Cybersecurity Capabilities in a Critical Infrastructure Sector of a Developing Nation

When information technology is incorporated into the operations of financial critical infrastructure, it brings with it a range of cyber risks, and mitigating them requires that firms and regulators develop capabilities to foster protection. The sophistication of cyber threats to the financial sector has been growing rapidly. Developed nations have worked hard to improve their knowledge of these threats and establish strategies to respond accordingly. However, in developing nations, both the understanding of the risks posed by cyber threats and the ability to address those risks have been slower to evolve. Developing the needed cybersecurity capabilities in developing countries encounter challenges that need to be identified and addressed. In order to begin to do that, this thesis reports on three studies conducted in the context of Ecuador. The first study identifies and assesses incident experiences, challenges, barriers, and desired actions reported by financial security managers with the objective of identifying strategies to enhance incident response capabilities. The second study begins with the security incidents reported by the Ecuadorian financial stakeholders during the first study and assesses the potential effectiveness of the government policy that is intended to address IT risk in the financial sector. The third study explores the challenges that universities face in order to provide cybersecurity instruction to protect critical infrastructure and explores potential strategies to advance cybersecurity education at the university level. In support of this work we collected data from national practitioners involved in responding to security incidents and in developing cybersecurity skills. Sixty-one in-depth, semi-structured interviews across five cities were conducted (95% in person, the rest by telephone) with respondents who had good knowledge in the subjects. Respondents come mainly from: the financial sector (CISOs, risk and IT managers, security chiefs, security officers, authorities); telecommunications sector, especially ISPs (managers, directors, engineers, authorities); and academia (deans, directors, professors). We transcribed all the interviews, coded them and conducted qualitative text analysis. This research finds that (1) the financial sector is already facing risks driven by outsiders and insiders that lead to fraud and operational errors and failures. The main barriers to improving protection are small team size, network visibility, inadequate internal coordination, technology updating, lack of training, and lack of awareness. The sector has little community support to respond to incidents, and the national legal framework has not supported appropriate prosecution of cyber criminals; (2) the national IT risk management policy has reasonably covered most countermeasures related to reported security incidents. There are however, several areas of gap, one of the most important is network security, which can enable sophisticated malware attacks; (3) today the level of cybersecurity education is mostly elementary in Ecuador. Academic interviewees at only four of the thirteen universities studied expressed confidence that they can provide students with reasonable preparation. Ecuador needs to design a national cybersecurity plan that prioritizes protection for critical infrastructure and should support strategies that allow the country to enhance cybersecurity capabilities. Properly designed these initiatives should allow the nation to develop a core structure to confront current and emergent cyber challenges in the financial sector and other critical national operations, and build the human resources necessary to continue that effort.