Cyber security, decryption and digital investigation are on the menu when young talents compete for a place on the podium. The picture is from the finals in the European Cyber Security Challenge in Austria last year. Photo: David Bohmann

Practice makes the hacker

The need for cyber security expertise is steadily increasing. This summer’s cyber attacks against 12 Norwegian ministries and the Storting were a stark reminder of this. According to an NTNU researcher, hacking in organized forms is the solution.

Not all hackers are out to cause mischief. Many of tomorrow’s cyber security stars are probably among today’s budding hackers.

And it is just as well. According to the Cybersecurity Workforce Study annual report, there was a global shortage of 3.4 million IT security employees in 2022, representing a 26 per cent increase from the previous year.

Cyber security’s answer to the Champions League

“There is a clear trend: The need for employees with cyber security expertise is increasing year by year. This means that we need to rethink the recruitment process,” said Muhammad Mudassar Yamin. Yamin is an associate professor in the Department of Information Security and Communication Technology at NTNU in Gjøvik. Yamin has conducted research on and participated as a trainer in Europe’s largest cyber security competition – the European Cyber Security Challenge (ECSC).

This is European Cyber Security Challenge (ECSC)

ECSC is an annual cybersecurity competition organized in collaboration between The European Union Agency for Cybersecurity, ENISA, and 35–40 European countries. (ENISA is the European Union Agency for Network and Information Security, the EU's center of expertise for data and information security.)

Each year, participating countries send their best teams to compete in a series of tasks related to cybersecurity. The teams consist of ten participants aged 14–25, with only five allowed to be over 21 years old. In 2022, a total of 37,000 young talents took part.

This year's competition is the eighth edition of the event and will take place at Vikingskipet in Hamar from October 24 to 27.

The event is part of the government's national strategy for digital security, and NTNU has been tasked by the Ministry of Justice and Public Security to organize it.

Cybersecurity hacker competition

These battles are fought in silence. Skilled young talents during last year’s European Cyber Security Challenge final. Photo: David Bohmann.

“ECSC is a bit like cyber security’s answer to the Champions League,” he said.

Each year, between 35 and 40 countries participate in the European tournament with a selection of young talents who have qualified through national competitions. They get the opportunity to compete against each other in tasks ranging from decryption and online security to digital forensics.

This year, the competition will take place in Hamar’s Vikingskipet.

Cultivating stars is not enough

There is no denying that there is a lot of prestige involved when you get the opportunity to test your strengths against some of Europe’s top cyber security talents. However, the hope is that the participants will be left with more than just honour and glory at the end of the competition.

The need for cyber security experts is increasing year by year. This means that we need to rethink the recruitment process.

“In the same way that Champions League footballers started off in local football clubs, competitions like this will spark the enthusiasm of many future students and staff in the cyber security field,” Yamin said.

He and his colleagues have studied how different countries recruit and train their participants for the competition. The researchers have also investigated what the participating countries hope to get out of the competition and how they work towards their goals.

Muhammad Mudassar Yamin supports hacker competitions

“The demand for employees with digital security expertise is increasing year by year,” says Associate Professor Muhammad Mudassar Yamin at NTNU in Gjøvik. Photo: Kenneth Nordahl Pedersen.

“There is broad agreement among the participating countries that identifying young cyber security talents and creating interest in and awareness of the topic are among the most important objectives of the competition,” he said

And it is about more than just cultivating stars:

“The research suggests that participants who do not make it all the way to the final may be just as interested – and in some cases more interested – in a career in cyber security as the finalists,” Yamin said.

He believes this should affect the way the competitions are organised.

Contestants who do not make it all the way to the final may be just as – and perhaps more – interested in a career in cyber security as the finalists.

“If the goal is to generate interest in and recruit to the cyber security industry, a huge opportunity would be missed if we only cultivate the stars. We need to focus more on the early phases of the competition and make sure we get as many people involved as possible,” he said

“Basically, we need to train as many people as possible, for as long as possible. Our research also indicates that this will probably be of great importance regarding participant diversity,” Yamin said.

A healthy tree has strong roots

Yamin’s research suggests that the way participants are recruited and trained for the competition can also tell us something about how well developed the cyber security environment is in the countries in question.

“The tree analogy summarizes our main findings well. A healthy tree has strong roots. It is from these that the trunk gets the necessary nutrients to grow. Only when the trunk is strong enough will the tree be able to properly spread its branches and bear fruit,” Yamin said.

“The countries that invest at root level, i.e. in primary and lower secondary schools, generally do very well in ECSC. This also tends to result in a more developed national cyber security environment. A shallow root system, on the other hand, results in a weak trunk and sparse crown.”

In other words, not the best conditions for a great crop.

A potential spectator sport?

With two scoreboards – one advanced and one simple – spectators do not need to know the rules or have in-depth knowledge about cyber security beforehand for them to become caught up in the activities that are to take place in Vikingskipet from 24 to 27 October.

“The fact that chess has been brought into the mainstream shows that it is possible to make activities with relatively complicated rules and a high degree of technical difficulty engaging to an audience, even though there might not be that much physical action going on,” Yamin said.

Ethical hacking might not become the new national sport, but chances are good that this kind of competition will bring a steady stream of new students and workers to the cyber security field.


De Zan, T. & Yamin, M.M. (2021). Towards a Common ECSC Roadmap: Success factors for the implementation of national cyber security competitions. April 2021. Research Gate

Yamin, M.M., Katt, B., Torseth, E. (2021). Selecting and Training Young Cyber Talent: A European Cybersecurity Challenge Case Study. In: Schmorrow, D.D., Fidopiastis, C.M. (eds.) Augmented Cognition. HCII 2021. Lecture Notes in Computer Science(), vol 12776. Springer, Cham.

Yamin, M.M., Erdodi, L., Torseth, E., Katt, B. (2022). Selecting and Training Young Cyber Talent: A Recurrent European Cyber Security Challenge Case Study. In: Schmorrow, D.D., Fidopiastis, C.M.