Cybersecurity Capacity Maturity Model for Nations
 | This template is not to be used in article space. This is the sandbox page where you will draft your initial Wikipedia contribution. If you're starting a new article, you can develop it here until it's ready to go live. If you're working on improvements to an existing article, copy only one section at a time of the article to this sandbox to work on, and be sure to use an edit summary linking to the article you copied from. Do not copy over the entire article. You can find additional instructions here. Remember to save your work regularly using the "Publish page" button. (It just means 'save'; it will still be in the sandbox.) You can add bold formatting to your additions to differentiate them from existing content. |
Cybersecurity Capacity Maturity Model for Nations
Cybersecurity Capacity Maturity Model for Nations (CMM) is a framework developed to review the cybersecurity capacity maturity of a country across five dimensions.[1] It was designed by Global Cyber Security Capacity Centre of University (GCSCC) of University of Oxford and first of its kind framework for countries to review their cybersecurity capacity, benchmark it and receive recommendation for improvement.[2] The five dimensions covers the capacity area required by a country to improve its cybersecurity posture.[3] The assessment rate each dimension using five levels that range from Start-up, Formative, Established, Strategic and Dynamic. The recommendations includes guidance on areas of cybersecurity to improve on and thus need more focus and investment. As at June, 2021, the framework has been adopted and implemented in over 80 countries worldwide.[4] Its' deployment has been catalyzed by the involvement of international organizations such as the Organization of American States (OAS), the World Bank (WB), the International Telecommunications Union (ITU) and the Commonwealth Telecommunications Union (CTO) and Global Forum on Cyber Expertise (GFCE).[5]
Overview
The World Summit on Information Society identified that Capacity building in the realm of cybersecurity as one of the pillars necessary to reap the benefits of processes and services digitalization, especially in developing nations.[6] In order to assist with this effort, GCSCC developed the CMM.
The CMM was developed in 2014, through collaborative effort between the GCSCC and over 200 experts from academia, international and regional organizations and the private sector.[7] CMM assesses the capacity of a country from five identified area called dimensions with the objective of improving the coverage, measurement and effectiveness of cyber security capacity building within five levels of progression, which are: start-up, formative, established, strategic and dynamic.[8]
The 5 dimensions from the 2021 version are:[3]
1. Developing cybersecurity policy and strategy;
This dimension examines how a nation fares in terms of availability and implementation of Cybersecurity policies and strategy.
2. Encouraging responsible cybersecurity culture within society;
This dimension views how well citizens of a nation are familiar with digital risk and the provision of a viable channel for reporting cybercriminal activities.
3. Building cybersecurity knowledge and capabilities;
This dimension explores structures in place for cybersecurity awareness and education within the nation.
4. Creating effective legal and regulatory frameworks;
Examine the ability of a country to develop, ratify and enforce cybersecurity and privacy related legislation.
5. Controlling risks through standards and technologies.
This dimension examines the common use of cybersecurity standard and presence of structures for development of such technologies.
The dimensions have been further divided into factors and the factors into aspects.
Factors:
These are the components of a nations capacity whose maturity level is measured.
Aspect:
This are smaller subdivision of factors and they help with understanding each factor and they aid in evidence gathering and measurement.
Stage:
This represent how matured a nations is on each factor or aspect. There are 5 stages of maturity; start-up, formative, established, strategic and dynamic. For a nation to met a particular maturity stage, it has to fulfill some indicators.
The assessment represents a nations initial steps towards towards improving its cybersecurity posture.[9]The assessment report is the property of the assessed nation [9] and the they choose whether to make it public or not.[2] Based on pilot assessments conducted in 6 countries, modifications to improve the model were made and an updated version was released in 2016. Further consultations based on lessons learnt over the years from CMM deployments resulted in an updated version in 2021.[10]
The dimensions, factors and aspects have changed overtime between CMM versions.
Differences between versions
Version 1 of the framework was released in 2014 and Kosovo was the first pilot country. The 2014 has has 5 dimensions and 21 factors.[11] The 2016 version has 5 dimensions with 24 factors.[12] The 2021 version has 5 dimensions and 23 factors.[3]
Between the 2014 and 2016 version, there was no change in the naming of the dimensions. The changes came in 2021 and its represented in table 1.
| Dimensions | 2014/2016 | 2021 |
|---|---|---|
| D1 | Cybersecurity Policy and Strategy | Developing cybersecurity policy and strategy |
| D2 | Cyber Culture and Society | Encouraging responsible cybersecurity culture within society |
| D3 | Cybersecurity Education, Training and Skills | Building cybersecurity knowledge and capabilities |
| D4 | Legal and Regulatory Frameworks | Creating effective legal and regulatory frameworks |
| D5 | Standards, organisations, and technologies | Controlling risks through standards and technologies |
Below (table 2) is a representation of how the factors have changed between versions.
| Factors | 2014 | 2016 | 2021 |
|---|---|---|---|
| D1.1 | Documented or Official National Cybersecurity Strategy | National Cybersecurity Strategy | National Cybersecurity Strategy |
| D1.2 | Incident Response | Incident Response | Incident Report and Crisis Management |
| D1.3 | Critical National Infrastructure | Critical Infrastructure (CI) Protection | Critical Infrastructure (CI) Protection |
| D1.4 | Crisis Management | Crisis Management | Cybersecurity in Defense and National Security |
| D1.5 | Cyber Defence Consideration | Cyber Defence consideration | |
| D1.6 | Digital Redundancy | Communications redundancy | |
| D2.1 | Cybersecurity Mind-set | Cybersecurity mind-set | Cybersecurity Mindset |
| D2.2 | Cybersecurity Awareness | Trust and confidence on the Internet | Trust and Confidence in Online Service |
| D2.3 | Confidence and Trust on the Internet | User understanding of personal information protection on the Internet | User Understanding of Personal Information Protection Online |
| D2.4 | Privacy Online | Reporting mechanisms | Reporting Mechanisms |
| D2.5 | Media and social media | Media and Social Media | |
| D3.1 | National Availability of Cyber Education and Training | Raising awareness | Building Cybersecurity Awareness |
| D3.2 | National Development of Cyber Security Education | Framework for education | Cybersecurity Education |
| D3.3 | Training and Educational Initiatives within the Public and Private Sector | Framework for professional training | Cybersecurity Professional Training |
| D3.4 | Corporate Governance, Knowledge and Standards | Cybersecurity Research and Innovation | |
| D4.1 | Cybersecurity Legal Frameworks | Legal frameworks | Legal and Regulatory Provisions |
| D4.2 | Legal Investigation | Criminal justice system | Related Legislative Framework |
| D4.3 | Responsible Reporting | Formal and informal cooperation frameworks to combat cybercrime | Legal and Regulatory capability and Capacity |
| D4.4 | Formal and Informal Co-operation Frameworks to Combat Cybercrime | ||
| D5.1 | Adherence to Standards | Adherence to standards | Adherence to Standards |
| D5.2 | Cybersecurity Coordinating Organisations | Internet infrastructure resilience | Security Controls |
| D5.3 | National Infrastructure Resilience | Software quality | Software Quality |
| D5.4 | Cybersecurity Marketplace | Technical security controls | Communications and Internet Infrastructure Resilience |
| D5.5 | Cryptographic controls | Cybersecurity Marketplace | |
| D5.6 | Cybersecurity marketplace | Responsible Disclosure | |
| D5.7 | Responsible disclosure |
The Stages of National Cybersecurity Capacity[3]
Start-up
At this stage, a nation has no presentable evidence to show existence of cybersecurity initiatives.
Formative
Evidence is available to proof initiatives on some of the aspects, however these efforts may be at the initiation state or be ad hoc.
Established
The is evidence to show that the aspect is defined, functional and working but adequate resource allocation is lacking.
Strategic
Aspect has been prioritized based of national need.
Dynamic
A working adaptable cybersecurity strategy is available, which is evidenced by global leadership on cybersecurity issues, agility of decision-making, and resources allocation.
The Review Process
CMM Review Process has 3 stages.[2][13]
Stage 1: Desk research and country-partner identification.
The first step is selection of a country. A CMM review can be requested by a country or a country can be selected for assessment by an international or regional organization.
One selected, a relationship is established with host country and necessary stakeholders identified from Academia, Civil Societies, Government Ministries/Department, International Organizations and the Private Sector.
Stage 2: The Review
The actual review with the stakeholders is a three-day consultation process.
Based on the five dimensions, multiple teams are created across stakeholders.
Open discussions or focus groups method is applied to ask and answers questions. Questions and answer can also be collected using online tool.[14] . Inability to provide evidence for all indicators under each aspect will result in a lower maturity level for that aspect.[2]
Remote follow-up sessions or email communication may be used for further data collection.
Stage 3: Review Report
A report is presented to the country's government and it is at the discretion of that country to make it publicly available or not.
The recommendation
The output of the CMM assessment is a report which details the gaps identified from each aspect and the present maturity level of each indicator. Depending on a nations need, it recommends the areas that should be given priority in terms of resource allocation.
Sample results from some of the reviews are available here
Nations with CMM
Cybersecurity capacity for over 80 nations have been reviewed using CMM.[9] The list of nations is available here.
References
- ^ "Global Cyber Security Capacity Centre | Digital Watch". dig.watch. Retrieved 2021-07-23.
- ^ a b c d The World Bank. "Global Cybersecurity Capacity Program. "Lessons Learned and Recommendations towards strengthening the Program"" (PDF). documents.worldbank.org. Retrieved 2021-06-23.
{{cite web}}: CS1 maint: url-status (link) - ^ a b c d Global Cyber Security Capacity Centre (2021). "Cybersecurity Capacity Maturity Model for Nations (CMM)" (PDF).
{{cite web}}: CS1 maint: url-status (link) - ^ "CMM Reviews around the World". gcscc.ox.ac.uk. Retrieved 2021-06-24.
- ^ RAND (2017). "Developing Cybersecurity Capacity. A proof-of-concept implementation guide" (PDF).
{{cite web}}: CS1 maint: url-status (link) - ^ International Telecommunication Union (2015). "WSIS+10 Statement on the Implementation of the WSIS Outcomes" (PDF).
{{cite web}}: CS1 maint: url-status (link) - ^ "National cybersecurity capacity maturity assessment". www.nrdcs.lt. Retrieved 2021-07-11.
- ^ Klimburg, Alexander; Zylberberg, Hugo (2015). "Cyber Security Capacity Building: Developing Access" (PDF).
{{cite web}}: CS1 maint: url-status (link) - ^ a b c Designer (2019-11-22). "The CMM - Oceania Cyber Security Centre". Retrieved 2021-07-11.
- ^ "Development and Evolution of the CMM". gcscc.ox.ac.uk. Retrieved 2021-07-03.
- ^ Global Cyber Security Capacity Centre (2015). "Cybersecurity Capacity Assessment of the Republic of Kosovo".
{{cite web}}: CS1 maint: url-status (link) - ^ "2020 Cybersecurity Report: Risks, Progress, and the Way Forward in Latin America and the Caribbean | Publications" (PDF). publications.iadb.org. Retrieved 2021-06-25.
- ^ "CMM Review Process". gcscc.ox.ac.uk. Retrieved 2021-07-03.
- ^ Organization of American States (2016). "Cybersecurity Are We Ready in Latin America and the Caribbean?".
{{cite web}}: CS1 maint: url-status (link)