Dimension 1: Cybersecurity Policy and Strategy


This Dimension explores the country’s capacity to develop and deliver cybersecurity strategy and enhance its cybersecurity resilience through improving its incident response, cyber defence and critical infrastructure protection capacities. This Dimension considers effective strategy and policy in delivering national cybersecurity capability, while maintaining the benefits of a cyberspace vital for government, international business and society in general. 

Dimension1 2021 Edition structure

Dimension 1. Diagram


Details Research and Directions

National level cyber policy and strategy is needed to ensure that the actions of multiple actors across government, the private sector, and society are mutually supportive. No two countries are the same, and so cybersecurity policy and strategy needs to be grounded in a proper understanding of the unique risks and challenges being faced, and a country’s wider social, economic and political goals.
This Dimension examines a how national level cybersecurity policy is formulated, how priorities are identified and agreed, and how implementation is structured and overseen. It examines specific national level capabilities required to manage incidents and crises, to ensure the security and resilience of critical national infrastructure, and to provide for effective security within the defence and national security sector. International collaboration is essential to effective cybersecurity, and this is also explored within the CMM.

Our research has identified a wide variation in the approaches that are being taken to national level cybersecurity policy and strategy. Common challenges include programme governance, securing the necessary priority, budget and profile for cybersecurity within government, engaging private sector partners, and achieving the right level of broader stakeholder and civil society engagement. Cybersecurity often cuts across traditional inter-agency boundaries within government, making programme governance all the more important. Evaluating the impact of strategic interventions in cybersecurity is a challenge for all countries, and this is one of the areas where we will be focussing our future research. 

Other focus areas for research include: national level risk assessment; incentivisation and regulation; how national cybersecurity policy and strategy can support economic growth and development; and the impact of emerging technology on national cybersecurity policy and strategy.

Dimension 1 is led by Dr Jamie Saunders, an Oxford Martin Fellow and Visiting Professor at University College London.


Expand All

Cybersecurity strategy is essential to mainstreaming a cybersecurity agenda across government because it helps prioritise cybersecurity as an important policy area, determines responsibilities and mandates of key cybersecurity government and non-governmental actors, and directs allocation of resources to the emerging and existing cybersecurity issues and priorities.

  • Strategy Development: this Aspect addresses the development of a national strategy, allocation of implementation authorities across sectors and civil society, and an understanding of national cybersecurity risks and threats which drive capacity building at a national level;
  • Content: this Aspect addresses the content of the national cybersecurity strategy and whether it is linked explicitly to national risks, priorities and objectives such as national security, public awareness raising, and mitigation of cybercrime, incident response capability and critical national infrastructure protection;
  • Implementation and Review: this Aspect addresses the existence of an over-arching programme for cybersecurity co-ordination, including a departmental owner or coordinating body with a consolidated budget; and
  • International Engagement: this Aspect explores to what extent the country is aware of the existence of international discussions on cybersecurity policy, and how the international debates on cybersecurity policy and related issues affect the country’s interests and international standing.


This Factor addresses the capacity of the government to identify and determine characteristics of national level incidents in a systematic way. It also reviews the government’s capacity to organise, co-ordinate, and operationalise incident response, and whether cybersecurity has been integrated into the national crisis management framework.

  • Identification and Categorisation of Incidents: this Aspect identifies whether internal mechanisms are in place for identifying and categorising incidents;
  • Organisation: this Aspect addresses the existence of a mandated central body designated to collect incident information, and its relationship with the public and private sector for national level incident response; and
  • Integration of Cyber into National Crisis Management: this Aspect explores to what extent cybersecurity is integrated into the national crisis management framework. 


This Factor studies the government’s capacity to identify CI assets, the regulatory requirements specific to the cybersecurity of CI, and the implementation of good cybersecurity practice by CI operators.

  • Identification: this Aspect addresses the existence of a general list of CI assets, sectors and operators, and an audit of CI assets on a regular basis;
  • Regulatory Requirements: this Aspect addresses the existence of regulatory requirements specific to the cybersecurity of CI; and
  • Operational Practice: this Aspect explores whether CI operators implement recognised industry standards, and the existence of arrangements for collaboration across and within sectors.


This Factor explores whether the government has the capacity to design and implement a strategy for cybersecurity within national security and defence. It also reviews the level of cybersecurity capability within the national security and defence establishment, and the collaboration arrangements on cybersecurity between civil and defence entities.

  • Defence Force Cybersecurity Strategy: this Aspect addresses the existence of a strategy for supporting cybersecurity within national security and defence, and whether it is supported by appropriate legal authorities and relevant operational doctrine and rules of engagement;
  • Defence Force Cybersecurity Capability: this Aspect reviews the level of cybersecurity capability and organisational structures within the national security establishment; and
  • Civil Defence Co-ordination: this Aspect examines the collaboration on cybersecurity between civil and defence entities, and the existence of adequate resources in place.