Jazri, Husin (2019) Cybersecurity wellness index evaluation framework for critical organisations. Doctoral thesis, Universiti Pertahanan Nasional Malaysia.
Abstract
Cyber threats pose serious security challenges to organisations and nation states. To deal with the dynamics of such cyber threats, governments as well as international organisations have introduced initiatives to measure performance in countering them at both organisational and national levels. For instance, the United Nations agency the International Telecommunication Union (ITU) developed the Cyberwellness Index, countries like Estonia developed the Government National Cybersecurity Index, and the UK developed the National Cyber Security Centre Maturity Framework. These measurement tools and indexes, however, are very resource intensive and time consuming, and are not effective enough to respond to the dynamic and fluid changes in today’s cyber threat environment. It is critical that such measurement tools function like real-time technical solutions. This research introduces a new Management Model and Framework that not only simplifies the performance measurement framework but, when deployed in practice, is able to respond quickly to the rapidly changing threat environment. The research designs a symptomatic-based Cybersecurity Wellness Index Evaluation Framework that uses symptomatic Cybersecurity Vital Signs to evaluate cybersecurity risks for Critical Organisations. This new and dynamic model uses the simplest and quickest indicators to generate faster results, allowing organisations to be better prepared to cope with rapidly changing cyber threat dynamics. The Framework evaluates the cybersecurity wellness of Critical Organisations at the operational level, with the data aggregated as a group index to serve sectoral and strategic level evaluation.
The proposed Framework adapts the Core Functions of the NIST Framework for Improving Critical Infrastructure Cybersecurity as the main basis or template of evaluation, and makes use of Annex A of ISO/IEC 27001:2013 to generate the Cybersecurity Vital Signs that the Framework needs to function efficiently and effectively. The proposed Framework evaluates the cybersecurity wellness of 20 critical organisations using a Multiple Case Studies Research Method, with the Purposive Sampling Method used to select the target organisations. Each of the 114 vital signs selected contributes to an accumulated score that makes up the Cybersecurity Wellness Index of the evaluated organisations. A mixed research method was selected as the overall research design. Data was collected and vital signs were evaluated through semi-structured interviews and focus group discussions at 20 critical organisations, with 12 trained trusted facilitators deployed. Thematic Analysis was used to analyse all data collected, which was triangulated against thematic functions and categories to generate the scorecard that makes up the Cybersecurity Wellness Index of each organisation and of the group of 20 organisations collectively. The research findings validate that the proposed Framework works and offers a simplified, index-based cybersecurity wellness maturity model that can be used to measure organisations’ cybersecurity performance against evolving cyber threat dynamics.
Item Type: | Thesis (Doctoral) |
---|---|
Subjects: | Q Science > QA Mathematics > QA75 Electronic computers. Computer science |
Divisions: | Centre For Graduate Studies |
Depositing User: | Mr. Mohd Zulkifli Abd Wahab |
Date Deposited: | 23 Aug 2024 01:11 |
Last Modified: | 23 Aug 2024 01:11 |
URI: | http://ir.upnm.edu.my/id/eprint/451 |