A Strategy for a Cybersecurity Culture: A South African Perspective
Article in Electronic Journal of Information Systems in Developing Countries (www.ejisdc.org) · May 2017
DOI: 10.1002/j.1681-4835.2017.tb00590.x
Authors: Noluxolo Gcaza and Rossouw von Solms, Nelson Mandela University
Uploaded to ResearchGate (https://www.researchgate.net/publication/317222815) by Noluxolo Gcaza on 22 September 2017.
EJISDC (2017) 80, 6, 1-17
A STRATEGY FOR A CYBERSECURITY CULTURE:
A SOUTH AFRICAN PERSPECTIVE
Noluxolo Gcaza
Nelson Mandela Metropolitan University &
Council for Scientific and Industrial Research
South Africa
s208045801@live.nmmu.ac.za
Rossouw von Solms
Nelson Mandela Metropolitan University
South Africa
rossouw.vonsolms@nmmu.ac.za
ABSTRACT
Nowadays, having Internet access is deemed to be a basic human right. The South African
government has embraced this notion; and as a result, free Wireless Internet (WiFi) has been
rolled out in numerous cities in the country. This national effort to connect South African
citizens is, however, not matched with adequate national cybersecurity efforts. Across
nations, cultivating a culture in pursuing cybersecurity is well appreciated as a fundamental
approach. In line with this, the South Africa government envisages a culture of cybersecurity
amongst its citizens. However, there is an apparent lack of a practical plan to cultivate such a
cybersecurity culture in South Africa. This paper proposes a national strategy for promoting a
cybersecurity culture in South Africa.
KEYWORDS
Culture; Cybersecurity; National Strategy
1. INTRODUCTION
In many nations across the globe cybersecurity is accepted as a national priority (Center for
Strategic and International Studies, 2011). According to Sharma (2012) lack of cybersecurity
can cripple the economy and safety of an entire nation. This is owing to the apparent
dependence on cyberspace to perform functions deemed critical to the wellbeing of
individuals, organizations and nations. Such a reliance on cyberspace is speedily shifting
Internet access from being a ‘luxury’ for a few to becoming a ‘basic human right’ for all
(Zeldin, 2012). Although the ever-increasing reliance on cyberspace should solidify the need
for cybersecurity, nations like South Africa (SA) still lag behind.
Currently in SA, there are instances where not having Internet access prohibits citizens
from executing rather essential functions, like registering a company or applying for schools
(De Lanerolle, 2016). Accordingly, in parts of SA, the government provides free access to
cyberspace (De Lanerolle, 2016). This transition in the way SA operates will lead to an
increasing dependence and adoption of cyberspace.
It is known that cyberspace, having such endless opportunities, also has endless risks
associated with cyber-related services. It was revealed that SA ranked 3rd in the world in
terms of cybercrime victims (Lewis, 2015). As it is, over eight million South Africans have
fallen victim to cybercrime (eNCA, 2016). Moreover, it is reported that more and more SA
citizens are aware of the reality of cybercrime. However, security is viewed as a “hassle”
(eNCA, 2016).
This draws attention to the security in cyberspace, as well as the safety of SA citizens
whilst they are active in cyberspace. As such, alongside the call for a “Connected South
Africa”; there should also be the call for promoting a secure connected SA. Regrettably, in
so far as cybersecurity implementation is concerned, SA lags behind (R von Solms & von
Solms, 2015).
Cybersecurity can be defined as “the protection of cyberspace itself, the electronic
information, the [Information and Communication Technologies], as well as ICTs that
support cyberspace, and the users of cyberspace in their personal, societal and national
capacity, including any of their interests, either tangible or intangible, that are vulnerable to
attacks originating in cyberspace” (von Solms & van Niekerk, 2013). Indeed, the challenge of
cybersecurity is not unique to SA. Many nations have developed and implemented
cybersecurity policies, in order to address this need.
It is accepted that cultivating a cybersecurity culture is an apt approach to promoting a
secure consumption of cyberspace (Wamala, 2011). The aim of a cybersecurity culture is to
instill “a certain way to ‘naturally behave’ in daily life, a way that subscribes to certain
[cybersecurity] assumptions” (Gcaza et al., 2015).
As it is, research that focuses particularly on cybersecurity culture is still in its
infancy; and knowledge on the subject is not clearly bounded or defined (Gcaza et al., 2015).
This makes it challenging to clearly articulate what a cybersecurity culture should entail, and
how it can be fostered. Thus, a national strategy for cultivating such a cybersecurity culture
would add great value. Such a strategy should not only clearly articulate what needs to be in
place, in order to cultivate the culture; but it would also need to outline how the culture can
be cultivated.
Hence, the problem description for the study is provided in the following section.
Subsequently, an overview of strategy will be discussed. Thereafter, the research approach
employed to conduct this research is introduced. This will be followed by an account of the
development of the proposed strategy. Finally, the proposed strategy will be
presented, followed by a few concluding remarks.
2. PROBLEM DESCRIPTION
South Africa (SA) acknowledges that a culture of cybersecurity is fundamental to the overall
national security. As a result, a cybersecurity policy framework was drafted; and the cabinet
of the country approved a National Cybersecurity Policy Framework (NCPF) in the year
2012 (SA Government Gazette, 2015). Amongst other things, the NCPF stipulated the
promotion of a cybersecurity culture that subscribes to minimum cybersecurity measures
(SA Government Gazette, 2015). Even though the importance of the culture is appreciated in
SA, there is an apparent lack of a practical plan or strategy to cultivate a cybersecurity
culture. The primary objective of the paper is, therefore, to propose a strategy for a
cybersecurity culture in SA.
3. STRATEGY OVERVIEW
The concept of strategy finds its origins on the battlefield. On the battlefield, strategy
fundamentally addressed the tactical ‘positioning’ of troops before any contact with the enemy
(Fred, 2016). Subsequent to contact with the enemy, strategy addressed how to tactically
‘employ’ the troops, in order that an army could obtain the victory. In this realm,
strategy is defined as “the art of distributing and applying military means to fulfill the ends of
policy” (Gartner, 1997).
In the business context, the troops can be seen as resources; while the enemy can be
seen as the challenges, as well as the competition within the environment, in which the
business operates. “In business, as in the military, strategy bridges the gap between policy
and tactics. Together, strategy and tactics bridge the gap between ends and means” (Fred,
2016).
A strategy then is a plan that sets out how the organization would position and employ
its resources (means), in order to meet its objectives (ends). Mintzberg et al. (1998) define
the concept as follows: “Strategy is a plan: a guide or course of action into the future; a ploy:
a specific maneuver intended to outwit an opponent or competitor; a position: determination
of particular products in particular markets; a perspective: an organization’s way of doing
things, and a pattern: consistency in behavior over time”.
This description of strategy delineates strategy into five classifications. It addresses
the nature of strategy; generally, a strategy would serve as a guide or roadmap for some
objective (plan) (Chandler, 1962). Within a strategy, certain tactics are defined and intended
to counter the competitors, or other challenges in the business environment (ploy) (Porter,
1986). Moreover, with strategy, an organization can make well-defined resolutions regarding
a particular product for particular markets (position). A strategy distinguishes an
organization from others (perspective) (Porter, 1986). Finally, a strategy provides consistency
(pattern) (Johnson, Whittington, & Scholes, 2009).
Glueck (1972) defines a strategy as “a unified comprehensive and integrated plan
relating the strategic advantages of the firm or enterprise to the challenges of the
environment. It is designed to ensure that basic objectives are achieved”. Strategy is also
defined as: “The determination of the long-run goals and objectives of an enterprise, and the
adoption of courses of action, as well as the allocation of the necessary resources for carrying
out these goals” (Chandler, 1962).
In one way or another, the delineations of strategy all share one or more of these
features of a strategy, as defined by Mintzberg et al. (1998). Additionally, from the
definitions, it is perceived that a strategy is future-oriented. Furthermore, it provides an
organization with direction. Considering what a strategy is, clearly, it can highly support SA
in achieving the objective it sets out in the NCPF, of cultivating a cybersecurity culture. A
strategy would depict how SA can advance towards this goal.
Even though the business world adapted the concept of strategy from the battlefield,
this domain has not solely relied on knowledge obtained in the genesis of strategy. On the
contrary, the corporate community has expanded the study of strategy, and taken the practice
to higher grounds. Strategies are developed using various approaches. Consistent across many
strategy development processes are the long-term objectives of the organization (Christiansen,
2014; Tesone, 2014; Enz, 2009; Goldman & Nieuwenhuizen, 2006). These goals can be
embedded in the mission and vision of the organization. Many authors refer to such in
varying ways; but essentially they point in the same direction, which is: A strategy is driven
by a vision or intent that leads an organization to the envisaged position.
Having identified the objectives, the business environment is assessed, in order to get a
sense of both internal and external dynamics. Taking this assessment into account, the
strategy is formulated, whereby policies are influenced by the findings from the assessment.
Once formulated, the strategy is implemented and controlled accordingly. Therefore, having
long-term objectives, assessing the environment, formulating the strategy, implementing the
strategy and controlling the strategy can be accepted as the fundamental elements of the strategy
development process (Christiansen, 2014; Tesone, 2014; Enz, 2009; Goldman &
Nieuwenhuizen, 2006).
This section provided an overview of the concept of strategy and strategy
development. The following section will discuss the process chosen for developing the
proposed national strategy for cybersecurity culture.
4. STRATEGY DEVELOPMENT APPROACH
This section discusses the approach that will be used to develop the proposed national
strategy for cybersecurity culture. To develop the national strategy for cybersecurity culture
this study will adopt an approach defined by Tsokota, von Solms, and van Greunen (2017).
This approach was chosen because it closely aligns with the nature of the problem addressed
in this study. Specifically, this study addresses a national problem; similarly, the chosen
approach was devised for a national problem. The strategy development approach is
presented graphically below in Figure 1.
Figure 1: Strategy Development Approach (Source: Adapted from (Tsokota et al., 2017))
Essentially, the process in Figure 1 consolidates the strategy development approaches
from Goldman and Nieuwenhuizen (2006), Enz (2009), Tesone (2012) and Christiansen
(2014), respectively. Additionally, the approach adopted a strategy kernel as defined by
Rumelt (2011). The kernel outlines three hallmarks for a good strategy: a diagnosis; a guiding
policy; and coherent action. A diagnosis captures the overall nature of a challenge, as found
in the environmental assessment. A guiding policy serves as an overall approach to the
challenge identified in the diagnosis. Finally, the coherent actions comprise coordinated steps
of action aimed at addressing a guiding policy.
Rumelt (2011) argues that without these components, a strategy is ‘bad’. “A strategy
that fails to define a variety of plausible and feasible immediate actions is missing a critical
component” (Rumelt, 2011). Rumelt (2011) added that a strategy that fails to address which
rational actions ought to be taken to meet the objective is merely ‘fluff’. Such a strategy
would leave a huge gap between strategy and implementation.
Accordingly, the purpose for incorporating the strategy kernel is to ensure that the
proposed strategy brings forth rational actions that will address the objective of cultivating a
culture. In essence, the strategy kernel is deemed critical in ensuring that the proposed
strategy is not merely “fluff”. The approach presented in Figure 1 captures all the
fundamental steps of customary strategy development processes (Tsokota et al., 2017). Each
of these steps in Figure 1 is discussed in the subsections that follow.
4.1 Strategy Direction
The point of departure of a strategy is the outlining of the direction of the organization.
According to Johnson et al. (2009), the strategic direction can be derived from the
long-term objectives of the organization. Some organizations make use of statements that
comprise the mission, vision and values. However, this is not cast in stone. Conversely, long-term objectives are always applied without fail.
4.2 Environmental Assessment
According to Lester and Waters (1985), the environmental-assessment process consists of the
gathering and analyzing of information, and then using “this analyzed intelligence in strategic
decision making”. Concerning information gathering, the environmental assessment makes
provision for both looking at information (viewing) and looking for information (searching).
When conducting an environmental assessment, information can be gathered from different
sources. These include personal sources and impersonal sources also known as written
sources. Personal sources include face-to-face communication and telephone communication
(Temtime, 2001). Written sources include various documents, reports, news articles and
magazines. Aguilar (1967) differentiates the modes of information viewing and searching as
follows:
1. Undirected viewing – This is viewing information without being led by a specific
purpose.
2. Conditioned viewing – This is viewing information on selected areas guided by a
specific purpose.
3. Informal search – This is a planned effort to obtain information on a specific issue.
4. Formal search – This is an unstructured effort of actively looking for information.
The environmental assessment carried out in this study was conditioned and formal.
The viewing was guided, since the distinctive dimensions of the national cybersecurity
culture environment were specified; and the search was guided, since a set of questions on
the environment was outlined. Additionally, information was gathered from relevant written
sources. These sources included journal articles, news articles, government policies, and
government websites and official reports.
4.3 Strategy Formulation
The strategy formulation process consists of three sub-processes, according to Figure 1. The
first sub-process is the diagnosis (D), followed by suggested guiding policies (GPs) and
coherent actions (CAs), respectively. As mentioned earlier, the diagnosis stems from the
environmental assessment recorded in subsection 4.2 above. All the guiding policies and
coherent actions are extrapolated from the existing cybersecurity implementations in Africa,
as well as the implementations of leading nations, as described in the Global Cybersecurity
Index and Cyberwellness Report (ITU, 2015). In selecting the GP and CA, the SA context
was in the forefront guided by the set of diagnoses, in order to ensure the applicability and
suitability of the recommendations.
4.4 Strategy Implementation
Precisely, strategy implementation is the “execution of the activities that make up the strategy”
(Goldman & Nieuwenhuizen, 2006). The simplicity of this definition, however, does not
match the practicality of implementing a strategy since most strategies fail to be implemented
due to the challenges and complexities of strategy implementation (Rumelt, 2011).
According to Wheelen and Hunger (2012), before the process of implementing a
strategy begins the following questions need to be considered:
1. Who are the people who will implement the strategy?
2. What needs to be done to implement the strategy?
3. How is everyone going to work together to do what is needed?
The first question focuses on identifying the people needed to implement the strategy.
As previously mentioned, implementing the proposed strategy will require diverse personnel
from multiple departments across the public sector and the private sector. As such, it will be
crucial to be explicit with regard to which departments will play a role in this phase.
The second question is concerned with what needs to be done, in order to implement
the strategy. Three elements are key in addressing this enquiry, namely: drafting programs; a
budget; and various procedures. “A program is a statement of the activities or steps needed to
accomplish a single-use plan”. In the case of the proposed strategy, a program can be equated
to a guiding policy. Programs are not limited to those defined in the strategy. Instead, they are
inclusive of all activities needed, even before the implementation of the agreed-upon
policies, such as establishing supportive personnel training, if necessary.
Following the program outline, a detailed budget is to be developed to make known
the cost of each program. Finally, procedures, also known as Standard Operating Procedures
(SOP) for each program need to be outlined. These are sequential steps entailing how each
program should be done. In the context of this study, the coherent actions for guiding policies
can be seen as the SOPs; because these actions are the coordinated steps of actions aimed at
addressing a guiding policy.
The final question deals with possible restructuring in the organization – in such a
manner that would be conducive to executing a new strategy. This involves ensuring that
each program is staffed with adequate personnel. The execution of the proposed strategy will
require personnel and intellect from various government departments across the public sector.
Wheelen and Hunger (2012) recommend that each of the departments involved needs to draw
up plans of action. Thereafter, all the respective action plans should be condensed into a
single implementation plan.
4.5 Strategy Control
Strategy control is intended to ensure that the stipulated strategic objectives are achieved
(Enz, 2009; Goldman & Nieuwenhuizen, 2006). According to Wheelen and Hunger (2012),
strategy control comprises five steps, as listed below:
1. Determine what to measure;
2. Establish standards of performance;
3. Measure the actual performance;
4. Compare the actual performance with the established standard; and
5. Take corrective action, if necessary.
The above steps recommend that the appropriate body specify all the implementation
processes that will be measured. Once that is clear; the performance measures must be
defined. Such measures should thereafter be compared with the actual performance of the
implementation processes. Finally, corrective actions should be taken, if necessary.
This section described the approach that was taken to develop the proposed strategy.
The following section gives an account for each of the steps defined in the strategy
development process.
5. DEVELOPING THE NATIONAL CYBERSECURITY CULTURE STRATEGY
This section discusses the development of the proposed cybersecurity strategy. It does so by
providing a detailed account for each of the steps defined in the strategy development
approach presented in Figure 1 in the previous section.
5.1 Strategy Direction
It was stated in subsection 4.1 that the strategy direction can be derived from the long-term
objectives. As such, this paper will not attempt to formulate the vision and mission for this
strategy; because the objective for the proposed strategy is defined in NCPF as to “Promote a
culture of Cybersecurity” (SA Government Gazette, 2015).
Furthermore, the purpose of the culture is captured as follows:
“To effectively deal with Cybersecurity, it is prudent that civil society,
government and the private sector play their part in ensuring South Africa has
a culture of Cybersecurity. Critical to this is the development of a culture of
Cybersecurity, in which the role players understand the risks of surfing in
cyberspace” (SA Government Gazette, 2015).
The NCPF is deemed sufficient to provide the strategic direction of SA concerning a
cybersecurity culture. The following subsection will address the environmental assessment.
5.2 Environmental Assessment
The environmental assessment is intended to identify the challenges, gaps and weaknesses
from the environment under review. In this study such challenges, gaps and weaknesses are
referred to as diagnostics. Subsection 4.2 made known that information was gathered from
written sources. Additionally, the assessment is carried out in a conditioned and formal
manner. It focused on aspects of government leadership, stakeholder collaboration, resource
allocation and availability, availability of methods and means to cultivate a cybersecurity culture,
and the monitoring and evaluation of existing methods and means.
The results from the environmental assessment indicated a lack of government-led
initiatives for the functions stipulated in the ontology for cultivating cybersecurity culture.
The sources revealed that other stakeholders such as Academia, International Community and
Industry are most proactive and leading in the functions instead of the government. This
indicates a lack of accountability from the government point of view (Cybersecurity Hub,
2015; Dube, 2015; Lewis, 2015; Lotz, 2015; Mashiloane, 2014; Wamala, 2011).
Additionally, a lack of skilled personnel in the police force as well as in the education
environment was established. Cybersecurity capacity is a crosscutting issue in both the private
sector and the public sector. Agencies such as SAPS, educators and business need formal
education and training to equip them in dealing with the cybersecurity phenomenon. As it stands,
SA does lack a capacity development program to address such needs (Kritzinger, 2014; Lotz,
2015; Mashiloane, 2014).
Furthermore, international bodies such as the ITU and OECD place emphasis on the
necessity of legal measures and a national cybersecurity framework in order to foster a culture
of cybersecurity. In SA, however, it was found that, apart from the NCPF and the
Cybersecurity Bill (which has not yet been enacted), a lack of cybersecurity regulation is
apparent (Department of State Security, 2012; Luiijf, Besseling, & De Graaf, 2013; von
Solms & von Solms, 2015). Additionally, it was found that SA has no government-led
research initiatives (Department of State Security, 2015). However, across nations research is
pivotal in cybersecurity at large. In terms of stakeholder collaboration, it was found that the
government is part of some collaboration initiatives (von Solms & von Solms, 2015). Even
more, it is established that other relevant stakeholders such as academia, the international
community and business industry are eager and active in forming partnerships that contribute to
cultivating a cybersecurity culture without the involvement of the government (Kritzinger,
2014; SABRIC, 2016; South African Cyber Security Academic Alliance, 2015; UJ Centre for
CyberSecurity, 2016; Wamala, 2011). Since the government ought to be the lead stakeholder,
it seems that it is poorly managing stakeholders by not providing guidance, support and
platforms that will promote such partnerships and collaborations amongst all stakeholders. In
terms of resource allocation, in SA there seems to be a lack of financial resources (R von
Solms & von Solms, 2015). Similar to traditional culture, a cybersecurity culture will take
time to evolve (Gcaza et al., 2015). Methods and means towards fostering such a culture will
need to be monitored in order to assess the progress and to ensure that activities remain relevant
and aligned to the ever-changing requirements of cybersecurity. Developed countries such as
the US and UK have stipulated certain benchmarks and success indicators in order to monitor
relevant cybersecurity culture initiatives. SA can adopt this practice as monitoring and
evaluation is currently lacking (Kortjan, 2013; Kortjan & Solms, 2014; Kortjan & von
Solms, 2013). From this discussion that is based on the environmental assessment, the
following list of diagnostics was identified:
- Diagnosis 1 (D1): Poor Government Accountability
- Diagnosis 2 (D2): Lack of Resources
- Diagnosis 3 (D3): Poor Stakeholder Management
- Diagnosis 4 (D4): Lack of Regulation
- Diagnosis 5 (D5): Lack of Skilled Human Resources
- Diagnosis 6 (D6): Lack of Research and Development
- Diagnosis 7 (D7): Lack of Monitoring and Evaluation
Essentially, the above is a list of the major diagnostics or elements that need to be
addressed by the proposed national strategy, in order to achieve the main objective of
cultivating a national cybersecurity culture in SA. These diagnostics will be used as inputs to
the strategy formulation process that follows.
5.3 Strategy Formulation
Each of the individual diagnostics, with its underlying guiding policies (GP) and coherent
actions (CA) will be discussed in the following subsections.
5.3.1. D1: Increased Government Accountability
It is appreciated globally that it is the responsibility of every government to ensure the
national security (High-Level Experts Group (HLEG), 2008; Wamala, 2011; World
Economic Forum, 2012). It is a fact that national security is threatened when cybersecurity is
neglected. Therefore, the SA government should lead and account for cybersecurity culture
implementations. To assist the SA government in this greater accountability, the following
guiding policies are proposed.
a) GP1.1: Leadership
It is appreciated in the NCPF that the SA government needs to take the lead in
cybersecurity. It is endorsed throughout the global community that each country must
take up the responsibility to ensure cybersecurity in all levels of society (High-Level
Experts Group (HLEG), 2008; Wamala, 2011; World Economic Forum, 2012). In terms
of leadership in a cybersecurity culture, a dedicated body or individual within the CRC
should be appointed to oversee that the government is leading all the stakeholders in all
the cybersecurity culture functions. The suggested action is as follows:
i. CA1.1.1: Establish a dedicated body within CRC for cybersecurity culture, as well as a cybersecurity culture coordinator.
b) GP1.2: Establishment of government-led initiatives
Having appointed a Cybersecurity Culture Coordinator, government-led activities should
be established to support every single function that is stipulated in the ontology. From the
assessment it was clear that SA is not on par in particularly three functions: Raising
awareness, Formal Education and Research. Developed Countries, such as the US and
Canada have noteworthy successes in this regard. Currently, the US is bolstering its
national awareness and education pillars; and SA could indeed learn from this. Perhaps
the point of departure is the establishment of national means, as suggested below.
i. CA1.2.1: Establish a national awareness campaign.
ii. CA1.2.2: Establish a national cybersecurity curriculum.
c) GP1.3: Continual Support
Taking into consideration the pace at which the SA government is progressing in this
regard, continuous support is necessary to bolster the existing initiatives. This can ensure
that government efforts are rolled out timeously and that they remain relevant.
i. CA1.3.1: Bolster existing initiatives.
5.3.2. D2: Lack of Resources
Resources are an essential component, be they financial resources, infrastructure,
information, people or application. These can be deemed as enablers. An adequate allocation
thereof is critically important. From a business point of view, KPMG suggests that a
company poses the following questions, amongst others: “How large should our
cybersecurity budget be; and how should we spend it? How much of our cybersecurity
budget is spent on systems and tools; and how much on awareness and culture change?”
(KPMG, 2014). It is evident that these are the questions that nations, such as the UK and US,
ask themselves, judging from the clarity of their financial resource allocation. There is no
reason why SA should not adopt this approach. Therefore, the guiding policy and coherent
action is stated below.
a) GP2.1: Resource allocation
i. CA2.1.1: Allocate sufficient dedicated financial capital.
5.3.3. D3: Poor stakeholder management
According to Luiijf et al. (2013), a national cybersecurity strategy should “align the whole of
government”; “co-ordinate public and private planning; and convey the envisaged roles,
responsibilities and relationships between all the stakeholders” and “convey one’s national
intent to other nations and stakeholders”. It was revealed that in SA, there is a pre-emptive
response to cybersecurity culture from several stakeholders.
The government can take advantage of this response to better co-ordinate its
partnerships. Furthermore, it is accepted that every single stakeholder holds some
responsibility in cultivating a culture. However, the government should take the lead in
clarifying what this responsibility entails through various means of stakeholder engagement.
The National Institute of Standards and Technology (NIST) (in the US) employed a
stakeholder engagement approach in developing its cybersecurity framework (National
Institute of Standards and Technology, 2014). This approach is beneficial because all the
stakeholders are part of the strategic planning throughout the implementation thereof.
a) GP3.1: Stakeholder engagement
For successful stakeholder engagement, a plan has to be in place to specify the purpose of
the engagement, the envisaged results from the engagement, as well as the manner in which
the engagement will take place (Cundy et al., 2013). Different methods of engagement can
be used for different stakeholders. These methods include meetings, workshops,
conferences and surveys.
i. CA3.1.1: Develop a stakeholder engagement plan.
b) GP3.2: Partnership and collaboration
The SA government should establish partnerships with stakeholders within the government,
as well as with stakeholders in the private sector. Additionally, international
partnerships should be supported.
i. CA3.2.1: Establish public-private sector partnerships.
ii. CA3.2.2: Establish international partnerships.
5.3.4. D4: Lack of regulation
The ITU recommends that a nation should develop legal measures pertaining to cybercrime.
The lack of cybersecurity legal measures is not unique to SA; it is a global issue across
nations. Some developed countries are leading in this regard. This creates an opportunity for
developing countries to learn from them and adopt the practices that are applicable to their needs.
Regulation can be viewed as a two-legged process, with lawmaking on one side and law
enforcement on the other. The assessment revealed that SA is lacking on both ends.
Therefore, the guiding policies are to develop legislative measures, as well as enforcement
measures.
a) GP4.1: Legislation
At a national level, there is a great need for a cybersecurity policy. Currently, SA is in
the process of developing a legal framework, starting from the Cybersecurity Bill.
Additionally, SA can adopt a cybersecurity certification and accreditation program to
encourage compliance in the national security agencies and the banking industry.
i. CA4.1.1: Develop a cybersecurity policy
ii. CA4.1.2: Develop cybersecurity standards
iii. CA4.1.3: Establish accreditations for compliance programs
iv. CA4.1.4: Adopt cybersecurity competency models for industry.
b) GP4.2: Enforcement
The findings revealed that currently, in SA, one would be unlikely to get effective
assistance at police stations when reporting cybercrime incidents. Establishing
cybercrime units within the South African Police Service (SAPS) can alleviate this issue
and, in turn, serve the community better than online reporting mechanisms alone, such as the
national Cybersecurity Hub. Once accreditations for compliance programs have been
implemented, appropriate inspections could encourage industries to regularly update their
cybersecurity measures.
i. CA4.2.1: Establish cybercrime units in major SAPS police stations
ii. CA4.2.2: Establish a cybersecurity inspection program.
5.3.5. D5: Lack of skilled human resources
The effectiveness of labour depends on the education, training and the quality of human
capital (Moses-Òkè, 2012). The lack of skilled human resources is not unique to SA. To
address this issue, it is recommended by the ITU national cybersecurity guide that national
programs be developed for the relevant professions. The focus should be on higher education
qualifications, training for those who are already in the workforce, and crucially, the capacity
within the law enforcement agencies.
a) GP5.1: Capacity Development
i. CA5.1.1: Establish higher education certification
ii. CA5.1.2: Establish cybersecurity internships
iii. CA5.1.3: Promote training for human resources already in the workforce
iv. CA5.1.4: Establish an enforcement capacity.
5.3.6. D6: Lack of Research and Development
“A concerted and collaborative research effort is needed to manage the situation and to
provide solutions to the pressing cybersecurity problems our nation faces” (Wybourne et al.,
2009). The need for research cannot be overemphasized. SA appreciates the need to partner
with higher education institutions for the purpose of research and development (Department
of State Security, 2015). Research and development can contribute greatly to the
development of a context-sensitive solution that will meet the needs of all levels of the South
African Nation.
a) GP6.1: National Cybersecurity Research Program
This can be practically realized by establishing a national cybersecurity research agenda and
funding postgraduate research across the disciplines. The research agenda should have
projects that ultimately place SA in a position to implement innovative cybersecurity
measures that are of a global standard. Additionally, the research outcomes should
produce statistical data, particularly on country-specific needs, to assist SA in developing
tailor-made cybersecurity programs.
i. CA6.1.1: Establish a national cybersecurity research bursary scheme
ii. CA6.1.2: Establish a national cybersecurity culture research agenda.
5.3.7. D7: Lack of monitoring and evaluation
Monitoring is defined as “the systematic process of collecting, analysing and using
information to track a programme's progress in reaching its objectives and to guide
management’s decisions” (Umhlaba Development Services, 2011). Evaluation is defined as
“a systematic and objective examination concerning the relevance, effectiveness, efficiency
and impact of activities in the light of specified objectives” (Benedict, 2016). From both
definitions, it is clear that for monitoring and evaluation to be useful, clear objectives should
be set. Additionally, having clear indicators is beneficial in determining whether or not a
program is going to be a success.
a) GP7.1: Monitor and Evaluate
One of the guidelines from the Organization for Economic Co-Operation and
Development (OECD) for a cybersecurity culture is reassessment (OECD, 2002). This
refers to reviewing and reassessing the security efforts, in order to make the appropriate
modifications to security policies, practices, measures and procedures, in order to
maintain the relevance and effectiveness of the measures. For all cybersecurity culture
functions, there should be means whereby they can be monitored and evaluated.
i. CA7.1.1: Define benchmarks
ii. CA7.1.2: Define success indicators for initiatives
iii. CA7.1.3: Develop evaluation criteria
iv. CA7.1.4: Publish periodic progress reports
Taking into consideration all that has been argued above, the proposed national
strategy for cybersecurity culture, consisting of diagnosis, guiding policies and coherent
actions, has been summarized and presented in Figure 4 below.

Figure 4: Proposed National Cybersecurity Culture Strategy
Figure 4 presents a condensed view of the strategy formulation content, which includes the
list of diagnosis, guiding policies and coherent actions.
This section has expanded on the diagnostics established from the environmental
assessment in the previous section. It did this by suggesting suitable guiding policies (GPs)
and coherent actions (CAs) that can be taken in cultivating the envisaged cybersecurity
culture. As mentioned, the guiding policies and coherent actions are extrapolated from the
existing cybersecurity implementations in African nations, as well as the implementations of
leading nations, as described in the Global Cybersecurity Index and the Cyberwellness
Report (ITU, 2015). The following section will discuss how SA can go about implementing
the proposed policies and actions.
5.4 Strategy Implementation
In Subsection 4.4, strategy implementation was described as executing the activities
stipulated in the strategy. As simple as that may seem, it was noted that successful
implementation requires a comprehensive implementation plan to be developed. Developing an
implementation plan requires clarity about all the required human capital (Wheelen & Hunger,
2012). However, cybersecurity culture has multiple role-players whose roles and
responsibilities require particular consideration in order to be delineated. As such, this paper
will not attempt to develop a comprehensive implementation plan. It does, however, suggest
that such an implementation plan should place the following programs at the forefront:
1. Appointing a dedicated body for cybersecurity culture within the CRC
2. Resource allocation
3. Launch the Cybersecurity Research Agenda
4. Develop a robust stakeholder engagement plan
5. Establishing partnerships
Since it is the CRC that is charged with the role of co-ordinating national cybersecurity
efforts, it is assumed that it would appoint such a body and allocate the necessary resources,
starting with a budget. It is generally accepted that cultivating a cybersecurity culture is a
complex matter, as many stakeholders and many subcultures exist in SA. These very
stakeholders have certain roles and obligations to uphold in the process. Even more, the
stakeholders are also the beneficiaries of the national cybersecurity culture. As such, the CRC
has to take it upon itself to clarify these roles and responsibilities to the relevant stakeholders,
and to stress the importance of their involvement in the process. This makes stakeholder
engagement very important for the success of the strategy.
5.5 Strategy Control
The guiding policies and coherent actions defined in Subsection 5.3.7 play a crucial role in
the strategy-control phase. In this section, it is suggested that the body responsible for
cybersecurity culture should define benchmarks for all the initiatives that will be developed.
It must also stipulate clear success indicators for each of the initiatives. This will ensure that
progress towards the targets can be measured. After a program is rolled out to the targeted
audience, it should be evaluated in order to determine its effectiveness. Based on the results of the
evaluation, the strategy can be amended accordingly. To ensure transparency to all the
stakeholders, periodic reports must be published. Adhering to the strategy control process, as
defined in Subsection 4.5, together with the control policies recommended in the proposed
strategy, can ensure that the objectives of the strategy are achieved. The following section will
provide some concluding remarks.
5.6 The Validity of the Strategy
The validity of research findings can be attributed either to the use of a rigorous process in
conducting the research or to the argumentation provided by the researcher (von Solms & van
Niekerk, 2011). In the case of this research, the validity of the strategy rests on the use
of a rigorous strategy development process as defined by Tsokota et al. (2017). According to
Holloway and Galvin (2016), the use of a sound methodology can ensure the trustworthiness
of research findings. This is in agreement with Oates (2006), who suggests that the use of an
appropriate research approach produces accurate and meaningful results.
Based on this, the strategy development process that was used to craft the proposed
strategy is deemed sufficient to ensure that the resultant strategy is valid. The process is
firmly established on the principles of the strategy kernel as defined by Rumelt (2011).
According to Rumelt (2011), the purpose of the kernel is to separate a 'good' strategy from a
'bad' strategy. A bad strategy is characterized by having goals without a clear indication of
how the goals can be achieved. On the contrary, a good strategy is characterized by having
goals, identifying what hinders the organization in reaching those goals, and identifying precise
and coherent actions that need to occur to remedy the hindrances towards achieving the goals.
In essence, the strategy kernel is the heart of a good strategy, and it was adopted in order to ensure that
the proposed strategy is 'good', thus ensuring the validity of the proposed strategy.
6. CONCLUSION
South Africa increasingly relies on Internet services in its normal,
everyday operations. In addition to this, SA has accepted that Internet access is a basic right
for all citizens. This paper has argued that, alongside connectivity, cybersecurity should also
be a priority. An accepted approach to implementing cybersecurity lies in
cultivating a culture of cybersecurity. Fortunately, in the NCPF, SA also accepts that a culture of
cybersecurity is an imperative.
Based on this, this paper proposes a national strategy for cultivating
such a cybersecurity culture. To develop the proposed strategy, this paper used the strategy
development process defined by Tsokota et al. (2017). The use of the selected strategy
development process narrows the 'gap' between strategy and implementation that
normally exists in many strategies. From this process, the research contributes a diagnosis of
the issues that are currently hindering SA from establishing the envisaged cybersecurity culture.
The diagnostics are: poor government accountability, lack of resources, poor stakeholder
management, lack of regulation, lack of skilled human resources, lack of research and
development, and lack of monitoring and evaluation. Accordingly, the paper contributes a list
of guiding policies and coherent actions relevant and suitable to the South African context as
a means towards addressing the identified diagnostics.
The limitations of the study lie in the strategy implementation phase
and the control phase. This is because an implementation plan was not developed, apart from
suggesting which activities should be at the forefront of executing the strategy. Additionally,
the strategy evaluation partly relies on the correct execution of the policies suggested in the
proposed strategy, meaning that an error in the implementation stage is likely to negatively
impact the control of the strategy.
It might be very difficult, if not impossible, to evaluate or verify that a strategy will
guarantee successful implementation. For this reason, it is important that strategy
development rigorously adheres to a reputable strategy development methodology. In
doing so, the resultant strategy is refined through the checks and balances that form part
of the methodology. Thus, future research can focus specifically on verifying and fine-tuning the strategy prior to or even during the implementation phase. Additionally, the study can
also benefit from an in-depth inquiry into the roles and responsibilities of all role-players in the
cybersecurity culture domain.
7. REFERENCES
Aguilar, F. J. (1967). Scanning the Business Environment. Macmillan.
Benedict, N. (2016). Defining of Evaluation Stages in Business.
https://www.academia.edu/28458754/DEFINING_OF_EVALUATION_STAGES_IN_BUSINESS.docx
Center for Strategic and International Studies. (2011). Cybersecurity Two Years Later.
https://doi.org/978-0-89206-625-4
Chandler, A. D. (1962). Strategy and Structure. In Chapters in the History of the American
Industrial Enterprise. MIT Press.
Christiansen, B. (2014). Handbook of Research on Effective Marketing in Contemporary
Globalism. IGI Global.
Cundy, A., Bardos, R., Church, A., Puschenreiter, M., Friesl-Hanl, W., Müller, I., …
Vangronsveld, J. (2013). Developing Principles of Sustainability and Stakeholder
Engagement for “Gentle” Remediation Approaches: The European Context. Journal
of Environmental Management, 129, 383–291.
Cybersecurity Hub. (2015). Cybersecurity Hub.
De Lanerolle, I. (2016). Internet Freedom: Why Access is Becoming a Human Right.
http://themediaonline.co.za/2016/06/internet-freedom-why-access-is-becoming-a-human-right/
Department of State Security. (2012). Statement on the Approval by Cabinet of the Cyber
Security Policy Framework for South Africa. http://www.info.gov.za/speech/
DynamicAction?pageid=461&tid=59794
Department of State Security. (2015, March 1). Minister David Mahlobo: Cybersecurity
Symposium. Speeches. Johannesburg, South Africa. http://www.gov.za/speeches/
minister-david-mahlobo-cybersecurity-symposium-1-mar-2015-0000
Dube, B. (2015). Minister David Mahlobo: Closing session of State Security Cybersecurity
Conference. Speeches. Pretoria, South Africa.
eNCA. (2016, July 6). 8.8 million South Africans hit by cyber crime. eNews Channel Africa.
Johannesburg, South Africa. https://www.enca.com/technology/88-million-south-africans-hit-by-cyber-crime
Enz, C. (2009). Hospitality Strategic Management: Concepts and Cases. Wiley Publishing.
Fred, N. (2016). Strategy Definitions & Meanings.
Gartner, S. S. (1997). Strategic Assessment in War. London: Yale University Press.
Gcaza, N., von Solms, R., & van Vuuren, J. (2015). An Ontology for a National Cyber-Security Culture Environment. In Proceedings of the Ninth International Symposium
on Human Aspects of Information Security & Assurance (HAISA 2015) (1-10).
Glueck, W. F. (1972). Business Policy: Strategy Formation and Management Action.
McGraw-Hill.
Goldman, G., & Nieuwenhuizen, C. (2006). Strategy: Sustaining Competitive Advantage in a
Globalised Context. Juta and Company Ltd.
High-Level Experts Group (HLEG). (2008). ITU Global Cybersecurity Agenda High-Level
Experts Group (HLEG) Global Strategic Report. Geneva, Switzerland. Retrieved
from http://www.cybersecurity-gateway.org/pdf/global_strategic_report.pdf
ITU. (2015). Global Cybersecurity Index & Cyberwellness Profiles. Switzerland.
Johnson, G., Whittington, R., & Scholes, K. (2009). Exploring Strategy. (Prentice Hall, Ed.)
(9th ed.).
Kortjan, N. (2013). A Cyber Security Awareness and Education Framework for South Africa.
Nelson Mandela Metropolitan University. http://contentpro.seals.ac.za/iii/cpro/
app?id=0865119265660214&itemId=1014829&lang=eng&service=blob&suite=def
Kortjan, N., & von Solms, R. (2014). A Conceptual Framework for Cyber-Security
Awareness and Education in SA. South African Computer Journal, 52, 29-41.
Kortjan, N., & von Solms, R. (2013). Cyber Security Education in Developing Countries: A
South African Perspective. In e-Infrastructure and e-Services for Developing
Countries (289–297). Springer.
KPMG. (2014). Cyber security: it's not just about technology. https://www.kpmg.com/
Global/en/IssuesAndInsights/ArticlesPublications/Documents/cyber-security-not-just-technology.pdf
Kritzinger, E. (2014). Cyber-safety A South African School Perspective. Johannesburg, South
Africa. http://eagle.unisa.ac.za/elmarie/images/Pdf/r2.pdf
Lester, R., & Waters, J. (1985). Environmental Scanning and Business Strategy. London,
UK: British Library, Research and Development Department.
Lewis, C. (2015). SA ranks high in cybercrime. http://www.sabc.co.za/news/a/
ebe2b3004a2f054d9f61dfa53d9712f0/SA-ranks-high-in-cybercrime-20151012
Lotz, B. (2015). We don't have enough people to cope with cybercrime, Hawks.
Cybersecurity News. Africa. http://www.htxt.co.za/2015/09/10/we-dont-have-enough-people-to-cope-with-cybercrime-hawks/
Luiijf, E., Besseling, K., & De Graaf, P. (2013). Nineteen National Cyber Security Strategies.
International Journal of Critical Infrastructures, 9, 1-2, 3-31.
Mashiloane, L. (2014, May 29). Piet Pieterse: SAPS intensifies cybercrime battle. ITWEB.
Johannesburg, South Africa. http://www.itweb.co.za/mobilesite/news/134890
Mintzberg, H., Ahlstrand, B., & Lampel, J. (1998). Strategy Safari: A Guided Tour through
the Wilds of Strategic Management. New York: The Free Press.
Moses-Òkè, R. (2012). Cyber Capacity without Cyber Security: A Case Study of Nigeria's
National Policy for Information Technology (NPFIT). The Journal of Philosophy,
Science & Law, 12, 1–14. http://jpsl.org/archives/cyber-capacity-without-cyber-security-case-study-nigerias-national-policy-information-technology-npfit/
National Institute of Standards and Technology. (2014). Framework for Improving Critical
Infrastructure Cybersecurity.
OECD. (2002). Recommendation of the Council Concerning Guidelines for the Security of
Information Systems and Networks - Towards a Culture of Security.
http://acts.oecd.org/Instruments/ShowInstrumentView.aspx?InstrumentID=116&Lang
=en&Book=False
Porter, M. (1986). The Strategic Role of International Marketing. Journal of Consumer
Marketing, 3, 2, 17–21.
Rumelt, R. (2011). Good Strategy/Bad Strategy. USA: Profile Books LTD.
SA Government Gazette. (2015). National Cybersecurity Policy Framework for South Africa.
SABRIC. (2016). The South African Banking Risk Information Centre.
https://www.sabric.co.za/
Sharma, R. (2012). Study of Latest Emerging Trends on Cyber Security and its Challenges to
Society, 3, 6, 2010-2013.
South African Cyber Security Academic Alliance. (2015). Welcome to SACSAA.
http://www.cyberaware.org.za/
Temtime, Z. (2001). Environmental Scanning Behavior of Small and Medium Firms in
Developing Economies: Evidence from Botswana. Pakistan Journal of Applied
Sciences, 1, 3, 263–269.
Tsokota, T., von Solms, R., & van Greunen, D. (2017). An ICT Strategy for the Sustainable
Development of the Tourism Sector in a Developing Country: A Case Study of
Zimbabwe. Electronic Journal of Information Systems in Developing Countries, 78,
5, 1-20.
UJ Centre for CyberSecurity. (2016). UJ Centre for Cyber Security. Retrieved September 6,
http://adam.uj.ac.za/csi/
Umhlaba Development Services. (2011). Introduction to Monitoring and Evaluation Using
the Logical Framework Approach. Johannesburg, South Africa.
http://eeas.europa.eu/archives/delegations/ethiopia/documents/eu_ethiopia/ressources/m_e_manual_en.pdf
von Solms, R., & van Niekerk, J. (2011). Research in Computer Science, Information
Systems and Information Technology - Back to the Basics. In Proceedings of the 41st
Annual Conference of the Southern African Computer Lecturers’ Association
(SACLA) (5). Fairmont Zimbali Resort.
von Solms, R., & van Niekerk, J. (2013). From Information Security to Cyber Security.
Computers & Security, 38. 97-102. http://www.sciencedirect.com/science/article
/pii/S0167404813000801
von Solms, R., & von Solms, B. (2015). National Cyber Security in South Africa: A Letter to
the Minister of Cyber Security. In The Proceedings of the 10th International
Conference on Cyber Warfare and Security: ICCWS2015 (p. 369). Kruger National
Park: Academic Conferences Limited.
Wamala, F. (2011). ITU National Cybersecurity Strategy Guide. Chemistry & Geneva,
Switzerland. http://onlinelibrary.wiley.com/doi/10.1002/cbdv.200490137/abstract
Wheelen, T. L., & Hunger, J. D. (2012). Strategic Management and Business Policy: Toward
Global Sustainability (13th ed.). Pearson/Prentice Hall.
World Economic Forum. (2012). Risk and Responsibility in a Hyperconnected World
Pathways to Global Cyber Resilience. http://www3.weforum.org/docs/WEF_IT_
PathwaysToGlobalCyberResilience_Report_2012.pdf
Wybourne, M., Austin, M. F., & Palmer, C. C. (2009). National Cyber Security: Research
and Development Challenges. US.
Zeldin, W. (2012). U.N. Human Rights Council: First Resolution on Internet Free Speech.
http://www.loc.gov/law/foreign-news/article/u-n-human-rights-council-first-resolution-on-internet-free-speech/