Cyber Security Capability Maturity Model using Maqasid al-Shari'ah approach

Abstract

Knowing how vulnerable an organisation or a country is towards cyberattacks, is referred to as Cyber Security Index or Maturity Level. Such an index is important to evaluate one’s level of vulnerability to cyber threats and its defense readiness. Various cyber security models are initiated and applied across the globe as tools towards measuring the mentioned index. These models in particular provide us with indicators as to how ready an organisation or a country react to attacks and what are the steps to be taken to alleviate the situation. However, although most of the existing cyber security models excel in determining one’s cyber security maturity level, the results produced only indicated the degree of practice based on the evidence presented by a country or an organisation for each criterion underlined in each model. It stops short from further explaining what the fundamental problem is: the human factor. Human beings play a very important role in cyber security. Unlike policy, technology and process which are deterministic in nature, human beings are by nature random and complex. Consequently, this unpredictive nature of people and morality issue causes humans to be regarded as the major factor affecting the level of cyber security readiness. Maqasid Al-Shari‘ah supports the objectives of Shari‘ah through the preservation of five elements: (1) Protection of Deen (faith), (2) Protection of Nafs (life), (3) Protection of ‘Aql (intellect), (4) Protection of Nasl (lineage) and (5) Protection of Mal (wealth). Preservation of these five elements is significant for cyber security maturity. Therefore, this research is proposing the use of Maqasid Al-Shari‘ah to address the human factor centred on morality as described above. Results will be categorised into the aforementioned five elements. Based on this approach, an organisation will not only be able to determine its maturity level, but interestingly the result will reveal to what extent the organisation’s decision making to protect its assets comply with Islamic morality. This work aims to develop a Cyber security Capability Maturity Model guided by Maqasid Al-Shari‘ah (known as MS-C2M2) which comprehensively covers both moral and physical aspects of human beings. Its success will undoubtedly demonstrate the usefulness of Maqasid Al-Shari‘ah principle, as well as benefiting cyber security maturity models. The MS-C2M2 will be manifested through the development of a prototype system known as Maqasid al Shari‘ah Cyber Security Barometer that captures organisations’ input which later produces the corresponding cyber security maturity levels. A few subject matter experts in both areas i.e. Cyber security and Maqasid Al-Shari‘ah were referred to, to evaluate and validate the reliability of the prototype’s content and functionality. After being validated, eighteen organisations from various industries and backgrounds were approached to test the prototype tool. However, only three organisations had gotten back and participated. Coincidentally, the participating organisations were those with good cyber security readiness. For the purpose of comparison, two additional mock organisations were created with poor performances (after going through the barometer) to give ideas on what results do organisations with poor cyber security readiness produced. The feedback received from the survey circulated afterwards showed that the respondents are satisfied with the results produced by the Maqasid al Shari‘ah Cyber Security Barometer.