Assessing National Cybersecurity Capacity

The CMM considers cybersecurity to comprise five Dimensions which, together, constitute the breadth of national capacity that a country requires to be effective in delivering cybersecurity:

  1. Developing cybersecurity policy and strategy;
  2. Encouraging responsible cybersecurity culture within society;
  3. Building cybersecurity knowledge and capabilities;
  4. Creating effective legal and regulatory frameworks; and
  5. Controlling risks through standards and technologies.


Download the CMM 2021 Edition                                                                     

The Dimensions

Dimension 1 Cybersecurity Policy and Strategy explores the country’s capacity to develop and deliver cybersecurity strategy, and to enhance its cybersecurity resilience by improving its incident response, cyber defence and critical infrastructure (CI) protection capacities. This Dimension considers effective strategy and policy in delivering national cybersecurity capability, while maintaining the benefits of a cyberspace vital for government, international business and society in general.

Dimension 2 Cybersecurity Culture and Society reviews important elements of a responsible cybersecurity culture such as the understanding of cyber-related risks in society, the level of trust in Internet services, e-government and e-commerce services, and users’ understanding of personal information protection online. Moreover, this Dimension explores the existence of reporting mechanisms functioning as channels for users to report cybercrime. In addition, this Dimension reviews the role of media and social media in shaping cybersecurity values, attitudes and behaviour. 

Dimension 3 Building Cybersecurity Knowledge and Capabilities reviews the availability, quality and uptake of programmes for various groups of stakeholders, including the government, private sector and the population as a whole, and relate to cybersecurity awareness-raising programmes, formal cybersecurity educational programmes, and professional training programmes.

Dimension 4 Legal and Regulatory Frameworks examines the government’s capacity to design and enact national legislation that directly and indirectly relates to cybersecurity, with a particular emphasis placed on the topics of regulatory requirements for cybersecurity, cybercrime-related legislation and related legislation. The capacity to enforce such laws is examined through law enforcement, prosecution, regulatory bodies and court capacities. Moreover, this Dimension observes issues such as formal and informal co-operation frameworks to combat cybercrime.

Dimension 5 Standards and Technologies addresses effective and widespread use of cybersecurity technology to protect individuals, organisations and national infrastructure. This Dimension specifically examines the implementation of cybersecurity standards and good practices, the deployment of processes and controls, and the development of technologies and products in order to reduce cybersecurity risks.

The CMM defines five Stages of maturity for all Dimensions being: start-up, formative, established, strategic, and dynamic. These correspond to the following: initial development of capacity, being established, being world-leading, and able to anticipate and prepare for future cybersecurity needs.

It should be noted that there are relationships between the Dimensions; for example, to be effective in one area of capacity often places requirements on other areas.  It is also the case that resources are limited and priorities for capacity enhancements are likely to require a response which could span multiple Dimensions. Therefore, a benchmarking activity reviews a country against the entire CMM and across all Dimensions, enabling an holistic consideration of national capacity.