1 of 23

Cybersecurity Capacity: From the Nation to the Workplace

Presentation to Yucatán i6 Congress

Professor William Dutton, 9 November 2022

William.Dutton@cs.ox.ac.uk

2 of 23

  • An international research centre in cybersecurity capacity-building at the University of Oxford.
  • Empirical research into what constitutes national cybersecurity capacity, and what constitutes effective cybersecurity capacity development.
  • The GCSCC brings together international expertise across multiple sectors and disciplines from across the world to contribute to its outputs.
  • The GCSCC promotes an increase in the scale, pace, quality and impact of cybersecurity capacity-building initiatives across the world.

GCSCC – Who we are

3 of 23

4 of 23

Cybersecurity Capacity Maturity Model for Nations (CMM)

  • Systemically benchmarks a nation’s position using a multi-stakeholder process
  • Assesses a nation’s current position and directions for increasing of maturity
  • Openly published and scrutinised for nations to self-assess
  • Five-dimensions of assessment bridge siloes of expertise
  • Creates an evidence-base for investment cases, capacity building projects, and national strategies
  • Facilitates comparison cross-nationally and overtime to identify trends and implications

5 of 23

Cybersecurity Capacity Maturity �Model for Nations (CMM) 2021 Edition

  • spanning five Dimensions and 23 Factors including

almost 800 indicators

  • developed and reviewed in global multi-stakeholder consultation processes

Add new CMM graphic

6 of 23

����

7 of 23

5 Stages of

Maturity

8 of 23

  • 10 online sessions over 5 days;
  • 10 stakeholder clusters;
  • 2 Dimensions per stakeholder cluster/session;
  • Interactive discussion;
  • Chatham House Rule;
  • No preparation required.

Modified Focus Group Discussions are Central

9 of 23

Output: the Review Report

  • Narrative of the findings
  • Maturity stage per Factor
  • Recommendations for each Factor
  • Report is owned by the country which decides on the publication of the report
  • GCSCC uses the data (maturity stage per Aspect) for research

10 of 23

  • Drives increased cybersecurity awareness and capacity building and contributes to greater collaboration within government;
  • Enhances internal credibility of cybersecurity agenda within governments;
  • Helps define roles and responsibilities within governments;
  • Helps enable networking and collaboration with business and wider society;
  • Increases funding for cybersecurity capacity building; and
  • Is foundational to country strategy and policy development.

CMM End-user Value and Capacity-building Impact

According to an external evaluation in 2020

11 of 23

Bahamas, The

Brazil

Colombia

Ecuador

Jamaica

+ 2 Regional Studies by the OAS

Botswana

Burkina Faso

Cabo Verde

Cameroon

Chad

Cote d’Ivoire

Gambia, The

Ghana

Iraq

Lesotho

Liberia

Madagascar

Malawi

Bangladesh

Bhutan

Kyrgyzstan

Indonesia

Myanmar

Thailand

Sri Lanka

Status: December 2021

Fiji

Kiribati

Micronesia

Samoa

Papua New Guinea

Tonga

Tuvalu

Vanuatu

Albania

Armenia

Bosnia & Herzegovina

Cyprus

Georgia

Iceland

Kosovo

Lithuania

Macedonia

Montenegro

Serbia

Switzerland

UK

Over 120 National Cybersecurity Capacity Reviews

(inc. reassessments)

Mauritius

Morocco

Namibia

Niger

Nigeria

Rwanda

Senegal

Sierra Leone

Somalia

Tunisia

Uganda

Zambia

12 of 23

Research Insights:

      • Capacity-Building Shapes Positive Internet Use & Development
  • Supports Cybersecurity Education, Awareness Raising, and Training

https://gcscc.ox.ac.uk/publications

13 of 23

New Directions of CMM Development

  • Building on Nations Assessed and the Constellation of Centres
  • Scaling Down: from nation to organization to workplace?
  • Cybersecurity in Working from Home: An Exploratory Study

14 of 23

Cybersecurity Across Workplaces: the Project

Exploratory interviews followed by a survey of the impact of the pandemic on work and cybersecurity

Global Centre for Cybersecurity Capacity Building (GCSC), University of Oxford in collaboration with GrapeData

GrapeData: Tech-enabled market research company specialised in B2B and B2C surveys with global coverage

An exploratory online global survey with 7,330 adult participants (summer 2022)

Limitations of nonprobability sample and the perceptions of respondents

15 of 23

Global Distribution of Respondents by Residence

16 of 23

17 of 23

18 of 23

19 of 23

Cybersecurity Issues: Increasing Trend

20 of 23

Cybersecurity Issues: Peak During the Pandemic

21 of 23

Total Number of Issues (Variety)

WFH during the pandemic, from office before

WFH during and before

Working from office during and before

22 of 23

Next Steps of this Exploratory Project

  • Reporting the descriptive results
  • Developing analytical studies exploring the factors shaping different patterns of working from various places and their impact on cybersecurity problems
  • Identifying support to move beyond an exploratory survey, with its sample limitations

23 of 23

https://www.linkedin.com/company/global-cyber-security-capacity-centre/

www.oxfordmartin.ox.ac.uk/cybersecurity

https://gcscc.ox.ac.uk

Department of Computer Science

University of Oxford

15 Parks Road, Oxford OX1 3QD, UK�Phone: +44(0)1865 287903     �cybercapacity@cs.ox.ac.uk

Contact me at

William.Dutton@cs.ox.ac.uk