Вы находитесь на странице: 1из 60

Cybersecurity Capacity Maturity

Model for Nations (CMM)

Revised Edition

Global Cyber Security Capacity Centre

University of Oxford
Executive Summary
The goal of the Global Cyber Security Capacity Centre (Capacity Centre) is to increase the scale and
effectiveness of cybersecurity capacity-building, both within the UK and internationally by gaining a
more comprehensive and nuanced understanding of the cybersecurity capacity landscape. It is our
aim to ensure that the knowledge and research collected and produced by the Capacity Centre can
assist nations improve their cybersecurity capacity in a systematic and substantive way. By helping
understand national cybersecurity capacity, the Capacity Centre hopes to help promote an innovative
cyberspace in support of well-being, human rights and prosperity for all.

In order to achieve this aim, the Capacity Centre developed its prototype National Cybersecurity
Capacity Maturity Model in 2014, and deployed it in 2015 during 11 national cybersecurity capacity
reviews, as well as a regional assessment of the Latin American and Caribbean Region (led by the
Organization of American States in collaboration with the Inter-American Development Bank). The
reviews were conducted alongside several international organisations and leading ministries, and
convened stakeholders from across all sectors of society in order to gain a comprehensive
understanding of the maturity of cybersecurity capacity of the nation. During the reviews, the Capacity
Centre was able to gauge whether the content of CMM is consistent with the cybersecurity capacity
landscape, as well as determine ways to enhance the overall content, structure and deployment of
the CMM through lessons learnt.

Therefore, the Capacity Centre has developed a revised edition of the CMM, based on the lessons
learnt through the deployment of the model. The Capacity Centre proposed a series of modifications
based on the lessons learnt to a panel of cybersecurity experts from various disciplines. These expert
consultations confirmed several proposed amendments, and produced additional inputs for
consideration in the revision of the CMM. Once the amended content was curated by senior
academics leading the development of the respective cybersecurity capacity dimensions, the revised
edition of the CMM was produced.

Most of the alterations that have been made in the revised edition of the CMM are structural rather
than substantial. Certain factors and aspects have been combined or reconfigured to improve the
clarity and precision of the model as a whole, while ensuring the continuity of the content. For
example, in Dimension 3, several review participants expressed confusion regarding the differences
between factors, which resulted in a reconfiguration of this dimension in order to more clearly
communicate the intention of each factor. Other revisions, such as adding factors to certain
dimensions, were made to ensure the essence of the cybersecurity capacity dimensions is more
accurately reflected. In Dimension 5, in particular, several new factors were added so that the focus
of the dimension is drawn toward technical standards, controls and products rather than the existing
ambiguous scope. Finally, some factors were added as a direct result of feedback from the various
country reviews, such as the addition of a factor on the role of media in Dimension 2 and a factor on
international cooperation in Dimension 4.

This effort to enhance the content of the CMM is not intended to be a static exercise. As the Capacity
Centre continues to deploy the model across the world, new lessons will be learnt that can be used to
further enhance the CMM. Our aim is to ensure the CMM remains applicable to all national contexts
and reflects the global state of cybersecurity capacity maturity.

Table of Contents
Executive Summary...................................................................................................................... 2
I. Introduction.............................................................................................................................. 5
II. Development of the Cybersecurity Capacity Maturity Model ..................................................... 8
a. Selection of Cybersecurity Capacity-Building Factors ....................................................................... 8
b. Pilot Phase and Deployment ............................................................................................................ 9
III. Evolution of the Cybersecurity Capacity Maturity Model ........................................................ 10
a. Revision Process ............................................................................................................................. 10
b. Modifications and New Factors of CMM Revised Edition ............................................................... 10
IV. National Cybersecurity Capacity Maturity Model ................................................................... 14
Dimension 1: Cybersecurity Policy and Strategy .......................................................................... 14
D 1.1: National Cybersecurity Strategy ............................................................................................... 16
D 1.2: Incident Response.................................................................................................................... 17
D 1.3: Critical Infrastructure (CI) Protection ....................................................................................... 20
D 1.4: Crisis Management .................................................................................................................. 22
D 1.5: Cyber Defence ......................................................................................................................... 23
D 1.6: Communications Redundancy.................................................................................................. 24
Dimension 2: Cyber Culture and Society ..................................................................................... 25
D 2.1: Cybersecurity Mind-set ............................................................................................................ 27
D 2.2: Trust and Confidence on the Internet ...................................................................................... 28
D 2.3: User Understanding of Personal Information Protection Online .............................................. 30
D 2.4: Reporting Mechanisms ............................................................................................................ 31
D 2.5: Media and Social Media ........................................................................................................... 31
Dimension 3: Cybersecurity Education, Training and Skills ........................................................... 32
D 3.1: Awareness Raising ................................................................................................................... 33
D 3.2: Framework for Education ........................................................................................................ 35
D 3.3: Framework for Professional Training ....................................................................................... 37
Dimension 4: Legal and Regulatory Frameworks ......................................................................... 39
D 4.1: Legal Frameworks .................................................................................................................... 41
D 4.2: Criminal Justice System ............................................................................................................ 45
D 4.3: Formal and Informal Cooperation Frameworks to Combat Cybercrime ................................... 47
Dimension 5: Standards, Organisations, and Technologies .......................................................... 49
D 5.1: Adherence to Standards .......................................................................................................... 51
D 5.2: Internet Infrastructure Resilience ............................................................................................ 53

D 5.3: Software Quality ...................................................................................................................... 54
D 5.4: Technical Security Controls ...................................................................................................... 55
D 5.5: Cryptographic Controls ............................................................................................................ 56
D 5.6: Cybersecurity Marketplace ...................................................................................................... 57
D 5.7: Responsible Disclosure ............................................................................................................ 58
Acknowledgements.................................................................................................................... 59
Director.............................................................................................................................................. 59
Research Team .................................................................................................................................. 59
Technical Board ................................................................................................................................. 59
Expert Panel ....................................................................................................................................... 59

I. Introduction
The goal of the Global Cyber Security Capacity Centre (Capacity Centre) is to increase the scale and
effectiveness of cybersecurity capacity-building, both within the UK and internationally through the
deployment of the Cybersecurity Capacity Maturity Model (CMM). The Capacity Centre will make this
knowledge available to governments, communities and organisations to help increase their
cybersecurity capacity. By helping increasing national cybersecurity capacity the Capacity Centre
hopes to help promote an innovative cyberspace in support of well-being, human rights and prosperity
for all.

We currently consider cybersecurity capacity to comprise five dimensions:

1. Devising cybersecurity policy and strategy;

2. Encouraging responsible cybersecurity culture within society;
3. Developing cybersecurity knowledge;
4. Creating effective legal and regulatory frameworks; and
5. Controlling risks through standards, organisations and technologies.

Policy and

Organisations, Cyber Culture
and and Society

Legal and
Training and

These five dimensions cover the broad expanse of areas that should be considered when seeking to
enhance cybersecurity capacity. We recognise that these dimensions may overlap with one another
on certain issues, and indeed the Capacity Centre hopes to understand the interdependences between
cybersecurity capacities as it conducts more national capacity reviews. Within each dimension, there
are several factors, aspects, stages of maturity, and indicators of cybersecurity capacity, each of which
is defined as follows:

 Dimension: The 5 dimensions represent the clusters of cybersecurity capacity through which
the Capacity Centre analyses the nuances of capacity. They represent the different research
‘lenses’ through which cybersecurity capacity is studied. Accordingly, the most fundamental
structure of the CMM is divided into dimensions, which consist of a number of factors.
 Factor: Within the 5 dimensions, factors describe what it means to possess cybersecurity
capacity. They are elements that contribute to the enhancement of cybersecurity capacity
maturity, and the complete list of factors seeks to holistically incorporate all elements of the
cybersecurity capacity landscape, though we recognise that this list may need to be adapted
based on lessons learnt in reviews. Most factors are composed of a number of aspects that
structure the factor’s content (indicators) into more concise parts, while some factors that are
more limited in scope do not have specific aspects.

 Aspect: Each factor is then presented as a number of aspects, which represent different
components of the factor. Aspects represent an organisational method to divide indicators
into smaller clusters that are easier to comprehend. The number of aspects depends on the
themes that emerge in the content of the factor and the overall complexity of the factor. Each
aspect is composed of a series of indicators within 5 stages of maturity.
 Stage: Stages define to which degree a country has progressed in relation to a certain
factor/aspect of cybersecurity capacity. The CMM consists of 5 distinct stages of maturity
(defined on page 6), that serve as a snapshot of existing cybersecurity capacity, from which a
country can improve or decline depending on the actions taken (or inaction). Within each
stage there are a number of indicators which a country has to fulfil to move towards higher
cybersecurity capacity maturity.
 Indicator: Indicators represent the most elemental part of CMM’s structure. Each indicator
describes the steps, actions, or building blocks that are indicative of a specific stage of maturity
within a distinct aspect, factor and dimension. In order to elevate a country’s cybersecurity
capacity maturity, all of the indicators within a particular stage will need to have been fulfilled.
Most of these indicators are binary in nature, i.e. the country can either evidence they have
fulfilled the indicator criteria, or they cannot provide such evidence. In order for a country to
enhance its maturity within a given aspect of factor, the fulfilment of every indicator needs to
evidenced, otherwise they country cannot progress to the following stage.
The preceding terms are layered as follows:


Start-up stage Formative stage Established stage Strategic stage Dynamic stage
Indicators Indicators Indicators Indicators Indicators

Below is a template for how the factors, aspects, and indicators are visualised in each dimension of
the CMM:

D X.X: Factor Title

Aspect Start-Up Formative Established Strategic Dynamic
Indicator 1 Indicator 4 Indicator 6 Indicator 9 Indicator 12

Aspect A Indicator 2 Indicator 5 Indicator 7 Indicator 10 Indicator 13

Indicator 3 Indicator 8 Indicator 11

Indicator 1 Indicator 3 Indicator 6 Indicator 8 Indicator 11

Aspect B Indicator 2 Indicator 4 Indicator 7 Indicator 9 Indicator 12

Indicator 5 Indicator 10

In order to determine to what stage of maturity particular indicators belong, each stage has been
characterised as follows:

 Start-up: At this stage either no cybersecurity maturity exists, or it is very embryonic in nature.
There might be initial discussions about cybersecurity capacity building, but no concrete
actions have been taken. There is an absence of observable evidence at this stage.

 Formative: Some features of the aspects have begun to grow and be formulated, but may be
ad-hoc, disorganized, poorly defined – or simply “new”. However, evidence of this activity can
be clearly demonstrated.

 Established: The elements of the aspect are in place, and working. There is not, however, well-
thought-out consideration of the relative allocation of resources. Little trade-off decision-
making has been made concerning the “relative” investment in the various elements of the
aspect. But the aspect is functional and defined.

 Strategic: Choices have been made about which parts of the aspect are important, and which
are less important for the particular organisation or nation. The strategic stage reflects the
fact that these choices have been made, conditional upon the nation or organization's
particular circumstances.

 Dynamic: At this stage, there are clear mechanisms in place to alter strategy depending on
the prevailing circumstances such as the technology of the threat environment, global conflict
or a significant change in one area of concern (e.g. cybercrime or privacy). Dynamic
organisations have developed methods for changing strategies in stride. Rapid decision-
making, reallocation of resources, and constant attention to the changing environment are
feature of this stage.

The CMM allows the review of current national cybersecurity capacity maturity. In each case,
understanding the requirements to achieve higher levels of capacity should directly indicate areas
requiring further investment, and the data required to evidence such capacity levels. This means that
the CMM could also be used to build business cases for investment and expected performance

II. Development of the Cybersecurity Capacity Maturity Model
a. Selection of Cybersecurity Capacity-Building Factors
In developing the first iteration of the model in 2014, the Capacity Centre began the process of
selecting factors contributing to building capacity in cybersecurity through exhaustive exploration into
various disciplines. This search sought to gather as much publically available material on cybersecurity
capacity-building as possible, in order not to miss relevant material and reduce the risk of duplicating
efforts conducted by other institutions. Therefore, the Capacity Centre researched, assessed, and
analysed cybersecurity capacity-building factors from several organisations from around the world.

This process sought to ensure that the CMM developed by the Capacity Centre is as scientifically
rigorous as possible. Such factors include, but are not limited to, content produced by: the
International Telecommunications Union (ITU), the European Network and Information Security
Agency (ENISA), Hathaway Global Strategies LLC., the National Institute of Standards and Technologies
(NIST), the Economist Intelligence Unit (EIU), the Organization for Economic Co-Operation and
Development (OECD), the Australian Strategic Policy Institute (ASPI), and the World Economic Forum
(WEF). These organisations (among others) have all conducted significant research into various factors
contributing to cybersecurity capacity-building. The Capacity Centre acknowledges the importance of
these initiatives in the development of the CMM. In addition, in order to collect as diverse and credible
input as possible, the Capacity Centre consulted with various stakeholders with diverse geographic,
organisational and disciplinary perspectives. These stakeholders are all regarded as experts in their
respective fields, which encompass the five dimensions of cybersecurity capacity identified by the
Capacity Centre. Stakeholders routinely contributed to the collection of cybersecurity capacity-
building material.

Once the initial broad collection of factors had been completed, the Capacity Centre proceeded to
prioritise these factors based on a defined methodology. Prioritisation was deemed necessary in order
to prevent an over-abundance of information during the deployment phase. In order to conduct this
prioritisation, the Capacity Centre developed a survey which proposed the following questions:

 CATEGORISATION: To what extent do you believe that this should be a primary factor within
one of the five dimensions (as opposed to a consideration that serves as an aspect of a factor)?
 EVIDENCE: To what extent do you believe it is impossible/easy to gather evidence to
demonstrate that a nation state or other organisation possesses this capability (i.e. is it
measurable or demonstrable in an observable way)?
 VALIDATION: How scientifically robust do you believe measures of this factor could be?
 POTENTIAL: Do you agree that this factor should be included in the Cybersecurity Capacity
Maturity Model, assuming supporting data could be acquired?
 RELEVANCE: How important is this factor to the future development of cybersecurity capacity?

This survey was completed by several of the stakeholders previously mentioned. The Capacity Centre
collected the responses for all of the participants in the survey in order to create an average score for
all results in each dimension of capacity, and then took the average of each factor across all five
questions, which produced a single score for every factor. These average scores per factor served as
our base for prioritisation. The Capacity Centre decided to use the third quartile as its benchmark for
highest priority factors, as this produced both an operational number of factors and is an objective
standard for selection. By comparing each score against the baseline, and accounting for overlap
between different dimensions, the factors for inclusion were selected.

However, before the CMM could be converted into a tool for national cybersecurity reviews, the CMM
was revised to reflect the operational environment. This revision process was crucial to ensuring that
the CMM maintains a functional purpose, rather than a theoretical perspective. The Organisation of
American States (OAS) provided invaluable insight into several operational environments in which the
CMM might be deployed. Finally, the CMM was adapted into a deployment tool, which optimised
accessibility to the various stakeholders participating in the cybersecurity review. The adaptation
process sought to capture the academic rigour and content behind the development of the CMM, but
condense, re-structure, and rephrase the material in such a way as to maximise the impact of the
capacity-building exercise.

b. Pilot Phase and Deployment

During the pilot phase of CMM in the first quarter of 2015, the Global Cyber Security Capacity Centre
worked alongside the Organisation of American States (OAS) and Inter-American Development Bank
(IDB) 1 and the World Bank 2 to conduct national cybersecurity capacity maturity reviews. Further
country reviews were conducted over the following year in conjunction with the Commonwealth
Telecommunications Organisation (CTO),3 the government of The Netherlands under the auspices of
the Global Forum on Cyber Expertise (GFCE)4 and individual countries.5 Throughout the process of
deployment, the Capacity Centre has not only gained a unique understanding of the cybersecurity
capacities of several countries, but has also learned lessons about cybersecurity capacity-building that
can benefit the cybersecurity discipline as an evolving field of work.

As the Capacity Centre does not and cannot have thorough and in-depth understanding of each
domestic context in which the model is deployed, it is important to work alongside international
organisations or host ministries or organisations within the respective country. Moreover,
cooperation with international organisations has sought to enable those organisations to achieve its
own cybersecurity capacity-building objectives through a holistic understanding of a country’s existing
cybersecurity capacity. After engaging with the model deployment a number of times, these
organisations will continue to conduct reviews in their own right, with remote Capacity Centre
support. In this way, we can increase economies of scale while empowering international
organisations to use a single model that is applicable to a variety of objectives and addresses
cybersecurity capacity comprehensively.

Colombia, Jamaica, and regional review
Armenia, Bhutan, Kosovo and Montenegro.
Uganda and Fiji.
Indonesia and United Kingdom.

III. Evolution of the Cybersecurity Capacity Maturity Model
This document presents the second iteration of the Capacity Centre’s Cybersecurity Capacity Maturity
Model. All revisions that have been made are based on lessons learnt in the pilot phase and
subsequent post-pilot deployment of the CMM and through expert consultations. However, to
validate the results of this revision process and ensure widest stakeholder consultations, this revised
edition of the CMM has been disseminated to international cybersecurity experts for review and
advice before finalisation.

a. Revision Process
In order to gather feedback and suggestions for the CMM evolution, a series of conference calls with
members of the Capacity Centre’s Expert Panel was arranged in late 2015. Each conference call
focused on one of the five dimensions of the CMM and discussed various enhancements to the existing
factors. These calls also introduced potential new factors, as gathered from the lessons learnt of the
deployment of the model, a roundtable Expert Panel discussion, and additional preliminary
consultations with the respective dimension Chairs. The outcome of the discussion during each of the
calls was analysed and fed into the revision of the five CMM dimensions. The revised content was in
turn curated by senior academics leading the development of the respective dimensions. Key
modifications are described below.

b. Modifications and New Factors of CMM Revised Edition

Dimension One: Cybersecurity Policy and Strategy

An additional aspect was added to the Incident Response factor (‘Mode of Operation’) to better reflect
the operational part of incident response capacity, including processes, tools and training. This was
originally a factor in Dimension 5, but the review participants felt this factor was out-of-place without
the context of the other aspects of incident response included in Dimension 1.

Furthermore, several aspects within various factors were merged to create a more focused view on
each factor. For example, crisis management was condensed from two aspects to one because during
the reviews, it became evident that participant responses for the ‘Evaluation’ aspect of crisis
management was dependent on their response to the ‘Planning’ aspect. By combining these two
aspects, the dependent relationship between aspects is removed.

Finally, to avoid further redundancies in this dimension, the word “national” was removed from
various factors, aspects and indicators (apart from ‘National Cybersecurity Strategy’, which was
identified as a noun), as the CMM is in itself a national model.

Dimension Two: Cyber Culture and Society

One of the major changes within the second dimension was the clarification of the relationship
between cybersecurity awareness raising and cybersecurity mind-set. To ensure coherence within and
across dimensions, the factor on initiatives seeking to raise awareness was moved to Dimension Three
(Cybersecurity Education, Training and Skills), while the prevailing cybersecurity mind-set and social
perception was retained in Dimension Two.

Three new factors were introduced within this dimension, namely: User Understanding of Personal
Information Protection Online, Reporting Mechanisms, and Media and Social Media. All of these new
factors had been identified as missing or not distinct enough during the deployment of the CMM.

The factor on User Understanding of Personal Information Protection Online refers to the
understanding and sensitisation of users to protecting their personal data. This factor was identified
as important in the first iteration of the CMM, but was not included due to difficultly of evidence
collection. We decided that, since perceptual evidence should be included in the reviews, we are able
to include this factor.

The factor on Reporting Mechanisms was identified as an important aspect to be included in the
revised edition of the CMM by the various experts we consulted during the revision phase. This factor
explores the existence of reporting mechanisms functioning as channels for users to report cybercrime
and the possible development of coordinated programmes to promote the use of these mechanisms.
The evidence gathered will offer valuable insight in a country’s preparedness to control cybersecurity
risks and the public ability to recognise and report these.

The role of media was identified as important during the CMM reviews and is now a distinct factor in
the revised edition. The factor on Media and Social Media explores whether cybersecurity is a
common subject across mainstream media, or an issue for broad discussion on social media, as well
as the role of media in conveying information about cybersecurity to the public, thus shaping their
cybersecurity values, attitudes and online behaviour.

Dimension Three: Cybersecurity Education, Training and Skills

Awareness raising was moved to this dimension from the cultural and social dimension, as raising
awareness of cybersecurity is crucial to building knowledge. Additionally, the participants in the
reviews often claimed that executive awareness of cybersecurity depended on the sector. By re-
contextualising this factor into raising executive awareness, this aspect can be more readily applied at
the national level.

Additionally, while the content of the third dimension did not change substantially, the deployment
of the CMM suggested a broad restructuring of the factors and their aspects, as the previous structure
proved to be confusing to country review participants and showed overlaps. For example, there was
a conflation of education and training in the first iteration of the model that many participants found
confusing. In the new structure, education and training are clearly separated and are defined by the
provisional aspect, as well as development/uptake aspect, rather than addressing both education and
training in the same factors. Emphasis was further shifted from focusing primarily on businesses and
the private sector towards addressing all sectors of society.

Dimension Four: Legal and Regulatory Frameworks

Among the different components of the factor legal and regulatory frameworks, only ICT security
legislation was considered unclear during the reviews, as the interpretation varied between ICT
security legislation as the legal tool for mandatory standards adoption, or as a unique cybercrime law.
As a result, this aspect of the first factor was clarified and the content was made more explicit by
referring to the protection of critical information infrastructure, e-transactions, liability of Internet
Service Providers and cyber incident reporting obligations.

Additionally, while a distinction was made in the CMM between training prosecutors and judges,
review participants commented that it is not only crucial to maintain this distinction in further versions
of the model, but also that the need for specialised trainings should be highlighted. This finding was
corroborated by experts consulted on this dimension. In fact, one expert even suggested that, if the
same training programmes are used for all parts of the criminal justice system, it would signify a lower
level of cybersecurity capacity maturity.

The third factor on responsible disclosure was less self-explanatory to participants, as it did not directly
relate to the other elements of this dimension and there was disagreement whether responsible
disclosure requires a legal response or is rather an issue for policy or standards and good practice.
Experts consulted on the various dimensions concluded that the responsible disclosure factor should
be moved to the Standards, Organisations, and Technologies Dimension, as its content relates to
technical vulnerabilities and the standards that are in place to disclose and address these.

Through expert consultations, several recommendations were gathered to further enhance the
structure of Dimension Four. It was discussed that additional aspects on legislation addressing
intellectual property, data protection, child protection online and consumer protection should be
added to provide a more holistic overview of the legal framework relating to cybersecurity and
emphasise these specific subjects that are widely debated at the international arena.

Another recommendation raised during expert consultations was the need to distinguish domestic
and international cooperation as its own factor rather than an aspect of the criminal justice system
factor. In accordance with expert input, the newly established third factor within this dimension
includes both formal legal cooperation mechanisms (such as mutual legal assistance and extradition)
and informal mechanisms (such as cooperation between law enforcement and Internet Service
Providers), on domestic and international levels.

Dimension Five: Standards, Organisations, and Technologies

The various reviews conducted by the Capacity Centre indicated that the focus of Dimension Five was
not as clear or succinct as the other four. Therefore, four new factors were based on recommendations
from cybersecurity experts, in order to tailor the focus of this dimension on a clear set of issues.

Two new factors that were added observe the level of deployment and implementation of technical
security and cryptographic control measures. These factors will gather evidence on the deployment
of up-to-date technical security controls such as anti-malware systems, intrusion detection systems,
network firewalls, event-logging and auditing functionality, as well as the deployment of cryptographic
controls in all sectors, and whether these controls meet international standards and guidelines.

In addition, software quality was added as a new factor. Experts in cybersecurity have identified that
the aspect of quality during deployment of software and the functional requirements as well as the
existence and improvement of policies and processes on software updates were missing from the

The only other substantial change was the combination of the two aspects of National Infrastructure
Resilience into one on Internet Infrastructure Resilience which, based on input from the reviews, more
accurately reflects the content in the indicators.

IV. National Cybersecurity Capacity Maturity Model

Dimension 1: Cybersecurity Policy and Strategy

This dimension explores the country’s capacity to develop and deliver cybersecurity strategy and
enhance its cybersecurity resilience through improving its incident response, crisis management,
redundancy, and critical infrastructure protection capacities. Delivering cybersecurity must include
capability in early warning, deterrence, resistance and recovery. This dimension considers effective
security policy in delivering national defence and resilience capability, while maintaining the benefits
of a cyberspace vital for government, international business and society in general.

D 1.1: National Cybersecurity Strategy

Cybersecurity strategy is essential to mainstreaming a cybersecurity agenda across government
because it helps prioritise cybersecurity as an important policy area, determines responsibilities and
mandates of key cybersecurity government and non-governmental actors, and directs allocation of
resources to the emerging and existing cybersecurity issues and priorities.
 Development: This aspect addresses the development of a national strategy, allocation of
implementation authorities across sectors and civil society and an understanding of national
cybersecurity risks and threats which drives capacity building at a national level.
 Organisation: This aspect addresses the existence of an overarching programme for
cybersecurity coordination, including a departmental owner or coordinating body with a
consolidated budget.
 Content: This aspect addresses the content of the national cybersecurity strategy and whether
it is linked explicitly to national risks, priorities and objectives such as public awareness raising,
mitigation of cybercrime, incident response capability and critical national infrastructure

D 1.2: Incident Response

This factor addresses the capacity of the government to identify and determine characteristics of
national level incidents in a systematic way. It also reviews the government’s capacity to organise,
coordinate, and operationalise incident response.
 Identification of Incidents: This aspect identifies whether there is a central registry of national
level cyber incidents.
 Organisation: This aspect addresses the existence of a mandated central body designated to
collect incident information, and its relationship with the public and private sector for national
level incident response.
 Coordination: This aspect explores the existence of coordinated national incident response
with clear roles and responsibilities as well as lines of communication for crisis situations.
 Mode of Operation: This aspect addresses the operational and technical capacity of the
incident response organisation, such as services, processes, resources and tools.

D 1.3: Critical Infrastructure (CI) Protection

This factor studies the government’s capacity to identify CI assets and the risks associated with them,
engage in response planning and critical assets protection, facilitate quality interaction with CI asset
owners, and enable comprehensive general risk management practice including response planning.

 Identification: This aspect addresses the existence of a general list of CI assets, identified risk-
based priorities, and an audit of CI assets on a regular basis.
 Organisation: This aspect addresses the existence of a formal collaboration mechanism
between government ministries and owners of critical assets.
 Risk Management and Response: This aspect explores whether cybersecurity is embedded
into general risk management practices, and whether security measures are developed to
ensure business continuity of CI in the context of the prevailing risk environment. Additionally,
this aspect refers to information protection procedures and processes for response planning
to an attack on critical assets, supported by adequate technical security solutions.

D 1.4: Crisis Management

This factor addresses crisis management planning addresses conducting specialised needs
assessments, training exercises, and simulations that produce scalable results for policy development
and strategic decision-making. Through qualitative and quantitative techniques, cybersecurity
evaluation processes aim to produce structured and measurable results that would solicit
recommendations for policymakers and other stakeholders and inform national strategy
implementation as well as inform budgetary allocations.
 Crisis Management: (as above)

D 1.5: Cyber Defence Consideration

This factor explores whether the government has the capacity to design and implement a cyber
Defence strategy and lead its implementation including through a designated cyber Defence
organisation. It also reviews the level of coordination between various public and private sector actors
in response to malicious attacks on strategic information systems and critical national infrastructure.
 Strategy: This aspect addresses the existence of a national cyber Defence strategy.
 Organisation: This aspect addresses the existence of a designated organisation within the
government responsible for Defence for conflict using cyber means.
 Coordination: This aspect addresses coordination in response to malicious attacks on strategic
information systems and critical national infrastructure.

D 1.6: Communications Redundancy

This factor reviews a government’s capacity to identify and map digital redundancy and redundant
communications among stakeholders. Digital redundancy foresees a cybersecurity system in which
duplication and failure of any component is safeguarded by proper backup. Most of these backups will
take the form of isolated (from mainline systems) but readily available digital networks, but some may
be non-digital (e.g. backing up a digital communications network with a radio communications
 Communications Redundancy: (as above)

D 1.1: National Cybersecurity Strategy
Aspect Start-Up Formative Established Strategic Dynamic
No national cybersecurity An outline/draft national A national cybersecurity Strategy review and renewal Continual revision and
strategy exists, although cybersecurity strategy has strategy has been published. processes are confirmed. refinement of cybersecurity
planning processes for been articulated. strategy is conducted
strategy development may Multi-stakeholder Regular scenario and real- proactively to adapt to
have begun. Processes for strategy consultation processes have time cyber exercises that changing socio-political,
development have been been followed and provide a concurrent picture threat and technology
Advice may have been initiated. observations fed back to the of national cyber resilience environments.
sought from international identified strategy 'owners'. are considered a strategic
partners. Consultation processes have priority. The country is a leader
been agreed for key National cybersecurity within the international
stakeholder groups, strategy is promoted and Relevant metrics, community and the debate
Strategy Development including international implemented by multiple measurement, and shaping the development of
partners. stakeholders across monitoring processes, data, global cybersecurity
government and other and historic trends are strategy.
sectors. evaluated and inform

Cybersecurity strategic
plans, aligned with national
strategic priorities, drive
capacity building and
investments in security.
No overarching national A coordinated cybersecurity The single agreed Evidence exists of iterative A singular national
cybersecurity programme programme is being cybersecurity programme application of metrics and cybersecurity posture exists
has been developed. developed through a multi- has a designated resulting refinements to with the ability to reassign
stakeholder consultative coordinating body with a operations and strategy tasks and budgets
process. mandate to consult across across government, dynamically according to
public and private sectors, including resource allocation changing risk assessments.
However, budgets reside in and civil society. considerations.
Organisation disparate public A designated national body
departments without a The programme is defined A consolidated cybersecurity disseminates and receives
discrete cybersecurity according to goals and budget has been feedback on the strategy
budget line. objectives, using metrics to administered in order to from wider society to
measure progress. allocate resources. continuously enhance the
national cybersecurity
Discrete budget for posture.
cybersecurity exists, but is

D 1.1: National Cybersecurity Strategy
Aspect Start-Up Formative Established Strategic Dynamic
not yet a part of a
consolidated budget.
Various national policies Content includes links The content of the national Metrics and measurements New content is periodically
may exist with a reference established between cybersecurity strategy is are utilised to update incorporated in the strategy
to cybersecurity, but if so, cybersecurity, national risk linked explicitly and directly national cybersecurity in response to evolving
the content is generic, not priorities and business to national risks, priorities strategy content to help threat landscapes.
necessarily aligned with development, but these are and objectives, as well as leaders evaluate the success
national goals, and does not generally ad-hoc and lack business development. of the various cybersecurity Content of the national
provide actionable detail. objectives and guide cybersecurity strategy leads,
Content directives. Content at a minimum resource investment. promotes and encourages
should seek to raise public national and international
awareness, mitigate Content now also seeks to cooperation to ensure a
cybercrime, establish protect critical secure, resilient and trusted
incident response capability infrastructure internal cyberspace.
and protect critical threats.
infrastructure from external
and internal threats.

D 1.2: Incident Response

Aspect Start-Up Formative Established Strategic Dynamic
No catalogue of national Certain cybersecurity A central registry of Regular, systematic updates Focus on incident
level incidents exists, or is in incidents have been national-level cybersecurity to the national-level identification and analysis is
development. categorised and recorded as incidents is operational. incident registry are made. adapted in response to
Identification of national-level threats. environmental changes.
Incidents Resources are allocated for
analysing incidents in order
to prioritise which incidents
are most urgent.

D 1.2: Incident Response
Aspect Start-Up Formative Established Strategic Dynamic
No organisation for national Private sector organisations A funded national body for Distinct and formal security National incident response
cyber incident response key to national cybersecurity incident response has been roles and responsibilities are capability is fully financially
exists. have been identified, but no established (such as CSIRTs allocated across sustainable, from a single or
formal coordination and or CERTs), with specified government, critical multiple sources.
information sharing roles and responsibilities. infrastructure, enterprise,
mechanisms exist between and individual systems. An early warning capacity is
public and private sectors. incorporated into the
Organisation Human and financial mission of the incident
Dispersed public and private resources allocated to response organisation,
sector bodies detect and incident response are which seeks to shape and
respond to incidents as they adequate to the manage the threat
occur but a specific mandate cybersecurity threat landscape before
for a national cyber incident environment and enhance responding to specific
response organisation is yet effectiveness of the incidents.
to be agreed. organisation.
Coordination of incident Leads for incident response Routine and coordinated The national incident Multi-level and inclusive
response is informally have been designated at the national incident response is response organisation national and international
managed within or between operational level, but established and published coordinates and coordination between all
public and private sectors. national-level coordination between public and private collaborates with sub- levels and sectors is
has not yet been sectors, with lines of national/sectorial incident- internalised as vital for
established. communication prepared response organisations. continuous and effective
for times of crisis. incident response.
Technical capabilities now
International cooperation go beyond coordinating Regional coordination exists
for incident response response and include to resolve incidents as they
between organisations strategically focusing occur.
Coordination exists to resolve incidents as resources in coordinating
they occur. international incident and
threat intelligence

A platform for the reporting

and sharing of incidents
across sectors is promoted.

D 1.2: Incident Response
Aspect Start-Up Formative Established Strategic Dynamic
Key incident response Key incident response Key incident response Incident response teams The results of testing key
processes (detection, processes have been processes and tools are have established a training processes through case
resolution, prevention, etc.) identified, but not officially defined, documented and policy for their members; scenarios are being analysed
and (digital) tools to support documented or functional. members are being trained and are incorporated into
them have not been well operationalised. in specialised subjects and the updating of processes.
defined or documented. Members of CSIRTs receive accredited by internationally
Members of CSIRTs receive training regularly in order to recognised bodies on a The benefits of training and
There is limited or no training in an ad-hoc understand key concepts of regular basis. accreditation are being
sufficient training or manner. cybersecurity incident evaluated and inform the
understanding of the key response. Team members are able to future training planning.
concepts of cybersecurity Incident response is reactive carry out a sophisticated
incident response. and ad-hoc. National-level incident incident analysis Tools for early detection,
response is limited in scope investigation quickly and identification, prevention,
and still reactive. efficiently. response and mitigation of
Mode of Operation zero-day vulnerabilities are
Key processes (detection, embedded in incident
resolution, prevention, etc.) response organisation(s).
are being monitored and
reviewed in regular basis, Mechanisms for regional
and tested with different cooperation in incident
case scenarios. response have been
Forensics services are

National incident response

teams coordinate with
international counterparts.

D 1.3: Critical Infrastructure (CI) Protection
Aspect Start-Up Formative Established Strategic Dynamic
Some understanding of A list of general CI assets has A detailed audit of CI assets CI risks and assets have Priority listing of CI assets is
what comprises CI assets is been created. as it relates to been prioritised according regularly re-appraised to
acknowledged, but no cybersecurity is performed to vulnerability and impact, capture changes in the
formal categorisation of on a regular basis. which guides strategic threat environment.
assets has been produced. investment.
Identification CI asset audit lists are
disseminated to relevant Vulnerability/asset
stakeholders. management processes are
in place so that incremental
security improvements can
be made.
There is little or no There is informal and ad-hoc A mechanism is established There is a clear Owners of critical
interaction between threat and vulnerability for regular vulnerability understanding of which infrastructure and assets
government ministries and disclosure among CI owners disclosure with defined threats to CI are managed are able to rapidly respond
owners of CI assets. No as well as between CI and scope for reporting centrally, and which are to the changing threat
mechanism for collaboration the government, but the incidents (either managed locally. landscape.
exists. scope of reporting mandatory or voluntary)
requirements has not been between CI asset owners A public awareness Trust has been established
specified. and the government. campaign to facilitate the CI between the government
communication strategy is and CIs with respect to
Formal internal and established with a point of cybersecurity and exchange
external CI communication contact for this information. of threat information, which
strategies have been is fed into the strategic
Organisation defined and are consistent Cybersecurity requirements decision-making process.
across sectors, with clear and vulnerabilities in CI
points of contact. supply chains are clearly
identified, mapped and
Strategic engagement managed.
between government and
CI is agreed and promoted.

Risk management skills and Physical and virtual access Best practices in security Cybersecurity is firmly Audit practices to assess
understanding may be control is implemented. measures, guidelines, and embedded into general risk network and system
incorporated into business standards for CI management practice. dependencies and
practices, but cybersecurity, CI has basic capacity to cybersecurity have been vulnerabilities (i.e.
if recognised, is subsumed detect, identify, respond to established and adopted. Assessment of the breadth unmitigated dependencies)
into IT and data protection and recover from cyber and severity of harm are implemented on a
risk and is not recognised as threats, but such capabilities Cybersecurity risk incurred by CI assets is regular basis and inform
a priority. are uncoordinated and vary management processes regularly conducted and continuous reassessment of
in quality. have been established, response planning is CI risk portfolio,
Response planning and supported by adequate tailored to that assessment technologies, policies and
Risk Management and threat awareness may have Protection of CI assets technical security solutions, to ensure business processes.
Response been broadly discussed, but includes basic level communication links, and continuity.
no formal plan exists. cybersecurity awareness and harm mitigation measures. The impact of cybersecurity
data security policies, but no Resources are allocated in risk on the business
protection processes have CI risk management proportion to the assessed operations of CI, including
been agreed. procedures are used to impact of an incident to direct and opportunity
create a national response ensure rapid and effective costs, impact on revenue,
plan including the incident response. and hindrance to
participation of all vital innovation, are understood
entities. Insider threat detection is and incorporated into
accounted for. future planning and
executive decision making.

D 1.4: Crisis Management
Categories Start-Up Formative Established Strategic Dynamic
It is understood that general A preliminary cybersecurity A cybersecurity exercise, A realistic high-level The exercise involves
crisis management is needs assessment of with limited size and scenario informs a plan to neutral peer stakeholders to
necessary for national measures and techniques geographic scope has been test information flows, observe, and, where
security, but cybersecurity is that require testing has conducted involving all decision-making and appropriate, contribute, and
not yet considered as a been undertaken, but no relevant stakeholders in all resource investment at the addresses international
component. exercise has been sectors. national level. challenges to produce
conducted at this point. scalable results for
Crisis management exercise Appropriate resources have Trust is developed well in international policy- and
design and planning An exercise planning been allocated to the advance via the recruitment decision-making.
authority may have been authority has been exercises. and pre-exercise briefing
allocated in principle (either designated, and has process and through An evaluation of the crisis
directly or via consultants), outlined the steps to be Planning process includes guaranteed confidentiality management exercise is
but cybersecurity crisis taken in order to conduct the engagement of control. provided for the
management planning has the cybersecurity exercise. participants, an outline of international community, so
not been thoroughly their role in the exercise, Specific, Measurable, that lessons learnt can
outlined. Key stakeholders and other and the articulation of Attainable, Relevant, and contribute toward a global
subject matter experts, such benefits and incentives for Time-Bound (SMART) understanding of crisis
Crisis Management as think tanks, academics, participation. objectives and performance management.
civil leaders and consultants key indicators (PKI) inform
are included in the planning Trained internal or external decisions in crisis Crisis management is
process. monitors facilitate the management, and embedded in risk analysis,
exercise. evaluation results inform review and management.
Exercise monitors, if future investment in
designated, are internal and The exercise is evaluated national cybersecurity
may lack training. and commentary is provided capacity.
by participants and
stakeholders. Findings are evaluated
against international crisis
management good practice.

Tailored, sector-specific
reports are prepared for
each stakeholder, while
ensuring sensitive
information is secured.

D 1.5: Cyber Defence
Aspect Start-Up Formative Established Strategic Dynamic
National security policy and Specific threats to national National cyber Defence Resources dedicated toward The policy or strategy drives
Defence strategy may be security in cyberspace have policy or strategy exists and Cyber Defence are allocated the international discussion
published and may contain a been identified, such as outlines the country’s based on national strategic on rules of engagement in
cybersecurity component. external threat actors (both position in its response to objectives. cyberspace.
state and non-state), insider different types and levels of
threats, supply chain cyber-attacks (for example, The evolving threat Rules of engagement are
Strategy vulnerabilities, and threats cyber-enabled conflict landscape in cybersecurity is clearly defined and the
to military operational producing a kinetic effect captured through repeated military doctrine that
capacity, but a coherent and offensive cyber-attacks review in order to ensure applies to cyberspace is fully
strategy does not yet exist. aimed to disrupt that cyber Defence ways developed and takes note of
infrastructure). and means continue to meet significant shifts in the
national security objectives. cybersecurity environment.
Informal management of Cyber operations units are There is a defined Highly specialised expertise The Defence apparatus
cyber Defence may be incorporated into the organisation within the with advanced capabilities contributes to the debate in
distributed among the different branches of the Defence apparatus and full situational developing a common
Organisation armed forces and/or armed forces, but no central responsible for conflict using awareness are integrated international understanding
government organisations, command and control cyber means. into the national defence of the point at which a
with occasional reference to structure exists. posture. cyber-attack might trigger a
signals intelligence. cross-domain response.
No, or limited, capacity for Cyber Defence capability The entity in charge of cyber Analytical capacity exists to The country is leading the
coordinated cyber Defence requirements are agreed Defence coordinates support the coordination of international debate on
exists between domestic between the public and integration regarding cyber resource allocation for cyber Defence and
stakeholders (e.g. law private sector in order to events between national cyber Defence; systematically shares
enforcement, public, and minimise the threat to government, military and possibly including a cyber- intelligence with allies.
enterprise, private) or national and international critical infrastructure and defence research centre.
interstate stakeholders (e.g. security. identifies clear roles and
Coordination allied or neutral states). responsibilities. The understanding of
strengths and weaknesses
Defence organisations and within the coordination
critical infrastructure mechanism then feeds into
providers have established a the re-evaluation of the
mechanism to report threat national security posture of
intelligence. the nation.

D 1.6: Communications Redundancy
Aspect Start-Up Formative Established Strategic Dynamic
Digital redundancy Stakeholders convene to Emergency response assets Outreach and education of Optimised efficiency is in
measures may be identify gaps and overlaps in are hardwired into a redundant communications place to mediate extended
considered, but not in a emergency response asset national emergency protocols is undertaken for outages of systems.
systematic, comprehensive communications and communication network. key stakeholders and is
fashion. authority links. tailored to their unique roles National-level assets can act
Communication is and responsibilities. to assist neighbours in the
Current emergency Emergency response assets, distributed across event of an international-
response assets may have priorities and standard emergency response Emergency response assets level crisis or incident.
been identified, but lack any operating procedures are functions, geographic areas practice interoperability and
level of integration. mapped and identified in of responsibility, public and function effectively under
the event of a private responders, and compromised
communications disruption command authorities. communications scenarios.
Redundancy along any node in the
emergency response Appropriate resources are The results of these
network. allocated to hardware scenarios then inform
integration, technology strategic investment in
stress testing, personnel future emergency response
training and crisis assets.
simulations drills.
Stakeholders contribute to
international efforts on
redundancy communication

Dimension 2: Cyber Culture and Society
This dimension reviews important elements of a responsible cybersecurity culture such as the
understanding of cyber-related risks in society, the level of trust in Internet services, e-government and
e-commerce services, and users’ understanding of personal information protection online. Moreover,
this factor explores the existence of reporting mechanisms functioning as channels for users to report
cybercrime. In addition, this factor reviews the role of media and social media in shaping cybersecurity
values, attitudes and behaviour.

D 2.1: Cybersecurity Mind-set

This factor evaluates the degree to which cybersecurity is prioritised and embedded in the values,
attitudes, and practices of government, the private sector, and users across society-at-large. A
cybersecurity mind-set consists of values, attitudes and practices, including habits, of individual users,
experts, and other actors in the cybersecurity ecosystem that increase the resilience of users to threats
to their security online.
 Government: This aspect examines whether all agencies across all levels of government have
embedded a proactive cybersecurity mind-set.
 Private sector: This aspect examines whether all agencies have embedded a proactive
cybersecurity mind-set across business and industry.
 Users: This aspect examines whether a cybersecurity mind-set is adopted throughout society.

D 2.2: Trust and Confidence on the Internet

This factor reviews the level of user’s trust and confidence in the use of online services, in general, and
e-government and e-commerce services, in particular.
 User Trust and Confidence on the Internet: This aspect examines whether users trust in online
services, and whether there is a coordinated programme by operators of Internet
infrastructure to promote trust.
 User Trust in E-government Services: This aspect examines whether there are government e-
services offered, if trust exists in the secure provision of such services, and if efforts are in
place to promote such trust in the application of security measures.
 User Trust in E-commerce Services: This aspect examines whether e-commerce services are
offered and established in a secure environment, trusted by users.

D 2.3: User Understanding of Personal Information Protection Online

This aspect looks at whether Internet users and stakeholders within the public and private sectors
recognise and understand the importance of protection of personal information online, and whether
they are sensitised to their privacy rights.
 User Understanding of Personal Information Protection Online: (as above)

D 2.4: Reporting Mechanisms

This aspect explores the existence of reporting mechanisms functioning as channels for users to report
internet related crime such as online fraud, cyber-bullying, child abuse online, identity theft, privacy
and security breaches, and other incidents.
 Reporting Mechanisms: (as above)

D 2.5: Media and Social Media
This aspect explores whether cybersecurity is a common subject across mainstream media, and an
issue for broad discussion on social media. Moreover, this aspects speaks about the role of media in
conveying information about cybersecurity to the public, thus shaping their cybersecurity values,
attitudes and online behaviour.
 Media and Social Media: (as above)

D 2.1: Cybersecurity Mind-set
Aspect Start-Up Formative Established Strategic Dynamic
Government has no or Leading agencies have Most government officials at Agencies across all levels of The cybersecurity mind-set
minimal recognition of the begun to place priority on all levels are aware of government have routinized serves as a foundation for
need to prioritise a cybersecurity, by identifying cybersecurity good a cybersecurity mind-set, government official’s
cybersecurity mind-set. risks and threats. practices. employing good (proactive) operational practices and is
practices as a matter of evidenced as global good
Leading agencies within habit. practice.
Government government may have
begun to consider Cybersecurity mind-set Cybersecurity mind-set of
cybersecurity. informs strategic planning. government officials is
related to a reduction of the
overall threat landscape of
the government.
The private sector has no or Leading firms have begun to Most private sector actors Most private sector actors, The cybersecurity mind-set
minimal recognition of the place priority on a at all levels are aware of including SMEs, have serves as a foundation for
need to prioritise a cybersecurity mind-set by cybersecurity good routinized a cybersecurity private sector operational
cybersecurity mind-set. identifying high-risk practices. mind-set, employing good practices, informs all IT
practices. (proactive) practices as a related initiatives and is
matter of habit. evidenced as global good
Private Sector Programmes and materials practice.
have been made available to Cybersecurity mind-set,
train and improve informs strategic planning. Cybersecurity mind-set of
cybersecurity practices. the private sector is related
to a reduction of the overall
threat landscape of the
Users have no or minimal A limited proportion of A growing number of users Most users have routinized Cybersecurity mind-set of
recognition of the need to Internet users have begun feel it is a priority for them a cybersecurity mind-set, users is related to a
prioritise a cybersecurity to place priority on to employ good employing secure practices reduction of the overall
Users mind-set and take no cybersecurity, by identifying cybersecurity practices and as a matter of habit. threat landscape of the
proactive steps to improve risks and threats. make conscious efforts to country.
their cybersecurity. securely use online systems.

D 2.2: Trust and Confidence on the Internet
Aspect Start-Up Formative Established Strategic Dynamic
Most Internet users have A very limited proportion of A growing proportion of Most Internet users critically Individuals assess the risk in
blind trust on websites and Internet users critically Internet users critically assess what they see or using online services,
regarding what they see or assess what they see or assess what they see or receive online, based on including changes in the
receive online. receive online and believe receive online, based on identifying possible risks. technical and cybersecurity
that they have the ability to identifying possible risks. environment and
use the Internet and protect Most Internet users feel continuously adjust their
Operators of Internet themselves online. A growing proportion of confident while using the behaviour based on this
infrastructure may consider users trust in the secure use Internet, have the ability to assessment.
measures promoting trust in A limited proportion of of the Internet based on recognise non-legitimate
User Trust and online services. users trust in the secure use indicators of website websites (including mimicry Internet infrastructure
of the Internet based on legitimacy. attempts), and have a sense operators assess trust
Confidence on the indicators of website of control over providing promotion services and
Internet legitimacy. Internet infrastructure personal data online. integrate findings into
operators have established programme and policy
Operators of Internet programmes to promote Programmes to promote revision.
infrastructure develop trust in online services. trust in the use of online
measures to promote trust services are assessed based
in online services but have User-consent policies are in on measures of
not established them. place designed to notify effectiveness which informs
practices on the collection, resource allocation.
use or disclosure of sensitive
personal information.
Government offers no or Government continues to E-government services have Public authorities are E-government services and
limited e-services, but has increase e-service provision, been fully developed. routinely publishing certain promotion thereof are
not publicly promoted the but also recognises the need information about their continuously improved and
necessary secure for the application of High-level risks affecting e- activities. expanded to enhance
environment. security measures to government services are transparent/open and
establish trust in these prioritised in order to Privacy-by-default is secure systems and user
If e-government services are services. reduce occurrences. promoted as a tool for trust.
User Trust in E- provided, users are transparency in e-
government Services unfamiliar with or lack trust The need for security in e- The public sector promotes government services. Impact assessments on data
in them. government services is use of e-government protection in e-government
recognised by stakeholders services and trust in these The majority of users trust services are consistently
and users. services through a in the secure use of e- taking place and feed back
coordinated programme, government services and into strategic planning.
A limited proportion of including the compliance to make use of them.
users trust in the secure use web standards that protect
of e-government services. the anonymity of users.

D 2.2: Trust and Confidence on the Internet
Aspect Start-Up Formative Established Strategic Dynamic
Processes are employed for
Some e-government A growing proportion of gathering user feedback in
services are informing users users trust in the secure use order to ensure efficient
of the utility of deployed of e-government services. management of online
security solutions. content.
Possible breaches in e-
government services are
being identified,
acknowledged, and
disclosed in an ad-hoc
E-commerce services are E-commerce services are E-commerce services are E-commerce service E-commerce services are
not offered or are offered in being provided to a limited fully established by multiple providers recognise the continuously improved in
an unsecure environment. extent. stakeholders in a secure need for building trust in order to promote
environment. order to ensure business transparent, trustworthy
If e-commerce services are The private sector continuity, and resources and secure systems.
provided, users are recognises the need for the Security solutions are are allocated accordingly.
unfamiliar with or lack trust application of security updated and reliable Terms and conditions
in them. measures to establish trust payment systems have been The majority of users trust provided by e-commerce
in e-commerce services. made available. in the secure use of e- services are clear and easily
commerce services and comprehensible to all users.
User Trust in E-
A limited proportion of A growing proportion of make use of them.
commerce Services users trust in the secure use users trust in the secure use User feedback mechanisms
of e-commerce services. of e-commerce services. Stakeholders invest in are integrated into e-
establishing enhanced commerce services in order
Some e-commerce services The private sector promotes service functionality of e- to enhance trust between
are informing users of the use of e-commerce services commerce services, users and providers.
utility of deployed security and trust in these services. protection of personal
solutions. information and the
Terms and conditions of use provision of feedback
of e-commerce services are mechanisms for users.
easily accessible.

D 2.3: User Understanding of Personal Information Protection Online
Aspect Start-Up Formative Established Strategic Dynamic
Users and stakeholders Users and stakeholders A growing proportion of All stakeholders have the Users have the knowledge
within the public and private within the public and private users have the skills to information, confidence and and skills necessary to
sectors have no or minimal sectors may have general manage their privacy online, the ability to take measures protect their personal
knowledge about how knowledge about how and protect themselves to protect their personal information online, adapting
personal information is personal information is from intrusion, interference, information online and to their abilities to the
handled online, nor do they handled online; and may or unwanted access of maintain control of the changing risk environment.
believe that adequate employ good (proactive) information by others. distribution of this
measures are in place to cybersecurity practices to information. There is a wide recognition
protect their personal protect their personal There is constant public of the need to ensure
information online. information online. debate regarding the Users and stakeholders security and protection of
User Understanding of protection of personal within the public and private personal information.
Personal Information There is no or limited Discussions have begun information and about the sectors widely recognise the
Protection Online discussion regarding the regarding the protection of balance between security importance of protection of Policies are in place in
protection of personal personal information and and privacy, which informs personal information online, private and public sectors to
information online. about the balance between privacy policies within public and are sensitised to their ensure that privacy and
security and privacy, but this and private sectors. privacy rights. security are not competing
Discussions may have begun has not resulted in concrete in a changing environment
and involve multiple actions or policies. Mechanisms are in place in and are informed by user
stakeholders, but no privacy private and public sectors to feedback and public debate.
standards are in place. ensure that privacy and
security are not competing. Assessments of personal
information protection in e-
Privacy by default as a tool services are regularly
for transparency is conducted and feed back
promoted. into policy revision.

D 2.4: Reporting Mechanisms
Aspect Start-Up Formative Established Strategic Dynamic
There are no reporting The public and/or private Reporting mechanisms have Coordinated reporting All relevant stakeholders
mechanisms available, but sectors are providing some been established and are mechanisms are widely actively collaborate and
discussions might have channels for reporting regularly used. used. share good practice to
begun. online fraud, cyber-bullying, enhance existing reporting
child abuse online, identity Programmes to promote the Programmes to promote the mechanisms and there is a
theft, privacy and security use of these mechanisms use of these mechanisms clear distribution of roles
breaches, and other have been established by are prioritised by public and and responsibilities,
incidents, but these public and private sectors. private sectors and are including regarding the
channels are not considered as an investment response to reported
Reporting Mechanisms coordinated and are used in in loss prevention and risk incidents.
an ad-hoc manner. control.
Mechanisms have been
Promotion of the existing Effectiveness metrics of developed to coordinate
reporting channels has not reporting mechanisms are response to reported
yet begun or is ad-hoc. applied and findings inform incidents between law
the revision and promotion enforcement and the
of the mechanisms. national incident response

D 2.5: Media and Social Media

Aspect Start-Up Formative Established Strategic Dynamic
Media and social media There is ad-hoc media Cybersecurity is a common Media coverage extends The broad discussion of
rarely, if ever, cover coverage of cybersecurity, subject across mainstream beyond threat reporting and personal experiences and
information about with limited information media, and information and can inform the public of personal attitudes of
cybersecurity or report on provided and reporting on reports on a wide range of proactive and actionable individuals across
issues such as security specific issues that issues, including security cybersecurity measures, as mainstream and social
breaches or cybercrime. individuals face online, such breaches and cybercrime well economic and social media inform policy making
Media and Social as online child protection or are widely disseminated. impacts. and facilitate societal
Media cyber-bullying. change.
There is broad discussion on There is frequent discussion
There is limited discussion social media about on social media about
on social media about cybersecurity. cybersecurity and
cybersecurity. individuals regularly
exchange experiences online
using social media.

Dimension 3: Cybersecurity Education, Training and Skills

This dimension reviews the availability of cybersecurity awareness raising programmes for both the
public and executives. Moreover, it evaluates the availability, quality, and uptake of educational and
training offerings for various groups of government stakeholders, private sector, and the population
as a whole.

D 3.1: Awareness Raising

This factor focuses on the prevalence and design of programmes to raise awareness of cybersecurity
risks and threats as well as how to address them.
 Awareness Raising Programmes: This aspect examines the existence of a national
coordinated programme for cybersecurity awareness raising, covering a wide range of
demographics and issues, developed based on consultations with stakeholders from various
 Executive Awareness Raising: This aspect examines efforts raising executives’ awareness of
cybersecurity issues in the public, private, academic and civil society sectors, as well as how
cybersecurity risks might be addressed.

D 3.2: Framework for Education

This factor addresses the importance of high quality cybersecurity education offerings and the
existence of qualified educators. Moreover, this factor examines the need for enhancing cybersecurity
education at the national and institutional level and the collaboration between government, and
industry to ensure that the educational investments meet the needs of the cybersecurity environment
across all sectors.
 Provision: This aspect explores whether there are cybersecurity educational offerings and
educator qualification programmes available based on an understanding of current risks and
skills requirements.
 Administration: This aspect explores the coordination and resources for developing and
enhancing cybersecurity education frameworks, with allocated budget and spending based on
the national demand.

D 3.3: Framework for Professional Training

This factor addresses the availability and provision of cybersecurity training programmes building a
cadre of cybersecurity professionals. Moreover, this factor reviews the uptake of cybersecurity training
and horizontal and vertical cybersecurity knowledge transfer within organisations and how it
translates into continuous skills development.
 Provision: This aspects examines the development, availability and provision of cybersecurity
training programmes for enhancing skills and capabilities.
 Uptake: This aspect examines the existence of certified employees trained in cybersecurity
issues, processes, planning and analytics through the uptake of cybersecurity training
programmes and knowledge transfer within organisations.

D 3.1: Awareness Raising
Aspect Start-Up Formative Established Strategic Dynamic
The need for awareness of Awareness raising A national programme for The national awareness Awareness raising
cybersecurity threats and programmes, courses, cybersecurity awareness raising programme is programmes are adapted in
vulnerabilities across all seminars and online raising, led by a designated coordinated and integrated response to performance
sectors is not recognised, or resources are available for organisation (from any with sector-specific, tailored evidenced by monitoring
is only at initial stages of target demographics from sector) is established, which awareness raising which results in the
discussion. public, private, academic, addresses a wide range of programmes, such as those redistribution of resources
and/or civil society sources, demographics and issues, focusing on government, and future investments.
but no coordination or but no metrics for industry, academia, civil
scaling efforts have been effectiveness have been society, and/or children. Metrics contribute toward
conducted. applied. national cybersecurity
Metrics for effectiveness are strategy revision processes.
Awareness raising Consultation with established and evidence of
programmes may be stakeholders from various application and lessons Awareness programme
informed by international sectors informs the creation learnt are fed into future planning gives explicit
initiatives but are not linked and utilisation of programmes. consideration to national
to national strategy. programmes and materials. demand from the
The evolution of the stakeholder communication
Awareness Raising A single online portal linking programme is supported by (in the widest sense), so that
Programmes to appropriate cybersecurity the adaptation of existing campaigns continue to
information exists and is materials and resources, impact the entire society.
disseminated via that involving clear methods for
programme. obtaining a measure of The national awareness
suitability and quality. raising programme has a
measurable impact on
Programmes contribute reduction of the overall
toward expanding and threat landscape.
enhancing international
awareness raising good
practice and capacity-
building efforts.

D 3.1: Awareness Raising
Aspect Start-Up Formative Established Strategic Dynamic
Awareness raising on Executives are made aware Awareness raising of Executive awareness raising Cybersecurity risks are
cybersecurity issues for of general cybersecurity executives in the public, efforts in nearly all sectors considered as an agenda
executives is limited or non- issues, but not how these private, academic and civil include the identification of item at every executive
existent. issues and threats might society sectors address strategic assets, specific meeting, and funding and
affect their organisation. cybersecurity risks in measures in place to protect attention is reallocated to
Executives are not yet aware general, some of the them, and the mechanism address those risks.
of their responsibilities to Executives of particular primary methods of attack, by which they are protected.
shareholders, clients, sectors, such as finance and and how the organisation Executives are regarded
customers, and employees telecommunications, have deals with cyber issues Executives are able to alter regionally and
in relation to cybersecurity. been made aware of (usually abdicated to the strategic decision making, internationally as a source
cybersecurity risk in general CIO). and allocate specific funding of good practice in
and how the organisation and people to the various responsible and accountable
Executive Awareness deals with cybersecurity Select executive members elements of cyber risk, corporate cybersecurity
Raising issues, but not of strategic are made aware of how contingent on their governance.
implications. cybersecurity risks affect the company’s prevailing
strategic decision making of situation.
the organisation,
particularly those in the Executives are made aware
financial and of what contingency plans
telecommunications sectors. are in place to address
various cyber-based attacks
Awareness raising efforts of and their aftermath.
cybersecurity crisis
management at the Executive awareness
executive level is still courses in cybersecurity are
reactive in focus. mandatory for nearly all

D 3.2: Framework for Education
Aspect Start-Up Formative Established Strategic Dynamic
Few or no cybersecurity Qualification programmes Qualifications for and supply Cybersecurity educators are National courses, degrees,
educators are available, and for cybersecurity educators of educators are readily not only drawn from the and research are at the
there are no qualification are being explored, with a available in cybersecurity. academic environment, but forefront of cybersecurity
programmes for educators. small cadre of existing incentives are in place so education internationally.
professional educators. Specialised courses in that industry and/or
Computer science courses cybersecurity are offered government experts take Cybersecurity education
are offered that may have a Some educational courses and accredited at the these positions as well. programmes maintain a
security component, but no exist in cybersecurity- university level. balance between preserving
cybersecurity-related related fields, such as Accredited cybersecurity core components of the
courses are offered. information security, Degrees in cybersecurity- courses are embedded in all curriculum and promoting
network security and related fields are offered by computer science degrees. adaptive processes that
No accreditation in cryptography, but universities. respond to rapid changes in
cybersecurity education Degrees are offered in
cybersecurity-specific Universities and other the cybersecurity
exists. cybersecurity specifically,
courses are not yet offered. bodies hold environment.
which encompasses courses
A demand for cybersecurity seminars/lectures on and models in various other Prevailing cybersecurity
education is evidenced cybersecurity issues aimed cybersecurity-related fields, requirements are
Provision through course enrolment at non-specialists. including technical and non- considered in the re-
and feedback. technical elements such as development of all general
Research and development
is a leading consideration in policy implications, and curricula.
cybersecurity education. multi-disciplinary education.

Cybersecurity educational
offerings are weighted and
focused based on an
understanding of current
risks and skills requirements.

Cybersecurity education is
not limited to universities,
but ranges from primary to
post-graduate levels,
including vocational

D 3.2: Framework for Education
Aspect Start-Up Formative Established Strategic Dynamic
The need for enhancing The need for enhancing Broad consultation across Metrics are developed to International cybersecurity
national cybersecurity cybersecurity education in government, private sector, ensure that educational centres of excellence are
education is not yet schools and universities has academia and civil society investments meet the needs established through
considered. been identified by leading stakeholders informs of the cybersecurity twinning programmes led by
government, industry, and cybersecurity education environment across all world class institutions.
A network of national academic stakeholders. priorities and is reflected in sectors.
contact points for national cybersecurity Routinized cooperation
governmental, regulatory Schools, government, and strategy. Government budget and between all stakeholders in
bodies, critical industries industry collaborate in an spending on cybersecurity cybersecurity education can
and education institutions is ad-hoc manner to supply National budget is dedicated education is managed based be evidenced.
not yet established. the resources necessary for to national cybersecurity on the national demand.
Administration providing cybersecurity research and laboratories at Content in cybersecurity
Discussion of how universities. Leading national education programmes is
coordinated management of cybersecurity academic aligned with practical
cybersecurity education and A national budget focused Competitions and initiatives institutions share their cybersecurity problems and
research enhances national on cybersecurity education for students are promoted lessons learnt with other business challenges, and
knowledge development has is not yet established. by government and/or national and international provides a mechanism for
not, or only just begun. enhancing curriculum based
industry in order to increase counterparts.
on the evolving landscape.
the attractiveness of
cybersecurity careers. Government has established
academic centres of
excellence in cybersecurity.

D 3.3: Framework for Professional Training
Aspect Start-Up Formative Established Strategic Dynamic
Few or no training The need for training Structured cybersecurity A range of cybersecurity The public and private
programmes in professionals in training programmes exist training courses is tailored sector collaborate to offer
cybersecurity exist. cybersecurity has been to develop skills towards toward meeting national training, constantly adapting
documented at the national building a cadre of strategic demand and aligns and seeking to build skillsets
level. cybersecurity-specific with international good drawn from both sectors.
professionals. practice.
Training for general IT staff Training offerings
is provided on cybersecurity Security professional The training programme coordinate with education
issues so that they can react certification is offered outlines the priorities in the programmes so that the
to incidents as they occur, across sectors within the national cybersecurity foundation established in
but no training for dedicated country. strategy. schools can enable training
security professionals exists. programmes to build a
Provision The needs of society are Training programmes are highly skilled workforce.
ICT professional certification well understood and a list of offered to cybersecurity
is offered, with some training requirements is professionals that focus on Programmes and incentive
security modules or documented. the skills necessary to structures are in place to
components. communicate technically ensure the retention of
Training programmes for complex challenges to non- trained workforce within the
Ad-hoc training courses, non-cybersecurity technical audiences, such as country.
seminars and online professionals are recognised management and general
resources are available for and initially offered. employees.
cybersecurity professionals
through public or private Metrics of effectiveness
sources, with limited assess the modes and
evidence of take-up. procedures of training.
Training uptake by IT Metrics evaluating take-up There is an established The uptake of cybersecurity Cybersecurity professionals
personnel designated to of ad-hoc training courses, cadre of certified employees training is used to inform not only fulfil national
respond to cybersecurity seminars, online resources, trained in cybersecurity future training programmes. requirements, but domestic
incidents is limited or non- and certification offerings issues, processes, planning professionals are consulted
existent. exist, but are limited in and analytics. Coordination of training internationally to share
scope. across all sectors ensures lessons learnt and good
Uptake Knowledge transfer from the national demand for practice.
There is no knowledge employees trained in professionals is met.
transfer from employees cybersecurity to untrained
trained in cybersecurity to employees is ad hoc.
untrained employees.

D 3.3: Framework for Professional Training
Aspect Start-Up Formative Established Strategic Dynamic
Job creation initiatives for
cybersecurity within
organisations are
established and encourage
employers to train staff to
become cybersecurity

Dimension 4: Legal and Regulatory Frameworks
This dimension examines the government’s capacity to design and enact national legislation directly
and indirectly relating to cybersecurity, with a particular emphasis placed on the topics of ICT security,
privacy and data protection issues, and other cybercrime-related issues. The capacity to enforce such
laws is examined through law enforcement, prosecution, and court capacities. Moreover, this
dimension observes issues such as formal and informal cooperation frameworks to combat cybercrime.

D 4.1: Legal Frameworks

This factor addresses various legislation and regulation frameworks related to cybersecurity, including:
ICT security legislative frameworks, privacy, freedom of speech, and other human rights online, data
protection, child protection, consumer protection, intellectually property, substantive and procedural
cybercrime legislation.
 Legislative Frameworks for ICT Security: This aspect addresses the existence and
implementation of comprehensive ICT security legislative and regulatory frameworks.
 Privacy, Freedom of Speech & Other Human Rights Online: This aspect examines to what
extent domestic legislation ensures that human rights are protected online, including privacy,
freedom of speech, freedom of information, and freedom of assembly and association.
 Data Protection Legislation: This aspect examines the existence and implementation of
comprehensive data protection legislation.
 Child Protection Online: This aspect focuses on the legislative protection of children online,
including the protection of their rights online and the criminalisation of child abuse online.
 Consumer Protection Legislation: This aspect addresses the existence and implementation of
legislation protecting consumers online from fraud and other forms of business malpractice.
 Intellectual Property Legislation: This aspect is concerned with the existence and
implementation of online intellectual property legislation.
 Substantive Cybercrime Legislation: This aspect explores if existing legislation criminalises a
variety of cybercrimes in specific legislation or general criminal law.
 Procedural Cybercrime Legislation: This aspect examines whether comprehensive criminal
procedural law with procedural powers for the investigation of cybercrime and evidentiary
requirements to deter, respond to and prosecute cybercrime and crimes involving electronic
evidence is implemented.

D 4.2: Criminal Justice System

This factor studies the capacity of law enforcement to investigate cybercrime, and the prosecution’s
capacity to present cybercrime and electronic evidence cases. Finally, this factor addresses the court
capacity to preside over cybercrime cases and those involving electronic evidence.
 Law Enforcement: This aspect examines whether law enforcement have received training on
investigating and managing cybercrime cases and cases involving electronic evidence, and
have sufficient human, procedural and technological resources.
 Prosecution: This aspect examines whether prosecutors have received training on handling
cybercrime cases and cases involving electronic evidence, and whether there are sufficient
human, procedural and technological resources.
 Courts: This aspect examines whether courts have sufficient resources and training to ensure
effective and efficient prosecution of cybercrime cases and cases involving electronic evidence.

D 4.3: Formal and Informal Cooperation Frameworks to Combat Cybercrime
This factor addresses the existence and functioning of formal and informal mechanisms that enable
cooperation between domestic actors and across borders to deter and combat cybercrime.
 Formal Cooperation: This aspect examines the existence and effectivity of formal cooperation
mechanisms to combat cybercrime, both between state actors and across borders, including
mutual legal assistance and extradition procedures.
 Informal Cooperation: This aspect examines the existence and effectivity of informal
cooperation mechanisms to combat cybercrime, both domestically and across borders, as well
as within the public sector and between public and private sectors.

D 4.1: Legal Frameworks
Aspect Start-Up Formative Established Strategic Dynamic
Legislation relating to ICT Experienced stakeholders Comprehensive ICT The country reviews existing Mechanisms are in place for
security does not yet exist. from all sectors may have legislative and regulatory legal and regulatory continuously harmonising
been consulted to support frameworks addressing mechanisms for ICT security, ICT legal frameworks with
Efforts to draw attention to the establishment of a legal cybersecurity have been identifies where gaps and national cybersecurity-
the need to create a legal and regulatory framework. adopted. overlaps exist, and amends related ICT policies,
framework on cybersecurity laws accordingly or enacts international law, standards
have been made and may Key priorities for creating Laws address the protection new laws. and good practices.
have resulted in a gap cybersecurity legal of critical information
Legislative Framework analysis. frameworks have been infrastructure, e- Monitoring of enforcement Participation in the
for ICT Security identified through multi- transactions, liability of of legislative frameworks development of regional or
stakeholder consultation, Internet Service Providers informs resource allocation international cybersecurity
potentially resulting in draft and, potentially, cyber and legal reform. cooperation agreements
legislation, but legislation incident reporting and treaties is a priority.
has not yet been adopted. obligations.
Efforts are in place to
exceed minimal baselines
specified in these treaties
where appropriate.
Domestic law does not Domestic legislation Domestic law recognises International and regional In order to meet dynamic
recognise fundamental partially recognises privacy, fundamental human rights trends and good practices changes in the application of
human rights in relation to freedom of information, on the Internet, including inform the assessment and technology to human rights,
cybercrime. freedom of assembly and privacy online, freedom of amendment of domestic procedures are in place to
association, and freedom of speech, freedom of legal frameworks protecting amend and update legal
Discussions of privacy issues expression online. information, and freedom of human rights online and frameworks as needed.
online may have begun and assembly and association. associated resource
include multiple Stakeholders from all key planning. Access to the Internet is
Privacy, Freedom of stakeholders, but no privacy sectors have been consulted Domestic law specifies recognised and enshrined as
Speech & Other legislation or standards are for the development of safeguards to protect the Research is conducted and a human right.
Human Rights Online in place. legislation addressing individual’s right to privacy measures are in place to
human rights online. during the collection, use exceed minimal baselines The state is an active
and disclosure of personal specified in international contributor in the global
information in investigations agreements. discourse on human rights
involving electronic on the Internet.
Domestic actors, policies
All relevant actors from and practices actively shape
private sector and civil positive international

D 4.1: Legal Frameworks
Aspect Start-Up Formative Established Strategic Dynamic
society are involved in discussions of privacy
shaping laws and online.
regulations on privacy,
freedom of speech, and
other human rights online.

The country has ratified or

acceded to international

Data protection legislation is Data protection legislation is Comprehensive data Legal mechanisms are in In order to meet dynamic
not yet under development. under development. protection legislation has place that enable strategic changes in the technological
been adopted and enforced, decision making that environment, procedures
Public discourse on data Stakeholders from all key which includes conditions determines the timeframe are in place to amend and
protection issues may have sectors have been consulted for the collection of in which personal data is no update legal frameworks as
begun and includes multiple to support the development personal data and longer required as evidence needed.
stakeholders. of legislation. protection from misuse. for investigation and must
be deleted.
Data Protection
Legislation International and regional
trends and good practices
inform the assessment and
amendment of data
protection laws and
associated resource

Legislation protecting Legislative provisions Comprehensive legislation The country continuously In order to meet dynamic
children online is not yet protecting children online on the protection of seeks to improve national changes in the technological
under development. are under development. children online has been child protection online environment, procedures
adopted and enforced, and legislation to comply with are in place to amend and
Child Protection
Public discourse on child Stakeholders from all key ensures that data protection regional and international update legal frameworks as
Online protection online may have sectors have been consulted and privacy rules for legal law and standards. needed.
begun and includes multiple to support the development minors apply to the online
stakeholders. of legislation. environment.

D 4.1: Legal Frameworks
Aspect Start-Up Formative Established Strategic Dynamic
Legislation protecting Legislation protecting Comprehensive legislation The country continuously In order to meet dynamic
consumers against online consumers online is under protecting consumers from seeks to improve national changes in the application of
fraud and other forms of development. business malpractice online consumer protection technology to consumer
cybercrime is not yet under has been adopted and is legislation to address protection, procedures are
Consumer Protection development. Stakeholders from all key enforced. national needs and comply in place to amend and
Legislation sectors have been consulted with regional and update legal frameworks as
to support the development A lead agency responsible international consumer needed.
of legislation. for the protection of protection standards.
consumers online has been
Intellectual property of Legislation on intellectual Comprehensive legislation Legislation on intellectual Decisions to update
online products and services property online is under addressing intellectual property online is regularly legislation are based on the
might be discussed among development, through property of online products reviewed and amended balance between
multiple stakeholders, but consultation with key and services has been accordingly to reflect intellectual property and
no specific legal provisions stakeholders. adopted and is enforced. changes in national open access policies,
Intellectual Property are in place. priorities and the through multi-stakeholder
Legislation international ICT landscape. discussion.
If general law on intellectual
property exists, it is not Legislative amendments are
applicable to online informed by multi-
products and services yet. stakeholder consultations
and public discourse.
Specific substantive criminal Partial legislation exists that Substantive cybercrime legal Measures are in place to The country is an active
law on cybercrime does not addresses some aspects of provisions are contained in exceed minimal baselines contributor in the global
exist or general criminal law cybercrime or cybercrime specific legislation or a specified in international discourse on developing and
exists, but its application to legal provisions are under general criminal law. treaties where appropriate, improving international
cybercrime is unclear development. which includes procedures cybercrime treaties.
The country has ratified to amend substantive legal
Substantive Specific substantive criminal regional or international frameworks as needed. Laws, where needed, are
Cybercrime Legislation provisions on cybercrime instruments on cybercrime amended to reflect changes
might be discussed among and consistently seeks to in the international ICT
lawmakers, but the implement these measures environment.
development of the into domestic law.
provisions has not yet

D 4.1: Legal Frameworks
Aspect Start-Up Formative Established Strategic Dynamic
Specific procedural criminal Development of specific Comprehensive criminal In the case of cross-border The country is an active
law for cybercrime does not procedural cybercrime procedural law containing investigation, procedural contributor in the global
exist and general criminal legislation or amendment of provisions on the law stipulates what actions discourse on developing and
procedural law is not general procedural criminal investigation of cybercrime need to be conducted under improving international
applicable to cybercrime law to adapt to cybercrime and evidentiary particular case cybercrime treaties.
investigations, prosecutions, cases has begun. requirements has been characteristics, in order to
and electronic evidence. adopted and is enforced. successfully investigate Procedural law, where
Procedural Cybercrime The state has ratified cybercrime. needed, is amended to
Legislation Procedural criminal regional or international adapt to the changing
legislation for cybercrime instruments on cybercrime Measures are in place to cybercrime landscape and
might be discussed among and consistently seeks to exceed minimal baselines emerging investigative
lawmakers, but implement these measures specified in international challenges.
development of the into domestic law. treaties where appropriate,
legislation has not yet which includes procedures
begun. to amend procedural legal
frameworks as needed.

D 4.2: Criminal Justice System
Aspect Start-Up Formative Established Strategic Dynamic
Law enforcement does not Traditional investigative A comprehensive Resources dedicated to fully All law enforcement officers
have sufficient capacity to measures are applied to institutional capacity with operational cybercrime units receive specialised and
prevent and combat cybercrime investigations, sufficient human, have been allocated based continuous training based
cybercrime and does not with limited digital forensics procedural and on strategic decision on relative responsibilities
receive specialised training capacity. technological resources to making. and new, evolving threat
on cybercrime investigate cybercrime cases landscapes.
investigations. If law enforcement officers has been established. Advanced investigative
receive training on capabilities allow the Law enforcement can utilise
cybercrime and digital Digital chain of custody and investigation of complex sophisticated digital forensic
evidence, it is ad-hoc and evidence integrity is cybercrime cases, supported tools, and these
not specialised. established including formal by regular testing and technologies are
Law Enforcement processes, roles and training of investigators. consistently updated.
Law enforcement agencies The institutional capacity of
Standards for the training of have the resources to law enforcement is
law enforcement officers on maintain the integrity of frequently reviewed and
cybercrime exist and are data to meet international revised based on an
implemented. evidential standards in assessment of effectiveness.
cross-border investigation.

Statistics and trends on

cybercrime investigations
are collected and analysed.
Prosecutors do not receive A limited number of A comprehensive Institutional structures are There is national capacity to
adequate training and specialised cybercrime institutional capacity, in place, with a clear prosecute complex domestic
resources to review prosecutors have the including sufficient human, distribution of tasks and and cross-border cybercrime
electronic evidence or capacity to build a case training and technological obligations within the cases. A dedicated
prosecute cybercrime. based on electronic resources, to prosecute prosecution services at all cybercrime prosecution unit
evidence, but this capacity is cybercrime cases and cases levels of the state. might have been
There are no specialised largely ad-hoc and un- involving electronic established.
Prosecution cybercrime prosecutors, but institutionalised. evidence is established. Statistics and trends on
consultation may have cybercrime prosecutions are All prosecutors receive
begun to consider this If prosecutors receive constantly collected and specialised and continuous
capacity within the criminal training on cybercrime and analysed. training based on relative
justice community. digital evidence, it is ad-hoc responsibilities and new,
and not specialised. A mechanism exists that evolving threat landscapes.
enables the exchange of
information and good

D 4.2: Criminal Justice System
Aspect Start-Up Formative Established Strategic Dynamic
practices between
prosecutors and judges to
ensure efficient and
effective prosecution of
cybercrime cases.
A separate court structure A limited number of judges Sufficient human and The court system has Judges receive specialised
or specialized judges for have the capacity to preside technological resources are organised itself to ensure a and continuous training
cybercrime cases and cases over a cybercrime case, but available to ensure effective central management of based on relative
involving electronic this capacity is largely ad- and efficient legal cybercrime cases, with clear responsibilities and new,
evidence do not exist. hoc and not systematic. proceedings regarding distribution of tasks and evolving threat landscapes.
cybercrime cases, and cases obligations within the court
Courts Consultation may have If judges receive training on involving electronic system at all levels of the The institutional capacity of
begun to consider this cybercrime and digital evidence. state. the court system is
capacity in the judicial evidence, it is ad-hoc and frequently reviewed and
community. not specialised. Judges receive specialised Statistics and trends on revised based on an
training on cybercrime and cybercrime convictions are assessment of effectiveness.
electronic evidence. collected and analysed.

D 4.3: Formal and Informal Cooperation Frameworks to Combat Cybercrime
Aspect Start-Up Formative Established Strategic Dynamic
No or minimal forms of Formal mechanisms of Formal mechanisms of Formal international Formal international
international cooperation international cooperation international cooperation cooperation mechanisms cooperation mechanisms
exist to prevent and combat have been established, but have been established in are fully functional, with are regularly reviewed to
cybercrime. the application to order to prevent and established communication determine effectiveness,
cybercrime is ad-hoc or only combat cybercrime by channels. and are revised accordingly
There is no formal possible in some cases. facilitating their detection, to reflect the changing
mechanism that promotes investigation, and Strategic decisions are made cybercrime landscape.
the exchange of information Exchange of information on prosecution. to expand and enhance
between domestic public cybercrime between formal cooperation Formal and informal
and private sectors on domestic public and private Mutual legal assistance and mechanisms on cybercrime international cooperation
cybercrime and cooperation sectors is ad-hoc and extradition agreements and as needed. mechanisms complement
Formal Cooperation is limited. unregulated. mechanisms have been each other and are
established and are applied Resources are allocated to interoperable.
to cybercrime cases. support the exchange of
information between public Formal mechanisms that
Legislative requirements for and private sectors enable the exchange of
the exchange of information domestically and enhance information between
between domestic public legislative requirements and domestic public and private
and private sectors have communication sectors are adapted in
been determined. mechanisms. accordance with identified
needs and changing threat
There is minimal interaction Exchange of information Informal relationships A strategic relationship Government and criminal
between government and between government and between government and between government justice actors exchange
criminal justice actors. criminal justice actors is criminal justice actors have actors, prosecutors, judges information timely and
limited and ad-hoc. been established, resulting and law enforcement efficiently, and cooperation
Cooperation between in the regular exchange of agencies has been is adapted to the changing
Internet Service Providers Ad-hoc cooperation information on cybercrime established relating to cybercrime environment
and law enforcement has between Internet Service issues. cybercrime. and associated
not been established. Providers and law requirements.
Informal Cooperation enforcement exists, but is Effective informal Law enforcement
Law enforcement not always effective. cooperation mechanisms cooperates with domestic A routinized relationship
cooperation with foreign between Internet Service and foreign ISPs in between law enforcement
counterparts is not Law enforcement Providers and law combatting cybercrime. and ISPs, domestically and
effective. cooperates with foreign enforcement have been across borders, has been
counterparts on an ad-hoc established, with clear Law enforcement agencies established and is adaptable
basis, but is not integrated communication channels. work jointly with foreign to emerging forms of
counterparts, potentially cybercrime.

D 4.3: Formal and Informal Cooperation Frameworks to Combat Cybercrime
Aspect Start-Up Formative Established Strategic Dynamic
in regional and international Domestic law enforcement through joint task forces,
networks. agencies are informally resulting in successful cross- Formal and informal
integrated with regional and border cybercrime international cooperation
international counterparts investigations and mechanisms complement
and networks, such as prosecutions. each other and are
Interpol or 24/7 networks. interoperable.

Dimension 5: Standards, Organisations, and Technologies
This dimension addresses effective and widespread use of cybersecurity technology to protect
individuals, organisations and national infrastructure. The dimension specifically examines the
implementation of cybersecurity standards and good practices, the deployment of processes and
controls, and the development of technologies and products in order to reduce cybersecurity risks.

D 5.1: Adherence to Standards

This factor reviews government’s capacity to design, adapt and implement cybersecurity standards
and good practice, especially those related to procurement procedures and software development.
 ICT Security Standards: This aspect examines whether cybersecurity related standards and
good practices are being adhered to and adopted widely across the public sector and Critical
Infrastructure (CI) organisations.
 Standards in Procurement: This aspect addresses the implementation of standards in
procurement practices.
 Standards in Software Development: This aspect addresses the implementation of standards
in software development.

D 5.2: Internet Infrastructure Resilience

This factor addresses the existence of reliable Internet services and infrastructure in the country as well
as rigorous security processes across private and public sectors. Also, this aspect reviews the control
that the government might have on its Internet infrastructure and the extent to which networks and
systems are outsourced.
 Internet Infrastructure Resilience: (as above)

D 5.3: Software Quality

This factor examines the quality of software deployment and the functional requirements in public and
private sectors. In addition, this factor reviews the existence and improvement of policies on and
processes for software updates and maintenance based on risk assessments and the criticality of
 Software Quality: (as above)

D 5.4: Technical Security Controls

This factor reviews evidence regarding the deployment of technical security controls by users, public
and private sectors and whether the technical cybersecurity control set is based on established
cybersecurity frameworks.
 Technical Security Controls: (as above)

D 5.5: Cryptographic Controls

This factor reviews the deployment of cryptographic techniques in all sectors and users for protection
of data at rest or in transit, and the extent to which these cryptographic controls meet international
standards and guidelines and are kept up-to-date.
 Cryptographic Controls: (as above)

D 5.6: Cybersecurity Marketplace

This factor addresses the availability and development of competitive cybersecurity technologies and
insurance products.

 Cybersecurity Technologies: This aspect examines whether a national market for
cybersecurity technologies is in place and supported, and informed by national need.
 Cyber Insurance: This aspect explores the existence of a market for cyber insurance, its
coverage and products suitable for various organisations.

D 5.7: Responsible Disclosure

This factor explores the establishment of a responsible disclosure framework for the receipt and
dissemination of vulnerability information across sectors and if there is sufficient capacity to
continuously review and update this framework.
 Responsible Disclosure: (as above)

D 5.1: Adherence to Standards
Aspect Start-Up Formative Established Strategic Dynamic
No standards or good Information risk Nationally agreed baseline Government and The choice of adopted
practices have been management standards of cybersecurity related organisations promote standards and good
identified for use in securing have been identified for use standards and good adoption of standards and practices and their
data, technology or and there have been some practices has been good practises according to implementation is
infrastructure, by the public initial signs of promotion identified, and adopted assessment of national risks continuously improved.
and private sectors. and take-up within public widely across public and and budgetary choices.
and private sectors. private sectors. Adoption of standards and
Or, initial identification of There is evidence of debate non-compliance decisions
some appropriate standards There is some evidence of Some body within between government and are made in response to
and good practices has been measurable implementation government exists to assess other stakeholders as to changing threat
ICT Security Standards made by the public and and adoption of level of adoption across how national and environments and resource
private sectors, possibly international standards and public and private sectors. organisational resource drivers across sectors and CI
some ad hoc good practices. Government schemes exist decisions should align and through collaborative risk
implementation, but no to promote continued drive standard adoption. management.
concerted endeavour to enhancements, and metrics
implement or change are being applied to monitor Evidence of contribution to Evidence exists of debate
existing practice in a compliance. international standards’ within all sectors on
measurable way. bodies exists and compliance to standards
Consideration is being given contributes to thought and good practices, based
to how standards and good leadership and sharing of on continuous needs
practices can be used to experience by organisations. assessments.
address risk within supply
chains within the CI, by both
government and CI.
No standards or good Cybersecurity standards and Procurement practices meet Cybersecurity standards and Organisations have the
practices have been good practices guiding international IT guidelines, good practices in guiding ability to monitor use of
identified for use in guiding procurement processes standards and good procurement processes are standards and good
procurement processes by have been identified for use. practices. being adhered to widely practices in procurement
the public and private within public and private processes and support
Standards in sector. If they are Evidence of promotion and Adoption and compliance of sectors. deviations and non-
Procurement recognised, implementation adoption of cybersecurity standards in procurement compliance decisions in
is ad hoc and standards and good practices within the public Critical aspects of real-time through risk-based
uncoordinated. practices in defining and private sectors, is procurement and supply, decision making and quality
procurement practices evidenced through such as prices and costs, assurance.
exists within public sectors measurement and quality, timescales and
and private sectors. assessments of process other value adding activities
effectiveness. are continuously improved,
and procurement process

D 5.1: Adherence to Standards
Aspect Start-Up Formative Established Strategic Dynamic
improvements are made in
the context of wider
resource planning.

Organisations are able to

benchmark the skills of their
procurement professionals
against the competencies
outlined in procurement
standards and identify any
skills and capability gaps.

Internal stakeholders have

been trained in the secure
use of E-sourcing or E-
tendering systems and
purchase-to-pay systems
(P2P) in order to implement
these tools in performing
key tasks in procurement
and supply.
No standards or good Core activities and Government has an Security considerations are Software development
practices for software methodologies for software established programme for incorporated in all stages of projects continuously assess
development have been development processes promoting and monitoring software development. the value of standards and
identified for use relating to focused on integrity and standard adoption in reduce or enhance levels of
integrity and resilience in resilience are being software development – Core development activities, compliance according to
public and private sectors. discussed within both for public and including configuration and risk-based decisions.
Standards in Software professional communities. commercial systems. documentation
Or, there is some management, security Procurement of software
identification, but only Government promotes Evidence of public and development and lifecycle includes on-going
limited evidence of take-up. relevant standards in private sector organisations planning have been assessments of the value of
software development, but adopting standards in their adopted. standards in delivering
there is no widespread use software development software quality –
of these standards yet. processes. Procurement of software throughout the lifetime of
Some organisations supply developed according to the contract (as opposed to
or seek to adopt standards Evidence that high integrity required standards is simply initially at
in code development. systems and software considered based on an procurement stage).
development techniques

D 5.1: Adherence to Standards
Aspect Start-Up Formative Established Strategic Dynamic
are present within the assessment of risk in Requirements are built into
educational and training investment decisions. contracts with suppliers.
offerings in the country.

D 5.2: Internet Infrastructure Resilience

Aspect Start-Up Formative Established Strategic Dynamic
Affordable and reliable Limited Internet services Reliable Internet services Regular assessment of Acquisition of infrastructure
Internet services and and infrastructure are and infrastructure have processes according to technologies is effectively
infrastructure in the country available, but may not be been established. international standards and controlled, with flexibility
may have not yet been reliable. guidelines are conducted incorporated according to
established; if they have Internet is used for e- together with assessment of changing market dynamics.
been, adoption rates of Resilience of Internet commerce and electronic national information
those services are a infrastructure in public and business transactions; infrastructure security and Costs for infrastructure
concern. private sectors has been authentication processes critical services that drive technologies are continually
discussed by multiple are established. investment in new assessed and optimised.
Internet Infrastructure There is little or no national stakeholders, but has not technologies. There is effectively
Resilience control of network been fully addressed. Technology and processes controlled acquisition of
infrastructure; networks deployed for Internet critical technologies with
and systems are There may be regional infrastructure meet managed strategic planning
outsourced, with potential support to secure Internet international IT guidelines, and service continuity
adoption from unreliable infrastructure in the standards, and good processes in place.
third-party markets. country. practices.
Scientific, technical,
National infrastructure is industrial and human
formally managed, with capabilities are being
documented processes, systematically maintained,
roles and responsibilities, enhanced and perpetuated
and limited redundancy. in order to maintain the
country’s independent

D 5.3: Software Quality
Aspect Start-Up Formative Established Strategic Dynamic
Quality and performance of Software quality and Software quality and Quality of software used in Software applications of
software used in the functional requirements in functional requirements in public and private sectors is high level performance,
country is a concern, but public and private sectors public and private sectors monitored and assessed. reliability and usability are
functional requirements are are recognised and are recognised and available, with service
not yet fully monitored. identified, but not established. Policies and processes on continuity processes fully
necessarily in a strategic software updates and automated.
A catalogue of secure manner. Reliable software maintenance are being
software platforms and applications that adhere to improved based on risk Requirements of software
applications within the A catalogue for secure international standards and assessments and the quality are being
public and private sectors software platforms and good practices are being criticality of services. systematically reviewed,
does not exist. applications within the used widely in the public updated, and adapted to
public and private sectors is and private sectors. Benefits to businesses from the changing cybersecurity
Software Quality Policies and processes under development. additional investment in environment.
regarding updates of Policies on and processes ensuring software quality
software applications have Policies and processes on for software updates are and maintenance are
not yet been formulated. software updates and established. measured and assessed.
maintenance are now under
development. Software applications are Software defects are
characterised as to their manageable in a timely
Evidence of software quality reliability, usability and manner and service
deficiencies is being performance in adherence continuity is ensured.
gathered and assessed to international standards
regarding its impact on and good practices.
usability and performance.

D 5.4: Technical Security Controls
Aspect Start-Up Formative Established Strategic Dynamic
There is minimal or no Technical security controls Up-to-date technical Penetration of technical All sectors have the capacity
understanding or are deployed by users, security controls, including security controls leads to to continuously assess the
deployment of the technical public and private sectors, patching and backups, are effective upstream security controls deployed
security controls offered in but inconsistently. deployed in all sectors. protection of users and for their effectiveness and
the market, by users, public public/private sectors. suitability according to their
and private sectors. The deployment of up-to- Users have an changing needs.
date technical security understanding of the Within the public and
Internet Service Providers controls is promoted in an importance of anti-malware private sectors, technical The understanding of the
(ISPs) may not offer any ad-hoc manner and all software and network security controls are being technical security controls
upstream controls to their sectors are being firewalls across devices. kept up-to-date, monitored being deployed extends to
customers. incentivised to their use. for effectiveness and its impact on organisational
Physical security controls reviewed on a regular basis. operations and budget
ISPs may be offering anti- are employed to prevent allocation.
malware software as part of unauthorized personnel The public and private
Technical Security
their services but possibly in from entering computing sector have the capacity to ISPs supplement technical
Controls an ad-hoc manner. ISPs facilities. critically assess and upgrade security controls with multi
recognise the need to cybersecurity controls factor authentication, digital
establish policies for ISPs establish policies for according to their certificates and whitelisting
technical security control technical security control appropriateness and to ensure prevention of
deployment as part of their deployment as part of their suitability for use. access of non-trusted sites
services. services. or web addresses and
maintain a safe Internet
Network Introduction The technical cybersecurity environment.
Detection Systems (NIDS) control set is based on
and Host Intrusion established cybersecurity
Detection Systems (HIDS) frameworks, such as the
are deployed but not SANS top 20 cybersecurity
necessarily in a consistent controls, the CESG 10 steps
manner. to cybersecurity, or PAS 55.

D 5.5: Cryptographic Controls
Aspect Start-Up Formative Established Strategic Dynamic
Cryptographic techniques Cryptographic controls for Cryptographic techniques The public and private The relevance of
(e.g. encryption and digital protecting data at rest and are available for all sectors sectors critically assess the cryptographic controls
signatures) for protection of in transit are recognised and and users for protection of deployment of deployed for securing data
data at rest and data in deployed ad-hoc by multiple data at rest or in transit. cryptographic controls, at rest and data in transit is
transit may be a concern stakeholders and within according to their objectives continuously assessed
but are not yet deployed various sectors. There is a broad and priorities. through risk assessments.
within the government, understanding of secure
private sector or the general State of the art tools, such communication services, The public and private The public and private
public. as SSL or TLS, are deployed such as encrypted/signed sectors have developed sector adapt encryption and
ad-hoc by web service email. encryption and cryptographic control
providers to secure all cryptographic control policies based on the
Cryptographic communications between The cryptographic controls policies based on the evolution of technological
Controls servers and web browsers. deployed meet international previous assessment, and advancement and changing
standards and guidelines regularly review the policies threat environment.
accordingly for each sector for effectiveness.
and are kept up-to-date.

State of the art tools, such

as SSL or TLS, are deployed
routinely by web service
providers to secure all
communications between
servers and web browsers.

D 5.6: Cybersecurity Marketplace
Aspect Start-Up Formative Established Strategic Dynamic
Few or no cybersecurity The domestic market may Cybersecurity products are Cybersecurity technology Security functions in
technologies are produced provide non-specialised now being produced by development abides by software and computer
domestically; but cybersecurity products, but domestic providers in secure coding guidelines, system configurations are
international offerings may these are not market- accordance with market good practices and adhere automated in the
be available. driven. needs. to internationally accepted development and
standards. deployment of technologies.
Cybersecurity is considered National dependence on
Cybersecurity in software and foreign cybersecurity Risk assessments and Domestic cybersecurity
Technologies infrastructure development. technologies is increasingly market incentives inform products are exported to
mitigated through enhanced the prioritisation of product other nations and are
domestic capacity. development to mitigate considered superior
identified risks. products.

The need for a cyber The need for a market in A market for cyber Cyber insurance specifies a The cyber insurance market
insurance market may have cyber insurance has been insurance is established and variety of coverages to is innovative and adapts to
been identified, but no identified through the encourages information mitigate consequential emerging risks, standards
products and services are assessment of financial risks sharing among participants losses. These coverages are and practices, while
available. for public and private of the market. selected based on strategic addressing the full scope of
sectors, and development of planning needs and cyber harm.
products is now being First-party insurance identified risk.
discussed. typically covers damage to Insurance premiums are
digital assets, business Products suitable for SMEs offered for consistent cyber-
Cyber Insurance interruptions and, are also on offer. secure behaviour.
potentially, reputational

Third-party insurance covers

liability and the costs of
forensic investigations,
customer notification, credit
monitoring, public relations,
legal defence,
compensation and
regulatory fines.

D 5.7: Responsible Disclosure
Aspect Start-Up Formative Established Strategic Dynamic
The need for a responsible Technical details of A vulnerability disclosure Responsible disclosure Responsible disclosure
disclosure policy in public vulnerabilities are shared framework is in place, which processes for all involved policies are continuously
and private sector informally with other includes a disclosure stakeholders (product reviewed and updated
organisations is not yet stakeholders who can deadline, scheduled vendors, customers, security based on the needs of all
acknowledged. distribute the information resolution, and an vendors and public) are set. affected stakeholders.
more broadly. acknowledgement report.
An analysis of the technical Responsible disclosure
Software and service Organisations have details of vulnerabilities is frameworks are shared
providers are able to established processes to published and advisory internationally, so that best
Responsible Disclosure address bug and receive and disseminate information is disseminated practice in this area can be
vulnerability reports. vulnerability information. according to individual roles created.
and responsibilities.
Software and service All affected products and
providers commit to refrain The large majority of services are routinely
from legal action against a products and services are updated within deadline.
party disclosing information updated within
responsibly. predetermined deadlines. Processes are in place to
review and reduce


We would like to acknowledge the contributions of the academic chairs of each dimension, as well as
the various working group members that brought their expertise into the development of the CMM.

Professor Sadie Creese (University of Oxford)

Research Team
Dr Maria Bada

Eva Ignatuschtschenko

Lilly Pijnenburg Muller

Taylor Roberts

Technical Board
Professor Ivan Arreguín-Toft (Boston University)
Professor Ian Brown (University of Oxford)
Professor Paul Cornish (Global Cyber Security Capacity Centre, University of Oxford)
Professor William Dutton (Michigan State University)
Professor Michael Goldsmith (University of Oxford)
Lara Pace (University of Oxford)
Professor David Upton (University of Oxford)
Professor Basie Von Solms (University of Johannesburg)

Expert Panel
Professor Gary Blair; Dr Grant Blank; Professor Roger Bradbury; Dr David Bray; Mr Bruno Brunskill;
Mr Georgios Chatzichristos; Mr Belisario Contreras; Mr Luc Dandurand; Professor Chris Demchak; Dr
Tobias Feakin; Mr Andrew Fitzmaurice; Dr Marco Gercke; Professor Chris Hankin; Mr Robert Hayes;
Mr Paul Hopkins; Mr Peter Kahiigi; Ms Gail Kent; Professor Douwe Korff; Ms Vashti Maharaj; Mr
Steven Malby; Mr John Mallery; Dr Aaron Martin; Mr Alan Mears; Professor Chris Mitchell; Professor
Joseph Nye; Professor Sir David Omand; Dr Wolter Pieters; Mr Steve Purser; Dr Tristram Riley-Smith;
Ms Sandra Sargent; Professor Angela Sasse; Mr Mike Steinmetz; Mr Graeme Stewart; Ms Heli
Tiimaa-Klaar; Professor Ian Walden; Mr Alex Ward; Mr Graham Wright

The Global Cyber Security Capacity Centre
Oxford Martin School, University of Oxford,
Old Indian Institute, 34 Broad Street, Oxford
OX1 3BD, United Kingdom

Tel: +44 (0)1865 287430 • Fax: +44 (0) 1865 287435

Email: cybercapacity@oxfordmartin.ox.ac.uk
Web: www.oxfordmartin.ox.ac.uk