Research Using Data Underpinning the CMM

One of the biggest values of the CMM is providing a framework to gather standardised indicators of cybersecurity at the national level, allowing for international comparisons. The methodology to implement the CMM is anchored in the qualitative analysis of the data from desk research and in-country consultations from multi-stakeholders. Moreover, the CMM framework allows to gauge the maturity level of a nation in a wide variety of cybersecurity aspects, providing a quantitative measure of maturity for all these aspects (62 cybersecurity aspects in the 2021 CMM Edition). 

As the number of nations assessed under the CMM framework has been growing, the GCSCC has been able to gather original quantitative and qualitative data to conduct research on cybersecurity capacity. 


The impact of capacity building: A general analysis

The growing centrality of cybersecurity has led many governments and international organisations to focus on building the capacity of nations to withstand threats to the public and its digital resources. These initiatives entail a range of actions that vary from education and training to technology and related standards, as well as new legal and policy frameworks. While efforts to proactively address security problems seem intuitively valuable, they are new, meaning there is relatively little research on whether they achieve their intended objectives. This paper takes a cross-national comparative approach to determine whether there is empirical support for investing in capacity-building. Marshalling field research from 73 nations, the comparative data analysis: (1) describes the status of capacity-building across the nations; (2) determines the impact of capacity-building when controlling for other key contextual variables that might provide alternative explanations for key outcomes and (3) explores the factors that are shaping national advances in capacity-building. The analysis finds a low, formative status of cybersecurity capacity in most of the nations studied and also shows that relatively higher levels of maturity translate into positive outcomes for nations. The study provides empirical support to international efforts aimed at building cybersecurity capacity.

Creese, S., Dutton, W.H., Esteve-González, P., and Shillair, R. (2021). Cybersecurity capacity-building: cross-national benefits and international divides. Journal of Cyber Policy, 6(2), 214-235.


Analysis of the CMM dimension on cybersecurity culture and society

This paper presents an empirical study of the social and cultural aspects of cybersecurity capacity building in 78 nations. While nations within geographically defined regions might be expected to share similar attitudes, values, and practices around cybersecurity, this analysis finds that regional differences can be explained largely by cross-national differences in development and the scale of Internet use. These results question the centrality of regions in shaping social and cultural attributes directly tied to cybersecurity capacity. However, the analysis identifies some countries with greater and some with lesser levels of maturity in capacity building than expected only on the basis of their development and scale of Internet use. Further research focused on the dynamics of under- and over-performance of different nations might illuminate where regional contexts could place a brake on, or provide an impetus for, under- or over-performance in cybersecurity capacity building. That said, national development and the scale of Internet use are the most explanatory of cultural attitudes, values, and practices of societies tied to cybersecurity, such as trust on the Internet.

Creese, S., Dutton, W.H., Esteve-González, P. (2021). The social and cultural shaping of cybersecurity capacity building: a comparative study of nations and regions. Personal and Ubiquitous Computing, 25: 941-955.


Analysis of the CMM dimension on building cybersecurity knowledge and capabilities

The data from this CMM dimension has been used in two different papers to answer two different research questions.

  • The first paper assesses the impact of cybersecurity education, awareness raising, and training (CEAT) on the vitality of internet use and services at the national level. CEAT encompasses one of five dimensions of a larger cybersecurity capacity building model (CMM) that was developed by the Global Cybersecurity Capacity Centre. The paper describes this dimension of capacity building within the CMM, and its indicators of education, awareness, and training in cybersecurity capacity. The paper then presents a cross-national analysis of the outcomes of CEAT on internet use based on comparative data from 80 nations. Controlling for contextual variables, such as the wealth of the nations and scale of internet use, the analysis shows a positive and statistically significant impact of CEAT on the vitality of internet use and services, as well as a distribution of CEAT scores that indicates key issues for low-income and developing nations. A qualitative analysis of responses from these nations is used to identify key reasons for their levels of maturity in this area. While recognising key limitations of these findings, it offers suggestions for policy and practice to meet the need for effective programs for education, awareness raising, and training. In addition, the research suggests the need for more detailed indicators of CEAT initiatives in more nations and over time to assess the validity of the findings and the recommendations for policy and practice in this area of capacity building offered in this paper.

Shillair, R., Esteve-González, P., Dutton, W.H.,Creese, S., Nagyfejeo, E., and von Solms, B. (2022). Cybersecurity education, awareness raising, and training initiatives: National level evidence-based results, challenges, and promise. Computers & Security, 119

  • The second paper focuses on awareness raising campaigns. Nowadays, many cyber users do not understand how to protect themselves and their information within cyber space. One reason is that cyber users are unaware of possible cyber risks and threats that may occur within cyber space. The second reason is that citizens, businesses and users within the public sector may be aware of relevant cyber risks but do not really understand the seriousness of such risks and the consequences if they do realise. Therefore, cybersecurity awareness campaigns are an integral part of improving cybersecurity awareness. Based on in-country reviews conducted as part of the Global Cybersecurity Capacity Centre (GCSCC) programme, we observed that the campaigns to raise cybersecurity awareness throughout the country are often led by different ‘owners’ without co-ordination and adequate resources therefore creating fragmentation in the national cybersecurity awareness raising programme. This paper suggests that the development of a coordinated and coherent national cybersecurity awareness program is critical for building a basic level of aware-ness at the national level. We will examine the requirements needed to develop a coordinated national awareness raising programme by reviewing the existing literature, best practice approaches and the role of different stakeholders such as the government, private sector and civil society. We will draw conclusions on the main obstacles to ensure overall coherence between the actions of stakeholders and the efforts countries should prioritise in order to increase awareness of cyber risks at the national level.

Nagyfejeo, E., and von Solms, B. (2020). Why do national cybersecurity awareness programmes often fail? International Journal of Information Security and Cybercrime, 9(2): 18-27.

Using the CMM data to analyse the 2020 EU Cybersecurity Strategy

In December 2020, the European Union (EU) launched a new Cybersecurity Strategy. Accomplishing its aims will require a balancing of national and supranational direction across member states to meet both their national cybersecurity priorities and their commitments with the European Community. Beyond the EU, the 2020 Strategy is envisioned to support the principles of the Paris Call for Trust and Security in Cyberspace in a context of a polarised international debate on cyber norms. This adds another layer of complexity specially for the 2020 Strategy goals to support EU partners in strengthening their cybersecurity capacity. This paper uses theoretical and empirical methodologies to answer the question on how the 2020 Strategy should be implemented to ensure cybersecurity capacity building internally and externally. A gap analysis of the 2020 Strategy using two different frameworks, a framework on national cybersecurity capacities and another framework on principles of cyber norms, allows to make hypotheses on how the 2020 Strategy should be successfully implemented within EU member states and beyond. Moreover, we use data on cybersecurity capacity for above 80 countries to test whether the empirical evidence supports our hypotheses. Regarding building capacity internally, we find that the 2020 Strategy should prioritise social and cultural aspects of cybersecurity to booster the effects of investing in the core national capacities required in it. Moreover, we find that countries more mature in cybersecurity capacity are more likely to have states supporting the Paris Call, and this evidence suggests that the EU efforts in building capacity externally can support the advancement of the Principles of the Paris Call. Finally, we propose a flexible framework for capacity building that would enable states to progress in achieving broad principles and collaborating in operational cybersecurity functions to achieve a common aim, without necessarily needing to agree on the details of their implementation. 

Creese, S., Dutton, W.H., Esteve-González, P., Goldsmith, M., Nagyfejeo, E., Saunders, S., von Solms, B., and Weisser Harris, C. (2022). The solution is in the details: Building cybersecurity capacity in Europe