Conceptual Design of a Cybersecurity Resilience Maturity Measurement (CRMM) Framework

DOI: https://doi.org/10.23962/10539/27535

Keywords: cybersecurity, cybersecurity resilience maturity measurement (CRMM), cybersecurity resilience quadrants (CRQs), critical information infrastructure (CII), NIST cybersecurity framework (NIST CSF), cyber risk management, cybersecurity resilience, cybersecurity controls

Abstract

African countries are at high risk with respect to cybersecurity breaches and are experiencing substantial financial losses. Amongst the top cybersecurity frameworks, many focus on guidelines with respect to detection, protection and response, but few offer formal frameworks for measuring actual cybersecurity resilience. This article presents the conceptual design for a cybersecurity resilience maturity measurement (CRMM) framework to be applied in organisations, notably for critical information infrastructure (CII), as part of cyber risk management treatment. The main thrusts of the framework are to establish, through assessment in terms of quantitative measures, which cybersecurity controls exist in an organisation, how effective and efficient these controls are with respect to cybersecurity resilience, and steps that need to be taken to improve resilience maturity. The CRMM framework we outline is conceptualised as being applicable both pre- and post-cyber attack. Drawing on the NIST cybersecurity framework (NIST CSF) and other relevant frameworks, the CRMM approach conceptualised in this article would be able to depict an organisation's cybersecurity practices and gauge the organisation's cybersecurity maturity at regular intervals. This CRMM approach is grounded in the idea that, by quantifying an organisation's current practices against established baseline security controls and global best practices, the resulting status measurement can provide the appropriate basis for managing cyber risk in a consistent and proportionate fashion. The CRMM framework defines four cybersecurity resilience quadrants (CRQs), which depict four different degrees of organisational preparedness, in terms of both risk and resilience.


Published: 27-06-2019

Section: Research Articles

How to Cite

Mbanaso, U.M., Abrahams, L. and Apene, O.Z. (2019) “Conceptual Design of a Cybersecurity Resilience Maturity Measurement (CRMM) Framework”, The African Journal of Information and Communication (AJIC) [Preprint], (23). doi:10.23962/10539/27535.