Global Cyber Security Capacity Maturity Model - CMM Dr Maria Bada

Global Cyber Security Capacity
Maturity Model - CMM
WSIS Forum 2015 – Geneva
Dr Maria Bada
25/05/2015
CMM - Five Dimensions
Levels of Maturity
• Start-up: At this level either nothing exists, or it is very embryonic in nature.
• Formative: Some features of the indicators have begun to grow and be formulated, but may be ad-hoc, disorganized, poorly defined - or simply "new". However, evidence of this activity is clearly present.
• Established: The elements of the sub-factor are in place, and working.
• Strategic: Choices have been made about which parts of the indicator are important, and which are less important for the particular organization/nation.
• Dynamic: There are clear mechanisms in place to alter strategy depending on the prevailing circumstances. Rapid decision-making, reallocation of resources, and constant attention to the changing environment are features of this level.
Capacity Dimensions
Dimension 1
Cybersecurity Policy and Strategy
D1-1: National Cybersecurity Strategy
D1-2: Incident Response
D1-3: Critical National Infrastructure (CNI) Protection
D1-4: Crisis Management
D1-5: Cyber Defence Consideration
D1-6: Digital Redundancy
Capacity Dimensions
Dimension 2
Cyber culture and society
D2-1: Cybersecurity Mind-set
D2-2: Cybersecurity Awareness
D2-3: Confidence and trust on the Internet
D2-4: Privacy online
Capacity Dimensions
Dimension 3
Cybersecurity education, training and skills
D3-1: National availability of cyber education and training
D3-2: National development of cybersecurity education
D3-3: Corporate training and educational initiatives within companies
D3-4: Corporate Governance, Knowledge and Standards
Capacity Dimensions
Dimension 4
Legal and regulatory frameworks
D4-1: Cybersecurity legal frameworks
D4-2: Legal investigation
D4-3: Responsible Disclosure
Capacity Dimensions
Dimension 5
Standards, organisations, and technologies
D5-1: Adherence to standards
D5-2: National Infrastructure Resilience
D5-3: Cybersecurity marketplace
Dimension 1: Cybersecurity Policy and Strategy
D1-1: National Cybersecurity Strategy
Indicator: Strategy Development
• No evidence of a cyber security national strategy exists; if a cyber component exists it may be the responsibility of one or more departments of government; a process for development has begun without stakeholder consultation
• An outline of a national cyber security strategy has been articulated built on government consultation; consultation processes have been established for key stakeholder groups, possibly involving international assistance
• A national cyber strategy has been established; a specific mandate to consult across sectors and civil society has been agreed; data and historic trends are used to plan; some understanding of national cyber security risks and threats drives capacity building at a national level
• Cyber security strategy is knowledgeably implemented by multiple stakeholders across government; strategy review and renewal processes are confirmed; regular scenario and real-time cyber exercises are conducted; cyber security strategic plans drive capacity building and investments in security; metrics and measurement processes are established, implemented and inform decision making
• Continual revision of cyber security strategy is conducted to adapt to changing socio-political, threat and technology environments, driving the multi-stakeholder decision making process; trust and confidence building measures (TCBMs) are undertaken to ensure the continued inclusion and contribution of all stakeholders including the private sector, wider society and international partners
Factors Crucial for Combating Cybercrime
National Cybersecurity Strategy
The national cybersecurity strategy, with content linked explicitly to national risks, priorities and objectives:
• raise public awareness
• establish incident response capacity
• mitigate cybercrime
• protect critical national infrastructure
Outcome: coordinated response to cyber attacks/risks
Factors Crucial for Combating Cybercrime
Cybersecurity Awareness
• Awareness-raising campaigns linked to cyber security strategy
• Covering a wide range of groups, including training courses, seminars and online resources
• Established metrics for effectiveness
Outcome: building trust on internet use; promote positive and responsible forms of online behaviour
Factors Crucial for Combating Cybercrime
Education/Training
• Public and private sector training available for employees, law enforcement, prosecutors, experts, board members
Outcome: capacity to understand complex cybercrime cases and inform decision making
Factors Crucial for Combating Cybercrime
Cybersecurity legal frameworks
• A comprehensive structure within the criminal justice system for combating cybercrime while respecting human rights
• Comprehensive ICT legislative and regulatory frameworks addressing cybersecurity
• Substantive cybercrime law
• Procedural cybercrime law
Outcome: capacity to address and combat cybercrime
Factors Crucial for Combating Cybercrime
National Infrastructure Resilience
• Availability and use of critical technologies, processes, business models and standards to support control of cyber across national critical infrastructures and across international cyberspace
Outcome: technical capacity to prevent cybercrime; international and regional cooperation
Factors Crucial for Combating Cybercrime
Cybercrime Insurance
Outcome: encourage information sharing among participants
Country Assessments using the CMM
February-March 2015
• World Bank: Armenia, Kosovo, Bhutan and Montenegro
• OAS: Jamaica and Colombia
Observations from Capacity Assessments
• Capacity factors in countries assessed thus far range from start-up to established
• General lack of awareness, education and training
• General lack of implementation of technical standards
Steps to be taken forward
• Science requires measurement
• Academic analysis of data from assessments could reveal geographic, stakeholder, and interdependent factor trends
• Trends feed into global strategy for investment
• Ambition is to assess the world’s cybersecurity capacity alongside regional/international partners
(Map: Assessed Capacity)
Steps to be taken forward
• Devising a model against which countries (or regions, or multi-nationals) can assess their capacity in fighting cybercrime
• The development of a model to understand cyber-harm to focus prioritisation of investments on more specific capacity harm-reduction
• Benefits drawing on, not competing with, other similar efforts
The CMM is available at:
http://www.sbs.ox.ac.uk/cybersecurity-capacity/
Thank you