National cybersecurity strategies : review and analysis of evaluation frameworks
Haaga, Juha (2021-06-10)
Haaga, Juha
J. Haaga
10.06.2021
© 2021 Juha Haaga. Tämä Kohde on tekijänoikeuden ja/tai lähioikeuksien suojaama. Voit käyttää Kohdetta käyttöösi sovellettavan tekijänoikeutta ja lähioikeuksia koskevan lainsäädännön sallimilla tavoilla. Muunlaista käyttöä varten tarvitset oikeudenhaltijoiden luvan.
Julkaisun pysyvä osoite on
https://urn.fi/URN:NBN:fi:oulu-202106178384
https://urn.fi/URN:NBN:fi:oulu-202106178384
Tiivistelmä
National cybersecurity strategies (NCSS) are becoming increasingly important for society. They provide essential support for the development of both digital and traditional infrastructure, and a well-designed strategy can have a tremendous positive impact on a country. Therefore, for developers of a new strategy or researchers of previously published ones, it is good to understand the current state of the art on evaluating national cybersecurity strategy documents. Unfortunately, while there is some research on these strategies and comparisons between them, the published work is superficial. Moreover, the publications do not disclose their research methods, so it is challenging to evaluate their results. These limitations make it difficult to rely on previous research.
Objectives and proposed activities to achieve the desired outcomes form an essential part of a national cybersecurity strategy. However, little research on them exists. The relevant NCSS guides focus on structuring the entire drafting process at a high level, without details or suggestions on subtopics such as typical objectives or activities. This thesis addresses the research question: How are activities and objectives defined in the evaluation frameworks, and how do they relate to each other? In particular, can they be analyzed in a replicable way so that a body of knowledge of common and valuable objectives and activities in NCSS could be built?
It turns out that the existing definitions for objectives are lax. There is no consensus between NCSS writers or researchers in this domain on defining an objective or activity. As a result, these are readily mixed in the source documents, and the analytical frameworks that were studied are not extracting them reliably from the source documents.
The constructive analysis is one way of consistently defining the objectives and activities and applying a practical inference method to discover the connections between them. This approach was tested with the source material available from the previous works.
By applying the method in this research, objectives, and activities were classified more rigorously. The classification work enabled a better understanding of the activities and further analysis of their relationships, which were then documented and organized into a graph representation. That graph of objectives and activities can help readers and developers of future strategies to think about how to organize the goals of their NCSS. Furthermore, this research could provide a way for systematically expanding the body of knowledge about the requirements and dependencies, thus making it more straightforward to include objectives and activities in future strategies.
Finally, several future research avenues are discussed, which would expand the knowledge about the NCSS documents and begin to track their evolution more robustly over time. For example, there are avenues for both manual analysis and machine-learning-based unsupervised learning methods that could be applied for further insights.
Objectives and proposed activities to achieve the desired outcomes form an essential part of a national cybersecurity strategy. However, little research on them exists. The relevant NCSS guides focus on structuring the entire drafting process at a high level, without details or suggestions on subtopics such as typical objectives or activities. This thesis addresses the research question: How are activities and objectives defined in the evaluation frameworks, and how do they relate to each other? In particular, can they be analyzed in a replicable way so that a body of knowledge of common and valuable objectives and activities in NCSS could be built?
It turns out that the existing definitions for objectives are lax. There is no consensus between NCSS writers or researchers in this domain on defining an objective or activity. As a result, these are readily mixed in the source documents, and the analytical frameworks that were studied are not extracting them reliably from the source documents.
The constructive analysis is one way of consistently defining the objectives and activities and applying a practical inference method to discover the connections between them. This approach was tested with the source material available from the previous works.
By applying the method in this research, objectives, and activities were classified more rigorously. The classification work enabled a better understanding of the activities and further analysis of their relationships, which were then documented and organized into a graph representation. That graph of objectives and activities can help readers and developers of future strategies to think about how to organize the goals of their NCSS. Furthermore, this research could provide a way for systematically expanding the body of knowledge about the requirements and dependencies, thus making it more straightforward to include objectives and activities in future strategies.
Finally, several future research avenues are discussed, which would expand the knowledge about the NCSS documents and begin to track their evolution more robustly over time. For example, there are avenues for both manual analysis and machine-learning-based unsupervised learning methods that could be applied for further insights.
Kokoelmat
- Avoin saatavuus [31933]