Global Cyber Security Capacity Maturity Model - CMM
WSIS Forum 2015 – Geneva
Dr Maria Bada
25/05/2015
CMM - Five Dimensions
Levels of Maturity
• Start-up: At this level either nothing exists, or it is very embryonic in nature.
• Formative: Some features of the indicators have begun to grow and be formulated, but may be ad hoc, disorganised, poorly defined, or simply "new". However, this activity is clearly evidenced.
• Established: The elements of the sub-factor are in place and working.
• Strategic: Choices have been made about which parts of the indicator are important, and which are less important, for the particular organisation or nation.
• Dynamic: There are clear mechanisms in place to alter strategy depending on the prevailing circumstances. Rapid decision-making, reallocation of resources, and constant attention to the changing environment are features of this level.
Capacity Dimensions
Dimension 1: Cybersecurity Policy and Strategy
• D1-1: National Cybersecurity Strategy
• D1-2: Incident Response
• D1-3: Critical National Infrastructure (CNI) Protection
• D1-4: Crisis Management
• D1-5: Cyber Defence Consideration
• D1-6: Digital Redundancy
Dimension 2: Cyber Culture and Society
• D2-1: Cybersecurity Mind-set
• D2-2: Cybersecurity Awareness
• D2-3: Confidence and Trust on the Internet
• D2-4: Privacy Online
Dimension 3: Cybersecurity Education, Training and Skills
• D3-1: National availability of cyber education and training
• D3-2: National development of cybersecurity education
• D3-3: Corporate training and educational initiatives within companies
• D3-4: Corporate Governance, Knowledge and Standards
Dimension 4: Legal and Regulatory Frameworks
• D4-1: Cybersecurity legal frameworks
• D4-2: Legal investigation
• D4-3: Responsible Disclosure
Dimension 5: Standards, Organisations, and Technologies
• D5-1: Adherence to standards
• D5-2: National Infrastructure Resilience
• D5-3: Cybersecurity marketplace
Dimension 1: Cybersecurity Policy and Strategy
D1-1: National Cybersecurity Strategy
Indicator: Strategy Development
• Start-up: No evidence of a national cyber security strategy exists; if a cyber component exists it may be the responsibility of one or more departments of government; a process for development has begun without stakeholder consultation.
• Formative: An outline of a national cyber security strategy has been articulated, built on government consultation; consultation processes have been established for key stakeholder groups, possibly involving international assistance.
• Established: A national cyber strategy has been established; a specific mandate to consult across sectors and civil society has been agreed; data and historic trends are used to plan; some understanding of national cyber security risks and threats drives capacity building at a national level.
• Strategic: Cyber security strategy is knowledgeably implemented by multiple stakeholders across government; strategy review and renewal processes are confirmed; regular scenario and real-time cyber exercises are conducted; cyber security strategic plans drive capacity building and investments in security; metrics and measurement processes are established, implemented and inform decision making.
• Dynamic: Continual revision of cyber security strategy is conducted to adapt to changing socio-political, threat and technology environments, driving the multi-stakeholder decision making process; trust and confidence building measures (TCBMs) are undertaken to ensure the continued inclusion and contribution of all stakeholders, including the private sector, wider society and international partners.
Factors Crucial for Combating Cybercrime: National Cybersecurity Strategy
The national cybersecurity strategy content is linked explicitly to national risks, priorities and objectives:
• raise public awareness
• establish incident response capacity
• mitigate cybercrime
• protect critical national infrastructure
• coordinated response to cyber attacks/risks
• building trust in internet use
• promote positive and responsible forms of online behaviour
Factors Crucial for Combating Cybercrime: Cybersecurity Awareness
• Awareness-raising campaigns linked to cyber security strategy
• Covering a wide range of groups, including training courses, seminars and online resources
• Established metrics for effectiveness
• Capacity to understand complex cybercrime cases and inform decision making
Factors Crucial for Combating Cybercrime: Education/Training
• Public and private sector training available for employees, law enforcement, prosecutors, experts and board members
• Capacity to address and combat cybercrime
Factors Crucial for Combating Cybercrime: Cybersecurity Legal Frameworks
• A comprehensive structure within the criminal justice system for combating cybercrime while respecting human rights
• Comprehensive ICT legislative and regulatory frameworks addressing cybersecurity
• Substantive cybercrime law
• Procedural cybercrime law
• Technical capacity to prevent cybercrime
• International and regional cooperation
Factors Crucial for Combating Cybercrime: National Infrastructure Resilience
• Availability and use of critical technologies, processes, business models and standards to support control of cyber across national critical infrastructures and across international cyberspace
• Encourage information sharing among participants
Factors Crucial for Combating Cybercrime: Cybercrime Insurance
• Existence of a market in cybercrime insurance
• Assessment of financial risks for public and private sector
Country Assessments using the CMM, February–March 2015
• World Bank: Armenia, Kosovo, Bhutan and Montenegro
• OAS: Jamaica and Colombia
Observations from Capacity Assessments
• Capacity factors in countries assessed thus far range from start-up to established
• General lack of awareness, education and training
• General lack of technical standards’ implementation
Steps to be taken forward
Assessed Capacity → Data → Strategy for Investment
• Science requires measurement
• Academic analysis of data from assessments could reveal geographic, stakeholder, and interdependent factor trends
• Trends feed into a global strategy for investment
• Ambition is to assess the world’s cybersecurity capacity alongside regional/international partners
Steps to be taken forward
Assessed Capacity → Cooperation → Cyber-Harm
• Devising a model against which countries (or regions, or multi-nationals) can assess their capacity in fighting cybercrime
• The development of a model to understand cyber-harm, to focus prioritisation of investments on more specific capacity harm-reduction
• Benefits drawing on, not competing with, other similar efforts
The CMM is available at: http://www.sbs.ox.ac.uk/cybersecurity-capacity/
Thank you