A STRATEGY FOR A CYBERSECURITY CULTURE: A SOUTH AFRICAN PERSPECTIVE

Electronic Journal of Information Systems in Developing Countries (www.ejisdc.org), May 2017. EJISDC (2017) 80, 6, 1-17. DOI: 10.1002/j.1681-4835.2017.tb00590.x

Noluxolo Gcaza
Nelson Mandela Metropolitan University & Council for Scientific and Industrial Research, South Africa
s208045801@live.nmmu.ac.za

Rossouw von Solms
Nelson Mandela Metropolitan University, South Africa
rossouw.vonsolms@nmmu.ac.za

ABSTRACT

Nowadays, having Internet access is deemed to be a basic human right. The South African government has embraced this notion; and as a result, free Wireless Internet (WiFi) has been rolled out in numerous cities in the country. This national effort to connect South African citizens is, however, not matched with adequate national cybersecurity efforts. Across nations, cultivating a culture in pursuing cybersecurity is well appreciated as a fundamental approach. In line with this, the South African government envisages a culture of cybersecurity amongst its citizens. However, there is an apparent lack of a practical plan to cultivate such a cybersecurity culture in South Africa.
This paper proposes a national strategy for promoting a cybersecurity culture in South Africa.

KEYWORDS

Culture; Cybersecurity; National Strategy

1. INTRODUCTION

In many nations across the globe, cybersecurity is accepted as a national priority (Center for Strategic and International Studies, 2011). According to Sharma (2012), a lack of cybersecurity can cripple the economy and safety of an entire nation. This is owing to the apparent dependence on cyberspace to perform functions deemed critical to the wellbeing of individuals, organizations and nations. Such a reliance on cyberspace is speedily shifting Internet access from being a ‘luxury’ for a few to becoming a ‘basic human right’ for all (Zeldin, 2012).

Although the ever-increasing reliance on cyberspace should solidify the need for cybersecurity, nations like South Africa (SA) still lag behind. Currently in SA, there are instances where not having Internet access prohibits citizens from executing rather essential functions, like registering a company, or applying for schools (De Lanerolle, 2016). Accordingly, in parts of SA, the government provides free access to cyberspace (De Lanerolle, 2016). This transition in the way SA operates will lead to an increasing dependence on and adoption of cyberspace.

It is known that cyberspace, having such endless opportunities, also has endless risks associated with cyber-related services. It was revealed that SA ranked 3rd in the world in terms of cybercrime victims (Lewis, 2015). As it is, over eight million South Africans have fallen victim to cybercrime (eNCA, 2016). Moreover, it is reported that more and more SA citizens are aware of the reality of cybercrime. However, security is viewed as a “hassle” (eNCA, 2016). This draws attention to the security in cyberspace, as well as the safety of SA citizens whilst they are active in cyberspace.
As such, alongside the call for a “Connected South Africa”, there should also be the call for promoting a secure connected SA. Regrettably, in so far as cybersecurity implementation is concerned, SA lags behind (R von Solms & von Solms, 2015).

Cybersecurity can be defined as “the protection of cyberspace itself, the electronic information, the [Information and Communication Technologies], as well as ICTs that support cyberspace, and the users of cyberspace in their personal, societal and national capacity, including any of their interests, either tangible or intangible, that are vulnerable to attacks originating in cyberspace” (von Solms & van Niekerk, 2013). Indeed, the challenge of cybersecurity is not unique to SA. Many nations have developed and implemented cybersecurity policies, in order to address this need. It is accepted that cultivating a cybersecurity culture is an apt approach to promoting a secure consumption of cyberspace (Wamala, 2011). The aim of a cybersecurity culture is to instill “a certain way to ‘naturally behave’ in daily life, a way that subscribes to certain [cybersecurity] assumptions” (Gcaza et al., 2015).

As it is, research that focuses particularly on cybersecurity culture is still in its infancy; and knowledge on the subject is not clearly bounded or defined (Gcaza et al., 2015). This makes it challenging to clearly articulate what a cybersecurity culture should entail, and how it can be fostered. Thus, a national strategy for cultivating such a cybersecurity culture would add great value. Such a strategy should not only clearly articulate what needs to be in place, in order to cultivate the culture; but it would also need to outline how the culture can be cultivated.

Henceforth, the problem description for the study is provided in the following section. Subsequently, an overview of strategy will be discussed.
Thereafter, the research approach employed to conduct this research is introduced. This will be followed by an account of the development of the proposed strategy. Finally, the proposed strategy will be presented, followed by a few concluding remarks.

2. PROBLEM DESCRIPTION

South Africa (SA) acknowledges that a culture of cybersecurity is fundamental to the overall national security. As a result, a cybersecurity policy framework was drafted; and the cabinet of the country approved a National Cybersecurity Policy Framework (NCPF) in the year 2012 (SA Government Gazette, 2015). Amongst other things, the NCPF stipulated the promotion of a cybersecurity culture that subscribes to minimum cybersecurity measures (SA Government Gazette, 2015). Even though the importance of the culture is appreciated in SA, there is an apparent lack of a practical plan or strategy to cultivate a cybersecurity culture. The primary objective of the paper is, therefore, to propose a strategy for a cybersecurity culture in SA.

3. STRATEGY OVERVIEW

The concept of strategy finds its origins in the battlefield. On the battlefield, strategy fundamentally addressed tactically ‘positioning’ troops before any contact with the enemy (Fred, 2016). Subsequent to contact with the enemy, the strategy would need to tactically ‘employ’ the troops, in order that an army could obtain the victory. In this realm, strategy is defined as “the art of distributing and applying military means to fulfill the ends of policy” (Gartner, 1997).

In the business context, the troops can be seen as resources; while the enemy can be seen as the challenges, as well as the competition within the environment, in which the business operates. “In business, as in the military, strategy bridges the gap between policy and tactics. Together, strategy and tactics bridge the gap between ends and means” (Fred, 2016).
A strategy then is a plan that sets out how the organization would position and employ its resources (means), in order to meet its objectives (ends). Mintzberg et al. (1998) define the concept as follows:

“Strategy is a plan: a guide or course of action into the future; a ploy: a specific maneuver intended to outwit an opponent or competitor; a position: determination of particular products in particular markets; a perspective: an organization’s way of doing things, and a pattern: consistency in behavior over time”.

This description delineates strategy into five classifications. It addresses the nature of strategy; generally, a strategy would serve as a guide or roadmap for some objective (plan) (Chandler, 1962). Within a strategy, certain tactics are defined and intended to counter the competitors, or other challenges in the business environment (ploy) (Porter, 1986). Moreover, with strategy, an organization can make well-defined resolutions regarding a particular product for particular markets (position). A strategy distinguishes an organization from others (perspective) (Porter, 1986). Finally, a strategy provides consistency (pattern) (Johnson, Whittington, & Scholes, 2009).

Glueck (1972) defines a strategy as “a unified comprehensive and integrated plan relating the strategic advantages of the firm or enterprise to the challenges of the environment. It is designed to ensure that basic objectives are achieved”. Strategy is also defined as: “The determination of the long-run goals and objectives of an enterprise, and the adoption of courses of action, as well as the allocation of the necessary resources for carrying out these goals” (Chandler, 1962). In one way or another, the delineations of strategy all share one or more of these features of a strategy, as defined by Mintzberg et al. (1998).
Additionally, from the definitions, it is perceived that a strategy is future-oriented. Furthermore, it provides an organization with direction. Considering what a strategy is, clearly, it can strongly support SA in achieving the objective it sets out in the NCPF, of cultivating a cybersecurity culture. A strategy would depict how SA can advance towards this goal.

Even though the business world adapted the concept of strategy from the battlefield, this domain has not solely relied on knowledge obtained in the genesis of strategy. On the contrary, the corporate community has expanded the study of strategy, and taken the practice to higher grounds.

Strategies are developed using various approaches. Consistent across many strategy development processes are the long-term objectives of the organization (Christiansen, 2014; Tesone, 2014; Enz, 2009; Goldman & Nieuwenhuizen, 2006). These goals can be embedded in the mission and vision of the organization. Many authors refer to such in varying ways; but essentially they point in the same direction, which is: A strategy is driven by a vision or intent that leads an organization to the envisaged position. Having identified the objectives, the business environment is assessed, in order to get a sense of both internal and external dynamics. Taking this assessment into account, the strategy is formulated, whereby policies are influenced by the findings from the assessment. Once formulated, the strategy is implemented and controlled accordingly. Therefore, having long-term objectives, assessing the environment, formulating the strategy, implementing the strategy and controlling the strategy can be accepted as the fundamental elements of the strategy development process (Christiansen, 2014; Tesone, 2014; Enz, 2009; Goldman & Nieuwenhuizen, 2006).

This section provided an overview of the concept of strategy and strategy development.
The following section will discuss the process chosen for developing the proposed national strategy for cybersecurity culture.

4. STRATEGY DEVELOPMENT APPROACH

This section discusses the approach that will be used to develop the proposed national strategy for cybersecurity culture. To develop the national strategy for cybersecurity culture this study will adopt an approach defined by Tsokota, von Solms, and van Greunen (2017). This approach was chosen because it closely aligns with the nature of the problem addressed in this study. Specifically, this study addresses a national problem; similarly, the chosen approach was devised for a national problem. The strategy development approach is presented graphically below in Figure 1.

Figure 1: Strategy Development Approach (Source: Adapted from (Tsokota et al., 2017))

Essentially, the process in Figure 1 consolidates the strategy development approaches from Goldman and Nieuwenhuizen (2006), Enz (2009), Tesone (2012) and Christiansen (2014), respectively. Additionally, the approach adopted a strategy kernel as defined by Rumelt (2011). The kernel outlines three hallmarks for a good strategy: a diagnosis; a guiding policy; and coherent action. A diagnosis captures the overall nature of a challenge, as found in the environmental assessment. A guiding policy serves as an overall approach to the challenge identified in the diagnosis. Finally, the coherent actions comprise coordinated steps of action aimed at addressing a guiding policy.

Rumelt (2011) argues that without these components, a strategy is ‘bad’. “A strategy that fails to define a variety of plausible and feasible immediate actions is missing a critical component” (Rumelt, 2011). Rumelt (2011) added that a strategy that fails to address which rational actions ought to be taken to meet the objective is merely ‘fluff’.
Such a strategy would leave a huge gap between strategy and implementation. Accordingly, the purpose of incorporating the strategy kernel is to ensure that the proposed strategy brings forth rational actions that will address the objective of cultivating a culture. In essence, the strategy kernel is deemed critical in ensuring that the proposed strategy is not merely “fluff”.

The approach presented in Figure 1 captures all the fundamental steps of customary strategy development processes (Tsokota et al., 2017). Each of these steps in Figure 1 is discussed in the subsections that follow.

4.1 Strategy Direction

The point of departure of a strategy is the outlining of the direction of the organization. According to Johnson et al. (2009), the strategic direction can be derived from the long-term objectives of the organization. Some organizations make use of statements that comprise the mission, vision and values. However, this is not cast in stone. Conversely, long-term objectives are always applied without fail.

4.2 Environmental Assessment

According to Lester and Waters (1985), the environmental-assessment process consists of the gathering and analyzing of information, and then using “this analyzed intelligence in strategic decision making”. Concerning information gathering, the environmental assessment makes provision for both looking at information (viewing) and looking for information (searching). When conducting an environmental assessment, information can be gathered from different sources. These include personal sources and impersonal sources, also known as written sources. Personal sources include face-to-face communication and telephone communication (Temtime, 2001). Written sources include various documents, reports, news articles and magazines. Aguilar (1967) differentiates the modes of information viewing and searching as follows:

1. Undirected viewing – This is viewing information without being led by a specific purpose.
2. Conditioned viewing – This is viewing information on selected areas guided by a specific purpose.
3. Informal search – This is a planned effort to obtain information on a specific issue.
4. Formal search – This is an unstructured effort of actively looking for information.

The environmental assessment carried out in this study was conditioned and formal. The viewing was guided, since the distinctive dimensions of the national cybersecurity culture environment were specified; and the search was guided, since a set of questions on the environment was outlined. Additionally, information was gathered from relevant written sources. These sources included journal articles, news articles, government policies, government websites and official reports.

4.3 Strategy Formulation

The strategy formulation process consists of three sub-processes, according to Figure 1. The first sub-process is the diagnosis (D), followed by suggested guiding policies (GPs) and coherent actions (CAs), respectively. As mentioned earlier, the diagnosis stems from the environmental assessment recorded in subsection 4.2 above. All the guiding policies and coherent actions are extrapolated from the existing cybersecurity implementations in Africa, as well as the implementations of leading nations, as described in the Global Cybersecurity Index and Cyberwellness Report (ITU, 2015). In selecting the GPs and CAs, the SA context was at the forefront, guided by the set of diagnoses, in order to ensure the applicability and suitability of the recommendations.

4.4 Strategy Implementation

Precisely, strategy implementation is “execution of the activities that make up the strategy” (Goldman & Nieuwenhuizen, 2006).
The simplicity of this definition, however, does not match the practicality of implementing a strategy, since most strategies fail to be implemented due to the challenges and complexities of strategy implementation (Rumelt, 2011). According to Wheelen and Hunger (2012), before the process of implementing a strategy begins, the following questions need to be considered:

1. Who are the people who will implement the strategy?
2. What needs to be done to implement the strategy?
3. How is everyone going to work together to do what is needed?

The first question focuses on identifying the people needed to implement the strategy. As previously mentioned, implementing the proposed strategy will require diverse personnel from multiple departments across the public sector and the private sector. As such, it will be crucial to be explicit with regard to which departments will play a role in this phase.

The second question is concerned with what needs to be done, in order to implement the strategy. Three elements are key in addressing this enquiry, namely: drafting programs; a budget; and various procedures. “A program is a statement of the activities or steps needed to accomplish a single-use plan”. In the case of the proposed strategy, a program can be equated to a guiding policy. Programs are not limited to those defined in the strategy. Instead, they are inclusive of all activities needed, even before the implementation of the agreed-upon policies, such as establishing supportive personnel training, if necessary. Following the program outline, a detailed budget is to be developed to make known the cost of each program. Finally, procedures, also known as Standard Operating Procedures (SOPs), need to be outlined for each program. These are sequential steps entailing how each program should be done.
In the context of this study, the coherent actions for guiding policies can be seen as the SOPs; because these actions are the coordinated steps of actions aimed at addressing a guiding policy.

The final question deals with possible restructuring in the organization – in such a manner that would be conducive to executing a new strategy. This involves ensuring that each program is staffed with adequate personnel. The execution of the proposed strategy will require personnel and intellect from various government departments across the public sector. Wheelen and Hunger (2012) recommend that each of the departments involved needs to draw up plans of action. Thereafter, all the respective action plans should be condensed into a single implementation plan.

4.5 Strategy Control

Strategy control is intended to ensure that the stipulated strategic objectives are achieved (Enz, 2009; Goldman & Nieuwenhuizen, 2006). According to Wheelen and Hunger (2012), strategy control comprises five steps, as listed below:

1. Determine what to measure;
2. Establish standards of performance;
3. Measure the actual performance;
4. Compare the actual performance with the established standard; and
5. Take corrective action, if necessary.

The above steps recommend that the appropriate body specify all the implementation processes that will be measured. Once that is clear, the performance measures must be defined. Such measures should thereafter be compared with the actual performance of the implementation processes. Finally, corrective actions should be taken, if necessary.

This section described the approach that was taken to develop the proposed strategy. The following section gives an account for each of the steps defined in the strategy development process.

5. DEVELOPING THE NATIONAL CYBERSECURITY CULTURE STRATEGY

This section discusses the development of the proposed cybersecurity strategy.
It does so by providing a detailed account for each of the steps defined in the strategy development approach presented in Figure 1 in the previous section.

5.1 Strategy Direction

It was stated in subsection 4.1 that the strategy direction can be derived from the long-term objectives. As such, this paper will not attempt to formulate the vision and mission for this strategy; because the objective for the proposed strategy is defined in the NCPF as to “Promote a culture of Cybersecurity” (SA Government Gazette, 2015). Furthermore, the purpose of the culture is captured as follows:

“To effectively deal with Cybersecurity, it is prudent that civil society, government and the private sector play their part in ensuring South Africa has a culture of Cybersecurity. Critical to this is the development of a culture of Cybersecurity, in which the role players understand the risks of surfing in cyberspace” (SA Government Gazette, 2015).

The NCPF is deemed sufficient to provide the strategic direction of SA concerning a cybersecurity culture. The following subsection will address the environmental assessment.

5.2 Environmental Assessment

The environmental assessment is intended to identify the challenges, gaps and weaknesses from the environment under review. In this study such challenges, gaps and weaknesses are referred to as diagnostics. Subsection 4.2 made known that information was gathered from written sources. Additionally, the assessment was carried out in a conditioned and formal manner. It focused on aspects of government leadership, stakeholder collaboration, resource allocation and availability, the availability of methods and means to cultivate a cybersecurity culture, and the monitoring and evaluation of existing methods and means.
The results from the environmental assessment indicated a lack of government-led initiatives for the functions stipulated in the ontology for cultivating cybersecurity culture. The sources revealed that other stakeholders, such as Academia, the International Community and Industry, are the most proactive and are leading in the functions instead of the government. This indicates a lack of accountability from the government's point of view (Cybersecurity Hub, 2015; Dube, 2015; Lewis, 2015; Lotz, 2015; Mashiloane, 2014; Wamala, 2011).

Additionally, a lack of skilled personnel in the police force as well as the education environment was established. Cybersecurity capacity is a crosscutting issue in both the private sector and the public sector. Agencies such as SAPS, educators and business need formal education and training to equip them in dealing with the cybersecurity phenomenon. As it stands, SA lacks a capacity development program to address such needs (Kritzinger, 2014; Lotz, 2015; Mashiloane, 2014).

Furthermore, international bodies such as the ITU and OECD place emphasis on the necessity of legal measures and a national cybersecurity framework in order to foster a culture of cybersecurity. In SA, however, apart from the NCPF and the Cybersecurity Bill, which is currently not enacted, a lack of cybersecurity regulation is apparent (Department of State Security, 2012; Luiijf, Besseling, & De Graaf, 2013; von Solms & von Solms, 2015). Additionally, it was found that SA has no government-led research initiatives (Department of State Security, 2015). However, across nations, research is pivotal in cybersecurity at large.

In terms of stakeholder collaboration, it was found that the government is part of some collaboration initiatives (von Solms & von Solms, 2015).
Even more, it is established that other relevant stakeholders, such as academia, the international community and the business industry, are eager and active in forming partnerships that contribute to cultivating a cybersecurity culture without the involvement of the government (Kritzinger, 2014; SABRIC, 2016; South African Cyber Security Academic Alliance, 2015; UJ Centre for CyberSecurity, 2016; Wamala, 2011). Since the government ought to be the lead stakeholder, it seems that it is poorly managing stakeholders by not providing guidance, support and platforms that will promote such partnerships and collaborations amongst all stakeholders.

In terms of resource allocation, in SA there seems to be a lack of financial resources (R von Solms & von Solms, 2015).

Similar to traditional culture, a cybersecurity culture will take time to evolve (Gcaza et al., 2015). Methods and means towards fostering such a culture will need to be monitored in order to assess the progress and to ensure that activities remain relevant and aligned to the ever-changing requirements of cybersecurity. Developed countries such as the US and UK have stipulated certain benchmarks and success indicators in order to monitor relevant cybersecurity culture initiatives. SA can adopt this practice, as monitoring and evaluation is currently lacking (Kortjan, 2013; Kortjan & Solms, 2014; Kortjan & von Solms, 2013).
From this discussion, which is based on the environmental assessment, the following list of diagnostics was identified:

Diagnosis 1 (D1): Poor Government Accountability
Diagnosis 2 (D2): Lack of Resources
Diagnosis 3 (D3): Poor Stakeholder Management
Diagnosis 4 (D4): Lack of Regulation
Diagnosis 5 (D5): Lack of Skilled Human Resources
Diagnosis 6 (D6): Lack of Research and Development
Diagnosis 7 (D7): Lack of Monitoring and Evaluation

Essentially, the above is a list of the major diagnostics or elements that need to be addressed by the proposed national strategy, in order to achieve the main objective of cultivating a national cybersecurity culture in SA. These diagnostics will be used as inputs to the strategy formulation process that follows.

5.3 Strategy Formulation

Each of the individual diagnostics, with its underlying guiding policies (GP) and coherent actions (CA), will be discussed in the following subsections.

5.3.1. D1: Increased Government Accountability

It is appreciated globally that it is the responsibility of every government to ensure the national security (High-Level Experts Group (HLEG), 2008; Wamala, 2011; World Economic Forum, 2012). It is a fact that national security is threatened when cybersecurity is neglected. Therefore, the SA government should lead and account for cybersecurity culture implementations. To assist the SA government in this greater accountability, the following guiding policies are proposed.

a) GP1.1: Leadership

It is appreciated in the NCPF that the SA government needs to take the lead in cybersecurity. It is endorsed throughout the global community that each country must take up the responsibility to ensure cybersecurity in all levels of society (High-Level Experts Group (HLEG), 2008; Wamala, 2011; World Economic Forum, 2012).
In terms of leadership in a cybersecurity culture, a dedicated body or individual within the CRC should be appointed to oversee that the government is leading all the stakeholders in all the cybersecurity culture functions. The suggested action is as follows:

   i. CA1.1.1: Establish a dedicated body within CRC for cybersecurity culture, as well as a cybersecurity culture coordinator.

b) GP1.2: Establishment of government-led initiatives

Having appointed a Cybersecurity Culture Coordinator, government-led activities should be established to support every single function that is stipulated in the ontology. From the assessment it was clear that SA is not on par in particularly three functions: Raising awareness, Formal Education and Research. Developed Countries, such as the US and Canada have noteworthy successes in this regard. Currently, the US is bolstering its national awareness and education pillars; and SA could indeed learn from this. Perhaps the point of departure is the establishment of national means, as suggested below.

   i. CA1.2.1: Establish a national awareness campaign
   ii. CA1.2.2: Establish a national cybersecurity curriculum.

c) GP1.3: Continual Support

Taking into consideration the pace at which the SA government is progressing in this regard, continuous support is necessary to bolster the existing initiatives. This can ensure that government efforts are rolled out timeously and that they remain relevant.

   i. CA1.3.1: Bolster existing initiatives.

5.3.2. D2: Lack of Resources

Resources are an essential component, be they financial resources, infrastructure, information, people or application. These can be deemed as enablers. An adequate allocation thereof is critically important.
From a business point of view, KPMG suggests that a company pose the following questions, amongst others: “How large should our cybersecurity budget be; and how should we spend it? How much of our cybersecurity budget is spent on systems and tools; and how much on awareness and culture change?” (KPMG, 2014). It is evident that these are the questions that nations, such as the UK and US, ask themselves, judging from the clarity of their financial resource allocation. There is no reason why SA should not adopt this approach. Therefore, the guiding policy and coherent action are stated below.

a) GP2.1: Resource allocation

   i. CA2.1.1: Allocate sufficient dedicated financial capital.

5.3.3. D3: Poor stakeholder management

According to Luiijf et al. (2013), a national cybersecurity strategy should “align the whole of government”; “co-ordinate public and private planning; and convey the envisaged roles, responsibilities and relationships between all the stakeholders” and “convey one’s national intent to other nations and stakeholders”. It was revealed that in SA, there is a pre-emptive response to cybersecurity culture from several stakeholders. The government can take advantage of this response to better co-ordinate its partnerships. Furthermore, it is accepted that every single stakeholder holds some responsibility in cultivating a culture. However, the government should take the lead in clarifying what this responsibility entails through various means of stakeholder engagement. The National Institute of Standards and Technology (NIST) (in the US) employed a stakeholder engagement approach in developing its cybersecurity framework (National Institute of Standards and Technology, 2014). This approach is beneficial because all the stakeholders are part of the strategic planning throughout the implementation thereof.
a) GP3.1: Stakeholder engagement

For successful stakeholder engagement, a plan has to be in place to specify the purpose of the engagement; the envisaged results from the engagement; as well as the manner in which the engagement will take place (Cundy et al., 2013). Different methods of engagement can be used for different stakeholders. These methods include: meetings, workshops, conferences and surveys.

   i. CA3.1.1: Develop a stakeholder engagement plan.

b) GP3.2: Partnership and collaboration

The SA government should establish partnerships with stakeholders within the government, as well as with the stakeholders in the private sectors. Additionally, international partnerships should be supported.

   i. CA3.2.1: Establish Public-private sector partnerships
   ii. CA3.2.2: Establish International partnerships.

5.3.4. D4: Lack of regulation

The ITU recommends that a nation should develop a legal measure pertaining to cybercrime. The lack of cybersecurity legal measures is not unique to SA, as it is a global issue across nations. Some developed countries are leading in this regard. This creates an opportunity for developing countries to learn and adopt practices that are applicable to their needs. Regulation can be viewed as a two-legged process, with lawmaking on one hand and law enforcement on the other. The assessment revealed that SA is lacking on both ends. Therefore, the guiding policies are to develop legislation measures, as well as enforcement measures.

a) GP4.1: Legislation

At a national level, there is a great need for a cybersecurity policy. Currently, SA is in the process of developing a legal framework – starting from the Cybersecurity Bill. Additionally, SA can adopt the cybersecurity certification and accreditation program to encourage compliance with the national security agencies and the Banking industry.

   i. CA4.1.1: Develop a cybersecurity policy
   ii. CA4.1.2: Develop cybersecurity standards
   iii. CA4.1.3: Establish accreditations for compliance programs
   iv. CA4.1.4: Adopt cybersecurity competency models for industry.

b) GP4.2: Enforcement

The findings revealed that currently, in SA, one would be unlikely to get effective assistance at police stations when reporting cybercrime incidents. Establishing cybercrime units within the South African Police Services (SAPS) can elevate the issue; and, in turn, serve the community better than online reporting mechanisms, such as the national Cybersecurity Hub. Having implemented accreditations for compliance programs, appropriate inspections could encourage industries to regularly update their cybersecurity measures.

   i. CA4.2.1: Establish cybercrime units in major SAPS police stations
   ii. CA4.2.2: Establish a cybersecurity inspection program.

5.3.5. D5: Lack of skilled human resources

The effectiveness of labour depends on the education, training and the quality of human capital (Moses-Òkè, 2012). The lack of skilled human resources is not unique to SA. To address this issue, it is recommended by the ITU national cybersecurity guide that national programs be developed for the relevant professions. The focus should be on higher education qualifications, training for those who are already in the workforce, and crucially, the capacity within the law enforcement agencies.

a) GP5.1: Capacity Development

   i. CA5.1.1: Establish higher education certification
   ii. CA5.1.2: Establish cybersecurity internships
   iii. CA5.1.3: Promote training for human resources already in the workforce
   iv. CA5.1.4: Establish an enforcement capacity.

5.3.6. D6: Lack of Research and Development

“A concerted and collaborative research effort is needed to manage the situation and to provide solutions to the pressing cybersecurity problems our nation faces” (Wybourne et al., 2009).
The need for research cannot be overemphasized. SA appreciates the need to partner with higher education institutions for the purpose of research and development (Department of State Security, 2015). Research and development can contribute greatly to the development of a context-sensitive solution that will meet the needs of all levels of the South African Nation.

b) GP6.1: National Cybersecurity Research Program

This can be practically realized by establishing a national cybersecurity agenda and funding postgraduate research across the disciplines. The research agenda should have projects that ultimately place SA in a position to implement innovative cybersecurity measures that are of a global standard. Additionally, the research outcomes should develop statistical data, particularly on country-specific needs, to assist SA in developing tailor-made cybersecurity programs.

i. CA6.1.1: Establish a national cybersecurity research bursary scheme;
ii. CA6.1.2: Establish a national cybersecurity culture research agenda.

5.3.7. D7: Lack of monitoring and evaluation

Monitoring is defined as “the systematic process of collecting, analysing and using information to track a programme's progress in reaching its objectives and to guide management’s decisions” (Umhlaba Development Services, 2011). Evaluation is defined as “a systematic and objective examination concerning the relevance, effectiveness, efficiency and impact of activities in the light of specified objectives” (Benedict, 2016). From both definitions, it is clear that for monitoring and evaluation to be useful, clear objectives should be set. Additionally, having clear indicators is beneficial in determining whether or not a program is going to be a success.

a) GP7.1: Monitor and Evaluate

One of the guidelines from the Organization for Economic Co-Operation and Development (OECD) for a cybersecurity culture is reassessment (OECD, 2002).
This refers to reviewing and reassessing the security efforts, in order to make the appropriate modifications to security policies, practices, measures and procedures, so as to maintain the relevance and effectiveness of the measures. For all cybersecurity culture functions, there should be means whereby they can be monitored and evaluated.

i. CA7.1.1: Define benchmarks
ii. CA7.1.2: Define success indicators for initiatives
iii. CA7.1.3: Develop an evaluation criterion
iv. CA7.1.4: Publish periodic process reports

Taking into consideration all that has been argued above, the proposed national strategy for cybersecurity culture, consisting of diagnosis, guiding policies and coherent actions, has been summarized and presented in Figure 4 below.

Figure 4: Proposed National Cybersecurity Culture Strategy

Figure 4 presents a condensed view of the strategy formulation content, which includes the list of diagnosis, guiding policies and coherent actions. This section has expanded on the diagnostics established from the environmental assessment in the previous section. It did this by suggesting suitable guiding policies (GPs) and coherent actions (CAs) that can be taken in cultivating the envisaged cybersecurity culture. As mentioned, the guiding policies and coherent actions are extrapolated from the existing cybersecurity implementations in African nations, as well as the implementations of leading nations, as described in the Global Cybersecurity Index and the Cyberwellness Report (ITU, 2015). The following section will discuss how SA can go about implementing the proposed policies and actions.

5.4 Strategy Implementation

In Subsection 4.4, strategy implementation was described as executing the activities stipulated in the strategy.
As simple as that can be perceived, it was said that for successful implementation, a comprehensive implementation plan should be developed. Developing an implementation plan requires clarity of all the required human capital (Wheelen & Hunger, 2012). On the contrary, cybersecurity culture has multiple role-players with roles and responsibilities that require peculiar consideration in order to delineate. As such, this paper will not attempt to develop a comprehensive implementation plan. It will, however, suggest that the following programs be at the forefront of such an implementation plan:

1. Appointing a dedicated body for cybersecurity culture within the CRC
2. Resource allocation
3. Launch the Cybersecurity Research Agenda
4. Develop a robust stakeholder engagement plan
5. Establishing partnerships

Since it is the CRC that is charged with the role to co-ordinate cybersecurity national efforts, it is assumed that they would appoint a body and allocate the necessary resources, starting from a budget. It is general knowledge that cultivating a cybersecurity culture is a complex matter, as many stakeholders and many subcultures exist in SA. The very stakeholders have certain roles and obligations to uphold in the process. Even more, the stakeholders are also the beneficiaries of the national cybersecurity culture. As such, the CRC has to take it upon itself to clarify these roles and responsibilities to the relevant stakeholders, and to stress the importance of their involvement in the process. This makes stakeholder engagement very important for the success of the strategy.

5.5 Strategy Control

The guiding policies and coherent actions defined in Subsection 5.3.7 play a crucial role in the strategy-control phase. In this section, it is suggested that the body responsible for cybersecurity culture should define benchmarks for all the initiatives that will be developed.
It must also stipulate clear success indicators for each of the initiatives. This will ensure that progress is made in achieving the targets. After a program is rolled out to the targeted audience, it should be evaluated, in order to rule on its effectiveness. From the results of the evaluation, the strategy can be amended accordingly. To ensure transparency to all the stakeholders, periodic reports must be published. The following section will provide some concluding remarks. Adhering to the strategy control process, as defined in Subsection 4.5, together with the control policies recommended in the proposed strategy, can ensure that the objectives of the strategy would be achieved.

5.6 The Validity of the Strategy

The validity of research findings can be accredited to either the use of a rigorous process in conducting research or the argumentation provided by the researcher (von Solms & van Niekerk, 2011). In the case of this research, the validity of the strategy is attributed to the use of a rigorous strategy development process as defined by Tsokota et al. (2017). According to Holloway and Galvin (2016), the use of a sound methodology can ensure the trustworthiness of research findings. This is in agreement with Oates (2006), who suggests that the use of an appropriate research approach accordingly produces accurate and meaningful results. Based on this, the strategy development process that was used to craft the proposed strategy is deemed sufficient in ensuring that the resultant strategy is valid. The process is firmly established on the principles of the strategy kernel as defined by Rumelt (2011). According to Rumelt (2011), the purpose of the kernel is to separate a ‘good’ strategy from a ‘bad’ strategy. A bad strategy is characterized by having goals without a clear indication as to how the goals can be achieved.
On the contrary, a good strategy is characterized by having goals, identifying what hinders the organization in reaching the goals, and identifying precise and coherent actions that need to occur to remedy the hindrances towards achieving the goals. In essence, the strategy kernel is the heart of a good strategy, adapted in order to ensure that the proposed strategy is ‘good’, thus ensuring the validity of the proposed strategy.

6. CONCLUSION

South Africa is increasingly relying and depending on Internet services in its normal, everyday operations. In addition to this, SA has accepted that Internet access is a basic right for all citizens. This paper has argued that alongside connectivity, cybersecurity should also be a priority. An accepted approach to go about implementing cybersecurity lies in cultivating such a culture. Opportunely, in the NCPF, SA also accepts that a culture of cybersecurity is an imperative. Based on this, this paper contends and proposes a national strategy for cultivating such a cybersecurity culture.

To develop the proposed strategy, this paper used a strategy development process as defined by Tsokota et al. (2017). The use of the selected strategy development process narrows the ‘gap’ between strategy and implementation, which normally exists in many strategies. From this process, the research contributes a diagnosis of issues that are currently hindering SA from establishing the envisaged cybersecurity culture. The diagnostics are: poor government accountability, lack of resources, poor stakeholder management, lack of regulation, lack of skilled human resources, lack of research and development, and lack of monitoring and evaluation. Accordingly, the paper contributed a list of guiding policies and coherent actions relevant and suitable to the South African context as means towards addressing the identified diagnostics.

The limitations of the study can be considered in the strategy implementation phase and control phase.
This is because an implementation plan was not developed, apart from suggesting which activities should be at the forefront of executing the strategy. Additionally, the strategy evaluation partly relies on the correct execution of policies that are suggested in the proposed strategy, meaning that an error in the implementation stage is likely to negatively impact the controlling of the strategy. It might be very difficult, if not impossible, to evaluate or verify a strategy that will guarantee successful implementation. For this reason, it is important that strategy development rigorously adheres to some reputable strategy development methodology. In doing so, the resultant strategy gets refined through some checks and balances that form part of the methodology. Thus, as future research, one can focus specifically on verifying and fine-tuning the strategy prior to or even during the implementation phase. Additionally, the study can also benefit from an in-depth inquiry on the roles and responsibilities of all role-players in the cybersecurity culture domain.

7. REFERENCES

Aguilar, F. J. (1967). Scanning the Business Environment. Macmillan.

Benedict, N. (2016). Defining of Evaluation Stages in Business. https://www.academia.edu/28458754/DEFINING_OF_EVALUATION_STAGES_IN_BUSINESS.docx

Center for Strategic and International Studies. (2011). Cybersecurity Two Years Later. https://doi.org/978-0-89206-625-4

Chandler, A. D. (1962). Strategy and Structure. In Chapters in the History of the American Industrial Enterprise. MIT Press.

Christiansen, B. (2014). Handbook of Research on Effective Marketing in Contemporary Globalism. IGI Global.

Cundy, A., Bardos, R., Church, A., Puschenreiter, M., Friesl-Hanl, W., Müller, I., … Vangronsveld, J. (2013). Developing Principles of Sustainability and Stakeholder Engagement for “Gentle” Remediation Approaches: The European Context. Journal of Environmental Management, 129, 383–291.

Cybersecurity Hub. (2015). Cybersecurity Hub.

De Lanerolle, I. (2016). Internet Freedom: Why Access is Becoming a Human Right. http://themediaonline.co.za/2016/06/internet-freedom-why-access-is-becoming-ahuman-right/

Department of State Security. (2012). Statement on the Approval by Cabinet of the Cyber Security Policy Framework for South Africa. http://www.info.gov.za/speech/DynamicAction?pageid=461&tid=59794

Department of State Security. (2015, March 1). Minister David Mahlobo: Cybersecurity Symposium. Speeches. Johannesburg, South Africa. http://www.gov.za/speeches/minister-david-mahlobo-cybersecurity-symposium-1-mar-2015-0000

Dube, B. (2015). Minister David Mahlobo: Closing session of State Security Cybersecurity Conference. Speeches. Pretoria, South Africa.

eNCA. (2016, July 6). 8.8 million South Africans hit by cyber crime. eNews Channel Africa. Johannesburg, South Africa. https://www.enca.com/technology/88-million-southafricans-hit-by-cyber-crime

Enz, C. (2009). Hospitality Strategic Management: Concepts and Cases. Wiley Publishing.

Fred, N. (2016). Strategy Definitions & Meanings.

Gartner, S. S. (1997). Strategic Assessment in War. London: Yale University Press.

Gcaza, N., Solms, R. Von, & Vuuren, J. Van. (2015). An Ontology for a National CyberSecurity Culture Environment. In Proceedings of the Ninth International Symposium on Human Aspects of Information Security & Assurance (HAISA 2015) (1-10).

Glueck, W. F. (1972). Business Policy: Strategy Formation and Management Action. McGraw-Hill.

Goldman, G., & Nieuwenhuizen, C. (2006). Strategy: Sustaining Competitive Advantage in a Globalised Context. Juta and Company Ltd.

High-Level Experts Group (HLEG). (2008). ITU Global Cybersecurity Agenda High-Level Experts Group (HLEG) Global Strategic Report. Geneva, Switzerland. Retrieved from http://www.cybersecurity-gateway.org/pdf/global_strategic_report.pdf

ITU. (2015). Global Cybersecurity Index & Cyberwellness Profiles. Switzerland.

Johnson, G., Whittington, R., & Scholes, K. (2009). Exploring Strategy. (Prentice Hall, Ed.) (9th ed.).

Kortjan, N. (2013). A Cyber Security Awareness and Education Framework for South Africa. Nelson Mandela Metropolitan University. http://contentpro.seals.ac.za/iii/cpro/app?id=0865119265660214&itemId=1014829&lang=eng&service=blob&suite=def

Kortjan, N., & Solms, R. Von. (2014). A Conceptual Framework for Cyber-Security Awareness and Education in SA. South African Computer Journal, 52, 29-41.

Kortjan, N., & von Solms, R. (2013). Cyber Security Education in Developing Countries: A South African Perspective. In e-Infrastructure and e-Services for Developing Countries (289–297). Springer.

KPMG. (2014). Cyber security: it’s not just about technology. https://www.kpmg.com/Global/en/IssuesAndInsights/ArticlesPublications/Documents/cyber-security-not-justtechnology.pdf

Kritzinger, E. (2014). Cyber-safety A South African School Perspective. Johannesburg, South Africa. http://eagle.unisa.ac.za/elmarie/images/Pdf/r2.pdf

Lester, R., & Waters, J. (1985). Environmental Scanning and Business Strategy. London, UK: British Library, Research and Development Department.

Lewis, C. (2015). SA ranks high in cybercrime. http://www.sabc.co.za/news/a/ebe2b3004a2f054d9f61dfa53d9712f0/SA-ranks-high-in-cybercrime-20151012

Lotz, B. (2015). We don’t have enough people to cope with cybercrime, Hawks. Cybersecurity News. Africa. http://www.htxt.co.za/2015/09/10/we-dont-have-enoughpeople-to-cope-with-cybercrime-hawks/

Luiijf, E., Besseling, K., & De Graaf, P. (2013). Nineteen National Cyber Security Strategies. International Journal of Critical Infrastructures, 9, 1-2, 3-31.

Mashiloane, L. (2014, May 29). Piet Pieterse: SAPS intensifies cybercrime battle. ITWEB. Johannesburg, South Africa. http://www.itweb.co.za/mobilesite/news/134890

Mintzberg, H., Ahlstrand, B., & Lampel, J. (1998). Strategy Safari: A Guided Tour through the Wilds of Strategic Management. New York: The Free Press.

Moses-Òkè, R. (2012). Cyber Capacity without Cyber Security: A Case Study of Nigeria’s National Policy for Information Technology (NPFIT). The Journal of Philosophy, Science & Law, 12, 1–14. http://jpsl.org/archives/cyber-capacity-without-cybersecurity-case-study-nigerias-national-policy-information-technology-npfit/

National Institute of Standards and Technology. (2014). Framework for Improving Critical Infrastructure Cybersecurity.

OECD. (2002). Recommendation of the Council Concerning Guidelines for the Security of Information Systems and Networks - Towards a Culture of Security. http://acts.oecd.org/Instruments/ShowInstrumentView.aspx?InstrumentID=116&Lang=en&Book=False

Porter, M. (1986). The Strategic Role of International Marketing. Journal of Consumer Marketing, 3, 2, 17–21.

Rumelt, R. (2011). Good Strategy/Bad Strategy. USA: Profile Books LTD.

SA Government Gazette. (2015). National Cybersecurity Policy Framework for South Africa.

SABRIC. (2016). The South African Banking Risk Information Centre. https://www.sabric.co.za/

Sharma, R. (2012). Study of Latest Emerging Trends on Cyber Security and its Challenges to Society, 3, 6, 2010-2013.

South African Cyber Security Academic Alliance. (2015). Welcome to SACSAA. http://www.cyberaware.org.za/

Temtime, Z. (2001). Environmental Scanning Behavior of Small and Medium Firms in Developing Economies: Evidence from Botswana. Pakistan Journal of Applied Sciences, 1, 3, 263–269.

Tsokota, T., von Solms, R., & van Greunen, D. (2017). An ICT Strategy for the Sustainable Development of the Tourism Sector in a Developing Country: A Case Study of Zimbabwe. Electronic Journal of Information Systems in Developing Countries, 78, 5, 1-20.

UJ Centre for CyberSecurity. (2016). UJ Centre for Cyber Security. Retrieved September 6, http://adam.uj.ac.za/csi/

Umhlaba Development Services. (2011). Introduction to Monitoring and Evaluation Using the Logical Framework Approach. Johannesburg, South Africa. http://eeas.europa.eu/archives/delegations/ethiopia/documents/eu_ethiopia/ressources/m_e_manual_en.pdf

von Solms, R., & van Niekerk, J. (2011). Research in Computer Science, Information Systems and Information Technology - Back to the Basics. In Proceedings of the 41st Annual Conference of the Southern African Computer Lecturers’ Association (SACLA) (5). Fairmont Zimbali Resort.

von Solms, R., & van Niekerk, J. (2013). From Information Security to Cyber Security. Computers & Security, 38, 97-102. http://www.sciencedirect.com/science/article/pii/S0167404813000801

von Solms, R., & von Solms, B. (2015). National Cyber Security in South Africa: A Letter to the Minister of Cyber Security. In The Proceedings of the 10th International Conference on Cyber Warfare and Security: ICCWS2015 (p. 369). Kruger National Park: Academic Conferences Limited.

Wamala, F. (2011). ITU National Cybersecurity Strategy Guide. Chemistry & Geneva, Switzerland. http://onlinelibrary.wiley.com/doi/10.1002/cbdv.200490137/abstract

Wheelen, T. L., & Hunger, J. D. (2012). Strategic Management and Business Policy: Toward Global Sustainability (13th ed.). Pearson/Prentice Hall.

World Economic Forum. (2012). Risk and Responsibility in a Hyperconnected World Pathways to Global Cyber Resilience. http://www3.weforum.org/docs/WEF_IT_PathwaysToGlobalCyberResilience_Report_2012.pdf

Wybourne, M., Austin, M. F., & Palmer, C. C. (2009). National Cyber Security: Research and Development Challenges. US.

Zeldin, W. (2012). U.N. Human Rights Council: First Resolution on Internet Free Speech. http://www.loc.gov/law/foreign-news/article/u-n-human-rights-council-firstresolution-on-internet-free-speech/