📖 Note: this article provides information about Work Roles (WRs) on the FifthDomain platform, and the process of setting up WRs (with FifthDomain skills mapping) within your organisation on the platform.
About Work Roles on the FifthDomain Platform
Work Roles (WRs) comprise a list of skills and responsibilities representing specific job functions within an organisation. An individual's ability to exhibit a WR's required skills and responsibilities determines how well they match the WR, and how well they can carry out the job function their WR represents.
The FifthDomain platform allows cyber teams to add their operational cyber work roles to their organisation on the platform. WRs in your organisation can then be assigned to specific members of your cyber teams (if they are Affiliated users in your organisation on the platform).
Once a member of your cyber team has been assigned a WR within your organisation, Manager users (with platform permissions granting them the ability to view Affiliated User Profiles) can then overlay the WR over their Cyber Skills Cortex. This allows them to see how well that team member matches with their assigned WR, and identify specifically which of their required cyber skills are fulfilled and unfulfilled based on their current cyber skillset. Once skill gaps are identified, they can then be remediated by assigning relevant FifthDomain Training Activities and/or other events.
For more details about Affiliated User Profiles (and which permissions can view them), please refer to this article. For more details on overlaying WRs onto an Affiliated User Profile, please refer to this article.
📖 Note: Having Work Roles in your organisation is a pre-requisite to being able to generate FifthDomain Training Activities, and use FifthDomain's workforce management features - overlaying Work Roles, Functions, and Squads.
All WRs on the FifthDomain platform are custom-created for each individual organisation using the platform, based on consultation with the FifthDomain team. There are currently no standardised "off-the-shelf" WRs that you can add to your organisation.
Each WR that is added to an organisation on the platform is private and specific only to that organisation. For example, Organisation 'A' cannot view, interact with, or otherwise access any details (i.e. WR names, skills and proficiency levels) about Organisation 'B''s WRs, and vice-versa.
Mapping Work Roles to FifthDomain Skill-Proficiencies
Customer WRs (and the Customer Skills that they comprise) are reflected in the FifthDomain platform as a selection of required equivalent FifthDomain Skills in the FifthDomain Cynaptic Adaptor.
In adding WRs to your organisation on the platform, each skill contained in your organisation's WRs (i.e. each Customer Skill) will be mapped to its equivalent (one or many) FD Skill(s). When a user has a WR assigned to them on the platform, and that WR is overlaid onto their Cyber Skills Cortex, the equivalent FD Skills required of the WR will display.
Each required Customer Skill in a WR also has a set target proficiency level that users assigned to the WR need to be able to demonstrate the equivalent FD Skill(s) at, in order for the Skill to be considered as 'fulfilled' by them. Essentially, your organisation's WRs will be reflected on the platform as a series of Skill-Proficiency requirements.
Overview of FifthDomain Skills
A list of FifthDomain Skills (FD skills) is below. Each FD Skill belongs to one of six Professional Specialties, which group FD Skills into essential cyber operations functions. To set up WRs on your platform, you will need to provide a list of Customer Skills required for each WR. The FifthDomain team will then map each of your organisation's skills (Customer Skills) to their equivalent FD Skill(s).
Professional Specialty: Intelligence
FD Skill | Description | Example in a SOC Context |
Threat Intelligence Gathering (TG) | Collecting and analysing cyber threat actors, infrastructure, and Indicators of Compromise | Identifying new malware variants from multiple sources and analysing their impact |
Opensource Collection (OC) | Gathering of information from publicly available sources | Collecting threat indicators from open-source cybersecurity feeds |
Darkweb Monitoring (DM) | Collecting, analysing, and reporting data from dark web sources | Identifying the company's leaked data or potential threats in dark net markets and forums |
Social Media Analysis (SA) | Collecting and analysing information from social media platforms | Monitoring chatter about the latest phishing campaigns or malware on cybersecurity forums and social platforms |
Geo-Intelligence (GI) | Applying geospatial intelligence in cyber operations | Identifying potential cyber threats based on geographical origin or target |
Professional Specialty: Protection
FD Skill | Description | Example in a SOC Context |
Access Control (AC) | Managing permissions and authorisations for system access | Ensuring that users only have necessary and appropriate access to systems |
System Hardening (SH) | Reducing system vulnerabilities through configuration adjustments and patch management | Implementing system patches and upgrades to mitigate known vulnerabilities |
Encryption Techniques (ET) | Applying encryption to protect data confidentiality and integrity | Encrypting sensitive data in transit and at rest to prevent unauthorised access |
Vulnerability Assessment (VA) | Identifying and assessing system vulnerabilities | Conducting regular scans to find and prioritise vulnerabilities in the organisation's systems |
Network Hardening (NH) | Implementing strategies and controls to enhance the security of the network infrastructure. | Setting up firewall rules to block unauthorised access, securing router configurations, setting up a network access control system to restrict network access based on user profiles, disabling unnecessary network services and ports to reduce the attack surface, and setting up an IDS/IPS system for detecting and preventing network intrusions |
Professional Specialty: Engineering
FD Skill | Description | Example in a SOC Context |
Automation Programming (AP) | Using programming to automate repetitive tasks | Writing a script to automate the process of collecting and analysing logs |
Software Debugging (SD) | Identifying and fixing errors in software | Debugging an issue with the SOC's threat intelligence platform |
SOC Tech Deployment (TD) | Deploying and managing technology solutions within a Security Operations Centre | Implementing a new SIEM solution in the SOC |
API Development (AD) | Creating APIs for interacting with applications or services | Developing an API for the company's custom security tool |
Secure Coding (SC) | Developing software in a way that guards against security vulnerabilities | Reviewing code for potential security flaws |
Professional Specialty: Penetration
FD Skill | Description | Example in a SOC Context |
Network Exploitation (NX) | Manipulating network topology and configuration vulnerabilities to gain unauthorised access or disrupt services | Spotting a potential brute-force attack on the network |
OS Exploitation (OX) | Manipulating operating system vulnerabilities to gain unauthorised access | Detecting an attempt to exploit a known OS vulnerability |
Database Exploitation (DX) | Exploiting vulnerabilities in databases to gain unauthorised access or extract data | Identifying an SQL injection attack against a company database |
AI Exploitation (AX) | The strategic utilisation of techniques to manipulate artificial intelligence systems, such as chatbots, with the aim of revealing hidden data or eliciting unintended responses | Recognising a phishing attack that tries to deceive employees into revealing their passwords |
Binary Exploitation (BX) | Exploiting software at the binary level | Identifying a buffer overflow attack against a binary running on a server |
Web Exploitation (WX) | Exploiting vulnerabilities in web applications to gain unauthorised access or disrupt services | Identifying a cross-site scripting attack on the company's web application |
Professional Specialty: Detection
FD Skill | Description | Example in a SOC Context |
Intrusion Detection (ID) | Identifying potential incidents, threats and vulnerabilities in the network | Monitoring network traffic for signs of potential attacks using an IDS |
Anomaly Detection (AN) | Identifying unusual patterns that could indicate a security breach | Detecting abnormal user behaviour that might indicate a compromised account |
Alert Creation (AE) | Creating and configuring alerts based on specific security conditions | Setting up alerts for unsuccessful login attempts |
Traffic Analysis (TA) | Analysing network traffic to detect security incidents | Detecting unusual traffic patterns or volumes that might indicate a DDoS attack |
Log Analysis (LA) | Interpreting log entries to identify and investigate suspicious activities | Analysing server logs for signs of a potential breach |
Professional Specialty: Investigation
FD Skill | Description | Example in a SOC Context |
Malware Analysis (MA) | Examining malicious software and scripts to understand their functions, origins, and impact | Analysing a new ransomware variant to develop countermeasures |
Reverse Engineering (RE) | Dismantling and analysing a device or system to understand its composition and operation | Reverse engineering a piece of malware to identify its propagation method |
Cryptanalysis (CA) | Decrypting or decoding encrypted data and programs without knowing the encryption key | Cracking the encryption used by a piece of ransomware |
Digital Forensics (DF) | Collecting, analysing and reporting on digital data for incident investigations, including steganography | Investigating a ransomware attack by collecting and analysing affected system images |
Host Analysis (HA) | Examining host activities and configurations for signs of compromise | Checking system configurations and logs on a host showing signs of infection |
Data Recovery (DR) | Retrieving data from damaged, failed, corrupted, or inaccessible storage media | Recovering files deleted by a wiper malware |
💡 Remember:
One Customer Skill can be mapped to one or many equivalent FD Skills. FifthDomain will map each Customer Skill to all relevant equivalent FD Skills. For instance, a relatively high-level Customer Skill such as "Collect and monitor cyber intelligence" may have multiple FD Intelligence skills as equivalent FD Skill mappings (e.g. Opensource Collection (OC), Threat Intelligence Gathering (TG), Darkweb Monitoring (DM), etc). However, less high-level Customer Skills will mostly only need to be mapped to a single equivalent FD Skill.
Also note that if deemed suitable, one FD Skill may be mapped to multiple Customer Skills. For instance, separate Customer Skills like "Scan dark web locations for emerging threats" and "Track known ongoing sources for stolen data and malicious activity" may both be most appropriately mapped to the FD Skill Darkweb Monitoring (DM).
In this case, the number of Customer Skills may be more than the number of required equivalent FD Skills in a WR. For example, if a WR has five Customer Skills attached to it, but each of the Customer Skills is best mapped to the same FD Skill, then when a user is assigned that WR, they will only have one required FD Skill to fulfil. The FifthDomain team will consult with your organisation to ensure fit-for-purpose mappings to FD Skills.
Overview of FifthDomain Proficiencies
Proficiency levels, per the Cynaptic Skills Adaptor, determine a participant's level of ability in a particular skill on the platform. There are five proficiency levels that participants can demonstrate on the platform. These are described below:
📖 Cynaptic Adaptor Proficiency Levels (drawn from the Dreyfus Model of Skills Acquisition):
Level 1 (Novice): Demonstration of a basic but incomplete understanding of a concept, and a mechanistic approach requiring supervision for relevant work completion.
Level 2 (Advanced Beginner): Demonstration of a working understanding of a concept, and a perception of required actions as steps. Those at this level can complete simpler tasks independently.
Level 3 (Competent): Demonstration of a good working and background understanding of a concept, with contextual awareness. Those at this level are capable of independent work to an acceptable standard.
Level 4 (Proficient): Demonstration of deep understanding of a concept, complete with a holistic view of required actions. Those at this level consistently achieve high standards when performing relevant work.
Level 5 (Expert): Demonstration of authoritative and/or deep holistic understanding of a concept, complete with intuitive handling of routine relevant matters. Those at this level excel effortlessly when performing relevant work.
Each challenge on the platform is assigned one of the five proficiency levels. Solving a challenge which tests a particular skill at a particular proficiency level indicates that the solving participant is able to demonstrate that skill at that proficiency level.
In the case of WRs, each Customer Skill within a WR also needs to have a proficiency level attached to it, indicating the target proficiency level required for that Customer Skill within the WR. FifthDomain will map each Customer Skill you provide for each WR to one of five FifthDomain Cynaptic proficiencies. For instance, a Customer Skill "Perform Vulnerability Assessments" (which may be mapped to the FD Skill 'VA'), may be required at Level 2 (Advanced Beginner) for a specific WR.
The target proficiency level of each Customer Skill within a WR will inform the level of ability required for that skill within the context of that WR.
If a user has not met the target proficiency for a required FD Skill in their WR (i.e. if they have not demonstrated the equivalent FD Skill at all, or if they have only demonstrated it below the target proficiency), then that FD Skill would be unfulfilled by them. In such cases, an ability gap requiring some remediation is likely to be present for that skill.
If a user has met the target proficiency for a required FD Skill in their WR (i.e. if they have demonstrated the equivalent FD Skill at or above the target proficiency), then that FD Skill would be fulfilled by them. In such cases, it is likely that the user can adequately perform the skill at the ability level required for their WR.
For example, say there is a WR named 'Vulnerability Analyst', which contains the Customer Skill "Perform Vulnerability Assessments" (mapped to the 'VA' FD Skill). If "Perform Vulnerability Assessments" has its required proficiency set to Level 2 (Advanced Beginner), then users who are assigned the 'Vulnerability Analyst' WR will be required to be able to demonstrate 'VA' at Level 2 or above. Level 2 will become the target proficiency level for 'VA' for the 'Vulnerability Analyst' WR.
If user 'A' and user 'B' both have 'Vulnerability Analyst' as their assigned WR, and user 'A' has demonstrated the 'VA' FD Skill at Level 1, and user 'B' has demonstrated it at Level 2, then user 'A''s Cyber Skills Cortex will show that 'VA' is unfulfilled, as they have not demonstrated 'VA' at or above the Level 2 target. Conversely, user 'B''s Cyber Skills Cortex will show that 'VA' is fulfilled, as they have demonstrated 'VA' at or above the Level 2 target.
📖 Note: to ensure effective Skill-Proficiency mapping, your organisation will need to provide some indication of the difficulty or level of ability required for each Customer Skill. If your organisation is able to identify a specific required FifthDomain Cynaptic proficiency for each Customer Skill, this will be most ideal. Otherwise, suitable target proficiencies for each Customer Skill provided will be identified by the FifthDomain team through consultation.
💡 Remember: each Customer Skill provided will be mapped to one required proficiency level. If deemed appropriate, one Customer Skill in a WR may map to many equivalent FD Skills. In such cases, all mapped FD Skills will be mapped to the proficiency selected for the Customer Skill (within that WR).
For example, if a Customer Skill "Collect and monitor cyber intelligence" is mapped to 3 x FD Skills - Opensource Collection (OC), Threat Intelligence Gathering (TG), and Darkweb Monitoring (DM) - and the Customer Skill is assigned Level 1 (Novice) as its target proficiency for the WR 'Intelligence Analyst', then users assigned this WR would be required to demonstrate OC, TG, and DM all at Level 1.
Additionally, if deemed suitable, multiple Customer Skills in a single WR may be mapped to the same FD Skill. In such cases, the highest required proficiency for the FD Skill within the WR will become the target proficiency for that FD Skill within the WR. As an example, say there is a WR named 'Vulnerability Analyst' with the following Customer Skills and proficiency targets:
Customer Skill 1 - “Perform vulnerability assessments” (mapped to the FD Skill 'VA') - required at Level 2 (Advanced Beginner)
Customer Skill 2 - “Manage vulnerability assessments” (mapped to the FD Skill 'VA') - required at Level 4 (Proficient)
In the example above, both Customer Skills in the WR are mapped to the 'VA' FD Skill. Users assigned the 'Vulnerability Analyst' WR will have 'VA' Level 4 as their required proficiency level for 'VA', not Level 2, as Level 4 is the highest target proficiency required of all Customer Skills mapped to 'VA' in the WR.
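The mapping and fulfilment rules described in this section can be modelled in a few lines. The sketch below is an added illustration, not FifthDomain's code or API: the class and function names are hypothetical, the WR data is taken from the article's own examples, and the users' demonstrated levels are constructed.

```python
from dataclasses import dataclass

# Cynaptic Adaptor proficiency levels as listed in this article.
LEVELS = {1: "Novice", 2: "Advanced Beginner", 3: "Competent",
          4: "Proficient", 5: "Expert"}

@dataclass(frozen=True)
class CustomerSkill:              # hypothetical model, not a platform object
    name: str
    fd_skills: tuple              # one or many FD Skill codes, e.g. ("VA",)
    target_level: int             # one target proficiency per Customer Skill

def resolve_targets(customer_skills):
    """Collapse a WR's Customer Skills into {FD Skill code: target level}.

    Every FD Skill mapped from a Customer Skill inherits that skill's target;
    when several Customer Skills share an FD Skill, the highest target wins.
    """
    targets = {}
    for cs in customer_skills:
        if cs.target_level not in LEVELS:
            raise ValueError(f"{cs.name!r}: level must be 1-5")
        if not cs.fd_skills:
            raise ValueError(f"{cs.name!r}: no FD Skill mapping")
        for code in cs.fd_skills:
            targets[code] = max(targets.get(code, 0), cs.target_level)
    return targets

def overlay(targets, demonstrated):
    """Compare WR targets with a user's highest demonstrated level per skill."""
    report = {}
    for code, target in sorted(targets.items()):
        have = demonstrated.get(code, 0)      # 0 = never demonstrated
        report[code] = {"target": target, "demonstrated": have,
                        "fulfilled": have >= target}
    return report

def gaps(report):
    """FD Skill codes that are unfulfilled and may need remediation."""
    return [code for code, row in report.items() if not row["fulfilled"]]

# WRs from the article's examples.
VULN_ANALYST = [
    CustomerSkill("Perform vulnerability assessments", ("VA",), 2),
    CustomerSkill("Manage vulnerability assessments", ("VA",), 4),
]
INTEL_ANALYST = [
    CustomerSkill("Collect and monitor cyber intelligence",
                  ("OC", "TG", "DM"), 1),
]

if __name__ == "__main__":
    print(resolve_targets(VULN_ANALYST))      # two Customer Skills, one FD Skill
    user = {"OC": 3, "TG": 1}                 # constructed: DM never demonstrated
    print(gaps(overlay(resolve_targets(INTEL_ANALYST), user)))
```
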
❗️Important: Please note that although overlaying WRs onto Cyber Skills Cortexes is a helpful way to discern whether members within cyber teams have Skill-Proficiency gaps in certain required skills, insights provided by the Cyber Skills Cortex are dependent on users completing enough events on the FifthDomain platform, and solving enough challenges to reflect their real-life cyber skills.
Additionally, please also consider the frequency, recency, and/or 'depth' of Skill-Proficiency demonstrations in assessing a user's real-life skills. Users who have demonstrated required skills at their target proficiencies may, in some cases, still have a skills gap if they have only demonstrated the relevant Skill-Proficiency infrequently, and/or not very recently.
Who can set up Work Roles on the platform?
WRs can only be set up for an organisation on the platform by the FifthDomain team. If you would like to set up WRs in your organisation on the platform, please contact the FifthDomain Support team to discuss the WRs you would like to add.
What needs to be provided for Work Role setup?
📌 Summary of What to Provide for WR Setup
In order for WRs to be set up in your organisation on the platform, you will need to provide the following:
A list of WRs (i.e. with exact names) that need to be added;
For instance, 'Intelligence Analyst', 'Senior Vulnerability Analyst', etc.
For each WR, a list of required Customer Skills;
For each Customer Skill, an indication of the target proficiency or level of ability required to be performed by users assigned to the WR.
💡 Remember: The FifthDomain platform and the FifthDomain Cynaptic Adaptor are based on measuring, baselining, and improving operational and technical cyber skills. As such, you will not be able to add WRs and Customer Skills that are not of this nature, such as strategic, governance, or managerial-based cyber roles.
After you have provided this information, and WR setup consultation sessions have occurred as required, the FifthDomain team will add your organisation's Customer Skills to your organisation's account on the platform, and map each Customer Skill to the appropriate equivalent FD Skill(s). Next, the FifthDomain team will add your organisation's WRs, and will then add the required Customer Skills to each WR. Each Customer Skill will be assigned a suitable target proficiency level.
Once WRs have been set up and added to your organisation, affiliated users in your organisation will be able to be assigned these WRs. Users within the organisation who can access Affiliated User Profiles will then be able to overlay affiliated users' assigned WRs to their Cyber Skills Cortex, allowing them to identify exactly which required skills are currently fulfilled and unfulfilled.
If you require any changes to your WRs, Customer Skills, or mapped FD Skills and proficiencies, you will need to contact the FifthDomain team to have the required changes made on platform.
💡 Remember: Although your organisation will be able to view your WRs as Cyber Skills Cortex overlays, they will be expressed as FifthDomain Skill-Proficiencies. Your organisation's Customer Skills will not be visible on platform - Customer Skills are always expressed on platform via their mapped equivalent FD Skills (and proficiencies). Customer Skills are provided to FifthDomain only to ensure effective mapping to the FifthDomain Cynaptic Adaptor.