LAB OF SOFTWARE ARCHITECTURES AND INFORMATION SYSTEMS
FACULTY OF INFORMATICS
MASARYK UNIVERSITY, BRNO
LASARIS SEMINAR 28.04.2022
Františka Romanovská, 433528@mail.muni.cz

Multi-level cybersecurity governance frameworks for public administration

Goals and Content
• Global Cybersecurity Index
• Multi-level cybersecurity governance in the context of public administration
• Approach comparison of selected territorial units
• Regional cybersecurity framework

Global Cybersecurity Index
• Initiative of the International Telecommunication Union (United Nations), from 2015
• Capacity development tool as it identifies areas for improvement
• Reports aim to evaluate commitments to cybersecurity of individual countries
• The report is used by countries to:
  • Facilitate discussion
  • Gather insight about national cybersecurity initiatives
  • Compare their efforts
  • Benchmarking
• GCI evolves – questionnaires are updated to reflect changes

GCI – How is the report created?
• 5 pillars, 20 indicators, 82 questions – the questions evolve in time
• No response collected: publicly available data are used
• Focal points
• Score 0 – 100, each pillar max 20 points

Pillars
Legal measures
• Existence of legal cybersecurity frameworks
• Data Protection Regulations
• Critical Infrastructure Regulations
• Minimum foundation for cybersecurity capabilities
Technical measures
• Existence of technical institutions
• CIRT
• Existence of framework dealing with cybersecurity
• Minimum-security criteria and accreditation for software
• National/sector-specific agencies

Pillars cont.
Organisational measures
• Existence of coordination institutions, policies, and strategies at the national level
• Identification of cybersecurity goals and strategic and delivery plans
• Definition of roles and responsibilities, governance model and supervisory body
Capacity development measures
• Socio-economical and political context
• Research and development
• Education and training programmes
• Certified experts
• Public sector agencies for capacity building
• Public awareness campaigns

Pillars cont.
Cooperative measures
• Existence of partnership and cooperative frameworks
• Between corporations, public agencies, and countries
• Information sharing networks

GCI report for 2020
• Progress in legislation regarding privacy, unauthorized access, and online safety
• Emphasis on establishing strategies (to build capacity and mitigate cyber risks)
• 2/3 of countries have a national cybersecurity strategy
• Online identity protection and data theft legislation lack attention
• 131 implemented CIRTs
• Only 1/3 has sector-specific CIRTs
• Lack of sector-specific training

GCI 2020 – Ranking (Global, Europe)

GCI 2020 – Czech Republic

GCI 2020 – Australia

GCI 2020 – Belgium

Multi-level governance of cybersecurity
• Different responsibilities for different levels of governmental institutions
  • State, region, district, city
• EU's Regulation on the internal market in electricity (sectoral)
• EU: focus on EU's agencies and the national governments
  • Regions and municipalities in the background
• Limitation: cybersecurity of a member state is a sensitive matter
• Advantages: closer connection to local and regional cybersecurity actors, possible improvement of GCI ranking

Australia's national cybersecurity strategy
• GCI ranking globally: 12, regionally: 5 (97.47)
• Improving cybersecurity through actions of different stakeholders
  • Governments, business, community
• Strong presence of public-private partnership
  • The Government and large businesses will help SMEs with their cybersecurity
• No explicit mention of cybersecurity governance on regional (state) levels
• Actions of the government that mention state/territorial/local governments:
  • Improving incident response procedures with the state and territory governments in cooperation with private sector and the Government
  • Providing technical assistance and supporting law enforcement to [...] state, and territory law enforcement agencies
  • Investing in expansion of Joint Cyber Security Centres

Belgium's national cybersecurity strategy
• GCI ranking globally: 19, regionally: 12 (96.25)
• Three regions have their own governments with several authorities
• GCI: everything except Organisational measures perfect vs. Belgium's cybersecurity strategy: insufficient capacity
• Cybersecurity is considered a shared responsibility
  • Citizens, companies, government services, and organisations of vital interest
• Cybersecurity is considered a federal matter managed on the national level
• No regional responsibilities are mentioned in the strategy

High-level Comparison
Australia
• Technical, Organisational, Cooperative Measures
• Cybersecurity = shared responsibility
  • Governments, business, community
• No explicit mention of cybersecurity governance on regional (state) levels; however
  • Improving incident response procedures with the state and territory governments
  • Providing technical assistance and supporting law enforcement to [...] state, and territory law enforcement agencies
  • Joint Cyber Security Centres
Belgium
• Organisational Measures
• Cybersecurity = shared responsibility
  • Government services, organisations of vital interest, companies, citizens
• No mention of cybersecurity governance on regional levels

Victoria and Queensland States
Victoria
• The first Australian state with its own cyber strategy
• The current strategy has a 5-year duration
• Current strategy has three main missions:
  1. Safe and reliable governmental services
  2. Vibrant cyber economy
  3. Cyber-safe place to work, live, and learn
Queensland
• Queensland's government has a cybersecurity department
• Doesn't have a cybersecurity strategy
• The department
  • Provides information about cybersecurity incidents
  • Operates a team that assists in solving incidents
  • Offers training related to cybersecurity
  • Provides cybersecurity services

Brussels-Capital and Flemish Regions
Brussels-Capital Region
• Whitepaper Towards a regional Cybersecurity plan (by Brussels Regional Informatics Centre and Brussels Prevention & Security)
• Methodological framework as a response to cyber threats
• Establish cybersecurity on the regional level
• Focus on raising awareness and managing IT policies, establish a knowledge and training centre
• Cybersecurity plan for the region
• Regional Cybersecurity Centre
Flemish Region
• Focus on the private sector
• Foundation for the Cybersecurity action plan (in the making)
• Solely focused on the private sector, secondary focus on research
• No development of governmental organisations is required
• GCI Organisational measures = least developed
• Action plan should focus on economic sector and the capacity of human resources

Low-level Comparison
• Both countries with high GCI score – no focus on multi-level governance
• No clear guidance
• Highly nonuniform
  • Cybersecurity strategy
  • Cybersecurity services for the public sector
  • Focus on the private sector
  • Regional Cyber Centre as a space for cooperation, no further elaboration

Regional cybersecurity framework
• Multi-level cybersecurity governance
  • Closer connection to regional stakeholders
• Regional cybersecurity centre
  • Space for cooperation
  • Provision of service for public administration in the region
  • Education and training
• GCI
  • Technical: Sectoral CIRT/CSIRT/CERT + awareness activities + information sharing
  • Organisational measures: Questions concern only the national level
  • Capacity development measures: sector-specific public awareness campaigns, national sector-specific educational programmes/training/courses, government incentive to encourage capacity development
  • Cooperative measures: Public-private partnership

Resources
• GCI report 2020: https://www.itu.int/dms_pub/itu-d/opb/str/D-STR-GCI.01-2021-PDF-E.pdf
• Kaklauskaité, M. (2020). Multi-level Governance in Cybersecurity: What Role for the European Regions? European Cybersecurity Journal, 6, 44–51. https://cybersecforum.eu/wp-content/uploads/2020/08/ECJ-VOLUME-6-2020-ISSUE-1.pdf
• European Parliament and Council of the European Union. (2019). Regulation (EU) 2019/943 of the European Parliament and of the Council of 5 June 2019 on the internal market for electricity (recast). Official Journal of the European Union, 54–124. https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32019R0943
• Australian Government. (August 2020). Australia's Cyber Security Strategy 2020. Tech. rep. https://www.homeaffairs.gov.au/cyber-security-subsite/files/cyber-security-strategy-2020.pdf
• Brussels Regional Informatics Centre. (2018). Towards a regional cybersecurity plan. Tech. rep. https://bric.brussels/en/news_publications/publications/papers/towards-a-regional-cybersecurity-plan-september-2018
• Queensland Government Customer and Digital Group. (December 2021). Cyber Security. Cyber Security. https://www.qgcio.qld.gov.au/information-on/cyber-security
• Victorian Government Melbourne. (April 2021). Victoria's Cyber Strategy 2021. Victorian Government Melbourne. https://www.vic.gov.au/sites/default/files/2021-06/DPC_Cyber%20Security%20Strategy_Accessible%20PDF.pdf
• Centre for Cyber Security Belgium. (May 2021). Cybersecurity Strategy Belgium 2.0 2021-2025. Tech. rep. https://ccb.belgium.be/sites/default/files/CCB_Strategie%202.0_UK_WEB.pdf
• Vlaamse minister van Werk, Economie, Wetenschap, Innovatie, en Sport. (2019). Quaternota aan de Vlaamse regering. Tech. rep. https://www.ewi-vlaanderen.be/sites/default/files/quaternota_aan_de_vlaamse_regering_-_vlaams_beleidsplan_cybersecurity.pdf