities common in cybersecurity professionals.
Outside of researching diversity to help solve the cybersecurity workforce shortage, I
recommend potential future research on generational differences in cybersecurity and
technology experiences. I also recommend future research on K–12 schools with a
comprehensive cybersecurity program for educators, parents, and students and K–12 schools
without a cybersecurity program.

116
Conclusion
As the cybersecurity threat landscape changes, cybersecurity needs will continue to
change. What remains constant is cyber attackers come from different backgrounds, cultures,
and skill sets. Second, cyber attackers will use their diverse knowledge to innovate and evolve
their attack techniques to circumvent security. To combat this threat, cybersecurity
organizations also need strategies, solutions, and problem-solving techniques to defend and
prevent dynamic and unexpected threats. Organizations must gain broader insights into
potential vulnerabilities and effective defense strategies from their workforce to achieve this
capability. Therefore, the cybersecurity industry and organizations must educate, recruit, and
retain people from different backgrounds, cultures, communities, and socioeconomic classes.
The study’s purpose is to learn more about the motivational and decision-making
process of men and women of color and White women regarding their careers in the
cybersecurity industry. Therefore, I centered this research on the voices of cybersecurity
professionals who identify as men and women of color and White women. In doing so, through
interviews centered on three questions of interest, motivational costs, and expectancies of
longevity, I was able to identify associated, common internal personality traits and external
influences that men and women of color and White women may share. These insights may help
find potential cybersecurity candidates within communities of color and women based on
personality traits and external influences. In addition, I identified the barriers and risks that the
cybersecurity industry and organizations can change, such as messaging and transforming into
a culture of belonging, to increase recruitment and retention.
My personal reasons for conducting this research study are to alert Americans to the
broken cybersecurity talent pipeline and how the most vulnerable population of children, older
people, and marginalized groups (i.e., men and women of color and White women) have the
most risk of becoming cyber victims. This is a call to action. There is an overarching need to
empower these groups and communities against malicious actors through cybersecurity

117
education, information sharing, and include them in developing cybersecurity solutions. To do
this, cybersecurity professionals need to demystify cybersecurity and technology to all
Americans so cybersecurity non-technical best practices (e.g., use different passwords) become
a part of the everyday vernacular. History and evidence indicate the most productive way to
increase knowledge and promote positive changes in the most vulnerable populations is to
educate and empower them to spread the knowledge and develop solutions to protect their
communities. Without representation in technology and cybersecurity, cybersecurity solutions
are at risk of not meeting the needs of the most vulnerable. My goal is to make cybersecurity
accessible for all communities in hopes that the collective will collaborate to protect our most
vulnerable from present and future cyber threats.

118
References
Abel, D. (2023, January 13). Irrigating America’s driest digital desert. Forbes.
https://www.forbes.com/sites/forbestechcouncil/2023/01/13/irrigating-americas-driestdigital-desert/?sh=5b7b50b223aa2/5
Accenture, & Girls Who Code. (2020). New research from Accenture and girls who code
outlines steps to double the number of women in technology in 10 years.
www.accenture.com.
Allen, B. (2022, September 30). Minorities and the cybersecurity skills gap. Forbes.
https://www.forbes.com/sites/forbestechcouncil/2022/09/30/minorities-and-thecybersecurity-skills-gap/?sh=6ff471387f3f
Alliance for Affordable Internet. (2019). Rethinking affordable access–alliance for affordable
internet. Alliance for Affordable Internet. https://a4ai.org/news/rethinking-affordableaccess/
Altman, R. (2021). Cybersecurity concerns escalate in the education industry.
Amos, Z. (2022, November 25). Hidden benefits of diversity in cybersecurity. Information
Security Buzz. https://informationsecuritybuzz.com/hidden-benefits-of-diversity-incybersecurity/
Andress, M. (2022, September 14). Lack of diversity is biggest talent gap facing federal cyber
workforce. Federal Times. https://www.federaltimes.com/management/2022/09/14/lackof-diversity-is-biggest-talent-gap-facing-federal-cyber-workforce/
Anthony, A. (2023). Cyber resilience must focus on marginalized individuals, not just institutions.
https://carnegieendowment.org/2023/03/13/cyber
Argo, N., & Sheikh, H. (2023). The belonging barometer: The state of belonging in America.
Armstrong, D. (2014, May 19). Favoritism, not hostility, causes most discrimination, says UW
psychology professor. University of Washington News.

119
https://www.washington.edu/news/2014/05/19/favoritism-not-hostility-causes-mostdiscrimination-says-uw-psychology-professor/
Balaraman, A. (2021, October 6). Bias in cybersecurity job descriptions hurts diversity in the
field. Tech Policy Press.
Ballantyne, R. (2016). Who should teach kids about cybersecurity the educator K–12. The
Educator. https://www.theeducatoronline.com/k12/news/who-should-teach-kids-aboutcybersecurity/224295
Bashir, M., Wee, C., Memon, N., & Guo, B. (2017a). Profiling cybersecurity competition
participants: self-efficacy, decision-making and interests predict effectiveness of
competitions as a recruitment tool. Computers and Security, 65, 153–165.
https://doi.org/10.1016/j.cose.2016.10.007
Brenner, B. (2022, October 3). How to close the cybersecurity talent gap. SC Magazine.
https://www.scmagazine.com/resource/careers/how-to-close-the-cybersecurity-talentgap
Bureau of Labor Statistics. (2022). Occupational outlook handbook: Information security
analysts. https://www.bls.gov/ooh/computer-and-information-technology/informationsecurity-analysts.htm
Bushweller, K. (2020). How covid-19 is shaping tech use. What that means when schools
reopen. https://www.edweek.org/technology/how-covid-19-is-shaping-tech-use-whatthat-means-when-schools-reopen/2020/06
Campbell, S., Castro, J. R., & Wednesday, D. W. (2021). The benefits and costs of broadband
expansion. https://www.brookings.edu/blog/up-front/2021/08/18/the-benefits-and-costsof-broadband-expansion/
Carr, M., & Opare, A. (n.d.). Improve diversity and cybersecurity hiring in one fell swoop.
Enterprise Security Magazine. https://cyber-

120
security.enterprisesecuritymag.com/cxoinsight/improve-diversity-and-cybersecurityhiring-in-one-fell-swoop-nid-3418-cid-21.html
Center of Academic Excellence Community. (2022). CAE institution map.
https://www.caecommunity.org/cae-map
CEO Action Team. (2023). We pledge to act on supporting more inclusive workplaces. PwC.
https://www.ceoaction.com/pledge/
Champlain College. (2021). Adult viewpoints 2021: The cybersecurity skills gap & barrier to
entry.
Check, J. (2023, January 24). By reframing talent, we can meet the cybersecurity skills gap–SC
media. SC Magazine. https://www.scmagazine.com/perspective/careers/by-reframingtalent-we-can-meet-the-cybersecurity-skills-gap
Cobb, M. (n.d.). What is threat modeling? Tech Target.
https://www.techtarget.com/searchsecurity/definition/threat-modeling#:~:text=Threat
modeling is a procedure,of threats to the system.
Cohen, W., de Leon, R., Rush, F., McGinn, G. H., & Gonzalez, L. (1999). Department of
defense education activity accountability report 1997-1998.
Coker, J. (2022, October 20). Cybersecurity workforce gap grows by 26% in 2022. Infosecurity
Magazine.
Cook, S. (2023, August 2). U.S. schools leaked 32 million records in 2,691 data breaches since
2005. Comparitech. https://www.comparitech.com/blog/vpn-privacy/us-schools-databreaches/
Coqual. (2020). The power of belonging: What it is and why it matters in today’s workplace.
Creasey, T. (2024, March 10). Applying the ADKAR model when change management is new.
Prosci. https://www.prosci.com/blog/applying-the-adkar-model-when-changemanagement-is-new
Crockford, K. (2020, June 16). How is face recognition surveillance technology racist. ACLU.

121
Crosslind, S. (2020, July 14). How big tech meritocracy excludes women and people of colour.
The UX Collective. https://uxdesign.cc/big-tech-meritocracy-excludes-woman-andpeople-of-colour-c15c74b335b
Crumpler, W., & Lewis, J. A. (2019). The cybersecurity workforce gap.
https://www.csis.org/analysis/cybersecurity-workforce-gap
Cybersecurity Infrastructure and Security Agency. (2019). Cybersecurity career paths and
progression.
Cybersecurity and Infrastructure Security Agency. (2020). Cyber actors target K–12 distance
learning education to cause disruptions and steal data. https://www.cisa.gov/newsevents/cybersecurity-advisories/aa20-345a
Cybersecurity and Infrastructure Security Agency. (2021a, February). What is cybersecurity?
Cybersecurity and Infrastructure Security Agency. https://www.cisa.gov/newsevents/news/what-cybersecurity
Cybersecurity and Infrastructure Security Agency. (2021b, November 29). Cybersecurity
awareness program parent and educator resources: CISA. Cybersecurity and
Infrastructure Security Agency. https://www.cisa.gov/resourcestools/resources/cybersecurity-awareness-program-parent-and-educator-resources
Cybersecurity and Infrastructure Security Agency. (2023a, June 2). Cybersecurity awareness
program parent and educator resources: CISA. Cybersecurity and Infrastructure Security
Agency. https://www.cisa.gov/resources-tools/resources/cybersecurity-awarenessprogram-parent-and-educator-resources
Cybersecurity and Infrastructure Security Agency. (2023b). Protecting our future: Partnering to
safeguard K–12 organizations from cybersecurity threats.
Cybersecurity and Infrastructure Security Agency. (2024). Workforce framework for
cybersecurity (NICE Framework). National Initiative for Cybersecurity Careers and
Studies. https://niccs.cisa.gov/workforce-development/nice-framework

122
Cybersecurity and Infrastructure Security Agency. (n.d.). K–12 school security guide product
suite: CISA. Cybersecurity and Infrastructure Security Agency CISA.
https://www.cisa.gov/K–12-school-security-guide-product-suite
de Magalhães, S. T. (2022, May 2). Addressing the barriers to closing the cybersecurity skills
gap. Total Security Advisor. https://totalsecurityadvisor.blr.com/policiestraining/addressing-the-barriers-to-closing-the-cybersecurity-skills-gap/
Dean, S., & Bhuiyan, J. (2020, June 24). Why do diversity issues still plague Black tech
workers? Los Angeles Times.
Decrosta, J. (2021). Bridging the gap: An exploration of the quantitative and qualitative factors
influencing the cybersecurity workforce shortage [Capstone Project, Utica College].
http://libproxy.usc.edu/login?url=https://www.proquest.com/dissertations-theses/bridginggap-exploration-quantitative-qualitative/docview/2572571214/se-2?accountid=14749
Deloitte Touche Tohmatsu Limited, Data Wheel. (2021). Information security analysts. Data
U.S.A. https://datausa.io/profile/soc/information-security-analysts
Dennis, M. A. (2023). cybercrime. In Encyclopedia Britannica.
https://www.britannica.com/topic/cybercrime
Dessai, T. (2024, April 18). Cybersecurity faces transformation from generative AI. Nasdaq.
https://www.nasdaq.com/articles/cybersecurity-faces-transformation-from-generative-ai
Donegan, K. (2020). Minorities in cybersecurity face unique and lasting barriers.
https://www.techtarget.com/searchsecurity/feature/Minorities-in-cybersecurity-faceunique-and-lasting-barriers?vgnextfmt=print
Dyer, J., Gregersen, H., & Christensen, C. (2019). Innovator’s DNA: Mastering the five skills of
disruptive innovators. (pp. 23, 46). Harvard Business Review Press.
Eccles, J., Adler, T. F., Futterman, R., Goff, S. B., Kaczala, C. M., Meece, J. L., & Midgley, C.
(1983). Expectancies, values, and academic behavior (J. T. Spence, R. C. Atkinson, G.
Lindzey, & R. F. Thompson, Eds.). W.H. Freeman and Company.

123
EdWeek Research Center. (2020). The state of cybersecurity education in K–12 schools results
of a national survey. https://cyber.org/news/state-cybersecurity-education-K–12-schools
Freed, S. E. (2014, March). Examination of personality characteristics among cybersecurity and
information technology professionals. UTC Scholar. https://scholar.utc.edu/theses/127/
Fry, R., Kennedy, B., & Funk, C. (2021). STEM jobs see uneven progress in increasing gender,
racial and ethnic diversity. Higher education pipeline suggests long path ahead for
increasing diversity, especially in fields like computing and engineering (Vol. 1).
www.pewresearch.org.
Fuentes, M. R. (2023). The gender-equal cybercriminal underground. Trend Micro.
https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digitalthreats/genderincybercrime#:~:text=It%20is%20widely%20assumed%20that,the%20total%20prison%2
0inmate%20population.
Galli, B. J. (2018). Change management models: A comparative analysis and concerns. IEEE
Engineering Management Review, 46(3), 124–132.
https://doi.org/10.1109/emr.2018.2866860
Giacomarra, F. (2024, January 23). Cybersecurity jobs remain unfilled as need for talent grows.
Fordham Now. https://now.fordham.edu/university-news/cybersecurity-jobs-remainunfilled-as-need-for-talent-grows/#:~:text=There
Glesne, C. (2011). Becoming qualitative researchers: An introduction (Fourth Edition). Pearson.
Goldman, C. A., Piquado, T., Irwin, J. L., Allen, D., Zhou, Y., & Ryu, S. H. (2021, November 16).
Recruiting and hiring a diverse and talented public sector workforce.
https://www.rand.org/pubs/research_reports/RRA1255-1.html
Gould, W. R. (2023, April 26). The sunk cost fallacy: How it affects your life decisions.
https://www.verywellmind.com/what-is-sunk-cost-fallacy-7106851?print

124
Government Accountability Office. (2022a). Critical infrastructure protection: Additional federal
coordination is needed to enhance K–12 cybersecurity.
https://www.gao.gov/products/gao-23-105480
Government Accountability Office. (2022b, December). U.S. military cyber personnel:
Opportunities exist to improve service obligation guidance and data tracking. U.S. GAO.
https://www.gao.gov/products/gao-23-105423
Gruman, G. (2020, July 16). IT snapshot: Ethnic diversity in the tech industry western countries
stand in their IT diversity?
Haney, J. M., & Lutters, W. G. G. (2017, July 12–14). Skills and characteristics of successful
cybersecurity advocates [Paper presentation]. Workshop on Security Information
Workers, Symposium on Usable Privacy and Security (SOUPS) 2017, Santa Clara,
California. https://www.usenix.org/system/files/conference/soups2017/wsiw2017-
haney.pdf
Hardesty, L. (2018, February 11). Study finds gender and skin-type bias in commercial artificialintelligence systems. MIT News. https://news.mit.edu/2018/study-finds-gender-skin-typebias-artificial-intelligence-systems-0212
Harmeling, S. (2023, November 14). Rather than seeking a more perfect union, Bari Weiss says
Ditch DEI. Forbes. https://www.forbes.com/sites/susanharmeling/2023/11/09/ratherthan-seeking-a-more-perfect-union-bari-weiss-says-ditch-dei/
International Information System Security Certification Consortium. (2017). (ISC)2 cybersecurity
workforce shortage continues to grow worldwide, to 1.8 million in five years.
https://www.isc2.org/News-and-Events/Press-Room/Posts/2017/02/13/CybersecurityWorkforce-Shortage-Continues-to-Grow-Worldwide
International Information System Security Certification Consortium. (2019). Strategies for
building and growing strong cybersecurity teams. https://www.isc2.org/Research/2019-
Cybersecurity-Workforce-Study

125
International Information System Security Certification Consortium. (2022). (ISC)2 cybersecurity
workforce study. https://www.isc2.org//-/media/ISC2/Research/2022-WorkForceStudy/ISC2-Cybersecurity-Workforce-Study.ashx
Kevis, D. (2024, February 16). How to retain your best employees in your cybersecurity team.
Specialist Recruiters. https://www.franklinfitch.com/us/resources/blog/how-to-retain-yourbest-employees-in-your-cybersecurity-team/
Klein, A. (2021). Cybersecurity training for educators lagging behind rising risk of cyberattacks.
www.edweek.org/help/reprintsKlein, D. (2021). Report: Minorities and women are more likely victims of cyber crime.
occrp.org/en/daily/15343-report-minorities-and-women-are-more-likely-victims-of-cybercrime
Lake, S. (2022, October 20). The cybersecurity industry is short 3.4 million workers—that’s good
news for cyber wages. Fortune. https://fortune.com/education/articles/the-cybersecurityindustry-is-short-3-4-million-workers-thats-good-news-for-cyber-wages/
Levin, B. (2016). Achieving bandwidth abundance: The three policy levers for intensifying
broadband competition. In Federal Communications Law Journal (Vol. 68, Issue 3).
https://go-galecom.libproxy2.usc.edu/ps/i.do?p=ITBC&u=usocal_main&id=GALE|A493323883&v=2.1&i
t=r
Lim, N., Orvis, B. R., & Hall, K. C. (2019, October 22). Leveraging big data analytics to improve
U.S. military recruiting. Rand. https://www.rand.org/pubs/research_reports/RR2621.html
Linnane, C. (2023, April 21). Three years after companies doubled down on DEI, ‘the pendulum
swings back.’ here’s why. Marketwatch. https://www.marketwatch.com/story/companiesneglected-their-new-dei-promises-after-inflation-took-hold-theyre-making-a-tactical-errorexperts-say-a8b1cef7

126
Liu, A. (2011). Unraveling the myth of meritocracy within the context of U.S. higher education. In
Higher Education (Vol. 62, Issue 4, pp. 383–397). https://doi.org/10.1007/s10734-010-
9394-7
Lu, C. (2022, November 28). Meritocracy: Our culture of advancement in technology consulting.
https://qvest.us/2022/11/28/meritocracy-our-culture-of-advancement-in-technologyconsulting/
Marshall, C., & Rossman, G. B. (2016). Designing qualitative research. Sage.
Maslow, A. H. (1943). A theory of human motivation. Psychological Review, 50(4), 370–396.
https://doi.org/10.1037/h0054346
Medina, A., Kaur, M., Cobb, K., Peter, S., Alpern, A., Aluko, Y., Barrington, M., Daco, G.,
Estrep, S., Garfield, S., Garfinkel, L., Gissler, M., Kind, J., Parvin, P., Patel, A., Suarez,
V., & Thurow, F. (2023). How can understanding the influence of Gen Z today empower
your tomorrow?. 2023 Ernst & Young Gen Z Segmentation Study.
https://assets.ey.com/content/dam/ey-sites/ey-com/en_us/topics/consulting/ey-2307-
4309403-genz-segmentation-report-us-score-no-20902-231us-2-vf4.pdf
Medsger, M. (2023, June 7). FBI: Cyber crimes cost U.S. $10 billion in 2023, $300 million from
New England. Boston Herald. https://www.bostonherald.com/2023/06/07/
Merkel, D. (2022, October 7). Gatekeeping has no place in cybersecurity. Forbes.
https://www.forbes.com/sites/forbestechcouncil/2022/10/07/gatekeeping-has-no-placein-cybersecurity/?sh=e9b42615fdd4
Merriam, S. B., & Tisdale, E. J. (2016). Qualitative research a guide to design and
implementation (Fourth edition). Wiley.
Merritt, E. (2024, April 10). A growing backlash to DEI. American Alliance of Museums.
https://www.aam-us.org/2024/04/10/a-growing-backlash-to-dei/

127
Mhlungu, G. (2022, July 14). Why internet access needs to be considered a basic human right.
Global Citizen. https://www.globalcitizen.org/en/content/internet-access-basic-humanright/
Microsoft. (2023, May 9). Microsoft security intelligence: Global threat activity. Microsoft.
https://www.microsoft.com/en-us/wdsi/threats
Miller, A. (2021, September). TED talk: Solving the tech skills gap at your local coffee shop.
TEDxLSSC.
https://www.ted.com/talks/alyssa_miller_solving_the_tech_skills_gap_at_your_local_coff
ee_shop
Morgan, S. (Ed.). (2023, April 15). Cybersecurity jobs report: 3.5 million unfilled positions in
2025. Cybercrime Magazine. https://cybersecurityventures.com/jobs/
National Institute of Standards and Technology. (2024, March 8). Unveiling NICE Framework
components v1.0.0: Explore the latest updates today!. NIST. https://www.nist.gov/newsevents/news/2024/03/unveiling-nice-framework-components-v100-explore-latestupdates-today
National Institute of Standards and Technology. (2023). NICE Framework work role categories
and work roles: an introduction and summary of proposed updates.
https://www.nist.gov/system/files/documents/2023/04/18/NICEFramework_WRrev_intro
Apr2023.pdf
National Institute of Standards and Technology. (n.d.). NIST cybersecurity program history and
timeline. National Institute of Standards and Technology. https://csrc.nist.gov/nist-cyberhistory
Newhouse, W., Keith, S., Scribner, B., & Witte, G. (2017). NIST special publication 800-181:
Workforce framework for cybersecurity (NICE Framework).
https://doi.org/10.6028/NIST.SP.800-181r1

128
O’Dea, R. E., Lagisz, M., Jennions, M. D., & Nakagawa, S. (2018). Gender differences in
individual variation in academic grades fail to fit expected patterns for STEM. Nature
Communications, 9(1). https://doi.org/10.1038/s41467-018-06292-0
Oladipo, D. (2023, January 5). Big tech layoffs may further disrupt equity and diversity efforts.
Reuters. https://www.reuters.com/business/sustainable-business/big-tech-layoffs-mayfurther-disrupt-equity-diversity-efforts-2023-01-05/
Opper, I. M. (2019). Understanding teachers’ impact on student achievement.
https://www.rand.org/education-and-labor/projects/measuring-teachereffectiveness/teachers-matter.html
Osborne, C. (2022). Help wanted: Female cybercrime fighters; millions of openings.
Owusu, M. K., Owusu, A., Fiorgbor, E. T., & Atakora, J. (2021, April 29). View of career
aspiration of students: The influence of peers, teachers and parents.
https://journaljesbs.com/index.php/JESBS/article/view/1023/2046
Palmer, D. (2021, August 20). Cybersecurity jobs: This is what we’re getting wrong when hiring–
and here’s how to fix it. ZDNet. https://www.zdnet.com/article/cybersecurity-jobs-this-iswhat-were-getting-wrong-when-hiring-and-heres-how-to-fix-it
Patton, M. Q. (2015). Qualitative research and evaluation methods (Fourth edition). Sage.
Petersen, R., Santos, D., Smith, M. C., Wetzel, K. A., & Witte, G. (2020). NIST special
publication 800-181 revision 1: Workforce framework for cybersecurity (NICE
Framework). https://doi.org/10.6028/NIST.SP.800-181r1
Petruzzelli, E., & Nidhi, S. (2019). Closing the gaps in cybersecurity. CEP Magazaine, 35–39.
Pew Research Center. (2021). Who owns cellphones and smartphones.
https://www.pewresearch.org/internet/fact-sheet/mobile/
PricewaterhouseCoopers. (2024). 2024 global digital trust insights survey. PwC.
https://www.pwc.com/gx/en/issues/cybersecurity/global-digital-trust-insights.html

129
Prosci, Inc. (n.d.). The PROSCI ADKAR® model: A goal-oriented change management model to
guide individual and organizational change. Prosci.
https://www.prosci.com/methodology/adkar
Porter, E. (2021, June 3). A rural-urban broadband divide, but not the one you think of. The New
York Times.
Rahman, N. A. A., Sairi, I. H., Zizi, N. A. M., & Khalid, F. (2020). The importance of
cybersecurity education in school. International Journal of Information and Education
Technology, 10(5), 378–382. https://doi.org/10.18178/ijiet.2020.10.5.1393
Rankin, D. (2019). Training is a mindset. In P. Quade (Ed.), The digital big bang: The hard stuff,
the soft stuff, and the future of cybersecurity (pp. 97–102). O’Reilly.
Ray , V., & Melaku, T. M. (2023, August 9). Countering the corporate diversity backlash. MIT
Sloan Management Review. https://sloanreview.mit.edu/article/countering-the-corporatediversity-backlash/
Raz, I. (2020). How the tech industry can shift from inclusion to belonging. Forbes.
https://www.forbes.com/sites/forbestechcouncil/2020/02/06/how-the-tech-industry-canshift-from-inclusion-to-belonging/?sh=60fc32ef7169
Reed, J., & Acosta-Rubio, J. (2018). Innovation through inclusion: The multicultural
cybersecurity workforce. An (ISC)2 global information security workforce study.
https://www.isc2.org/-/media/Files/Research/Innovation-Through-Inclusion-Report.ashx
Renaud, K., & Coles-Kemp, L. (2022). Accessible and inclusive cyber security: A nuanced and
complex challenge. SN Computer Science, 3(5). https://doi.org/10.1007/s42979-022-
01239-1
Reventlow, N. J. (2021, July 8). Why tech needs to focus on the needs of marginalized groups.
World Economic Forum. https://www.weforum.org/agenda/2021/07/tech-focus-needsmarginalized-groups/

130
Riddell, R. (2022, July 15). 56% of K–12 schools worldwide report ransomware attacks in past
year. K–12 Dive. https://www.k12dive.com/news/56-percent-K–12-schools-worldwidereport-ransomware-attacks-in-past-year-cybersecurity/627321/
Riley, T. (2021, April 19). The Cybersecurity 202: Cybersecurity experts say elevating and
supporting Black professionals is key to workforce shortage. Washington Post.
https://www.washingtonpost.com/politics/2021/04/19/cybersecurity-202-cybersecurityexperts-say-elevating-supporting-black-professionals-is-key-workforce-shortage/
Robinson, K. A., Lee, Y. K., Bovee, E. A., Perez, T., Walton, S. P., Briedis, D., & LinnenbrinkGarcia, L. (2019). Motivation in transition: Development and roles of expectancy, task
values, and costs in early college engineering. Journal of Educational Psychology,
111(6), 1081–1102. https://doi.org/10.1037/edu0000331
Rosenzweig, E. Q., Wigfield, A., & Eccles, J. S. (2019). Expectancy-value theory and its
relevance for student motivation and learning. In The Cambridge Handbook of
Motivation and Learning (pp. 617–644). Cambridge University Press.
https://doi.org/10.1017/9781316823279.026
Sakpal, M. (2019, September 20). CIOs should embrace DEI to build successful teams.
Gartner.
Sam, D., Ganesan, M., Ilavarasan, S., & Victor, T. J. (2023). Hiring and recruitment process
using machine learning. Institute of Electrical and Electronics Engineers, 1–4.
https://doi.org/10.1109/ICECONF57129.2023.10084133.
Sganga, N. (2022, March 19). Women make up just 24% of the cyber workforce. CISA wants to
fix that. CBS News. WiCyS - Women in Cybersecurity. https://www.wicys.org/womenmake-up-just-24-of-the-cyber-workforce-cisa-wants-to-fix-that/
Smith, J. A., & Eatough, V. (2012). Analysing qualitative data in psychology. SAGE Publications,
Ltd. https://doi.org/10.4135/9781446207536

131
Smith, J. A., & Osborne, M. (2003). Interpretative phenomenological analysis. In J. A. Smith
(Ed.), Qualitative psychology: A practical guide to research methods (pp. 51–80). Sage.
Sucui, P. (2022). The not-so secret cyber war: 5 nations conducting the most cyberattacks. In
Clearance Jobs. Clearance Jobs.
Sun, H. (2021). Bridging the digital chasm through the fundamental right to technology. In
Georgetown Journal on Poverty Law and Policy: Vol. XXVIII (Issue 1).
https://www.nytimes.com/2020/04/22/style/challengesSussman, L. L. (2021). Exploring the value of non-technical knowledge, skills, and abilities
(KSAs) to cybersecurity hiring managers. Journal of Higher Education Theory and
Practice, 21(6), 99–117.
Taylor, S. (2023, August 30). Stand together brandvoice: Transforming postsecondary
education by exploring individualized paths. Forbes. https://www.forbes.com/sites/standtogether/2023/08/28/transforming-postsecondary-education-by-exploring-individualizedpaths/?sh=21dfe1e357ac
The White House. (2022). Fact sheet: National cyber workforce and education summit.
https://www.whitehouse.gov/briefing-room/statements-releases/2022/07/21/fact-sheetnational-cyber-workforce-and-education-summit/
Thortenson, T. (2023, February). Tech alone isn’t enough to secure K–12 schools. EdTech:
Focus on K–12. https://edtechmagazine.com/k12/article/2023/02/tech-alone-isntenough-secure-K–12-schools
Tucker, D. (2022, October 14). Fostering diversity in cybersecurity. Security.
Twaronite, K. (2019). Our research shows that when people feel like they belong, they are more
productive, motivated and engaged. EY. https://www.ey.com/en_us/diversityinclusiveness/ey-belonging-barometer-workplace-study
United Nations. (2016, June 27). The promotion, protection and enjoyment of human rights on
the Internet. United Nations.

132
University of California Berkley. (2020, September 3). Cybersecurity in education: What
teachers, parents and students should know. Berkeley Boot Camps.
https://bootcamp.berkeley.edu/blog/cybersecurity-in-education-what-teachers-parentsand-students-should-know/
University of Virginia. (n.d.). What the heck is a deepfake?. UVA Information Security.
https://security.virginia.edu/deepfakes
U.S. Department of Commerce. (2022, May 13). Biden-Harris administration launches $45
billion “Internet for All” initiative to bring affordable, reliable high-speed internet to
everyone in America. U.S. Department of Commerce.
https://www.commerce.gov/news/press-releases/2022/05/biden-harris-administrationlaunches-45-billion-internet-all-initiative
U.S. Department of Defense Chief Information Officer. (n.d.). Cyberspace workforce
management. U.S. Department of Defense Chief Information Officer. Retrieved July 7,
2023, from https://dodcio.defense.gov/CyberWorkforce/CWM/#:~:text=Cybersecurity%20Workforce%3A%20Personnel%20who%20s
ecure,and%20taking%20internal%20defense%20actions.
U.S. Equal Employment Opportunity Commission. (2014). EEOC diversity in high tech. In U.S.
Equal Employment Opportunity Commission. https://www.eeoc.gov/specialreport/diversity-high-tech#:~:text=Whites made up the largest,as well (68.6 percent)
Wang, Q., & Xue, M. (2022). The implications of expectancy-value theory of motivation in
language education. Frontiers in Psychology, 13.
https://doi.org/10.3389/fpsyg.2022.992372
Ward, M. (2023, February 6). Layoffs hitting diversity roles show “Some CEOs weren’t
committed.” Business Insider.
Weigand, S. (2022, December 29). 2023 workforce predictions: Lack of talent will haunt firms as
leadership comes under scrutiny. SC Media.

133
https://www.scmagazine.com/feature/careers/2023-workforce-predictions-lack-of-talentwill-haunt-firms-as-leadership-comes-under-scrutiny
Weingarten, E., & Kofman-Burns, L. (2022). Is your leadership development program
undermining your DEI goals? Harvard Business Review.
Weise, E., & Guynn, J. (2014, October 12). Black and Hispanic computer scientists have
degrees from top universities, but don’t get hired in tech. USA Today.
https://www.usatoday.com/story/tech/2014/10/12/silicon-valley-diversity-tech-hiringcomputer-science-graduates-african-american-hispanic/14684211/1/4
Weiss, B. (2023, November 7). End DEI: It’s not about diversity, equity, or inclusion. It is about
arrogating power to a movement that threatens not just Jews—but America itself. Tablet
Magazine. https://www.tabletmag.com/sections/news/articles/end-dei-bari-weiss-jews
Whitehurst, J. (2014). Meritocracy: The workplace culture that breeds success. Wired.
https://www.wired.com/insights/2014/10/meritocracy/
Wigfield, A., Rosenzweig, E. Q., & Eccles, J. S. (2017). Achievement values: Interactions,
interventions, and future direction. In A. J. Elliot, C. S. Dweck, & D. S. Yeager (Eds.),
Handbook of Competence and Motivation: Theory and Application (pp. 116–134).
EBSCO.
Wiley, & mthree. (2021). Diversity in tech: 2021 U.S. report.
Woods, S. A., & Sofat, J. A. (2013). Personality and engagement at work: The mediating role of
psychological meaningfulness. Journal of Applied Social Psychology, 43(11), 2203–
2210. https://doi.org/10.1111/jasp.12171
Yeung, D., Steiner, C. E., Hardison, C. M., Hanser, L. M., & Kamarck, K. N. (2017, June 28).
Recruiting policies and practices for women in the U.S. military: Views from the field.
Rand.
https://www.rand.org/content/dam/rand/pubs/research_reports/RR1500/RR1538/RAND_
RR1538.pdf

134
Yampolskiy, A. (2024, February 15). The rise of AI threats and cybersecurity: Predictions for
2024. World Economic Forum. https://www.weforum.org/agenda/2024/02/what-does2024-have-in-store-for-the-world-of-cybersecurity/
Zoom. (2023, February 16). Zoom: End-to-end (E2EE) encryption for meetings audio
transcription for cloud recordings. https://support.zoom.us/hc/en-us/articles/201362723-
Media-encryption-for-SIP-H-323#:~:text=By
Zurkus, K. (2016, July 5). Security industry is a meritocracy, so don’t anchor on gender. CSO.
https://www.csoonline.com/article/3091120/security-industry-is-a-meritocracy-so-dontanchor-on-gender.htm

135
Appendix A: Eligibility Survey
My problem of practice in this study is the lack of diversity in the cybersecurity field,
contributing to the shortage of cybersecurity professional workforce. By understanding the
underlying factors and exploring potential solutions, this study seeks to promote inclusivity and
diversity in the cybersecurity workforce for the purpose of ultimately bridging the gap between
the demand and supply of skilled professionals.
The conceptual framework used for this study is expectancy value theory (EVT), which
suggests that people’s expectations of success and their value on the outcomes of their actions
influence their choices and behaviors. Applying EVT to the cybersecurity workforce shortage
analyzes how individuals decide to pursue and not pursue careers in the field.
The following research questions guide this study:
1. What initially interested men and women of color and White women to pursue the
cybersecurity profession?
2. What are the initial motivational costs of men and women of color and White women
in pursuing a career in cybersecurity?
3. What are the expectancies of men and women of color and White women with
cybersecurity experiences regarding career longevity?
Target population: individuals who are cybersecurity professionals.
Table A1
Eligibility Survey
Question
Open or
closed? Response options
1. Hello, my name is Rosielle. I am a student at the
University of Southern California’s Rossier
School of Education. Thank you for your interest
in joining my research study on discovering
Closed • I agree
• I disagree

136
Question
Open or
closed? Response options
possible solutions to solve the cybersecurity
workforce shortage. Your lived experiences,
opinions, and points of views will help me
understand what motivates individuals who
identify as women and men of color and White
women to pursue careers in cybersecurity.
Prior to scheduling an interview, I need to
confirm your eligibility for my study by completing
this three to four question survey.
This information will only be reported in
aggregate. Your individual responses are kept
strictly confidential. Providing this information is
optional. These data will not be used for a
discriminatory purpose.
Click “I agree” to begin the survey. In doing so,
you agree to participate in the survey and to the
use of your survey responses. If you do not wish
to participate in the survey, please click, “I
disagree”.
2. Criteria: Do you have 3 or more years of
cybersecurity work experience?
Closed • Yes
• No
3. Criteria: How would you describe your gender? Closed • Male (including
transgender men)
• Female (including
transgender women)
• Non-binary/nonconforming
• Prefer not to say
4. Criteria: Which ethnicity best describes you?
(Please choose only one.)
Closed • Hispanic or Latino or
Spanish Origin

137
Question
Open or
closed? Response options
• Not Hispanic or Latino
or Spanish Origin
5. Criteria: Which race(s) best describes you? Closed • Asian
• Native Hawaiian or
Other Pacific Islander
• Black or African
American
• White
• Do not wish to answer
Thank you for your interest in participating in my
survey. Please include your name and contact
information. I will reach out to you via email with
more information.
Open • Email:
• Name:
Thank you for your interest in participating in my
study. Unfortunately, you do not meet the
eligibility criteria to participate in my study.
– • None

138
Appendix B: Interview Protocol: Active Cybersecurity Professional
My problem of practice in this study is the lack of diversity in the cybersecurity field,
contributing to the shortage of cybersecurity professional workforce. By understanding the
underlying factors and exploring potential solutions, this study seeks to promote inclusivity and
diversity in the cybersecurity workforce for the purpose of ultimately bridging the gap between
the demand and supply of skilled professionals.
The conceptual framework used for this study is expectancy value theory (EVT), which
suggests that people’s expectations of success and their value on the outcomes of their actions
influence their choices and behaviors. Applying EVT to the cybersecurity workforce shortage
analyzes how individuals decide to pursue and not pursue careers in the field.
The following research questions guide this study:
1. What initially interested men and women of color and White women to pursue the
cybersecurity profession?
2. What are the initial motivational costs of men and women of color and White women
in pursuing a career in cybersecurity?
3. What are the expectancies of men and women of color and White women with
cybersecurity experiences regarding career longevity?
Respondent type:
Cybersecurity professionals who identify as women and men of color or White women
with 3 or more years of experience.
Introduction to the interview:
Thank you for agreeing to participate in my study. I appreciate the time that you have set
aside to answer my questions. As I mentioned when we last spoke, the interview should take
about an hour, does that still work for you? Before we get started, I want to provide you with an
overview of my study and answer any questions you may have about participating in this
interview. I am a student at the University of Southern California’s (USC) Rossier School of

139
Education and I am conducting a study on the ever-growing cybersecurity workforce shortage. I
am talking to multiple cybersecurity professionals who identify as women and men of color or
White women to learn more about their lived experiences, opinions, and points of views.
My questions are not evaluative. I will not be making any judgments on you. This
interview is also confidential. I will not share them with any other person. I am happy to provide
you with a copy of my final paper if you are interested. I will keep the data in a password
protected computer and all data will be erased after 12 months.
Do you have any questions about the study before we get started? I would like to turn on
the recording on Zoom so I can accurately capture what you share with me. The recording is
solely for my purposes to best capture your perspectives and will not be shared with anyone
else. May I have your permission to record our conversation?
Table B1
Active Interview Protocol
# Interview questions Potential probes RQ
addressed
Key concept
addressed
1. Please share with me
how long you have
been in the
cybersecurity
profession?
How would you describe
yourself within your cyber
security profession?
Rapport Trust
2. What initially
interested you in the
cybersecurity
profession?
Who, if anyone, promoted
your interest in
cybersecurity?
What was your approach in
discovering cybersecurity?
RQ1 Expectancy
value:
attainment
3. What, if anything,
influenced your
cybersecurity
interest to become a
career pursuit?
What was your evaluation
process in pursuing a
career in cybersecurity?
What factor, if any, did your
friends and family play in
your decision?
RQ1 Expectancy
value:
attainment
Value: intrinsic
Value: utility

140
# Interview questions Potential probes RQ
addressed
Key concept
addressed
4. What past
achievements, if
any, contributed to
your decision to
enter the
cybersecurity field?
Would you please describe
any specific experiences, if
any, that validated your
decision to pursue a career
in cybersecurity?
Did these experiences
reinforce your expectancy
beliefs?
RQ1 Expectancy
5. What, if any, were the
rewards that
motivated you to
choose a career in
cybersecurity?
Since becoming a
cybersecurity professional,
how have these rewards
change?
RQ1
RQ2
Value:
attainment
Value: intrinsic
Value: utility
6. What was your
process, if any, in
evaluating potential
risks associated
with a career in
cybersecurity?
Risk may consist of long
working hours, continuous
learning, or exposure to
high-stress situations.
What, if any, specific
sacrifices were you willing
to make to enter this field?
RQ2 Value: cost
Loss of valued
alternatives
Sunk
Financial
Social
Effort required
Emotional
Psychological
7. What barriers, if any,
did you have to
overcome in your
pursuit of a
cybersecurity
career?
How did you navigate those
challenges and maintain
your motivation?
How did your network help
you through these
challenges?
RQ2
Value:
attainment
Value: cost
Loss of valued
alternatives
Sunk
Financial
Social
Effort required
Emotional
Psychological

141
# Interview questions Potential probes RQ
addressed
Key concept
addressed
8. What were your
expectations
regarding the
potential rewards of
a career in
cybersecurity?
What was your process, if
any, to evaluate the
expected outcomes?
Outcomes can include job
satisfaction, financial
stability, career growth, or
work-life balance.
Did these evaluations align
with your personal goals
and values?
RQ3 Expectancy
value:
attainment
Value: intrinsic
Value: utility
9. Would you describe
how your initial
expectations, if any,
align with the reality
of working in this
field?
How have your expectations,
if any, evolved over time
based on your experiences
in the field?
RQ3 Expectancy
value:
attainment
Value: intrinsic
Value: utility
10. How would you
describe your
cybersecurity
mentorship
experience?
Who, if anyone, helped you
find a mentor?
What mentorship influences,
if any, shape your
expectancy beliefs?
How would you describe the
importance of mentorship in
a cybersecurity career?
RQ3
Expectancy
11. What societal impacts
of cybersecurity, if
any, influenced your
career choice?
How do those societal
impacts align with your
personal values? goals?
RQ1
RQ2
Value:
attainment
12. What top three
factors, if any, have
made you stay in
the cybersecurity
field?
What would you advise those
interested in a
cybersecurity career?
RQ3 Value:
attainment
Value: intrinsic
Value: utility
13. Would you please
provide three ways
you would recruit
the communities
you identify with into
cybersecurity?
How would you promote
cybersecurity careers to K–
12 students? Postsecondary education
students? People
interested in changing their
career?
RQ1
RQ3
Value:
attainment
Value: intrinsic
Value: utility

142
Conclusion to the interview:
Thank you so much for you sharing your thoughts with me today! I really appreciate your
time and willingness to share. Everything that you have shared is really helpful for my study. If I
find myself with a follow-up question, I am wondering if I might be able to contact you, and if so,
is email ok? Again, thank you for participating in my study.

143
Appendix C: Interview Protocol: Inactive Cybersecurity Professional
My problem of practice in this study is the lack of diversity in the cybersecurity field,
contributing to the shortage of cybersecurity professional workforce. By understanding the
underlying factors and exploring potential solutions, this study seeks to promote inclusivity and
diversity in the cybersecurity workforce for the purpose of ultimately bridging the gap between
the demand and supply of skilled professionals.
The conceptual framework used for this study is expectancy value theory (EVT), which
suggests that people’s expectations of success and their value on the outcomes of their actions
influence their choices and behaviors. Applying EVT to the cybersecurity workforce shortage
analyzes how individuals decide to pursue and not pursue careers in the field.
The following research questions guide this study:
1. What initially interested men and women of color and White women to pursue the
cybersecurity profession?
2. What are the initial motivational costs of men and women of color and White women
in pursuing a career in cybersecurity?
3. What are the expectancies of men and women of color and White women with
cybersecurity experiences regarding career longevity?
Respondent type:
The participants are individuals who no longer work in cybersecurity but have 3 or more
years of cybersecurity experience. In addition, the participants must identify as men and women
of color or White women.
Introduction to the Interview:
Thank you for agreeing to participate in my study. I appreciate the time that you have set
aside to answer my questions. As I mentioned when we last spoke, the interview should take
about an hour, does that still work for you? Before we get started, I want to provide you with an
overview of my study and answer any questions you may have about participating in this

144
interview. I am a student at the University of Southern California’s (USC) Rossier School of
Education and I am conducting a study on the ever-growing cybersecurity workforce shortage. I
am talking to multiple cybersecurity professionals who identify as men and women of color or
White women to learn more about their lived experiences, opinions, and points of views.
My questions are not evaluative. I will not be making any judgments on you. This
interview is also confidential. I will not share them with any other person. I am happy to provide
you with a copy of my final paper if you are interested. I will keep the data in a password
protected computer and all data will be erased after 12 months.
Do you have any questions about the study before we get started? I would like to turn on
the recording on Zoom so I can accurately capture what you share with me. The recording is
solely for my purposes to best capture your perspectives and will not be shared with anyone
else. May I have your permission to record our conversation?
Table C1
Inactive Interview Protocol
# Interview questions Potential probes RQ
addressed
Key concept
addressed
1. Please share with me
your cybersecurity
experience?
How long ago did you work
in cybersecurity?
Rapport Trust
2. What initially
interested you in
the cybersecurity
profession?
Who, if anyone, promoted
your interest in
cybersecurity?
What was your approach
in discovering
cybersecurity?
RQ1 Expectancy
value:
attainment

145
# Interview questions Potential probes RQ
addressed
Key concept
addressed
3. What past
achievements, if
any, contributed to
your decision to
enter the
cybersecurity field?
Would you please describe
any specific
experiences, if any, that
validated your decision
to pursue a career in
cybersecurity?
Did these experiences
reinforce your
expectancy beliefs?
RQ1 Expectancy
4. What, if any, were
the rewards that
motivated you to
choose a career in
cybersecurity?
What, if any, were your
experiences upon
receiving the rewards as
a cybersecurity
professional?
How did the rewards or
lack of rewards influence
your decision to no
longer pursue a
cybersecurity career?
RQ1
RQ2
Value: attainment
Value: intrinsic
Value: utility
5. What, if anything,
influenced you to
no longer pursue a
cybersecurity
career?
Would you please
describe any specific
experiences, if any,
that validated your
decision to no longer
pursue a career in
cybersecurity?
RQ1 Expectancy
value:
attainment
Value: intrinsic
Value: utility
6. What was your
evaluation process
in no longer
pursuing a career
in cybersecurity?
What factor, if any, did
your friends and family
play in your decision?
RQ3 Value:
attainment
Value: intrinsic
Value: utility
7. What was your
process, if any, in
evaluating potential
risks associated
with a career in
cybersecurity?
Risk may consist of long
working hours,
continuous learning, or
exposure to highstress situations.
What, if any, specific
sacrifices were you
initially willing to make
to enter this field?
RQ2 Value: cost
Loss of valued
alternatives
Sunk
Financial
Social
Effort required
Emotional
Psychological

146
# Interview questions Potential probes RQ
addressed
Key concept
addressed
8. What were your
expectations
regarding the
potential rewards
of a career in
cybersecurity?
What was your process,
if any, to evaluate the
expected outcomes?
Outcomes can include
job satisfaction,
financial stability,
career growth, or worklife balance.
Did these evaluations
align with your
personal goals and
values?
RQ3 Expectancy
value:
attainment
Value: intrinsic
Value: utility
9. Would you describe
how your initial
expectations, if
any, aligned with
the reality of
working in this
field?
How have your
expectations, if any,
evolved over time based
on your experiences in
the field?
RQ3 Expectancy
value:
attainment
Value: intrinsic
Value: utility
10. What barriers, if any,
influenced you to
no longer become
a cybersecurity
career?
Please share with me how
you navigated or
attempted to navigate
those challenges.
What factor, if any, did
your network play as you
navigated through these
challenges?
RQ2 Value: attainment
Value: cost
Loss of valued
alternatives
Sunk
Financial
Social
Effort required
Emotional
Psychological
11. How would you
describe your
previous
cybersecurity
mentorship
experience?
Who, if anyone, helped
you find a mentor?
What mentorship
influences, if any, shape
your expectancy beliefs?
How would you describe
the importance of
mentorship in a
cybersecurity career?
RQ3 Expectancy

147
# Interview questions Potential probes RQ
addressed
Key concept
addressed
12. What would you
advise those
interested in a
cybersecurity
career?
What top three factors, if
any, influenced you to
leave the cybersecurity
field?
RQ3 Value: attainment
Value: intrinsic
Value: utility
13. Would you please
provide three ways
you would recruit
the communities
you identify with
into cybersecurity?
How would you promote
cybersecurity careers to
K–12 students? Postsecondary education
students? People
interested in changing
their career?
RQ1
RQ3
Value: attainment
Value: intrinsic
Value: utility
Conclusion to the interview:
Thank you so much for you sharing your thoughts with me today! I really appreciate your
time and willingness to share. Everything that you have shared is really helpful for my study. If I
find myself with a follow-up question, I am wondering if I might be able to contact you, and if so,
is email ok? Again, thank you for participating in my study.

148
Appendix D: A Priori Coding Sheet
My problem of practice in this study is the lack of diversity in the cybersecurity field,
contributing to the shortage of cybersecurity professional workforce. By understanding the
underlying factors and exploring potential solutions, this study seeks to promote inclusivity and
diversity in the cybersecurity workforce for the purpose of ultimately bridging the gap between
the demand and supply of skilled professionals.
The conceptual framework used for this study is expectancy value theory (EVT), which
suggests that people’s expectations of success and their value on the outcomes of their actions
influence their choices and behaviors. Applying EVT to the cybersecurity workforce shortage
analyzes how individuals decide to pursue and not pursue careers in the field.
The following research questions guide this study:
1. What initially interested men and women of color and White women to pursue the
cybersecurity profession?
2. What are the initial motivational costs of men and women of color and White women
in pursuing a career in cybersecurity?
3. What are the expectancies of men and women of color and White women with
cybersecurity experiences regarding career longevity?

149
Table D1
Codes for RQ1
Code/theme Sub-themes Description of theme
Internal personality traits Avid learner Enthusiastic and eager to
learn new things. A
continuous learner.
Challenge-driven Persistent and not easily
deterred by setbacks or
failures.
Protectiveness Desire to protect others from
harm.
External influences Parental and familial Influenced by parents and
family members.
Primary and Secondary
Schools
Influenced by primary and
secondary schools or
program.
Co-workers Influenced by co-workers
and leaders of an
organization.

150
Table D2
Codes for RQ2
Code/theme Sub-themes Description of theme
Barrier to entry Bias in education and lack of
experience
Assumption that an
individual does not have
cybersecurity education
and relevant experience.
Gender, racial, and ethnic
differences
Prejudice based on gender,
race, and ethnicity.
Constant risks Lack of guidance Minimal consistent
information on how to
become a cybersecurity
professional and progress
in the field.
Long hours Required continuous
education in new
technology and threats.
High stress Constant pressure to stay
vigilant against
cyberattacks and the
scrutiny and criticism of
past cybersecurity
decisions after an incident.

151
Table D3
Codes for RQ3
Code/theme Sub-themes Description of theme
Future opportunities Belief there are future job
opportunities in the
cybersecurity industry.
Future technologies and
threats
Concern about the existing
and new threats
technology presents.

Abstract (if available)

Abstract The cybersecurity landscape is facing a formidable challenge as the high demand for skilled professionals continues to outpace the cybersecurity workforce. The U.S. cybersecurity workforce gap has reached an estimated all-time high of 750,000 unfilled positions in 2024. The U.S.’s current cybersecurity workforce consists of only 26% identifying as non-White minorities, while only 24% identify as female. This highlights the untapped potential in reaching out to the U.S.’s diverse groups and communities to address the ever-growing cybersecurity shortage. Also, there is an underlying need to understand the importance of diverse perspectives in cybersecurity to bring forth the necessary creative solutions to defend against the diverse cybercriminal threat. Organizations must gain broader insights into potential vulnerabilities and effective defense strategies from their workforce as a countermeasure to this threat. However, limited data exists on the identification and understanding of men and women of color and White women’s barriers and motivations in cybersecurity. As a result, this study used Eccles et al.’s expectancy value theory (EVT) to explore 17 diverse participants’ cybersecurity career journeys. EVT suggests that people’s expectations of success and the value they associate with those outcomes influence their choices and behaviors. When applied to career choice, this theory provided the framework to identify and understand commonalities in motivations, barriers, and expectancy in career longevity across the participants of this study. These findings fueled my recommendations for change at the industry and organizational levels, such as reframing what cybersecurity is and leveraging the understanding of diverse cybersecurity professionals’ personality traits and influences. Furthermore, organizations need to change their hiring and recruiting practices and transform into a culture of belonging to retain their cybersecurity talent. I recommend implementing these changes using the awareness, desire, knowledge, ability, and reinforcement (ADKAR) change management method to help manage people’s experiences and expectations.

Linked assets

University of Southern California Dissertations and Theses

Conceptually similar

PDF

A qualitative study that examines the transformational factors that prevent cybersecurity from being a funding priority in healthcare organizations

PDF

The role of executives’ knowledge and motivation in enabling organizational supports for diversity, equity, and inclusion

PDF

Factors fueling the Texas construction personnel shortage: a comprehensive examination of stakeholder views and influences

PDF

Diversity management in local government: a gap analysis

PDF

Racial and gender gaps in executive management: a retrospective examination of the problem cause and strategies to address disparities

PDF

Canaries in the mine: centering the voices of Black women DEI practitioners in a period of DEI resistance

PDF

For DEI practitioners of color who’ve considered leaving when the rainbow isn’t enough: the impact of DEI fatigue on the retention of Black women in big tech

PDF

The significance of investigating the absence of Black decision-makers in television and feature films

PDF

IT belongingness: from outcasts to technology leaders in higher education – a promising practice

PDF

Environmental influences on the diversity of professional sports executive leadership

PDF

Black brilliance in leadership: increasing the number of Black women in the senior executive service

PDF

Applying best practices to optimize racial and ethnic diversity on nonprofit boards: an improvement study

PDF

The failure to attract and hire Millennials and Gen Zs within the U.S. aerospace & defense industry creates workforce scarcity

PDF

Exhaustion of Black women in corporate settings: a study to identify helpful interventions

PDF

Addressing the challenges of employee retention: a qualitative analysis of job satisfaction and perceptions of advancement by marginalized women in the insurance industry

PDF

LGBTQ+ representation in young children’s television: a qualitative research study

PDF

The underrepresentation of Black women general officers in a U.S. military reserve component

PDF

Reimagining the pathway to career success: navigating Identity and the white-collar workplace as first-generation immigrant professionals

PDF

Head, heart, and hustle: exploring the value of independent filmmakers

PDF

Diversity initiatives in a California independent school: from plans to reality

Asset Metadata

Creator Vengua, Rosielle (author)

Core Title Identifying diversity solutions for the cybersecurity workforce shortage: a phenomenological qualitative study

School Rossier School of Education

Degree Doctor of Education

Degree Program Organizational Change and Leadership (On Line)

Degree Conferral Date 2024-08

Publication Date 08/30/2024

Defense Date 08/30/2024

Publisher Los Angeles, California (original), University of Southern California (original), University of Southern California. Libraries (digital)

Tag and inclusion (DEI) in cybersecurity,belonging,changing cybersecurity toxic work environments,cybersecurity,cybersecurity diversity recruiting,cybersecurity talent pipeline,cybersecurity workforce shortage,diversity,equity,NICE Framework,retaining cybersecurity talent,skills-based hiring

Format theses (aat)

Language English

Contributor Electronically uploaded by the author (provenance)

Advisor Tobey, Patricia (committee chair), Grad, Richard (committee member), Maddox, Anthony (committee member)

Creator Email rosielle.vengua@gmail.com,vengua@usc.edu

Permanent Link (DOI) https://doi.org/10.25549/usctheses-oUC11399A0AI

Unique identifier UC11399A0AI

Identifier etd-VenguaRosi-13457.pdf (filename)

Legacy Identifier etd-VenguaRosi-13457

Document Type Dissertation

Format theses (aat)

Rights Vengua, Rosielle

Internet Media Type application/pdf

Type texts

Source 20240831-usctheses-batch-1205 (batch), University of Southern California (contributing entity), University of Southern California Dissertations and Theses (collection)

Access Conditions The author retains rights to his/her dissertation, thesis or other graduate work according to U.S. copyright law. Electronic access is being provided by the USC Libraries in agreement with the author, as the original true and official version of the work, but does not grant the reader permission to use the work if the desired use is covered by copyright. It is the author, as rights holder, who must provide use permission if such use is covered by copyright.

Repository Name University of Southern California Digital Library

Repository Location USC Digital Library, University of Southern California, University Park Campus MC 2810, 3434 South Grand Avenue, 2nd Floor, Los Angeles, California 90089-2810, USA

Repository Email cisadmin@lib.usc.edu