Assessing national cybersecurity capacity

The Cybersecurity Capacity Maturity Model for Nations (CMM) is a methodical framework designed to review the maturity of a country’s cybersecurity capacity. It was developed by the Global Cyber Security Capacity Centre through a global collaborative exercise in 2014 and updated in 2016. This one-of-a-kind effort involved over two hundred experts from academia, international and regional organisations and the private sector. To date, the CMM has been deployed over 110 times in over 80 nations worldwide, and its reach has significantly shaped the global cybersecurity capacity building landscape.

CMM Structure

The CMM is premised on five Dimensions, which cover the broad expanse of areas that ought to be considered when seeking to enhance cybersecurity capacity: Cybersecurity Policy and Strategy; Cyber Culture and Society; Cybersecurity Education, Training and Skills; Legal and Regulatory Frameworks; and Standards, Organisations and Technologies.

Each Dimension comprises a set of Factors, which describe and define what it means to possess cybersecurity capacity. Most Factors are broken down into several Aspects. Aspects are an organisational method of clustering: each Aspect is composed of a series of Indicators, which are graded across the five stages of maturity.

Dimension 1: Cybersecurity Policy and Strategy

Dimension 1 gauges the country’s capacity to develop and deliver cybersecurity policy and strategy and to enhance cybersecurity resilience through improvements in incident response, crisis management, redundancy, and critical infrastructure protection capacity. The Dimension Cybersecurity Policy and Strategy also includes considerations for early warning, deterrence, defence and recovery. It considers effective policy in advancing national cyber-defence and resilience capacity, while facilitating the effective access to cyberspace increasingly vital for government, international business and society in general.

In an era of globalisation, technological innovation and rapid expansion of cyberspace, effective national and international cyber security is of critical importance.

This Dimension examines how countries resist and recover from cyber intrusions in order to help inform a more effective and comprehensive national and international cyber security policy.

Delivering cyber security must include capability in early warning, deterrence, resistance and recovery. The scope of research in this Dimension is to consider the effectiveness of security policy in delivering national defence and resilience capability, while maintaining the benefits of a cyberspace vital for government, international business and society in general.

We would expect a mature cyber security policy to provide the necessary security capacity at all levels of society – government, national infrastructure, businesses, the third sector and individuals. Security capacity must be unobtrusive, yet effective, and must also have the flexibility to deal with new challenges as they arise in order to cope with the ever-changing nature of cyberspace. Consideration must be given to how cybersecurity fits with more traditional security policy, and the working relationships between the various public bodies involved in keeping cyberspace secure. Government needs a way of coordinating effectively with the custodians of cyberspace in industry. It is also important to consider how to recover from a major cyber intrusion in the event that one succeeds.

At the international level, our work looks at the strategies that peer nation-states and developing countries use to enhance their cybersecurity capacity, to identify targets for increased collaboration, as well as challenges to effective cooperation. We need to consider international development activities: how these might contribute to national policy in the form of securing states from cyber threats, and how to proceed diplomatically if an intrusion comes from within another jurisdiction. We will also consider whether states using cyberspace to police criminality could or should cooperate internationally to achieve an acceptable level of oversight, while still respecting users’ privacy and retaining the benefits of cyber communication. Finally, it is important to examine how governments and communities can effectively inform their adversaries, allies and the public about the shift to a more defensive posture.

Throughout this work, we also consider how cybersecurity capacity can be built under constraints. Assuming resources are limited, what should be the relative importance of warning, deterrence, defence and recovery? Measures to deter attacks may seem ideal in that they offer to preserve the benefits of cyberspace without distorting the policy environment and society itself. But sustaining a credible deterrent posture in cyberspace presents a number of difficulties, and consideration must therefore also be given to defence and recovery. A key aim of this research area is to establish which of these objectives are likely to prove most cost-efficient and effective in terms of policy.

The research into this Dimension is currently overseen by Dr Jamie Saunders, who after spending most of his career working within the UK Government (including as Director International of Cyber Policy at the UK Foreign & Commonwealth Office) is now a strategic security consultant and visiting professor at University College London (UCL).


Factors

Cybersecurity strategy is essential to mainstreaming a cybersecurity agenda across government because it helps prioritise cybersecurity as an important policy area, determines responsibilities and mandates of key cybersecurity government and non-governmental actors, and directs allocation of resources to the emerging and existing cybersecurity issues and priorities.

  • Development: This aspect addresses the development of a national strategy, allocation of implementation authorities across sectors and civil society and an understanding of national cybersecurity risks and threats which drives capacity building at a national level.
  • Organisation: This aspect addresses the existence of an overarching programme for cybersecurity coordination, including a departmental owner or coordinating body with a consolidated budget.
  • Content: This aspect addresses the content of the national cybersecurity strategy and whether it is linked explicitly to national risks, priorities and objectives such as public awareness raising, mitigation of cybercrime, incident response capability and critical national infrastructure protection.

This factor addresses the capacity of the government to identify and determine characteristics of national level incidents in a systematic way. It also reviews the government’s capacity to organise, coordinate, and operationalise incident response.

  • Identification of Incidents: This aspect identifies whether there is a central registry of national level cyber incidents.
  • Organisation: This aspect addresses the existence of a mandated central body designated to collect incident information, and its relationship with the public and private sector for national level incident response.
  • Coordination: This aspect explores the existence of coordinated national incident response with clear roles and responsibilities as well as lines of communication for crisis situations.
  • Mode of Operation: This aspect addresses the operational and technical capacity of the incident response organisation, such as services, processes, resources and tools.

This factor studies the government’s capacity to identify CI assets and the risks associated with them, engage in response planning and critical assets protection, facilitate quality interaction with CI asset owners, and enable comprehensive general risk management practice including response planning.

  • Identification: This aspect addresses the existence of a general list of CI assets, identified risk-based priorities, and an audit of CI assets on a regular basis.
  • Organisation: This aspect addresses the existence of a formal collaboration mechanism between government ministries and owners of critical assets.
  • Risk Management and Response: This aspect explores whether cybersecurity is embedded into general risk management practices, and whether security measures are developed to ensure business continuity of CI in the context of the prevailing risk environment. Additionally, this aspect refers to information protection procedures and processes for response planning to an attack on critical assets, supported by adequate technical security solutions.

This factor addresses crisis management planning, which involves conducting specialised needs assessments, training exercises, and simulations that produce scalable results for policy development and strategic decision-making. Through qualitative and quantitative techniques, cybersecurity evaluation processes aim to produce structured and measurable results that yield recommendations for policymakers and other stakeholders, inform national strategy implementation, and inform budgetary allocations.

  • Crisis Management: (as above)

This factor explores whether the government has the capacity to design and implement a cyber Defence strategy and lead its implementation including through a designated cyber Defence organisation. It also reviews the level of coordination between various public and private sector actors in response to malicious attacks on strategic information systems and critical national infrastructure.

  • Strategy: This aspect addresses the existence of a national cyber Defence strategy.
  • Organisation: This aspect addresses the existence of a designated organisation within the government responsible for defence in conflicts conducted through cyber means.
  • Coordination: This aspect addresses coordination in response to malicious attacks on strategic information systems and critical national infrastructure.

This factor reviews a government’s capacity to identify and map digital redundancy and redundant communications among stakeholders. Digital redundancy foresees a cybersecurity system in which duplication and failure of any component is safeguarded by proper backup. Most of these backups will take the form of isolated (from mainline systems) but readily available digital networks, but some may be non-digital (e.g. backing up a digital communications network with a radio communications network).

  • Communications Redundancy: (as above)

Dimension 2: Cyber Culture and Society

This Dimension reviews important elements of a responsible cybersecurity culture and society, such as the understanding of cyber-related risks by all actors, developing a learned level of trust in Internet services, including e-government and e-commerce services, and users’ understanding of how to protect personal information online. Dimension 2 also entails the existence of mechanisms for accountability, such as channels for users to report threats to cybersecurity. In addition, this Dimension reviews the role of media and social media in helping to shape cybersecurity values, attitudes and behaviour.

Business and industry, governments and civil society are increasingly encouraging consumers and citizens to conduct transactions and participate in civic, social and public affairs online. Networked individuals are also organising activities from the grass roots using social media.

For these institutional and citizen-originated initiatives to be successful, networked individuals need to be confident that they are adequately protected in cyberspace. They must be aware of risks, know how to use the Internet safely and securely, and have the time and inclination to take the necessary steps to do so.

The GCSCC is conducting research to find out more about individual users’ attitudes and beliefs with respect to security and privacy, and what they understand as their cyber responsibilities. This will help determine whether users in general need more support with cybersecurity, and identify demographic groups who may require particular assistance in accessing services or reassurance that cyberspace is safe to use.

We suspect that individual users are often insufficiently aware of the risks and of best security practices when conducting transactions online.

Many citizens see the Internet as a utility and hope to be able to use it safely without having to spend much time and effort on updates. Most other utilities do not require such user input, as safe practices are built into the infrastructure and taught from an early age. As cyber service providers are far from a point at which computing will be provided in such a utility state, users can be left vulnerable to cyber-attacks unless adequate measures are taken to protect them, by themselves or others.

It is likely that the answer lies only partly in making people more aware of security threats. Over-stating risks could be counterproductive as it could create a culture of fear around cyber space. This could turn certain groups of people away from the Internet, particularly those who have little experience online, cutting them off from benefits such as better access to education and services. Understanding what consumers and citizens think of cyberspace is the first step in helping them make best use of it.

Our research compares knowledge and attitudes to responsibility, risks, security and privacy and best practice across different countries and over time. Understanding users is critical to developing cybersecurity technologies and policies, making it critical for this area of research to connect with other Dimensions.

This Dimension is chaired by Professor William Dutton, Founding Director of the Oxford Internet Institute (OII) and Emeritus Professor at the University of Southern California (USC).

Factors

This factor evaluates the degree to which cybersecurity is prioritised and embedded in the values, attitudes, and practices of government, the private sector, and users across society-at-large. A cybersecurity mind-set consists of values, attitudes and practices, including habits, of individual users, experts, and other actors in the cybersecurity ecosystem that increase the resilience of users to threats to their security online.

  • Government: This aspect examines whether all agencies across all levels of government have embedded a proactive cybersecurity mind-set.
  • Private sector: This aspect examines whether all agencies have embedded a proactive cybersecurity mind-set across business and industry.
  • Users: This aspect examines whether a cybersecurity mind-set is adopted throughout society.

This factor reviews the level of users’ trust and confidence in the use of online services in general, and e-government and e-commerce services in particular.


  • User Trust and Confidence on the Internet: This aspect examines whether users trust online services, and whether there is a coordinated programme by operators of Internet infrastructure to promote trust.
  • User Trust in E-government Services: This aspect examines whether government e-services are offered, whether trust exists in the secure provision of such services, and whether efforts are in place to promote such trust through the application of security measures.
  • User Trust in E-commerce Services: This aspect examines whether e-commerce services are offered and established in a secure environment, trusted by users.

This factor looks at whether Internet users and stakeholders within the public and private sectors recognise and understand the importance of protecting personal information online, and whether they are sensitised to their privacy rights.

  • User Understanding of Personal Information Protection Online: (as above)

This factor explores the existence of reporting mechanisms functioning as channels for users to report Internet-related crime such as online fraud, cyber-bullying, child abuse online, identity theft, privacy and security breaches, and other incidents.

  • Reporting Mechanisms: (as above)

This factor explores whether cybersecurity is a common subject across mainstream media, and an issue for broad discussion on social media. Moreover, this factor considers the role of media in conveying information about cybersecurity to the public, thus shaping their cybersecurity values, attitudes and online behaviour.

  • Media and Social Media: (as above)

Dimension 3: Cybersecurity Education, Training and Skills

This Dimension reviews the availability of cybersecurity awareness-raising programmes for both the general public and for executives. It evaluates the availability, quality, and uptake of educational and training offerings for various groups of government stakeholders, private sector, and the population as a whole.

Business use of cyberspace has grown rapidly in recent years, and leadership and workforce skills in security risks have struggled to keep up, potentially leaving organisations exposed to threats. This Dimension is examining the current state of cybersecurity training and education and identifying what needs to be done to better protect organisations now and in the future.

We consider education and training in cybersecurity for pupils, undergraduates, postgraduates, apprentices, vocational students, general staff, IT specialists, executives and policy makers. We examine what currently works, what has been tried and failed, and the reasons for this.

Executive training is a key area for our research, as business schools’ curricula have traditionally included very little about managing information risks, let alone cybersecurity ones. Dealing with cybersecurity has conventionally been a technical issue but there is now an increasing awareness that these risks need to be understood and addressed at executive level.

It is vitally important for business people to understand technical issues, and for security experts to be more aware of corporate needs. Education and training can help spread the message that cybersecurity cannot solely be the remit of the IT department, but has to be everybody’s responsibility.

Businesses also need to consider both external and internal risks, such as criminals blackmailing an employee to pass on passwords. Managers need to be made aware of the importance of applying best practice.

There is almost certainly a role for IT specialists within organisations to communicate to junior or senior managers the need for better security. While many will be highly qualified, people enter into the IT industry by diverse routes, and some may also require additional training in certain aspects of cybersecurity. Education in cybersecurity in schools should both equip pupils to use the internet safely while young and prepare them for their working life. We will be examining how best to add the subject to the curriculum. We need to find out what pupils already know and how the curriculum can help their awareness of cybersecurity to inform their behaviour as citizens and in the workforce. This is not a straightforward question, because by the time current school pupils enter into employment, the nature of work and the workforce is likely to have changed considerably.

For each level of education and training, our research documents cases of success and failure, and develops general principles and guidelines to allow organisations to better protect themselves against future cyber-attacks.

This Dimension is currently chaired by Professor S.H. (Basie) von Solms, Director, Centre for Cyber Security, University of Johannesburg.


Factors

This factor focuses on the prevalence and design of programmes to raise awareness of cybersecurity risks and threats as well as how to address them.

  • Awareness Raising Programmes: This aspect examines the existence of a national coordinated programme for cybersecurity awareness raising, covering a wide range of demographics and issues, developed based on consultations with stakeholders from various sectors.
  • Executive Awareness Raising: This aspect examines efforts raising executives’ awareness of cybersecurity issues in the public, private, academic and civil society sectors, as well as how cybersecurity risks might be addressed.


This factor addresses the importance of high-quality cybersecurity education offerings and the existence of qualified educators. Moreover, this factor examines the need for enhancing cybersecurity education at the national and institutional level, and the collaboration between government and industry to ensure that educational investments meet the needs of the cybersecurity environment across all sectors.

  • Provision: This aspect explores whether there are cybersecurity educational offerings and educator qualification programmes available based on an understanding of current risks and skills requirements.
  • Administration: This aspect explores the coordination and resources for developing and enhancing cybersecurity education frameworks, with allocated budget and spending based on the national demand.

This factor addresses the availability and provision of cybersecurity training programmes building a cadre of cybersecurity professionals. Moreover, this factor reviews the uptake of cybersecurity training and horizontal and vertical cybersecurity knowledge transfer within organisations and how it translates into continuous skills development.

  • Provision: This aspect examines the development, availability and provision of cybersecurity training programmes for enhancing skills and capabilities.
  • Uptake: This aspect examines the existence of certified employees trained in cybersecurity issues, processes, planning and analytics through the uptake of cybersecurity training programmes and knowledge transfer within organisations.

Dimension 4: Legal and Regulatory Frameworks

This Dimension examines the government’s capacity to design and enact national legislation directly and indirectly relating to cybersecurity, with a particular emphasis placed on the topics of ICT security, privacy and data protection issues, and other cybercrime-related issues. The capacity to enforce such laws is examined through law enforcement, prosecution, and court capacities. Moreover, Dimension 4 observes issues such as formal and informal cooperation frameworks to combat cybercrime.

Organisations, individuals, and governments need to be confident that their data, computer systems and processes are effectively protected in order to reap the full benefits of cyberspace.

To achieve this, government intervention is sometimes required, for example to oblige private critical infrastructure providers to develop security risk-management plans. We investigate how governments can encourage the development of a secure Internet and online environment using law and regulation.

This Dimension creates a set of resources highlighting best practice in all areas of cybersecurity legislation. Governments across the world are therefore able to use this to improve their legislative framework, identifying areas where they can do more to protect cyberspace and seeing what steps are required to do so.

To create these resources, we examine at a national, regional and international level all the areas of online security that require government action, such as critical national infrastructure, criminal activity, data protection, computer emergency response teams, and education. Criminal activity is one area that receives much attention, but we make sure that we also cover legislation that provides incentives for better protection of data and systems: building more resilient systems, deterring an attack, responding after an incident, and guarding against non-malicious actions, such as losing a laptop.

A key issue is how governments ensure that private critical infrastructure providers meet essential security standards. This is vital because so much of the economy relies on this infrastructure, and breaches can have far-reaching effects. Some countries have asked critical infrastructure providers to voluntarily participate in security standards but there has been limited uptake to date. For the most essential security measures, some governments are considering stronger interventions, and our research examines the best ways to go about this. In the area of cybercrime, as well as considering well documented threats, we look at the use of digital equipment in traditional crimes, for example in theft, and consider how the police can make use of new digital technologies without compromising privacy.

As the effectiveness of laws partially depends on how they are enforced, we also look at the impact of regulatory bodies covering communication and the utilities, and the effectiveness of reporting practices and penalties for data leaks in various countries and regions.

Our research covers laws and regulations at the global, regional and national level. We also examine whether national, regional or international approaches are most appropriate for a particular aspect. To this end, we aim to create documents highlighting best practices that will enable policymakers across the world to access the knowledge needed to make decisions on developing effective laws and regulations in their own jurisdictions.

This Dimension is chaired by Professor Federico Varese, Professor of Criminology at the University of Oxford and Senior Research Fellow at Nuffield College, Oxford.


Factors

This factor addresses various legislation and regulation frameworks related to cybersecurity, including: ICT security legislative frameworks; privacy, freedom of speech, and other human rights online; data protection; child protection; consumer protection; intellectual property; and substantive and procedural cybercrime legislation.

  • Legislative Frameworks for ICT Security: This aspect addresses the existence and implementation of comprehensive ICT security legislative and regulatory frameworks.
  • Privacy, Freedom of Speech & Other Human Rights Online: This aspect examines to what extent domestic legislation ensures that human rights are protected online, including privacy, freedom of speech, freedom of information, and freedom of assembly and association.
  • Data Protection Legislation: This aspect examines the existence and implementation of comprehensive data protection legislation.
  • Child Protection Online: This aspect focuses on the legislative protection of children online, including the protection of their rights online and the criminalisation of child abuse online.
  • Consumer Protection Legislation: This aspect addresses the existence and implementation of legislation protecting consumers online from fraud and other forms of business malpractice.
  • Intellectual Property Legislation: This aspect is concerned with the existence and implementation of online intellectual property legislation.
  • Substantive Cybercrime Legislation: This aspect explores if existing legislation criminalises a variety of cybercrimes in specific legislation or general criminal law.
  • Procedural Cybercrime Legislation: This aspect examines whether comprehensive criminal procedural law with procedural powers for the investigation of cybercrime and evidentiary requirements to deter, respond to and prosecute cybercrime and crimes involving electronic evidence is implemented.

This factor studies the capacity of law enforcement to investigate cybercrime, and the prosecution’s capacity to present cybercrime and electronic evidence cases. Finally, this factor addresses the court capacity to preside over cybercrime cases and those involving electronic evidence.

  • Law Enforcement: This aspect examines whether law enforcement have received training on investigating and managing cybercrime cases and cases involving electronic evidence, and have sufficient human, procedural and technological resources.
  • Prosecution: This aspect examines whether prosecutors have received training on handling cybercrime cases and cases involving electronic evidence, and whether there are sufficient human, procedural and technological resources.
  • Courts: This aspect examines whether courts have sufficient resources and training to ensure effective and efficient prosecution of cybercrime cases and cases involving electronic evidence.

This factor addresses the existence and functioning of formal and informal mechanisms that enable cooperation between domestic actors and across borders to deter and combat cybercrime.

  • Formal Cooperation: This aspect examines the existence and effectiveness of formal cooperation mechanisms to combat cybercrime, both between state actors and across borders, including mutual legal assistance and extradition procedures.
  • Informal Cooperation: This aspect examines the existence and effectiveness of informal cooperation mechanisms to combat cybercrime, both domestically and across borders, as well as within the public sector and between the public and private sectors.

Dimension 5: Standards, Organisations, and Technologies

This Dimension addresses effective and widespread use of cybersecurity technology to protect individuals, organisations and national infrastructure. The Dimension specifically examines the implementation of cybersecurity standards and good practices, the deployment of processes and controls, and the development of technologies and products in order to reduce cybersecurity risks.

Effective and widespread use of cybersecurity technology, such as firewalls and anti-virus software, is essential to protect individuals, organisations and national infrastructure. We therefore examine and measure best practice in the use of technology and associated business processes, and look at how to ensure good uptake of products.

Views vary as to what best practice is in the use of security products. This Dimension therefore takes an independent look at best practice to determine what results in the most effective cybersecurity. As well as being used appropriately, security products need to be widely adopted. We examine the impact on uptake of the user-friendliness of design, and the optimal configurations of security features to deploy on devices at the time of purchase.

An important consideration regarding uptake is that one cost of security is inconvenience, and this must not outweigh the advantages of the information economy. It is not necessary for everyone to have top-level security – governments’ needs are very different from those of the general public. In considering how to encourage greater use of products, we consider the appropriate security posture for a particular situation.

Business processes around security are also vital, but it is not enough for organisations to simply have a tick-box culture of compliance and training. It is important to think about particular threats to their business and how to react to them. We measure whether organisations have moved to a culture where they are genuinely conscious of, and keen to reduce, the risks from cyber-attack.

As well as looking at protection from cyber-attacks, we examine the tools, structures and processes to help clear up after a security breach and minimise damage. We consider which sorts of organisational structure are most effective, and how to protect nations without such a facility, for instance by sharing in regional provision.

Throughout the different strands of Dimension 5, we seek out projects being conducted across the world to inform our research, and compare their success. We consider whether national initiatives are more or less effective than transnational ones, or whether regional activities would produce better results. We also examine whether it is better to have various international forums working on these areas, or whether it would be more effective to combine them. The results should allow countries to see what really works in this area, and where there are gaps in their knowledge and approach.

This Dimension is chaired by Professor Michael Goldsmith, Senior Research Fellow at the Department of Computer Science, University of Oxford and Director of the GCSCC.


Factors

This factor reviews government’s capacity to design, adapt and implement cybersecurity standards and good practice, especially those related to procurement procedures and software development.

  • ICT Security Standards: This aspect examines whether cybersecurity related standards and good practices are being adhered to and adopted widely across the public sector and Critical Infrastructure (CI) organisations.
  • Standards in Procurement: This aspect addresses the implementation of standards in procurement practices.
  • Standards in Software Development: This aspect addresses the implementation of standards in software development.

This factor addresses the existence of reliable Internet services and infrastructure in the country, as well as rigorous security processes across the private and public sectors. This factor also reviews the control that the government might have over its Internet infrastructure and the extent to which networks and systems are outsourced.

  • Internet Infrastructure Resilience: (as above)

This factor examines the quality of software deployment and the functional requirements in public and private sectors. In addition, this factor reviews the existence and improvement of policies on and processes for software updates and maintenance based on risk assessments and the criticality of services.

  • Software Quality: (as above)

This factor reviews evidence regarding the deployment of technical security controls by users, public and private sectors and whether the technical cybersecurity control set is based on established cybersecurity frameworks.

  • Technical Security Controls: (as above)

This factor reviews the deployment of cryptographic techniques in all sectors and users for protection of data at rest or in transit, and the extent to which these cryptographic controls meet international standards and guidelines and are kept up-to-date.

  • Cryptographic Controls: (as above)

This factor addresses the availability and development of competitive cybersecurity technologies and insurance products.

  • Cybersecurity Technologies: This aspect examines whether a national market for cybersecurity technologies is in place and supported, and informed by national need.
  • Cyber Insurance: This aspect explores the existence of a market for cyber insurance, its coverage and products suitable for various organisations.

This factor explores the establishment of a responsible disclosure framework for the receipt and dissemination of vulnerability information across sectors and if there is sufficient capacity to continuously review and update this framework.

  • Responsible Disclosure: (as above)