In an age when cybersecurity vulnerabilities can be used as a pretext for a blockade, as in the case of Qatar prompted by a hack of the Qatar News Agency, it becomes incumbent upon states to consider legislating the capability maturity measurement and the development of their cybersecurity programs across the community. This paper proposes a Qatar Cybersecurity Capability Maturity Model (Q-C2M2) with a legislative framework. The paper discusses the origin, purpose and characteristics of a capability maturity model and its adoption in the cybersecurity domain. Driven by a thematic analysis under the document analysis methodology, the paper examines existing globally recognized cybersecurity capability maturity models and Qatar’s cybersecurity framework using publicly available documents. This paper also conducts a comparative analysis of existing cybersecurity capability maturity models in light of the Qatari cybersecurity framework, including a comparative analysis of cybersecurity capability maturity model literature. The comparative document analysis helped identify gaps in the existing Qatar National Information Assurance Policy and specifically the Qatar National Information Assurance Manual. The proposed Q-C2M2 aims to enhance Qatar’s cybersecurity framework by providing a workable Q-C2M2 with a legislative component that can be used to benchmark, measure and develop Qatar’s cybersecurity framework. The Q-C2M2 proposes the USERS domains consisting of Understand, Secure, Expose, Recover and Sustain. Each domain consists of subdomains, under which an organization can create cybersecurity activities at initial benchmarking. The Q-C2M2 uses the following five levels to measure the cybersecurity capability maturity of an organization: Initiating, Implementing, Developing, Adaptive and Agile.
Keywords: Cybersecurity, Qatar, Capability maturity model, C2M2, Blockade, Q-C2M2