Assessing Cybersecurity Policy Effectiveness in Africa via a Cybersecurity Liability Index

21 Pages. Posted: 19 Mar 2018. Last revised: 16 Aug 2018


Kwasi Adomako

Carnegie Mellon University Africa

Nabeel Mohamed

Carnegie Mellon University

Aminata Garba

Carnegie Mellon University; Carnegie Mellon University - Department of Electrical and Computer Engineering

Martin Saint

Carnegie Mellon University

Date Written: March 16, 2018

Abstract

Africa is a continent of approximately 1.24 billion people, yet it is estimated that there are only 7,000 certified security professionals, or one for every 177,000 people. Africa's information and communications technology (ICT) sector grew by 7,000 percent between 2000 and 2016, with Internet penetration increasing to nearly 28%. The use of ICT, and in particular the Internet, has become a matter of strategic importance. Not only do these technologies spur economic development, but they also improve productivity, efficiency, and innovation across the continent, and encourage the free flow of ideas and information.

The rapid growth of the Internet has also created new opportunities for perpetrating cybercrime, which costs African economies an estimated total of over one billion US dollars every year. Once considered a trivial matter in Africa, cybercrime is now identified as a significant barrier to development. African nations are increasingly aware of the issue and are starting to take legislative and regulatory steps to counter the rising trend of cyber attacks. However, as of 2016, only 11 out of 54 African countries had enacted specific laws against cybercrime. Another 12 countries had partial laws, and 30 had no meaningful cybercrime laws. There is no global consensus on how to regulate and respond to cyberattacks; therefore, African countries tend to adopt policies and laws intended for developed nations that possess much higher response capabilities. Even countries with cybercrime laws remain vulnerable, as efforts to date have been mostly ineffective in preventing or prosecuting attacks.

The goal of this paper is to provide insight into the current cybersecurity status of six representative countries in Africa that have enacted laws against cybercrime. In particular, it investigates why security policy frameworks and legislation in these countries have so far had little or no impact on preventing cybercrime.

A combination of qualitative and quantitative methods is used. These methods aim to identify and review the implementation of cybersecurity policies and relevant literature relating to security in each of these countries. The following key performance indicators (KPIs) are measured and analyzed for each country in the study:

- The existence of computer emergency response teams (CERTs).
- Threat landscape identification.
- The existence of cybercrime legislation.
- The number of security professionals.
- Security breach notifications.
- Conviction rates for cybercriminals.
- Accession to the Budapest Convention.

The quantitative evaluation is based on analyzing statistical data related to cybersecurity incidents to:

- Measure the cost of cybercrime before and after legislation.
- Quantify the impact of cybersecurity legislation and policies.
- Develop a security index based on KPIs.
- Perform a sensitivity analysis to measure the impact of KPIs on legislation.

We use these measures to construct a Cybersecurity Liability Index (CLI) using an additive utility function. A swing-weighting approach is used to design the CLI, where individual attributes are compared to other alternatives with the goal of quantifying the KPIs. The findings and results of this analysis form the foundation for policy recommendations to improve existing regulatory infrastructures and to guide countries that have not yet adopted relevant legislation.

Keywords: Africa, cyber, attack, cybersecurity, cybercrime, policy, regulation, law, index

Suggested Citation

Adomako, Kwasi and Mohamed, Nabeel and Garba, Aminata and Saint, Martin, Assessing Cybersecurity Policy Effectiveness in Africa via a Cybersecurity Liability Index (March 16, 2018). TPRC 46: The 46th Research Conference on Communication, Information and Internet Policy 2018, Available at SSRN: https://ssrn.com/abstract=3142296 or http://dx.doi.org/10.2139/ssrn.3142296

Kwasi Adomako

Carnegie Mellon University Africa

8 KG Ave
Telecom House
Kigali, Kigali
Rwanda

Nabeel Mohamed

Carnegie Mellon University

Pittsburgh, PA 15213-3890
United States

Aminata Garba

Carnegie Mellon University

Boulevard de l'Umuganda, 4th Floor Telecoms House
Kigali, 6150
Rwanda

Carnegie Mellon University - Department of Electrical and Computer Engineering

5000 Forbes Avenue
Pittsburgh, PA 15213
United States

Martin Saint (Contact Author)

Carnegie Mellon University

Pittsburgh, PA 15213-3890
United States
