Lessons Learned from Implementing the CMM
Prof Michael Goldsmith – Co-Director and Senior Research Fellow
Dr Patricia Esteve-González – Research Fellow
2020 Global Cybersecurity Capacity Building Conference
Melbourne, 18 February 2020
At the Heart of Oxford
• A research programme at the Oxford Martin School
• Part of the Cyber Security research network at the University of Oxford
• Partnership and collaboration with the Department of Computer Science, Department of Sociology, Oxford Internet Institute, Said Business School and others
Funding Partners
The 5 DIMENSIONS of Cybersecurity Capacity
• D 1: Cybersecurity Policy and Strategy
• D 2: Cyber Culture and Society
• D 3: Cybersecurity Education, Training and Skills
• D 4: Legal and Regulatory Frameworks
• D 5: Standards, Organisations, and Technologies
Example: Dimension, Factors, and Aspects
[Figure: Aspect 2, Indicators A to Q, and the 5 STAGES of Maturity: Start-up, Formative, Established, Strategic, Dynamic]
Stakeholder Clusters
• Academia, Civil Society groups & Internet Governance
• Criminal Justice & Law Enforcement
• Defence & Intelligence Community
• Government Ministries
• Legislators/Policy Owners
• CSIRT and IT leaders (Government & Private)
• Critical National Infrastructure
• Private Sector & Businesses
• Cyber Task Force
• International Partners
Over 80 National Cybersecurity Capacity Reviews
Status: January 2020
• Brazil, Colombia, Ecuador, Jamaica, + 2 Regional Studies by the OAS
• Botswana, Burkina Faso, Cabo Verde, Cameroon, Cote d’Ivoire, The Gambia, Ghana, Lesotho, Liberia, Madagascar, Mauritius, Namibia, Niger, Nigeria, Senegal, Sierra Leone, Tunisia, Uganda, Zambia
• Bangladesh, Bhutan, Kyrgyzstan, Indonesia, Myanmar, Thailand, Sri Lanka
• Fiji, Kiribati, Micronesia, Samoa, Papua New Guinea, Tonga, Vanuatu
• Albania, Armenia, Bosnia & Herzegovina, Cyprus, Georgia, Iceland, Kosovo, Lithuania, Macedonia, Montenegro, Serbia, Switzerland, UK
Constellation of Regional Cybersecurity Capacity Research Centres
• Melbourne, Australia
• Cape Town, South Africa
• Cybersecurity Capacity Centre for Southern Africa: Consortium of University of Cape Town, Research ICT Africa, the Norwegian Institute of International Affairs (NUPI) and the GCSCC
Lessons Learnt
• Policy and Strategy: Misperception of the role of the CSIRT.
• Culture and Society: Lack of awareness and of understanding of the relationship between trust/confidence and security.
• Education and Training: Disconnect between educational offerings and industry needs.
• Bada et al. (2018): study of 6 countries with lack of national programme for raising awareness, and low ICT literacy levels. The authors link low awareness to increasing cybercrime indicators.
• Legal Frameworks: Question whether new cybercrime/cybersecurity legislation is needed or adapting existing law is sufficient.
• Standards: Standards adoption (particularly ISO standards) mostly ad-hoc.
• Overall: Lack of cooperation and information-sharing; resources; data collection challenges.
The Impact of a CMM Assessment
• Countries found the reviews informative and helpful in identifying previously under-considered capacity gaps.
• Diverse stakeholder groups enable a comprehensive picture in report development.
• The review itself served as a capacity-building exercise and allowed discussions among different stakeholders.
• Various lessons learned across all five dimensions of cybersecurity capacity.
Revision of the CMM to Keep its Robustness
• There are cybersecurity challenges not reflected in the current CMM.
• Workshop to discuss suggested changes and gather your feedback (this Thursday at Fitzroy Ballroom, Sofitel Melbourne on Collins).
• The revised CMM will consider backwards comparability.
• Research outputs.
Research on Cybersecurity Capacity
1. What is the status of cybersecurity capacity building?
2. What factors are shaping capacity building within nations?
3. What are the implications of capacity building for nations?
The Shaping and Impacts of Cyber Security Capacity
Prof S. Creese‡, Dr P. Esteve-González*, Dr R. Shillair†, and Prof W.H. Dutton*
‡ Founding Director, GCSCC, University of Oxford
* Oxford Martin Fellows, GCSCC, University of Oxford
† Assistant Professor, Quello Centre, Michigan State University & GCSCC Research Associate
Research Model in Dutton et al. (2020)*
[Figure: research model diagram. Labels: Size (scale), Diffusion (centrality), Wealth, Indicators of Cyber Security Capacity, End User Cyber Security Problems, Scale]
*Dutton, W.H., Creese, S., Shillair, R., and Bada, M. (2020). Cybersecurity Capacity: Does It Matter? Journal of Information Policy, 9, 280-306.
Lessons Learned from Implementing the Cybersecurity Capacity Maturity Model for Nations (CMM)
Data
This study considers granular data at the aspect level for 62 countries where the CMM was implemented (2015-2019).
• 31 countries from CMM assessments – collection of data by field research (GCSCC and strategic & implementation partners).
• 31 countries in IDB and OAS (2016)* – collection of data by an online survey.
*Inter-American Development Bank and Organization of American States (2016). Cybersecurity. Are we ready in Latin America and the Caribbean? Cybersecurity Report 2016. Available at https://publications.iadb.org/en/cybersecurity-are-we-ready-latin-america-and-caribbean (last accessed 25 June 2019).
Countries in the Sample
62 countries where the CMM was applied (2015-2019)

Region            Obs.
Africa            10
America           31
Asia              6
Eastern Europe    5
Europe            4
South Caucasus    2
Oceania           4
Total             62

Income (WB)             Obs.
Low and lower-medium    22
  Low                   6
  Lower-medium          16
Upper-medium            30
High                    10
Total                   62
The Cyber Security Capacity Variable (CSC)
Our strategy is to summarize the CMM data on the maturity stage of 47 aspects through an overall average maturity stage that we name Cybersecurity Capacity (CSC).
• Factors’ average maturity stages were calculated from their corresponding aspects.
• Dimensions’ average maturity stages were calculated from their corresponding factors.
• CSC was calculated as the average maturity stage of all dimensions.
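
The three averaging steps above, as an added example (not the authors' code): it computes CSC for one constructed country and shows that the hierarchical average differs from a single average over all aspects, because aspects in small factors carry more weight. The 1-5 numeric coding of the stages, the factor labels and the handling of missing aspects are assumptions.

```python
from statistics import mean

# Stage names come from the slides; the 1-5 numeric coding is an assumption.
STAGE = {"Start-up": 1, "Formative": 2, "Established": 3,
         "Strategic": 4, "Dynamic": 5}

# Constructed sample for one hypothetical country.
# Dimension labels D1-D5 follow the slides; factor labels (F1.1, ...) are
# placeholders, and None marks an aspect with no recorded stage.
SAMPLE = {
    "D1": {"F1.1": ["Formative", "Formative", "Start-up", "Start-up"],
           "F1.2": ["Established"]},
    "D2": {"F2.1": ["Start-up", "Formative"], "F2.2": ["Formative"]},
    "D3": {"F3.1": ["Formative", "Formative"]},
    "D4": {"F4.1": ["Established", "Formative"],
           "F4.2": ["Formative", None]},
    "D5": {"F5.1": ["Start-up", "Start-up"], "F5.2": ["Formative"]},
}


def observed(aspects):
    """Numeric stages of the aspects that have a recorded stage."""
    values = [STAGE[a] for a in aspects if a is not None]
    if not values:
        raise ValueError("factor has no observed aspects")
    return values


def dimension_scores(country):
    """Average aspects into factors, then factors into dimensions."""
    return {
        dim: mean([mean(observed(a)) for a in factors.values()])
        for dim, factors in country.items()
    }


def csc(country):
    """CSC: the average maturity stage of all dimensions."""
    return mean(list(dimension_scores(country).values()))


def flat_mean(country):
    """Naive alternative: one average over every observed aspect."""
    return mean([v for factors in country.values()
                 for aspects in factors.values() for v in observed(aspects)])


def aspect_weights(country):
    """Effective weight each observed aspect carries in the CSC."""
    weights = {}
    for dim, factors in country.items():
        for name, aspects in factors.items():
            n = len(observed(aspects))
            share = 1 / (len(country) * len(factors) * n)
            for i, a in enumerate(aspects):
                if a is not None:
                    weights[(dim, name, i)] = share
    return weights


if __name__ == "__main__":
    print("dimension scores:", dimension_scores(SAMPLE))
    print("CSC (hierarchical):", round(csc(SAMPLE), 4))
    print("flat aspect mean:", round(flat_mean(SAMPLE), 4))
```

In this sample the single aspect of F1.2 weighs four times as much in the CSC as each of the four aspects of F1.1, which is why the two averages diverge.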
Cyber Security Capacity (CSC) related to other Cybersecurity Indicators

Alternative indicators                         Correlation with CSC (N)
Global Cybersecurity Index (ITU)               0.61 (61)
Networked Readiness Index (WEF)                0.76 (50)
Secure Servers (Netcraft)                      0.79 (61)
Software Spending (Global Innovation Index)    0.53 (39)

Pearson’s correlation coefficients, number of observations in parentheses. All correlations have statistical significance <.001.
What is the status of cybersecurity capacity building?
Average Maturity Stage per Factor (N=62)
Methodology
We consider 2 statistical methods to test the model:
1. OLS regressions with heteroskedasticity-robust errors.
2. Structural equation modelling and path analysis. Using SmartPLS: Ringle, C. M., Wende, S., and Becker, J.-M. 2015. "SmartPLS 3." Boenningstedt: SmartPLS GmbH, http://www.smartpls.com
The results under both methodologies are consistent.
What factors are shaping capacity building within nations?
OLS to explain Cyber Security Capacity (CSC)

                         CSC
Number of Users (log)    0.12*** (0.03)
Percentage of Users      0.01** (0.00)
GDP per capita (log)     0.14* (0.05)
Constant                 -1.55** (0.51)
N                        62
R-Squared                0.67

Robust standard errors in parentheses. Symbols +, *, **, *** indicate, correspondingly, levels of significance at 0.1, 0.05, 0.01, 0.001.
What are the implications of capacity building for nations?
Impact of CSC on End User Cyber Security Problems (Piracy and Encounter Rates)
Figure 1: Cyber Security Capacity and Impact on Threats
Impact of CSC on Use (Individual, Government, and Business Usage)
Impact of CSC on Voice (Voice and Accountability)
Significance levels in these figures: *p<.05; **p<.01; ***p<.001
OLS to Explain the Impact of CSC

                        Piracy     Encount.   NRI: Ind.  NRI: Bus.  NRI: Gov.  Voice &
                                   Rates      usage      usage      usage      account.
CSC                     -17.77*    -5.23      0.51*      0.52+      0.85**     0.58*
                        (7.23)     (5.17)     (0.22)     (0.26)     (0.29)     (0.23)
Number of Users (log)   -0.58      2.24*      -0.02      -0.04      0.00       -0.17**
                        (1.07)     (0.87)     (0.05)     (0.04)     (0.06)     (0.04)
Percent. of Users       -0.07      -0.25+     0.03***    -0.01      0.01       -0.01+
                        (0.14)     (0.14)     (0.01)     (0.00)     (0.01)     (0.00)
GDP per capita (log)    -3.52      3.52       0.15       0.23*      -0.10      0.34**
                        (4.23)     (3.58)     (0.14)     (0.11)     (0.15)     (0.11)
Constant                146.78***  -18.83     -0.06      1.61+      2.62*      -0.79
                        (36.23)    (28.95)    (1.04)     (0.89)     (1.19)     (0.97)
N                       34         35         50         50         50         62
R-Squared               0.71       0.43       0.87       0.44       0.43       0.64

Robust standard errors in parentheses. Symbols +, *, **, *** indicate, correspondingly, levels of significance at 0.1, 0.05, 0.01, 0.001.
Capacity Matters: the Impact of CSC
• Mitigates end user problems.
• Fosters ICT adoption and usage.
• Enhances citizens’ perception of freedom.
Conclusions
Cybersecurity Divide and Global Gap
• Nations in the sample are in the early phases of capacity building.
• Capacity shaped by the scale and diffusion of the Internet along with the wealth of nations.
• National choices on building capacity have implications for end-user problems, citizens’ perception of freedom, as well as the vitality of ICT adoption and usage.
• Cybersecurity capacity needs to be prioritized in the political agenda to address the cybersecurity global gap.
THANK YOU!
[EMAIL ADDRESS]
@CapacityCentre
Thank you for your attention
https://www.linkedin.com/company/global-cyber-security-capacity-centre/
www.oxfordmartin.ox.ac.uk/cybersecurity
Department of Computer Science
University of Oxford
15 Parks Road, Oxford, OX1 3QD, UK
Phone: +44(0)1865 287903
cybercapacity@cs.ox.ac.uk