ABSTRACT
The cybersecurity landscape is evolving rapidly, and the threats that come with it are familiar to most organizations in Kenya, whether small, medium, or large. With the rise of cyber risks such as high-profile cyber-attacks and data breaches, businesses across all industries have stepped up and made cybersecurity a top priority and a key objective. Conducting a cyber maturity assessment provides assurance to the board of directors, senior management, employees, clients, and other stakeholders about the organization’s ability to protect its information assets and its preparedness against cyber threats. With such an assessment in place, an organization can identify, assess, prioritize, and mitigate its cybersecurity risks in a timely manner.
This study proposes a framework and a toolkit intended to help organizations conduct assessments that provide an informed overview of the organization’s cybersecurity posture and data for cybersecurity-related decisions. The toolkit was built in Microsoft Excel and is organized around IT security controls that organizations can implement to ensure a sound information security management program. It has then been automated into a prototype that enables organizations to carry out cloud-based assessments through a software-as-a-service (SaaS) platform.
TABLE OF CONTENTS
DECLARATION
DEDICATION
ACKNOWLEDGMENTS
ABSTRACT
TABLE OF CONTENTS
DEFINITION OF TERMS
ABBREVIATION/ACRONYMS
LIST OF FIGURES
LIST OF TABLES
CHAPTER ONE: INTRODUCTION AND BACKGROUND INFORMATION
1.1 Background
1.2 Research problem
1.3 Objectives of the study
1.3.1 Overall objective
1.3.2 Specific objectives
1.4 Research questions
1.5 Justification of the research
1.6 Scope of the research
1.7 Assumptions
CHAPTER TWO: LITERATURE REVIEW
2.1 Essential components of a cybersecurity maturity model
2.2 Existing work on maturity models, cybersecurity frameworks and regulatory requirements
2.2.1 The CREST Maturity Assessment Model
2.2.2 Cybersecurity Capability Maturity Model (C2M2)
2.2.3 The NICE Capability Maturity Model (NICE-CMM)
2.2.4 CERT Resilience Management Model (CERT-RMM)
2.2.5 NIST Cybersecurity Framework (CSF)
2.2.6 COBIT Capability Maturity Model
2.2.7 Central Bank of Kenya Guidance Note on Cybersecurity
2.3 Existing work on cybersecurity maturity assessment tools
2.4 Summary of review of literature and identified gap
2.5 Proposed solution
CHAPTER THREE: METHODOLOGY
3.1 Research design
3.2 Research site
3.3 Target population and sampling
3.4 Data collection instruments and techniques
3.5 Data analysis
3.6 System development methodology
3.7 Ethical considerations
CHAPTER FOUR: SYSTEM ANALYSIS, SYSTEM DESIGN & IMPLEMENTATION
4.1 System analysis
4.1.1 Feasibility analysis
4.1.1.1 Economic feasibility
4.1.1.2 Technical feasibility
4.1.1.3 Operational feasibility
4.1.1.4 Schedule feasibility
4.1.2 Requirement elicitation
4.1.2.1 Functional requirements
4.1.2.2 Non-functional requirements
4.1.3 System modelling
4.1.3.1 Use case diagrams
4.1.3.2 Context diagram
4.2 System design
4.2.1 Conceptual design
4.2.2 Database design
4.2.3 User interface design
4.3 System implementation
4.3.1 Hardware resources
4.3.2 Software resources
4.3.3 Choice of programming tools, techniques, and technologies
4.3.3.1 Java and Spring framework
4.3.3.2 MySQL
4.3.3.3 Angular JS
4.3.3.4 Docker
4.4 System testing
4.4.1 Walkthroughs with information security experts
4.4.2 Module testing
4.4.3 Regression testing
4.4.4 Integration testing
4.4.5 System testing
4.4.6 User acceptance testing
4.4.7 Test cases
4.4.8 Sample screenshots of the toolkit
CHAPTER FIVE: RESULTS AND DISCUSSIONS
5.1 Prototype evaluation and results
5.1.1 Functional evaluation
5.1.2 User testing results
5.2 Discussion
CHAPTER SIX: CONCLUSION AND RECOMMENDATIONS
6.1 Summary of findings
6.2 Conclusion
6.3 Contributions of the study
6.4 Future work
REFERENCES
APPENDIX
DEFINITION OF TERMS
Information Security – The practice of protecting the confidentiality, integrity, and availability of information system data from those with malicious intentions.
Cyber security – The body of technologies, processes, and practices designed to protect information assets from attack, damage, or unauthorized access.
Maturity model – A measurement of an organization’s ability to improve continuously in a particular discipline, such as cyber security / information security. In short, it indicates how well an organization, system, or process performs.
Cyber security maturity assessment – A rapid assessment of an organization’s readiness to prevent, detect, contain, and respond to cyber threats.
SANS 20 Critical Security Controls – A list of controls designed to provide maximum benefit in improving an organization’s information security posture against real-world threats.
NIST Cybersecurity Framework – A framework based on existing standards, guidelines, and practices that describes how organizations can manage and reduce cybersecurity risks.
ABBREVIATION/ACRONYMS
NIST – National Institute of Standards and Technology
SANS – SysAdmin, Audit, Network, Security
CSC – Critical Security Controls
CIS – Center for Internet Security
COBIT – Control Objectives for Information and Related Technologies
CIA – Confidentiality, Integrity, and Availability
GDPR – General Data Protection Regulation
ISM – Information security model
CMA – Cyber Maturity Assessment
LIST OF FIGURES
Figure 1: COBIT 5 assessment indicators
Figure 2: Conceptual framework
Figure 3: Research process used in this study
Figure 4: High-level study of information security management
Figure 5: Iterative development (prototyping) process
Figure 6: Service provider and customer super admin use case diagram
Figure 7: Customer inputter and reviewer use case diagram
Figure 8: Context diagram
Figure 9: Conceptual design
Figure 10: Database design
Figure 11: User interface design – Login screen
Figure 12: User interface design – Control procedure execution screen
Figure 13: Microsoft Excel cybersecurity maturity assessment framework showing the overall maturity level of an organization
Figure 14: Sample summary scoring for an individual cybersecurity domain
Figure 15: Updating the customer risk profile based on the organization’s annual risk assessment
Figure 16: Control requirements in the toolkit
Figure 17: Prototype subscription portal
Figure 18: Service provider portal for administration of the toolkit
Figure 19: Customer risk profile
Figure 20: Execution of a procedure based on the control requirements
Figure 21: Control attributes to ascertain the level of implementation of the control requirements
Figure 22: Overall cyber maturity score for an assessment
Figure 23: User experience results
Figure 24: Toolkit content
Figure 25: A flowchart showing how the toolkit computes a score for a particular control procedure
LIST OF TABLES
Table 1: Content analysis for in-depth interviews and focus group data
Table 2: Sample test case
Table 3: End user functional evaluation results
Table 4: Defined maturity levels
CHAPTER ONE
INTRODUCTION AND BACKGROUND INFORMATION
1.1 Background
The cybersecurity landscape is evolving rapidly, and the threats that come with it are familiar to most organizations in Kenya, whether small, medium, or large. With the rise of cyber risks such as data breaches and network attacks, businesses across all industries have stepped up and made cybersecurity a top priority and a key objective. The importance of cybersecurity has become an undeniable fact. In their research, Serianu (2018) highlighted key challenges in the cybersecurity space, such as a lack of solid experience and skills, high remuneration rates for the available professionals, increased organizational spending on cybersecurity, and an increase in targeted attacks. They also noted that the country faced not only a shortage of skilled people but an even greater shortage of software developers who can design secure information systems, write safe programs, and create the solutions needed to contain cyber threats.
Organizations have critical assets that are exposed to cyber threats; these threats exploit vulnerabilities that in turn affect the confidentiality, integrity, and availability of information. Information security has become an essential tool for managing security risks. When implemented properly, it creates confidence and trust, which leads to the success of the business. Several cybersecurity maturity models have already been developed to help organizations mitigate security risks. KPMG (2015), during the ISACA Kenya Annual Conference (Secure Kenya II), defined cyber maturity assessment as an assessment of an organization’s readiness level to protect itself from cyber threats. An organization needs to adopt a strategy that expresses its vision, high-level objectives, guiding policy principles, and explicitly accepted priorities in order to address specific cybersecurity issues (Silensec, 2016). Businesses already have controls at their disposal to help them keep their systems and networks safe. These include information security models and frameworks that provide a way of measuring and communicating cybersecurity readiness to relevant stakeholders, thereby supporting regulatory compliance, corporate responsibility, and improved brand quality (Wilde, 2014).
Conducting a cyber maturity assessment for an organization therefore provides assurance about its preparedness against cybersecurity threats. With this in place, an organization can identify, assess, prioritize, and mitigate its cybersecurity risks in a timely manner. This study proposes a maturity model derived from existing maturity models, frameworks, information security standards, and regulations. It also automates the model through a prototype that aims to enable organizations to carry out a self-assessment of their maturity level and security posture without hiring an expert.
1.2 Research problem
An inadequate assessment of an organization’s cyber maturity level can lead to miscalculated priorities and, at times, wasted investments. It is therefore important to be aware of the current security posture and the controls in place (Rabii et al., 2020). Organizations must know what threats they are exposed to and which assets can be targeted. After all, the funds available for investing in cybersecurity are limited, so the related risks must be mitigated in a resource-efficient manner. To mitigate these risks, an organization needs to assess its preparedness for information security management by knowing its cybersecurity maturity level, which acts as an indicator of its ability to identify and protect information assets against cyber threats. In short, organizations need to be aware of the cyber threat landscape they face and should have a clear measurement tool and a roadmap for improving their cybersecurity risk assessment.
Conducting a cybersecurity maturity assessment has been a problem for many organizations, since skilled talent remains scarce even though models exist that can be used. The existing models discussed in the literature review may not be easily adapted to cover all critical security controls as well as the regulations of governments or regulatory bodies, hence the need for customization. In addition, an expert such as a cybersecurity consultant or specialist would still have to be hired to interpret the models and conduct the assessment. This can be expensive, since for the assessment to be effective it should be made a continuous process within the organization’s policies and procedures. For instance, in industries such as banking, financial institutions are compelled to outsource the service to consulting firms, for example the “Big Four” audit firms. These services come at a cost and thus grow the organization’s budget. This leads to the following problem statement:
The aim of this study is to design a cyber maturity toolkit for self-assessment that can be used by organizations in different industries without having to hire a human expert or consultant.
1.3 Objectives of the study
1.3.1 Overall objective
The aim of this study is to provide a cyber maturity model and toolkit to aid self-assessment for different industries in Kenya especially banking.
1.3.2 Specific objectives
1. To review and evaluate existing cybersecurity models and frameworks that can be used for maturity level assessment across industries.
2. To design and develop a model for cybersecurity maturity assessment from the already existing models, security frameworks and other applicable regulations.
3. To examine requirements arising from the designed model and determine how they can be transformed into software modules.
4. To develop a prototype that automates the model through a toolkit for self-assessment.
1.4 Research questions
The research questions included:
1. How can industries in Kenya perform cyber maturity assessments?
2. How can a cyber maturity assessment model based on existing models and information security standards be designed?
3. How can the designed model be automated to aid self-assessment?
1.5 Justification of the research
The adoption of information technology by organizations to drive their business and processes clearly calls for better management of information security, because it rapidly expands the cyberattack surface. According to the Global Risks Report, cyberattacks ranked second among the risks of greatest concern for businesses, and the expert network rated cyberattacks on critical infrastructure as the fifth top risk in 2020 (World Economic Forum, 2020).
In this context, an assessment is crucial to provide an informed overview of the current cybersecurity posture and data for decision making. Every organization should understand its cyber preparedness so that top management does not underestimate cyber threats that can cause massive damage. Determining the maturity level helps identify gaps and highlight key areas of focus, which in turn guides the organization in developing a roadmap for mitigating the identified gaps.
1.6 Scope of the research
The scope was the banking sector in Kenya. This sector was chosen because it is well regulated by the Central Bank of Kenya (CBK) and data could be obtained easily, which supported the research effectively. Since financial institutions follow guidelines from the same regulator, the findings and results across different banks were not expected to vary by a large margin.
1.7 Assumptions
The assumptions included:
1. The prevailing operational procedures and systems in place are the same in most financial institutions.
2. Information from the available cybersecurity frameworks and regulatory requirements on cybersecurity was sufficient to support the design and development of a maturity model, especially for local industries.
3. The requirements arising from the designed cybersecurity model could be transformed into software modules, and those modules can be used to validate against what any information security framework implements.