A presentation to the 2019 meeting of the Global Forum on Cyber Expertise (GFCE) in Addis Ababa, October 2019, entitled 'The Shaping and Impacts of Cyber Security Capacity'. The slides are updated since the conference to reflect revised multivariate path analyses.

1. The Shaping and Impacts of
Cyber Security Capacity
October 2017
Prof William Dutton and Dr Patricia Esteve-Gonzalez –
Oxford Martin Fellows, GCSCC, University of Oxford
Dr Ruth Shillair – Assistant Professor, Quello Centre,
Michigan State University & GCSCC Research Associate
Department of Computer Science, University of Oxford
15 Parks Road, Oxford, OX1 3QD, UK
cybercapacity@cs.ox.ac.uk
www.oxfordmartin.ox.ac.uk/cybersecurity
Revision of presentation at
Addis Ababa, October, 2019

2. Introduction

3. Cybersecurity and Capacity Building
Cybersecurity capacity is the ability to employ the
collection of tools, policies, security concepts, security
safeguards, guidelines, risk management approaches,
actions, training, best practices, assurance and
technologies that can be used to protect the cyber
environment and organization and user’s assets.
Adapted from (ITU (Recommendation ITU–T X.1205), 2008)

4. Previous Funders
Oxford’s GCSCC:
Funding Partners
GCSCC Regional Partner

5. Strategic & Implementation Partners
Ministry of Foreign Affairs Netherlands
Ministry of Foreign Affairs Norway
UK Cabinet Office
Global Forum on Cyber Expertise

6. Early Publications on Shaping of Capacity and
its Implications for Nations
Reviews of each of the nations reviewed by the GCSCC discuss the factors
shaping capacity and its implications. Initial cross-national comparative analyses
are published in:
Creese, S., Shillair, R., Bada, M., Reisdorf, B.C., Roberts, T., and Dutton, W. H.
(2019), ‘The Cybersecurity Capacity of Nations’, pp. 165-179 in Graham, M., and
Dutton, W. H. (eds), Society and the Internet: How Networks of Information and
Communication are Changing our Lives, 2nd Edition. Oxford: Oxford University
Press.
Dutton, W. H., Creese, S., Shillair, R., and Bada, M. (forthcoming), ‘Cyber Security
Capacity: Does it Matter?’, Journal of Information Policy, forthcoming.

7. Key Research Questions of Paper in Progress
1. What is the status of national
cybersecurity capacity building?
2. What factors are shaping capacity
building within nations?
3. What are the implications of capacity
building for nations?

8. Approach and
Methodology

9. Basic Approach to Research on Cybersecurity
Capacity Building
• Cybersecurity
Maturity Model
(CMM)
• 5 Dimensions
Maturity
Model
• Modified Focus
Groups
• Interviews &
Desk Research
Field Research
• Coding of Maturity
Across Dimensions
• Cross-national
Comparative Analysis
Maturity

10. Data from CMM assessments
The core output of the GCSCC is the Cybersecurity Capacity Maturity
Model for Nations (CMM) – a model suitable for self-assessment of
current capacity, spanning multiple dimensions, multi-stakeholder
consultation process, creating a comprehensive benchmark of current
position and how to increase maturity.

11. The 5 DIMENSIONS
of Cybersecurity
Capacity
D 5
Standards
Organisations,
and
Technologies
D 3
Cybersecurity
Education,
Training and
Skills
D 1
Cybersecurity
Policy
and Strategy
D 2
Cyber
Culture
and Society
D 4
Legal and
Regulatory
Frameworks

12. Example: dimension, factors, and aspects

13. Five Stages of Cybersecurity Capacity
Maturity:
Start-up
Formative
Established
Strategic
Dynamic

14. Five Stages of Cybersecurity Capacity
Maturity:
Start-up
Formative
Established
Strategic
Dynamic
1. Start-up: at this stage either no cybersecurity
maturity exists, or it is very embryonic in
nature. There might be initial discussions about
cybersecurity capacity building, but no
concrete actions have been taken. There is an
absence of observable evidence of
cybersecurity capacity at this stage.

15. Five Stages of Cybersecurity Capacity
Maturity:
Start-up
Formative
Established
Strategic
Dynamic
2. Formative: some aspects have begun to grow
and be formulated, but may be ad-hoc,
disorganised, poorly defined – or simply new
However, evidence of this aspect can be clearly
demonstrated.

16. Five Stages of Cybersecurity Capacity
Maturity:
Start-up
Formative
Established
Strategic
Dynamic 3. Established: indicators of the aspect are in
place, and functioning. However, there is not
well-thought-out consideration of the relative
allocation of resources. Little trade-off
decision-making has been made concerning
the relative investment in this aspect. But the
aspect is functional and defined.

17. Data from CMM assessments
Cluster by region Cluster by CMM year Cluster by income
Region Obs. Year Obs. Income (WB) Obs.
Africa 10 2015 8 Low and Lower-Medium 22
America 31 2016 35 Low: 6
Asia 6 OAS: 31 Lower-Medium: 16
Eastern Europe 5 Non-OAS: 4 Upper-Medium 30
Europe 4 2017 5 High 10
South Caucasus 2 2018 10
Oceania 4 2019 4
Total 62 Total 62 Total 62
• 62 nations where the CMM has been implemented (2015 - 2019).

18. Collection of data
This study considers granulated data at the aspect level from the field
sessions with stakeholders (GCSCC and strategic & implementation
partners) in 31 countries.
• In-country focus group discussions with key stakeholders.
• 10 sessions over 3 days.
• This data is different from the CMM reports.
In addition, this study considers data at the aspect level for 31 countries
from IDB and OAS (2016).
• Collection of data by survey.
Conversion of all country data to the CMM model, 2014.

19. Cyber Security Dimensions Factors
1. Policy and Strategy D1.1 National Cybersecurity Strategy
D1.2 Incident Response
D1.3 Critical Infrastructure Protection
D1.4 Crisis Management
D1.5 Cyber Defence
D1.6 Digital Redundancy
2. Culture and Society D2.1 Cybersecurity Mind-Set
D2.2 Cybersecurity Awareness
D2.3 Confidence and Trust on the Internet
D2.4 Privacy Online
3. Education, Training, and Skills D3.1 National Availability of Cyber Education and Training
D3.2 National Development of Cybersecurity Education
D3.3 Corporate Training and Educational Initiatives within
Companies
D3.4 Corporate Governance, Knowledge and Standards
4. Legal and Regulatory Frameworks D4.1 Legal Frameworks
D4.2 Legal Investigation (Criminal Justice System)
D4.3 Responsible Disclosure
5. Standards, Organisations, and
Technologies
D5.1 Adherence to Standards
D5.2 Internet Infrastructure Resilience
D5.3 Cybersecurity Marketplace

20. Calculation of variables from data at the
aspect level
Our strategy is to summarize the CMM data on 50 aspects through an
overall index on Cybersecurity Capacity (CSC).
• Factors’ average maturity stages were calculated from their
corresponding aspects.
• Dimensions’ average maturity stage were calculated from their
corresponding factors.
• CSC was calculated as the average maturity stage of all dimensions.

21. Cybersecurity Capacity (CSC) related to Five Dimensions of the CMM
(factors)
Dimension CSC D1 D2 D3 D4 D5
CSC Overall Cyber Security Capacity 1.00
D1 Cybersecurity Policy and Strategy .91 1.00
D2 Cyber Culture and Society .95 .82 1.00
D3 Cybersecurity Education, Training, and Skills .89 .75 .83 1.00
D4 Legal and Regulatory Frameworks .91 .76 .87 .77 1.00
D5 Standards, Organisations, and Technologies .91 .84 .81 .77 .76 1.00
Pearson’s correlation coefficients for 62 observations. All correlations have statistical
significance <.001.

22. Cybersecurity Capacity (CSC) related to Other Cybersecurity Indicators
Alternative indicators CSC (N)
Global Cybersecurity Index (ITU) .61 (61)
Networked Readiness Index (WEF) .76 (50)
Secure Servers, logarithm (Netcraft) .79 (61)
Software Spending (Global Innovation Index) .53 (39)
Pearson’s correlation coefficients, number of observations in parentheses.
All correlations have statistical significance <.001.

23. What is the status of
Cybersecurity Capacity Building?

24. Average maturity stage per factor (N=62)

26. What Factors are Shaping the
Cybersecurity Capacity of
Nations?

27. Factors Related to Cybersecurity Capacity (CSC)
(sources)
Pearson’s correlation coefficients for 62 observations. Symbols +, *, **, *** correspond,
respectively, to levels of significance at 0.1, 0.05, 0.01, 0.001.
Category Independent variable CSC
Demographic Total Population .34**
Economic GDP per capita .59***
Infrastructure
Percentage of Users (Centrality of Internet) .60***
Number of Users (Scale of Use) .50***
Political and Administrative
System
Administrative Capacity .60***

28. Correlations Among Independent Variables
Pearson’s correlation coefficients for 62 observations. Symbols +, *, **, *** correspond,
respectively, to levels of significance at 0.1, 0.05, 0.01, 0.001.
1 2 3 4 5
1 Total Population (ln) 1.00
2 GDP per capita (ln) -.29* 1.00
3 Number of Users (ln, scale) .97*** -.07 1.00
4 Percentage of Users (centrality) -.30* .88*** -.06 1.00
5 Administrative Capacity -.21+ .63*** -.07 .65*** 1.00

30. What are the Implications of
Cybersecurity Capacity for
Nations?

31. Outcomes related to Cybersecurity Capacity (CSC)
Outcome Variables CSC (N)
Piracy -.82*** (34)
Encounter Rates -.35* (35)
NRI: Individual Usage
.76*** (50)
NRI: Business Usage
.61*** (50)
NRI: Government Usage
.65*** (50)
Voice & Accountability
.33** (62)
Pearson’s correlation coefficients, number of observations in parentheses.
Symbols +, *, **, *** indicate, correspondingly, levels of significance at 0.1,
0.05, 0.01, 0.001.

32. Path Analysis*
*Using SmartPLS: Ringle, C. M., Wende, S., and Becker, J.-M. 2015. "SmartPLS 3."
Boenningstedt: SmartPLS GmbH, http://www.smartpls.com
Centrality of
Internet Use
Cybersecurity
Capacity
Wealth
End User
Cyber Security
Problems
Scale of
Internet Use
Population

33. *p<.05; **p<.01; ***p<.001
Impact of CSC on Negative Outcomes
(Piracy and Encounter Rates)
End User
Cyber Security
Problems
R2=.821***
Percentage
of Population
Using
Internet
R2= .777**
Cybersecurity
Capacity
R2= .759***
GDP Per
Capita
b= .395***
b= -1.061***
b= .881****
Number of
Internet
Users
R2=.984***
b= -.030***
b=.295***
b=.226***
Total
Population b=1.031***
b=.576***
Administrative
Capacity
R2= .389***
b= .623****
b=.563***
b=.392***
b= .392***

34. Impact of CSC on Positive Outcomes
(Voice and Accountability, and NRI indicators of usage)
Percentage
of Population
Using
Internet
R2= .779**
Cybersecurity
Capacity
R2= .760***
GDP Per
Capita
Indicators of
Usage
R2=.952***
b= .420*
b= .397***
b= .868****
Number of
Internet
Users
R2=.984***
b= .424***
b=.300***
b=.226***
Total
Population b=1.031***
b=-.207***
*p<.05; **p<.01; ***p<.001
Administrative
Capacity
R2= .392***b= .607****
b=.562***
b=.385***

35. Conclusions

36. Conclusions
• Nations in the early phases of capacity building.
• Capacity (CSC) shaped by the scale and centrality of
the Internet along with the wealth and size of
nations and their respective capacity for
administrative change – a Capacity Divide?
• National choices on building CSC have implications
for cybersecurity as well as the vitality of Internet
use by individuals, business and government.
• New Questions: Relevance of cross-national
variations in patterns of capacity building.

37. Next Steps in Progressing the Research
Continue to Refine Indicators
• Cybersecurity Capacity
• Outcomes, e.g., beyond Encounter Rates
Structured Field Coding
• Systematic Coding of Field Research
• Operational Definitions of Maturity

38. THANK YOU!
[EMAIL ADDRESS]
@CapacityCentre
Thank You
https://www.linkedin.com/company/
global-cyber-security-capacity-centre/
www.oxfordmartin.ox.ac.uk/cybersecurity
Department of Computer Science
University of Oxford
15 Parks Road, Oxford, OX1 3QD, UK
Phone: +44(0)1865 287903
cybercapacity@cs.ox.ac.uk