Assessing Cybersecurity Policy Effectiveness in Africa via a Cybersecurity Liability Index
21 Pages Posted: 19 Mar 2018 Last revised: 16 Aug 2018
Date Written: March 16, 2018
Africa is a continent of approximately 1.24 billion people, yet it is estimated that there are only 7,000 certified security professionals, or one for every 177,000 people. Africa's information and communications technology (ICT) sector grew by 7,000 percent between 2000 and 2016, with Internet penetration increasing to nearly 28%. The use of ICT, and in particular the Internet, has become a matter of strategic importance. Not only do these technologies spur economic development, but they also improve productivity, efficiency, and innovation across the continent, and encourage the free flow of ideas and information. The rapid growth of the Internet has also created new opportunities for perpetrating cybercrime, which costs African economies an estimated total of over one billion US dollars every year. Once considered a trivial matter in Africa, cybercrime is now identified as a significant barrier to development. With African nations increasingly aware of the issue, they are starting to take legislative and regulatory steps to counter the rising trend of cyberattacks. However, as of 2016, only 11 out of 54 African countries have enacted specific laws against cybercrime. Another 12 countries have partial laws, and 30 have no meaningful cybercrime laws. There is no global consensus on how to regulate and respond to cyberattacks; therefore, African countries tend to adopt policies and laws intended for developed nations that possess much higher response capabilities. Even countries with cybercrime laws remain vulnerable, as efforts to date have been mostly ineffective in preventing or prosecuting attacks. The goal of this paper is to provide insight regarding the current cybersecurity status in six representative countries in Africa that have enacted laws against cybercrime. In particular, it investigates why security policy frameworks and legislation in these countries have so far had little or no impact on preventing cybercrime.
A combination of qualitative and quantitative methods is used. These methods aim to identify and review the implementation of cybersecurity policies and relevant literature relating to security in each of these countries. The following key performance indicators (KPIs) are measured and analyzed for each country in the study:
- The existence of computer emergency response teams (CERTs).
- Threat landscape identification.
- The existence of cybercrime legislation.
- The number of security professionals.
- Security breach notifications.
- Conviction rates for cybercriminals.
- Accession to the Budapest Convention.

The quantitative evaluation is based on analyzing statistical data related to cybersecurity incidents to:
- Measure the cost of cybercrime before and after legislation.
- Quantify the impact of cybersecurity legislation and policies.
- Develop a security index based on KPIs.
- Perform a sensitivity analysis to measure the impact of KPIs on legislation.

We use these measures to construct a Cybersecurity Liability Index (CLI) using an additive utility function. A swing-weighting approach is used to design the CLI, where individual attributes are compared to other alternatives with a goal of quantifying the KPIs. The findings and results of this analysis form the foundation for policy recommendations to improve existing regulatory infrastructures and guide countries that have not yet adopted relevant legislation.
Keywords: Africa, cyber, attack, cybersecurity, cybercrime, policy, regulation, law, index