Cybersecurity Capacity Maturity Model for Nations (CMM) Revised Edition

60 Pages Posted: 31 Aug 2020 Last revised: 8 Apr 2021

Date Written: March 31, 2016


The goal of the Global Cyber Security Capacity Centre (Capacity Centre) is to increase the scale and effectiveness of cybersecurity capacity-building, both within the UK and internationally by gaining a more comprehensive and nuanced understanding of the cybersecurity capacity landscape. It is our aim to ensure that the knowledge and research collected and produced by the Capacity Centre can assist nations improve their cybersecurity capacity in a systematic and substantive way. By helping understand national cybersecurity capacity, the Capacity Centre hopes to help promote an innovative cyberspace in support of well-being, human rights and prosperity for all.

In order to achieve this aim, the Capacity Centre developed its prototype National Cybersecurity Capacity Maturity Model in 2014, and deployed it in 2015 during 11 national cybersecurity capacity reviews, as well as a regional assessment of the Latin American and Caribbean Region (led by the Organization of American States in collaboration with the Inter-American Development Bank). The reviews were conducted alongside several international organisations and leading ministries, and convened stakeholders from across all sectors of society in order to gain a comprehensive understanding of the maturity of cybersecurity capacity of the nation. During the reviews, the Capacity Centre was able to gauge whether the content of the model is consistent with the cybersecurity capacity landscape, as well as determine ways to enhance the overall content, structure and deployment of the model through lessons learnt.

Therefore, the Capacity Centre has developed a revised edition of the model, called the Cybersecurity Capacity Maturity Model for Nations (CMM) based on the lessons learnt through the deployment of the model. The Capacity Centre proposed a series of modifications based on the lessons learnt to a panel of cybersecurity experts from various disciplines. These expert consultations confirmed several proposed amendments, and produced additional inputs for consideration in the revision of the CMM. Once the amended content was curated by senior academics leading the development of the respective cybersecurity capacity dimensions, the revisededitionof the CMM was produced.

Most of the alterations that have been made in the revised edition of the CMM are structural rather than substantial. Certain factors and aspects have been combined or reconfigured to improve the clarity and precision of the model as a whole, while ensuring the continuity ofthe content. For example, in Dimension 3, several review participants expressed confusion regarding the differences between factors, which resulted in a reconfiguration of this dimension in order to more clearly communicate the intention of each factor. Other revisions, such as adding factors to certaindimensions, were made to ensure the essence of the cybersecurity capacity dimensions is more accurately reflected. In Dimension 5, in particular, several new factors were added so that the focus of the dimension is drawn toward technical standards, controls and products rather than the existing ambiguous scope. Finally, some factors were added as a direct result of feedback from the various country reviews, such as the addition of a factor on the role of media in Dimension 2 and a factor on international cooperation in Dimension 4. This effort to enhance the content of the CMM is not intended to be a static exercise. As the Capacity Centre continues to deploy the model across the world (by 2020 it was deploy in over 80 countries), new lessons will be learnt that can be used to further enhance the CMM. Our aim is to ensure the CMM remains applicable to all national contexts and reflects the global state of cybersecurity capacity maturity.

Keywords: assessments, model, cybersecurity capacity, cyber capacity building, cybersecurity policy, cybersecurity strategy, cyber culture, cybersecurity education, legal and regulatory frameworks, cybersecurity standards, cybersecurity skills

Suggested Citation

(GCSCC), Global Cyber Security Capacity Centre, Cybersecurity Capacity Maturity Model for Nations (CMM) Revised Edition (March 31, 2016). Available at SSRN: or

Global Cyber Security Capacity Centre (GCSCC) (Contact Author)

University of Oxford - Department of Computer Science ( email )

Wolfson Building, Parks Road
United Kingdom

Do you have a job opening that you would like to promote on SSRN?

Paper statistics

Abstract Views
PlumX Metrics