Developing Cybersecurity Capacity m o c . 5 A proof-of-concept implementation guide Jacopo Bellasio, Richard Flint, Nathan Ryan, Susanne Søndergaard, Cristina Gonzalez Monsalve, Arya Sofia Meranto, Anna Knack h t i g b u For more information on this publication, visit www.rand.org/t/RR2072 m o c . 5 b u Published by the RAND Corporation, Santa Monica, Calif., and Cambridge, UK © Copyright 2018 RAND Corporation R® is a registered trademark. h t i g RAND Europe is a not-for-profit organisation whose mission is to help improve policy and decisionmaking through research and analysis. RAND’s publications do not necessarily reflect the opinions of its research clients and sponsors. Limited Print and Electronic Distribution Rights This document and trademark(s) contained herein are protected by law. This representation of RAND intellectual property is provided for noncommercial use only. Unauthorized posting of this publication online is prohibited. Permission is given to duplicate this document for personal use only, as long as it is unaltered and complete. Permission is required from RAND to reproduce, or reuse in another form, any of its research documents for commercial use. For information on reprint and linking permissions, please visit www.rand.org/pubs/permissions. Support RAND Make a tax-deductible charitable contribution at www.rand.org/giving/contribute www.rand.org www.rand.org/randeurope Preface This report constitutes the second output of a project commissioned by the United Kingdom (UK) Foreign and Commonwealth Office (FCO), under which RAND Europe was tasked with developing a proof-of-concept operational toolbox to facilitate the development of national-level cybersecurity capacity. This project was financed through the UK FCO Cyber Security Capacity Building Programme. m o The purpose of the toolbox is to support countries in their efforts to develop holistic policy and investment strategies to tackle the complex challenges they face in the cyber domain. In particular, the c . 5 project seeks to enable a better translation of the results of national cyber maturity reviews and assessments into tangible policy recommendations and investment strategies, allowing policymakers to develop their countries’ cybersecurity capacity. b u This project comprised two main research and development phases. The first phase of the project entailed a requirements analysis and architecture-design effort. For further details on this phase, please refer to the first study report. The second phase of the project entailed the development of a proof-of-concept h t i g toolbox. This report presents the proof-of-concept toolbox. RAND Europe is an independent not-for-profit policy research organisation that helps to improve policy and decision making through research and analysis. RAND Europe’s clients include European governments, institutions, non-governmental organisations and firms with a need for rigorous, independent, multidisciplinary analysis. This report has been peer-reviewed in accordance with RAND’s quality-assurance standards. For more information about this study or this report, please contact: Giacomo Persi Paoli Research Leader, Defence, Security and Infrastructure RAND Europe Westbrook Centre, Milton Road Cambridge CB4 1YG United Kingdom Tel. +44 (1223) 353 329 gpersipa@rand.org iii m o h t i g b u c . 5 Table of contents Preface ..................................................................................................................................................... iii Table of contents....................................................................................................................................... v Figures .................................................................................................................................................... vii m o Tables ...................................................................................................................................................... ix Boxes ....................................................................................................................................................... xi Acknowledgements ................................................................................................................................ xiii c . 5 Abbreviations ............................................................................................