Reducing Risk and Building Capacity
The Cybersecurity Capacity Maturity Model (CMM) for Nations
Prof Michael Goldsmith
Global Cyber Security Capacity Centre (GCSCC)
April 2017


Delivering Effective Cybersecurity Both Within The UK And Internationally

The Global Cyber Security Capacity Centre (GCSCC) is a leading international centre for research on efficient and effective cybersecurity capacity-building, promoting an increase in the scale, pace, quality and impact of cybersecurity capacity-building initiatives across the world.

It brings together international expertise across multiple sectors to contribute to the Centre’s outputs.

Cybersecurity Capacity Maturity Model for Nations (CMM)

5 Dimensions of Cybersecurity Maturity

D1 Cyber Policy and Strategy

D2 Cyber Culture and Society

D3 Cyber Education, Training and Skills

D4 Cyber Legislation and Regulation

D5 Organisations, Technologies and Standards

Human, financial and technical resources

Structure of the CMM

Dimension

Factor

Aspect

• Start-up stage: Indicators

• Formative stage: Indicators

• Established stage: Indicators

• Strategic stage: Indicators

• Dynamic stage: Indicators

Stages of Maturity

Start-up

Formative

Established

Strategic

Dynamic

Example:

Dimension 1: Cyber Policy and Strategy

1.1: National cybersecurity strategy

1.2: Incident response

1.3: Critical Infrastructure (CI) Protection

  • Identification

  • Organisation

  • Risk Management and Response

1.4: Crisis Management

1.5: Cyber Defence Consideration

1.6: Communications Redundancy

CMM Reviews

Stakeholder Clusters

Criminal Justice

Defense/Intelligence

Academia/Civil Society

Government

Legislators

CERT and IT

Critical Infrastructure

Strategic Partners

Ministry of Foreign Affairs of the Netherlands

Ministry of Foreign Affairs of Norway

UK Cabinet Office

Partners

17 Reviews of National Cybersecurity Capacity since 2015

Colombia, Jamaica

Armenia, Iceland (planned), Kosovo, Kyrgyzstan, Lithuania, Montenegro, UK

Madagascar, Senegal, Sierra Leone, Uganda, Zambia

Bhutan, Fiji, Indonesia, Thailand

Underpinned a Regional Study by the OAS

Antigua and Barbuda, Argentina, The Bahamas, Barbados, Belize, Bolivia, Brazil, Chile, Colombia, Costa Rica, Dominica, Dominican Republic, Ecuador, El Salvador, Grenada, Guatemala, Guyana, Haiti, Honduras, Jamaica, Mexico, Nicaragua, Panama, Paraguay, Peru, Saint Kitts and Nevis, Saint Lucia, Saint Vincent and the Grenadines, Suriname, Trinidad and Tobago, Uruguay, Venezuela

https://publications.iadb.org/handle/11319/7449

What Are The Benefits Of The CMM?

• Ownership of review lies with country

• Review of global cybersecurity capacity in 5 dimensions

• Self-assessment to point out needs and next steps

• Qualitative and quantitative benchmarking

• Review report with recommendations

Observations From CMM Reviews

• Generally, countries found the reviews informative and helpful in identifying previously under-considered capacity gaps

• Diverse stakeholder groups enable a comprehensive picture in report development

• Review itself as capacity-building exercise

• Various lessons learned across all five dimensions of cybersecurity capacity

Lessons Learned (Selection)

Policy and Strategy: Misperception of the role of the CSIRT

Culture and Society: Lack of understanding of the relationship between trust/confidence and security

Education, Training and Skills: Disconnect between educational offerings and industry needs

Legislation and Regulation: Question whether new cybercrime/cybersecurity legislation is needed or adapting existing law is sufficient

Organisations, Technologies and Standards: Standards adoption (particularly ISO standards) is mostly ad-hoc

Overall: Data collection challenges

Way Ahead

CMM revision

• Reflect lessons learned

• Adapt to evolving cybersecurity landscape

Continued deployment & support

• Regional centres

• International governance

• International partners

Development of complementary models

• Cyber Harm Model

• CMM for organisations

Incl. inventory of current intl and regional initiatives in cybersecurity capacity building – partnership with the Global Forum on Cyber Expertise (GFCE)

Visit: www.sbs.ox.ac.uk/cybersecurity-capacity

National Cybersecurity Reference Guide

A project undertaken in partnership with Commonwealth Secretariat Cybercrime Initiative, Commonwealth Telecommunication Organisation, ENISA, GCSP, ITU, Intellium, Microsoft, NATO CCDCOE, OECD, OAS, Potomac Institute, RAND Europe, UNCTAD and World Bank.

- will represent a single resource for any country to gain a clear understanding of the purpose and content of a national cybersecurity strategy and how to develop one

- will also outline the existing relevant models and resources as well as offer an overview of the assistance available from various organizations.

Global Cyber Security Capacity Centre
Oxford Martin School, University of Oxford
34 Broad Street, Oxford OX1 3BD, UK
Phone: +44(0)1865 287903

www.oxfordmartin.ox.ac.uk/cybersecurity

Thank you!