
IST-Africa 2016 Conference Proceedings

Paul Cunningham and Miriam Cunningham (Eds)


IIMC International Information Management Corporation, 2016
ISBN: 978-1-905824-55-7

Cybersecurity Governance:
How can we measure it?
Rossouw DE BRUIN, SH von SOLMS
University of Johannesburg, Johannesburg, 2109, South Africa
Tel: +27 72 455 7161, Email: debruin.rossouw@gmail.com; basievs@uj.ac.za
Abstract: Any Corporate Governance aspect involves numerous steps when it
comes to determining how efficient and effective an organization’s governance
implementations are. Cybersecurity Governance is not much different in this regard.
As Cybersecurity Governance is a relatively new and very important concept, the
idea of assessing the efficacy of Cybersecurity and Cybersecurity Governance
implementation is still highly debated and researched. In this article, we discuss
adaptations to a Cybersecurity Governance Maturity Model and we will also discuss
a second and important aspect related to the Cybersecurity Governance Maturity
assessment: reporting. We will discuss how the maturity model can be used to create
descriptive and understandable reports for the various roles within the Board of
Directors and Executive Management.
Keywords: Information Security, Information Security Governance, Cyber Security,
Cyber Security Governance, Information Technology, Maturity Model, Cyber
Security Maturity Model, Reporting Tool, ISO/IEC 27032:2012.

1. Introduction
“Cyber war has already begun. In anticipation of hostilities, nations are already preparing
the battlefield. They are hacking into each other’s networks and infrastructures, laying in
trapdoor and logic bombs—now, during peacetime. This ongoing nature of cyber war, the
blurring of peace and war, adds a dangerous new dimension of instability.” - Richard A.
Clarke and Robert K. Knake [1]
In recent times the concept of Cyberspace [2, 3] has increased interest in, and the
importance of, Cybersecurity.
Cyberspace introduced numerous new threats, related to the inter-connectivity of
systems, and these new threats have stressed the importance of Cybersecurity Governance.
Numerous attempts to define Cybersecurity Governance and numerous attempts to
understand Cybersecurity Governance have been made [4, 5, 6, 7], but the concept is
probably not established widely enough to help specifically corporates to safeguard their
Internet-facing electronic assets.
Boards of Directors and Executive Management have however started to realise the
importance of Cybersecurity and Cybersecurity Governance, both because of the threats
posed to their companies, as well as the demands made by Corporate Governance [8, 9].
These governance requirements have demanded models and sets of management,
measurement and monitoring tools to aid boards in understanding the efficacy of their
Cybersecurity efforts – however, these tools are yet to be properly developed.
In this paper, we propose one such model to help to improve Cybersecurity
Governance.
It is important to note that this paper is not a reflection of what Boards of Directors and
Executive Management have already done with regards to Cybersecurity Governance, nor
is it a report of Cybersecurity Governance. Rather, this paper introduces and discusses a

Copyright © 2016 The authors http://www.ist-africa.org/Conference2016 Page 1 of 9


tool that can aid Boards of Directors and Executive Management to assess the efficacy of
their Cybersecurity and Cybersecurity Governance efforts.
The purpose and aim of this paper is to discuss a Cybersecurity Governance Maturity
Model. The model does not reflect any sort of technology or technological base; rather, it
focuses on numerous aspects of an organization, some of which may include technology.
The methodology used within this paper is as follows:
We base our discussion on the model discussed in [12] and include
additional components that can form part of our Cybersecurity Governance Maturity
Model. As the foundation of this model has already been laid in [12], the purpose of this
article is not to repeat it; we rather introduce another important concept of the model:
reporting. The last step of our discussion of the maturity model is to introduce the concept
of reporting the results of the maturity assessment to the various members of the Board of
Directors and Executive Management.
We will therefore, in section two, discuss what Cybersecurity is, how it is defined and
how it relates to information security.
Section three will discuss the threats introduced by Cyberspace and investigate how
these threats have added to conventional Information Security threats which existed before
the dawn of Cyberspace. These threats are not only technical, as this section will also
discuss. Boards of Directors and Executive Management have a responsibility towards
proper Cybersecurity Governance as demanded by Corporate Governance principles.
Section four introduces a maturity model with the purpose of assessing the maturity of
an organisation’s cybersecurity governance efforts, which would then require a reporting
mechanism, as discussed in section five, for boards and executive management to
understand their cybersecurity effort.
Section six concludes this article.

2. What is the Purpose of Cybersecurity and How Does it Relate to Information Security?
The National Initiative for Cybersecurity Careers and Studies defines cybersecurity as
“Strategy, policy, and standards regarding the security of and operations in cyberspace,
and encompass[ing] the full range of threat reduction, vulnerability reduction, deterrence,
international engagement, incident response, resiliency, and recovery policies and
activities, including computer network operations, information assurance, law enforcement,
diplomacy, military, and intelligence missions as they relate to the security and stability of
the global information and communications infrastructure.”[4].
The Merriam-Webster dictionary goes about defining cybersecurity as “Measures taken
to protect a computer or computer system (as on the Internet) against unauthorized access
or attack” [5].
ITU defines cybersecurity as “Cybersecurity is the collection of tools, policies, security
concepts, security safeguards, guidelines, risk management approaches, actions, training,
best practices, assurance and technologies that can be used to protect the cyber
environment and organization and user’s assets. Organization and user’s assets include
connected computing devices, personnel, infrastructure, applications, services,
telecommunications systems, and the totality of transmitted and/or stored information in the
cyber environment. Cybersecurity strives to ensure the attainment and maintenance of the
security properties of the organization and user’s assets against relevant security risks in
the cyber environment. The general security objectives comprise the following:
- Availability
- Integrity, which may include authenticity and non-repudiation
- Confidentiality” [6].



Although these definitions do not seem to be uniform, we can sense that most of them
share a common thread: that there is a relationship between Cybersecurity and
Information Security.
Fortunately, ISO 27032:2012 provides a good and clear illustration of what we should
recognise Cybersecurity to be and what precisely the relationship between Cybersecurity
and Information Security is, as illustrated in figure 1.
No matter how much connectivity Cyber Space introduced, the concepts of security
covered by Information Security are still applicable to Cybersecurity; the only changes are as
follows:
- Due to the increased connectivity, the need to be more protected has increased
because we are now exposed to more devices, equipment, users, etc. [10], and
- Due to the increased connectivity, Cyber Space introduced new security threats and
risks, as discussed in the next section.
The means and ways to protect against the above two points do not differ
between Cybersecurity and Information Security.
We can therefore argue that Cybersecurity and Information Security are not separate
ideas. Rather, as clearly indicated in figure 1, Cybersecurity appropriately lives within
Information Security and the security principles are the same – only the way in which they
are implemented differs.

Figure 1 Relationship Between Cybersecurity and Other Security Domains as Interpreted by ISO/IEC 27032:2012 [19]
As we will discuss later in this article, we need methods and tools to effectively govern
Cybersecurity. Methods such as maturity models are an effective means of governing
Cybersecurity [11]; however, simple and non-technical reporting tools are yet to receive
much needed attention.
The model defined within the ISO/IEC 27032:2012 document is the driving idea
behind this article and the proposed model, which will be discussed later in this article.

3. What Threats Did the Cyber Space Introduce?


The following statement of the Federal Investigation Agency in the Ministry of Interior of
the Government of Pakistan [10], “our increasing connectivity to and through cyberspace
increases our exposure to traditional adversaries and a growing body of new ones”,
enables us to have a two-sided view on Cyber Space:
1. We enjoy the benefits of connectivity, and
2. Malicious users and other cybercriminals can deploy improved and additional threats
to compromise our sense of security.



As point two above indicates, not all the security risks and threats introduced by
Cyber Space are unique. Viruses, malware, spam, phishing, spoofing, etc. can also be found
in Information Security; however, their reach and scope in Cyber Space have greatly
increased and cause additional pressures on Cybersecurity. There are numerous security
risks and threats introduced by the wider Cyber Space, such as:
- Ransomware,
- Distributed denial of service attacks,
- Bring your own device,
- Cyberbullying,
- Cyberterrorism,
- Cyber-espionage, etc.
Unfortunately, the above mentioned security threats and risks are not the
only concerns that companies need to address.
Corporate governance plays just as important a role in Cybersecurity as it did in
Information Security. Reports, standards and regulations such as King III, COBIT, etc.
clearly indicate that Boards of Directors and Executive Management need to be aware of
risks and threats related to the Cyber Space, as they are ultimately responsible for the well-
being of their companies [9].
If they are found to be careless, they can face severe penalties, including convictions
and fines.
With this in mind, what governance principles are available for Boards of Directors and
Executive Management to determine how efficient their Cybersecurity implementations
are? What can Boards of Directors and Executive Management do in order to measure and
improve their Cybersecurity?
Questions such as these are forcing Boards of Directors and Executive Management to
look for resources to measure their Corporate Governance implementations. One of these
Corporate Governance implementations – as already mentioned – is Cybersecurity
Governance. However, as the authors have noticed during their research efforts for this
article, the “resources” available are not as promising as we would have hoped for.
We have noticed that the available Maturity Models for certain aspects of Cybersecurity
Governance are very limited in what they cover and what they target. Also, none of the
identified models provides a comprehensive Maturity Model.
In the next section, we will provide a discussion of a Cybersecurity Governance
Maturity Model, as discussed in [12].

4. Cybersecurity Governance, a Board’s Perspective


Thus far, we have introduced Cybersecurity and how it relates to Information Security, and
we have also discussed additional threats that were introduced as a result of the wider
Cyber Space and the connectivity that it introduces.
In this section, we will briefly discuss Cybersecurity Governance – we have already
mentioned why it is important in section three. We will also provide an adaptation for a
Cybersecurity Governance Maturity Model as discussed in [12].
The consensus of the abovementioned article is as follows:
- Cybersecurity and Cybersecurity Governance are technical and there is a struggle
between IT personnel and Boards to effectively communicate IT – and cyber –
related information [13]; this includes everyday information relating to
Cybersecurity as well as detailed reports and reporting tools produced by
Cybersecurity Governance Maturity assessments,



- Although there are numerous models relating to Cybersecurity Governance Maturity
assessment, there is yet to be a Cybersecurity Governance Maturity Model developed
that can focus on an organisation as a whole,
- Not all Boards of Directors are concerned about Cybersecurity and Cybersecurity
Governance [14], etc.
With the above mentioned in mind, how does a Board proceed to measure their
Cybersecurity? What elements do they need to consider?
With this, we re-introduce the proposed Cybersecurity Governance Maturity Model as
discussed in [12], in figure 2.

Figure 2 Cyber Security Governance Maturity Model [12]


This model, proposed in [12], aims at assessing an organisation’s Cybersecurity efforts
across numerous aspects:
- Cybersecurity Capability
- Cybersecurity Contingency
- Cybersecurity Capacity Building
- Cybersecurity Conformance
- Cybersecurity Threat.
However, we feel that these five aspects are not enough, especially since Cybersecurity is
not only a technical issue anymore; it has evolved to include business issues [15]. There are
numerous legal aspects that an organisation needs to consider when it makes use of the
Cyber Space and when it provides services, within the Cyber Space, to the customer.
Also, with the introduction of the “Internet of Things”, computers and devices are getting much
closer to us. We can now perform medical procedures where the doctor(s) and patient are
located on different ends of the globe, we have medical equipment that can be remotely
operated, vehicles are becoming smarter, drones are equipped with combat weapons and
they are designed to operate “intelligently”, etc.

Figure 3 Adapted Cyber Security Governance Maturity Model (created by author)



With this, we suggest that the model as discussed in [12] should also focus on the following
two aspects, as illustrated in figure 3:
1. Legal aspects, and
2. Ethics.
The model as proposed in figure 3 is intended to cover a wide range of aspects relating
to an organisation; however, we accept that the model might not be complete, as there may
be aspects not included in the model which will show up in further studies of what should
be assessed.
Irrespective of how complete a Cybersecurity Governance Maturity model may ever be,
we still face an important issue as highlighted in the previous section: boards find
cybersecurity too technical, and simple reporting mechanisms do not always cater for this.
Boards of Directors are comprised of people with many different skills (business,
financial, IT, legal, etc.), and these people may not always be familiar – or at least not
very familiar – with aspects related to IT and Cybersecurity. Therefore, in order for
a Board comprised of such differently skilled people to conduct and understand a
Cybersecurity Governance Maturity assessment, they need simple reporting tools that can
cater for:
a. The CEO and/or chairman of the Board of Directors, who may not be technically
inclined, and
b. Each and every stakeholder across the Board (since each and every stakeholder
has a role to play within a Cybersecurity Governance Maturity assessment [16]).
As of yet, we have not come across a simple reporting tool that can successfully report
technical information related to Cybersecurity Governance Maturity for either of
the two points mentioned above in a simple and non-technical manner – and we need a
simple reporting tool that can report on technical information related to Cybersecurity
Governance Maturity for both the above mentioned points in a simple, easy to understand
and non-technical manner.
For a more detailed discussion of how the Cybersecurity Governance Maturity Model
can be used, refer to [12].
In [12], along with proposing a Cybersecurity Governance Maturity model, a reporting
concept in a form of a dashboard has been proposed and it will be expanded upon in the
next section.

5. Reporting to Top-Level Management


As mentioned previously, Cybersecurity Governance has now become an issue that the
entire organisation has to deal with and Boards of Directors and Executive Management
have a responsibility to properly implement Cybersecurity Governance [9, 16].
What we have found throughout this study, is that a simple and non-technical reporting
tool is needed that can report technical information related to Cybersecurity Governance
Maturity assessments to every layer of the Board, in a non-technical and easy to understand
manner.
Up until now, we have discussed a Cybersecurity Governance Maturity model that aims
at assessing the maturity of Cybersecurity implementations on numerous levels. A proposal
for a dashboard has been discussed in [12], wherein a simple, high-level overview of an
intensive Cybersecurity Governance Maturity assessment has been proposed. We have
included an adaptation of the proposed dashboard in figure 4.



Figure 4 (dashboard grid): rows are the seven sub-models of figure 3 (Cybersecurity Capability, Cybersecurity Contingency, Cybersecurity Capacity Building, Cybersecurity Conformance, Cybersecurity Threat, Cybersecurity Legal, Cybersecurity Ethics); columns are Level 1, Level 2, Level 3 and Level 4; each row carries one asterisk (*) in the column of its assessed overall maturity level. The column positions of the asterisks were not preserved in the extracted text.

Figure 4 Cybersecurity Governance Maturity Dashboard (adapted from [12])


Each aspect contained within the vertical axis is a cybersecurity sub-model illustrated in
figure 3 in the previous section.
The horizontal axis represents the overall maturity level of a particular aspect (vertical
axis) that has been assessed. This overall maturity level is calculated by making use of a
formula specified in [12] and the final result of the formula is plotted on the dashboard, as
illustrated in figure 4. The asterisk (*) used within the grid provides an overall indication
of how the particular maturity assessment has performed, i.e., the “Cybersecurity
Capability” maturity assessment received a * under level 2, indicating that the “Cyber
Security Capability Maturity sub-model” received an overall value of two – by making use
of the formula described in [12].
Although this dashboard proposes a high-level overview for the entire board, we still
feel that this is not enough, especially since Cybersecurity is a growing concern for
organisations [17, 18]. We need specialised information in a form that is understandable by
the various skilled personnel constituting the Board of Directors, Executive Management
and lower level management, as mentioned in the previous section.
The contribution we feel this article would make is that the proposed maturity model
should be used in conjunction with the proposed dashboard, since it provides an overall
illustration of aspects that could be improved.
For example, as illustrated in figure 4, since the Board noticed that the “Cybersecurity
Capability” assessment received an overall value of two, the Board would probably want to
know how they can improve it – as it is not close to a maximum level maturity rating. The
benefit of the dashboard is therefore as follows:
Each member of the Board, Executive Management and lower level management
should receive an elaborate report of a section of the Cybersecurity Governance Maturity
Assessment performed, applicable to their role within the company. For example, in figure 4, the
“Cybersecurity Capability” and “Cybersecurity Conformance” assessments could generate
highly detailed reports of the maturity assessments that have been done regarding the
“Cyber Security Capability Maturity sub-model” and “Cyber Security Conformance
Maturity sub-model”, respectively. These reports, since they deal with an organisation at a
“business” level – i.e., standards, policies, documentation, and industry-related
requirements, etc. – could be delivered directly to the CEO and Chairman of the Board.
These reports would also indicate what measures can be taken to improve upon areas that
need improvement and therefore likely improve the overall rating of the “Cybersecurity
Capability” assessment from level two to level three – or even to level four.
Similarly, the “Cybersecurity Contingency” and “Cybersecurity Threat” assessments, as
indicated in figure 4, could generate detailed – and technical – reports for the CIO/CISO,
since these two assessments deal with security threats, security risks and disaster recovery
plans.
In order for an organisation to improve the skillsets and overall Cybersecurity
awareness of the company’s personnel, the “Cybersecurity Capacity Building” and
“Cybersecurity Ethics” assessments, as indicated in figure 4, could generate detailed reports
for the HR department – unless the organisation has a specific department dealing with
ethics.
Lastly, the legal department of the organisation could receive a detailed report regarding
the “Cybersecurity Legal” assessment performed, as it indicates what legal aspects the
organisation should focus on in order to have the necessary legal requirements in place
regarding Cybersecurity.
The important aspect of these reports, other than being delivered to the relevant parties,
is that they contain information and instructions on how the organisation can proceed with
improving the areas indicated as needing improvement, and thereby improve its maturity rating.
This information would be beneficial to the overall maturity rating of the “Cybersecurity
Governance Maturity” assessment that was performed.

6. Conclusion
Cybersecurity is an expansion of the Internet that we could have expected much sooner. However,
it brought along with it much needed technological improvements, as well as security risks and
security threats.
Fortunately, we have standards that place an expectation on our shoulders for the
creation of tools to assess our cybersecurity implementations. These standards, however, do
not always clearly depict how the tools should be created, nor do they define what the tools
should cater for.
This has caused organisations to be confused about how Cybersecurity and Cybersecurity
Governance should be handled – and the confusion is not helped by the reports available.
In this article, we have discussed what Cybersecurity and Cybersecurity Governance are
and how they relate to Information Security.
We have also discussed the risks and threats introduced by Cybersecurity and how some
of these risks and threats have evolved from Information Security.
We have adapted a Cybersecurity Governance Maturity Model to focus on additional
organisational aspects to be measured and we have discussed the importance of a reporting
tool that can be interpreted by non-technical board members as well as by technical board
members.
There are numerous steps that should be taken when the proposed Cybersecurity
Governance Maturity Model is used and we will conclude this paper by introducing these
steps:
- Step 1: Assess the Model scope
The proposed model is designed to be dynamic, in the sense that
organizations can remove sections, parts or components that do not fit in with their
organization. They can also add sections, parts or components that are missing from
the model but are needed for their organization.
- Step 2: Use the model as part of an audit session
When the organization is satisfied with the scope of the model, they should use the
model as part of their auditing sessions. If the organization does not have auditing
sessions, the model is descriptive and detailed enough for it to act as
an auditing session.
- Step 3: Evaluate results
Once the auditing sessions have been completed and the model has been filled in, the
head of the auditing session or the person that conducted the audit should finalize the
model by creating a dashboard for the model as discussed in [12].
- Step 4: Create Reports
Once the dashboard has been created, reports as discussed in section 5 should be
created. These reports should make use of any recommendations made by the Maturity
model for steps that need improvement.
- Step 5: Present and Reassess



Once the reports have been created, they should be presented to the Board of
Directors and Executive Management where they need to be analyzed by all parties
concerned. Once the reports have been analyzed and the recommendations have been
made, the maturity assessment should be conducted again, either as a control for
implementation or as part of an external auditing session.

References
[1] Clarke RA, Knake RK. Cyber War - The Next Threat to National Security And What to Do About It. New York. 2010.
[2] Importance of Cyber Security; 2012. Available from: http://worldjusticeproject.org/blog/importance-cyber-security.
[3] Cyberspace: What is it, where is it and who cares?; 2014. Available from: http://www.armedforcesjournal.com/cyberspace-what-is-it-where-is-it-and-who-cares/.
[4] Explore Terms: A Glossary of Common Cybersecurity Terminology; n.d. Available from: https://niccs.us-cert.gov/glossary#letter_c.
[5] Cybersecurity; n.d. Available from: http://www.merriam-webster.com/dictionary/cybersecurity.
[6] Definition of cybersecurity; n.d. Available from: http://www.itu.int/en/ITU-T/studygroups/com17/Pages/cybersecurity.aspx.
[7] A brief introduction to cyber security for students who are new to the field; n.d. Available from: http://www.umuc.edu/cybersecurity/about/cybersecurity-basics.cfm.
[8] Board and cybersecurity, a story of dangerous liaisons!; 2015. Available from: https://business-digital-security.com/.
[9] 4 Steps to Integrate IT and Corporate Governance; 2014. Available from: http://www.isaca.org/Knowledge-Center/Research/Documents/COBIT-Focus-4-Steps-to-Integrate-IT-and-Corporate-Governance_nlt_Eng_1214.pdf.
[10] Introduction to National Response Center for Cyber Crime; n.d. Available from: http://www.fia.gov.pk/en/NR3C.php.
[11] Consultant’s Tool: What is a maturity model?; 2012. Available from: http://consultantsmind.com/2012/07/01/maturity-model/.
[12] de Bruin R, von Solms SH. Modelling Cyber Security Governance Maturity. 2015 IEEE International Symposium on Technology in Society (ISTAS); IEEE; 2015.
[13] One Big Threat to Cyber Security: IT Geeks Can’t Talk to Management; 2104. Available from: http://www.tripwire.com/state-of-security/featured/one-big-threat-to-cyber-security-it-geeks-cant-talk-to-management/.
[14] Do boards of directors actually care about cybersecurity?; 2015. Available from: http://www.csoonline.com/article/2978020/security-leadership/do-boards-of-directors-actually-care-about-cybersecurity.html.
[15] Cybersecurity: legal trends for a major business concern; 2014. Available from: http://www.financierworldwide.com/cybersecurity-legal-trends-for-a-major-business-concern/#.VlgvknYrJhE.
[16] Who is really accountable for Cyber Security? CISO? Think again...; 2015. Available from: https://www.linkedin.com/pulse/who-really-accountable-cyber-security-ciso-think-umesh.
[17] The sad stats on state of cybersecurity: 70% attack go unchecked; 2015. Available from: http://www.welivesecurity.com/2015/09/09/cybercrime-growing-concern-americans/.
[18] Cybersecurity Threats a Growing Concern for Small Business; n.d. Available from: http://informationassurance.regis.edu/ia-programs/resources/ia-update/cybersecurity-threats-a-growing-concern-for-small-business.
[19] SABS. ISO/IEC 27032:2012, Information Technology - Security techniques - Guidelines for cybersecurity. 2015.
