
Our study resulted in the articles and presentations listed below. The knowledge gained during this research was used in the writing of this thesis, and the peer review of these articles also served as a mechanism to validate our models. The articles influenced the thesis, and valuable knowledge was gained about SOC and CSIRT functions as well as the development of frameworks and models. The articles below are a direct result of this study.

1. Framework for the implementation of business cybersecurity

Author(s): PC Jacobs (Presenter), MM Grobler, SH von Solms

Date: 12 - 13 May 2016

Type: Conference

London, United Kingdom: International conference on Business and Cyber Security (ICBCS) Article:

(https://www.researchgate.net/publication/305769629_Towards_a_framework_for_the_development_of_business_cybersecurity_capabilities)

DOI: 10.13140/RG.2.1.5110.0406

Relevance (Chapters 2 and 4): This article applied the NCMF in an organisational environment, thus demonstrating its breadth and flexibility.

Abstract: Information and communications technology is often seen as a critical organisational asset. To prevent loss of revenue and money, as well as to protect organisational reputation, this asset must be protected from threats and vulnerabilities. Organisations use different standards, frameworks and best practices when addressing cybersecurity. These governance documents could be chosen based on legislative or corporate governance requirements, and are most often industry specific. They typically prescribe sets of controls to be implemented, such as technical controls, administrative controls and physical controls. Most of these documents also describe very specific capabilities that a business has to develop in securing its cyber domain. Capabilities, consisting of people, processes and technology, are meant to achieve outcomes or effects, and are applicable to the operational domain. Initial research has shown that no cybersecurity capability development framework applicable to the business domain exists. In this article, a framework called the Business Cybersecurity Capability Development Framework (BCCapDev framework) is proposed. In developing the BCCapDev, a modular approach is followed, starting with the identification of requirements for such a framework. Inputs into the BCCapDev framework, such as legal requirements and business governance requirements, are identified. Existing standards, frameworks and best practices are consulted, and capabilities are identified, as well as actors and stakeholders. Mechanisms to align BCCapDev processes with the business are identified, as well as a methodology to build the capability. The framework is developed in such a way that it is modular, reusable, and independent of changes in standards, frameworks or best practices. The BCCapDev is also developed to be flexible enough to be industry neutral.

2. E-CMIRC – Towards a model for the integration of services between SOCs and CSIRTs

Author(s): PC Jacobs (presenter), SH von Solms, MM Grobler

Date: 25 – 26 July 2016

Type: Conference

Munich, Germany: 15th European Conference on Cyber Warfare and Security (ECCWS 2016) (Refereed and Published)

ISBN: 978-1-910810-96-5

Relevance (Appendix D): This article presented an integrated services model for SOCs and CSIRTs. This knowledge was used during the identification and selection of services to be offered from the E-CMIRC.

Abstract: Security Operation Centres (SOCs) and Computer Security Incident Response Teams (CSIRTs) or Computer Emergency Response Teams (CERTs) can play a pivotal role in the monitoring of, and response to, threats, attacks and vulnerabilities in organisations, including governments. While the focus of a SOC is on the monitoring of technical security controls and critical assets, and the response to attacks and threats, a CSIRT's main focus is on response and incident management. One postulation is that a CSIRT or CERT is a highly specialised sub-capability of a SOC, whereas another postulation could be that a SOC serves as an input mechanism into CSIRTs and CERTs. In this paper, the differences between SOCs, CERTs and CSIRTs are established, and synergies between them are defined. This leads to an integrated services model for the establishment of an initial SOC and CSIRT capability in developing countries. Developing countries face unique challenges where cybersecurity is concerned. Aspects such as Information and Communication Technology (ICT) infrastructure are often a challenge, as are funding for ICT and skills. Political instability could also influence the cybersecurity posture of developing countries by leaving them open to malicious state-sponsored attacks. This combined SOC and CSIRT capability is made viable through the savings in cost and resources obtained by identifying overlapping services, as well as through the application of the proposed model. The emergent combined SOC and CSIRT capability is called the Embryonic Cyberdefense Monitoring and Incident Response Centre (E-CMIRC). The purpose of this paper is to identify a high-level integrated services model for the E-CMIRC in order to reduce the cost and resources which serve as a barrier to entry in developing countries. A scalable operational framework is identified, and for the management of effectiveness and efficiency, and to ensure that all aspects of service delivery are considered, the Information Technology Infrastructure Library (ITIL) is proposed.

A National Cybersecurity Management Framework for Developing Countries

3. Towards a National Cybersecurity Capability Development Model

Author(s): PC Jacobs (presenter), SH von Solms, MM Grobler

Date: 28 – 30 July 2017

Type: Conference

Dublin, Ireland: 16th European Conference on Cyber Warfare and Security (ECCWS) 2017 (Refereed and Published)

ISSN: 2048-8602

Relevance (Appendix E): The knowledge gained with this article was applied during the development of the E-CMIRC CDM.

Abstract: Nations need to develop cybersecurity capabilities at the national level in order to satisfy the requirements expressed through national authoritative and normative documents. These national cybersecurity capabilities typically consist of people, processes and technology or tools. From the research conducted, no publicly available models or frameworks for national cybersecurity capability development could be found. In this paper, the authors identify and compare existing military capability development models and propose a national cybersecurity capability development model based on these models. Military capability development frameworks are a comprehensive way to define work deliverables and work standards, and provide a way to measure the work deliverables (eWorks Moodle, 2016). The use of such a national cybersecurity capability development model is advantageous during the planning phase of the national cybersecurity capability. For example, using a model allows a capability to be broken down into its components; a model serves as a blueprint to ensure that those building the capability consider all components, allows for cost estimation, and facilitates the evaluation of trade-offs. One national cybersecurity capability, the incident management cybersecurity capability, is selected to illustrate the application of the national cybersecurity capability development model.

This model was developed as part of previous research and is called the Embryonic Cyberdefence Monitoring and Incident Response Centre (E-CMIRC) (P. Jacobs, S.H. von Solms and M.M. Grobler, 2016). The characteristics of national cybersecurity incidents have to be determined, as these affect each component of the military-based national cybersecurity capability development model. Once the national cybersecurity capability components are identified using the military-based capability development model, the capability also has to be operated. To achieve this, available organisational and operational models are identified and compared, and one operating model is selected to augment the national cybersecurity capability development model. The fusion of the military-based national cybersecurity capability development model with the operational model results in the national military-based cybersecurity capability development model. This paper has three outcomes in mind: firstly, to determine the characteristics of national cybersecurity incidents; secondly, the development of the national cybersecurity capability development model; and thirdly, the development of a national cybersecurity capability operational model. The paper describes the methodology followed in describing the E-CMIRC structure using a capability development framework and organisational and operational models. The national cybersecurity capability development model, built on a military capability development framework, and the national cybersecurity capability operational models, derived from existing organisational frameworks, are presented as a single, integrated model.
