Cybersecurity Capacity Maturity Model For Nations (CMM) 2021 Edition

Cybersecurity Capacity Maturity
Model for Nations (CMM) 2021 EDITION
Electronic copy available at: https://ssrn.com/abstract=3822153

Executive Summary
The world’s economies continue to develop with an ever- Capacity Centre undertook a global collaborative exercise
increasing dependence on technology. If we do not ensure aimed at extracting and synthesising the community’s latest
that cybersecurity capacity exists across the entirety of knowledge. The GCSCC developed change proposals based
cyberspace, we will inevitably create cyber-ghettos. In such on lessons learned from CMM deployments, and undertook
environments, cyber-harm may become prevalent and cyber- a series of online and offline consultations with experts, to
attacks can easily be launched. The ability of countries to validate the findings and discuss the changes. Those who
respond and grow capacity in the face of changing threats were consulted included the GCSCC Expert Advisory Panel,
– be they due to trends in technology use, the socio-political strategic, regional and implementation partners of the
climate, or evolution of the threat-actor ecosystem – has GCSCC, and other experts from academia, international and
never been more important. regional organisations, governments, the private sector, and
civil society. Based on their input, indicators for each Aspect
The Cybersecurity Capacity Maturity Model for Nations have been identified, designed, refined, and validated.
(CMM) helps nations understand what works, what
does not work and why, across all areas of cybersecurity Actors around the world, ranging from individuals to nation
capacity. This is important so that governments and states, need to ensure that cyberspace and the systems
enterprises can adopt policies and make investments that dependent on it are resilient to increasing attacks. The
have the potential to significantly enhance safety and CMM 2021 Edition and its deployment will continue to
security in cyberspace, while also respecting human rights, contribute towards efforts to achieve this resilience, not only
such as privacy and freedom of expression. by gaining a more profound understanding of international
cybersecurity capacity, but also by increasing effective
Since 2015, the Global Cyber Security Capacity Centre investment into cybersecurity capacity based on a rigorous
(GCSCC, Capacity Centre) has actively promoted the CMM analysis of data collected from the deployment of the
across sectors, to drive conversation around cybersecurity model. Critical gaps in all areas of international cybersecurity
capacity and to help improve global technology. The will be identified and filled with scalable and effective
resulting adoption of the CMM by various key international countermeasures, in co-operation with international
stakeholders, and the completion of more than 120 CMM partners from the global cybersecurity community.
reviews in more than 85 countries around the world,
demonstrates the positive impact of the research, supports The enhancement of the CMM is not intended to be a D1
government self-assessments and informs the development static exercise; a continuous process of refinement will
of industry tools and resources. be maintained to ensure the CMM remains applicable
to all national contexts and reflects the global state of D2
Prompted by the changing threat landscape and cybersecurity capacity maturity. However, this evolution
corresponding cybersecurity practice, the GCSCC has led a will continue to be a considered exercise, stimulated by
revision of the CMM, the first to be carried out since the D3
evidence and practice.
2016 edition was issued. To produce this 2021 edition, the
D4
D5
2 Cybersecurity Capacity Maturity Model for Nations (CMM) - 2021 Edition

Contents Executive Summary
A National Cybersecurity Assessment with the CMM
The Dimensions of National Cybersecurity Capacity
2
4
5
The Structure of the CMM 7
Dimension 1: Cybersecurity Policy and Strategy 9

D 1.1: National Cybersecurity Strategy 12
D 1.2: Incident Response and Crisis Management 14
D 1.3: Critical Infrastructure (CI) Protection 16
D 1.4: Cybersecurity in Defence and National Security 17
Dimension 2: Cybersecurity Culture and Society 19

D 2.1: Cybersecurity Mindset 22
D 2.2: Trust and Confidence in Online Services 23
D 2.3: User Understanding of Personal Information Protection Online 26
D 2.4: Reporting Mechanisms 27
D 2.5: Media and Online Platforms 28
Dimension 3: Building Cybersecurity Knowledge and Capabilities 29

D 3.1: Building Cybersecurity Awareness 32
D 3.2: Cybersecurity Education 34
D 3.3: Cybersecurity Professional Training 36
D 3.4: Cybersecurity Research and Innovation 37
Dimension 4: Legal and Regulatory Frameworks 38

D 4.1: Legal and Regulatory Provisions 41
D 4.2: Related Legislative Frameworks 43
D 4.3: Legal and Regulatory Capability and Capacity 45
D 4.4: Formal and Informal Co-operation Frameworks to Combat Cybercrime 47
Dimension 5: Standards and Technologies 48

D 5.1: Adherence to Standards 51
D 5.2: Security Controls 53
D 5.3: Software Quality 55 D1
D 5.4: Communications and Internet Infrastructure Resilience 56
D 5.5: Cybersecurity Marketplace 57
D 5.6: Responsible Disclosure 59 D2
Evolution of the CMM 60

Acknowledgements 61 D3
About the GCSCC 62
D4
D5

A National Cybersecurity
Assessment with the CMM
The CMM review of a country involves data-gathering by a • the enhancement of the internal credibility of the
team of researchers who carry out in-country stakeholder cybersecurity agenda within governments;
consultation and desk research. The output is an evidence-
based report which: • help in defining roles and responsibilities within
governments;
• benchmarks the maturity of a country’s cybersecurity
capacity; • providing evidence to increase funding for cybersecurity
capacity building; and
• details a pragmatic set of actions to contribute to the
advancement of cybersecurity capacity maturity gaps; and • a foundation for country strategy and policy development.
• identifies priorities for investment and future capacity- It is important that a country can evidence its achievements
building, based on a country’s specific needs. in cybersecurity capacity and the CMM identifies what that
evidence should be, and what it demonstrates. Such evidence
According to an independent study commissioned by the gathering is in itself a multi-stakeholder process, involving a
UK Foreign, Commonwealth and Development Office, the wide range of sources and organisations. Discussions can be
benefits of a CMM review for a country are numerous and important to resolve differences of opinion. Whether such
include: discussions can be effective if done remotely (and online), or
will necessitate face-to-face meetings, will depend upon the
• increased cybersecurity awareness and capacity building, country undertaking a review.
and greater collaboration within government;
For more information on the CMM review methodology,
• networking and collaboration with business and wider process and exemplary CMM reports, visit:
society; https://gcscc.ox.ac.uk/the-cmm
D1
D2
D3
D4
D5

Cybersecurity Policy Cybersecurity Culture Building Cybersecurity Legal and Standards and
and Strategy and Society Knowledge and Regulatory Technologies
Capabilities Frameworks
The Dimensions
of National Dimension 1
Cybersecurity Policy
Dimension 2
Cybersecurity
Cybersecurity
and Strategy Culture and Society
Capacity
The CMM considers cybersecurity to comprise five Dimensions
which together constitute the breadth of national capacity that a
country requires to be effective in delivering cybersecurity:
1. Developing cybersecurity policy and strategy;

Dimension 3
Dimension 5 Building Cybersecurity
2. Encouraging responsible cybersecurity culture within society;
Standards and
Knowledge and
3. Building cybersecurity knowledge and capabilities; Technologies
Capabilities
4. Creating effective legal and regulatory frameworks; and
5. Controlling risks through standards and technologies.
Dimension 4 D1
Legal and Regulatory
Frameworks
D2
D3
D4
D5

ension 1 ension 2 ension 3 nsion 4
imecountry’s mension 5
Dim Dim 1 Cybersecurity
Dimension Dimand Strategy
Policy exploresDthe capacity Di The CMM defines five Stages of maturity for all Dimensions being: start-up,
to develop and deliver cybersecurity strategy, and to enhance its cybersecurity formative, established, strategic, and dynamic. These correspond to the following:
resilience by improving its incident response, cyber defence and critical infrastructure initial development of capacity, being established, being world-leading, and able to
(CI) protection capacities. This Dimension considers effective strategy and policy anticipate and prepare for future cybersecurity needs.
in delivering national cybersecurity capability, while maintaining the benefits of a
cyberspace vital for government, international business and society in general. It should be noted that there are relationships between the Dimensions; for example,
Cybersecurity Policy Cybersecurity Culture Building Cybersecurity Legal and Standards and to be effective in one area of capacity often places requirements on other areas1. It
nsion
andeStrategy Dimension
anden2siCybersecurity
o
Society
n Culturee nand
s
Knowledgeio Society reviewsRegulatory
and
n important
ens ion elements of Technologies
a is also the case that resources are limited and priorities for capacity enhancements
1 Dim 2 Dim
responsible
3 im
DCapabilities
cybersecurity culture
4 im
DFrameworks
such as the understanding
5
of cyber-related risks are likely to require a response which could span multiple Dimensions. Therefore,
in society, the level of trust in Internet services, e-government and e-commerce a benchmarking activity reviews a country against the entire CMM and across all
ension 1 ensiousers’
n 2 understanding enofsipersonal
on 3 nsion 4
eprotection ension 5 Dimensions, enabling an holistic consideration of national capacity.
Dim services,
D im and D im information
D im online. D im
Moreover, this Dimension explores the existence of reporting mechanisms
functioning as channels for users to report cybercrime. In addition, this Dimension
reviews the role of media and social media in shaping cybersecurity values,
Policy Cybersecurity Culture Building and
attitudes Cybersecurity
behaviour. Legal and Standards and
y
2 iand sion
menSociety 3 i mensionand
Knowledge
4 i m ension 5
Regulatory Technologies
D DCapabilities DFrameworks
Dimension 3 Building Cybersecurity Knowledge and Capabilities reviews the
Cybersecurity Policy Cybersecurity Culture Building Cybersecurity Legal and Standards and
availability, quality and uptake of programmes for various groups of stakeholders,
nsion
andeStrategy anden sio
Society
n e
Knowledgen sionand en sio
Regulatoryn Technologies
1 Dim 2 including m
Di the government,
3 private m
i sector4and the population
DCapabilities im as a 5whole, and relate
DFrameworks
to cybersecurity awareness-raising programmes, formal cybersecurity educational
programmes, and professional training programmes.
ulture Building Cybersecurity Dimension Legal4 and Standards and
y3 imensionand
Knowledge 4 im ensiLegal
Regulatory
and Regulatory
on 5Dimension 1
Frameworks examines the government’s
TechnologiesDimension 2
DCapabilities DFrameworks
capacity to design and enact national legislation that directly and indirectly
Cybersecurity Policy Cybersecurity
relates to cybersecurity, with a particular
and Strategy emphasis placed on the topics of
Policy Cybersecurity Culture Building Cybersecurity Legal andCulture and SocietyStandards and
sion 3 regulatory requirements for cybersecurity, cybercrime-related legislation and
y
2 anden
Dim
Society imensionand
Knowledge
DCapabilities 4 mension 5
iRegulatory
DFrameworks
Technologies
related legislation. The capacity to enforce such laws is examined through law
enforcement, prosecution, regulatory bodies and court capacities. Moreover, this
Dimension observes issues such as formal and informal co-operation frameworks
curity Legal and to combat cybercrime.
Standards and
nd
im en sio
Regulatoryn 5Dimension 1
Technologies
Dimension 2
s4 DFrameworks Dimension 5 Standards and Technologies addresses effective and widespread
ulture use of cybersecurity
and Strategy
Building Cybersecurity Legal andCulturetechnology to protect
and SocietyStandards and individuals, organisations and national
y3 m ensionand
Knowledge
i 4 im ensionThis
infrastructure.
Regulatory 5 Dimension specifically
Technologies examines the implementation of
DCapabilities DFrameworks
cybersecurity standards and good practices, the deployment of processes and D1
Dimension 3
controls,
Dimension 5 and the development of technologies and products in Building order toCybersecurity
reduce
Standards and
cybersecurity risks. Knowledge and
Standards and Technologies Capabilities
D2
y Dimension 1 TechnologiesDimension 2
s
curity
and Strategy Legal andCulture and SocietyStandards and D3
imension 5
nd Regulatory Technologies
s4 DFrameworks
Dimension 3 D4
DimensionFor
5 a country to reach an established level of maturity under the Aspect ‘Initiatives by Government’ in Factor 3.1 Building Cybersecurity Awareness, one of the requirements that must be met is that the content
1
Building Cybersecurity
of the co-ordinated national cybersecurity awareness-raising programme includes explicit links to national cybersecurity strategy. Similarly, for a country to reach an established level of maturity under the Aspect
Standards and
Knowledge
‘Administration’ in Factor 3.2 Cybersecurity Education, cybersecurity education priorities and from the multi-stakeholder consultation process should be reflected in the national cybersecurity strategy.
resulting
Technologies DimensionCapabilities
4
D5
Dimension 2
Cybersecurity Frameworks
ulture and SocietyStandards and
y Technologies
The Structure of the CMM
Dimension Indicator
The five Dimensions together cover the breadth of national cybersecurity capacity assessed Indicators represent the most basic part of CMM’s structure. Each Indicator describes
by the CMM. Each Dimension is constituted by a range of Factors, which capture the core the steps, actions, or building blocks that are indicative of a specific Stage of maturity. To
capacities required to deliver the Dimension. Together, they represent the different ‘lenses’ have successfully reached a Stage of maturity, a country will need to convince itself that it
through which cybersecurity capacity can be evidenced and analysed. can evidence each of the Indicators. In order to elevate a country’s cybersecurity capacity
maturity, all of the Indicators within a particular Stage will need to have been fulfilled. Most
Factor of these Indicators are binary in nature, i.e., the country can either evidence it has fulfilled
the Indicator criteria, or it cannot provide such evidence.
Within the five Dimensions, Factors describe what it means to possess cybersecurity
capacity. These are the essential elements of national capacity, which are then measured for
maturity Stage. The complete list of Factors seeks to holistically incorporate all of a nation’s
cybersecurity capacity needs. Most Factors are composed of a number of Aspects which
structure the Factor’s Indicators into more concise parts (which directly relate to evidence
DIMENSION
gathering and measurement). However, some Factors that are more limited in scope do not
have specific Aspects.
FACTOR
Aspect
Where a Factor possesses multiple components, these are Aspects. Aspects are an ASPECT
organisational method to divide Indicators into smaller clusters that are easier to
comprehend. The number of Aspects depends on the themes that emerge in the content of
the Factor and the overall complexity of the Factor.
START-UP FORMATIVE ESTABLISHED STRATEGIC DYNAMIC
STAGE STAGE STAGE STAGE STAGE
Stage
Indicators Indicators Indicators Indicators Indicators
Stages define the degree to which a country has progressed in relation to a certain Factor or
Aspect of cybersecurity capacity. The CMM consists of five distinct Stages of maturity: start-up,
D1
formative, established, strategic, dynamic (detailed on page 8). A CMM review will benchmark
a country against these Stages, capturing existing cybersecurity capacity, from which a country
can improve or decline depending on the actions taken (or inaction). Within each Stage there D2
are a number of Indicators which a country has to fulfil to successfully have reached the Stage.
D3
D4
D5

Dimension 5 Building
Standards and Dimension 1 Cybersecurity
Dimension 2
Cybersecurity
Policy Culture
Knowledge Building Cy
and Cybersecurity
Technologies and Strategy and Society
Capabilities
and Strategy Culture andKnowle
Society
Dimension 4 Capab
Frameworks
The Stages of National Dimension 5

Standards and
Dimensio
Building
Dimension 1 Cy
Cybersecurity Capacity
Technologies CybersecurityKnowledge
Policy
Capabilities
and Strategy
Dimension 4
Stages define the degree to which a country has progressed in relation to a certain Factor or Aspect of cybersecurity capacity Frameworks Dynamic
(see page 7). A CMM review will benchmark a country against these Stages, capturing existing cybersecurity capacity.
Dimension 5
Start-up Standards and
Technologies
At this Stage, either no cybersecurity maturity exists, orStart-up
it is very Stage Formative
embryonic in nature. There mightStage Established
be initial discussions about Stage Strategic Stage Dynamic Stage
cybersecurity capacity building, but no concrete actions have been taken. There may be an absence of observable evidence at Dimension 4
this Stage; Legal and Regulatory
StrategicFrameworks
Formative
Some features of the Aspect have begun to grow and be formulated, but may be ad hoc, disorganised, poorly defined or simply Dimension 5
new. However, evidence of this activity can be clearly demonstrated; Standards and
Start-up Stage Formative Stage Established Stage Technologies
Strategic Stage Dynamic Stage
Established Dimension 4
The Indicators of the Aspect are in place, and evidence shows that they are working. There is not, however, well thought-out Legal and Regulatory
consideration of the relative allocation of resources. Little trade-off decision-making has been made concerning the relative Established Frameworks
investment in the various elements of the Aspect. But the Aspect is functional and defined;
Strategic
Start-up Stage Formative Stage Established Stage Strategic Stage
Choices have been made about which parts of the Aspect are important, and which are less important for the particular
organisation or nation. The strategic Stage reflects the fact that these choices have been made, conditional upon the nation or Dimen
organisation’s particular circumstances; and Legal and R
Formative Frame
Dynamic
D1
At this Stage, there are clear mechanisms in place to alter national strategy depending on the prevailing circumstances, such
as the technology of the threat environment, global conflict, or a significant change in one area of concern (e.g. cybercrime
or privacy). There is also evidence of global leadership on cybersecurity issues. Key sectors, at least, have devised methods Start-up Stage Formative Stage Established Stage D2 S
for changing strategies at any stage during their development. Rapid decision-making, reallocation of resources, and constant
attention to the changing environment are feature of this Stage.
D3
The CMM allows the benchmarking of current national cybersecurity capacity. Understanding the requirements to achieve Start-up
higher levels of capacity will directly indicate areas for further investment, and how to evidence such capacity levels. The CMM
can also be used to build business cases for investment and expected performance enhancements. Combining a CMM review D4
with national risk assessments, social, and economic strategies can further prioritise which capacity enhancements to make.
Start-up Stage Formative Stage Establish
D5

and Strategy
Dimension 1: Cybersecurity
Policy and Strategy
imension 1
D
This Dimension explores the country’s capacity to develop and deliver
cybersecurity strategy and enhance its cybersecurity resilience through
improving its incident response, cyber defence and critical infrastructure
protection capacities. This Dimension considers effective strategy and
policy in delivering national cybersecurity capability, while maintaining
the benefits of a cyberspace vital for government, international business
and society in general.
D1
D 1.1
D 1.2
D 1.3
D 1.4
D2
D3
D4
D5

Factor Factor
D 1.1: National Cybersecurity Strategy D 1.2: Incident Response and Crisis Management
Cybersecurity strategy is essential to mainstreaming This Factor addresses the capacity of the government
a cybersecurity agenda across government because it to identify and determine characteristics of national
helps prioritise cybersecurity as an important policy level incidents in a systematic way. It also reviews the
area, determines responsibilities and mandates of key government’s capacity to organise, co-ordinate, and
cybersecurity government and non-governmental actors, operationalise incident response, and whether cybersecurity
and directs allocation of resources to the emerging and has been integrated into the national crisis management
existing cybersecurity issues and priorities framework
> Navigate to Factor > Navigate to Factor
Aspects Aspects
• Strategy Development: this Aspect addresses the • Identification and Categorisation of Incidents: this Aspect
development of a national strategy, allocation of identifies whether internal mechanisms are in place for
implementation authorities across sectors and civil society, identifying and categorising incidents;
and an understanding of national cybersecurity risks and
threats which drive capacity building at a national level; • Organisation: this Aspect addresses the existence of a
mandated central body designated to collect incident
• Content: this Aspect addresses the content of the national information, and its relationship with the public and private
cybersecurity strategy and whether it is linked explicitly sector for national level incident response; and
to national risks, priorities and objectives such as national
security, public awareness raising, and mitigation of • Integration of Cyber into National Crisis Management: this
cybercrime, incident response capability and critical national Aspect explores to what extent cybersecurity is integrated
infrastructure protection; into the national crisis management framework.
D1
• Implementation and Review: this Aspect addresses the

existence of an over-arching programme for cybersecurity D 1.1
co-ordination, including a departmental owner or co-
ordinating body with a consolidated budget; and D 1.2
• International Engagement: this Aspect explores to

D 1.3
what extent the country is aware of the existence of
international discussions on cybersecurity policy, and how
D 1.4
the international debates on cybersecurity policy and
related issues affect the country’s interests and international
standing. D2
D3
D4
D5

Factor Factor
D 1.3: Critical Infrastructure (CI) Protection D 1.4: Cybersecurity in Defence
and National Security
This Factor studies the government’s capacity to identify
CI assets, the regulatory requirements specific to the This Factor explores whether the government has the capacity
cybersecurity of CI, and the implementation of good to design and implement a strategy for cybersecurity within
cybersecurity practice by CI operators national security and defence. It also reviews the level of
> Navigate to Factor cybersecurity capability within the national security and
defence establishment, and the collaboration arrangements on
Aspects cybersecurity between civil and defence entities
• Identification: this Aspect addresses the existence of a > Navigate to Factor
general list of CI assets, sectors and operators, and an audit
of CI assets on a regular basis; Aspects
• Defence Force Cybersecurity Strategy: this Aspect
• Regulatory Requirements: this Aspect addresses the addresses the existence of a strategy for supporting
existence of regulatory requirements specific to the cybersecurity within national security and defence,
cybersecurity of CI; and and whether it is supported by appropriate legal
authorities and relevant operational doctrine and rules of
• Operational Practice: this Aspect explores whether CI
engagement;
operators implement recognised industry standards, and
the existence of arrangements for collaboration across and • Defence Force Cybersecurity Capability: this Aspect
within sectors. reviews the level of cybersecurity capability and
organisational structures within the national security
establishment; and
D1
• Civil Defence Co-ordination: this Aspect examines the
collaboration on cybersecurity between civil and defence
entities, and the existence of adequate resources in place. D 1.1
D 1.2
D 1.3
D 1.4
D2
D3
D4
D5

Factor - D 1.1: National Cybersecurity Strategy
Aspect Start-Up Formative Established Strategic Dynamic
No national cybersecurity Processes for strategy A national cybersecurity strategy Strategy review and renewal The national cybersecurity
strategy exists, although development have been has been published. processes are in place. strategy and implementation
planning processes for initiated. plan are both proactively
An assessment of country-specific Emerging cybersecurity risks
strategy development may reviewed to take account of
An outline/draft national national cybersecurity risk has been are regularly assessed and used
have begun. broader strategic developments
cybersecurity strategy has been conducted. to update the strategy and
within the country (political,
Advice may have been sought articulated. implementation plan.
The strategy reflects the needs economic, social, technical, legal
from international partners.
Consultation processes have and roles of relevant stakeholders The impact of the strategy and environmental).
been agreed for key stakeholder across government (national and on risk and harm reduction is
Strategy The country is an acknowledged
groups, including private sector, sub-national), business and civil understood and is used to inform
authority within the international
Development civil society and international society. funding and priority decisions.
community and is supporting
partners.
An implementation programme is the development of national and
in place which covers the scope of global cybersecurity strategies.
the strategy.
Cybersecurity considerations are
Mechanisms are in place to enable embedded within other relevant
strategy ‘owners’ to monitor national-level strategies and
achievement of outcomes, address implementation programmes.
implementation issues and
maintain strategy alignment.
Various national policies and Content exists that reflects The content of the national The content takes account of the The content takes account of the
strategies may exist that refer country-specific priorities and cybersecurity strategy is based on impact on cybersecurity risk of impact of broader developments
to cybersecurity, but these circumstances. a comprehensive risk assessment emerging technologies and their on cybersecurity risk (political,
are not comprehensive and that includes explicit links to use within critical infrastructure, economic, social, technical, legal
Links exist between the strategy
there is little evidence that wider national level economic and the wider economy and society. and environmental).
(or draft strategy) and priorities D1
these reflect specific national political policies and strategies.
such as national security, The outcomes defined in The content of the national
priorities and circumstances.
digital strategy and economic The content includes actions the strategy are specific and cybersecurity strategy promotes
development, but these are to raise public and business measurable. Metrics have and encourages bilateral and D 1.1
generally ad hoc and lack detail. awareness, mitigate cybercrime, been defined which enable multilateral co-operation
establish incident response stakeholders to evaluate the between countries to ensure
The strategy (or draft strategy) D 1.2
capability, promote public-private effectiveness of the strategy in a secure, resilient and trusted
defines the key outcomes against
Content which success can be evaluated.
partnership and protect critical reducing harm. cyberspace.
infrastructure and the wider D 1.3
Consideration has been given
economy.
to how the beneficial outcomes
Consideration has been given to of the strategy can be sustained
D 1.4
how the national cybersecurity beyond the strategy’s lifetime,
strategy might incorporate or including how the maintenance
support wider online policy of new capabilities will be
objectives such as: child protection; financed. D2
the promotion of Human Rights;
the promotion of Equality, Diversity
and Inclusion; and managing D3
disinformation.
D4
D5

Factor - D 1.1: National Cybersecurity Strategy
No overarching A co-ordinated cybersecurity A detailed implementation plan has Outcome-oriented metrics are Mechanisms are in place
national cybersecurity implementation programme is been published including actions, being used to monitor the impact to make more far-reaching
implementation programme being developed with relevant responsible entities and resource that the programme is having on changes to the programme in
has been developed. stakeholders involved, including budgets. The implementation plan risk reduction (and other relevant the event of significant changes
the private sector and civil involves relevant stakeholders across strategy goals). in circumstance (political,
society. government and other sectors. economic, social, technical, legal
There is evidence of these
and environmental).
Actions within the programme A co-ordinating body has been metrics being used to refine
have been assigned to specific assigned. The body has sufficient action plans. The programme contributes
‘owners’ but the availability of authority to ensure that action to the global development of
Metrics (both progress and
adequate resources has not yet ‘owners’ are held to account. outcome-oriented metrics and
outcome-oriented metrics) are
Implementation been confirmed. their application.
The resources required to deliver the drawn from a wide variety of
and Review Mechanisms to review processes actions of the programme have been governmental, non-governmental
are limited or ad hoc. identified and are in place. Budget and international sources.
shortfalls are identified and escalated
There is independent oversight
to the relevant authority.
and/or assurance of the
Programme review processes and programme.
metrics are in place that allow
progress to be measured and risks,
issues and dependencies to be
escalated to the relevant authority.
These processes are adequately
funded.
There is limited awareness The country is aware of the An assessment has been made of The country is actively building The country is a leading actor
of the principal international existence of international how the international debates on international communities in building consensus, fostering D1
debates relating to discussions on cybersecurity cybersecurity policy and related of interest around specific inclusivity and shaping the
cybersecurity policy (such policy and related issues. issues affect the country’s interests cybersecurity policy goals and international debates on key
as cybersecurity norms, and international standing. Specific promoting their adoption. cybersecurity policy issues. D 1.1
The country may, on occasion,
mutual legal assistance, engagement objectives have been
participate in regional or The country makes a major The country is focused on the
Internet Governance, data defined accordingly. Multiple
international discussions on contribution to regional/ future, seeing emerging issues D 1.2
sovereignty, data protection). stakeholders have been involved in
matters related to cybersecurity international operational bodies (around new technology or new
International this process.
The country may benefit issues, but does not generally and is actively involved in types of threat), and is initiating
Engagement from regional/ international play an active role. The country is actively participating building capacity in third-party new international debates D 1.3
operational collaboration in relevant international bodies and countries. around the key issues.
The country may participate
networks but does not forums, either directly or through D 1.4
in relevant operational The country is actively involved
actively engage. relevant representative bodies.
collaboration and policy bodies in creating new regional/
Their voices are being heard and
(such as FIRST*, regional CERT** international collaboration
are having an impact.
bodies, the IGF***, or the UN mechanisms. D2
GGE****), but takes mainly a The country actively contributes to
passive role. regional/ international operational
collaboration and policy bodies. D3
* Forum of Incident Response and Security Teams

** Computer Emergency Response Team D4
*** Internet Governance Forum
**** The United Nations Group of Governmental Experts
D5

Factor - D 1.2: Incident Response and Crisis Management
No process for identifying and Some organisations and sectors Most major organisations Insights arising from national The criteria for categorising
categorising national-level have internal mechanisms for have internal mechanisms for level incidents are routinely incidents are sufficiently flexible
incidents exists. identifying and categorising identifying and categorising analysed in order to establish to cater for rapidly emerging
incidents within their purview. incidents. lessons and inform broader changes in the underlying
Identification cybersecurity policy and strategy. technological or threat
A process for identifying A central registry of national-
environment.
and national-level incidents is under level cybersecurity incidents
Categorisation development. exists and a process for timely The country is contributing
escalation of incidents, from the to international best practice
of Incidents There is no central registry in
organisational to the national in incident identification and
place but ad-hoc arrangements
level, is in place. categorisation.
exist for dealing with the most
significant events. Individual national incidents are
categorised according to severity
and resources are allocated
accordingly.
No organisation for national-level A national CERT* might exist but A national body for incident The national body undertakes The government’s overall
cyber incident response exists. lacks sufficient resources and response has been established. a wide range of engagement operational response is
skills. It has the resources, skills, activities such as convening adaptive to changes in the
A few organisations may have
documented processes and legal communities of interest, running underlying technical and threat
internal cybersecurity response Processes for managing incidents
authorities required to address cross-sector exercises and environment.
mechanisms in place but co- are still in development.
the range of cyber incident promoting best cybersecurity
ordination is minimal. The country is contributing to
Some organisations from scenarios that the country is likely practices.
international best practice on
public and private sectors have to face (including out-of-hours
The national body innovates to how to organise operational
internal cybersecurity response capability, if appropriate).
provide a range of additional responses to cybersecurity
mechanisms in place but co-
ordination with the national
Relationships and protocols services that improve the threats. D1
are in place to enable incident country’s ability to prevent,
CERT is ad hoc.
management co-ordination detect, respond and recover
The role of sub-national bodies between the national body and from threats. D 1.1
Organisation is unclear. other elements of the public and
The national body is widely
Bilateral co-operation with private sectors.
recognised as an authoritative D 1.2
international partners is limited The role of sub-national bodies voice on cybersecurity within the
or ad hoc. in incident response is clear country.
and mechanisms are in place to D 1.3
The effectiveness of the national
enable co-ordination between the
body in reducing cyber risk and
national and sub-national levels. D 1.4
harm is regularly evaluated
There is regular sharing of threat and benchmarked against
and vulnerability information, international good practice.
and operational good practices D2
between the national body and a
wide range of public and private
sector organisations, as well as D3
international partners.
D4
* Computer Emergency Response Team

D5

Factor - D 1.2: Incident Response and Crisis Management
No framework exists for national- A national crisis management Cybersecurity is fully integrated Lessons learnt from cyber crisis The country is contributing to
level crisis management. framework is in development into the national crisis exercises are used to inform the debate on the integration
and a specific organisation has management framework and the both national crisis management of cyber into national and
Cybersecurity has not been
been allocated responsibility organisation responsible for crisis policy and the national international crisis management.
considered as a potential
for leading national-level crisis management is equipped to deal cybersecurity strategy and
national-level crisis scenario. Emergency communications
response. with a range of cybersecurity- implementation plan.
capabilities are capable of
Emergency communication related scenarios.
Cybersecurity has been International crisis planning operating beyond the country’s
capabilities are limited.
recognised as relevant to The role of a cyber incident and exercising with partners border in order to support third-
national crisis management, management authority within exists and routinely includes party countries and global crisis
Integration of both as a factor in its own right the crisis management process is cybersecurity as an element. responses.
Cybersecurity and as an element of other crisis well defined and established, and
The resilience of emergency
scenarios. escalation thresholds are fully
into National understood.
communications has been stress-
Crisis An exercise programme is in tested against a wide range of
development and includes National crisis management potential scenarios.
Management
cybersecurity-based scenarios. scenarios with cybersecurity
components are regularly
Emergency communication
exercised.
capabilities are in place but may
not be well integrated or lack Emergency communication
resilience to cyber disruption. systems are regularly tested
for cyber resilience against a
range of cybersecurity-related
scenarios.
D1
D 1.1
D 1.2
D 1.3
D 1.4
D2
D3
D4
D5

Factor - D 1.3: Critical Infrastructure (CI) Protection
There may be some A list of general CI assets, sectors The list of CI assets has been The list of CI assets is adaptive to There is flexibility in the process
appreciation of what and operators has been created. formalised and incorporates a range of strategic shifts in the underlying for identifying CI assets to cater
constitutes a CI asset, but no appropriate public and private sector technical, social and economic for rapidly emerging changes in
formal categorisation of CI organisations. environment. the underlying technological or
assets has been produced. threat environment.
Specific operators have been identified Interdependencies between
Identification and are aware of their status. sectors are managed. The country is actively involved
in the identification and
The list is kept up to date to Cross-border dependencies are
prioritisation of global CI assets.
reflect changes in the country’s managed.
circumstances. Cross-sector and cross-border
dependencies are mitigated.
Cross-border dependencies have been
identified.
There are no existing The need for baseline CI operators are mandated by Novel approaches to regulatory Regulatory frameworks are
regulatory requirements standards to govern CI assets is regulation to meet appropriate supervision are being developed sufficiently flexible to cater for
specific to the cybersecurity acknowledged but these are not cybersecurity standards (either in to improve CI cybersecurity while rapidly emerging changes in
of CI. explicitly mandated in regulation. the form of specific cyber regulation also facilitating effective and the underlying technological or
or as part of broader regulatory efficient CI service delivery. threat environment.
Sector regulators do not
requirements).
Regulatory routinely assess CI operators for The country is promoting best The country is actively involved
compliance. Mandatory breach reporting and practice regulatory approaches at in establishing regulatory
Requirements vulnerability disclosure requirements an international level. approaches to assuring global CI.
are in place.
Formal processes are in place to
evaluate CI operator compliance with
regulatory standards and incident and D1
vulnerability disclosure.
D 1.1
A few CI operators may Many CI operators are CI operators are consistently There is extensive collaboration The country and its CI operators
be implementing good implementing good cybersecurity implementing recognised industry among CI operators and with are contributing to the
cybersecurity practices, but practice. standards and the effectiveness public authorities to develop international debate on global D 1.2
this is inconsistent. of their cybersecurity controls are strategies that enhance collective critical infrastructure resilience.
There is some self-assessment
regularly assessed. cybersecurity. D 1.3
against recognised industry Experts from the regulators
standards. Mechanisms are in place for operators The resilience of the critical and CI operators are recognised
to share threat and vulnerability infrastructure ecosystem as internationally for their D 1.4
Some informal arrangements
information, best practices and lessons a whole has been assessed contribution to addressing
Operational exist for collaboration across and
learned from incidents and near against a range of scenarios, and global infrastructure protection
Practice within sectors.
misses. measures are in place to address challenges. D2
systemic risks to the economy
CI operators participate fully in
and society.
national incident response and crisis
management planning and exercising. D3
Mechanisms are in place for public
authorities to provide information and
other practical support to CI operators, D4
both pre- and post- incident.
D5

Factor - D 1.4: Cybersecurity in Defence and National Security
The potential impact of The potential impact of A strategy for cybersecurity for Defence strategy includes Strategy and doctrine are
cybersecurity on national cybersecurity on national national security and defence appropriate considerations of not static but are adaptive to
security and defence may have security and defence has been has been formally adopted deterrence. changing capabilities and to the
been considered but has not assessed and a strategy for (stand-alone or as part of a wider geo-political and technical threat
The country’s defence and
been formally articulated. addressing these risks is under document). environment.
national security establishment
development.
The strategy is supported by (alongside other stakeholders) The strategy is designed to
This analysis includes risks to the appropriate legal authorities and is actively engaged in the promote stability in cyberspace.
ability of the country’s military relevant operational doctrine global debate on international This includes measures to predict
and other national security and rules of engagement. These humanitarian law and norms and influence the strategies and
assets to operate in a contested are consistent with international of behaviour as they relate actions and reactions of potential
Defence Force cyber environment. humanitarian law. to conflict in cyberspace. allies and adversaries.
Cybersecurity Declaratory strategy and
The dependence of national
Strategy security and military entities on
published doctrine may be part
of this.
the cybersecurity of other parts of
the critical national infrastructure
is understood and is addressed
in the defence cybersecurity
strategy.
Cybersecurity considerations
inform other elements of national
security and defence strategy,
where relevant.
Specialist cybersecurity capability Specialist cybersecurity capability Capabilities and organisational Relevant deterrence and Defence cybersecurity
within the national security requirements are understood, structures are in place and defence/resilience capabilities capabilities are able to support D1
establishment is limited. and relevant organisational have been tested. Resourcing is are in place, forming part of the multilateral responses to shared
structures have been defined. provided through the national country’s defence cybersecurity national security challenges.
Initial steps have been taken to military estimate or equivalent strategy. D 1.1
establish these. process.
Cybersecurity is embedded in
Operational doctrine and rules of wider operational and command D 1.2
Defence Force engagement are fully embedded training within the country’s
Cybersecurity in training. military forces.
Capability D 1.3
Specialist intelligence resources
are being applied to provide
support and are appropriately D 1.4
resourced.
Mechanisms to facilitate
collaboration with allies are in D2
place and have been tested.
D3
D4
D5

Factor - D 1.4: Cybersecurity in Defence and National Security
Collaboration on cybersecurity Informal collaboration on Collaboration on cybersecurity Civil defence collaboration on The country is leading the
between civil and defence cybersecurity between civil between civil and defence entities cybersecurity is built into the international debate on best
entities is limited. and defence entities may exist exists and has been formalised. strategic planning of both sectors practice in cross-governmental,
but has not been formalised. and designed to address a range civil-defence cybersecurity
Respective roles have been
Defence entities have not been of future crisis scenarios. collaboration.
defined within the country’s crisis
formally resourced to undertake
management procedures. Mechanisms are in place that
this work.
enable defence and the national
The resources required within
security community to draw on
the defence and national security
the skills and capabilities of the
Civil Defence community, to support civil and
broader economy and society.
Co-ordination CI authorities, have been formally
(For example, via a formal cyber
assessed and assigned.
reserve force)
Formal mechanisms are in
place to determine military/
national security cybersecurity
dependencies on civil and CI
infrastructure. The ability of civil
and CI infrastructure operators to
provide these services has been
assured.
D1
D 1.1
D 1.2
D 1.3
D 1.4
D2
D3
D4
D5

nd Strategy and Society
Dimension 2: Cybersecurity
Culture and Society
mension1 imension 2
D
This Dimension reviews important elements of a responsible
cybersecurity culture such as the understanding of cyber-
related risks in society, the level of trust in Internet services,
e-government and e-commerce services, and users’
understanding of personal information protection online.
Moreover, this Dimension explores the existence of reporting
mechanisms functioning as channels for users to report D1
cybercrime. In addition, this Dimension reviews the role of
media and social media in shaping cybersecurity values, D2
attitudes and behaviour.
D 2.1
D 2.2
D 2.3
D 2.4
D 2.5
D3
D4
D5

Factor Factor
D 2.1: Cybersecurity Mindset D 2.2: Trust and Confidence in Online Services
This Factor evaluates the degree to which cybersecurity This Factor reviews critical skills, the management of
is prioritised and embedded in the values, attitudes, and disinformation, the level of users’ trust and confidence in
practices of government, the private sector, and users the use of online services in general, and of e-government
across society at large. A cybersecurity mindset consists and e-commerce services in particular.
of values, attitudes and practices–including habits > Navigate to Factor
of individual users, experts, and other actors–in the
cybersecurity ecosystem that increase the capacity of users Aspects
to protect themselves online • Digital Literacy and Skills: this Aspect examines whether
> Navigate to Factor Internet users critically assess what they see or receive
online;
Aspects
• Awareness of Risks: this Aspect examines the level of • User Trust and Confidence in Online Search and
awareness of cybersecurity risks within the government, Information: this Aspect examines whether users trust in
private sector and users; the secure use of the Internet based on indicators of website
legitimacy;
• Priority of Security: this Aspect examines the extent to
which the government, private sector and users make • Disinformation: this Aspect examines the existence of tools
cybersecurity a priority; and and resources to address online disinformation;
• Practices: this Aspect examines whether the government, • User Trust in E-government Services: this Aspect examines
D1
private sector and users follow safe cybersecurity practices. whether there are government e-services offered, whether
trust exists in the secure provision of such services, and if
efforts are in place to promote such trust in the application D2
of security measures; and
• User Trust in E-commerce Services: this Aspect examines D 2.1

whether e-commerce services are offered and established in
a secure environment and trusted by users. D 2.2
D 2.3
D 2.4
D 2.5
D3
D4
D5

Factor Factor Factor
D 2.3: User Understanding of Personal D 2.4: Reporting Mechanisms D 2.5: Media and Online Platforms
Information Protection Online
This Factor explores the existence of reporting mechanisms that This Factor explores whether cybersecurity is a common subject
This Factor looks at whether Internet users and stakeholders function as channels for users to report Internet-related crime of discussion across mainstream media, and an issue for broad
within the public and private sectors recognise and such as online fraud, cyber-bullying, child abuse online, identity discussion on social media. Moreover, this Factor looks at the
understand the importance of protecting personal theft, privacy and security breaches, and other incidents. role of media in conveying information about cybersecurity to
information online, and whether they are sensitive of their > Navigate to Factor the public, thus shaping their cybersecurity values, attitudes
privacy rights. and online behaviour.
> Navigate to Factor Aspects > Navigate to Factor
• Reporting Mechanisms: (as above)
Aspects Aspects
• Personal Information Protection Online: (as above) • Media and Social Media: (as above)
D1
D2
D 2.1
D 2.2
D 2.3
D 2.4
D 2.5
D3
D4
D5

Factor - D 2.1: Cybersecurity Mindset
The government has minimal Leading government agencies There is widespread awareness Government agencies across all Government agencies at all levels
or no level of awareness of have a minimal level of of cybersecurity risks within most levels are aware of cybersecurity are fully aware of cybersecurity
cybersecurity risks. awareness of cybersecurity government agencies. risks and proactively anticipating risks and use them to update
risks. new risks. cybersecurity policies and
The private sector has minimal There is widespread awareness
operational practices.
or no level of awareness of Leading private firms have a of cybersecurity risks within most Private sector actors at all levels are
Awareness of cybersecurity risks. minimal level of awareness of private firms. fully aware of cybersecurity risks Most private sector actors across
cybersecurity risks. and are anticipating new risks. all levels mitigate cybersecurity
Risks Users have minimal or no level A growing number of Internet
risks and use them to update
of awareness of cybersecurity A limited proportion of Internet users within society have Users are fully aware of
cybersecurity policies and
risks. users have awareness of awareness of cybersecurity risks. cybersecurity risks and try to
operational practices.
cybersecurity risks. anticipate new risks.
Most users identify and
anticipate cybersecurity risks and
try to adapt their behaviour.
The government has minimal or Leading government agencies Most government agencies at all Government agencies across all Government agencies at all levels
no recognition of the need to and private firms recognise the levels are making cybersecurity levels routinely prioritise and habitually, as a matter of course,
prioritise cybersecurity. need to prioritise cybersecurity. a priority. reassess cybersecurity priorities in prioritise cybersecurity.
response to changing threats to the
Private sector actors have Private firms recognise the Most private firms at all levels Private sector actors at all
population.
minimal or no recognition of the need to prioritise cybersecurity. are making cybersecurity a levels habitually prioritise
need to prioritise cybersecurity. priority. Most private sector actors across cybersecurity, as a matter of
A limited proportion of Internet
all levels routinely prioritise and course.
Users have minimal or no users recognise the need to A growing number of Internet
reassess cybersecurity priorities in
recognition of the need to prioritise cybersecurity. users within society make Users habitually prioritise D1
Priority of response to changing threats to the
prioritise cybersecurity. cybersecurity a priority. cybersecurity and take steps to
Security Surveys and metrics to assess population.
improve their security online.
No surveys or metrics exist knowledge of cybersecurity Surveys and metrics to evaluate
Most users routinely prioritise D2
to document cybersecurity in within the nation are limited or knowledge of cybersecurity Survey results and metrics are
cybersecurity and seek to take
government, private sector, or ad hoc. within the nation are available. used to refine cybersecurity
proactive steps to improve
across users. policies, inform operational
cybersecurity.
practices and IT-related initiatives D 2.1
Surveys and metrics are routinely within the nation.
conducted and publicised in fields
of government, business and D 2.2
industry, and among users.
D 2.3
The government agencies do Leading government agencies Most government agencies at all Government agencies across Government agencies at all
not follow safe cybersecurity follow safe cybersecurity levels follow safe cybersecurity all levels routinely follow safe levels habitually follow and D 2.4
practices. practices. practices. cybersecurity practices. also develop safe cybersecurity
practices. D 2.5
Private sector companies do Leading private firms follow Most private firms at all levels Most private sector actors,
not follow safe cybersecurity safe cybersecurity practices. follow safe cybersecurity practices. (including SMEs) across all levels Private sector actors at all levels
Practices practices.
A limited but growing Most Internet users within this
routinely follow safe cybersecurity habitually follow and develop
practices. safe cybersecurity practices. D3
In this country, very few Internet proportion of Internet country know and follow safe
users follow safe cybersecurity users know or follow safe cybersecurity practices Most users know and routinely Nearly all users know
practices or take protective cybersecurity practices. follow safe cybersecurity practices. and habitually follow safe
D4
measures to ensure their cybersecurity practices as a
security. matter of course.
D5

Factor - D 2.2: Trust and Confidence in Online Services
Very few Internet users in this A limited but growing proportion Most Internet users critically Most Internet users critically Nearly all Internet users
country critically assess what of Internet users critically assess assess what they see or receive assess what they see or receive habitually assess the risk in
they see or receive online. what they see or receive online. online, based on identifying online, based on identifying using online services, including
possible risks. possible risks. changes in the technical and
Internet users generally do A limited proportion believe that
cybersecurity environment.
not believe or even consider they have the ability to use the Most Internet users understand Most Internet users recognise
that they have the ability to Internet and protect themselves how and act to protect questionable information online Internet users continuously
Digital Literacy use the Internet and protect online. themselves from misinformation and take steps to ignore it or adjust their behaviour based on
and Skills themselves online. online, such as performing a check its validity. their assessments of the quality
One or more programmes are
search. of information they receive.
No programmes are available being developed to support Efforts are under way to co-
to support digital and media digital and media literacy skills. Programmes have been ordinate programmes that Internet platform providers,
literacy skills. developed to support digital and support Internet, digital, and regulators and civil society
media literacy skills. media literacy skills between are collaboratively developing
Internet platform providers, programmes to support Internet,
regulators and civil society. digital, and media literacy skills.
Most Internet users have no Only a limited proportion of A growing proportion of users Most users have a learned level Nearly all users trust that they
trust or have a blind trust in users have sufficient trust in their have sufficient trust in using the of trust in using the Internet can safely use of the Internet for
websites and what they see or use of the Internet. Internet safely and recognise safely and recognise indicators of a variety of purposes and can
receive online. indicators of legitimate sites and legitimate sites and information help others to use it safely.
A limited proportion of Internet
information sources. sources.
Very few Internet users users feel confident using it. Nearly all Internet users feel
User Trust and feel confident in using the
Surveys and metrics to assess
A growing number of users feel Most Internet users feel confident using the Internet and
Confidence Internet. confident using the Internet. confident using the Internet, sourcing valid content.
users’ trust and confidence D1
believe they can recognise
in Online Surveys or other metrics online are limited or ad hoc. Surveys and metrics to assess
problematic or non-legitimate
Surveys and metrics have a
Search and to assess users’ trust and users’ trust and confidence strong reputation in the region
websites (including mimicry
confidence online are not online are in place and or globally and are shaping the D2
Information available. adequately funded.
attempts), and check information
development of metrics in other
using tools such as search
nations.
options.
Surveys and metrics to assess D 2.1
users’ trust and confidence
online are routinely conducted. D 2.2
D 2.3
D 2.4
D 2.5
D3
D4
D5

Internet platform providers Internet platform providers Internet platform providers have Internet platform providers have Internet platform providers have
are not addressing issues are developing approaches to a number of approaches in place instituted policies and practices instituted policies and practices
of disinformation such as address issues of disinformation to address disinformation; these to address disinformation; these to address disinformation in
misinformation, in this nation. in this nation. respect freedom of expression and respect freedom of expression some innovative ways that
other human rights online. and other human rights online. respect freedom of expression
Civil society and other non- The development of tools
and other human rights online.
government actors lack the and resources to address Civil society stakeholders have The joint efforts of civil society
tools and resources to address disinformation have been developed tools and resources to stakeholders are in place and are The joint efforts of civil society
online disinformation, such initiated by leading civil society address online disinformation. regularly used to address online stakeholders are proactively
as exposing misinformation and non-governmental actors. disinformation in ways that reviewed to take account of
Government programmes and
Disinformation campaigns.
Government programmes initiatives to strengthen the
respect freedom of expression broader strategic developments
and other human rights online. related to disinformation and
Government agencies and and initiatives to address public’s preparedness against
awareness raising.
actors have not addressed disinformation are being online disinformation are Outcome-oriented surveys are
online disinformation online. developed but entail filtering and restricted to awareness raising, used to refine programmes and The country is supporting the
limited efforts to inform Internet but avoid censorship or filtering of initiatives aimed at empowering development of national/
users. information. users and building the public’s regional/ international action
understanding of possible online plans and guidelines to address
disinformation. disinformation in ways that
protect an open Internet and
empower users.
Government offers a very Government has begun to build Key e-government services E-government services have E-government services in this
limited number of e-services, a core set of e-services, for which have been developed and have become the dominant (default) country are recognised regionally
if any, and has not publicly they recognise the need to apply generated a large number of mode of government information or internationally. D1
promoted their security. security measures in order to users. service delivery.
Internet users trust that
establish trust in their use.
Generally, the public does A sizeable and growing number The majority of Internet users in e-government services are
not use any significant A limited number of early of Internet users trust in the use this country trust in the secure proactively reviewed, improved D2
e-government services. adopters trust in the secure use of e-government services. use of e-government services and expanded to enhance their
User Trust in No surveys or metrics exist to
of e-government services.
Surveys and metrics to assess
and make use of them. security.
E-government show how Internet users trust Metrics to assess users’ trust in users’ trust in e-government Surveys and metrics to assess Outcome-oriented surveys are D 2.1
Services e-government services. e-government services is limited services are in place and users’ trust in e-government used to review e-government
or ad hoc. adequately funded. services are routinely conducted. services and evaluate the D 2.2
There is a lack of information
management of online content.
about e-government security Public authorities are developing Public authorities are publishing Public authorities are co-
and security breaches. information on privacy and information and updates of their ordinating, publishing and The country is a leader in D 2.3
security initiatives and breaches privacy and security breaches informing users about privacy informing users about current
in an ad-hoc manner. and initiatives such as privacy by and security initiatives and and developing privacy and
default. breaches. security breaches, initiatives and D 2.4
other issues.
D 2.5
D3
D4
D5

E-commerce services are not E-commerce services are being E-commerce services are E-commerce services have E-commerce services in this
offered. provided to a limited extent. fully established by multiple become widely accepted as a country are recognised regionally
stakeholders in a secure safe practice for consumers. or internationally.
Internet users lack the trust to A limited number of early
environment.
use any available e-commerce adopters trust in the secure use The majority of users trust in Internet users trust that
services. of e-commerce services. A sizeable and growing number the secure use of e-commerce e-commerce services are
of Internet users trust in the services and make use of them. proactively reviewed, improved
No surveys or metrics exist to Metrics to assess users’ trust in
secure use of e-commerce and expanded to enhance their
show how Internet users trust e-commerce services is limited Surveys and metrics to assess
services. security.
User Trust in e-commerce services. or ad hoc. users’ trust in e-commerce
E-commerce Surveys and metrics to assess services are routinely conducted. Outcome-oriented surveys are
There is little or no recognition The private sector recognises
users’ trust in e-commerce used to review and improve
Services of the need for security the need for the application of
services are in place and
Stakeholders are investing in
e-commerce services in order
initiatives for e-commerce security measures to establish enhanced service functionality of
adequately funded. to promote transparent,
services. trust in e-commerce services. e-commerce services, protection
trustworthy and secure systems.
Reliable security solutions are up of personal information and
to date and available, such as for the provision of user feedback Terms and conditions provided
payment systems. Certification mechanisms. by e-commerce services are clear
schemes and trust marks for and easily comprehensible to all
e-commerce services are in users.
place.
D1
D2
D 2.1
D 2.2
D 2.3
D 2.4
D 2.5
D3
D4
D5

Factor - D 2.3: User Understanding of Personal Information Protection Online
Users and stakeholders within Users and stakeholders within A growing proportion of users All stakeholders have the Users have the knowledge and
the public and private sectors the public and private sectors have the skills to manage their information, confidence and the skills necessary to protect their
have no or minimal knowledge may have general knowledge privacy online, and protect ability to take steps to protect personal information online,
about how personal information about how personal information themselves from intrusion, their personal information online adapting their abilities to the
is handled online, nor do they is handled online; and may interference, or unwanted access and to maintain control of the changing risk environment.
believe that adequate measures employ good (proactive) of information by others. distribution of this information.
Policies in private and public
are in place to protect their cybersecurity practices to protect
Personal There is considerable public Users and stakeholders within sectors are proactively reviewed
personal information online. their personal information
Information debate regarding the protection the public and private sectors to ensure privacy and security
online.
There is no or limited discussion of personal information and widely recognise the importance do not compete in a changing
Protection regarding the protection of Discussions have begun about the balance between of protection of personal environment and are informed
Online personal information online. regarding the protection of security and privacy. information online and are aware by user feedback and public
personal information and about of their privacy rights. debate.
Privacy standards are not in place Privacy policies have been
the balance between security
to shape Internet and social developed within the public and Mechanisms are in place in New mechanisms are in place,
and privacy.
media practices. private sectors. private and public sectors to such as privacy by default, as
Concrete actions or privacy shape Internet and social media tools for transparency and are
policies are being developed. practices and ensure that privacy promoted.
and security do not compete.
D1
D2
D 2.1
D 2.2
D 2.3
D 2.4
D 2.5
D3
D4
D5

Factor - D 2.4: Reporting Mechanisms
There are no official reporting The public and/or private sectors Reporting mechanisms have been Co-ordinated reporting Mechanisms have been
mechanisms available, but are providing some channels established, promoted and are mechanisms are widely used developed to co-ordinate
discussions might have begun. for reporting cyber harms (such regularly used. and promoted within public and response to reported incidents
as online fraud, cyber-bullying, private sectors. between law enforcement and
Users do not use social media Internet users widely use social
child abuse online, identity theft, the national incident response
channels to raise concerns over media channels to inform other Internet users routinely use
privacy and security breaches, capability.
any cyber harms and problems. users. social media channels to inform
and other incidents), but these
Reporting other users. Internet users habitually use
No metrics of reported incidents channels are not co-ordinated There are good metrics of
social media channels to inform
Mechanisms exist. and are used in an ad-hoc reported incidents. Cyber harm metrics have been
other users and share good
manner. used to inform the revision and
practice.
promotion of new policies and
Internet users use social media
practices. Metrics are routinely used to
channels to inform other users in
inform policy and decision-
an ad-hoc manner.
makers.
Metrics of reported incidents is
being developed.
D1
D2
D 2.1
D 2.2
D 2.3
D 2.4
D 2.5
D3
D4
D5

Factor - D 2.5: Media and Online Platforms
Mass media rarely, if ever, cover It is perceived that there is It is perceived that cybersecurity It is perceived that mass media It is perceived that the
information about cybersecurity ad-hoc mass media coverage is a common subject across coverage extends beyond broad discussion of personal
or report on issues such as of cybersecurity, with limited mainstream media, and threat reporting and can inform experiences and personal
security breaches or cybercrime. information provided and information and reports on a wide the public about proactive attitudes of individuals across
reporting on specific issues that range of issues, including security and actionable cybersecurity mainstream and social media
There is no, or rarely any
individuals face online, such as breaches and cybercrime, are measures, as well economic and inform policy making and
discussion on social media about
protection for children online, or widely disseminated. social impacts. facilitate societal change.
Media and cybersecurity.
cyber-bullying.
There is broad discussion on social There is frequent discussion on Social media has become a
Social Media Any portrayal of whistleblowers
It is perceived that there is media about cybersecurity. social media about cybersecurity major component in tracking and
is negative, and based on
limited discussion on social and individuals regularly use addressing cyber harms.
criminal or other negative There is acceptance that
media about cybersecurity. social media to share online
stereotypes. whistleblowers can play a positive Whistleblowing has been
experiences.
There have been positive role. encouraged and protected as a
examples of cases where Transparency is encouraged as means of social accountability.
whistleblowers have had a are whistleblowers.
constructive impact.
D1
D2
D 2.1
D 2.2
D 2.3
D 2.4
D 2.5
D3
D4
D5

nd Society Knowledge and
Capabilities
Dimension 3: Building Cybersecurity
Knowledge and Capabilities
mension2 imension 3
D
This Dimension reviews the availability, quality and uptake of
programmes for various groups of stakeholders, including the
government, private sector and the population as a whole,
and relate to cybersecurity awareness-raising programmes,
formal cybersecurity educational programmes, and professional
training programmes.
D1
D2
D3
D 3.1
D 3.2
D 3.3
D 3.4
D4
D5

Factor Factor
D 3.1: Building Cybersecurity Awareness D 3.2: Cybersecurity Education
This Factor focuses on the availability of programmes that This Factor addresses the availability and provision of
raise cybersecurity awareness throughout the country, high-quality cybersecurity education programmes and
concentrating on cybersecurity risks and threats and ways sufficient qualified teachers and lecturers. Moreover,
to address them. this Factor examines the need to enhance cybersecurity
> Navigate to Factor education at national and institutional levels and the
collaboration between government and industry to ensure
Aspects that educational investments meet the needs of the
• Awareness-raising Initiatives by Government: this cybersecurity education environment across all sectors.
Aspect examines the existence of a national co-ordinated > Navigate to Factor
cybersecurity awareness-raising programme driven by the
government, covering a wide range of demographics and Aspects
issues, developed in consultation with stakeholders from • Provision: this Aspect explores whether there are
various sectors; educational cybersecurity offerings and educator
qualification programmes available that provide an
• Awareness-raising Initiatives by Private Sector: this Aspect understanding of current risks and skills requirements; and
examines the existence of awareness-raising programmes
driven by the private sector and the extent to which they are • Administration: this Aspect explores the co-ordination of,
aligned with government and civil society initiatives; and resources for developing and enhancing cybersecurity
education frameworks with allocated budget and spending
• Awareness-raising Initiatives by Civil Society: this Aspect based on the national demand.
examines the existence of awareness-raising programmes
driven by the civil society and the extent to which they are D1
aligned with government and private sector initiatives; and
• Executive Awareness Raising: this Aspect examines efforts D2

to raise executives’ awareness of cybersecurity issues in the
public, private, academic and civil society sectors, as well as
how cybersecurity risks might be addressed. D3
D 3.1
D 3.2
D 3.3
D 3.4
D4
D5

Factor Factor
D 3.3: Cybersecurity Professional Training D 3.4: Cybersecurity Research and Innovation
This Factor addresses and reviews the availability and This Factor addresses the emphasis placed on cybersecurity
provision of affordable cybersecurity professional training research and innovation to address technological, societal
programmes to build a cadre of cybersecurity professionals. and business challenges and to advance the building of
Moreover, this Factor reviews the uptake of cybersecurity cybersecurity knowledge and capabilities in the country.
training, and horizontal and vertical cybersecurity knowledge > Navigate to Factor
and skills transfer within organisations, and how this transfer
of skills translates into a continuous increase of cadres of Aspects
cybersecurity professionals. • Cybersecurity Research and Development: this Aspect
> Navigate to Factor investigates the existence of a research and innovation
culture in the country, one that is related to a national list of
Aspects current and completed projects, financial support, incentives
• Provision: this Aspect examines the development, and usable research outputs.
availability and provision of cybersecurity training
programmes for enhancing skills and capabilities; and
• Uptake: this Aspect examines the uptake and affordability

of such programmes to produce a cadre of certified
cybersecurity professionals. Issues investigated include
initiatives to register for such programmes, initiatives to
stay in the country after successful completion, knowledge-
sharing after completing a programme, and the existence of
a national register of successful and certified students. D1
D2
D3
D 3.1
D 3.2
D 3.3
D 3.4
D4
D5

Factor - D 3.1: Building Cybersecurity Awareness
No overarching national A co-ordinated cybersecurity A co-ordinated national The national awareness-raising The national cybersecurity
cybersecurity awareness-raising awareness raising programme cybersecurity awareness- programme is fully integrated awareness-raising programme
programme has been developed with the involvement of raising programme with with sector-specific, tailored with private and civil society
by the government. the government is under detailed implementation plan awareness-raising programmes, stakeholders is proactively
development, with relevant is published. The content such as those focusing on reviewed to take account of
The need for awareness of
stakeholders involved, including includes explicit links to national industry, academia, civil society, broader strategic developments
cybersecurity threats and
the private sector and civil society. cybersecurity strategy. and/or women and children. within the country (political,
vulnerabilities in the government
economic, social, technical, legal
is not recognised or is only at Awareness-raising programmes, A co-ordinating body has been Emerging cybersecurity risks
and environmental).
initial stages of discussion. courses, seminars and online assigned with sufficient authority are regularly assessed and
resources initiated by the and resources required to deliver used to update the national The country is actively involved
government are available but the actions of the national cybersecurity awareness-raising in creating new regional/
Initiatives by not sufficiently reflected in the programme. programme. international cybersecurity
national cybersecurity strategy or awareness-raising programmes
Government A national cybersecurity There is evidence of these
is in development. that contribute toward
awareness portal exists metrics being used to refine
expanding and enhancing
The actions within the to improve the skills and actions within the national
international awareness-raising
programmes are led by different knowledge of the society awareness-raising programme
good practices.
‘owners’ but they are not yet co- and is disseminated via that and national cybersecurity
ordinated. programme. strategy. The national cybersecurity
awareness-raising programme
The availability of adequate Programme review processes
has a measurable impact on the
resources has not yet been and outcome-oriented metrics
reduction of the overall threat
confirmed. are in place, are adequately
landscape.
funded and allow effectiveness
Initial system of mechanisms and
to be measured.
metrics to review processes are
limited or ad hoc.
D1
The need for awareness of Awareness-raising programmes, Collaborative awareness-raising The effectiveness of joint The joint awareness-raising
cybersecurity threats and courses, seminars and online efforts (e.g.: joint policy and/or awareness-raising efforts with efforts with government and
vulnerabilities in the private resources initiated by the private advocacy work) with government government and civil society civil society stakeholders are D2
sector is not recognised or is only sector are available but no co- and civil society stakeholders stakeholders is regularly proactively reviewed to take
at initial stages of discussion. ordination or scaling efforts have are made in order to pool assessed and used to enhance account of broader strategic
been conducted. resources, information and collaborative processes. developments within the D3
identify solutions for cyber safety country (political, economic,
Initial system of mechanisms and Private sector initiatives are
practices. social, technical, legal and
metrics to review processes are fully integrated into the national
environmental). D 3.1
limited or ad hoc. The role of specific ‘owners’ awareness-raising programme.
Initiatives by assigned to actions within private The joint awareness-raising
Evidence from the lessons learnt
Private Sector sector initiatives are clear and efforts with government and D 3.2
is fed into the development of
mechanisms are in place to civil society stakeholders have a
future programmes.
enable co-ordination between measurable impact on reduction
the levels of government, private of the overall threat landscape. D 3.3
sector and civil society.
Programme review processes D 3.4
and outcome-oriented metrics
are in place, well-funded and
shared with government and civil D4
society stakeholders.
D5

Factor - D 3.1: Building Cybersecurity Awareness
The need for awareness of There are indications that civil Collaborative awareness-raising The effectiveness of joint The joint awareness-raising
cybersecurity threats and society realises that it can play efforts (e.g.: joint policy and/or awareness-raising efforts efforts with government and
vulnerabilities in civil society is a role in awareness-raising advocacy work) with government with government and private private sector stakeholders are
not recognised or is only at initial programmes, courses, seminars and private sector stakeholders sector stakeholders is regularly proactively reviewed to take
stages of discussion. and online resources, but no real are taking place in order to pool assessed and used to enhance account of broader strategic
deliverables are yet evident. resources and information and collaborative processes. developments within the
identify solutions for cyber safety country (political, economic,
Initial system of metrics may Civil society initiatives are fully
practices. social, technical, legal and
exist. integrated into the national
environmental).
The role of specific ‘owners’ awareness-raising programme.
Initiatives by assigned to actions within civil The joint awareness-raising
Evidence from the lessons learnt
Civil Society society initiatives are clear and efforts with government and
is fed into the development of
mechanisms are in place to private sector have a measurable
future programmes.
enable co-ordination between impact on reduction of the
the levels of government, private overall threat landscape.
sector and civil society.
Programme review processes
and outcome-oriented metrics
are in place, well-funded and
shared with government and
private sector stakeholders.
Awareness raising on Executives are made aware of Awareness raising of executives Executive awareness-raising Cybersecurity risks are
cybersecurity issues for general cybersecurity issues, but in the public, private, academic efforts in nearly all sectors considered as an agenda item
executives is limited or non- not how these issues and threats and civil society sectors address include the identification at every executive meeting,
existent. might affect their organisations. cybersecurity risks in general, of strategic assets, specific and funding and attention is D1
some of the primary methods of measures in place to protect reallocated to address those
Executives are not yet aware Executives of particular
attack, and how the organisation them, and the mechanism by risks.
of their responsibilities to sectors, such as finance and
deals with cyber issues (usually which they are protected.
shareholders, clients, customers, telecommunications, have been Executives at regional and D2
abdicated to the CIO*).
and employees in relation to made aware of cybersecurity Executives are able to alter international level are regarded
cybersecurity. risks in general, and how Select executive members strategic decision making and as a source of good practice in
Executive the organisation deals with are made aware of how allocate specific funding and responsible and accountable
cybersecurity issues, but not of cybersecurity risks affect the people to the various elements corporate cybersecurity D3
Awareness
strategic implications. strategic decision making of of cyber risk, contingent on their governance.
Raising
the organisation, particularly company’s prevailing situation.
those in the financial and D 3.1
Executives are made aware of
telecommunications sectors.
what contingency plans are
Awareness-raising efforts of in place to address various D 3.2
cybersecurity crisis management cyber-based attacks and their
at the executive level is still aftermath. D 3.3
reactive in focus.
Executive awareness courses in
cybersecurity are mandatory for D 3.4
nearly all sectors.
* Chief Information Officer D4
D5

Factor - D 3.2: Cybersecurity Education
Few or no cybersecurity Qualification programmes for Qualifications for and supply of Cybersecurity educators are not National courses, degrees, and
educators are available, and cybersecurity educators are educators are readily available in only drawn from the academic research are at the forefront of
there are no qualification being explored, with a small cybersecurity. environment, but incentives are cybersecurity education.
programmes for educators. cadre of existing qualified in place so that industry and/or
Specialised courses in Cybersecurity education
educators. government experts take these
Computer science courses cybersecurity are offered and programmes maintain a balance
positions as well.
are offered that may have a Some educational courses exist in accredited at university level. between preserving core
security component, but no cybersecurity-related fields, such Accredited cybersecurity courses components of the curriculum
Cybersecurity risk-awareness
cybersecurity-related courses are as information security, network are embedded in all computer and promoting adaptive
modules are offered as part of
offered. security and cryptography, but science degrees. processes that respond to rapid
many university courses.
cybersecurity-specific courses are changes in the cybersecurity
No accreditation in cybersecurity Degrees are specifically offered
not yet offered. Degrees in cybersecurity-related environment.
education exists. in cybersecurity, and encompass
fields are offered by universities
A demand for cybersecurity courses and models in various Prevailing cybersecurity
or equivalent educational
education is evidenced through other cybersecurity-related requirements are considered in
institutions.
course enrolment and feedback. fields, including technical and the redevelopment of all general
Universities and other bodies non-technical elements such as curricula.
hold seminars/lectures on policy implications, and multi-
cybersecurity issues, aimed at disciplinary education.
Provision non-specialists.
Cybersecurity educational
Research and development offerings are weighted and
are leading considerations in focused on an understanding
cybersecurity education. of current risks and skills
Cybersecurity education is requirements. The content of
not limited to universities cybersecurity courses covers
or equivalent educational topics on emerging threats in
institutions, but ranges from cybersecurity.
primary, secondary and tertiary National or international D1
to post-graduate levels, including cybersecurity frameworks and/
vocational education. or curricular guidelines are taken
Steps might have been taken into consideration by academic D2
to incorporate STEM* or institutions when designing
equivalent education framework cybersecurity courses.
with a focus on cybersecurity Apprenticeship programmes in D3
throughout primary and different industry sectors are
secondary curricula. offered to combine knowledge
and practical skills. D 3.1
D 3.2
* Science, Technology, Engineering, and Mathematics
D 3.3
D 3.4
D4
D5

Factor - D 3.2: Cybersecurity Education
The need to enhance national The need to enhance Broad consultation across Metrics are being used to refine International cybersecurity
cybersecurity education is not cybersecurity education government, private sector, actions within educational centres of excellence are
yet considered. in schools and universities academia and civil society investment to create a cadre established through twinning
or equivalent educational stakeholders informs of cybersecurity experts in the programmes led by world-class
A network of national contact
institutions has been identified cybersecurity education priorities country across, all sectors. institutions.
points for governmental,
by leading government, industry, and is reflected in national
regulatory bodies, critical Management of the government Co-operation between all
and academic stakeholders. cybersecurity strategy.
industries and education budget and spending on stakeholders in cybersecurity
institutions is not yet established. Schools, government and National budget is dedicated to cybersecurity education is based education is routine and can be
industry collaborate in an national cybersecurity research on national demand. proven.
Discussion of how co-ordinated
ad-hoc manner to supply the and laboratories at universities
management of cybersecurity Leading national cybersecurity Content in cybersecurity
resources necessary for providing or equivalent educational
education and research enhances academic institutions share education programmes is aligned
cybersecurity education. institutions.
Administration national knowledge development lessons learnt with other national with practical cybersecurity
has not or has only just begun. A national budget focused on Competitions, initiatives and and international counterparts. problems and business
cybersecurity education is not funding schemes for students challenges and provides a
Government has established
yet established. and employees are promoted mechanism for enhancing
academic centres of excellence in
by government and/or industry curricula based on the evolving
Initial system of mechanisms cybersecurity.
in order to increase the landscape.
and metrics to review the supply
attractiveness of cybersecurity
and demand for cybersecurity
careers.
courses are limited or ad hoc.
Programme review processes
and outcome-oriented metrics to
review the supply and demand
for cybersecurity courses are in
place and well-funded.
D1
D2
D3
D 3.1
D 3.2
D 3.3
D 3.4
D4
D5

Factor - D 3.3: Cybersecurity Professional Training
Few or no training The need for training Structured cybersecurity training A range of cybersecurity training The public and private sector
programmes in cybersecurity professionals in cybersecurity has programmes exist to develop skills courses is tailored towards collaborate to offer training,
exist. been documented at the national towards building a cadre of cybersecurity- meeting national strategic and constantly adapt and seek
level. specific professionals. demand and aligns with to build skillsets drawn from
international good practice. both sectors.
Training for general IT staff is National or international cybersecurity
provided on cybersecurity issues vocational-based frameworks and The training programmes outline Training offerings and
so that they can react to incidents international best practices are taken the priorities in the national education programmes are
as they occur, but no training for into consideration when designing cybersecurity strategy. co-ordinated so that the
dedicated security professionals professional training courses. foundation established in
Training programmes are offered
exists. schools can enable training
Security professional certification is to cybersecurity professionals
programmes to build a highly
ICT* professional certification offered across sectors within the country. and focus on the skills necessary
Provision skilled workforce.
is offered, with some security to communicate technically
The needs of society are well understood,
modules or components. complex challenges to non- Programmes and incentive
and a list of training requirements is
technical audiences, such as structures are in place to
Best practice training and documented.
management and general ensure the retention of the
certifications might be accessible
Training programmes for non- employees. trained workforce within the
via international online sources
cybersecurity professionals are recognised country.
(e.g.: CISSP**). Outcome-oriented metrics drawn
and offered.
from comprehensive supply-and-
Ad-hoc training courses, seminars
Government initiatives to stay in the demand data for cybersecurity
and online resources are available
country after the successful completion of professionals are being used to
for cybersecurity professionals
cybersecurity training programmes might inform the modes, sustainability
through public or private sources,
be in place. and procedures of future training
with limited evidence of take-up.
programmes.
Training uptake by IT Metrics that evaluate the take- There is an established cadre of certified The uptake of cybersecurity Cybersecurity professionals D1
personnel designated to up of ad-hoc training courses, employees trained in cybersecurity training is used to inform future not only fulfil national
respond to cybersecurity seminars, online resources, issues, processes, planning and analytics. training programmes. requirements, but domestic
incidents is limited or non- and certification offerings are A national register of successful and professionals overseas are D2
Co-ordination of training across
existent. limited in scope or ad hoc. certified students and professionals might consulted to share lessons
all sectors ensures the national
exist. learnt and best practice.
There is no transfer of The transfer of knowledge demand for professionals is met.
knowledge from employees from employees trained in The transfer of knowledge from D3
trained in cybersecurity to cybersecurity to untrained employees trained in cybersecurity to
untrained employees. employees in both the public and untrained employees in both public and
private sectors is ad hoc. private sectors is established. D 3.1
Uptake
Job creation initiatives for cybersecurity
within organisations are established and D 3.2
encourage employers to train staff to
become cybersecurity professionals.
D 3.3
Programme review processes and
metrics are in place to allow progress to
be measured and assess the supply and D 3.4
demand for cybersecurity-skilled workers
in both public and private environments.
These processes are adequately funded. D4
* Information and Communications Technology

** Certified Information Systems Security Professional D5

Factor - D 3.4: Cybersecurity Research and Innovation
There are limited or no Some integration of Cybersecurity R&D activities have The country is actively building The country is a leading actor
cybersecurity research and cybersecurity R&D activities been established and are indicated communities of interest around in cybersecurity research and
development (R&D) activities occurs within the country, or in the national cybersecurity R&D priorities in cybersecurity. innovation and is shaping
occurring in the country. with a partner country that strategy. R&D strategy may be in international debates on the
R&D strategy is in place and fully
understands how cyberactivity development. development of R&D strategic
There is no access to R&D implemented.
R&D applies to the local context plans.
activities in cybersecurity from The resources and processes
of the country. The country makes a major
other countries. required to deliver the actions of The country is forward looking,
contribution to cybersecurity
The country may participate in cybersecurity R&D activities have seeing emerging issues (around
R&D and is actively involved
relevant regional/ international been identified and are in place. new technology or new types of
in building innovation capacity
cybersecurity-related research Funding is adequate to deliver threat), and uses R&D to prepare
through international R&D
collaboration networks. these actions. a future threat environment.
consortia and investment.
Research and Cybersecurity R&D performance There is active regional/ The country is contributing to
Emerging cybersecurity risks are
metrics are limited in scope, or international collaboration international best practices in
Development regularly assessed and used to
ad hoc. with leading practice and cybersecurity R&D.
update the national cybersecurity
developments.
strategy and the development of
The country is actively future programmes of the R&D
participating and contributing strategy.
to regional/ international
Synergy between academic
cybersecurity-related research
institutions and industry
collaboration networks.
supports R&D activities and is
Metrics for measuring R&D used to design cyber curricula
performance are in place and that cover industry needs.
allow progress to be measured and
to improve the cybersecurity R&D
capability of the country.
D1
D2
D3
D 3.1
D 3.2
D 3.3
D 3.4
D4
D5

wledge and Regulatory
apabilities Frameworks
Dimension 4: Legal and
Regulatory Frameworks
mension3 imension 4
D
This Dimension examines the government’s capacity
to design and enact national legislation that directly
and indirectly relates to cybersecurity, with a particular
emphasis placed on the topics of regulatory requirements
for cybersecurity, cybercrime-related legislation and related
legislation. The capacity to enforce such laws is examined
through law enforcement, prosecution, regulatory bodies
and court capacities. Moreover, this Dimension observes
D1
issues such as formal and informal co-operation frameworks
to combat cybercrime.
D2
D3
D4
D 4.1
D 4.2
D 4.3
D 4.4
D5

Factor Factor
D 4.1: Legal and Regulatory Provisions D 4.2: Related Legislative Frameworks
This Factor addresses various legislation and regulatory This Factor addresses the legislative frameworks related to
provisions relating to cybersecurity, including legal and cybersecurity including data protection, child protection,
regulatory requirements, substantive and procedural consumer protection, and intellectual property.
cybercrime legislation, and human rights impact > Navigate to Factor
assessment.
> Navigate to Factor Aspects
• Data Protection Legislation: this Aspect examines the
Aspects existence and implementation of comprehensive data
• Substantive Cybercrime Legislation: this Aspect explores protection legislation;
whether existing legislation criminalises a variety of
cybercrimes in specific legislation or general criminal law; • Child Protection Online: this Aspect focuses on the
legislative protection of children online, including the
• Legal and Regulatory Requirements for Cybersecurity: protection of their rights online and the criminalisation of
this Aspect reviews the existence of legal and regulatory child abuse online;
frameworks on cybersecurity;
• Consumer Protection Legislation: this Aspect addresses
• Procedural Cybercrime Legislation: this Aspect examines the existence and implementation of legislation protecting
whether comprehensive criminal procedural law–with consumers online from fraud and other forms of business
procedural powers for the investigation of cybercrime and malpractice; and
evidentiary requirements to deter, respond to and prosecute
cybercrime and crimes involving electronic evidence–is • Intellectual Property Legislation: this Aspect is concerned
implemented; and with the existence and implementation of online intellectual
D1
property legislation.
• Human Rights Impact Assessment: this Aspect examines
whether human rights impact assessments of substantive D2
and procedural cybercrime legislation and cybersecurity
regulations are carried out.
D3
D4
D 4.1
D 4.2
D 4.3
D 4.4
D5

Factor Factor
D 4.3. Legal and Regulatory Capability and Capacity D 4.4: Formal and Informal Co-operation
Frameworks to Combat Cybercrime
This Factor studies the capacity of law enforcement to
investigate cybercrime, the prosecution’s capacity to This Factor addresses the existence and function of formal
present cybercrime and electronic evidence cases, and the and informal mechanisms that enable co-operation between
court’s capacity to preside over cybercrime cases and those domestic actors and across borders to deter and combat
involving electronic evidence. Finally, this Factor reviews cybercrime.
the existence of cross-sector regulatory bodies to oversee > Navigate to Factor
compliance with specific cybersecurity regulations.
> Navigate to Factor Aspects
• Law Enforcement Co-operation with Private Sector:
Aspects this Aspect examines the information exchange mechanism
• Law Enforcement: this Aspect examines whether law on cybercrime between domestic public and private sectors,
enforcement officers and agencies have received training including co-operation with Internet service and other
in investigating and managing cybercrime cases, and cases technology providers;
involving electronic evidence, and whether there are
sufficient human, procedural and technological resources; • Co-operation with Foreign Law Enforcement Counterparts:
this Aspect examines the existence of formal mechanisms of
• Prosecution: this Aspect examines whether prosecutors international law enforcement co-operation; and
have received training on handling cybercrime cases and
cases involving electronic evidence, and whether there are • Government-Criminal Justice Sector Collaboration:
sufficient human, procedural and technological resources; this Aspect reviews the formal communication channels
between government and criminal justice actors.
• Courts: this Aspect examines whether courts have sufficient D1
resources and training to ensure effective and efficient
prosecution of cybercrime cases and cases involving
electronic evidence; and D2
• Regulatory Bodies: this Aspect reviews the existence of

cross-sector regulatory bodies to oversee compliance with D3
specific cybersecurity regulations.
D4
D 4.1
D 4.2
D 4.3
D 4.4
D5

Factor - D 4.1: Legal and Regulatory Provisions
Specific substantive criminal law Partial legislation exists that Substantive cybercrime legal Measures are in place to exceed Substantive cybercrime law
on cybercrime does not exist. addresses some aspects of provisions are contained in specific minimal baselines specified in is constructed so that it can
General criminal law may exist, cybercrime, or cybercrime legal legislation or a general criminal international treaties, where cater for dynamic changes in
but its application to cybercrime provisions are in development. law. appropriate. the underlying technology and
Substantive is unclear.
The country may have ratified The country seeks to adapt
threat environment, without the
Cybercrime need for substantial and lengthy
regional or international its substantive cybercrime
revision.
Legislation instruments on cybercrime. The legislation to take account of
country consistently seeks to emerging technologies and their The country is actively
implement these measures into use. contributing to the international
domestic law. promotion of effective
cybercrime legislation.
There are limited cybersecurity Stakeholders from relevant Comprehensive cybersecurity The effectiveness of law Regulatory frameworks are
requirements set out in sectors have been consulted to requirements are set out in and regulation in improving sufficiently flexible to cater for
regulation or law. support the establishment of relevant regulation and law cybersecurity practice is regularly rapidly emerging changes in
legal and regulatory frameworks. (including sector-specific assessed and used to inform the underlying technological or
The need to create legal and
requirements, where relevant). their future development. threat environment.
regulatory frameworks on Draft legislation and regulation
cybersecurity may have been may be in place, but this has yet These requirements may include Regulations are updated to The country is promoting best
Legal and recognised and may have to be adopted and may not cover mandatory standards, or breach take account of emerging practice legal and regulatory
Regulatory resulted in a gap analysis. all relevant sectors. notification requirements technologies. approaches internationally.
Requirements and vulnerability disclosure
The country is actively involved in
requirements.
for the development of international
Cybersecurity Relevant civil and criminal agreements to promote
liabilities are clearly articulated harmonisation and mutual
and understood by regulated recognition of cybersecurity laws D1
entities. and regulations.
Relevant legal and regulatory
bodies have the powers needed D2
to enforce these requirements.
D3
D4
D 4.1
D 4.2
D 4.3
D 4.4
D5

Factor - D 4.1: Legal and Regulatory Provisions
Specific procedural criminal Development of specific Comprehensive criminal Measures are in place to exceed Procedural cybercrime law is
law for cybercrime does not procedural cybercrime procedural law containing minimal baselines specified in constructed in a way that it can
exist. It is not clear how general legislation, or amendment of provisions on the investigation international treaties, where cater for dynamic changes in
criminal procedural law applies general procedural criminal law of cybercrime and evidentiary appropriate. the underlying technology and
to cybercrime investigations, to adapt to cybercrime cases, has requirements has been adopted threat environment, without the
The country seeks to adapt
prosecutions, and electronic begun. and is applied. need for substantial and lengthy
procedural cybercrime
evidence. revision.
The country may have ratified legislations to take account of
Procedural regional or international emerging technologies and their The country is actively
instruments on cybercrime. The use. contributing to the promotion of
Cybercrime country consistently seeks to effective procedural cybercrime
Legislation implement these measures into legislation and instruments to
domestic law. improve international cybercrime
investigations.
Procedural laws relating to
cybercrime permit the exchange
of information (and other actions
required) to support successful
cross-border investigation of
cybercrime.
Substantive and procedural Human rights impact Full human rights impact Human rights impact The country is actively
cybercrime legislation and assessments of substantive and assessments of substantive and assessments are regularly contributing to the development
cybersecurity regulations may be procedural cybercrime legislation procedural cybercrime legislation reviewed to ensure that practice and promotion of human rights
in development, but no human and cybersecurity regulations and cybersecurity regulations remains compatible with human impact assessments as they
rights impact assessments have may have been conducted, have been completed and rights requirements, and that the relate to cybersecurity.
Human been carried out. including consideration of privacy international standards are met. effect of emerging technologies D1
Rights Impact and freedom of expression is considered.
Implementation of this legislation
implications. Some issues,
Assessment is monitored on a regular basis Consideration has also been
however, have yet to be resolved.
for human rights compliance, and given to how cybersecurity D2
Relevant human rights experts this is independently verified. can enhance human rights
have been consulted in the protection within the country
development of the legislation and internationally.
and regulation. D3
D4
D 4.1
D 4.2
D 4.3
D 4.4
D5

Factor - D 4.2: Related Legislative Frameworks
Data protection legislation does Data protection legislation is in Comprehensive data protection The effectiveness of data Data protection legislation
not exist. development. legislation in line with protection legislation is regularly is constructed so that it can
international standards and best assessed and used to inform its cater for dynamic changes in
Stakeholders from relevant
practice has been adopted and is development. the underlying technology and
sectors have been consulted to
enforced. threat environment, without the
support the development of this The country seeks to adapt data
need for substantial and lengthy
legislation. A lead agency responsible protection laws to take account
revision.
Data for data protection has been of emerging technologies and
designated. their use. The country is developing
Protection and promoting international
Legislation standards for data protection
legislation.
The country is actively involved
in the development of legal
instruments to enable improved
international collaboration in
this area.
Legislation relating to child Legislation related to child The application of child The effectiveness of online Online child protection law
protection is limited and protection is in place and is being protection in the online child protection law is regularly is constructed so that it can
its application in the online adapted to reflect its application environment is understood and assessed and used to inform its cater for dynamic changes in
environment is yet to be in the online environment. reflected in relevant legislation. development. the underlying technology and
considered. Legislation is implemented in line threat environment, without the
Stakeholders from relevant The country seeks to adapt child
with international standards and need for substantial and lengthy
sectors have been consulted to protection law to take account
best practice. revision.
Child support the development and of emerging technologies and
adaptation of this legislation. their use. The country is developing D1
Online standards for online child
protection law. D2
instruments to enable improved D3
this area.
D4
D 4.1
D 4.2
D 4.3
D 4.4
D5

Factor - D 4.2: Related Legislative Frameworks
Legislation related to consumer Legislation related to consumer The application of consumer The effectiveness of online Consumer protection legislation
protection is limited and protection is in place and is being protection in the online consumer protection law is is constructed so that it can
its application in the online adapted to reflect its application environment is understood and regularly assessed and used to cater for dynamic changes in
environment is yet to be in the online environment. reflected in relevant legislation. inform its development. the underlying technology and
considered. Legislation is implemented in line threat environment, without the
Stakeholders from relevant The country seeks to adapt
sectors have been consulted to consumer protection legislation
Consumer support the development of this to take account of emerging
legislation. technologies and their use. The country is developing
Legislation standards for online consumer
protection law.
instruments to enable improved
this area.
Legislation related to intellectual Legislation related to intellectual The application of intellectual The effectiveness of online Intellectual property legislation
property protection is limited property protection is in place property protection in the online intellectual property protection is constructed so that it can
and its application in the and is being adapted to reflect environment is understood and law is regularly assessed and cater for dynamic changes in
online environment is yet to be its application in the online reflected in relevant legislation. used to inform its development. the underlying technology and
considered. environment. Legislation is implemented in line threat environment, without the
The country seeks to adapt
Stakeholders from relevant intellectual property protection
Intellectual sectors have been consulted to legislation to take account of
support the development of this emerging technologies and their The country is developing D1
Property legislation. use. and promoting international
Legislation standards for online intellectual
protection law. D2
instruments to enable improved D3
this area.
D4
D 4.1
D 4.2
D 4.3
D 4.4
D5

Factor - D 4.3: Legal and Regulatory Capability and Capacity
Law enforcement officers/ Traditional investigative A comprehensive institutional Quantified risk assessments are The country is actively involved in
agencies do not have sufficient measures are applied to capacity with sufficient human, used to allocate resources to the development of collaborative
capacity to prevent and cybercrime investigations, but procedural and technological operational cybercrime units (at platforms between national law
combat cybercrime and do not digital investigation capacity is resources to investigate national and state/local levels). enforcement authorities.
receive specialised training on limited. cybercrime cases has been
Trends and statistics on The law enforcement agencies
cybercrime investigations. established.
Law enforcement officers may cybercrime, law enforcement within the country are at the
receive training on cybercrime Digital chain of custody and interventions and their impact forefront of developing new
and digital evidence, but it is ad evidence integrity is established, on harm reduction are collected, capabilities and approaches for
hoc. including formal processes, roles analysed and used to inform the prevention and disruption of
and responsibilities. strategy and long-term resource cybercrime and promoting their
Law allocation decision. use internationally.
Enforcement Standards for the training of
law enforcement officers on Law enforcement strategies
cybercrime and digital evidence include crime prevention
exist and are implemented. measures alongside enforcement
measures. Intelligence is used to
The respective roles of national
support proactive investigation.
and state/local law enforcement
agencies are understood and Law enforcement agencies have
state-/local-level forces are the capabilities to maintain
equipped to undertake their role. the integrity of data to meet
international evidential standards
in cross-border investigation.
Prosecutors do not receive A limited number of prosecutors A comprehensive institutional Institutional structures are in There is national capacity to
adequate training and resources have the capacity to conduct capacity, including sufficient place, with a clear distribution of prosecute complex domestic and
to review electronic evidence or cybercrime cases and to handle human and technological tasks and obligations within the cross-border cybercrime cases. D1
prosecute cybercrime. electronic evidence, but this resources, to prosecute prosecution services at all levels
capacity is largely ad hoc and is cybercrime cases and cases of the state.
Consultation may have begun
Prosecution not institutionalised. involving electronic evidence is D2
to consider this capacity in the A mechanism exists that enables
established.
prosecutor community. If prosecutors receive training on the exchange of information
cybercrime and digital evidence, A specialist cadre of cybercrime and good practices between
it is ad hoc. prosecutors may have been prosecutors and judges to D3
established. ensure efficient and effective
prosecution of cybercrime cases.
D4
D 4.1
D 4.2
D 4.3
D 4.4
D5

Factor - D 4.3: Legal and Regulatory Capability and Capacity
There is no process to equip A limited number of judges Sufficient human and The institutional capacity of The country is actively involved
judges so they can preside have the capacity to preside technological resources are the court system to conduct in developing and promoting
over cybercrime cases or cases over a cybercrime case, but this available to ensure effective cybercrime cases is frequently best practices in the conduct of
involving electronic evidence. capacity is largely ad hoc. and efficient legal proceedings reviewed and revised based on cybercrime cases.
regarding cybercrime cases an assessment of effectiveness.
Consultation may have begun If judges receive training on
and cases involving electronic
to consider this capacity in the cybercrime and digital evidence,
evidence.
judicial community. it is ad hoc.
Judges receive specialised
Courts training about cybercrime and
electronic evidence.
States/local courts are equipped
to deal with cybercrime cases,
appropriate to their level.
Relevant courts are equipped to
process civil litigation relating to
cybersecurity liability.
Sector-specific regulators have Sector-specific regulators Sector-specific regulators (e.g.: The impact of regulatory actions Regulatory bodies are actively
limited understanding of the have started to establish their finance, energy, transport) are on organisations’ cybersecurity involved in the development and
potential impact of cyber on cybersecurity roles. equipped with the capability and practices are regularly assessed promotion of regulatory best
their regulated entities. resources required to oversee and used to inform supervisory practice internationally.
A requirement for the
compliance with cybersecurity activity and regulation
There is no cross-sector establishment of cross-sector
requirements within their sector. development.
regulatory body to supervise regulatory bodies to oversee
specific cybersecurity compliance with specific Where cross-sector regulatory Regulatory bodies regularly D1
Regulatory requirements. cybersecurity regulations may bodies have been established to assess emerging technologies
Bodies have been considered. oversee cybersecurity, they have and their potential impact on
the necessary capability and the cybersecurity of regulated
Relevant stakeholders have been D2
resources to undertake their role. entities.
consulted in this process.
Regulatory interventions and
investigations are informed by,
and prioritised on the basis of, D3
national assessments of cyber
risk.
D4
D 4.1
D 4.2
D 4.3
D 4.4
D5

Factor - D 4.4: Formal and Informal Co-operation Frameworks to Combat Cybercrime
Co-operation between domestic Exchange of information on Information is regularly The effectiveness of public and The country is actively
public and private sectors on cybercrime between domestic exchanged between domestic private co-operation is regularly contributing to the promotion of
cybercrime is limited. public and private sectors is ad public and private sectors and assessed and used to enhance public–private partnership and
hoc and unregulated. is supported by appropriate collaborative processes. the development of international
Law Specifically, co-operation
legislation. public–private partnership
between Internet service and Specifically, ad-hoc co-operation Collaboration frameworks
Enforcement other technology providers and between Internet service and Effective co-operation are regularly adapted to take
platforms.
Co-operation law enforcement has not been other technology providers and mechanisms between Internet account of new technologies and
with Private established. law enforcement exists but is not service and other technology emerging forms of cybercrime.
Sector always effective. providers and law enforcement
have been established as
part of these broader public–
private sector collaboration
arrangements.
There are minimal or no forms Formal mechanisms of Formal mechanisms of Law enforcement agencies work The country actively contributes
of international co-operation to international law enforcement international law enforcement jointly with foreign counterparts, to the promotion and
prevent and combat cybercrime. co-operation may exist, but their co-operation have been potentially through joint task development of international
application to cybercrime is ad established to facilitate the forces, resulting in successful co-operation mechanisms.
hoc or only possible in some detection, investigation, and cross-border cybercrime
cases. prosecution of cybercrime. investigations and prosecutions.
Co-operation
with Law enforcement is not formally Mutual legal assistance,
integrated into regional and extradition agreements and
Foreign Law international cybercrime mechanisms have been
Enforcement networks. established and are applied to
Counterparts cybercrime cases. D1
Domestic law enforcement
agencies are integrated with
regional and international D2
networks, such as Interpol or
24/7 networks.
D3
There is minimal interaction Exchange of information Formal relationships between The relationship between The country actively contributes
Government- between government and between government and government and criminal justice government actors, prosecutors, to the international promotion
Criminal criminal justice actors. criminal justice actors is limited actors have been established, judges and law enforcement of efficient and timely exchange D4
Justice Sector and ad hoc. resulting in the regular exchange agencies is regularly assessed of information between
Collaboration of information on cybercrime and used to enhance their government and criminal justice
issues. effectiveness. actors. D 4.1
D 4.2
D 4.3
D 4.4
D5

egulatory Technologies
ameworks
Dimension 5: Standards
and Technologies
mension4 imension 5
D
This Dimension addresses effective and widespread
use of cybersecurity technology to protect individuals,
organisations and national infrastructure. The Dimension
specifically examines the implementation of cybersecurity
standards and good practices, the deployment of processes
D1
and controls, and the development of technologies and
products in order to reduce cybersecurity risks.
D2
D3
D4
D5
D 5.1
D 5.2
D 5.3
D 5.4
D 5.5
D 5.6
D 5.1: Adherence to Standards D 5.2: Security Controls D 5.3: Software Quality
This Factor reviews the government’s capacity to promote, This Factor reviews evidence regarding the deployment of This Factor examines the quality of software deployment and
assess implementation of, and monitor compliance with security controls by users and public and private sectors, the functional requirements in public and private sectors. In
international cybersecurity standards and good practices. and whether the technological cybersecurity control set is addition, this Factor reviews the existence and improvement
> Navigate to Factor based on established cybersecurity frameworks. of policies on and processes for software updates and
> Navigate to Factor maintenance based on risk assessments and the critical
Aspects nature of services.
• ICT Security Standards: this Aspect examines whether Aspects > Navigate to Factor
cybersecurity-related standards and good practices are being • Technological Security Controls: this Aspect explores to
adhered to and implemented widely across the public sector what extent up-to-date technological security controls, Aspects
and CI organisations; including patching and backups, are deployed in all sectors; • Software Quality and Assurance: (as above)
and
• Standards in Procurement: this Aspect addresses the
implementation of standards and good practices in all • Cryptographic Controls: this Aspect reviews the deployment
sectors to guide procurement processes, including risk of cryptographic techniques in all sectors and users for
management, lifecycle management, software and hardware protection of data at rest or in transit, and the extent to
assurance, outsourcing, and use of cloud services; and which these cryptographic controls meet international
standards and guidelines and are kept up to date.
• Standards for Provision of Products and Services: this
Aspect addresses the use of standards and good practices D1
by local suppliers of goods and services, including software,
hardware, managed services, and cloud services.
D2
D3
D4
D5
D 5.1
D 5.2
D 5.3
D 5.4
D 5.5
D 5.6
D 5.4: Communications and Internet D 5.5: Cybersecurity Marketplace D 5.6: Responsible Disclosure
Infrastructure Resilience
This Factor addresses the availability and development of This Factor explores the establishment of a responsible
This Factor addresses the existence of reliable Internet services competitive cybersecurity technologies, cyber-insurance disclosure framework for the receipt and dissemination of
and infrastructure in the country, as well as rigorous security products, cybersecurity services and expertise, and the security vulnerability information across sectors, and whether there
processes across private and public sectors. Also, this Factor implications of outsourcing. is sufficient capacity to continuously review and update this
reviews the control that the government might have on its > Navigate to Factor framework.
Internet infrastructure and the extent to which networks and > Navigate to Factor
systems are outsourced. Aspects
> Navigate to Factor • Cybersecurity Technologies: this Aspect examines whether Aspects
a national market for cybersecurity technologies is in place • Sharing Vulnerability Information: this Aspect explores
Aspects and supported, and informed by national need; existing information-sharing mechanisms or channels on the
• Internet Infrastructure Reliability: this Aspect examines technical details of vulnerabilities among the stakeholders;
the reliability and protection of Internet services and • Cybersecurity Services and Expertise: this Aspect explores and
infrastructure in public and private sectors; and the availability of cybersecurity consultancy services for
private and public organisations; • Policies, Processes and Legislation for Responsible
• Monitoring and Response: this Aspect examines whether Disclosure of Security Flaws: this Aspect explores the
mechanisms are in place to conduct risk assessments and • Security Implications of Outsourcing: this Aspect examines existence of a responsible-disclosure policy or framework in
monitor network resilience in both public and private whether risk assessments are conducted to determine how public- and private-sector organisations and the right to legal
sectors. to mitigate the risks of outsourcing IT to a third party or protections for those disclosing security flaws.
cloud services; and D1
• Cyber Insurance: this Aspect explores the existence of a

market for cyber-insurance, its coverage, and products D2
suitable for various organisations.
D3
D4
D5
D 5.1
D 5.2
D 5.3
D 5.4
D 5.5
D 5.6
Factor - D 5.1: Adherence to Standards
Either no standards or good Information risk management A nationally-agreed baseline of Government and organisations The country is actively involved
practices have been identified standards have been identified cybersecurity-related standards promote use of standards and best in the development and
for use in securing data, for use and there have been and good practices have been practices according to assessment of promotion of defined standards
technology or infrastructure, some initial signs of promotion identified and implemented national risks and budgetary choices. internationally.
by the public and private and take-up within public and widely across public and private
The choice of standards and best Implementation of standards and
sectors. private sectors. sectors.
practices and their implementation is non-compliance decisions are
Or initial identification of There is some evidence of An entity within government continuously revised. made in response to changing
some appropriate standards measurable implementation exists to assess the use of threat environments and
Emerging cybersecurity risks are
and good practices has been and use of international standards across public and resource drivers across sectors
regularly assessed and used to re-
made by the public and standards and good practices. private sectors. and CI, through collaborative risk
ICT Security evaluate the need for additional ICT
private sectors, and possibly management.
Government schemes exist security standards.
Standards some ad-hoc implementation,
to promote continued Evidence exists of debate within
but no concerted endeavour There is evidence of debate between
enhancements, and metrics all sectors on compliance to
to implement or change government and other stakeholders
are being applied to monitor standards and best practices,
existing practice in a as to how national and organisational
compliance. based on continuous needs
measurable way. resource decisions should align and
assessments.
Consideration is being given as to drive implementation of standards.
how standards and best practices
Evidence of contribution to
can be used to address risk
international standards’ bodies
within supply chains within the
exists and contributes to thought
CI, by both government and CI.
leadership and sharing of experience
by organisations. D1
D2
D3
D4
D5
D 5.1
D 5.2
D 5.3
D 5.4
D 5.5
D 5.6
Factor - D 5.1: Adherence to Standards
No standards or best practices Cybersecurity standards Cybersecurity standards and Organisations have the ability to The country is actively involved
have been identified for and best practices guiding best practices in guiding monitor and change use of standards in the development and
use in guiding procurement procurement processes procurement processes (including and best practices in procurement promotion of these standards
processes by the public and (including risk management, risk management, lifecycle processes, support deviations and internationally.
private sectors. If they are lifecycle management, software management, software and non-compliance decisions as the need
Implementation of standards in
recognised, implementation and hardware assurance, hardware assurance, outsourcing, arises through risk-based decision-
procurement processes and non-
is ad hoc and un-co-ordinated. outsourcing, and use of cloud and use of cloud services) are making.
compliance decisions are made
services) have been identified being adhered to widely within
Emerging cybersecurity risks are in response to changing threat
for use. public and private sectors.
regularly assessed and used to environments.
Evidence of promotion Implementation and compliance re-evaluate the need for additional
and implementation of of standards in procurement standards in procurement.
Standards in cybersecurity standards and practices within the public and
Critical aspects of procurement
Procurement best practices in defining private sectors is evidenced
and supply, such as total lifecycle
procurement practices exists through measurement and
cost, quality, inter-operability,
within public and private assessments of process
maintenance, support and other value-
sectors. effectiveness.
adding activities, are continuously
improved, and procurement process
improvements are made in the context
of wider resource planning.
Organisations are able to benchmark
the skills of their procurement
professionals against the competencies D1
outlined in procurement standards and
identify any skills and capability gaps.
D2
Either no standards or Core activities and There is evidence of widespread Security considerations are The country is actively involved
best practices have been methodologies for secure implementation of standards incorporated in all stages of the in the development and D3
identified for use in securing development and lifecycle in the software development development of software, hardware promotion of these standards
the products and services management for software, processes, hardware quality and provision of managed services internationally.
(in particular, software, hardware and provision of assurance, provision of managed and cloud services.
Implementation of these D4
hardware, managed services managed services and cloud services and cloud services
Core development activities, standards and non-compliance
and cloud services) developed services are being identified and by public and private sector
including configuration and decisions are made in response
or offered by providers in the discussed within professional organisations.
documentation management, to changing threat environments.
country. communities. D5
Standards for Government has an established security development and lifecycle
Provision of Or there is some Government promotes programme for promoting and planning have been adopted into
identification, but only limited relevant standards in software monitoring standard adoption the practices of product and service
Products and evidence of take-up. development, hardware in software development, providers D 5.1
Services quality assurance, provision hardware quality assurance and
Projects on software development,
of managed services and cloud security, for public and D 5.2
hardware quality assurance,
cloud security but there is commercial systems.
managed service and cloud security
no evidence of widespread
Evidence that high integrity continuously assess the value of D 5.3
adoption of these standards yet.
systems and software standards and reduce or enhance
development techniques are levels of compliance according to
present within the educational risk-based decisions. D 5.4
and training offerings in the
country. D 5.5
D 5.6
Factor - D 5.2: Security Controls
There is minimal or no Technological security controls Up-to-date technological security Widespread adoption of The application of advanced
understanding or deployment are deployed by users and controls, including patching and technological security controls technological controls within the
of the technological security public and private sectors, but backups, are deployed in all leads to effective upstream country is a leading influence
controls available in the possibly not consistently across sectors. protection of users and public internationally.
marketplace, by users and public all sectors. and private sectors.
Physical security controls are Implementation of advanced
and private sectors.
The deployment of up-to-date used to prevent unauthorised All sectors have the capacity to technological security controls
Internet service and other technological security controls personnel from entering continuously assess the security are made in response to
technology providers may not is promoted in an ad-hoc computing facilities in all sectors. controls deployed, for their changing threat environments.
offer any upstream controls to manner and all sectors are being effectiveness and suitability
Internet service and other
their customers. incentivised to make use of according to their changing
technology providers establish
them. needs.
internal policies for the
Internet service and other deployment of technical security The understanding of the
technology providers may be controls, to manage identified technological security controls
offering security services as part risks in the products and services being deployed extends to
of their services but possibly in they are offering. their impact on organisational
an ad-hoc manner. operations and budget allocation.
The technological cybersecurity
Technological Internet service and other control set reflects The public and private sectors
Security technology providers recognise a internationally-established have the capacity to critically
need to establish internal policies cybersecurity frameworks, assess and upgrade cybersecurity
Controls for the deployment of technical standards and good practice. controls according to their
security controls, to manage appropriateness and suitability
identified risks in the products for use, and considering D1
and services they are offering. emerging risks.
There is widespread adoption of
multi-factor authentication for D2
online services and privileged
accounts. Certificate Authorities
are available and digital D3
certificates are widely used.
Internet service and other
technology providers have D4
the ability to prevent access
to non-trusted sites or web
addresses in accordance with the D5
requirements of the appropriate
regulator.
D 5.1
D 5.2
D 5.3
D 5.4
D 5.5
D 5.6
Factor - D 5.2: Security Controls
Cryptographic techniques (e.g.: Cryptographic controls for Cryptographic techniques are The public and private sectors The country is contributing to
encryption and digital signatures) protecting data at rest and available for all sectors and users critically assess the deployment the international debate around
for protection of data at rest and in transit are recognised and for the protection of data at rest of cryptographic controls, best practice on cryptographic
data in transit may be a concern deployed ad hoc by multiple or in transit. according to their objectives and controls.
but are not yet deployed within stakeholders and within various priorities.
There is a broad understanding Implementation of cryptographic
the government or private sector, sectors.
of secure communication The public and private controls are made in response to
or by the general public.
Tools, such as TLS*, are deployed services, such as encrypted or sectors adapt encryption and changing threat environments.
ad hoc by service providers signed email. cryptographic control policies
to secure all communications based on the evolution of
The cryptographic controls
between servers and users. technological advancement and
deployed meet international
changing threat environment.
Cryptographic standards and guidelines for each
sector and are kept up to date. The public and private sectors
Controls have developed encryption
Tools, such as TLS are routinely
and cryptographic control
deployed by service providers
policies based on the previous
to secure all communications
assessment, and regularly review
between servers and users.
the policies for effectiveness.
The country has considered
implementing digital-identity
management.
The country has considered D1
whether it requires a national
PKI**.
D2
* Transport Layer Security
** Public Key Infrastructure
D3
D4
D5
D 5.1
D 5.2
D 5.3
D 5.4
D 5.5
D 5.6
Factor - D 5.3: Software Quality
Quality and performance of Software quality and functional Software quality and functional Quality of software used in public Software applications of high-
software used in the country requirements in public and requirements in public and and private sectors is monitored level performance, reliability
is a concern, but functional private sectors are recognised private sectors are recognised and and assessed. and usability are available, with
requirements are not yet fully and identified, but not established. service continuity processes fully
Policies and processes
monitored. necessarily in a strategic manner. automated.
Reliable software applications on software updates and
A catalogue of assured software A catalogue for assured software that adhere to international maintenance (including patch Requirements of software
platforms and applications within platforms and applications within standards and good practices are management) are being quality are being systematically
the public and private sectors the public and private sectors is being used widely in the public improved, based on risk reviewed, updated, and adapted
Software does not exist. in development. and private sectors. assessments and the critical to the changing cybersecurity
Quality and nature of services in all sectors. environment.
Policies and processes regarding Policies and processes Policies on and processes
Assurance updates and maintenance on software updates and for software updates and Benefits to businesses from
(including patch management) of maintenance (including patch maintenance (including patch additional investment in
software applications have not management) are now in management) are established in ensuring software quality and
yet been formulated. development. all sectors. maintenance are measured and
assessed.
Evidence of software quality Software applications are
deficiencies is being gathered characterised as to their reliability, Software defects are manageable
and assessed regarding its impact usability and performance in in a timely manner and service
on usability and performance. adherence to international continuity is ensured.
standards and good practices.
D1
D2
D3
D4
D5
D 5.1
D 5.2
D 5.3
D 5.4
D 5.5
D 5.6
Factor - D 5.4: Communications and Internet Infrastructure Resilience
Affordable and reliable Internet Limited Internet services and Reliable Internet services are Regular assessments are made Acquisition of infrastructure
services and infrastructure in infrastructure are available, but widely available and used. of technology, of processes for technologies is effectively
the country may not have been with low levels of adoption and compliance with international controlled, with flexibility
Internet services are trusted
established; if they have been, issues of unreliability. standards, and of guidelines that incorporated according to
widely for conducting
adoption rates of those services address the national need in changing market dynamics.
The ability of Internet e-commerce and electronic
are a concern. the face of emerging risks, and
infrastructure in public and business transactions; Costs for infrastructure
changes are made as required.
There is little or no national private sectors to withstand appropriate authentication technologies are continually
oversight of network incidents with minimum processes are established. There is effective and assessed and optimised.
Internet infrastructure. disruption has been discussed by controlled acquisition of critical
Infrastructure Technology deployed and Scientific, technical, industrial
multiple stakeholders but may technologies, and there are
If networks and systems are processes used for managing and human capabilities are
Reliability outsourced, the reliability of
not have been fully addressed.
Internet infrastructure meet
managed strategic planning and
being systematically maintained,
service continuity processes in
third-party providers may not Support for securing Internet international standards and enhanced, and perpetuated in
place.
have been considered. infrastructure may rely on follow good practices. order to maintain the country’s
regional assistance. independent resilience.
Network redundancy measures National infrastructure is
may be considered, but not in formally managed, with Optimised efficiency is in place
a systematic, comprehensive documented processes, roles to mediate extended outages of
fashion. and responsibilities, and limited systems.
redundancy.
No risk assessments are Processes on developing risk Mechanisms are in place in Risks related to emerging and National-level assets can act
D1
conducted by Internet assessments for Internet both public and private sectors converging technologies are to work with the international
infrastructure owners to identify infrastructure owners have been to conduct risk assessments, regularly assessed by Internet community in the event of a
vulnerable assets and prioritise initiated. monitor and test network Infrastructure owners. trans-jurisdictional crisis or
protective actions. resilience, and to respond to incident. D2
There is ad-hoc monitoring Risks related to emerging and
incidents.
There is no monitoring in place of parts of the Internet converging technologies are Lessons learnt from international
to detect that incidents have infrastructure, but it may not be Incident response plans are in regularly assessed by regulatory collaborations are used to
Monitoring occurred. comprehensive. place in both public and private agencies responsible for evolve monitoring and response D3
and Response sectors and are regularly tested electronic communications capabilities.
No incident response plans are Incident response plans are in
and kept under review. networks and this is used to
in place. development in some sectors. Evidence exists that sovereign
inform funding and priority D4
Appropriate resources novel monitoring and response
decisions.
are allocated to hardware capabilities are being developed
integration, technology stress in anticipation of emerging
testing, personnel training, threats. D5
monitoring, response, and drills
to test response plans.
D 5.1
D 5.2
D 5.3
D 5.4
D 5.5
D 5.6
Factor - D 5.5: Cybersecurity Marketplace
If domestic production of If there is domestic production, If there is domestic production, If there is local development Security functions in software
cybersecurity technologies the need for secure processes is secure processes are in place. of cybersecurity technology, and computer system
exists, it does not follow secure recognised. it abides by secure coding configurations are automated
If there is reliance on foreign
processes. guidelines, good practices and in the development and
If there is reliance on foreign technologies, the security
adheres to internationally- deployment of technologies.
The country has not considered technologies, the security implications are identified and
accepted standards.
the security implications of implications are considered. mitigated in the context of an Domestic cybersecurity products
using foreign cybersecurity international supply chain. Risk assessments and are exported to other nations
Cybersecurity technologies. market incentives inform and are considered superior
Technologies the prioritisation of product products.
development and mitigation of
The country has established a
identified risks.
body to assure the security of
The security implications of foreign technologies (devices
using foreign technologies are and software) and supply chains,
routinely analysed and revised or to certify entities which can
based on the assessment of do this.
emerging cybersecurity risks.
Cybersecurity consultancy There are a growing number There are widespread Private and public organisations The cybersecurity service sector
services are not widely on offer of cybersecurity consultancy cybersecurity consultancy routinely seek advice from in the country helps shape the
in the country. services available for private and services available for private and cybersecurity consultancy international market.
public organisations. public organisations. services, including advice about D1
Few if any service providers have
emerging risks.
Cybersecurity professional certification. A growing number of service All service providers provide
providers provide detail of the details of the professional There is an adequate supply of
Services and professional certifications they certifications they possess. cybersecurity professionals in the D2
Expertise possess. country.
A national body accredits service
There may be limited or no providers, to assist organisations
guidance to assist organisations in selecting service providers. D3
with the selection of service
providers.
D4
D5
D 5.1
D 5.2
D 5.3
D 5.4
D 5.5
D 5.6
Factor - D 5.5: Cybersecurity Marketplace
No risk assessments are Some organisations and sectors Most major organisations from Insights arising from risk The country is contributing
conducted to determine how to conduct risk assessments to the public and private sectors assessments are routinely to international best practice
mitigate the risks of outsourcing determine how to mitigate the conduct risk assessments to analysed in order to establish on how to mitigate the risk of
IT to a third party or cloud risks of outsourcing IT to a third determine how to mitigate the and promote cybersecurity best outsourcing IT.
services. party or cloud services. risks of outsourcing IT to a third practices to mitigate the risk of
party or cloud services. outsourcing IT.
Security There is a lack of understanding At least some organisations and
of the security measures that the sectors understand the security There is widespread Different risk scenarios with the
Implications of outsourced IT service provider measures that the outsourced IT understanding of the security IT service provider are explored
Outsourcing applies. service provider applies. guarantees provided by the and tested, including emerging
outsourced IT service providers. risks.
At least some organisations have
developed business continuity Most organisations have
and disaster recovery processes. developed and tested processes
to support business continuity
and disaster recovery.
The need for a cyber-insurance The need for a market in cyber- A market for cyber-insurance is Cyber-insurance market offers Cyber-insurance practices in
market may have been identified, insurance has been identified established and encourages the a variety of covers to mitigate the country help to shape the
but no products and services through the assessment of sharing of threat- information consequential losses. international market.
are widely available, either financial risks for the public among participants of the
Cover is selected by organisations
domestically or from external and private sectors, and the market.
based on strategic planning
providers. appropriateness of available D1
Products suitable for small and needs and identified risk.
offerings is now being discussed.
Cyber medium-sized enterprises (SMEs)
The cyber-insurance market
Insurance are also on offer.
is innovative and adapts to D2
emerging risks, standards and
practices, while addressing the
full scope of cyber harm.
D3
Insurance premium reductions
are offered for consistent cyber-
secure behaviour.
D4
D5
D 5.1
D 5.2
D 5.3
D 5.4
D 5.5
D 5.6
Factor - D 5.6: Responsible Disclosure
There is no informal way of Technical details of vulnerabilities There are formal information- Vulnerability information-sharing The country is contributing to
sharing information among the are shared informally with other sharing mechanisms or channels mechanisms are continuously the debate and international
stakeholders about the technical stakeholders which can distribute in place to share the technical reviewed and updated based best practice on the sharing of
details of vulnerabilities. the information more broadly. details of vulnerabilities with on the needs of all affected vulnerability information.
other stakeholders, which can stakeholders, and in the light of
Sharing Software and service providers Software and service providers
distribute the information more emerging risks.
generally lack the ability to are able to address bug and
Vulnerability address bug and vulnerability vulnerability reports but there
broadly.
All affected products and services
Information reports. may not be formal protocols for A substantial proportion of are routinely updated within
doing so. vulnerabilities in products and defined deadline.
services are remedied within
Processes are in place to review
defined deadlines after their
and reduce deadlines where
discovery.
possible.
The need for a responsible- The need for a responsible- A responsible-disclosure Responsible-disclosure policies The country is contributing to the
disclosure policy in public and disclosure policy in public and policy or framework is in place and processes are continuously debate on responsible-disclosure
private sector organisations, and private sector organisations in public and private sector reviewed and updated based frameworks and legal protections
the right to legal protections for is recognised but policies or organisations, and includes a on the needs of all affected for those disclosing security flaws
those disclosing security flaws processes may not be in place, or disclosure deadline, scheduled stakeholders and in the light of responsibly.
Policies, are not yet acknowledged. may only be in development. resolution, and the need for emerging risks.
Processes and acknowledgement.
The right to legal protections for An analysis of the technical
Legislation for D1
those disclosing security flaws is Organisations have established details of vulnerabilities
Responsible recognised but legislation may processes to receive and is published and advisory
Disclosure of not be in place; or may only be in disseminate vulnerability information is disseminated
development. information responsibly. according to individual roles and D2
Security Flaws responsibilities.
Software and service providers The right to legal protections for
commit to refraining from those disclosing security flaws
taking legal action against a responsibly is in place. D3
party disclosing information
responsibly.
D4
D5
D 5.1
D 5.2
D 5.3
D 5.4
D 5.5
D 5.6
Evolution of the CMM
This CMM 2021 Edition builds on the success of the model over the last six years by considering
the changing cyber threat to users, the lessons learned from more than 120 CMM reviews
undertaken around the world, and the feedback from cybersecurity experts.
The decision to revise the CMM was informed by two key factors:
• The need to respond to all pertinent aspects of threat, systems vulnerabilities and
consequential harm due to changing operational environments and risks; and
• Re-assessment of the changing cybersecurity control landscape and risk management

practices available to the community.
To determine whether or not to propose a change to the CMM, or to the evidence required to
justify an attainment of capacity maturity, the following decision process was followed.
All potential changes to be included in the CMM 2021 Edition had to meet the following criteria:
• Each change must have been proposed by partners, users, or expert advisors. It must be
based on experience in deploying the model, feedback from a country which has used the
model or from a member of the international stakeholder community with particular insight
into changing environments that need be taken into account;
• The change must have been discussed with the GCSCC Expert Advisory Panel, regional,
strategic and implementation partners and other experts during the online conference calls
and/or one-to-one online meetings. Clear consensus must have been reached amongst the
attendees;
• The change must have been discussed at the CMM Revision Workshop in February 2020.
Clear consensus must have been reached amongst attendees;
D1
• Global Constellation partners and strategic and implementation partners must have been
consulted; and
D2
• Members of the GCSCC Technical Board must agree that the changes are desirable.
Those criteria that did not meet the requirements were documented as requiring further D3
research and consultation.
D4
D5

Acknowledgements
This CMM 2021 Edition was developed by the GCSCC with significant contributions by its partners and collaborators:
GCSCC Technical Board

GCSCC Research Team
GCSCC Expert Advisory Panel
Global Constellation Partners
• Cybersecurity Capacity Centre for Southern Africa (C3SA), Cape Town, South Africa
• Oceania Cyber Security Centre (OCSC), Melbourne, Australia
Strategic and Implementation Partners
• Commonwealth Telecommunications Organisation (CTO)
• Global Forum on Cyber Expertise (GFCE)
• International Telecommunication Union (ITU)
• NRD Cyber Security
• Organization of American States (OAS)
• World Bank
D1
More than 150 individuals contributed to different steps of the revision process, too many to list them all. We would like to thank all of them.
D2
We also would like to thank our research funders and our partners who provided in-kind support: the UK Foreign, Commonwealth and
Development Office (FCDO), State Government of Victoria (Australia), the Organization of American States (OAS), the Inter-American
Development Bank (IDB), the World Bank, the International Telecommunications Union (ITU), the Commonwealth Telecommunication D3
Organisation (CTO), the Global Forum on Cyber Expertise (GFCE), the Norwegian Ministry of Foreign Affairs, the Ministry of Foreign Affairs of
the Netherlands, GIZ (the German agency for international co-operation), and NRD Cyber Security.
D4
D5

About the GCSCC
The Global Cyber Security Capacity Centre (GCSCC), a programme of
the Oxford Martin School and based at the Department of Computer
Science of the University of Oxford, is a leading international centre
for research on efficient and effective cybersecurity capacity-
building. It promotes an increase in the scale, pace, quality and
impact of cybersecurity capacity-building initiatives across the world
and aims to improve the scale and effectiveness of cybersecurity
capacity-building by gaining a more comprehensive and nuanced
understanding of the cybersecurity capacity landscape. The goal of
the GCSCC is to ensure that the knowledge and research collected
and produced by the centre can assist nations to improve their
cybersecurity capacities in a systematic and substantive way. By
helping in the understanding of national cybersecurity capacity, the
GCSCC hopes to help promote an innovative cyberspace in support of
well-being, human rights and prosperity for all.
D1
D2
D3
D4
D5

Global Cyber Security Capacity Centre
Department of Computer Science, University of Oxford
Wolfson Building
Parks Road
Oxford
OX1 3QD
United Kingdom
Tel: +44 (0)1865 287430

Email: cybercapacity@cs.ox.ac.uk
Web: https://gcscc.ox.ac.uk/ and https://www.oxfordmartin.ox.ac.uk/cyber-security/ March 2021

Cybersecurity Capacity Maturity Model For Nations (CMM) 2021 Edition

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Cybersecurity Capacity Maturity Model For Nations (CMM) 2021 Edition

Uploaded by

Copyright:

Available Formats

Cybersecurity Capacity Maturity

Model for Nations (CMM) 2021 EDITION

Electronic copy available at: https://ssrn.com/abstract=3822153

2 Cybersecurity Capacity Maturity Model for Nations (CMM) - 2021 Edition

Dimension 1: Cybersecurity Policy and Strategy 9

Dimension 2: Cybersecurity Culture and Society 19

Dimension 3: Building Cybersecurity Knowledge and Capabilities 29

Dimension 4: Legal and Regulatory Frameworks 38

Dimension 5: Standards and Technologies 48

Evolution of the CMM 60

3 Cybersecurity Capacity Maturity Model for Nations (CMM) - 2021 Edition

4 Cybersecurity Capacity Maturity Model for Nations (CMM) - 2021 Edition

1. Developing cybersecurity policy and strategy;

5. Controlling risks through standards and technologies.

5 Cybersecurity Capacity Maturity Model for Nations (CMM) - 2021 Edition

7 Cybersecurity Capacity Maturity Model for Nations (CMM) - 2021 Edition

The Stages of National Dimension 5

8 Cybersecurity Capacity Maturity Model for Nations (CMM) - 2021 Edition

9 Cybersecurity Capacity Maturity Model for Nations (CMM) - 2021 Edition

• Implementation and Review: this Aspect addresses the

• International Engagement: this Aspect explores to

10 Cybersecurity Capacity Maturity Model for Nations (CMM) - 2021 Edition

11 Cybersecurity Capacity Maturity Model for Nations (CMM) - 2021 Edition

12 Cybersecurity Capacity Maturity Model for Nations (CMM) - 2021 Edition

* Forum of Incident Response and Security Teams

13 Cybersecurity Capacity Maturity Model for Nations (CMM) - 2021 Edition

* Computer Emergency Response Team

14 Cybersecurity Capacity Maturity Model for Nations (CMM) - 2021 Edition

15 Cybersecurity Capacity Maturity Model for Nations (CMM) - 2021 Edition

16 Cybersecurity Capacity Maturity Model for Nations (CMM) - 2021 Edition

17 Cybersecurity Capacity Maturity Model for Nations (CMM) - 2021 Edition

18 Cybersecurity Capacity Maturity Model for Nations (CMM) - 2021 Edition

19 Cybersecurity Capacity Maturity Model for Nations (CMM) - 2021 Edition

• User Trust in E-commerce Services: this Aspect examines D 2.1

20 Cybersecurity Capacity Maturity Model for Nations (CMM) - 2021 Edition

21 Cybersecurity Capacity Maturity Model for Nations (CMM) - 2021 Edition

22 Cybersecurity Capacity Maturity Model for Nations (CMM) - 2021 Edition

23 Cybersecurity Capacity Maturity Model for Nations (CMM) - 2021 Edition

24 Cybersecurity Capacity Maturity Model for Nations (CMM) - 2021 Edition

25 Cybersecurity Capacity Maturity Model for Nations (CMM) - 2021 Edition

26 Cybersecurity Capacity Maturity Model for Nations (CMM) - 2021 Edition

27 Cybersecurity Capacity Maturity Model for Nations (CMM) - 2021 Edition

28 Cybersecurity Capacity Maturity Model for Nations (CMM) - 2021 Edition

29 Cybersecurity Capacity Maturity Model for Nations (CMM) - 2021 Edition

• Executive Awareness Raising: this Aspect examines efforts D2

30 Cybersecurity Capacity Maturity Model for Nations (CMM) - 2021 Edition

• Uptake: this Aspect examines the uptake and affordability

31 Cybersecurity Capacity Maturity Model for Nations (CMM) - 2021 Edition

32 Cybersecurity Capacity Maturity Model for Nations (CMM) - 2021 Edition

* Chief Information Officer D4

33 Cybersecurity Capacity Maturity Model for Nations (CMM) - 2021 Edition

34 Cybersecurity Capacity Maturity Model for Nations (CMM) - 2021 Edition

35 Cybersecurity Capacity Maturity Model for Nations (CMM) - 2021 Edition

* Information and Communications Technology

36 Cybersecurity Capacity Maturity Model for Nations (CMM) - 2021 Edition

37 Cybersecurity Capacity Maturity Model for Nations (CMM) - 2021 Edition

38 Cybersecurity Capacity Maturity Model for Nations (CMM) - 2021 Edition

39 Cybersecurity Capacity Maturity Model for Nations (CMM) - 2021 Edition

• Regulatory Bodies: this Aspect reviews the existence of

40 Cybersecurity Capacity Maturity Model for Nations (CMM) - 2021 Edition

41 Cybersecurity Capacity Maturity Model for Nations (CMM) - 2021 Edition

42 Cybersecurity Capacity Maturity Model for Nations (CMM) - 2021 Edition

43 Cybersecurity Capacity Maturity Model for Nations (CMM) - 2021 Edition