Dimension 3: Cybersecurity Knowledge and Capabilities
This Dimension reviews the availability, quality and uptake of programmes for various groups of stakeholders, including the government, private sector and the population as a whole, and relate to cybersecurity awareness-raising programmes, formal cybersecurity educational programmes, and professional training programmes.
Details Research and Directions
Building Cybersecurity Knowledge and Capabilities
Cybercrime is growing at alarming rate, and has already reached critical levels. It is estimated that by 2025, the global cost of cybercrime can be up to $10.5 trillion USD annually. This situation compels countries to incorporate cybersecurity as an integral part of their strategic plans – usually resulting in a National Cybersecurity Strategy. It is also well documented that one of the core elements of a good cybersecurity strategy, is to ensure that a country has the relevant levels of cybersecurity knowledge and capabilities on all levels in the country.
The ‘Guide to Developing a National Cybersecurity Strategy’ by the International Telecommunications Union and its partners including the GCSCC, emphasises ‘the challenges related to advancing cybersecurity capacity-building and awareness-raising among government entities, citizens, businesses and other organisations – crucial to enabling a country’s digital economy.’ Therefore, part of the evaluation of a country’s cybersecurity maturity, is determining the state of maturity of cybersecurity capacity-building and awareness-raising in the country. Once this state is determined, the country can proceed with expanding existing capacity-building programs and establishing new capacity-building programs.
As indicated, such a National Cybersecurity Strategy should address cybersecurity capacity-building and awareness-raising among government entities, citizens, businesses and other organisations. Such cybersecurity capacity-building and awareness-raising efforts should take place on different levels in the country, and should cover a spectrum of cybersecurity knowledge, from initial cybersecurity awareness to advanced technical cybersecurity aspects.
Cybersecurity awareness is internationally accepted as one of the best ways to fight cybercrime. The more cyber-aware users are, the better they can recognise cyberattacks and thwart such attacks. Such awareness should cover the whole spectrum – pre-school, primary and secondary schools, universities, NGOs, the general public and all users in government and industry. It is therefore of strategic value and benefit to a country to ensure that its whole population is as cyber-aware as possible – this will greatly add to the country’s cyber-resilience.
Cybersecurity awareness amongst executives from all walks of life are as essential. Business entities, both from government and the private sector, are absolutely dependant on cyberspace for their daily activities. It is therefore essential that Executives must also realize the cyber-risk to their entities, and be as cyber-aware as possible. Furthermore, cybersecurity is part of an Executive’s Corporate Governance responsibilities.
Cybersecurity education on school and university levels are part of building cybersecurity capacity in a country. Children should from an early age be exposed to more formal cybersecurity courses as part of primary and secondary school education. University courses in cybersecurity are needed to prepare a cadre of cyber experts to help the country to be cyber-resilient. Universities should offer specific technical cybersecurity degree courses, but aspects of cybersecurity should also be included in all other university courses to expose all students to cyberspace risks.
However, more than formal cybersecurity education is needed. A country also needs skilled professional cyber-experts who need not have completed a formal degree in cybersecurity. Cybersecurity professionally certified experts are needed for many operational aspects in a country to ensure cyber-resilience.
As Cyberspace is growing at an amazing pace, a country also needs, where at all possible, to develop a cybersecurity research capability to solve cyber problems unique to the specific country.Therefore, the level of cybersecurity maturity of a country is impacted by many aspects, and a holistic approach is needed to really ensure the cyber-resilience of the country.
The Cybersecurity Capacity Maturity Model for Nations (CMM), originally developed by the GCSCC has one dimension (Dimension 3) specifically dedicated to evaluating the maturity of cybersecurity knowledge and capabilities on all levels in the country. Such an evaluation will review all the aspects mentioned above and provide the country with a comprehensive report with recommendations to improve the cybersecurity maturity status of the country.
The GCSCC is the Founding member of the international Constellation of Cybersecurity Capacity Centres, and also performs detailed research on all aspects of cybersecurity knowledge and capabilities. Research reports are regularly published. One such research report, involving 80 countries, supports the view that a country’s cybersecurity knowledge and capabilities are positively shaping the economy of the country.
Dimension 3 is currently Chaired by Professor S.H. (Basie) von Solms, Director of the Centre for Cyber Security at the University of Johannesburg in South Africa.
Professor David Upton co-Chaired the dimension before he sadly passed away in 2017. The Oxford Martin School and the Global Cyber Security Capacity Centre are deeply grateful for Professor Upton’s contributions to our community.
Factors
This Factor focuses on the availability of programmes that raise cybersecurity awareness throughout the country, concentrating on cybersecurity risks and threats and ways to address them.
Aspects
- Awareness-raising Initiatives by Government: this Aspect examines the existence of a national co-ordinated cybersecurity awareness-raising programme driven by the government, covering a wide range of demographics and issues, developed in consultation with stakeholders from various sectors;
- Awareness-raising Initiatives by Private Sector: this Aspect examines the existence of awareness-raising programmes driven by the private sector and the extent to which they are aligned with government and civil society initiatives;
- Awareness-raising Initiatives by Civil Society: this Aspect examines the existence of awareness-raising programmes driven by the civil society and the extent to which they are aligned with government and private sector initiatives; and
- Executive Awareness Raising: this Aspect examines efforts to raise executives’ awareness of cybersecurity issues in the public, private, academic and civil society sectors, as well as how cybersecurity risks might be addressed.
This Factor addresses the availability and provision of high-quality cybersecurity education programmes and sufficient qualified teachers and lecturers. Moreover, this Factor examines the need to enhance cybersecurity education at national and institutional levels and the collaboration between government and industry to ensure that educational investments meet the needs of the cybersecurity education environment across all sectors.
Aspects
- Provision: this Aspect explores whether there are educational cybersecurity offerings and educator qualification programmes available that provide an understanding of current risks and skills requirements; and
- Administration: this Aspect explores the co-ordination of, and resources for developing and enhancing cybersecurity education frameworks with allocated budget and spending based on the national demand.
This Factor addresses and reviews the availability and provision of affordable cybersecurity professional training programmes to build a cadre of cybersecurity professionals. Moreover, this Factor reviews the uptake of cybersecurity training, and horizontal and vertical cybersecurity knowledge and skills transfer within organisations, and how this transfer of skills translates into a continuous increase of cadres of cybersecurity professionals.
Aspects
- Provision: this Aspect examines the development, availability and provision of cybersecurity training programmes for enhancing skills and capabilities; and
- Uptake: this Aspect examines the uptake and affordability of such programmes to produce a cadre of certified cybersecurity professionals. Issues investigated include initiatives to register for such programmes, initiatives to stay in the country after successful completion, knowledgesharing after completing a programme, and the existence of a national register of successful and certified students
This Factor addresses the emphasis placed on cybersecurity research and innovation to address technological, societal and business challenges and to advance the building of cybersecurity knowledge and capabilities in the country.
Aspects
- Cybersecurity Research and Development: this Aspect investigates the existence of a research and innovation culture in the country, one that is related to a national list of current and completed projects, financial support, incentives and usable research outputs.