![Page 1: Reducing Risk and Building Capacity€¦ · The Global Cyber Security Capacity Centre (GCSCC) is a leading international centre for research on efficient and effective cybersecurity](https://reader036.vdocuments.us/reader036/viewer/2022071017/5fd0cd7bda2f805d0e3f793f/html5/thumbnails/1.jpg)
Reducing Risk and Building CapacityThe Cybersecurity Capacity Maturity Model (CMM) for NationsProf Michael GoldsmithGlobal Cyber Security Capacity Centre (GCSCC)April 2017
![Page 2: Reducing Risk and Building Capacity€¦ · The Global Cyber Security Capacity Centre (GCSCC) is a leading international centre for research on efficient and effective cybersecurity](https://reader036.vdocuments.us/reader036/viewer/2022071017/5fd0cd7bda2f805d0e3f793f/html5/thumbnails/2.jpg)
Delivering Effective Cybersecurity Both Within The UK And InternationallyThe Global Cyber Security Capacity Centre (GCSCC) is a leading international centre for research on efficient and effective cybersecurity capacity-building, promoting an increase in the scale, pace, quality and impact of cybersecurity capacity-building initiatives across the world.
It brings together international expertise across multiple sectors to contribute to Centre’s outputs.
![Page 3: Reducing Risk and Building Capacity€¦ · The Global Cyber Security Capacity Centre (GCSCC) is a leading international centre for research on efficient and effective cybersecurity](https://reader036.vdocuments.us/reader036/viewer/2022071017/5fd0cd7bda2f805d0e3f793f/html5/thumbnails/3.jpg)
Cybersecurity Capacity Maturity Model for Nations (CMM)
![Page 4: Reducing Risk and Building Capacity€¦ · The Global Cyber Security Capacity Centre (GCSCC) is a leading international centre for research on efficient and effective cybersecurity](https://reader036.vdocuments.us/reader036/viewer/2022071017/5fd0cd7bda2f805d0e3f793f/html5/thumbnails/4.jpg)
5 Dimensions of Cybersecurity Maturity
D 1Cyber Policy and Strategy
D 2Cyber Culture and Society
D 5Organisations,
Technologies andStandards
D 3Cyber
Education,Training and
SkillsD 4Cyber
Legislationand
Regulation
Human, financial
and technical resources
![Page 5: Reducing Risk and Building Capacity€¦ · The Global Cyber Security Capacity Centre (GCSCC) is a leading international centre for research on efficient and effective cybersecurity](https://reader036.vdocuments.us/reader036/viewer/2022071017/5fd0cd7bda2f805d0e3f793f/html5/thumbnails/5.jpg)
Structure of the CMM
Dimension
Factor
Aspect
Start-up stage
Indicators
Formative stage
Indicators
Established stage
Indicators
Strategic stage
Indicators
Dynamic stage
Indicators
![Page 6: Reducing Risk and Building Capacity€¦ · The Global Cyber Security Capacity Centre (GCSCC) is a leading international centre for research on efficient and effective cybersecurity](https://reader036.vdocuments.us/reader036/viewer/2022071017/5fd0cd7bda2f805d0e3f793f/html5/thumbnails/6.jpg)
Stages of Maturity
Start-up
Formative
Established
StrategicDynamic
![Page 7: Reducing Risk and Building Capacity€¦ · The Global Cyber Security Capacity Centre (GCSCC) is a leading international centre for research on efficient and effective cybersecurity](https://reader036.vdocuments.us/reader036/viewer/2022071017/5fd0cd7bda2f805d0e3f793f/html5/thumbnails/7.jpg)
Example:
Dimension 1Cyber Policy and Strategy
1.1: National cybersecurity strategy
1.2: Incident response
1.3: Critical Infrastructure (CI) Protection
Identification
Organisation
Risk Management and Response1.4: Crisis Management
1.5: Cyber Defence Consideration
1.6: Communications Redundancy
![Page 8: Reducing Risk and Building Capacity€¦ · The Global Cyber Security Capacity Centre (GCSCC) is a leading international centre for research on efficient and effective cybersecurity](https://reader036.vdocuments.us/reader036/viewer/2022071017/5fd0cd7bda2f805d0e3f793f/html5/thumbnails/8.jpg)
CMM Reviews
![Page 9: Reducing Risk and Building Capacity€¦ · The Global Cyber Security Capacity Centre (GCSCC) is a leading international centre for research on efficient and effective cybersecurity](https://reader036.vdocuments.us/reader036/viewer/2022071017/5fd0cd7bda2f805d0e3f793f/html5/thumbnails/9.jpg)
Stakeholder Clusters
Criminal Justice
Defense/ Intelligence
Academia/ Civil Society
GovernmentLegislators
CERT and IT
Critical Infrastructure
![Page 10: Reducing Risk and Building Capacity€¦ · The Global Cyber Security Capacity Centre (GCSCC) is a leading international centre for research on efficient and effective cybersecurity](https://reader036.vdocuments.us/reader036/viewer/2022071017/5fd0cd7bda2f805d0e3f793f/html5/thumbnails/10.jpg)
Strategic Partners
![Page 11: Reducing Risk and Building Capacity€¦ · The Global Cyber Security Capacity Centre (GCSCC) is a leading international centre for research on efficient and effective cybersecurity](https://reader036.vdocuments.us/reader036/viewer/2022071017/5fd0cd7bda2f805d0e3f793f/html5/thumbnails/11.jpg)
Ministry of Foreign Affairs of the NetherlandsMinistry of Foreign Affairs of NorwayUK Cabinet Office
Partners
![Page 12: Reducing Risk and Building Capacity€¦ · The Global Cyber Security Capacity Centre (GCSCC) is a leading international centre for research on efficient and effective cybersecurity](https://reader036.vdocuments.us/reader036/viewer/2022071017/5fd0cd7bda2f805d0e3f793f/html5/thumbnails/12.jpg)
17 Reviews of National Cybersecurity Capacity since 2015
ColombiaJamaica
ArmeniaIceland (planned)KosovoKyrgyzstanLithuania MontenegroUK
MadagascarSenegalSierra LeoneUgandaZambia
BhutanFijiIndonesiaThailand
![Page 13: Reducing Risk and Building Capacity€¦ · The Global Cyber Security Capacity Centre (GCSCC) is a leading international centre for research on efficient and effective cybersecurity](https://reader036.vdocuments.us/reader036/viewer/2022071017/5fd0cd7bda2f805d0e3f793f/html5/thumbnails/13.jpg)
Underpinned a Regional Study by the OASAntigua and BarbudaArgentinaThe Bahamas BarbadosBelizeBoliviaBrazilChileColombiaCosta RicaDominicaDominican RepublicEcuadorEl SalvadorGrenadaGuatemalaGuyana
HaitiHonduras
JamaicaMexico
NicaraguaPanama
ParaguayPeru
Saint Kitts and NevisSaint Lucia
Saint Vincent andthe Grenadines
SurinameTrinidad and Tobago
UruguayVenezuela
https://publications.iadb.org/handle/11319/7449
![Page 14: Reducing Risk and Building Capacity€¦ · The Global Cyber Security Capacity Centre (GCSCC) is a leading international centre for research on efficient and effective cybersecurity](https://reader036.vdocuments.us/reader036/viewer/2022071017/5fd0cd7bda2f805d0e3f793f/html5/thumbnails/14.jpg)
What Are The Benefits Of The CMM?
• Ownership of review lies with country• Review of global cybersecurity capacity in 5 dimensions• Self-assessment to point out needs and next steps• Qualitative and quantitative benchmarking• Review report with recommendations
![Page 15: Reducing Risk and Building Capacity€¦ · The Global Cyber Security Capacity Centre (GCSCC) is a leading international centre for research on efficient and effective cybersecurity](https://reader036.vdocuments.us/reader036/viewer/2022071017/5fd0cd7bda2f805d0e3f793f/html5/thumbnails/15.jpg)
Observations From CMM Reviews
• Generally, countries found the reviews informative and helpful in identifying previously under-considered capacity gaps
• Diverse stakeholder groups enables comprehensive picture in report development
• Review itself as capacity-building exercise• Various lessons learned across all five dimensions of
cybersecurity capacity
![Page 16: Reducing Risk and Building Capacity€¦ · The Global Cyber Security Capacity Centre (GCSCC) is a leading international centre for research on efficient and effective cybersecurity](https://reader036.vdocuments.us/reader036/viewer/2022071017/5fd0cd7bda2f805d0e3f793f/html5/thumbnails/16.jpg)
Lessons Learned (Selection)
Policy and Strategy Misperception of the role of the CSIRT
Culture and Society Lack of understanding of the relationship between trust/confidence and security
Education, Trainingand Skills
Disconnect between educational offerings andindustry needs
Legislation and Regulation
Question whether new cybercrime/cybersecurity legislation is needed or adapting existing law is sufficient
Organisations, Technologies and
Standards
Standards adoption (particularly ISO standards) is mostly ad-hoc
Overall Data collection challenges
![Page 17: Reducing Risk and Building Capacity€¦ · The Global Cyber Security Capacity Centre (GCSCC) is a leading international centre for research on efficient and effective cybersecurity](https://reader036.vdocuments.us/reader036/viewer/2022071017/5fd0cd7bda2f805d0e3f793f/html5/thumbnails/17.jpg)
Way Ahead
CMM revision
Reflect lessons learned
Adapt to evolving cybersecurity
landscape
Continued deployment & support
Regional centres
International governance
International partners
Development of complementary
models
Cyber Harm Model
CMM for organisations
![Page 18: Reducing Risk and Building Capacity€¦ · The Global Cyber Security Capacity Centre (GCSCC) is a leading international centre for research on efficient and effective cybersecurity](https://reader036.vdocuments.us/reader036/viewer/2022071017/5fd0cd7bda2f805d0e3f793f/html5/thumbnails/18.jpg)
Incl Inventory of current intl and regional initiatives in cybersecurity
capacity building –partnership with the Global Forum on Cyber Expertise
(GFCE)
Visit: www.sbs.ox.ac.uk/cybersecurity-capacity
![Page 19: Reducing Risk and Building Capacity€¦ · The Global Cyber Security Capacity Centre (GCSCC) is a leading international centre for research on efficient and effective cybersecurity](https://reader036.vdocuments.us/reader036/viewer/2022071017/5fd0cd7bda2f805d0e3f793f/html5/thumbnails/19.jpg)
National Cybersecurity Reference Guide
A project undertaken in partnership with Commonwealth Secretariat Cybercrime Initiative, Commonwealth Telecommunication Organisation, ENISA, GCSP, ITU, Intellium, Microsoft, NATO CCDCOE, OECD, OAS, Potomac Institute, RAND Europe, UNCTAD and World Bank.
- will represent a single resource for any country to gain a clear understanding of the purpose and content of a national cybersecurity strategy and how to develop one- will also outline the existing relevant models and resources as well as offer an overview of the assistance available from various organizations.
![Page 20: Reducing Risk and Building Capacity€¦ · The Global Cyber Security Capacity Centre (GCSCC) is a leading international centre for research on efficient and effective cybersecurity](https://reader036.vdocuments.us/reader036/viewer/2022071017/5fd0cd7bda2f805d0e3f793f/html5/thumbnails/20.jpg)
Global Cyber Security Capacity CentreOxford Martin School, University of Oxford34 Broad Street, Oxford OX1 3BD, UK Phone: +44(0)1865 287903 [email protected]
www.oxfordmartin.ox.ac.uk/cybersecurity
Thank you!