The SACC framework aims to help countries to achieve three aims: first, to develop interventions that address their specific needs and priorities; second, to identify gaps in any current or existing plans; and finally, to benefit from the established good practice and practical support available from the international community. The framework is designed to facilitate a structured conversation among policymakers from relevant ministries and agencies – such as ICT, interior and security ministries, and police and security agencies – on how to tackle cybercrime comprehensively and strategically.
There are no ‘right’ answers to the questions set out in the framework. Instead, the questions are designed to prompt discussion among decision-makers, practitioners and other stakeholders. Such discussions will facilitate choices that best suit a country’s circumstances.
The absence of any answer to a question will usually indicate that there is a gap in that country’s overall approach to tackling cybercrime and therefore in its strategic thinking around the issue. For example, if there is no clear answer to the question ‘What are the country’s specific national priorities when it comes to cybercrime?’, that could suggest a lack of proper analysis on the actual impact of cybercrime on the country, or perhaps that there is a lack of consensus on which crimes need to be tackled with the greatest urgency. Likewise, if there is no answer to the question ‘What role does the private sector play in preventing and/or
investigating cybercrime?’, that could suggest that the private sector has not been engaged with effectively.
It follows that there is little point in giving cursory answers to the questions in the framework. Instead, they should be seen as an opportunity to explore the options that might exist, and to engage relevant stakeholders in a meaningful debate about which of those options are best for the country concerned.
To be effective, such debates need to be:
- Inclusive. All relevant stakeholders need to be involved (or at least represented) in the process. For example, the framework includes a focus on EDI because the needs of otherwise marginalized groups risk being under-represented.
- Informed. It is difficult to make judgements on priorities if there is little data available. For example, on the actual harm being experienced by the victims of cybercrime, or on the impact of interventions made. Intelligence and evaluation are therefore both important features of the framework.
- Realistic. Policy options are viable only when policymakers have assurance regarding the availability of requisite resources, specialized capabilities and political commitment to support them. The framework therefore consistently emphasizes accountability, resource allocation and prioritization.
- Connected. Effective cybercrime interventions require collaboration both inside a country’s borders and with international partners. It is important to think through the kinds of partnerships needed and how they can be enabled both in practical terms and by law. Including partners in the SACC process is one way to draw out these issues.
Deployment options
Deployment of the SACC framework can take various forms, offering flexibility to accommodate different needs and preferences. This section elaborates on three distinct options for consideration. However, the decision regarding which deployment method to adopt ultimately depends on the specific circumstances, resources and objectives of the context in which the assessment if being conducted.
Option 1: Focus group methodology
The first option is to use independent experts to facilitate focus group interviews, supporting participants in answering the SACC framework questions. By involving different groups of stakeholders at the same time, multiple perspectives can be obtained.
This methodology has been used extensively for conducting maturity assessments, such as in the Cybersecurity Maturity Model for Nations (CMM). The benefit is that the independent experts can ‘facilitate a discussion between the participants, encouraging them to adopt, defend or criticise different perspectives… making it possible for a level of consensus to be reached among participants and for a better understanding of cybersecurity practices and capacities to be obtained’. The SACC framework is not a maturity model but it does lend itself to the focus group approach. In this approach, facilitators with experience and expertise in the various elements of the framework convene mixed groups of stakeholders over the period of one or two days in-country to examine the questions and identify where there are gaps or decisions to be made. Such a process would normally culminate in a final report, setting out the outstanding issues that the country can then take forward as part of their internal policy and capacity-building processes.
The SACC framework has been already deployed using the focus group methodology as part of the CMM for Fiji, delivered by the Oceania Cyber Security Centre (OCSC) in February 2024. As a regular feature of the CMM reviews, the OCSC uses a combination of in-country focus groups and desktop research to collect the necessary data to perform a national assessment. The participants in the focus groups are carefully selected based on their knowledge of the local cyber landscape, and are divided into groups in line with the different dimensions of the CMM. In preparation for the focus groups addressing Dimension 4 of the CMM – ‘Legal and Regulatory Frameworks’ – the OCSC used the SACC framework to redesign their question sets and develop a more comprehensive research agenda that better interrogated Fiji’s cybercrime enablers and barriers. Furthermore, the structure and quality of many of the questions, such as those on EDI, also proved useful in the non-legislative focus groups, contrary to the research team’s initial expectations. Overall, the rigorous scope of the framework broadened the team’s investigative focus compared to previous reviews, and facilitated a more holistic data-collection process. This data will inform the analysis and recommendations of the final report currently being written and help Fiji to further advance its national cyber strategy.
Option 2: Self-assessment
Countries may prefer to conduct their own internal reviews, using the framework as a prompt – for instance, at the very start of a strategy development process or as part of a periodic review. It is important to ensure that, irrespective of the reviewer(s), the process remains ‘informed, inclusive, realistic and connected’, and that the right stakeholders are involved. It is important to recognize that self-assessment by policymakers or operational practitioners alone may fail to uncover all pertinent issues, or could lead to a misleading assessment, due to issues such as biases, limited perspectives or incomplete information. For that reason, independent scrutiny is an important part of the process. This scrutiny could take the form of incorporating external experts to facilitate discussions and ensure an impartial review and assessment.
Option 3: Simulation exercises
A third way to deploy the framework is to use it as the basis for a simulation exercise. This approach was tested as part of the development process of the SACC project, and proved effective not only in getting the stakeholders to agree on gaps in their current responses, but also in identifying improvements to the framework itself. The test simulation exercise took place alongside the INTERPOL Global Cybercrime conference in Singapore in October 2023, and involved eight countries from the ASEAN region. The scenario featured advanced remote access Trojan (RAT) malware being sold in the region and used to commit financial fraud, blackmail and online sexual offences.
The framework was designed by the project team to draw out potential dilemmas for the participants to address at each of three phases of the storyline, which are:
- Immediate crisis response;
- Ongoing operation; and
- Post-crisis evaluation.
These three phases enabled individual country representatives to consider the various questions set out in the framework, such as:
- How to prioritize interventions to disrupt the buyers and sellers of the RAT vs direct measures to protect victims and potential victims.
- How to coordinate interventions across multiple local and regional law enforcement agencies.
- How to facilitate cross-border cooperation to disrupt the upper echelons of the organized crime group responsible.
- How to tell if the interventions being taken were having an effect.
Although no assessment was included in the exercise, this element could be added to the process through the participation of external assessors. In the event, individual country representatives were encouraged to take away their own learnings from the exercise and use them to inform their internal strategic planning processes.