CYBER SECURITY CAPABILITY MATURITY MODELS FOR CRITICAL INFORMATION TECHNOLOGY INFRASTRUCTURE AMONG NIGERIA FINANCIAL ORGANIZATIONS
The effectiveness of Nigeria Cybersecurity strategy can have serious effect on the Cybersecurity stance of the country and significantly impact how well the country financial critical IT infrastructures are protected. In order to measure the strength and weaknesses of Cybersecurity, organizations can implement the develop Cybersecurity Capability Maturity Model. Cybersecurity Capability Maturity Model (C2M2) for Nigeria financial organizations as a security oriented model to determine the level of Cybersecurity strength in Nigeria financial organizations. The develop model provided five maturity levels; Nothing Exists, Basic, Progressed, Advanced, and Innovative. The goal of this research is to build up a model that will validate the level of Cybersecurity strength in Nigeria financial organizations. Seven organizations which includes Guarantee Trust Bank , United Bank for Africa, Union Bank of Nigeria, First Bank of Nigeria, Stanbic-IBTC Bank, Federal Mortgage Bank, and Polaris Bank all located in Damaturu are chosen to measure their Cybersecurity preparedness using the develop model. Fully in-structured interview are performed with IT officers in case study. Results analysis show that all organizations in case study are at Advanced level.
TABLE OF CONTENTS
TABLE OF CONTENTS vi
LIST OF TABLES x
LIST OF FIGURES xi
LIST OF APPENDICES xii
CHAPTER 1 INTRODUCTION 1
1.1 Introduction 1
1.2 Problem Background 2
1.3 Problem Statement 3
1.4 Research Aims 4
1.5 Research Objectives 4
1.6 Research Questions 4
1.7 Research Scope 5
1.8 Research Significance 5
1.9 Research Structure 5
1.10 Chapter Summary 6
CHAPTER 2 LITERATURE REVIEW 7
2.1 Introduction 7
2.2 Cybercrime in Nigeria 7
2.2.1Types of Cybercrime in Nigeria8
2.2.2Courses of Cybercrime in Nigeria8
2.2.3Impact of Cybercrime in Nigeria9
2.2.4 Problems of combating Cybercrime in Nigeria 10
Nigeria Cybersecurity Framework11
Critical Infrastructure Sector Identification12
Critical Infrastructure Protection13
Overview of Maturity Model14
Importance of using Maturity Models15
Limitations of Maturity Models16
Types of Maturity Models17
Progression Maturity Models (PMM)17
Capability Maturity Models (CMM)18
Hybrid Maturity Models (HMM)19
Components of Maturity Models19
Cybersecurity Capability Maturity Model (C2M2)21
Information Security Management Maturity Model(ISM3)21
Maturity Model (SSE-CMM) 22
Maturity Model (CCSMM) 23
AfricanUnionMaturityModelfor Cybersecurity (AUMMCS)23
Federal Financial Institutions Examination Council Capability Maturity Model (FFIEC-
Comparison of Cybersecurity Capability Maturity
Identification of Research Gap26
CHAPTER 3 RESEARCH METHODOLOGY 27
3.1 Introduction 27
3.2 Research Methodology 27
3.3 Research Framework 28
3.4 Research Design 30
3.4.1Phase I: Investigating the existing C2M230
3.4.2Phase I: Model Development30
3.4.3Phase III: Data Collection and Analysis31
22.214.171.124Cybersecurity Capability Maturity Model Documentations
3.5 Chapter Summary 32
CHAPTER 4 DESIGN AND IMPLEMENTATION 33
4.1 Introduction 33
4.2 Phase I: Planning 35
4.3 Phase II: Design 36
4.4 Phase III: Validation of C2M2-NF V1.0 40
4.4.1C2M2-NF V1.0 against C2M2 for IT Services40
4.4.2C2M2-NF V1.0 against C2M2-NF Version 1.0
against Electrical Subsector Cyber Security Capability Maturity Model (ES-C2M2 )
4.4.3C2M2-NF V1.0 against Systems Security
Engineering Capability Maturity Model (SSE-
4.4.4C2M2-NF V1.0 against Global Cyber Security
Capability Maturity Model (C2M2)46
4.4.5C2M2-NF V1.0 against Community Cyber
Security Maturity Model(CCSMM)47
4.4.6C2M2-NF V1.0 against Capability Maturity
Model andmetrics framework for Cyber Cloud Security (CMMCCS)
4.4.7 C2M2-NF V1.0 against Cybersecurity
Capability Maturity Model (C2M2) 50
4.5 Estimating Degree of Confidence of C2M2-NF
4.6 Using the Validated C2M2-NF Version 2.0 57
4.7 Chapter Summary 64
CHAPTER 5 DATA ANALYSIS 65
5.1 Introduction 65
5.2 Results 65
5.3 Overall Results 74
5.4 Chapter Summary 76
CHAPTER 6 DISCUSSION AND CONCLUSION 77
6.1 Introduction 77
6.2 Summary of Research Achievements 77
6.3 Dissertation Limitations 78
6.4 Future Work Recommendations 78
6.5 Conclusion 79
LIST OF TABLES
TABLE NO. TITLE PAGE
Table 4.1 Sources of Model Components 35
Table 4.2 Description of C2M2-NF V1 Maturity Indicator Levels
Table 4.3 Support of the concepts in C2M2-NF V1.0 by C2M2 for IT
Table 4.4 Support of the concepts in C2M2-NF Version 1.0 by ES-C2M2 43
Table 4.5 Support of the concepts in C2M2-NF Version 1.0 by SSE-
Table 4.6 Support of the concepts in C2M2-NF Version 1.0 by Global
Cyber Security Capacity Centre-C2M2 46
Table 4.7 Support of the concepts in C2M2-NF Version 1.0 by Community Cyber Security Maturity Model(CCSMM) 48
Table 4.8 Support of the concepts in C2M2-NF Version 1.0 by Capability Maturity Model and metrics framework for
Cyber Cloud Security (CMMCCS) 49
Table 4.9 Support of the concepts in C2M2-NF Version
Cybersecurity Capability Maturity Model (C2M2)1.0by
Table 4.10 Degree of Confidence Result interpretation 52
Table 4.11 Comparison of C2M2-NF V1.0 against other valid with frequency and DoC valuesmodels
Table 5.1 Respondent Organization and their Code 66
Table 5.2 Respondent practice on Legal Regulation domain 66
Table 5.3 Respondent practice on Governance domain 68
Table 5.4 Respondent practice on Risk Management domain 69
Table 5.5 Respondent practice on Security Culture domain 71
Table 5.6 Respondent practices on incidence management domain 73
Table 5.7 Summary of overall Maturity Indicator Levels 74
Table 5.8 Recommendations to achieve the Innovative Level 75
LIST OF FIGURES
FIGURE NO. TITLE PAGE
Figure 2.1 Critical Infrastructure Sectors 12
Figure 2.2 Phases of Critical Infrastructure Protection 13
Figure 2.3 National Infrastructure Protection Plan framework 13
Figure 2.4 Capability Maturity Model Version 1.1 16
Figure 2.5 Maturity Progression for Counting 18
Figure 2.6Comparison of Cybersecurity Capability Maturity Models 25
Figure 3.1 Research Framework 29
Figure 4.1 C2M2-NF Development Process 34
Figure 4.2 C2M2-NF Version 1.0 (Block View) 36
Figure 4.3 Maturity Indicator Levels (MiLs) of C2M2-NF V1.0 37
Figure 4.4 C2M2-NF Version 1.0 (Tree View) 39
Figure 4.5 C2M2 for IT Services 41
Figure 4.6 Electrical Subsector Cyber Security Capability Maturity 43
Figure 4.7 Systems Security Engineering Capability Maturity Model 44
Figure 4.8 Community Cyber Security Maturity Model (White, 2011) 47
Figure 4.9 Capability Maturity Model and metrics framework for Cyber
Figure 4.10 Cybersecurity Capability Maturity Model (C2M2) 50
Figure 4.11 Degree of Confidence values of C2M2-NF Version 1.0 54
Figure 4.12 Degree of Confidence values of C2M2-NF Version 2.0 55
Figure 4.13 C2M2-NF Version 2.0 (Block View) 55
Figure 4.14 C2M2-NF Version 2.0 (Tree View) 56
Figure 4.15 Recommended Approach for Using C2M2 57
Figure 4.16 Legal Regulation flow diagram 59
Figure 4.17 Governance flow diagram 60
Figure 4.18 Risk Management flow diagram 61
Figure 4.19 Security Culture flow diagram 62
Figure 4.20 Incident Management flow diagram 63
Figure 5.1 Analysis of Legal Regulations Domain 67
Figure 5.2 Analysis of Governance Domain 68
Figure 5.3 Analysis of Risk Management domain 70
Figure 5.4 Analysis of Security Culture 72
Figure 5.5 Analysis of Incidence Management 74
Figure 5.6 Analysis of Overall Maturity Indicator Levels 75
LIST OF APPENDICES
APPENDIX TITLE PAGE
Appendix A Quesionnaire Error! Bookmark not defined.
Cisco Inc define Cybersecurity as the practice of protecting network systems from digital attacks (Cisco, 2018). These attacks are usually planned at accessing, changing, or damaging sensitive data or interrupting common business processes(Cisco, 2018). Implementing efficient Cybersecurity procedures is mostly difficult today because the number of devices are more than the number of people (Cisco, 2018). Possible Cybersecurity threat nowadays as identify by Cisco Inc includes; Ransom ware, Malware, Social engineering and Phishing.
Cyberspace offer avenue for communications, Cybercriminals are lawbreakers that violet the use of Cyberspace whereas Cybersecurity is mean to protect Cyberspace. Also Cybersecurity is all about protecting data that is initiated in electronic form.
Cybercrime has become a new trend that is progressively rising as the IT continues to penetrate every aspect of our daily life and no one can guess its future (Omodunbi, Odiase, Olaniyan, & Esan, 2016). Casey consider Cybercrimes to be any illegal activities that involves computers and internet, including crimes that do not rely heavily on computers (Casey, 2005). According to (Adesina, 2017) Cybercrimes refers to any criminal activities which take place through the internet. Thus in general, Cybercrime refers to any crimes committed with the use of internet as a tools to target any victim. It consist of crimes that have been made by computers, such as dissemination of computer viruses, network intrusions, identity theft and stalking.
For any organization to achieve the security of its cyberspace against cyber crime, the organization need to evaluate the level of their Cybersecurity capability and search for their problem and solve them. Cybersecurity Capability Maturity Model (C2M2) is develop as a tool to analyze the capability maturity level of organization to protect it critical infrastructure in cyberspace.
1.2 Problem Background
The development of the information technology (IT) and the increase access to web resources has give rise to new opportunities for financial transactions, as well as those who engage in illegal activities. Financial systems, all over the globe, play fundamental roles in the development and growth of the economy (Dai, Huu, & Zoltán, 2017). The rise of, and rapid progress in, IT based systems, are primary to essential changes in how financial organizations interact with their clients. Internet banking has turn into the self-service deliverance canal that allows banks and various other business to provide information and offer services to their clients more handiness via the internet (OECD, 2008). However, the presence of bank in the cyberspace has also give chance to cyber criminals to infiltrate into customers sensitive information such as credit card information. Over twenty years, dishonest cyber space groups have continued to use the internet to commit offenses; this has suggested mixed reaction of panic in the society along with a rising unease concerning the state of cyberspace security (Barclay, 2014).
Earlier to the year 2001, the trend of cyber crime was not internationally related with Nigeria (Adesina, 2017). From then, the country has acquired an international dishonor in cyber criminality, particularly identity theft, aided through the use of the internet. Since the issue of cyber security is raising attention in the mind of Nigerians, This dissertation give an overview of Cybercrime issues in Nigeria financial organizations, identify the categories of attack against the financial institutions in Nigeria, identify who are those actors and finally explain the challenges of mitigating such criminalities and to examine current Cybersecurity
maturity models and propose a model that will be use by Nigerian financial organizations to evaluate their critical IT infrastructures applicability.
1.3 Problem Statement
Nigeria has a status for having a class of Cyber Threat actors popularly called 419 scams. These 419 scammers trick people into revealing their financial identities in other to use it and making money transfer. While these abuses have resulted in real financial damages, these Cyber Threat actors are seen as funny in the society. However, this is far from actuality and our image of Nigerian Cyber Threat actors must to be reorganize. Research carryout by professionals (Ibikunle & Eweniyi, 2013) shows that Nigeria has only 1,500 certified Cybersecurity Professionals and that the Nigeria is the most targeted nation of such attacks in Africa (Odumesi, 2014).
Strengthen the negative aspects of the problem is inadequate standards against which the Nigerian financial organizations can measure their current security status. To properly secure IT critical infrastructure and accurately report on its readiness to survive Cyberthreat, the Nigerian financial organizations need a common measurement tools in addition to NCSS standard controls and AUMMCS- 1, to provide a framework for assessing and reporting Cybersecurity readiness. The Inadequate standard tools, Inadequate IT security professionals, immature cyber laws are the weakness to secure critical IT infrastructure among Nigeria financial organizations (Hassan, 2012).
To truly be effective, a Cybersecurity program must continually evolve and improve. This research focuses on addressing Inadequate standard tools by developing a Cybersecurity capability maturity model for Nigeria financial organizations.
1.4 Research Aims
The main aim of this research is to develop a Cybersecurity Capability Maturity Model (C2M2) for Nigeria financial organizations.
1.5 Research Objectives
The objectives of the research are :
(a) To identify and investigate Cybersecurity capability security domain components based on the existing Cybersecurity capability models which are relevant to the financial organizations
(b) To develop Cybersecurity capability maturity model specific for critical IT Infrastructure security in financial organizations
(c) To evaluate the maturity level of the Cybersecurity capabilities for critical IT infrastructure among Nigeria financial organizations.
1.6 Research Questions
This research is carried out based on the following questions
(a) What are the Cybersecurity capability security domain components based on the existing Cybersecurity capability models relevant to the financial organizations.
(b) How to develop the Cybersecurity capability maturity model specific for critical IT infrastructure security in financial organizations.
(c) How to evaluate the maturity level of the Cybersecurity critical IT infrastructure among Nigeria financial organizations.
1.7 Research Scope
In order to reach the objectives stated above, the scope of this study is limited to the following:
(a) The study is focusing on Cybersecurity Capability Maturity Models and specially to Nigeria finacial organizations.
(b) Research assessment is accomplished by performing a fully in-structured interview with IT Officers in order to assess the maturity level of the selected case study as mention above.
1.8 Research Significance
The main significance of this research is to contribute to the development of the Cybersecurity area that will be easy for the Nigeria Financial organizations to apply to their organization in other to evaluate their strength in protecting their critical IT Infrastructure against any Cyberthreat.
1.9 Research Structure
This dissertation is structured into six chapters. To accelerate understandings to the dissertation, a brief overview of the contents of each chapter are as follows:
Chapter 1 Introduction of the research and serves as a road map to reader through brief description on the contributions of this dissertation.
Chapter 2 Literature Review for the dissertation through previous related published papers. This includes the reviews of research related to the method and process of C2M2 development.
Chapter 3 Research Design provides the methodology used on this dissertation. The research design comprises of three phases namely; 1) Investigating the existing C2M2 2) Model Development and 3) Data Collection and Analysis.
Chapter 4 Performs three steps of development process, Model validation using Comparison with other validated models and Frequency-based selection techniques.
Chapter 5 Data analysis provide details on how respondent organizations practices are measure to find out their C2M2-level. Seven organizations responded name Union Bank, Guarantee Trust Bank, First Bank, Polaris Bank, Stanbic-IBTC Bank, United Bank for Africa and Federal Mortgage Bank of Nigeria. at the end of the analysis, recommendations to achieve the Innovative Level for responded organizations are listed.
Chapter 6 Summary of achievement, research limitations, recommendation for future work and Conclusion.
1.10 Chapter Summary
In conclusion, this chapter mainly discussed about the preliminary information about the research. Problem background and research aim is pointed out for reader to have a better understanding on the reason this research are needed. Besides that, the objectives, research scope, and research contribution are also provided to clear information on areas that been focused on this dissertation. In the next chapter (Chapter two), literature review of the thesis will be elaborate, discuss, and discussion of relevant C2M2...