Assessing national cybersecurity capacity in the Pacific

OCSC has partnered with the Global Cyber Security Capacity Centre (GCSCC) at the University of Oxford to review national cybersecurity capacity and conduct related research in the Pacific using the Cybersecurity Capacity Maturity Model for Nations (CMM).

OCSC provides complimentary national cybersecurity reviews to nations in the Pacific using the CMM. The OCSC team travels to the host nation to meet with a variety of stakeholders across sectors, building up a comprehensive understanding of national cybersecurity capacity informed by the people involved in it, to focus on what is important for the nation in context ensuring that the CMM recommendations are relevant and applicable.

This initial assessment helps host nations document and benchmark their current cybersecurity capacity, to both identity gaps for consideration of investment and enable the measurement of the impact of resulting capacity building activities through a second assessment in the future. The initial CMM report is owned by the host nation and provides the first step towards strengthening a nation’s cybersecurity capacity, informing the development or next iteration of a national cybersecurity strategy, policies and legislative initiatives. Following the finalisation of the report, the OCSC works with the host nation to strengthen cybersecurity capacity, through OCSC’s member universities, partners and the international community, to deliver coordinated and sustainable capacity building projects that help address each nation’s priorities.

The GCSCC developed the CMM as a framework to facilitate the review of the maturity of a country’s cybersecurity capacity in consultation with over two hundred international experts drawn from governments, international organisations, academia, public and private sectors and civil society. The CMM has been deployed more than 100 times in 84 nations across the globe. A detailed list of the reviews and links to the published reports can be found on the GCSCC website.

The CMM considers national cybersecurity capacity maturity across the following five dimensions (D): (D1) Cybersecurity Policy and Strategy; (D2) Cyber Culture and Society; (D3) Cybersecurity Education, Training and Skills; (D4) Legal and Regulatory Frameworks; and (D5) Standards, Organisations, and Technologies.

Each dimension contains a number of factors which describe what it means to possess cybersecurity capacity. Each factor presents a number of aspects grouping together related indicators, which describe steps and actions that, once observed, define the stage of maturity of that aspect.

There are five stages of maturity, ranging from the start-up stage to the dynamic stage. The start-up stage implies an ad-hoc approach to capacity, whereas the dynamic stage represents a strategic approach and the ability to adapt dynamically or to change in response to environmental considerations.

For more details on the definitions, please consult the CMM document.

Together the OCSC, the GCSCC, and it’s partners are focused on further developing the CMM as a framework for understanding what works, what doesn’t work and why – across all areas of cybersecurity capacity. This is important so that governments and enterprises can adopt policies and make investments that have the potential to significantly enhance safety and security in cyberspace, while also respecting core human rights’ values and interests, such as privacy and freedom of expression

​Our ambition is to review all countries in the region, including Australia. The OCSC team and partners have so far deployed the CMM to:

If you would like your country to take part in a cybersecurity capacity review, please contact us to discuss the process, impact and outcomes of a CMM review and your requirements.