Enhancing Malaysia’s cyber defences

As cyber threats become increasingly sophisticated, there's a critical need to measure and improve cyber defence capabilities. University of Melbourne researchers are helping Malaysia’s critical infrastructure operators strengthen their cybersecurity by developing an evidence-based tool that allows organisations to measure their cyber resilience, drawing on empirical studies of Malaysian banks and telcos.

The outcome

“We believe that this maturity model will be one of the tools Malaysian organisations can use in measuring where they are, what their gaps are, and where they should be in terms of raising their cybersecurity baseline,” says Ms Shariffah Rashidah, Director of Cyber Security Policy and International Cooperation at NACSA.

University of Melbourne project lead Professor Atif Ahmad explains that the team developed the model by measuring the cyber defences of partner organisations in Malaysia.

“We collected a considerable amount of empirical data on how Malaysian critical infrastructures behaved when under cyber-attack,” Prof Ahmad says. “From that evidence, we built a maturity model which we then tested against the Malaysian government, industry, and academics.”

The need

As cyber threats become increasingly sophisticated, there's a critical need for a standardised way to measure and improve cyber defence capabilities, especially for critical infrastructure operators. Our project addressed that need by creating a comprehensive, context-specific model to assess the maturity of Malaysia’s cyber defences in critical infrastructure industries.

The urgency of this need is well-recognised by industry leaders. “The maturity model developed by the University of Melbourne with the National University of Malaysia really presents something that corporations like ours are keen to explore,” says Dr Amir Abdul Samad, Chief Information Security Officer of Malaysian energy company, Petronas.

“Being able to have good situational awareness and the right intelligence is absolutely critical for organisations because you need to know what you're up against in order to be able to defend against it.”

The research

The team conducted extensive field research, including multiple case studies of cybersecurity practices in Malaysian critical infrastructure organisations. The findings were then benchmarked against a leading Australian organisation to identify best practices and areas for improvement.

“We were able to get a high concentration of telecommunications providers involved in validation,” says Associate Professor Sean Maynard. “So, we have a high level of confidence that the model is accurate for the telecommunications sector.”

Developing the solution

The project team designed a maturity model that serves as a ‘yardstick’ for measuring cyber incident response capability. This model was rigorously tested and validated with Malaysian government agencies, industry leaders, and academics to ensure its relevance and effectiveness.

“This model is interesting because it focused on strategic thinking, decision-making, and how to deal with threat intelligence on an organisational – and even national – scale,” says Dawud Wilmot, Chief Information Security Officer of Maxis Telecommunications.

Partners

• National Cyber Security Agency of Malaysia (NACSA)
• Academic Centre for Cyber Security Excellence, University of Melbourne
• Centre for Cyber Security, National University of Malaysia (UKM)
• Various Malaysian critical infrastructure organisations

Funding support

• Funded by the Australian Government's Cyber and Critical Tech Cooperation Program (CCTCP)

People

• Professor Atif Ahmad, University of Melbourne
• Associate Professor Sean Maynard, University of Melbourne
• Dr Jongkil Jay Jeong, University of Melbourne