Date: April 2013 - March 2017
Project leader: Sadie Creese, Ian Brown, Michael Goldsmith, David Upton
The Global Cyber Security Capacity Centre (GCSCC) is a leading international centre for research on efficient and effective cybersecurity capacity building. It has created the National Cybersecurity Capacity Maturity Model (CMM), the first-of-its-kind model to review a country’s cybersecurity capacity maturity. Together with key strategic international partners, such as the World Bank, the Organization of American States (OAS), the Commonwealth Telecommunications Organisation, and the International Telecommunication Union, the Capacity Centre has since 2015 successfully deployed the CMM in over 40 countries around the world, and significantly underpinned a regional study in Latin America and the Caribbean through collaboration with the OAS. The review processes and the resulting reports, drafted by the GCSCC, enabled the governments to benchmark national cybersecurity policy and strategies, cybersecurity culture, knowledge development, legal and regulatory frameworks, and risk controls. The results and recommendations enabled nations to better plan national strategies, facilitate international and regional collaboration and cooperation, and set priorities for strategic investment and capacity development. To foster global knowledge exchange and transfer of expertise gained in the global community, the GCSCC also runs the publicly-available Cybersecurity Capacity Portal, a global online resource for good practice and knowledge in cybersecurity capacity building, which also includes a mapping of international and regional capacity building efforts by the various actors in the field. [www.sbs.ox.ac.uk/cybersecurity-capacity/]
The deployment of the model has been in itself an effective capacity-building exercise and has been informing the thinking of the global community. The deployment of the CMM has also become part of two global and regional initiatives by the Global Forum on Cyber Expertise (GFCE). The GCSCC encourages the further uptake of the model by other countries and international community actors and has constant conversations with regional organisations, governments, private companies and other research institutions who work on this issue. It also has recently established its first regional partnership with the Oceania Cybersecurity Centre, which will be the focal point for cybersecurity capacity building in that region.
Rather than evaluating only a country's policies, CMM reviews look at its maturity in addressing a wide range of questions, including: how well do the various stakeholders work together to create and revise policies, make decisions, and assess whether strategies are working? The resultant review allows countries to understand their strengths and weaknesses, and target their resources to develop cybersecurity capacity according to their national priorities.
This methodology has been endorsed by the Organization of American States, the World Bank, and the Commonwealth Telecommunications Organisation, and has been used to assess over 40 countries, including Bhutan, Jamaica, Uganda, the UK, and 32 members of the Organization of American States. The model is a living document which continues to be revised and refined.
The Capacity Centre is also developing a model for Understanding Cyber Harm, moving beyond simple measures of financial harm to address complex issues of reputational, psychological, physical harm etc. Together the Capacity Maturity Model and the future HARM Model will enable nation states and/or organisations to make better informed decisions when it comes to financial investments in cybersecurity capacity building.
The Capacity Centre also hosts the Cybersecurity Capacity Portal, a global resource for expertise and knowledge on cybersecurity capacity building. This publicly-available online platform provides access to all of the tools, models and best cases, includes an inventory of international, regional and national cyber capacity building initiatives underway, and aggregates a number of other resources in the field.
More details at:
http://www.oxfordmartin.ox.ac.uk/cybersecurity