During the past two years, the GCSCC has been enhancing the knowledge generated through the extended use of the Cybersecurity Capacity Maturity Model for Nations (CMM) across the globe by analysing the wealth of data that this has produced to develop the evidence base for assessing the effectiveness and relative value of capacity-building investments in cybersecurity. We have produced research on the impact of overall capacity-building, the methodology to collect data on cybersecurity capacity, and the impact and effectiveness of specific capacity interventions such as awareness-raising campaigns.
The CMM has been deployed for a second time in 36 nations (Kosovo, Malawi, Uganda, Montenegro and 32 countries in Latin America and the Caribbean). The CMM national data at different moments in time allows us to follow the developments that these nations have made. For example, in many of these countries there was no National Cybersecurity Strategy (NCS) in the first report, while in the second report an NCS was in place, as in Kosovo, or is being drafted, as in Uganda. The capacity-building of these two nations has made progress particularly in the cybersecurity policy and strategy dimension; Kosovo in the NCS and incident response, and Uganda in cyber defence and crisis management.
Work by the OAS and IDB (2020) shows that visible progress has been made across the different aspects of the CMM throughout Latin America and the Caribbean over 2016–2020, which has been reflected in rising capacity-maturity scores. Since 2015, the number of countries that have adopted an NCS has more than doubled, which reflects that aspects within Dimension 1 (Cybersecurity Policy and Strategy) have progressed more than any other Dimension. Although significant improvements have been made with regard to promoting a cybersecurity mind-set, data suggests that government officials and general Internet users still lag behind the private sector. With regard to cybersecurity-related legislation, interestingly, the maturity scores for the aspect on Substantive Cybercrime Legislation stopped growing compared to the aspect on Procedural Cybercrime Legislation, which demonstrated the most activity within the region between 2016 and 2020. In contrast, the aspects with the lowest maturity scores across the region, showing little improvement, were Responsible Disclosure, Organisation of Critical Infrastructure Protection, Crisis Management, Risk Management and Response, and Cybercrime Insurance. The OAS and GCSCC have a unique partnership and have been collaborating since the development of the CMM in 2015. The OAS, as a trusted partner, has been an active contributor in the revision process of the CMM 2021 Edition between 2019 and 2021.
GCSCC’s partnership with the World Bank brought a CMM review to 13 African nations for the ECOWAS and Commonwealth programmes. The data available from these reviews shows that some countries had their highest levels of maturity in a particular dimension, while other countries diversified their efforts across different dimensions. This observation underlines the non-existence of a unique path in building capacity, as it depends on the particular needs of each country. However, those countries with the highest maturity level in the national cybersecurity policy and strategy dimension were more likely to be more mature in the other cybersecurity dimensions than the average. Although this strategy does not have to be the right one for all countries and in all contexts, it highlights the potential for major impact that well-designed and informed policies can have on other cybersecurity dimensions. Moreover, it raises additional questions on how countries with limited resources might prioritize the dimensions to invest in.
The partnership with the World Bank also led to assessments in all six countries of the Western Balkans (including a reassessment in Montenegro) with funding by KISA. The regional report with lessons learnt and common priorities, developed by the World Bank with contributions from the GCSCC, will be presented at the Digital Summit in October 2022.
Since 2018, the GCSCC has been working together with the Oceania Cyber Security Centre (OCSC) to support the Pacific Island nations in developing and strengthening their cybersecurity capacity. General learnings and themes have emerged from the work completed in Samoa, Tonga, Vanuatu, Papua New Guinea, Micronesia, Tuvalu and Kiribati between 2018 and 2021. The main topics touch upon issues related to the lack of qualified personnel in both the public and private sectors, the brain-drain of people with higher qualification to more developed countries, the malicious use of social media, fake news, deception, and fake accounts (Rudolph et al., 2020). The CMM reports have provided specific recommendations for these countries that have been followed by implementation of capacity-building projects, such as the creation of awareness-raising programmes.
Impact of Capacity-Building on National Outcomes
When looking at those CMM aspects encouraging responsible cybersecurity culture within society in 78 nations, it is clear that most countries were still in an early phase of capacity building, but differences in maturity between regions could be explained by the scale of Internet use in the countries and their economic and governmental development (Creese et al., 2021). Using secondary data and general indicators of cybersecurity capacity, the role of national wealth and number of Internet users was found to play a key role in shaping cybersecurity, and, at the same time, cybersecurity capacity was found to have an impact on reducing end-user cybersecurity problems (Dutton et al., 2019). Work in progress using original data from our national CMM reviews finds that cybersecurity capacity not only had a role in reducing negative end-user experiences in using technology and associated services, but also in increasing their positive experiences (Creese et al., 2019).
Building cybersecurity capacity and policy interventions, such as controlling cyber-risk effectively within business and critical national infrastructures, are key to mitigating the risks implied in the emerging technology environment (WEF, 2020). Although there has been a dramatic rise in research on cybersecurity, there is little evidence of a proportional growth of multidisciplinary approaches to this area (Dutton and Esteve-González, 2020). A key aspect of the GCSCC research agenda is a commitment to the study of cybersecurity capacity from a multidisciplinary perspective.
Insights in Methodology for Collecting Data on National Cybersecurity Capacity
The CMM 2021 Edition extracted and synthesised the community’s latest knowledge to adapt the CMM framework to the changing cybersecurity capacity landscape (GCSCC, 2021). With the aim of improving the reliability and validity of capacity indicators of maturity, a ‘structured field coding’ (SFC) is under development as a methodology for collecting and coding observations before, during, and after field research (Dutton et al., 2021). Moreover, SFC has been valuable in adapting the CMM methodology to an online environment, required in the context of the COVID-19 pandemic. Despite the convenience of conducting CMM reviews from home, the savings on travel costs and the flexibility of scheduling the sessions over more than a week, the online format created some additional challenges. Those include connectivity problems that delayed the completion of CMM reviews (Bagui et al., 2020), and a reduction of the collateral capacity-building effect of in-person CMM assessments. There is also a possibility that the remote CMMs produce fewer comprehensive insights into the state of maturity in the country because the assessment teams couldn’t benefit from being in-country and the serendipitous ability to gather additional insights whilst there. Although we have no evidence of this being the case, it is an active area of ongoing investigation. Since there is a continued demand for CMM reviews despite the pandemic, we will be considering this issue as we move forward and the GCSCC continues to refine its adapted approach to conducting CMM reviews online.
Impact and Effectiveness of Cybersecurity Awareness-Raising Campaigns
The data collected during national CMM reviews has been used to study national awareness-raising campaigns from different perspectives. This research has linked the increasing cybercrime indicators in Africa with data on cybersecurity awareness from CMM reports in six African countries, highlighting that these countries did not possess a national programme for raising awareness, and that the ICT literacy levels were extremely low (Bada et al., 2019). Another study analyses the CMM reports of eight countries in Europe, Africa, and Oceania, and shows that awareness initiatives are often led by different organisations without coordination or adequate resources, creating fragmentation in the national awareness-raising programme (Nagyfejeo and Solms, 2020). Analysis of the impact of awareness-raising across all nations, which is still in progress, supports the centrality of this dimension to capacity-building.
Contributions to the Global Cybersecurity Capacity-Building Debate
Over the period the GCSCC has contributed to and led on a number of collaborative activities and publications informing global debates on emerging priorities and themes in cybersecurity capacity-building. The Global Forum on Cyber Expertise (GFCE) highlights the central role that assessments today play for informing national strategies and investment. Evidence-based cybersecurity capacity-building strategy and activity based on a holistic assessment of capacity and a multi-stakeholder involvement in data-collection is seen as good practice and has informed project activity of the GFCE and members and partners around the world.
The CMM 2021 Edition has been produced and reflects current views on best practice in the face of the changing cybersecurity-capacity landscape. Issues such as international cooperation, managing disinformation, and research and development have gained importance in national capacity, but so has the topic of cybersecurity capacity-building in general in the context of the UN Group of Governmental Experts and UN Open-Ended Working Group; all highlight the important position that the GCSCC plays in shaping international cybersecurity capacity building. The CMM 2021 Edition is also informing the update of the “Guide to Developing a National Cybersecurity Strategy” by the ITU and partners.
Bada, M., Von Solms, B., Agrafiotis, I. 2019. Reviewing National Cybersecurity Awareness for Users and Executives in Africa. International Journal on Advances in Security, 12(1-2): 108-118.
Creese, S., Dutton, W. H., and Esteve-González, P. 2021. The Social and Cultural Shaping of Cybersecurity Capacity Building: A Comparative Study of Nations and Regions. Personal and Ubiquitous Computing, forthcoming. https://doi.org/10.1007/s00779-021-01569-6
Dutton, W. H., Creese, S., Shillair, R., Bada, M. 2019. Cyber Security Capacity: Does It Matter? Journal of Information Policy, 9, pp. 280-306.
Global Forum on Cyber Expertise (GFCE). Overview of Existing National Cyber Capacity Assessment Tools, forthcoming June 15th.
Nagyfejeo, E., Solms, B.V. 2020. Why Do National Cybersecurity Awareness Programmes Often Fail? International Journal of Information Security and Cybercrime, 9(2), 18-27.
Rudolph, C., Creese, S., Sharma, S. 2020. Cybersecurity in Pacific Island Nations. Communications of the ACM, 63 (4): 53-54. https://doi.org/10.1145/3378550