Abstract
National cybersecurity capacity building involves the development of managerial, technical, social, legal, policy, and regulatory initiatives by a growing ecology of actors to enhance the resilience of nations to cybersecurity breaches, cybercrime, and terrorism. Capacity building is therefore resource intensive, requiring attention across sectors of society, ranging from governments to Internet users. However, it is difficult to justify commitments to capacity building when the benefits of building national cybersecurity capacity are largely based on logical reasoning, limited case studies, anecdotal evidence, and expert opinion rather than systematic empirical evidence. To explore the value of capacity building, this article reports on the early phase of a systematic effort to bring together cross-national data from multiple sources to examine whether indicators related to the cybersecurity capacity of a nation help explain the experiences of Internet users—one of the final payoffs of cybersecurity capacity building.
Developing a supportive environment for enabling cybersecurity has become a priority for governments, international organizations (IOs), and companies alike, both within their own organizations, as well as in outward investments.1 This enabling environment, more commonly referred to as cybersecurity capacity, ranges from policy and strategy, to sociocultural attitudes, knowledge and skills, regulations, law enforcement, and technical standards and capabilities. Initiatives to build cybersecurity capacity are relatively new, beginning from 2013 with the establishment of the Oxford Global Cyber Security Capacity Centre (GCSCC).2 Microsoft, Symantec, and other private sector organizations have joined governments and IOs in supporting several capacity-building initiatives, such as the International Telecommunications Union (ITU),3 the Potomac Institute,4 the Australia Strategic Policy Institute,5 the Economist Intelligence Unit, Booz Allen Hamilton,6 and the Global Forum on Cyber Expertise (GFCE).7
Capacity-building efforts are designed to confront the growing impact of cyber-based security breaches, crime, and terrorism. For example, Europol's 2019 Internet Organized Crime Threat Assessment identifies an expansion of cybercrime and the need for a holistic response to systematic and persistent threats.8 This is a growing problem as cyber-related crimes are having even more financial impact than traditional crime in some areas of the world.9 Cybersecurity capacity building is an approach for dealing with these increasing threats and mitigating the impacts of attacks. Cyber threats are multidimensional, with attacks taking advantage of technological, societal, and individual weaknesses. Capacity building is a broad policy and strategy that encompasses multiple aspects. These include the domains of policy and strategy; cultural and societal norms and behavior; cybersecurity education training and skills; legal and regulatory frameworks; standards, organizational arrangements, and technologies. Stakeholders across these areas work together to improve systems and practices, which in turn increase resilience to cyberattacks.10
Most of these initiatives are based on the assumption that there are at least three domains that impact information security. Although these domains interact with each other, they are most often discussed separately and in different circles (1) addressing the vulnerabilities of devices and services (primarily the role of security practitioners); (2) the security practices that should be followed by end users; and (3) what can be done about these two things and who should be doing it (the role of governance).11 However, given this interdependence, increasing capacity is assumed to require a collaborative effort and continuing commitment across these three domains, and involve multiple stakeholders in each of these domains. Actors at each layer of design, production, implementation, and use of technology have a role in cybersecurity capacity building.
This article develops the concept of cybersecurity capacity building and whether it works: do these initiatives matter? While it may seem like a commonsense conclusion that enhancing capacity will pay off for nations, organizations, and citizens, it is not a forgone conclusion. It is not clear that the assumptions underpinning capacity building are correct. It may be that capacity is based on the economic resources of nations and not independently influenced by capacity-building initiatives. Or, as some contend, these initiatives might be symbolically but not materially significant, since some nations have been reluctant to strategically invest in them.12 Therefore, it is critical to understand the nature of capacity building and determine whether capacity building actually matters, independently of context, such as the wealth of nations.
Cybersecurity Capacity Building
The concept of “cybersecurity” was coined to signal the move from an era focused on “computer security” to the rise of the Internet and its wide network of connected devices. Once technologically futuristic, the concept captures the growing reality of computer security moving away from a focus on securing an organization against attacks and toward developing a greater resilience to continuing and evolving online security risks across all contexts of Internet use.
In past decades, security was largely viewed as a technical challenge in building electronic and physical barriers to protect computer equipment and data. Since the widespread diffusion of the Internet, distributed computing networks are making equipment, data, and other digital resources more open and global, placing far more responsibility in the hands of users at many levels. One consequence is the rise of centers focused on moving beyond technical initiatives to engage a wide range of actors in all aspects of Internet security—and increasingly defined in broader terms.
One feature of this move has been a greater focus on proactive steps to build an individual's, organization's, or nation's resilience to security threats, that is, their cybersecurity capacity. There have been many discussions of the building blocks of capacity, but relatively little empirical research. This section outlines some of the dimensions underlying capacity building, while the following section moves to an effort to empirically assess whether building the cybersecurity capacity of nations does make a difference in reducing security problems for users. In order to understand the breadth and problematic nature of capacity building, it is useful to consider three major features of cybersecurity capacity building: (1) the many dimensions that define cybersecurity capacity; (2) the multiplicity of actors relevant to each of these issues or dimensions; and (3) the wider policy context shaping capacity building and its implications.
Dimensions of Cybersecurity Capacity Building
There have been a number of initiatives to build cybersecurity capacity beyond the more conventional focus on technical advances. Technical initiatives remain critically important, but emerging frameworks on cybersecurity and capacity building extend well beyond these conventional foci to include interrelated issues or areas, broadly characterized as dimensions in Table 1. While the exact definitions of these dimensions vary across researchers and centers, there is a general consensus that the Internet is forcing initiatives to encompass a far broader array of issues, including cybersecurity strategy and policy, the cultures of security among users, levels of knowledge and awareness, the appropriateness of legal and regulatory frameworks, and the standards, technological, and organizational responses to threats, such as around incident response units (Table 1).
The Broad Scope of Cybersecurity Capacity Building
| Area of Focus | Scoping the Area |
|---|---|
| Devising strategy and policy | Creating and implementing a cybersecurity strategy and related policies |
| Incident management and response | Processes, tools, and training for responding to security incidents, such as Computer Emergency Response Teams (CERTs) and protection of critical infrastructures |
| Fostering a culture in society supportive of security and safety | Instilling trust, norms, values, practices, and a mind-set that balances other values online with security online |
| Developing knowledge | Initiatives in education, training, and skill development supporting awareness and good practice |
| Creating effective legal, regulatory, and administrative frameworks | Updating law, regulation, law enforcement, prosecution, and cross-jurisdictional cooperation to be responsive to evolving threats, from cybercrime to cyberwarfare |
| Standards, organizations, and technologies | Adopting, procuring, and deploying high quality software, technical security, cryptographic methods, and antimalware control systems |
| Area of Focus | Scoping the Area |
|---|---|
| Devising strategy and policy | Creating and implementing a cybersecurity strategy and related policies |
| Incident management and response | Processes, tools, and training for responding to security incidents, such as Computer Emergency Response Teams (CERTs) and protection of critical infrastructures |
| Fostering a culture in society supportive of security and safety | Instilling trust, norms, values, practices, and a mind-set that balances other values online with security online |
| Developing knowledge | Initiatives in education, training, and skill development supporting awareness and good practice |
| Creating effective legal, regulatory, and administrative frameworks | Updating law, regulation, law enforcement, prosecution, and cross-jurisdictional cooperation to be responsive to evolving threats, from cybercrime to cyberwarfare |
| Standards, organizations, and technologies | Adopting, procuring, and deploying high quality software, technical security, cryptographic methods, and antimalware control systems |
The Multiplicity of Actors
Although these dimensions are closely interrelated they are separate, discussed in different circles, and the foci of an array of different actors, including the responsibilities of (1) security practitioners to advance technical designs to reduce the vulnerabilities of digital devices and services, (2) end users, such as Internet users, to follow security practices and norms, and (3) managers, policy-makers, and regulators to govern these two areas and who should be doing what in order to enhance cybersecurity.
Since the Internet, by design, empowers greater access to multiple levels of computing and communication networks, security has increasingly become a concern across all these major domains, and the multiple stakeholders in each, including users. Therefore, actors at each layer of design, production, implementation, and use of the Internet and the systems it pervades, have a role in cybersecurity capacity building. Table 2 provides a simplified typology of the actors involved in capacity building.
Selected Actors Involved in Cybersecurity Capacity Building
| Actor | Role(s) | Examples |
|---|---|---|
| Cybersecurity practitioners | Individuals and teams with expertise in computing, networking, and security | Computer Emergency Response Teams (CERTs); IT experts in organizational centers |
| Researchers, educators | Academic centers of expertise in cybersecurity capacity-building practices and policy in universities and think tanks | Oxford Global Cyber Security Capacity Centre (GCSCC), Oceania Cybersecurity Centre, Chatham House, Brookings, Rand Corporation, European Institute for Security Studies |
| Trainers and advocates | Teams and individuals designing and delivering training, awareness campaigns, and promoting security | The Geneva Internet Platform (GIP) Digital Watch observatory |
| Networkers and coordinators | Provisions of online portals, conferences, and forums on capacity building | World Economic Forum, Global Forum on Cyber Expertise (GFCE) |
| Users | Billions of end users, including organizations, Internet users, and malevolent users | Individual skills, norms, and practices |
| Donors | Individuals and organizations financially and organizationally supporting capacity-building initiatives | Governments, philanthropic foundations, institutions, such as the World Bank |
| Policy-makers and regulators | Governance of the Internet and cybersecurity norms and practices | Internet Governance Forum (IGF), National communication and telecommunication regulators, … |
| Actor | Role(s) | Examples |
|---|---|---|
| Cybersecurity practitioners | Individuals and teams with expertise in computing, networking, and security | Computer Emergency Response Teams (CERTs); IT experts in organizational centers |
| Researchers, educators | Academic centers of expertise in cybersecurity capacity-building practices and policy in universities and think tanks | Oxford Global Cyber Security Capacity Centre (GCSCC), Oceania Cybersecurity Centre, Chatham House, Brookings, Rand Corporation, European Institute for Security Studies |
| Trainers and advocates | Teams and individuals designing and delivering training, awareness campaigns, and promoting security | The Geneva Internet Platform (GIP) Digital Watch observatory |
| Networkers and coordinators | Provisions of online portals, conferences, and forums on capacity building | World Economic Forum, Global Forum on Cyber Expertise (GFCE) |
| Users | Billions of end users, including organizations, Internet users, and malevolent users | Individual skills, norms, and practices |
| Donors | Individuals and organizations financially and organizationally supporting capacity-building initiatives | Governments, philanthropic foundations, institutions, such as the World Bank |
| Policy-makers and regulators | Governance of the Internet and cybersecurity norms and practices | Internet Governance Forum (IGF), National communication and telecommunication regulators, … |
Note: Adapted from Global Partners (2018, 16–18).
Even if governments, organizations, and individuals accepted that they will need to focus on enhancing their resilience to cyberattacks by following best practices and policies, there is a general absence of a clear cross-national consensus on what constitutes best practice or policy. For example, there is a lack of consensus on appropriate norms for online behavior—best practice—that are critical to cybersecurity capacity, with some possible exceptions, such as around international standards for how to manage risks, called cyber-risk management.13 Yet the role of the state is critical in both implementing and enforcing norms that could support security. More research is required to identify the norms and practices along with other strategies critical to supporting security.
Security practitioners produce the technical and procedural solutions that help protect against threats, mitigate damage when there is a breakdown in security, and recover systems postattack. This often entails substantial investments in hardware, software, processes, policy, and training of personnel. This can only be done if governments help build an environment that will protect the investments of the organizations that are producing the relevant technology and accompanying practice. At the same time, the interests of other organizations and end users need to be protected from substandard products that don't follow basic security protocols.
Security practitioners also can promote a more widespread understanding of industry-standard protocols for security by increasing the training of staff. Some companies have supported their staff to become more aware of cybersecurity risks in general, with the intention that this will positively impact behavior while at work. However, many businesses do not share their protection protocols, leaving a void in sharing prescribed cybersecurity practices that can become norms. Although there is an understandable need to keep some company-specific protections proprietary, agreeing on basic security protocols is assumed to help overall protective capacity. This is especially the case as systems are increasingly interdependent; each vendor needs assurance that other vendors are consistently contributing to an ecosystem that follows industry standards for security. Indicators that industry and public/private alliances are engaged in cybersecurity capacity would include such actions as the purchase of proven advances in technology, the use of secure servers, the provision of extensive staff training, and the adoption of cybersecurity standards.
It would be inappropriate to consider technology as being separate from its end users, including the general public of Internet users. When discussing technology and addressing the security of any technical system, humans are inherently part of the system. The behavior of people, how they design, procure, and use technology, including the security features of it, has a direct consequence for the overall security of a system. This creates a challenge when considering the development of norms and confidence building measures since they must take account of the heterogeneous array of people involved.
This heterogeneity often entails people who make poor security choices, such as using pirated software and imitation products,14 that can be more susceptible to malware that can compromise machines to become a source for further attacks.15 Although nations with the most distressed economic conditions can be expected to use more pirated software, this is not simply determined by economic conditions. Often inefficient judicial systems and particular cultural norms, such as privileging individualism over the common good, can contribute to an environment where piracy is more prominent. Increasing capacity could therefore include initiatives to encourage safer alternatives for users than resorting to piracy.
Furthermore, end users are often the last to know about cybersecurity breaches, weaknesses in systems that they trust, or when their personal information has been stolen. They have few protective resources compared to industry or government; thus, they are often primary targets for attacks over the Internet. Efforts to improve the practices of users in ways that improve security have had mixed results.16 Yet, helping to increase the understanding of safe practices, encouraging end users to take personal responsibility,17 and developing a cybersecurity mind-set18 could increase the engagement of end users and thus enhance cybersecurity capacity.
Cybersecurity in the Larger Ecology of Digital Policy and Practice
Finally, not only is capacity building grappling with a wide array of issues across a multitude of actors, it is also only one area within a far broader array of interrelated policy domains. These include such issues as economic development, privacy and data protection, freedom of expression, intellectual property, and more. Too often, consideration of many communication technology and policy issues have been focused on single issues, despite the need to jointly consider a wider range of issues.
The Empirical Study of the Impact of Capacity Building
All of these dimensions to increasing cybersecurity capacity require a significant investment from a wide variety of stakeholders. Even though it seems logical that increasing capacity will benefit the population of a nation, time and again, it has proven impossible to simply project the outcomes of technological initiatives from the features of their designs. Technological innovation is replete with unanticipated outcomes, such as the so-called “productivity paradox.”19 Moreover, up to this point, there has been little empirical research to demonstrate that investment in capacity building will benefit end users.
In this ongoing discussion of various and dynamic aspects of cybersecurity capacity building, there is a need to refine empirical research on its use, implementation, and implications. The primary aim of this study is to advance research on the implications of capacity building for end users of the Internet using a cross-national, comparative approach. We first review some of the key problems in measuring cybersecurity capacity, before describing the operationalization of key variables and a preliminary analysis how capacity can shape outcomes critical to end users of the Internet.
Limits on Efforts to Evaluate Cybersecurity Capacity
To gain more support for investment into capacity development, the cybersecurity community needs to prove its case to policy-makers, regulators, and the public. To do so, there is a need for appropriate indicators to measure the societal impact of efforts to enhance cybersecurity capacity. But there are a number of constraints.
First, as discussed earlier, the collection of data on cybersecurity is hindered by a lack of trust and lack of transparency. Institutions of all types have reasons to not let others know about data breaches or security failures, which are aspects of any indicator of the effectiveness of cybersecurity. For example, cybersecurity capacity is often closely tied to national strategies that address external threats as well as internal strengths and weaknesses.20 It is therefore treated as proprietary information to be guarded, rather than a resource that is shared with other stakeholders.
Secondly, beyond the lack of complete data, many long-term investments in cybersecurity capacity, such as structural changes, do not show immediate results. Policies, such as improved legal protections, that punish cybercriminal attacks may take years to be implemented and even longer to track down and result in the conviction of offenders. Better cybersecurity training and educational initiatives also take time to demonstrate an effect, as trainees need time to learn new skills and incorporate them into the workplace.
For such reasons, there have been few data-based analyses to explore whether increasing cybersecurity capacity actually matters in improving security in ways that show up in the experiences of end users. Using internationally respected open data sources, we explore whether some of the key benefits flowing from improving cybersecurity capacity are actually achieved and realized by end users.
Methods
The present research sought to develop indicators of national contexts, such as the wealth of nations, along with indicators of cybersecurity capacity (ICSC) across the multiple dimensions of capacity building, which include technical, legal, and social dimensions discussed in the following. This approach allows a basic quantitative test to show whether cybersecurity capacity building is reflected in a major set of outcomes—the problems faced by end users.
Given the paucity of indicators that directly measure capacity building, we sought data that was gathered by entities that are widely respected and have robust data collection methods. We chose organizations that had expertise in each corresponding dimension of capacity building. This led us to draw from data repositories of the World Bank,21 Internet World Stats,22 and the World Economic Forum (WEF).23 All of these institutions have global connections, open data, and periodically issue reports concerning Information and Communication Technologies (ICT) use. If their data can be turned to an examination of cybersecurity capacity, the analysis can therefore be replicated, studied over time, and open to public scrutiny.
End-User Security Problems
For our end-user threat experience, we used data collected by Microsoft24 as these specific indicators are broadly collected and rigorously tested. This study specifically relies on The Microsoft Report that is based on data collected in the first two quarters of 2016. These items were averaged together to minimize seasonal fluctuations.
The reported data is collected from many Microsoft products, whose users have opted to share their data. Because of the widespread usage of Microsoft products, which report security issues online, this data is one of the most comprehensive available.25 The products that collect data include Azure security center, Bing, Exchange Online, Malicious Software Removal Tool (MSRT), Microsoft Security Essentials, Microsoft System Center Endpoint Protection, Office 365, SmartScreen Filter, Windows Defender, Windows Defender Advanced Threat Protection, and Windows Defender Offline.26
Two of our indicators of end-user security problems come from this Microsoft data: encounter rates (ERs) and a computers-cleaned metric (CCM).
ERs report “the percentage of computers running Microsoft real-time security products that report a malware encounter.”27 ERs include exploit kits that target plug-ins, such as Adobe Flash Player and JAVA. CCM is the number of computers cleaned from infections per 1,000 runs of the MSRT.28
These indicators are somewhat similar but reflect different dimensions of threats that end users face. The ERs reflect protection from infection in the general environment while the CCM reflects removal of malicious software found on computers.
There are known weaknesses with these data. The computers included in these metrics are limited to machines that are running verified copies of Windows software. The users are actively participating in using Windows protection products. Also, the users are willing to let their results be reported. Given the likely biases, the actual infection rate is arguably much higher in all nations. This would be especially true for machines using pirated operating systems, or those not using products designed to protect from encounters with malware. Nor do these figures include other operating systems, such as open-source systems, Apple, Linux, or increasingly prevalent cloud-based services. Other companies also frequently publish informative and comprehensive security reports (e.g., Symantec, Verizon, Ponemon), but the items in this study were chosen to avoid overlaps of reporting.29
A third measure of end-user security problems is the percentage of software installed that is pirated. This indicator is drawn from data collected by the WEF30 and the ITU. The primary security concern of pirated software is that it often contains malware, and since it is not registered, it will not receive updates to fix known weaknesses. The piracy rates, for countries that report the data, range from a low of 18 percent in the United States, 19 percent in Japan, and 24 percent in the United Kingdom to a high of 90–91 percent in Zimbabwe, Moldova, and Georgia in 2016.31
Independent Variables to Explain Capacity and Its Outcomes
To keep the analysis simple and replicable, the study focused on several contextual variables that might account for levels of cybersecurity capacity and its outcomes. These are the wealth of nations, as indicated by gross domestic product (GDP), the size of nations, as indicated by total population, the scale of Internet use, as indicated by the number of Internet users, and the centrality of Internet use, as indicated by the percentage of Internet users. The number of Internet users can be large in some countries, such as Indonesia, in which the Internet does not yet reach a large proportion of the population, and therefore, does not play as central a role in public and commercial services as in nations with a higher percentage of users.32Figure 1 illustrates how these indicators of wealth, size, scale, and centrality might be associated with the experiences of end users in reducing threats.
Research Model
Wealth: World Bank items include GDP per capita.33
Size: The World Bank data also provides the population of the country in 2015.
Scale: The number of Internet users was obtained from World Internet Statistics.34
Centrality: As a country's percentage of active Internet users increases, the Internet becomes more central to commercial and public services, leading security to matter more. The percentage of Internet users was also obtained from the WEF.35
Indicators of Elements of Cybersecurity Capacity
In this area, as in others, we sought indicators that came as close as possible to variables in our model, in this case, well-defined elements of cybersecurity capacity. While some projects, such as the GCSCC at the University of Oxford, are developing direct indicators of maturity on many dimensions of capacity, they have only been collected for 60 countries in different regions by 2019, and are confidential in some nations, as agreed with the nations studied. However, we have been able to match aspects of these studies with available data to develop strong surrogate indicators of key dimensions of cybersecurity capacity.
A number of indicators were used from the WEF's Network Readiness Index. The data shared by the WEF is gathered from many sources including ITU, World Bank, UNESCO, and other United Nations agencies.36 Many of the points that are used in this report are available through WEF's annual Executive Opinion Survey. This is administered to over 14,000 business executives in all economies covered in their report.37 These data are derived from experts inside each nation, who are familiar with their country reporting these items.
Items selected from the WEF global information technology report are elements that would be needed to support cybersecurity capacity. The items include aspects from law and policy, technological equipment and know-how, education, and how essential technology is to accessing government services. The items selected from WEF's networked readiness pillars that are most relevant for capacity building include
A supportive political and regulatory environment
A healthy business environment that supports innovation
Secure infrastructure
An educational system that is building workers with needed skills
Businesses that offer specific training to their employees
ICT use as part of core interactions that citizens have with their government
The items in the WEF report are part of several pillars of the networked readiness index.38 Those indicators which were used for this research are listed by the dimension that they represent in the network readiness pillars for capacity building. These items indicate an environment that reflects efforts to balance the interests of the people as well as the interests of those developing and supplying software and hardware needed to technology use.
Items analyzed in the political and regulatory domain are
Laws relating to ICTs and their regulation
Intellectual property regulation (IPR)
In the business and innovation domain, we included
The availability of state of the practice technology
Government purchase of the up-to-date technology
Secure infrastructure is measured using
Number of Internet servers per million people in the nation. Secure servers are a basic item to help reduce attacks and infection.39
The quality of the educational system is incorporated by including
Quality educational system, which helps build an overall understanding of the affordances of computers as well as the basics of cybersecurity.
Training in business and industry is reflected in
Businesses that train their staff in ICT use often include specialized cybersecurity and digital safety training.
ICT use by government is demonstrated by
A nation that utilizes ICT for access to key government services is more likely to have also committed to protecting access to those services and protecting the data gathered through those services.
The recognition of the importance of cybersecurity capacity and building a multidimensional framework that serves as an incubator to help improve capacity are some of the key steps to improving capacity. The sources for each variable, its domain, the range of each variable, means, and standard deviation are in Table 3.
Definitions and Characteristics of Variables
| Variable Name | Operational Definition | Range (scale) | Means (Std. Dev.) | Source |
|---|---|---|---|---|
| Scale | Total population | 137,122,000–9,290 (in thousands) | 4,830,166 (16,425,640) | World Bank |
| Wealth | GDP per capita | $727–$277,680 | $23,070 (31.034) | World Bank |
| Size | Number of Internet users | 56,158–721,434,547 (actual) | 25,644,625 (78,342,325) | Internet World Stats |
| Diffusion | Percentage of population using the Internet | 1.38%–98.16% (actual) | 48.87% (28.81%) | World Economic Forum |
| Indicators of cybersecurity capacity (Cronbach's alpha .969) | Laws relating to ICTs and their regulation | 1.98–5.95 (1–7 scale) | 3.92 (0.91) | World Economic Forum |
| Intellectual property regulations | 1.68–6.31 (1–7 scale) | 4.07 (1.03) | World Economic Forum | |
| The availability of the latest technology | 2.75–6.60 (1–7 scale) | 4.82 (0.91) | World Economic Forum | |
| Government purchase of up-to-date technology | 1.63–5.65 (1–7 scale) | 3.38 (0.64) | World Economic Forum | |
| Number of secure Internet servers per millions of population | 0.15–3214.39 (actual) | 349.72 (658.54) | World Economic Forum | |
| Quality of educational system | 2.05–6.13 (1–7 scale) | 3.76 (0.90) | World Economic Forum | |
| Businesses train their staff in ICT use | 2.58–5.74 (1–7 scale) | 4.03 (0.67) | World Economic Forum | |
| National utilization of ICTs for access to key government services | 2.46–6.18 (1–7 scale) | 4.33 (0.95) | World Economic Forum | |
| End-user cybersecurity problems (Cronbach's alpha .899) | Encounter rate (ER) | .07–.48 (% actual) | .26 (.09) | Microsoft |
| Computers-cleaned metric (CCM) | 2.35–80.55 (actual) | 19.47 (13.38) | Microsoft | |
| Piracy rate | 18.00–91.00 (% actual) | 56.99 (21.49) | World Economic Forum |
| Variable Name | Operational Definition | Range (scale) | Means (Std. Dev.) | Source |
|---|---|---|---|---|
| Scale | Total population | 137,122,000–9,290 (in thousands) | 4,830,166 (16,425,640) | World Bank |
| Wealth | GDP per capita | $727–$277,680 | $23,070 (31.034) | World Bank |
| Size | Number of Internet users | 56,158–721,434,547 (actual) | 25,644,625 (78,342,325) | Internet World Stats |
| Diffusion | Percentage of population using the Internet | 1.38%–98.16% (actual) | 48.87% (28.81%) | World Economic Forum |
| Indicators of cybersecurity capacity (Cronbach's alpha .969) | Laws relating to ICTs and their regulation | 1.98–5.95 (1–7 scale) | 3.92 (0.91) | World Economic Forum |
| Intellectual property regulations | 1.68–6.31 (1–7 scale) | 4.07 (1.03) | World Economic Forum | |
| The availability of the latest technology | 2.75–6.60 (1–7 scale) | 4.82 (0.91) | World Economic Forum | |
| Government purchase of up-to-date technology | 1.63–5.65 (1–7 scale) | 3.38 (0.64) | World Economic Forum | |
| Number of secure Internet servers per millions of population | 0.15–3214.39 (actual) | 349.72 (658.54) | World Economic Forum | |
| Quality of educational system | 2.05–6.13 (1–7 scale) | 3.76 (0.90) | World Economic Forum | |
| Businesses train their staff in ICT use | 2.58–5.74 (1–7 scale) | 4.03 (0.67) | World Economic Forum | |
| National utilization of ICTs for access to key government services | 2.46–6.18 (1–7 scale) | 4.33 (0.95) | World Economic Forum | |
| End-user cybersecurity problems (Cronbach's alpha .899) | Encounter rate (ER) | .07–.48 (% actual) | .26 (.09) | Microsoft |
| Computers-cleaned metric (CCM) | 2.35–80.55 (actual) | 19.47 (13.38) | Microsoft | |
| Piracy rate | 18.00–91.00 (% actual) | 56.99 (21.49) | World Economic Forum |
Reliability and Validity of the Indicators
Before moving to the analysis, we first focused on establishing the reliability for the main constructs to be used in our explanatory model, and checked the convergent validity of our new construct, ICSC, and our dependent variable, end-user security problems. To determine the ICSC, our team of experts in cybersecurity capacity from multiple domains, reviewed the available indicators from the WEF's Networked Readiness Scale. After multiple rounds of review, the team agreed upon the seven items that best reflected the core dimensions of evolving models of maturity of cybersecurity capacity building.
As discussed previously, most of the ICSC items are seven-point scales, ranging from 1 to 7. These are laws relating to ICTs, intellectual property protection, availability of the latest technologies, government purchase of advanced technology, the quality of the educational system, the extent of staff training, and impact of ICTs on access to government services.
The one exception is an indicator of the number of secure servers per million population. The number of secure servers available varied widely from .147 in Chad to 3,214.4 in Iceland. The United States was 12th from the top with 1,548.2 and the United Kingdom was 15th from the top with 1,291.2. The distribution was highly skewed at the lower end of the scale, with 88 countries having fewer than 100 secure servers per million people. To test the impact of using this variable, SmartPLS analysis was run using both the raw data for the servers and the scale. The differences in the beta values and r-squared value indicated that there were no significant differences. Therefore, for the rest of the analysis, we used the 1–7 scale for the secure servers variable.
These eight indicators of ICSC were analyzed to determine whether they correlated in order to provide one indication of the reliability of a summary scale. The results of these tests are in Table 2. The path analysis showed high internal consistency with all loadings higher than .700, with the average variance extracted (AVE) less than .500 for all items. These are indications that the model is high in internal validity.40 Even though the items selected for analysis seem diverse, the data analysis supported the theoretically based selections and demonstrated that these were functioning as reflective elements of the same underlying construct.
The outcome indicator of end-user cybersecurity problems construct was formative. This was checked for collinearity and the variance inflation factor (VIF) was well below the level of 5, which would indicate multicollinearity.41 The results of the VIF for the formative items are in Table 4.
Measures of Construct Reliability
| Construct | Variables | Means (Std. Dev.) | Loadings | AVE | Composite Reliability |
|---|---|---|---|---|---|
| Indicators of cybersecurity capacity (ICSC) | ICT law and policy | 3.92 (0.91) | 0.933 | 0.066 | 0.963 n = 139 |
| Intellectual property protection | 4.07 (1.03) | 0.945 | 0.066 | ||
| Up-to-date technology | 4.82 (0.91) | 0.930 | 0.062 | ||
| Government purchase technology | 3.38 (0.72) | 0.704 | 0.257 | ||
| Secure servers | 1.65 (1.23) | 0.778 | 0.196 | ||
| Quality of education | 3.76 (0.90) | 0.838 | 0.198 | ||
| Employee training | 4.03 (0.67) | 0.899 | 0.111 | ||
| ICT use by government | 4.33 (0.95) | 0.951 | 0.044 | ||
| End-user cybersecurity problems | Means (Std. Dev.) | VIF | Composite Reliability | ||
| ER | .26 (0.09) | 2.063 | 0.899 n = 111 | ||
| CCM | 19.47 (13.38) | 2.824 | |||
| Software piracy (%) | 56.99 (21.49) | 1.821 |
| Construct | Variables | Means (Std. Dev.) | Loadings | AVE | Composite Reliability |
|---|---|---|---|---|---|
| Indicators of cybersecurity capacity (ICSC) | ICT law and policy | 3.92 (0.91) | 0.933 | 0.066 | 0.963 n = 139 |
| Intellectual property protection | 4.07 (1.03) | 0.945 | 0.066 | ||
| Up-to-date technology | 4.82 (0.91) | 0.930 | 0.062 | ||
| Government purchase technology | 3.38 (0.72) | 0.704 | 0.257 | ||
| Secure servers | 1.65 (1.23) | 0.778 | 0.196 | ||
| Quality of education | 3.76 (0.90) | 0.838 | 0.198 | ||
| Employee training | 4.03 (0.67) | 0.899 | 0.111 | ||
| ICT use by government | 4.33 (0.95) | 0.951 | 0.044 | ||
| End-user cybersecurity problems | Means (Std. Dev.) | VIF | Composite Reliability | ||
| ER | .26 (0.09) | 2.063 | 0.899 n = 111 | ||
| CCM | 19.47 (13.38) | 2.824 | |||
| Software piracy (%) | 56.99 (21.49) | 1.821 |
We next examined Pearson's zero-order correlations among the set of variables to look for statistically significant relationships between the indicators related to cybersecurity capacity and the dependent variables under consideration. The relationships were statistically significant at the .001 level, using a two-tailed t-test for the ICSC items. The relationships were also strong for the dependent variable items (ER, CCM, and Software Piracy), which all had negative correlations with the ICSC items. This would indicate that as the ICSC items went up, the infection indicators went down (Table 5).
Pearson's Correlations of Constructs
| Computers Cleaned | Encounter Rate | Software Piracy Rate | Laws Relating to ICTs | Intellectual Property Protection | Availability of Latest Technologies | Secure Internet Servers | Quality of Educational System | Extent Staff Training | |
|---|---|---|---|---|---|---|---|---|---|
| Computers cleaned | 1 | ||||||||
| Encounter rate | .815** | 1 | |||||||
| Software piracy rate | .612** | .749** | 1 | ||||||
| Laws relating to ICTs | −.541** | −.552** | −.744** | 1 | |||||
| Intellectual property protection | −.452** | −.624** | −.832** | .859** | 1 | ||||
| Availability of latest technologies | −.584** | −.680** | −.847** | .892** | .867** | 1 | |||
| Secure Internet servers | −.542** | −.669** | −.722** | .637** | .693** | .681** | 1 | ||
| Quality of educational system | −.306** | −.394** | −.573** | .699** | .777** | .695** | .599** | 1 | |
| Extent staff training | −.378** | −.546** | −.695** | .771** | .873** | .792** | .658** | .797** | 1 |
| N | 111 | 104 | 104 | 139 | 139 | 139 | 139 | 139 | |
| Mean (Std. Dev.) | 19.47 (13.38) | .26 (.09) | .57 (.22) | 3.92 (.91) | 4.07 (1.03) | 4.82 (.91) | 347.72 (658.54) | 4.03 (.67) |
| Computers Cleaned | Encounter Rate | Software Piracy Rate | Laws Relating to ICTs | Intellectual Property Protection | Availability of Latest Technologies | Secure Internet Servers | Quality of Educational System | Extent Staff Training | |
|---|---|---|---|---|---|---|---|---|---|
| Computers cleaned | 1 | ||||||||
| Encounter rate | .815** | 1 | |||||||
| Software piracy rate | .612** | .749** | 1 | ||||||
| Laws relating to ICTs | −.541** | −.552** | −.744** | 1 | |||||
| Intellectual property protection | −.452** | −.624** | −.832** | .859** | 1 | ||||
| Availability of latest technologies | −.584** | −.680** | −.847** | .892** | .867** | 1 | |||
| Secure Internet servers | −.542** | −.669** | −.722** | .637** | .693** | .681** | 1 | ||
| Quality of educational system | −.306** | −.394** | −.573** | .699** | .777** | .695** | .599** | 1 | |
| Extent staff training | −.378** | −.546** | −.695** | .771** | .873** | .792** | .658** | .797** | 1 |
| N | 111 | 104 | 104 | 139 | 139 | 139 | 139 | 139 | |
| Mean (Std. Dev.) | 19.47 (13.38) | .26 (.09) | .57 (.22) | 3.92 (.91) | 4.07 (1.03) | 4.82 (.91) | 347.72 (658.54) | 4.03 (.67) |
Correlation is significant at the 0.01 level (two-tailed).
Multivariate Analysis
The indicators described earlier were then used to examine whether the elements of cybersecurity capacity would adequately explain levels of end-user security problems, when controlling for contextual factors that might provide alternative explanations for levels of cybersecurity capacity and their outcomes, such as the wealth of the nation. The central question guiding the analysis was whether the ICSC had a positive relationship with reduced levels of cybersecurity problems.
In order to test our theoretical model using empirical data, we used structural equation modeling. It is used widely in many fields as it allows analysis of both latent and observed variables. It also accounts for measurement error and examines direct as well as indirect relationships.42 Structural equation modeling, which includes path analysis and regression analysis, was done with SmartPLS.43 This tool allows the testing of complex theoretical models and it does not require an assumption of a normal distribution, enabling valid analyses even when a distribution is highly skewed.44 In order to test our model empirically, we ran two path analysis models, one without the ICSC variable included, and one the ICSC included as an intervening, moderating variable. This demonstrated whether the inclusion of ICSC would explain additional variance in end-user problems.
The results of the multivariate path models are provided in Tables 6 and 7, and Figure 2.
Model 1: Path Values Without Indicators of Cybersecurity Capacity
| Path Description | Path Coefficient and Significance | t-Score | CI Low† | CI High† |
|---|---|---|---|---|
| GDP per capita Internet users | 0.087** | 1.975 | 0.035 | 0.199 |
| GDP per capita % of Population using Internet | 0.677*** | 13.525 | 0.558 | 0.753 |
| GDP per capita End-user cybersecurity problems | −0.525*** | 4.275 | −0.800 | −0.318 |
| Number of Internet users Percentage of population using Internet | 0.614 | 1.099 | 0.209 | 2.508 |
| Path Description | Path Coefficient and Significance | t-Score | CI Low† | CI High† |
|---|---|---|---|---|
| GDP per capita Internet users | 0.087** | 1.975 | 0.035 | 0.199 |
| GDP per capita % of Population using Internet | 0.677*** | 13.525 | 0.558 | 0.753 |
| GDP per capita End-user cybersecurity problems | −0.525*** | 4.275 | −0.800 | −0.318 |
| Number of Internet users Percentage of population using Internet | 0.614 | 1.099 | 0.209 | 2.508 |
Confidence intervals are bias corrected;
p < .01;
p < .001.
Model 2: Path Values With Elements of Cybersecurity Capacity
| Path Description | Path Coefficient and Significance | t-Score | CI Low* | CI High* |
|---|---|---|---|---|
| GDP per capita Internet users | −0.087+ | 1.956 | 0.037 | 0.210 |
| GDP per capita Percentage of population using Internet | 0.677*** | 13.699 | 0.560 | 0.752 |
| GDP per capita Indicators of cybersecurity capacity | 0.459*** | 3.828 | 0.238 | 0.689 |
| GDP per capita End-user cybersecurity problems | −0.457*** | 3.768 | −0.796 | −0.300 |
| Total population Percentage of population using Internet | −0.046 | 1.203 | 0.194 | 2.485 |
| Total population Number of Internet users | −0.640*** | 29.934 | 0.873 | 0.995 |
| Number of Internet users Percentage of population using Internet | 0.614 | 0.799 | −0.044 | 0.200 |
| Percentage of population using Internet Indicators of cybersecurity capacity | 0.437*** | 4.008 | 0.208 | 0.623 |
| Indicators of cybersecurity capacity End-user cybersecurity problems | −0.370*** | 2.915 | −0.549 | −0.056 |
| Path Description | Path Coefficient and Significance | t-Score | CI Low* | CI High* |
|---|---|---|---|---|
| GDP per capita Internet users | −0.087+ | 1.956 | 0.037 | 0.210 |
| GDP per capita Percentage of population using Internet | 0.677*** | 13.699 | 0.560 | 0.752 |
| GDP per capita Indicators of cybersecurity capacity | 0.459*** | 3.828 | 0.238 | 0.689 |
| GDP per capita End-user cybersecurity problems | −0.457*** | 3.768 | −0.796 | −0.300 |
| Total population Percentage of population using Internet | −0.046 | 1.203 | 0.194 | 2.485 |
| Total population Number of Internet users | −0.640*** | 29.934 | 0.873 | 0.995 |
| Number of Internet users Percentage of population using Internet | 0.614 | 0.799 | −0.044 | 0.200 |
| Percentage of population using Internet Indicators of cybersecurity capacity | 0.437*** | 4.008 | 0.208 | 0.623 |
| Indicators of cybersecurity capacity End-user cybersecurity problems | −0.370*** | 2.915 | −0.549 | −0.056 |
Confidence intervals are bias corrected;
p = .05;
p < .001.
Results of Path Analysis
GDP indicates the economic resources available to a nation, and thus a factor in shaping the type of equipment used and the ability to maintain capacity indicators. Therefore GDP was seen as a key independent variable with number of Internet users as another independent variable. These both contribute to explaining centrality of the Internet, indicated by the percentage of the population online.
The ICSC is conceptualized as moderating variables, in shaping the experiences of end users. The end user's cybersecurity problems are the direct dependent outcome variable, the area of concerns.
As noted earlier, two separate analyses were run using SmartPLS,45 one without the ICSC and one with the ICSC indicators. Both analyses were done using a 5,000 bootstrap, and a path-weighting scheme with pairwise deletion for missing values. For the bootstrapping confidence interval method, the tests were set to bias corrected, no sign change, two-tailed confidence intervals at the .05 significance level.
Table 6 shows the path analysis results without the ICSC. This includes path beta values, t-scores, and bias-corrected confidence intervals. There was a strong inverse relationship (b = −0.650, t(111)5.161, p < .001) between a higher percentage of people online and end user cybersecurity problems such as infection rate.
There was a clear difference in the explanatory power of the path models when the indicators for cybersecurity capacity were included in the analysis. However, caution must be used when looking at the first number, since even though the indicators for cybersecurity capacity are not specifically included in the first model, the indicators' influence on the cybersecurity issues in each country would still be present, given the high correlation between such variables as GDP and ICSC.
Model 2, which includes the ICSC indicators, shows even more clearly how closely ICSC is tied to lower end-user problems. The path values for the model using the indicators related to cybersecurity capacity are shown in Table 7.
The complete model, showing item loadings, path betas, and significance levels is shown in Figure 2. The loadings and significance values are displayed as an array around the ICSC construct. The path betas and significance levels are also included in the diagram. Shortened names of the ICSC variables are included for ease of reference.
Overall, the path model in Figure 2 shows that the higher percentage of the population that a nation has online, the higher the ICSC. The number of Internet users did not relate directly to higher ICSC. Controlling for all contextual variables in the model, the higher a nation's cybersecurity capacity, measured by ICSC, the lower the end-user cybersecurity problems in that nation.
Discussion
It is most often simply assumed that the expected benefits of building national cybersecurity capacity will materialize, but these expectations are largely based on logical reasoning, limited case studies, anecdotal evidence, and expert opinion rather than systematic empirical evidence. One reason for a lack of more systematic empirical evidence is that measures to evaluate the efficacy of capacity-building efforts are a challenge to gather. This may be a result of capacity-building initiatives being at early stages but also because of some limitations on transparency of such data by many key stakeholders involved in cybersecurity efforts. Also, the real final payoff of cybersecurity is tied to whether the general population of Internet users in a nation actually experience the benefits of a more secure cyber environment, an outcome that is difficult to reliably measure.
The result of this analysis of the role of cybersecurity capacity is promising as it empirically establishes the benefits of increased capacity for end users. One of the more surprising findings was that even though GDP per capita was a strong predictor of lower end-user cybersecurity problems, a large part of that difference appears to be from the indicators that are part of the cybersecurity capacity. Thus, it is not just financial resources, but choices tied to how these resources are used that helps reduce threats. These findings tend to confirm the value of conventional wisdom that building cybersecurity capacity will be of value to end users and therefore to the larger economy and society. Even when controlling for the wealth of a nation, and the scale and centrality of Internet use in the nations, elements of cybersecurity capacity have a strong impact on reducing end-user exposure to security problems.
The principle outcome variables in this study focused on the problems experienced by end users of the Internet. While each indicator raises some concerns over its reliability and validity, such as indicators based on a single—albeit major—provider, all the indicators are well correlated, suggesting they are measuring the same underlying phenomenon. While further research should seek to broaden the range of outcomes to be studied, there is support for the reliability of these indicators of end-user problems.
Moreover, other research on Internet users has found that trust in the Internet is a major factor shaping its use for the multitude of services emerging online, from shopping to participating in politics. And when users experience problems online, their trust in and use of the Internet is likely to be affected.46 In this way, and others, the Internet has been found to be an “experience technology.” Thus, if capacity building can indeed reduce end-user problems, then a multiplicity of benefits can be derived by virtue of individuals, organizations, and governments being more comfortable in using this technology. This is one illustration of how cybersecurity can enable many of the benefits that can derive from use of the Internet.
However, we also found that there is a divide among nations based on wealth that shapes their differential access to cybersecurity capacity-building measures. Wealth enhances the ability of nations to introduce many capacity-building initiatives, such as technical advances and training programs. While capacity building helps lower income nations to reduce end-user problems, they are most often less capable of introducing some capacity-building measures.
Two policy implications flow from this analysis. First, this analysis supports greater focus on cybersecurity capacity building, as it is likely to not only reduce end-user problems, but also enable end-users and organizations to reap more of the benefits derived from Internet use. Second, evidence of this cybersecurity divide provides indication of a need for international support for subsidizing capacity-building efforts in lower income nations. This is already taking place through such organizations as UNESCO, the World Bank, Organization of American States, and the ITU, but the evidence of this analysis adds support to the value of such international assistance. In a global system, like the Internet, the security of every nation is more or less shaped by the security of others. It is therefore in every nation's interest to raise the cybersecurity capacity-building efforts of all nations, particularly those who cannot afford critical investments in this area.
Limitations
This research has limitations, primarily tied to challenging measurement issues that are prevalent in most cross-national comparative studies, but more the case in areas of governmental and commercial sensitivity, such as cybersecurity. Nevertheless, available and reliable data enables us to develop surrogate indicators for every concept of our theoretical model. Moreover, the use of these proximate indicators allowed us to incorporate more nations in this study, enhancing its generalizability beyond this particular sample of nations.
We are engaged in efforts to collect more specific indicators based on field research in over 60 nations. The collection and refinement of these indicators will enhance the reliability and validity of our measurements, and enable us to examine multiple dimensions of cybersecurity capacity building. That said, better data on each nation will lead to a reduction in the number of nations that can be incorporated in our analysis, and be limited to those with the requisite field research on cybersecurity capacity. However, by looking at more direct indicators on a smaller sample, we will be able to validate or refine our understanding of the relationships found in this study using more indirect indicators across a larger sample of nations. Together, the analysis of the societal implications of cybersecurity capacity building will benefit from more systematic research on a wide range of nations.
Footnotes
For example, in November, 2016, the UK government announced a £1.9 billion increase in cybersecurity funding for the next year.
ITU.
Hathaway et al.
Australian Strategic Policy Institute (ASPI).
Economist Intelligence Unit.
A discussion of the GFCE and related initiatives is presented in GCSCC, “Collaborative Approaches to a Wicked Problem.”
Europol.
National Crime Agency.
GCSCC, “Cybersecurity Capacity Maturity Model for the Nations (CMM).”
Gelbstein.
Pawlak and Barmpaliou.
National Institute of Standards and Technology.
Cheng, Sims, and Teegen.
Symantec Corporation.
Bada and Saase.
Shillair et al.
Dutton.
Rotman.
Kshetri.
World Bank.
Internet World Stats.
Baller, Dutta, and Lanvin.
Microsoft, “Microsoft Security Intelligence Report.”
Ibid.
Ibid.
Ibid., 52.
Ibid.
Symantec Corporation; Verizon Enterprise Solutions; Ponemon Institute.
World Economic Forum, “Networked Readiness Index.”
Ibid.
Statista.
World Bank.
Internet World Stats.
World Economic Forum, “The Global Risks Report.”
Baller, Dutta, and Lanvin.
Ibid.
Ibid.
Baller, Dutta, and Lanvin; Choo; Verizon Enterprise Solutions.
Hayes.
Hayes, Glynn, and Huge.
Beran and Violato.
Ringle, Wende, and Becker.
Henseler and Sarstedt.
Ringle, Wende, and Becker.
Dutton and Shepherd; Dutton and Meyer; Blank and Dutton.
