Our Approach

The GCSCC defines cybersecurity capacity broadly to span policy, strategy, social and cultural factors, education and training, law and regulation, and cyber technologies and standards. In line with this definition, our research approach is multidisciplinary, tackling cybersecurity capacity across all of its dimensions from multiple academic perspectives. In analysing these different dimensions of cybersecurity capacity, we have sought to follow some key principles, including efforts to:

  • Avoid reinvention: seek to identify best practice wherever it arises;
  • Be inclusive: to consider relevant global and multi-cultural issues;
  • Mantain objectivity: work with multiple stakeholders to represent their individual and community knowledge, while avoiding commercial or partisan interests;
  • Ensure rigour: seeking evidence to support and challenge hypotheses in ways that avoid confirmation-bias;
  • Enable expectations across dimensions: identifying and investigating relationships which may exist among multiple dimensions of capacity building.

The Cybersecurity Capacity Maturity Model for Nations (the CMM) was developed with the intention to research the nuances of capacity building across and within multiple dimensions, the types of activities which can deliver and increase capacity, where best practice exists, the conditions under which increases in capacity should be sought, and the ways in which the dimensions relate to and depend upon each other for success. With this aim, the CMM provides a framework that allows us to compare cybersecurity capacity across different nations in the world and over time. Its methodology ensures that we collect insights from different actors and groups of stakeholders in order to reflect a broad view of cybersecurity capacity in each nation. 

In order to deploy the CMM around the globe, we have been working closely with key stakeholders from across the international community since 2015 (see Partners and Funders section). In 2018, we also reinforced our global strategy by establishing regional collaboration partnerships – based on a constellation of centres of excellence – in key locations around the world. These centres, the Oceania Cyber Security Centre (OCSC) in Australia and the Cybersecurity Capacaity Centre for Southern Africa (C3SA), broaden the reach of the CMM by devolving the deployment of the CMM to local actors who contribute regional expertise and take ownership of the process (see the Global Constellation section). 

Since its inception in 2015, the CMM has been deployed more than 100 times to over 80 nations (see the CMM Reviews around the World section), and many of these countries have subsequently published their reports based on the CMM consultations. The first report released as a result of this work was launched in June 2015 in Kosovo. Consequently, we have seen – and hope to continue to see – countries make better-informed cybersecurity capacity decisions, improve planning, avoid duplication and create more informed strategies for capacity building investments. We continue to grow this global constellation of Regional Centres and the academic literature around the subject supported by interviews, observations, and data from the field that the centres collect and analyse, contributing to the expansion of knowledge on cybersecurity capacity building. For more information on the papers published around this topic, visit the Publications section.