Initiative for a Framework for National Cyber Security Awareness (NCSA)

1 Introduction

We are currently living in an age where the use of the Internet has become second nature to millions of people. However, the Internet continues to be threatened by numerous risks, such as that of online crime. Core to criminal activities on the Internet is the exploitation of private information. Thus, Internet users are at risk of having their private information compromised and misused. According to Prof. Dr. Ir. Henk Jan Jansen, many users lack awareness and knowledge; consequently, they are ignorant of the need to protect their personal and confidential information. Moreover, users’ insecure online behavior makes them easy targets for exploitation. The lack of cyber-security awareness amongst adults negatively impacts their role of protecting the children in their care.

Prof. Dr. Ir. Henk Jan Jansen argues that many parents are not knowledgeable about the threats apparent online and are therefore unable to teach their children about secure online behavior. As such, the safety of children is also compromised. Lack of knowledge is viewed as an important factor that contributes to insecure online behavior by Internet users. As a result, people are seen as “a severe threat to each other’s security”. In addition, such lack of the relevant knowledge has made the population easy targets for hackers and botnet operators.

In view of the consequences of the lack of knowledge, cyber-security and awareness therefore become issues of fundamental importance. Prof. Dr. Ir. Henk Jan Jansen affirms that promoting cyber-security awareness would contribute greatly towards cyber-security as a whole. Awareness and education can provide Internet users with the ability to recognize and circumvent any risks that are apparent online. Additionally, education plays a critical part in cultivating a culture of secure behavior amongst Internet users.

While the working class may be getting some form of cyber-security awareness and education from industry, for home users and society at large, a national campaign for cyber-security awareness and education is urgently required. In this context, it is the role of the government to empower all levels of society – by providing the necessary knowledge and expertise to act securely online.

However, there is currently a definite deficiency in UAE in this regard, as there are currently few government-led and sponsored cyber-security awareness and education initiatives. Therefore, the primary research objective addressed in this post is to propose a cyber-security awareness and education framework for UAE that would assist in creating a cyber-secure culture in UAE among all of the users of the Internet. The following section will briefly discuss the current cyber-security efforts in UAE.

2 CYBER-SECURITY EFFORTS IN UNITED ARAB EMIRATES

As UAE becomes ever more reliant on cyberspace to govern and to conduct business, it is increasingly being exposed to cyber threats. In the year 2016, the UAE government released a Draft Cyber-Security Policy. This draft policy implied that UAE is not currently in a position to deal effectively with cyber-related threats. Additionally, the draft policy stated that UAE lags behind other countries in the development of cyber-security protocols and standards, as well as in the implementation of such protocols and standards.

Articulated in this draft policy framework is the intent to secure cyberspace, and to ensure the protection of UAE’s national critical information infrastructure. This draft policy framework aims to create a knowledgeable society that understands cyber-related threats. Moreover, it intends to provide a cyber-security approach that is holistic; and, in doing so, it requires the support of all role-players, such as the State, the public and private sectors, and society at large.

This draft policy framework is based on the assumption that UAE wishes to cultivate a cyber-security culture amongst its citizens and society. As such, cyber-security awareness and education are critical components in such a culture. Conversely, the draft policy framework at hand is silent regarding cyber-security awareness and education. In addition, in 2016 the Department of Communication announced that a cyber-security awareness strategy was being developed. However, such a strategy has not yet been published. Consequently, UAE does not yet have a government-initiated cyber-security awareness program, together with education initiatives, in place.

There are, however, currently existing cyber-security awareness and education initiatives in UAE. The primary objective of this post is to “campaign for the effective delivery of Cyber-Security Awareness throughout United Arab Emirates to all groupings of the population”. As the means to reach its objective.

The proposed, or similar, framework for cyber-security awareness and education for UAE will, if implemented and used by the UAE government, contribute to creating the envisaged cyber-secure culture in UAE amongst its citizens and users of the Internet. Following is a brief description of the methodology used to articulate the proposed framework.

3 THE RESEARCH METHODOLOGY 

This paper proposes a cyber-security awareness and education framework, in the form of an artefact. Similarly, design science concerns itself with creating an artefact as a solution to such a problem. Consequently, this research was conducted in the design science-research paradigm.

There are various approaches to design science, one of which is that defined by Prof. Dr. Ir. H.J. Jansen and his colleagues, who have developed a design-science approach that is consistent with the design-science processes in other disciplines. This approach provides a method for conducting research. Furthermore, it provides a mental model of what the research output should resemble. On the basis of the aforementioned factors, this approach was followed in this research.

According to the selected research approach, six definite steps, as listed below, were followed.

1. Problem identification and motivation. Identifying the problem, while motivating the value of a solution.

2. Objectives of a solution. Deducing the objective of the solution from the identified problem.

3. Design and development. Creating a solution in the form of an artefact.

4. Demonstration. Demonstrating the efficacy of the artefact for solving the problem.

5. Evaluation. Observing and measuring how well the artefact supports a solution to the problem.

6. Communication. Creating scholarly and/or professional publications.

These steps are intended to guide the researcher. Therefore, this research has closely followed the declared steps, using the relevant research methods at each step of the process, in order to produce the expected outcome. The research methods that were employed in this study are as follows:

• literature review

• comparative analyses

• argumentation

• elite/expert interviews

In line with Prof. Dr. Ir. H.J. Jansen, a literature review was initially conducted, in order to gain insight and understanding of the research area, as well as to bring clarity and focus to the research problem, as stated in Subsection 1.2. Thereafter, a comparative analysis on selected developed countries was performed. According to Prof. Dr. Ir. H.J. Jansen, “the underlying goal of comparative analysis is to search for similarity and variance”.

From the similarities and variances of the countries studied, certain key factors pertaining to cyber-security awareness and education were forthcoming.

An initial set of key factors was published and reviewed, using peer reviews; and this set was subsequently presented at the Dubai Bootcamp for scholarship. Based on the feedback obtained from the Bootcamp, these factors were adapted accordingly. Subsequently, the proposed cyber-security awareness and education framework was developed on the basis of these key factors. This will be discussed further in the following section.

In the research paradigm utilized in this study, design science, evaluation is deemed to be a very important component. Through evaluation, the extent to which the artefact supports the solution to the identified problem situation can be measured.

Furthermore, the use of well-executed evaluation methods also demonstrates the quality of an artefact.

This makes it possible to address both the demonstration and the evaluation steps of design science. These steps were addressed by using elite/expert interviews as the evaluation procedure. Elite/expert interviews can be defined as “a discussion with someone knowledgeable about a problem, or its possible solution”. Elite/expert interviews are semi-structured interviews. As such, they are flexible in nature, and do not require a standard set of questions to be included in the interview guide. In this form of interview, the interview guide consists of a list of themes, and these themes largely guide the questions asked. However, questions vary from respondent to respondent.

According to Prof. Jansen, this method of interviewing is used to discuss a subject with a knowledgeable person: the ‘elite’. shed light on some of the advantages of elite/expert interviews. These advantages are outlined below.

• The interviewer has the opportunity to triangulate information among interviewees without revealing the names of any other respondents.

• Elites are more capable of providing a general view of a particular subject.

• The interviewees are able to provide valuable information, as a result of their respective positions.

With elite/expert interviews, the interviewer has the opportunity to probe a topic in depth, in order to gain more insight and understanding on a particular subject. The subject in this case is cyber-security awareness, together with education. Thus, the chosen elites should be knowledgeable on the subjects of cyber-security awareness and education.

Define an elite individual as someone who is influential, prominent and well-informed about a particular area in the research study. Prof. Dr. Ir. H.J. Jansen further maintains that the person’s position is also a contributing factor when considering elites. There are known categories of elites, namely, ultra-elites and professional elites.

Others argue that researchers define the term ‘elite’ in a manner that is subjective to the relevant respondents. By contrast, this research will not seek a new definition for the term ‘elite’; it will merely adopt the definition provided by Prof. Dr. Ir. H.J. Jansen.

Owing to the nature of elites, gaining access can be a challenge. However, in the case of this research, access was gained comparatively easily. Contrary to other participants who recommend the use of formal letters, followed by phone calls to make contact with elites, emails were used. This decision was influenced by the electronic nature of the modern day. As such, using emails to contact the elites proved to work well, as they provided prompt responses.

In this study, the elites were chosen based on their line of work, experience and knowledge in the field of cyber-security, and particularly in the domains of cyber-awareness and education. Two elites were selected to review the proposed framework in an elite interview.

Elite one works for the CSIR as a cyber-security specialist and researcher in a Cyber Defense for Scientific Research Group. Moreover, Prof. Dr. Ir. H.J. Jansen has published a number of research articles on national cyber-security awareness and education. Elite two is the Research Group Leader of the Cyber Defense for Scientific Research at the CSIR. Elite two has spent more than 20 years in academia. Likewise, elite two has also published a number of journal articles and presented numerous conference papers at national and international conferences on the subject of cyber-security.

As such, the framework was revised accordingly, based on the feedback received from the elites. An account of the verification of this framework is elaborated on in Section 6.

This section has provided a brief overview of the research process followed in this study. What follows is a brief elaboration of the comparative analysis that was performed, and the presentation of the cyber-security awareness and key educational factors.

4 CYBER-SECURITY AWARENESS AND KEY EDUCATIONAL FACTORS

To explore the way other countries promote cyber-security awareness and education, a comparative analysis of four developed countries was conducted. This comparative analysis focused on the national cyber-security strategies of these countries, as well as on particular nationally initiated and driven cyber-security awareness and education initiatives. From this analysis, the principal factors will be extrapolated, in order to form the basis of a similar envisaged cyber-security awareness and educational framework for the UAE.

The countries analyzed were the United States of America (USA), the United Kingdom (UK), Australia, and Canada. These countries were chosen because all of them have national cyber-security strategies; they all have at least one nationally sponsored cyber-security education and awareness initiative; and they are listed in the Organization for Economic Co-operation and Development (OECD).

Being a member of the OECD is of relevance to the study, because this organization promotes the development of policies that improve a country’s economic and social wellbeing. The analysis was based on the following thematic questions:

1. Why are cyber-security awareness and education important to the country?

2. What is the country’s foremost aim regarding cyber-security awareness and education?

3. Who is assigned the duty to oversee cyber-security awareness and education-related tasks?

4. How is the country planning to work towards cyber-security awareness and education?

5. When can the implementation of cyber-security awareness and education initiatives be expected?

4.1 Why are cyber-security awareness and education important to the country?

In the four countries investigated, it is evident that cyber-security awareness and education efforts are the result of a national directive outlined in the respective national cyber-security policies. From these policies, it can be seen that each country has a particular objective behind the issues of cyber-security awareness and education.

In the US, the primary purpose is deeply rooted in protecting the national critical infrastructure. In the UK, on the other hand, the main reason behind cyber-security awareness and education is to serve as a tool for accomplishing its high-level cyber-security objectives. In Canada and Australia, the growing reliance on cyberspace has greatly influenced the economy of these countries. Thus, to strengthen their respective economic stance, cyber-security awareness and education should be included as high-level cyber-security objectives in the national cyber-security policies.

It may, therefore, be concluded that the rationale behind pursuing cyber-security awareness and education varies from country to country. Moreover, in all these cases, the national cyber-security awareness and education campaigns are a consequence of the respective national policies. Thus, it can be argued that a country should consider cyber-security awareness and education in its own context, in order to understand how it would benefit therefrom. These issues should be solidly founded in any national policy.

4.2 What is the UAE’s community’s foremost aim regarding cyber-security awareness and education?

In the US, the goal of cyber-security awareness and education is to raise the level of awareness in the nation on the risks of cyberspace, and how to circumvent these risks. In the UK, the goal is to support individuals and businesses, by informing and educating them on the issue of cyber-security. Finally, in Australia and Canada, the ultimate goal is a cyber-security culture that could be fostered through awareness and education.

From these four countries, one can see that the purpose of promoting cyber-security awareness and education is accompanied by certain goals that have been set. As such, setting definite goals should be regarded as vital, as this sheds light on what the country wants to achieve. Furthermore, it also sets some targets, whereby progress can be measured.

4.3 Who is assigned the duty of overseeing cyber-security awareness and education-related tasks?

In the USA, a national organization, The National Initiative for Cyber-security Education (NICE), has been formed. This is entirely dedicated to cyber-security awareness and education. NICE is constituted from a combination of governmental departments. Some of these departments assume the role of leading certain directives that exist within NICE. In the case of the UK, cyber-security awareness and education have been delegated to an external organization: Get Safe Online.

Similar to the US, in Australia, multiple governmental departments form the focal point of cyber-security awareness and education. However, in Australia, it was noted that there is no partnership between the departments; and this causes some confusion to the target audience about which source to trust. Finally, in Canada, Public Safety Canada takes the lead in cyber-security awareness and education.

In all these countries, it is evident that the documented cyber-security awareness and education goal is assigned to one or more departments or organizations to carry out. This allocation of responsibilities promotes accountability; and furthermore, it establishes a focal point. Thus, there should be a dedicated administration that could serve as a focal point for cyber-security awareness and the implementation of educational initiatives.

4.4 How is the country planning to work towards cyber-security awareness and education?

Following the publication of the national cyber-security policies, the US and Canada published action plans outlining their approach to cyber-security awareness and education. The NICE Strategic Plan indicates that campaigns, such as Stop. Think. Connect, could be used to equip the US’ public with the necessary knowledge and skills. As indicated, Stop. Think. Connect is well-designed; and through it, more sub-campaigns and programs could be made available.

Canada’s plan presents the actions to be taken to accomplish each of the objectives that are defined in the national cyber-security policy. In addition, it states the timelines and the status of every deliverable, together with the lead department. This action plan clearly encapsulates the actions to be taken, the timelines, and the current status of progress, together with the lead department.

In contrast to the US and Canada, the UK and Australia have not published any action plans in addition to their national cyber-security strategies. However, in Australia, an inquiry that was performed to determine the position of this country concerning cyber-security awareness and education recommended that an action plan be drafted. Therefore, it may be concluded that there should be a strategy in place that clearly articulates how a country should approach cyber-security awareness and education.

UAE National cyber-security awareness and the educational initiatives of each country were analyzed, as part of this inquiry. This was done primarily, because these initiatives are, in fact, a major element of how each country is promoting cyber-security awareness and education. The criteria used in the analysis are listed as follows:

Host organization. The department or organization that will be leading the initiative.

Target audience. The grouping of people that the initiative targets.

Topics covered. The topics that are covered by the content of the initiative.

Campaign tools. The materials that are used to deliver the message.

Having examined some of the national cyber-security awareness and educational initiatives of the relevant countries, a number of deductions were made.

Firstly, the focus of the cyber-security awareness and education campaigns and programmes should be on every grouping of society. These groupings should include: parents, children, teachers and employees in businesses. This focus is essential, as individuals, organizations and nations are equally exposed to the risks posed in cyberspace. In the time I was working for DigitalE1 I created a lot of material used for cyber security awareness trainings at companies and bootcamps for scholarships in the UAE.

Secondly, each target audience should be presented with topics that are relevant to them. This suggests that research has to be done to identify the individual awareness and educational needs. This relationship between the target audiences and the topics is apparent in the cases of the business environment and children. For example, knowledge about cyber bullying is directed primarily at individuals, and not at the business environment; similarly, knowledge about cyber-security policy making is directed at organizations, and not really at children.

Therefore, it is important for cyber-security awareness and education campaigns and programs to present each target audience with those topics that are relevant to them.

Thirdly, there is a difference in the medium of communication used to deliver the awareness-raising and education information to a particular audience. Using the same example of organizations and children, it can be seen from the analysis that children are often presented with cyber-security awareness and education through games, whereas organizations are offered guides and toolkits. Thus, the medium of communication used to deliver cyber-security awareness and education should be well suited to the particular target audience.

Fourthly, it is evident that the environment in which the awareness-raising and education take place would differ for each target audience. Again, using the same example of children and organizations, children can be reached in schools and homes, whereas organizations can only be reached in the workplace. Therefore, the environment should be taken into consideration when developing cyber-security awareness and education campaigns and programs, because this may influence the approach and/or tools to be used by the campaign or program.

Finally, within the analyzed cyber-security awareness and education initiatives, there are definite role-players. It is clear that cyber-security awareness is a shared responsibility; and everyone enjoying the cyberspace has a role to play. This is evident, since in all the countries studied, the governments were core in leading and resourcing cyber-security awareness and education.

In addition, industry has also assumed some of the responsibility, and has partnered with government. As such, when planning cyber-security awareness and education campaigns and programs, the role-players should be identified, and their respective responsibilities should be clearly defined. Moreover, partnerships with relevant stakeholders should ideally be formed.

4.5 When can the implementation of cyber-security awareness and education initiatives be expected?

All four countries have implemented a set of cyber-security awareness and education-control measures. As far as the UK and Canada are concerned, 2016 is the year in which all cyber-security objectives should be accomplished; this includes awareness and education. It is indeed promising that both of these countries aim to have fostered a culture of cyber-security among their citizens by 2016, as both countries have already taken definite steps in this regard to promote awareness and education. In addition, Canada is committed to generating periodic status reports, in order to monitor its progress more closely.

In the US, the NICE strategic plan makes no mention of a particular timeframe in which its cyber-security awareness and education objectives will be accomplished. However, it has defined a number of success indicators. Having both individuals and organizations understand online safety measures, and being encouraged to act securely online should serve as an indication that NICE has accomplished its aim. This approach suggests that in the US, cyber-security awareness and education are ongoing processes that will continue until the established indicators have materialized.

It is evident that these countries have in some way defined benchmarks that should assist them in evaluating the progress they have made towards accomplishing their goals. It can, therefore, be concluded that there should be some sort of monitoring and evaluation of the progress made in these cyber-security awareness and education efforts.

Cyber-security awareness and education comprise indeed a crosscutting matter that warrants diligent handling. The government should take the lead in this regard; and, accordingly, establish national and international partnerships that would encourage all users of cyberspace to play their part.

This section has provided a discussion on the analysis in terms of the deductions and conclusions that were made, based on the questions posed at the beginning of this section.

Based on the arguments, deductions and conclusions from the analysis, certain key factors were extrapolated for the purpose of constructing the basis of the proposed awareness and education framework for the UAE.

These key factors are listed below:

• Clearly articulated goals should be defined.

• A dedicated team/group should be appointed.

• An action plan should be outlined.

• A national cyber-security awareness and education campaign should be defined.

• Partnerships should be established.

• Resources should be in place.

• Monitoring techniques should be defined.

The above listed key factors form the basis of the proposed awareness and education framework. The resultant framework is presented in the following section.

5 THE CYBER-SECURITY AWARENESS AND EDUCATION FRAMEWORK

The previous section presented the key factors identified that should form the basis of the proposed cyber-security awareness and education framework. Moving forward, this section will introduce the proposed framework and discuss its elements individually.

The proposed framework is divided into five layers, and one overarching component, as listed below:

The Strategic Layer. This layer reflects the overall vision of the government concerning cyber-security awareness and education.

The Tactical Layer. This layer suggests the schemes that SA should employ to realize its cyber-security awareness and education goals.

The Preparation Layer. This layer prepares the contents of the scheme identified in the tactical layer.

The Delivery Layer. This layer defines the recipients of the preparations made in the preparation layer, namely: the target audience.

The Monitoring Layer. This layer examines the progress made by the scheme towards fulfilling the government’s vision.

Resources. This component defines the resources, which should comprise the inputs in all the aforementioned layers.

Respectively, the above mentioned layers illustrate six themes embodied in the cyber-security awareness and education framework.

Firstly, the cyber-security awareness and education ‘dream’ of the government;

secondly, the proposed strategies to be used to fulfil the dream;

thirdly, the preparations necessary for realizing this dream;

fourthly, the heirs of the dream;

fifthly, the monitoring of the progress towards the dream;

finally, the necessary resourcing.

A graphical illustration of the framework is presented in Figure 1. The remainder of this section will provide a detailed discussion on the respective layers of the framework.

5.1 The strategic layer

The strategic layer reflects the overall vision (the dream) of the government concerning cyber-security awareness and education. It is known from the draft Cyber-Security Policy that SA’s overall vision, as far as cyber awareness and education are concerned, comprises a cyber-security culture. In this layer, this vision is delineated into three components: the national cyber-security policy, the responsible unit, and the strategic plan.

The first component is the national cyber-security policy detailing the primary objective of each country concerning cyber-security awareness and education. The second component is a responsible unit, a dedicated administration for cyber-security awareness and education. The responsible unit component proposes three ways in which this administration could be formed. These are listed below:

• Forming a new administration;

• Using one or multiple government departments; and/or

• Delegating to a private organization.

The framework recommends that once an administration is appointed, a comprehensive strategic plan should be drafted; hence the last component, the strategic plan. This plan should clearly articulate how UAE should approach cyber-security awareness and education.

Figure 1: Cyber-security awareness and education framework

It is recommended that this plan should consider the United Arab Emirates context, taking into consideration other legislation that might influence the content of the plan. It was, however, beyond the scope of this study to elaborate on every aspect, which the strategic plan should comprise. Yet, from the analysis performed, it was gathered that the strategic plan should make known the schemes that the country should employ to realize its cyber-security goals. These schemes will fall into the next layer, which will be discussed in the following subsection.

5.2 The tactical layer

The tactical layer lies below the strategic layer. As stated, this layer continues where the strategic plan defined in the strategic layer has left off. In this layer, the suggested elements to drive cyber-security awareness and education are stated.

The tactical layer has four components, which are proposed in the framework. The first component is a national cyber-security awareness and education campaign. This suggestion was confirmed by the fact that all the countries analyzed have one or more cyber-security awareness and education initiatives or campaigns. The proposed name for such a UAE campaign is iUAEwise. The name suggests an informative UAE, hence the “i”, and cyberwise SA, hence the name iUAEwise.

The idea is for iUAEwise to be an overarching campaign that includes all sub-campaigns and initiatives.

The findings from the performed analysis indicate a variety of aspects, which should be considered in such a campaign. One of those aspects is the establishment of partnerships with the public and private sectors, academia and other nations. These partnerships would allow industry, academia and other nations to contribute to the UAE’s cyber-security awareness and education endeavors. Such partnerships, particularly those with other nations, would promote the alignment of cyber-security awareness and education among nations.

Moreover, in partnership with academia, iUAEwise would benefit from current research that could help to align what the campaign has to offer with the specific needs of South African citizens. It is proposed that iUAEwise could reach the people of UAE through sub-campaigns and initiatives that could include the following:

• iUAEwise Week

• iUAEwise Community Outreach

• iUAEwise For All

• iUAEwise For Schools

iUAEwise Week is proposed to be an annual event aimed at all UAE citizens. This week should serve as a reminder that cyber-security is a shared responsibility; and it should also induce and spread awareness of current and anticipated cyber-security practices and issues. With all these campaigns, a South Arab ‘flavor’ should be adopted, meaning the UAE context should be taken into consideration.

This week could adopt and further expand on the National Cyber-Security Awareness Week hosted by, for example, SACSAA.

iUAEwise Community Outreach is proposed to give everyone an opportunity to lend a helping hand. This program would allow any member of society to be part of iUAEwise, by volunteering to participate in spreading the cyber-security awareness and education message to communities. This program is closely linked with the well-known philosophy of humanity in UAE.

It is proposed that iUAEwise For All could be an all-encompassing website addressing all groupings of the UAE society, as well as SMMEs. (Still in development at the moment of writing this post.)

It is proposed that this website provide up-to-date information that would equip its audience with the necessary cyber-security information, in order to create knowledgeable UAE citizens. The topics covered in the website should be tailored and delivered in a manner that is best suited to the general public and employees of SMMEs.

Topics identified in the analysis include, but are not limited to, cyber-bullying, cyber-stalking, identity-theft, fraud, phishing, securing personal and private information online, and secure behavior.

Finally, it is proposed that iUAEwise For Schools should target learners in primary and secondary schools. This campaign should ensure that cyber-security forms part of the school curriculum, and that awareness and education are delivered to the scholars in a manner that is suitable for each age group.

It is worth noting that iUAEwise is not intended to replace the campaigns that are already active in SA, but rather to unite everything under one unique, truly South African effort.

Since cyber-security education is broad in nature, a national cyber-security awareness and education campaign is not the only aim to attain. Alongside iUAEwise, there are two further components: formal cyber-security education for students, and cyber-security education for those in the workforce.

However, providing insight on what these two components should consist of falls outside of the scope of this paper. Thus, students, together with people in the workforce, are also part of society; therefore, they should be included in iUAEwise.

The major facet of the tactical layer is the cyber-security awareness and education campaign, iUAEwise, and also the suggested subordinate campaigns and program that should be used to reach UAE citizens. Having said this, the following questions must be asked:

• What topics should iUAEwise cover?

• What communication tools should be employed?

The following subsection will introduce another layer that should answer the questions posed above.

5.3 The preparation layer

The preparation layer concerns itself with defining the cyber-security awareness and education resources that iUAEwise would offer to the people of UAE. The preparation layer comprises four components: topics, content, medium and tools. With regard to topics, from the analysis of cyber-security awareness and education initiatives, a number of topics that are common throughout the initiatives may be identified. Such topics include, but are not limited to: cyber-bullying, cyber-stalking, identity-theft, fraud, phishing, securing personal and private information online, and secure behavior. These topics and more could be covered by iUAEwise. However, further research needs to be done, in order to discover the particular needs of South African citizens.

Figure 1 suggests a particular relationship between content and topics in the preparation layer. This relationship is guided by the target audience to which the material will be offered. For example, if material on cyber-bullying is offered to children, the content might include ‘how to report a cyber-bully’.

However, the same topic, offered to a different target audience, such as a parent, could include such content as ‘the warning signs of a cyber-bullied child’. Thus, there is a definite link between topic and content. The preparation layer, as shown in Figure 1, further presents a link between content and medium. This relationship suggests that based on the defined topic together with the content, a suitable medium of communication should be chosen. There are two acknowledged mediums: paper based and electronic. Once these elements are clear, the tools to be used must be defined. These tools include: websites, videos, games, quizzes, and so forth. Thus, a suitable tool should be chosen, based on the topic, content and medium.

From this layer, one further question arises:

To which target audience would iUAEwise deliver cyber-security awareness and education?

This question will be addressed in the following subsection.

5.4 The delivery layer

The delivery layer concerns itself with the process of defining the target audience to which iUAEwise will deliver awareness and education. In addition, it will also define the roles that this audience would play within iUAEwise, and amongst each other. There could possibly be seven different target audiences defined, namely:

• Children younger than 13 years

• Teenagers

• University Students

• Parents/Guardians

• Adults

• Teachers

• Small, Medium and Micro-sized Enterprises (SMMEs)

It is proposed in this layer that iUAEwise deliver cyber-security awareness and education to the above-mentioned audiences, since they represent the nation at large. In addition, this layer identifies two roles that these audiences should play, namely a Learner Role and an Educator Role.

It is well known that cyber-security is the responsibility of everyone who enjoys the benefits offered by cyberspace. Therefore, it is recommended that the defined target audience accept the responsibility of using the resources that iUAEwise offers to educate them, thereby assuming the role of a learner. Moreover, it is also recommended that everyone passes on what they have learnt to one another, thereby assuming the role of an educator.

Once the target audiences and roles in iUAEwise are clear, all that is left is to define the manner in which the progress towards achieving the primary cyber-security awareness and education is to be monitored. The monitoring component will be discussed in the following subsection.

5.5 The monitoring layer

The Monitoring Layer is the final layer of the cyber-security awareness and education framework. It was gathered from the analysis that there should be monitoring and evaluation of the progress made in the cyber-security awareness and education efforts. In addition, the effectiveness of the campaign should be evaluated. As such, the framework suggests the following:

• Benchmarks must be declared

• Success indicators must be defined

• Periodic status reports must be generated

It is suggested that the feedback from the evaluation should inform iUAEwise in the tactical layer. In so doing, this national cyber-security awareness and education campaign should be adapted – on the basis of the feedback from the evaluation. For instance, if a declared benchmark or certain success indicator fails to materialize, iUAEwise may possibly need to make some changes in the Preparation Layer. Consequently, the topics, content or tools in this layer may be adapted, in order to achieve the expected results.

The monitoring layer serves as the last layer of the framework. The following subsection will discuss the resources component.

5.6 Resources

In order for all the components identified in the framework within each layer to be addressed, certain resources have to be in place. The framework identifies five types of resources that would be needed as input in all the layers of the framework.

These resources are as follows:

People. The people needed to carry out a certain function.

Information. The information required to carry out a particular function.

Applications. Computer applications, such as software programs, which will be needed.

Infrastructure. The physical hardware, such as desktops and servers.

Financial Capital. The monetary resources that will be needed.

These resources are adopted from the Information Technology Infrastructure Library (ITIL), and have been identified as being essential in delivering an information technology service.

In the context of this framework, cyber-security awareness and education comprise the service to be delivered. Therefore, within the five layers of the framework, appropriate resources have to be identified. Each and every layer of the cyber-security awareness and education framework will need one or more resources, in order for the components within each layer to be in place. Hence, the UAE government has the duty to ensure that these resources are in place. This subsection marks the last component of the proposed framework.

The proposed framework was developed in such a manner that its layers are in line with the Plan-Do-Check-Act (PDCA) cycle presented by Figure 2.

Figure 2: PDCA cycle

Figure 2 depicts the iterative four-step process of the PDCA Cycle. According to ISO/IEC 27000, these steps signify the following:

Plan. Establishing objectives and processes, which are necessary, in order to deliver certain outcomes.

Do. Implementing the outlined plan.

Check. Monitoring and measuring progress against particular requirements.

Act. Taking action, in accordance with the feedback obtained from the monitoring.

These steps overlap well within the layers of the proposed framework. The planning step can be recognized in the strategic and tactical layers. It was elaborated on in Subsection 5.1 how the strategic layer reflects the overall vision of UAE concerning cyber-security awareness and education. As part of the planning step, the vision is delineated into clearly defined objectives.

The objectives are to form a dedicated administration for cyber-security awareness and education, including drafting a comprehensive strategic plan that would clearly articulate how the UAE should approach cyber-security awareness and education.

The planning phase extends to the tactical layer – by declaring the elements that are proposed to drive cyber-security awareness and education in the UAE.

These elements are:

• iUAEwise

• Formal Cyber-Security Education

• Cyber-Security Workforce Education

The doing step manifests in the preparation and delivery layers. In the preparation layer, the resources that iUAEwise will offer to its targeted audience are defined. The doing step then overlaps with the delivery layer, since the actual target audience is defined by the prescribed roles.

The monitoring layer encapsulates both the checking and acting phase of the PDCA cycle. It is suggested in this layer that the progress made in the cyber-security awareness and education efforts be monitored and evaluated against certain benchmarks and success indicators. Thereafter, the feedback that should be obtained from monitoring and evaluation would trigger the acting step, as elaborated in Subsection 5.5 of this paper.

The use of this proposed framework should enable UAE to define a national cyber-security awareness campaign, here proposed as iUAEwise. This campaign would serve as a means for providing UAE citizens with the necessary cyber-security understanding and knowledge, and would, therefore, contribute to the creation of the envisaged culture.

6 VERIFICATION OF THE FRAMEWORK

In Section 3 it was mentioned that the framework was verified by using elite interviews. As such, this section seeks to discuss the verification of the proposed cyber-security awareness and education framework for the UAE. Included in this section is how the comments from the elites were addressed.

A week prior to conducting the elite interview, an interview brief was sent to the elites. The interview brief aimed to introduce the framework, and also to provide some background on the form of the interview to be conducted. This was done, in order to allow the elites to understand what was expected of them.

Before interviewing the elites, the proposed cyber-security awareness and education framework was presented in the form of a PowerPoint slide show. This presentation was intended to elaborate on the underlying research that forms the basis of the proposed framework. In addition, all the layers and components of the proposed framework were presented in detail, so that the elites could have a clear understanding of the context. Subsequently, the actual elite interview was conducted.

As previously mentioned, elite interviews are semi-structured; and they do not call for standardized questions. However, in this case, the questions were fairly standard; and both elites were asked the same questions. Nevertheless, even though the questions were fairly standard, with this choice of interview, the researcher had the opportunity to probe the information provided by the elites.

The questions, which were posed, are listed below:

• Do you agree with the layers of the proposed framework?

• Do you agree on the components of the proposed framework?

• Is the framework comprehensive enough?

• Do you think the framework would contribute to the cultivation of the suggested culture?

• Are there any other frameworks of which you are aware, to which you can refer me?

• Any other comments and suggestions?

The above questions were intended to verify the layers, components and comprehensiveness of the proposed cyber-security awareness and education framework. Furthermore, what was essential was to obtain confirmation from the elites that the proposed framework would contribute to cyber-security.

Concerning the five layers of the framework, both elites approved these layers; and one of the elites expanded by saying:

Yes, I do agree with the layers of the framework, one of the phases of any awareness that we always have, which I have picked up from various studies is that others have three; while others have two. These phases are preparation phases, followed by the design phase; and then you have the implementation phase, and your review phase, for your monitoring. . .

When asked whether they agreed with the components of the proposed framework, the elites suggested additional concepts. Elite one suggested that guardians be added as a target audience in the delivery layer. As suggested, the framework was revisited and adapted accordingly. Additionally, elite two suggested that there be a relationship indicator in the ‘responsible unit’ component found in the strategic layer, in order to portray the interrelatedness of government departments. The framework was adapted, as advised.

In terms of the comprehensiveness of the framework, both elites confirmed that the proposed framework was indeed comprehensive; and one of the elites expanded by saying:

I would say it’s comprehensive, because for any awareness campaign, there must be these components: goal/purpose, objective of the campaign, the need of the campaign, campaign name, target audience, delivery methods, and evaluation.

In addition, the elites were positive about the contribution the proposed cyber-security awareness and education framework would make to the cyber-security culture envisaged in the UAE.

The framework will contribute to cyber-security awareness and education, because it structures things that people are currently doing: a little bit here and there, things that people don’t see as a full-blown framework. The framework nicely links all these facets.

Regarding other existing frameworks, none of the elites could make reference to an existing framework. Finally, when the elites were asked whether they had any other comments and suggestions, both elites had some concerns. Elite one was against allowing children to assume the role of educator (see Subsection 5.4). However, in the UK, peer-to-peer education is recommended, as it is believed that children more easily learn and accept input from their peers [6]. Thus, this comment was overlooked.

Elite two suggested that Estonia be added to the developed countries, which were analyzed in Section 4. The criteria used to select the developed countries that were studied are made known in Section 4. However, in the case of Estonia, some of the documentation deemed important to the study needed to be translated before being used. This was a disadvantage, primarily because the integrity of the information would come into question. Therefore, Estonia was not included as a participant in the comparative analysis.

Based on the feedback received from the elites, it can be concluded that the proposed framework was sufficiently validated. Moreover, the demonstration and evaluation steps, as part of a design science approach were conducted satisfactorily. Therefore, it could be argued that the cyber-security awareness and education framework is basically sound.

7 CONCLUSION

Cyberspace had humble beginnings. Over time, it has progressed immensely, providing individuals with endless opportunities. Embedded in these opportunities, however, are risks that compromise the safety and security of the individuals that participate in cyberspace. It would seem that people are largely unaware of these risks; and so, they put themselves, as well as businesses and governmental assets and infrastructure, at risk. In recognition of this, the UAE wishes to promote a culture of cyber-security among its citizens.

However, I did not see anything coming from the Government perspective. I am trying to gain feedback from the UAE Government related to this framework and the funds to continue the cyber awareness within the UAE, and have to admit that this is still a challenge today due to the slow communication processes within the UAE.

During my time at a cyber security company in Abu Dhabi (name not disclosed due to NDA) I gathered the level of knowledge within the UAE and saw that topics like Security, Threats and Cyber Security Awareness Training were lacking, and developed the materials to establish Cyber Awareness Bootcamps, Cyber Awareness Week and pre & assessments for security-related topics.

The problem I was facing within this same company is that, although they claim to be the biggest security-related company within the UAE, the opposite was proven to me. This company is only very active in gathering information from users and customers and sharing this with third parties. See also my other blog post, “Why is Whatsapp or any other VOIP call unavailable in the UAE?”, related to To Tok. The main problem is that this company is the source of this application and was rejected from the Google app store and Apple store. Keep in mind that this is just another tool for spyware which can track all your contacts and information. Be aware if you are using this app.

Cyber-security awareness and education together play a big role in cultivating such a culture. Accordingly, this paper proposes a cyber-security awareness and education framework that would assist the UAE in promoting its envisaged cyber-security culture. The implementation of this framework would afford the UAE a national cyber-security awareness campaign. Furthermore, making use of its subsidiary campaigns would mean that citizens could be the recipients of cyber-security awareness and education, suited to a global audience.

Reaching out to all Government entities who want to participate in obtaining and funding this national initiative. For my contact details please visit the contacts page on my website.
