The Three-Dimensional Model for a Community

Introduction

The 2-Dimensional model was the initial step to creating a roadmap for communities to follow when developing their cybersecurity program. The established characteristics help to define a community’s cybersecurity posture at each level. As a reminder, the characteristics are organized by awareness, information sharing, policy, and planning dimensions. They also establish the three building blocks; a yardstick, a roadmap, and a common point of reference as previously discussed. It wasn’t long after the characteristics were developed, that the CIAS researchers were discussing how cybersecurity guidelines affecting individuals in the community could be integrated into the CCSMM or how cybersecurity concepts for states should be integrated. This led to the realization that the model didn’t have enough depth to address these other areas. After many discussions, it was determined that the model needed to be 3-Dimensional (3-D). The model needed to be able to incorporate what individuals would need to do to improve their cybersecurity posture. It also needed to address organizations, states and ultimately the nation. There are two major considerations supporting this:

• 1)

  Everyone should have a role in cybersecurity

• 2)

  Effective cybersecurity is a collaborative effort

These concepts became the “The Whole Community Approach” theme for the Department of Homeland Security’s cybersecurity initiatives many years later.

The 3-Dimensional Model

The purpose of the 3-D Model is to broaden the capability of the framework allowing it to be flexible and scalable to address all aspects of a cybersecurity program. Consider the idea that individuals make up organizations; individuals and organizations make up communities; individuals, organizations and communities make up a state, tribe or territory; and the states, tribes and territories make up the nation. The change from a 2-D model to the 3-D model was a pivotal point in the creation of the Community Cyber Security Maturity Model. This shift created a model that can provide the improvement progression for everyone in the nation because the model can now support a roadmap for individuals, organizations, communities, states and the nation. In addition, it can integrate other frameworks such as the National Institute of Standards and Technology’s (NIST) Cyber Security Framework (CSF) (NIST, 2018) outlining the security controls necessary for an organization. It can also support the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework (NICE Framework) (NIST, 2017) a resource that categorizes and describes cybersecurity work and the cybersecurity workforce. Communities should be able to advance their cybersecurity posture naturally, but a defined program that provides step by step guidance is the assistance that is realistically needed.

Once the 3-D Model was accepted, all the major concepts needed to be brought together. A visual was developed that could show the primary concepts in an easy and understandable fashion. The visual depiction of the 3-D Community Cyber Security Model is a cube as shown in Figure 1. The cube contains blocks representing the dimensions, the levels of improvement, and the scope areas. Across the top there are 5 blocks that identify the progression levels of cybersecurity maturity. The lowest level of maturity is Level 1 – Initial, and the most mature is Level 5 - Vanguard. Each level is a different color making the distinction of levels easier to see. The 4 vertical blocks represent the dimensions. The dimensions are the focus areas where cybersecurity is being improved. The blocks are 5 deep. Each of these blocks represents the scope areas. The scope areas are individual, organization, community, state and nation. These represent who is improving their cybersecurity posture.

Figure 1.