Cybersecurity Capabilities in a Critical Infrastructure Sector of a Developing Nation

Catota Quintana, Frankie

01 December 2016

When information technology is incorporated into the operations of financial critical infrastructure, it brings with it a range of cyber risks, and mitigating them requires that firms and regulators develop capabilities to foster protection. The sophistication of cyber threats to the financial sector has been growing rapidly. Developed nations have worked hard to improve their knowledge of these threats and establish strategies to respond accordingly. However, in developing nations, both the understanding of the risks posed by cyber threats and the ability to address those risks have been slower to evolve. Developing the needed cybersecurity capabilities in developing countries encounter challenges that need to be identified and addressed. In order to begin to do that, this thesis reports on three studies conducted in the context of Ecuador. The first study identifies and assesses incident experiences, challenges, barriers, and desired actions reported by financial security managers with the objective of identifying strategies to enhance incident response capabilities. The second study begins with the security incidents reported by the Ecuadorian financial stakeholders during the first study and assesses the potential effectiveness of the government policy that is intended to address IT risk in the financial sector. The third study explores the challenges that universities face in order to provide cybersecurity instruction to protect critical infrastructure and explores potential strategies to advance cybersecurity education at the university level. In support of this work we collected data from national practitioners involved in responding to security incidents and in developing cybersecurity skills. Sixty-one in-depth, semi-structured interviews across five cities were conducted (95% in person, the rest by telephone) with respondents who had good knowledge in the subjects. Respondents come mainly from: the financial sector (CISOs, risk and IT managers, security chiefs, security officers, authorities); telecommunications sector, especially ISPs (managers, directors, engineers, authorities); and academia (deans, directors, professors). We transcribed all the interviews, coded them and conducted qualitative text analysis. This research finds that (1) the financial sector is already facing risks driven by outsiders and insiders that lead to fraud and operational errors and failures. The main barriers to improving protection are small team size, network visibility, inadequate internal coordination, technology updating, lack of training, and lack of awareness. The sector has little community support to respond to incidents, and the national legal framework has not supported appropriate prosecution of cyber criminals; (2) the national IT risk management policy has reasonably covered most countermeasures related to reported security incidents. There are however, several areas of gap, one of the most important is network security, which can enable sophisticated malware attacks; (3) today the level of cybersecurity education is mostly elementary in Ecuador. Academic interviewees at only four of the thirteen universities studied expressed confidence that they can provide students with reasonable preparation. Ecuador needs to design a national cybersecurity plan that prioritizes protection for critical infrastructure and should support strategies that allow the country to enhance cybersecurity capabilities. Properly designed these initiatives should allow the nation to develop a core structure to confront current and emergent cyber challenges in the financial sector and other critical national operations, and build the human resources necessary to continue that effort.

capacity building

cybersecurity capabilities

cybersecurity education

cybersecurity policy

developing nations

incident response

Empirical study of the impact of e-government services on cybersecurity development

Onumo, Aristotle, Cullen, Andrea J., Awan, Irfan U.

January 2017

Yes / This study seeks to investigate how the development of e-government services impacts on cybersecurity. The study uses the methods of correlation and multiple regression to analyse two sets of global data, the e-government development index of the 2015 United Nations e-government survey and the 2015 Inter-national Telecommunication Union global cybersecurity develop-ment index (GCI 2015). After analysing the various contextual factors affecting e-government development , the study found that, various composite measures of e-government development are significantly correlated with cybersecurity development. The therefore study contributes to the understanding of the relation-ship between e-government and cybersecurity development. The authors developed a model to highlight this relationship and have validated the model using empirical data. This is expected to provide guidance on specific dimensions of e-government services that will stimulate the development of cybersecurity. The study provided the basis for understanding the patterns in cybersecurity development and has implication for policy makers in developing trust and confidence for the adoption e-government services. / National Information Technology Development Agency, Nigeria.

Towards an aligned South African National Cybersecurity Policy Framework

Chigada, Joel

22 August 2023

This thesis measured and aligned factors that contribute to the misalignment of the South African National Cybersecurity Policy Framework (SA-NCPF). The exponential growth rate of cyber-attacks and threats has caused more headaches for cybersecurity experts, law enforcement agents, organisations and the global business economy. The emergence of the global Corona Virus Disease-2019 has also contributed to the growth of cyber-attacks and threats thus, requiring concerted efforts from everyone in society to devise appropriate interventions that mitigate unacceptable user behaviour in the reality of cyberspace. In this study, various theories were identified and pooled together into an integrative theoretical framework to provide a better understanding of various aspects of the law-making process more comprehensively. The study identified nine influencing factors that contributed to misalignment of the South African National Cybersecurity Policy Framework. These influencing factors interact with each other continuously producing complex relationships, therefore, it is difficult to measure the degree of influence of each factor, hence the need to look at and measure the relationships as Gestalts. Gestalts view individual interactions between pairs of constructs only as a part of the overall pattern. Therefore, the integrative theoretical framework and Gestalts approach were used to develop a conceptual framework to measure the degree of alignment of influencing factors. This study proposed that the stronger the coherence among the influencing factors, the more aligned the South African National Security Policy Framework. The more coherent the SA-NCPF is perceived, the greater would be the degree of alignment of the country's cybersecurity framework to national, regional and global cyberlaws. Respondents that perceived a strong coherence among the elements also perceived an effective SA-NCPF. Empirically, this proposition was tested using nine constructs. Quantitative data was gathered from respondents using a survey. A major contribution of this study was that it was the first attempt in South Africa to measure the alignment of the SA-NCPF using the Gestalts approach as an effective approach for measuring complex relationships. The study developed the integrative theoretical framework which integrates various theories that helped to understand and explain the South African law making process. The study also made a significant methodological contribution by adopting the Cluster-based perspective to distinguish, describe and predict the degree of alignment of the SA-NCPF. There is a dearth of information that suggests that past studies have adopted or attempted to address the challenge of alignment of the SA-NCPF using the cluster-based and Gestalts perspectives. Practical implications from the study include a review of the law-making process, skills development strategy, a paradigm shift to address the global Covid-19 pandemic and sophisticated cybercrimes simultaneously. The study asserted the importance of establishing an independent cybersecurity board comprising courts, legal, cybersecurity experts, academics and law-makers to provide cybersecurity expertise and advice. From the research findings, government and practitioners can draw lessons to review the NCPF to ensure the country develops an effective national cybersecurity strategy. Limitations and recommendations for future research conclude the discussions of this study.

Alignment

Cybercrime

Cyberlaws

Cybersecurity

Information Systems Security

National Cybersecurity Policy Framework

Gender in Cyber policy, is it really necessary? : A critical analysis of gender in EU’s cybersecurity policy

Linden, Emmie

January 2022

Cyberspace offers many opportunities but is also a very hostile place for women. Studies claim that women are disproportionally affected by certain cybercrimes and suffer frequent rights violations in cyberspace. The aim of cybersecurity policies is, among others, to protect citizens from different cyberthreats and the EU has a vital role in designing such policies. This involves portraying what issues are seen as cyberthreats and in extension, which issues are prioritized over others. Therefore, it is important to problematize what key EU bodies depict as cybersecurity threats and how they incorporate gender in their cybersecurity policy and strategy. This study uses post-structural feminist theory to analyze the EU cybersecurity discourse and its implications for women’s rights. This is because the theory emphasizes the deconstruction of discourse to showcase hidden gendered power dimensions. It is a qualitative case study that uses the framing method to identify the discursive construction of threats, priorities, and key issues, and McPhail’s feminist policy analysis framework to investigate how gender is incorporated in the discourse. The findings confirm previous research, which states that cybersecurity is mainly state-centric and securitized and gender is silenced in the overall discourse. Among the five distinct frames that I identified in the discourse on cybersecurity, none includes a gendered perspective. No official EU document adopts or argues for a gender-sensitive approach to cybersecurity. Gender is only mentioned with regard to empowering women in the STEM sector, although the European Parliament stresses the need to target cyberviolence against women. The study concludes that a gender-neutral approach to cybersecurity has negative implications for women’s rights, as cybercrimes and violates women endure are overlooked and deprioritized in comparison to a gendered approach. This is because it is more likely that political measures can be taken if the policies and actors acknowledge the gendered issues, which then have positive implications for the protection of women’s rights in cyberspace.

EU

cybersecurity policy

gender

human rights

women’s rights

securitization

post- structural feminist theory

policy discourse analysis

Political Science

Statsvetenskap