This document summarizes a research study on developing a regional cybersecurity framework for Pacific Island nations. It found that while a regional approach could help small nations project their interests, national governments prioritize their own interests. The study identified opportunities for capacity building if supported aligned with domestic priorities. It proposed a framework consisting of affiliated national cyber emergency response teams (CERTs) collaborating on shared issues while serving domestic needs. Regional partners could aid strategic planning and "bespoke" capacity development targeting each nation's goals.

1. Cyber Security
Maturity in the
Pacific Islands
Informing a Regional CERT
Framework

2. Contents The Problem
Theoretical Background
Methodology
Findings
Discussion
Implications for Research and Practice
Limitations
Conclusions
Cover Page image is modified from "Why #corporates prefer #private #investigator to #cyber cops - #cybersecurity #infosec #technology… https:/
/t.co/UeXuHazJy7" by datacorpltd licensed under CC BY-NC 2.0

3. The
Problem
What is the Problem?
Who is impacted?
Why should it be addressed?
How does this research contribute to a
solution?

4. What is the
Problem?
Pacific Island nations do not use a
coordinated regional approach to
manage their cybersecurity threat
responses.
Cybersecurity impacts on national
governments’ national interests - defence,
economic, and social.
Governments protect their interests by
implementing policy frameworks that provide
cybersecurity detect and response capabilities.
Research confirms the importance of nations
collaborating within regional frameworks.
Pacific Island nations do not share a regional
framework.

5. Who is
impacted?
Pacific Island nations
Governments
Residents and communities
Companies
Universities
People doing business in the region
Neighboring governments
Visitors and tourists
Communities
Companies and partners

6. Why should it be
addressed?
Pacific Island governments are
saying “we need capacity, we need
to be able to respond”
Chris (FIRST), England
There are no laws in place that
allow Pacific Island CERT teams to
work together
Marwan (ITU), Switzerland
We have people and skills, but we
need help from our neighbors
Paula, Tonga

7. How does this
research
contribute to a
solution?
This research examined the factors that
influence the purpose, form and function of a
regional threat response capability.
We proposed an inductive model for a Pacific
Islands regional cybersecurity framework
based on:
Literature | Review of contemporary academic
literature
Personal narratives | Interviews with local
practitioners and partners
Qualitative analysis | Emergent semantic
themes and categories of observations
Regional perspective | Pacific Island
opportunities and challenges that test the
general academic approach

8. Theoretical
Background
Evolution of a multinational CERT
Regional approach to delivering CERT
services
Projecting the national interest in a
regional CERT

9. Evolution of a
multinational
CERT
Regional CERTs offer a coordinated
approach between national,
transnational & supranational
participants.
Contemporary literature (post 2010) provides a
framework for a regional, multinational CERT.
● Consensus | General CERT form and
function.
● CERTs are not homogenous | National and
sectoral CERTs will support the priorities of
their respective sponsoring organisations.
● Unique and shared interests | Nations have
both unique national interests, and areas of
mutual/shared interests with other nations.
● Regional framework | Small countries work
with regional and global partners and
neighbors to protect national interests and
advance shared interests > transnational
infrastructure, cooperative institutions,
complimentary CERT services.

10. Regional
approach to
delivering CERT
services
Regional approach needs to recognise that
different partners may or may not want to
participate, based on their unique and
shared interests.
What is the most appropriate way deliver
complementary CERT services across a regional
network of nations and partners?
● Small nations | Use regional groupings to
project their interests and presence onto a
larger stage.
● US, EU | Reluctance to subjugate their
national interests to a regional body. Stifling
of regional identity and norms.
● New Zealand | Reluctant to project into the
region as a dominant partner.
● Australia | Uses regional engagement to
advance its national interests, through
empowering regional neighbors.

11. Projecting the
national interest
in a regional
CERT
Smaller nations use the regional framework
to project their national interests to a
larger stage.
However, this comes at a cost.
Smaller nations use 3 approaches to project their
interests to a regional framework:
1. Form an alliance with the dominant regional
power
2. Build institutions across the region
3. Project their unique national identity , values
and norms into the region
Contradiction - Small nations rely on large nations
to help build their local capacity; in doing so, they
become beholden to the large nation.
In response, smaller nations will
● Protect the national interest | Retain
ownership of critical infrastructure. Assert
national interest through domestic policies
● Target support | Investment for skills
shortage and capacity building.

12. Methodology

13. Methodology
Participant 1 | United Kingdom
Consultancy & advisory services
Participant 2 | Switzerland
Training & capacity building
Participant 4 | Kiribati
Cybersecurity practitioner
Participant 3 | Tonga
Cybersecurity practitioner
Social constructivist philosophy – Pacific Island nations
development is grounded in a “developing nation” worldview.
Knowledge and context is constructed through social, cultural,
economic and ethnic interaction with regional neighbors.
Emergent design strategy – Flexibility and adaptation. One to one
semi-structured interviews. Open ended enquiry. Personal
narratives as the primary data source.
Qualitative data gathering and analysis - Personal narratives from
4 regional cybersecurity practitioners; identify emerging semantic
themes and categories of observations that inform the participants’
contextual realities.

14. Findings

15. Themes and Categories
Semantic Theme General Form Categories of observations
1 | Purpose, form
and function of a
regional CERT
Tangible, action
based outcomes
11 categories.
Participants described “how the
CERT should work”.
2 | Preserving the
national character
Abstract,
behaviour based
outcomes
9 categories.
Participants described “why the
CERT is important”
Analysis of the interview transcripts yielded
20 categories of observations, subjectively
grouped into two semantic themes.
Semantic Theme 1 | The purpose, form and
function of a Pacific Islands regional CERT
Semantic Theme 2 | National governments’
tendency to preserve their national
character

16. Findings
Current knowledge | Eleven categories were
consistent with the literature and tied the participants’
narratives to the theoretical framework.
New knowledge | Nine categories were not aligned
with the literature and may extend the theoretical
framework. Non-aligned findings included challenges
and opportunities for Pacific Island nations.
➔ Challenges | Four disincentives for Pacific Island
nations to commit to a regional framework
➔ Opportunities | Five opportunities for national
governments to reinforce their domestic
interests within a regional framework
New
Challenges
Current
Knowledge
New
Opportunities
11
4
5
Observations
20

17. Opportunities and Challenges
New
Opportunities
5
1. Improved government planning and preparation for domestic spending
2. Prioritise national policy and investment towards building local capability
maturity and resilience
3. Seek investment from regional and global partners, for local capability
maturity
4. National governments to ground policy in robust, strategic planning
5. National government to own and emphasise building local community
cybersecurity awareness

18. Opportunities and Challenges
New
Challenges
4
1. Monitoring outcomes as a measure of capability maturity
2. Over-reliance on overseas partners; subjugation of national identity
3. Partners’ lack of cultural awareness
4. Lack of regional legal framework

19. Discussion National CERT policies and practices can be
leveraged to inform a regional framework
Regional-specific constraints, opportunities
and challenges
Four actionable outcomes to enable the
semantic themes

20. Research Findings
National CERT policies and practices can be leveraged to inform a regional framework
● Purpose, form and function are shaped by domestic policy priorities
● Domestic priorities will be expected to override those of the regional framework
Contemporary research applies a “developed nation” perspective to consideration of a
regional framework supported by global practices, however… the research participants
challenge that perspective by identifying specific Pacific Island constraints, challenges and
opportunities.

21. Research Findings
The findings identified four outcomes that enact the semantic themes
1. The regional CERT framework requires an affiliation of independent national CERTS,
each serving their respective national interests, while collaborating on matters of
shared impact.
2. Regional partners have a critical role to play in providing support that targets national
and regional capacity-building.
3. Regional partners’ support should align with the policy priorities of the national
governments.
4. Support for capacity building should be based on sound strategic and policy planning,
with a focus on commercial investment opportunities and targeted domestic
investment in resources (including people and skills), infrastructure and industry.

22. Implications
for Research
and Practice

23. Conflict
Putting the two semantic themes into practice creates a conflict.
Theme 1 (Regional CERT framework)
Emerging sense of importance,
urgency and commercial
opportunities arising from a national
cybersecurity response capability
Theme 2 (National Identity)
Dependence on larger partners and
neighbors to provide resources, skills
and capability resilience

24. Domestic Policy Priorities
Domestic policy settings can address the conflict, by focusing on three drivers.
Driver 1 | Preserve the national interest
Driver 2 | Domestic funding priorities
Driver 3 | Developing domestic capability maturity and resilience
These drivers shape the national government's’ priorities for developing a cybersecurity
response capability. They also provide regional partners with markers for the type of capacity
building investment and support that will be required.

25. Actionable Outcomes
Outcome 1 | Regional framework consists of a network of affiliated national CERTs, each
supporting their domestic priorities and collaborating on shared interests
Outcome 2 | Regional partners provide support for domestic capacity building, improved
strategic planning, and creating a maturity model for current and emerging CERT standards
and practices
Outcome 3 | Regional partners provide bespoke (not a “one size fits all” approach) support that
targets national capability drivers - investment opportunities, education and training, CERT
brand differentiator
Outcome 4 | Regional partners should provide support based on transparent strategic
planning, funding and measurement of outcomes and benchmark returns.

26. Limitations

27. Limitations of this Research
COVID 19 | The global COVID 19 pandemic made it difficult to engage with isolated,
vulnerable Pacific Island participants.
Participant bias | The small number of participants introduced a bias towards those who
spoke more extensively about their experiences.
To overcome these two limitations, we engaged with global and regional partners to
supplement the Pacific Island participants’ views. This reflect a compromise outcome.
Additional research is in progress - this will extend this initial work and provide additional
participants and a greater plurality of views, to develop a deeper and more contextual
analysis of the semantic themes.

28. Conclusions

29. Conclusion 1
Pacific Island nations can use their
contrasting and complementary
domestic cybersecurity
capabilities to inform a regional
CERT framework.
Pacific Island nations can inform a
regional CERT framework.

30. Conclusion 2
Theme 1 | Purpose, form and
function of a regional framework
would reflect the domestic policy
considerations and priorities of the
participating nations
Theme 2 | Participating
governments are likely to prioritize
their national interests above
those of the regional framework.
The regional framework will be
grounded in two semantic themes.

31. Conclusion 3
Outcome 1 | Network of affiliated
national CERTs
Outcome 2 | Partner support for
domestic capacity building
Outcome 3 | Partner support for
“bespoke” national policy priority
areas that target capacity building
Outcome 4 | Partner support
grounded in strategic planning, and
benefit/outcome measurement
Pacific Island nations can enable
the framework through four (4)
actionable outcomes.

32. Tony Adams
PhD student
Faculty of Information Technology
Monash University
Clayton, Australia
anthony.adams@monash.edu
+614 0786 3600