Dimension 5: Standards and Technologies
This Dimension addresses effective and widespread use of cybersecurity technology to protect individuals, organisations and national infrastructure. The Dimension specifically examines the implementation of cybersecurity standards and good practices, the deployment of processes and controls, and the development of technologies and products in order to reduce cybersecurity risks.
Details Research and Directions
Effective and widespread use of cybersecurity technology, such as firewalls and anti-virus software, is essential to protect individuals, organisations and national infrastructure. We therefore examine and measure best practice in the use of technology and associated business processes, and look at how to ensure good uptake of products.
Views vary as to what best practice is in the use of security products. This Dimension therefore takes an independent look at best practice to determine what results in the most effective cybersecurity. As well as being used appropriately, security products need to be widely adopted. We examine the impact on uptake of the user-friendliness of design, and the optimal configurations of security features to deploy on devices at the time of purchase.
An important consideration regarding uptake is that one cost of security is inconvenience, and this must not outweigh the advantages of the information economy. It is not necessary for everyone to have top-level security –governments’ needs are very different from those of the general public. In considering how to encourage greater use of products, we consider the appropriate security posture for a particular situation.
Business processes around security are also vital, but it is not enough for organisations to simply have a tick-box culture of compliance and training. It is important to think about particular threats to their business and how to react to them. We measure whether organisations have moved to a culture where they are genuinely conscious of, and keen to reduce, the risks from cyber-attack.
As well as looking at protection from cyber-attacks, we examine the tools, structures and processes to help clear up after a security breach and minimise damage. We consider which sorts of organisational structure are most effective, and how to protect nations without such a facility, for instance by sharing in regional provision.
Throughout the different strands to Dimension 5, we seek out projects that are being conducted across the world to help our research, and comparing their success. We consider whether national initiatives are more or less effective than transnational ones, or whether regional activities would produce better results. We also examine whether it is better to have various international forums to work on these areas, or if it would be more effective to combine them. The results should allow countries to see what really works in this area, and where there are gaps in their knowledge and approach.
This Dimension is chaired by Professor Michael Goldsmith, Senior Research Fellow at the Department of Computer Science, University of Oxford and Director of the GCSCC.
Factors
This Factor reviews the government’s capacity to promote, assess implementation of, and monitor compliance with international cybersecurity standards and good practices.
Aspects
- ICT Security Standards: this Aspect examines whether cybersecurity-related standards and good practices are being adhered to and implemented widely across the public sector and CI organisations;
- Standards in Procurement: this Aspect addresses the implementation of standards and good practices in all sectors to guide procurement processes, including risk management, lifecycle management, software and hardware assurance, outsourcing, and use of cloud services; and
- Standards for Provision of Products and Services: this Aspect addresses the use of standards and good practices by local suppliers of goods and services, including software, hardware, managed services, and cloud services.
This Factor reviews evidence regarding the deployment of security controls by users and public and private sectors, and whether the technological cybersecurity control set is based on established cybersecurity frameworks.
Aspects
- Technological Security Controls: this Aspect explores to what extent up-to-date technological security controls, including patching and backups, are deployed in all sectors; and
- Cryptographic Controls: this Aspect reviews the deployment of cryptographic techniques in all sectors and users for protection of data at rest or in transit, and the extent to which these cryptographic controls meet international standards and guidelines and are kept up to date.
This Factor examines the quality of software deployment and the functional requirements in public and private sectors. In addition, this Factor reviews the existence and improvement of policies on and processes for software updates and maintenance based on risk assessments and the critical nature of services.
Aspects
- Software Quality: (as above)
This Factor addresses the existence of reliable Internet services and infrastructure in the country, as well as rigorous security processes across private and public sectors. Also, this Factor reviews the control that the government might have on its Internet infrastructure and the extent to which networks and systems are outsourced.
Aspects
- Internet Infrastructure Reliability: this Aspect examines the reliability and protection of Internet services and infrastructure in public and private sectors; and
- Monitoring and Response: this Aspect examines whether mechanisms are in place to conduct risk assessments and monitor network resilience in both public and private sectors.
This Factor addresses the availability and development of competitive cybersecurity technologies, cyber-insurance products, cybersecurity services and expertise, and the security implications of outsourcing.
Aspects
- Cybersecurity Technologies: this Aspect examines whether a national market for cybersecurity technologies is in place and supported, and informed by national need;
- Cybersecurity Services and Expertise: this Aspect explores the availability of cybersecurity consultancy services for private and public organisations;
- Security Implications of Outsourcing: this Aspect examines whether risk assessments are conducted to determine how to mitigate the risks of outsourcing IT to a third party or cloud services; and
- Cyber Insurance: this Aspect explores the existence of a market for cyber-insurance, its coverage, and products suitable for various organisations
This Factor explores the establishment of a responsible disclosure framework for the receipt and dissemination of vulnerability information across sectors, and whether there is sufficient capacity to continuously review and update this framework.
Aspects
- Sharing Vulnerability Information: this Aspect explores existing information-sharing mechanisms or channels on the technical details of vulnerabilities among the stakeholders; and
- Policies, Processes and Legislation for Responsible Disclosure of Security Flaws: this Aspect explores the existence of a responsible-disclosure policy or framework in public- and private-sector organisations and the right to legal protections for those disclosing security