CYBER SECURITY CAPABILITY MATURITY MODEL FOR CRITICAL INFORMATION TECHNOLOGY INFRASTRUCTURE AMONG NIGERIA FINANCIAL ORGANIZATIONS


CYBER SECURITY CAPABILITY MATURITY MODEL FOR CRITICAL INFORMATION TECHNOLOGY INFRASTRUCTURE AMONG NIGERIA FINANCIAL ORGANIZATIONS  

ABSTRACT

The effectiveness of Nigeria Cybersecurity strategy can have serious effect on the Cybersecurity stance of the country and significantly impact how well the country financial critical IT infrastructures are protected. In order to measure the strength and weaknesses of Cybersecurity, organizations can implement the develop Cybersecurity Capability Maturity Model. Cybersecurity Capability Maturity Model (C2M2) for Nigeria financial organizations as a security oriented model to determine the level of Cybersecurity strength in Nigeria financial organizations. The develop model provided five maturity levels; Nothing Exists, Basic, Progressed, Advanced, and Innovative. The goal of this research is to build up a model that will validate the level of Cybersecurity strength in Nigeria financial organizations. Seven organizations which includes Guarantee Trust Bank , United Bank for Africa, Union Bank of Nigeria, First Bank of Nigeria, Stanbic-IBTC Bank, Federal Mortgage Bank, and Polaris Bank all located in Damaturu are chosen to measure their Cybersecurity preparedness using the develop model. Fully in-structured interview are performed with IT officers in case study. Results analysis show that all organizations in case study are at Advanced level.

TABLE OF CONTENTS

TITLE PAGE

DECLARATION ii

DEDICATION iii

ACKNOWLEDGEMENT iv

ABSTRACT v

ABSTRAK vi

TABLE OF CONTENTS vii

LIST OF TABLES xi

LIST OF FIGURES xii

LIST OF APPENDICES xiv

CHAPTER 1 INTRODUCTION 1

1.1 Introduction 1

1.2 Problem Background 2

1.3 Problem Statement 3

1.4 Research Aims 4

1.5 Research Objectives 4

1.6 Research Questions 4

1.7 Research Scope 5

1.8 Research Significance 5

1.9 Research Structure 5

1.10 Chapter Summary 6

CHAPTER 2 LITERATURE REVIEW 7

2.1 Introduction 7

2.2 Cybercrime in Nigeria 7

2.2.1Types of Cybercrime in Nigeria8

2.2.2Courses of Cybercrime in Nigeria8

2.2.3Impact of Cybercrime in Nigeria9

2.2.4 Problems of combating Cybercrime in Nigeria 10

Nigeria Cybersecurity Framework11

Critical Infrastructure11

Critical Infrastructure Sector Identification12

Critical Infrastructure Protection13

Overview of Maturity Model14

Importance of using Maturity Models15

Limitations of Maturity Models16

Types of Maturity Models17

Progression Maturity Models (PMM)17

Capability Maturity Models (CMM)18

Hybrid Maturity Models (HMM)19

Components of Maturity Models19

Levels20

Domains20

Attributes20

Cybersecurity Capability Maturity Model (C2M2)21

Information Security   Management   Maturity Model(ISM3)21

CybersecurityCapabilityMaturityModel

(C2M2) 22

SystemsSecurityEngineeringCapability

Maturity Model (SSE-CMM) 22

CommunityCyberSecurityCapability

Maturity Model (CCSMM) 23

AfricanUnionMaturityModelfor Cybersecurity (AUMMCS)23

Federal Financial Institutions Examination Council Capability Maturity Model (FFIEC-

CMM) 23

Comparison of   Cybersecurity   Capability   Maturity

Models 24

Identification of Research Gap26

Chapter Summary26

CHAPTER 3 RESEARCH METHODOLOGY 27

3.1 Introduction 27

3.2 Research Methodology 27

3.3 Research Framework 28

3.4 Research Design 30

3.4.1Phase I: Investigating the existing C2M230

3.4.2Phase I: Model Development30

3.4.3Phase III: Data Collection and Analysis31

3.4.3.1Questionnaire31

3.4.3.2Cybersecurity Capability Maturity Model Documentations

31

3.4.3.3Data Analysis32

3.5 Chapter Summary 32

CHAPTER 4 DESIGN AND IMPLEMENTATION 33

4.1 Introduction 33

4.2 Phase I: Planning 35

4.3 Phase II: Design 36

4.4 Phase III: Validation of C2M2-NF V1.0 40

4.4.1C2M2-NF V1.0 against C2M2 for IT Services40

4.4.2C2M2-NF V1.0 against C2M2-NF Version 1.0

against Electrical Subsector Cyber Security Capability Maturity Model (ES-C2M2 )

42

4.4.3C2M2-NF V1.0   against   Systems   Security

Engineering Capability Maturity Model (SSE-

CMM)44

4.4.4C2M2-NF V1.0 against Global Cyber Security

Capacity Centre(GCSCC)Cybersecurity

Capability Maturity Model (C2M2)46

4.4.5C2M2-NF V1.0   against   Community Cyber

Security Maturity    Model(CCSMM)47

4.4.6C2M2-NF V1.0 against Capability Maturity

Model andmetrics framework for Cyber Cloud Security (CMMCCS)

48

4.4.7 C2M2-NF V1.0 against Cybersecurity

Capability Maturity Model (C2M2) 50

4.5 Estimating   Degree   of Confidence of   C2M2-NF

Version 1.052

4.6 Using the Validated C2M2-NF Version 2.0 57

4.7 Chapter Summary 64

CHAPTER 5 DATA ANALYSIS 65

5.1 Introduction 65

5.2 Results 65

5.2.1Legal Regulations66

5.2.2Governance67

5.2.3Risk Management69

5.2.4Security Culture70

5.2.5Incidence Management72

5.3 Overall Results 74

5.4 Chapter Summary 76

CHAPTER 6 DISCUSSION AND CONCLUSION 77

6.1 Introduction 77

6.2 Summary of Research Achievements 77

6.3 Dissertation Limitations 78

6.4 Future Work Recommendations 78

6.5 Conclusion 79

REFERENCES 81

LIST OF TABLES

TABLE NO. TITLE PAGE

Table 4.1 Sources of Model Components 35

Table 4.2 Description of C2M2-NF V1 Maturity Indicator Levels

(MiLs) 38

Table 4.3 Support of the concepts in C2M2-NF V1.0 by C2M2 for IT

Services 41

Table 4.4 Support of the concepts in C2M2-NF Version 1.0 by ES-C2M2 43

Table 4.5 Support of the concepts in C2M2-NF Version 1.0 by SSE-

CMM 45

Table 4.6 Support of the concepts in C2M2-NF Version 1.0 by Global

Cyber Security Capacity Centre-C2M2 46

Table   4.7   Support of   the   concepts   in   C2M2-NF   Version   1.0   by Community Cyber Security Maturity Model(CCSMM) 48

Table 4.8 Support of the concepts in C2M2-NF Version 1.0 by Capability Maturity Model and metrics framework for

Cyber Cloud Security (CMMCCS) 49

Table 4.9 Support of   the   concepts   in   C2M2-NF   Version

Cybersecurity Capability Maturity Model (C2M2)1.0by

51

Table 4.10 Degree of Confidence Result interpretation 52

Table 4.11 Comparison of C2M2-NF V1.0 against other valid with frequency and DoC valuesmodels

53

Table 5.1 Respondent Organization and their Code 66

Table 5.2 Respondent practice on Legal Regulation domain 66

Table 5.3 Respondent practice on Governance domain 68

Table 5.4 Respondent practice on Risk Management domain 69

Table 5.5 Respondent practice on Security Culture domain 71

Table 5.6 Respondent practices on incidence management domain 73

Table 5.7 Summary of overall Maturity Indicator Levels 74

Table 5.8 Recommendations to achieve the Innovative Level 75

LIST OF FIGURES

FIGURE NO. TITLE PAGE

Figure 2.1 Critical Infrastructure Sectors 12

Figure 2.2 Phases of Critical Infrastructure Protection 13

Figure 2.3 National Infrastructure Protection Plan framework 13

Figure 2.4 Capability Maturity Model Version 1.1 16

Figure 2.5 Maturity Progression for Counting 18

Figure 2.6Comparison of Cybersecurity Capability Maturity Models 25

Figure 3.1 Research Framework 29

Figure 4.1 C2M2-NF Development Process 34

Figure 4.2 C2M2-NF Version 1.0 (Block View) 36

Figure 4.3 Maturity Indicator Levels (MiLs) of C2M2-NF V1.0 37

Figure 4.4 C2M2-NF Version 1.0 (Tree View) 39

Figure 4.5 C2M2 for IT Services 41

Figure 4.6 Electrical Subsector Cyber Security Capability Maturity 43

Figure 4.7 Systems Security Engineering Capability Maturity Model 44

Figure 4.8 Community Cyber Security Maturity Model (White, 2011) 47

Figure 4.9 Capability Maturity Model and metrics framework for Cyber

Cloud 49

Figure 4.10 Cybersecurity Capability Maturity Model (C2M2) 50

Figure 4.11 Degree of Confidence values of C2M2-NF Version 1.0 54

Figure 4.12 Degree of Confidence values of C2M2-NF Version 2.0 55

Figure 4.13 C2M2-NF Version 2.0 (Block View) 55

Figure 4.14 C2M2-NF Version 2.0 (Tree View) 56

Figure 4.15 Recommended Approach for Using C2M2 57

Figure 4.16 Legal Regulation flow diagram 59

Figure 4.17 Governance flow diagram 60

Figure 4.18 Risk Management flow diagram 61

Figure 4.19 Security Culture flow diagram 62

Figure 4.20 Incident Management flow diagram 63

Figure 5.1 Analysis of Legal Regulations Domain 67

Figure 5.2 Analysis of Governance Domain 68

Figure 5.3 Analysis of Risk Management domain 70

Figure 5.4 Analysis of Security Culture 72

Figure 5.5 Analysis of Incidence Management 74

Figure 5.6 Analysis of Overall Maturity Indicator Levels 75

LIST OF APPENDICES

APPENDIX TITLE PAGE

Appendix A Quesionnaire Error! Bookmark not defined.

CHAPTER 1

INTRODUCTION

1.1 Introduction

Cisco Inc define Cybersecurity as the practice of protecting network systems from digital attacks (Cisco, 2018). These attacks are usually planned at accessing, changing, or damaging sensitive data or interrupting common business processes(Cisco, 2018). Implementing efficient Cybersecurity procedures is mostly difficult today because the number of devices are more than the number of people (Cisco, 2018). Possible Cybersecurity threat nowadays as identify by Cisco Inc includes; Ransom ware, Malware, Social engineering and Phishing.

Cyberspace offer avenue for communications, Cybercriminals are lawbreakers that violet the use of Cyberspace whereas Cybersecurity is mean to protect Cyberspace. Also Cybersecurity is all about protecting data that is initiated in electronic form.

Cybercrime has become a new trend that is progressively rising as the IT continues to penetrate every aspect of our daily life and no one can guess its future (Omodunbi, Odiase, Olaniyan, & Esan, 2016). Casey consider Cybercrimes to be any illegal activities that involves computers and internet, including crimes that do not rely heavily on computers (Casey, 2005). According to (Adesina, 2017) Cybercrimes refers to any criminal activities which take place through the internet. Thus in general, Cybercrime refers to any crimes committed with the use of internet as a tools to target any victim. It consist of crimes that have been made by computers, such as dissemination of computer viruses, network intrusions, identity theft and stalking.

For any organization to achieve the security of its cyberspace against cyber crime, the organization need to evaluate the level of their Cybersecurity capability and search for their problem and solve them. Cybersecurity Capability Maturity Model (C2M2) is develop as a tool to analyze the capability maturity level of organization to protect it critical infrastructure in cyberspace.

1.2 Problem Background

The development of the information technology (IT) and the increase access to web resources has give rise to new opportunities for financial transactions, as well as those who engage in illegal activities. Financial systems, all over the globe, play fundamental roles in the development and growth of the economy (Dai, Huu, & Zoltán, 2017). The rise of, and rapid progress in, IT based systems, are primary to essential changes in how financial organizations interact with their clients. Internet banking has turn into the self-service deliverance canal that allows banks and various other business to provide information and offer services to their clients more handiness via the internet (OECD, 2008). However, the presence of bank in the cyberspace has also give chance to cyber criminals to infiltrate into customers sensitive information such as credit card information. Over twenty years, dishonest cyber space groups have continued to use the internet to commit offenses; this has suggested mixed reaction of panic in the society along with a rising unease concerning the state of cyberspace security (Barclay, 2014).

Earlier to the year 2001, the trend of cyber crime was not internationally related with Nigeria (Adesina, 2017). From then, the country has acquired an international dishonor in cyber criminality, particularly identity theft, aided through the use of the internet. Since the issue of cyber security is raising attention in the mind of Nigerians, This dissertation give an overview of Cybercrime issues in Nigeria financial organizations, identify the categories of attack against the financial institutions in Nigeria, identify who are those actors and finally explain the challenges of mitigating such criminalities and to examine current Cybersecurity

maturity models and propose a model that will be use by Nigerian financial organizations to evaluate their critical IT infrastructures applicability.

1.3 Problem Statement

Nigeria has a status for having a class of Cyber Threat actors popularly called 419 scams. These 419 scammers trick people into revealing their financial identities in other to use it and making money transfer. While these abuses have resulted in real financial damages, these Cyber Threat actors are seen as funny in the society. However, this is far from actuality and our image of Nigerian Cyber Threat actors must to be reorganize. Research carryout by professionals (Ibikunle & Eweniyi, 2013) shows that Nigeria has only 1,500 certified Cybersecurity Professionals and that the Nigeria is the most targeted nation of such attacks in Africa (Odumesi, 2014).

Strengthen the negative aspects of the problem is inadequate standards against which the Nigerian financial organizations can measure their current security status. To properly secure IT critical infrastructure and accurately report on its readiness to survive Cyberthreat, the Nigerian financial organizations need a common measurement tools in addition to NCSS   standard controls and AUMMCS- 1, to provide a framework for assessing and reporting Cybersecurity readiness. The Inadequate standard tools, Inadequate IT security professionals, immature cyber laws are the weakness to secure critical IT infrastructure among Nigeria financial organizations (Hassan, 2012).

To truly be effective, a Cybersecurity program must continually evolve and improve. This research focuses on addressing Inadequate standard tools by developing a Cybersecurity capability maturity model for Nigeria financial organizations.

1.4 Research Aims

The main aim of this research is to develop a Cybersecurity Capability Maturity Model (C2M2) for Nigeria financial organizations.

1.5 Research Objectives

The objectives of the research are :

(a) To identify and investigate Cybersecurity capability security domain components based on the existing Cybersecurity capability models which are relevant to the financial organizations

(b) To develop Cybersecurity capability maturity model specific for critical IT Infrastructure security in financial organizations

(c) To evaluate the maturity level of the Cybersecurity capabilities for critical IT infrastructure among Nigeria financial organizations.

1.6 Research Questions

This research is carried out based on the following questions

(a)       What are the Cybersecurity capability security domain components based on the existing Cybersecurity capability models relevant to the financial organizations.

(b) How to develop the Cybersecurity capability maturity model specific for critical IT infrastructure security in financial organizations.

(c) How to evaluate the maturity level of the Cybersecurity critical IT infrastructure among Nigeria financial organizations.

1.7 Research Scope

In order to reach the objectives stated above, the scope of this study is limited to the following:

(a) The study is focusing on Cybersecurity Capability Maturity Models and specially to Nigeria finacial organizations.

(b) Research assessment is accomplished by performing a fully in-structured interview with IT Officers in order to assess the maturity level of the selected case study as mention above.

1.8 Research Significance

The main significance of this research is to contribute to the development of the Cybersecurity area that will be easy for the Nigeria Financial organizations to apply to their organization in other to evaluate their strength in protecting their critical IT Infrastructure against any Cyberthreat.

1.9 Research Structure

This dissertation is structured into six chapters. To accelerate understandings to the dissertation, a brief overview of the contents of each chapter are as follows:

Chapter 1 Introduction of the research and serves as a road map to reader through brief description on the contributions of this dissertation.

Chapter 2 Literature Review for the dissertation through previous related published papers. This includes the reviews of research related to the method and process of C2M2 development.

Chapter 3 Research Design provides the methodology used on this dissertation. The research design comprises of three phases namely; 1) Investigating the existing C2M2 2) Model Development and 3) Data Collection and Analysis.

Chapter 4 Performs three steps of development process, Model validation using Comparison with other validated models and Frequency-based selection techniques.

Chapter 5 Data analysis provide details on how respondent organizations practices are measure to find out their C2M2-level. Seven organizations responded name Union Bank, Guarantee Trust Bank, First Bank, Polaris Bank, Stanbic-IBTC Bank, United Bank for Africa and Federal Mortgage Bank of Nigeria. at the end of the analysis, recommendations to achieve the Innovative Level for responded organizations are listed.

Chapter 6 Summary of achievement, research limitations, recommendation for future work and Conclusion.

1.10 Chapter Summary

In conclusion, this chapter mainly discussed about the preliminary information about the research. Problem background and research aim is pointed out for reader to have a better understanding on the reason this research are needed. Besides that, the objectives, research scope, and research contribution are also provided to clear information on areas that been focused on this dissertation. In the next chapter (Chapter two), literature review of the thesis will be elaborate, discuss, and discussion of relevant C2M2.

.

CYBER SECURITY CAPABILITY MATURITY MODEL FOR CRITICAL INFORMATION TECHNOLOGY INFRASTRUCTURE AMONG NIGERIA FINANCIAL ORGANIZATIONS



TYPE IN YOUR TOPIC AND CLICK SEARCH.




TESTIMONIES FROM OUR CLIENTS


Please feel free to carefully review some written and captured responses from our satisfied clients.

  • "Exceptionally outstanding. Highly recommend for all who wish to have effective and excellent project defence. Easily Accessable, Affordable, Effective and effective."

    Debby Henry George, Massachusetts Institute of Technology (MIT), Cambridge, USA.
  • "I saw this website on facebook page and I did not even bother since I was in a hurry to complete my project. But I am totally amazed that when I visited the website and saw the topic I was looking for and I decided to give a try and now I have received it within an hour after ordering the material. Am grateful guys!"

    Hilary Yusuf, United States International University Africa, Nairobi, Kenya.
  • "Researchwap.net is a website I recommend to all student and researchers within and outside the country. The web owners are doing great job and I appreciate them for that. Once again, thank you very much "researchwap.net" and God bless you and your business! ."

    Debby Henry George, Massachusetts Institute of Technology (MIT), Cambridge, USA.
  • "Great User Experience, Nice flows and Superb functionalities.The app is indeed a great tech innovation for greasing the wheels of final year, research and other pedagogical related project works. A trial would definitely convince you."

    Lamilare Valentine, Kwame Nkrumah University, Kumasi, Ghana.
  • "I love what you guys are doing, your material guided me well through my research. Thank you for helping me achieve academic success."

    Sampson, University of Nigeria, Nsukka.
  • "researchwap.com is God-sent! I got good grades in my seminar and project with the help of your service, thank you soooooo much."

    Cynthia, Akwa Ibom State University .
  • "Sorry, it was in my spam folder all along, I should have looked it up properly first. Please keep up the good work, your team is quite commited. Am grateful...I will certainly refer my friends too."

    Elizabeth, Obafemi Awolowo University
  • "Am happy the defense went well, thanks to your articles. I may not be able to express how grateful I am for all your assistance, but on my honour, I owe you guys a good number of referrals. Thank you once again."

    Ali Olanrewaju, Lagos State University.
  • "My Dear Researchwap, initially I never believed one can actually do honest business transactions with Nigerians online until i stumbled into your website. You have broken a new legacy of record as far as am concerned. Keep up the good work!"

    Willie Ekereobong, University of Port Harcourt.
  • "WOW, SO IT'S TRUE??!! I can't believe I got this quality work for just 3k...I thought it was scam ooo. I wouldn't mind if it goes for over 5k, its worth it. Thank you!"

    Theressa, Igbinedion University.
  • "I did not see my project topic on your website so I decided to call your customer care number, the attention I got was epic! I got help from the beginning to the end of my project in just 3 days, they even taught me how to defend my project and I got a 'B' at the end. Thank you so much researchwap.com, infact, I owe my graduating well today to you guys...."

    Joseph, Abia state Polytechnic.
  • "My friend told me about ResearchWap website, I doubted her until I saw her receive her full project in less than 15 miniutes, I tried mine too and got it same, right now, am telling everyone in my school about researchwap.com, no one has to suffer any more writing their project. Thank you for making life easy for me and my fellow students... Keep up the good work"

    Christiana, Landmark University .
  • "I wish I knew you guys when I wrote my first degree project, it took so much time and effort then. Now, with just a click of a button, I got my complete project in less than 15 minutes. You guys are too amazing!."

    Musa, Federal University of Technology Minna
  • "I was scared at first when I saw your website but I decided to risk my last 3k and surprisingly I got my complete project in my email box instantly. This is so nice!!!."

    Ali Obafemi, Ibrahim Badamasi Babangida University, Niger State.
  • To contribute to our success story, send us a feedback or please kindly call 2348037664978.
    Then your comment and contact will be published here also with your consent.

    Thank you for choosing researchwap.com.