The rising number of Australian cybersecurity breaches underscores a significant shortage of skilled professionals in the field – an issue that has been discussed for many years.
Universities are positioned as key players in addressing this gap; however, there remains limited understanding of how effectively university-based cybersecurity education is meeting the demands of the industry.
A project conducted by Charles Sturt University, ‘An Analysis of Australian Cybersecurity Postgraduate Degrees’, is designed to explore and better understand the current landscape of postgraduate cybersecurity education in Australia.
Australia’s postgraduate cybersecurity education landscape has expanded significantly over the past decade.
Since 2013, the number of coursework-based programs has grown from a single program to 41 in 2024.
This study examined the curricula of these programs, drawing data from university handbooks and archived web sources to assess the structure, focus, and consistency of offerings.
The study identified institutions offering or having previously offered postgraduate cybersecurity qualifications.
Only programs with ‘cybersecurity’ explicitly in the title were included, ensuring a focus on specialist programs aligned with industry needs.
To maintain a consistent unit of comparison, only the highest qualification per study stream was analysed — typically a Master’s degree — though in distinct cases like Swinburne University, multiple streams (eg. a Graduate Diploma in Cybersecurity Management and a Master of Cybersecurity) were included due to their curricular differences.
The dataset covered 41 programs in 2024, comprising 34 Master’s programs, five Graduate Certificates, and two Graduate Diplomas.
A total of 382 core courses were analysed, with 514 descriptive keywords identified in their titles.
The six most frequent course keywords were Security, Cyber, Cyber Security, Networks, Data, and Management — revealing an emphasis on foundational and managerial concepts.
However, more technically specialised skills such as Ethical Hacking, Penetration Testing, and Cyber Defence were far less common, indicating a potential gap in critical cybersecurity expertise.
The programs also featured soft-skill-oriented courses, such as Cyber and the Law and Project Management.
Research and capstone projects allow students to apply theoretical knowledge to real-world problems.
Twenty-nine programs included a research or capstone project, and 12 featured an industry-integrated element.
Deakin University offers innovative formats — first year students undertaking Project Management and Practices receive supervision and guidance from second year students undertaking Project Execution and Delivery.
However, inconsistencies exist. One of two specialisation streams facilitated by the University of NSW Faculty of Engineering require a capstone, and four programs in the dataset had no research requirement at all.
Some courses featured multiple topics — 26 had two, and 10 had three or more.
This bundling can make it difficult for students to assess course relevance, especially when titles suggest equal weighting that may not reflect actual content focus, for example ‘Network and Memory Forensics’ with four distinct assessments, but unclear topic emphasis based on the title alone.
Accreditation data from the Australian Computer Society were also examined.
Of the 41 programs in 2024, only 17 were accredited — 12 as ‘Professional’ and five as ‘Cyber Security Professional’. All accredited programs were Master’s-level qualifications.
While Australia has developed a broad array of postgraduate cybersecurity programs, the study found inconsistent curriculum design and a lack of standardisation.
Not all programs include critical technical skills, and the variation in capstone requirements may impact graduate readiness.
Further, the wide range of course keywords and inconsistent course naming conventions introduce unnecessary complexity for prospective students.
Some universities, attempt to integrate management and leadership development into cybersecurity education.
Others, like Deakin, have piloted novel mentorship-based project models. These approaches reflect an awareness of the need for both technical and soft skills in the workforce.
Another concern raised was the absence of dedicated cybersecurity programs at some high-ranking institutions, such as the University of Melbourne, despite its status as an Academic Centre of Cyber Security Excellence.
In such cases, cybersecurity content is embedded within broader IT programs rather than offered as standalone qualifications.
Australia’s postgraduate cybersecurity education sector has matured significantly in recent years, offering students various pathways into the industry. However, challenges remain.
Curriculum gaps, limited accreditation, and inconsistent capstone integration suggest a need for greater standardisation and alignment with global frameworks like Skills for the Information Age (SFIA).
Enhanced clarity in course design, expanded industry collaboration, and better integration of practical experience could help ensure graduates are truly industry ready.
As cyber threats grow in complexity, so too must our educational systems evolve.
A coordinated national approach — similar to the US CAE-C model — may help drive more consistent, high-quality training across the sector and better prepare the next generation of cybersecurity professionals.
This study raises important questions that warrant further investigation — particularly regarding how relevant these degrees are to professionals’ careers, the currency of the knowledge they provide, and the depth of the skills they develop.
To expand on these findings, a survey targeting cybersecurity professionals has been launched to gather insights into which skills are considered essential for graduates entering the field.
The survey is currently open to all cybersecurity professionals, regardless of their educational background.
The survey link is: https://csufobjbs.au1.qualtrics.com/jfe/form/SV_6VcZAA4l8WtzXr8
This survey has Ethics Approval through Charles Sturt University and is open until the 30 June 2025.
Michael James is a senior digital forensics examiner with 12 years’ experience in the field and over 35 years information technology experience. He is currently studying for a Doctor of Information Technology.
