Collaborative work of RiskRecon by Mastercard and the Global Cyber Security Capacity Centre (GCSCC) at the University of Oxford brings to bear new indicators of cybersecurity that can help keep government organisations secure and better protect critical digital assets.
The study pairs cybersecurity ratings and insights from Mastercard, which employs passive techniques to identify and assess an organization’s cyber posture, with previously conducted research from the GCSCC to explain how cybersecurity capacity efforts affect the online risks faced by governments.
An initial exploratory study is anchored in a sample of 83 national governments whose cybersecurity capacities have been measured through the lens of Oxford’s Cybersecurity Capacity Maturity Model for Nations (CMM). This enables us to focus on over 50 indicators of cybersecurity capacities, all of which have been collected from consultations with multiple stakeholder groups in each nation.
“Our partnership with the University of Oxford is testament to the power of collaboration especially between the private sector and academia. By working together to drive actionable research, we can help governments world-wide bolster their cyber defenses through establishing stronger cyber standards and encryption requirements.”, says Rigo Van den Broeck, Executive Vice President, Cybersecurity Product Innovation at Mastercard.
Mastercard brings into the study data on the cybersecurity risks faced by the governments of these 83 nations. These online risks are based on a risk rating model that uses non-invasive scanning across nine security domains that evaluate systems against thousands of security checks and monitors for malicious activity and breach events and incidents like malware attacks.
Preliminary results show that the overall cybersecurity risk rating of governments improves with some concrete and objective cybersecurity capacity initiatives. These involve national maturity in cybersecurity legal and regulatory frameworks, as well as implementation of cybersecurity technologies and standards. For example, those governments in nations with defined cryptographic controls in place and with regulatory requirements for critical infrastructure are more likely to have better cybersecurity risk ratings than those governments lacking these aspects of cybersecurity capacity.
Moreover, our analysis has found that the overall risk rating of governments is better in those countries with the number of internet users growing at a higher rate, and that nations with larger populations tend to have worse cybersecurity risk ratings. These findings fit with other research that has shown that the scale of internet use (the total internet population) and centrality (greater reliance on the internet across areas) are key aspects of the national context shaping cybersecurity and its outcomes.
These preliminary results are promising. They demonstrate that investment in national cybersecurity capacity benefits governments and citizens, and that governments are adapting to the cybersecurity needs of their changing societies, as illustrated by their ability to address a rising number of internet users. Moreover, the results are in line with our earlier research on the value of cybersecurity capacity building in shaping the experience of internet users as well as the economic vitality of nations (Creese et al. 2019, 2021a, 2021b; Shillair et al., 2022).
Not all aspects of capacity building are related to risks, so we are continuing to collaborate with Mastercard and develop these preliminary findings in more depth. We would value any expressions of interest in our joint work.
Creese, S., Shillair, R., Bada, M., Reisdorf, B.C., Roberts, T., and Dutton, W. H. (2019), ‘The Cybersecurity Capacity of Nations’, pp. 165-179 in Graham, M., and Dutton, W. H. (eds), Society and the Internet: How Networks of Information and Communication are Changing our Lives, 2nd Edition. Oxford: Oxford University Press.
Creese, S., Dutton, W. H., and Esteve-González, P. (2021a), ‘The Social and Cultural Shaping of Cybersecurity Capacity Building: A Comparative Study of Nations and Regions’, Personal and Ubiquitous Computing, 25, May, 941-955. DOI: https://doi.org/10.1007/s00779-021-01569-6
Creese, S., Dutton, W. H., Esteve-González, P., and Shillair, R. (2021b), ‘Cybersecurity Capacity Building: Cross-National Benefits and International Divides’, Journal of Cyber Policy, 6(2), 214-235. DOI: https://doi.org/10.1080/23738871.2021.1979617
Shillair, R., Esteve-González, P., Dutton, W. H., Creese, S., Nagyfejeo, E., and von Solms, B. (2022), ‘Cybersecurity Education, Awareness Raising, and Training Initiatives: National Level Evidence-Based Results, Challenges, and Promise’, Computers & Security, 119: 1-11. DOI: https://doi.org/10.1016/j.cose.2022.102756