2020 International Conference on Information Technology Systems and Innovation (ICITSI)

Bandung - Padang, October 19 - 23, 2020


ISBN: 978-1-7281-8196-7

Maturity Assessment of Cyber Security in The Workforce Management Domain: A Case Study in Bank Indonesia
1st Adyan Pamungkas Ganefi Putra, Faculty of Computer Science, Universitas Indonesia, Jakarta, Indonesia, adyan.pamungkas@ui.ac.id
2nd Figur Humani, Faculty of Computer Science, Universitas Indonesia, Jakarta, Indonesia, figur.humani@ui.ac.id
3rd Faishal Wafiq Zakiy, Faculty of Computer Science, Universitas Indonesia, Jakarta, Indonesia, faishal.wafiq@ui.ac.id
4th Muhammad Rifki Shihab, Faculty of Computer Science, Universitas Indonesia, Jakarta, Indonesia, shihab@cs.ui.ac.id
5th Benny Ranti, Faculty of Computer Science, Universitas Indonesia, Jakarta, Indonesia, ranti@ui.ac.id

Abstract— The very fast growth of information technology is bringing about a completely digital era, the so-called digital age. This phenomenon leads institutions and organizations to adopt information technology that can help increase efficiency in carrying out activities and achieving business goals. The use of information technology does not only have a positive impact. The higher the utilization of information technology, the higher the gaps in security incidents and the potential for cybercrimes, so cybersecurity becomes an important factor in minimizing this issue. In the business processes of financial institutions that focus on economic stability, where IT plays the role of an enabler, workforce management that focuses on cybersecurity must nevertheless be managed properly. This study attempts to assess cybersecurity maturity within the scope of Workforce Management in a case study at Bank Indonesia. The framework used in conducting this assessment is the C2M2 framework, focusing on the Workforce Management domain. The results of this study indicate that cybersecurity in the workforce management domain at Bank Indonesia has not reached MIL 3. The results of the assessment will serve as a reference for improving cybersecurity in the field of workforce management at Bank Indonesia.

Keywords—assessment, cyber security management, maturity, workforce management

I. INTRODUCTION

The introduction of information technology in an organization will bring efficiency and productivity, as well as new problems such as new potential for cybercrime [1]. Cybercrime encompasses different malicious activities such as stealing people's identities, manipulating digital financial data, downloading illegal data files, and damaging the network system as well as the information systems of a targeted institution or organization [2].

The greater the potential for cyberattacks to happen in an institution or organization, the more important are awareness and preparedness for preventive actions that must be taken so that the business continuity of the institution or organization can be maintained. Therefore, in order to gain the full benefits of utilizing information technology in an organization, the management of cybersecurity in the organization becomes an important thing to consider.

Bank Indonesia is the central bank of Indonesia, with many branch offices operating all over the country and in other countries. There are dozens of information systems working together, operated by hundreds of workers, to support business operations and achieve organizational goals. With this organization-wide IT operation, the potential for security incidents is also huge, with high impact on business continuity. In an organization such as Bank Indonesia the role of IT is only that of an enabler. However, since the daily operation of this bank depends very much on a working IT system, a workforce with strong expertise in cybersecurity is necessary. In addition, information security should be the responsibility and awareness of all employees. Upgrading the skills of the existing workforce and hiring personnel with the appropriate level of cybersecurity experience, education and training is a challenge for Bank Indonesia. Employment issues are an important aspect of successfully addressing cybersecurity and risk management for this system [3].

To help address this issue, we conducted an assessment of cybersecurity management in Bank Indonesia within the scope of workforce management. There are several cybersecurity maturity models that can be used, for example the Cybersecurity Capability Maturity Model (C2M2) and the Community Cybersecurity Maturity Model (CCSMM) [4]. C2M2 was developed by the U.S. Department of Energy. C2M2 can be used to strengthen an organization's cybersecurity capabilities, enable organizations to effectively and consistently evaluate cybersecurity capabilities, and enable an organization to prioritize actions and investments in improving cybersecurity [3]. The difference between C2M2 and CCSMM is that C2M2 has a domain that focuses on workforce management [4]. This research therefore conducts a cybersecurity maturity assessment in Bank Indonesia using the C2M2 framework within the scope of the Workforce Management domain. The results of the assessment are expected to be considered in improving the deficiencies in the workforce management domain.

978-1-7281-8196-7/20/$31.00 ©2020 IEEE

Authorized licensed use limited to: University of Technology Sydney. Downloaded on May 23,2021 at 19:09:51 UTC from IEEE Xplore. Restrictions apply.
II. LITERATURE REVIEW

A. Cybercrime

Cybercrime is a crime that happens in cyberspace, committed by irresponsible people or communities. Attacks or crimes can occur anytime and anywhere, including in cyberspace. The higher the use of internet technology, the greater the potential for cybercrime, so awareness must be raised about the importance of understanding the potential for cyberattacks and crime. Threats and vulnerabilities are usually artifacts in the online world that can be exploited by attackers to endanger victims. For example, an attacker can exploit a buffer overflow to compromise a computer and use it to send SPAM [5].

B. Cyber Security

Cybersecurity is a process and control designed to protect information technology systems from cyberattacks or crimes. With effective implementation of cybersecurity, the risk of crime or attacks on the system can be reduced. Cybersecurity seeks to protect computer systems and all components such as hardware, software, data and all digital infrastructure from attacks.

Cybersecurity is a collection of tools, policies, security concepts, security protections, guidelines, risk management approaches, actions, training, best practices, guarantees and technologies that can be used to protect the cyber environment and organizations, as well as user assets. User organization and assets encompass connected computing devices, services, infrastructure, applications, telecommunications systems, and the total information transmitted or stored in a cyber environment [6].

C. Cyber Security Maturity Models

Today there are several frameworks to measure the extent of cybersecurity capabilities possessed by a company or organization. A Cyber Security Maturity Model is a framework or model used to measure the ability of a company or organization to conduct cybersecurity. A cybersecurity model can be understood as a description of how cybersecurity systems operate together with measurement tools to determine the level or state of cybersecurity from cyberspace, and strategies and actions to strengthen it and prevent exploitation of weaknesses in the future [4]. The structure of cybersecurity maturity models can be explained in terms of functions, main components, and types of maturity models [7]. The main functions of the maturity model are: a means to assess and compare performance; a roadmap for model-based improvement; and a means to identify gaps and develop improvement plans. The key components are: maturity level, a scale of security measurement or transition state; security domains, logical groups of practices and processes; attributes, the core content of the model compiled by domain and level; diagnostic methods for assessment, measurement, identification of gaps, and comparisons; and a roadmap for improvement to guide improvement efforts, such as Plan-Do-Check-Act or Observe-Orient-Decide-Act [4].

There are three types of maturity models, namely progression, capability, and hybrid. The progression model describes the level as a higher level of achievement; the capability model shows the extent to which certain practices have been established. Hybrid models are a combination of the best features of the progression model and the capability model, where the level of maturity expresses progression and capability [4]. Models that are often discussed in research or scientific articles include C2M2, SSE-CMM, CCSMM, and NICE.

D. Cybersecurity Capability Maturity Model (C2M2)

C2M2 is a model to measure the maturity of cybersecurity and belongs to the capability type of model. C2M2 for IT Services is presented to help IT services organizations of all sectors and types enhance their cybersecurity programs [8]. C2M2 was developed by the U.S. Department of Energy; it was first released in 2012 and updated in 2014. C2M2 focuses on the implementation and management of cybersecurity practices related to information, information technology, and asset operations technology [3]. This model can be used to:

• Strengthen the cybersecurity capabilities of an organization.
• Enable organizations to effectively and consistently evaluate and benchmark against the cybersecurity capabilities of other organizations.
• Provide knowledge, best practice, and relevant references across organizations to improve cybersecurity capabilities.
• Enable organizations to prioritize actions and investments to improve cybersecurity.

III. METHODOLOGY

This research follows the case study methodology. Case studies are a description and analysis of individual problems or cases with the aim of identifying variables, structures, forms, and sequences of interactions between participants in situations, or to conduct work performance assessments or progress in development [9]. The case study method is an approach for focusing deeply on a problem. This study uses qualitative methods in determining the results of the cybersecurity management assessment in Bank Indonesia for the Workforce Management domain, based on the control parameters in the C2M2 framework.

In C2M2 there are 10 domains used in cybersecurity analysis, as in the following list:

1) Risk Management
2) Asset, Change, and Configuration Management
3) Identity and Access Management
4) Threat and Vulnerability Management
5) Situational Awareness
6) Event and Incident Response
7) Supply Chain and External Dependencies Management
8) Workforce Management
9) Cybersecurity Architecture
10) Cybersecurity Program Management

The structure of C2M2 can be seen in the following figure:

Fig. 1. C2M2's Structure

To get the results of the analysis, the required data were collected by conducting interviews and a study of documents, then an assessment of the data was carried out. The interviewees in this study were employees who were members of the Information Systems Security and Cyber Security Working Team at Bank Indonesia. The study of documents was conducted on the work plan documents of the Department of Information System Management at Bank Indonesia, monthly performance evaluation reports, documents of the cybersecurity team organizational structure containing the roles and responsibilities of personnel, as well as audit documents from the ISO 27001 audit program.

This research focuses on the Workforce Management domain. The purpose of this domain is to establish and maintain plans, procedures, technologies, and controls to create a culture of cybersecurity and to ensure the ongoing suitability and competence of personnel, commensurate with the risk to critical infrastructure and organizational objectives [3]. The Workforce Management domain comprises five objectives:

A. Assign Cybersecurity Responsibilities
B. Develop Cybersecurity Workforce
C. Implement Workforce Controls
D. Increase Cybersecurity Awareness
E. Management Activities

Each objective consists of a list of assessment controls grouped by MIL1, MIL2, and MIL3 according to their respective levels. Every MIL is a prerequisite for reaching the next MIL level. The model contains no practices for MIL0. MIL0 simply means that MIL1 in a given objective has not been achieved [3]. The following is a detailed list of assessments that have been mapped to MIL for each objective:

A. Assign Cybersecurity Responsibilities
a) MIL1
1) Cybersecurity responsibilities for the function are identified, at least in an ad hoc manner. Q1
2) Cybersecurity responsibilities are assigned to specific people, at least in an ad hoc manner. Q2
b) MIL2
3) Cybersecurity responsibilities are assigned to specific roles, including external service providers (e.g., Internet service providers, security as a service providers, cloud service providers, IT/OT service providers). Q3
4) Cybersecurity responsibilities are documented (e.g., in position descriptions, in performance criteria). Q4
c) MIL3
5) Cybersecurity responsibilities and job requirements are reviewed and updated in accordance with organization-defined triggers (e.g., time elapsed, personnel changes, process changes). Q5
6) Assigned cybersecurity responsibilities are managed to ensure adequacy and redundancy of coverage, including succession planning. Q6

B. Develop Cybersecurity Workforce
a) MIL1
1) Cybersecurity training is made available to personnel with assigned cybersecurity responsibilities, at least in an ad hoc manner. Q1
2) Cybersecurity knowledge, skill, and ability requirements and gaps are identified for both current and future operational needs. Q2
b) MIL2
3) Training, recruiting, and retention efforts are aligned to address identified workforce gaps. Q3
4) Cybersecurity training is provided as a prerequisite to granting access to assets that support the delivery of the function (e.g., new personnel training, personnel transfer training). Q4
c) MIL3
5) The effectiveness of training programs is evaluated at an organization-defined frequency, and improvements are made as appropriate. Q5
6) Training programs include continuing education and professional development opportunities for personnel with significant cybersecurity responsibilities. Q6

C. Implement Workforce Controls
a) MIL1
1) Personnel vetting (e.g., background checks, drug tests) is performed, at least in an ad hoc manner, at hire for positions that have access to the assets required for delivery of the function. Q1
2) Personnel termination procedures address cybersecurity, at least in an ad hoc manner. Q2
b) MIL2
3) Personnel vetting is performed at an organization-defined frequency for positions that have access to the assets required for delivery of the function. Q3
4) Personnel transfer procedures address cybersecurity. Q4
c) MIL3
5) Vetting is performed for all positions (including employees, vendors, and contractors) at a level commensurate with position risk. Q5
6) A formal accountability process that includes disciplinary actions is implemented for personnel who fail to comply with established security policies and procedures. Q6

D. Increase Cybersecurity Awareness
a) MIL1
1) Cybersecurity awareness activities occur, at least in an ad hoc manner. Q1
b) MIL2
2) Objectives for cybersecurity awareness activities are established and maintained. Q2

3) Cybersecurity awareness objectives are aligned with the defined threat profile. Q3
c) MIL3
4) Cybersecurity awareness activities are aligned with the predefined states of operation. Q4
5) The effectiveness of cybersecurity awareness activities is evaluated at an organization-defined frequency, and improvements are made as appropriate. Q5

E. Management Activities
a) MIL1
No practice at MIL 1
b) MIL2
1) Documented practices are established, followed, and maintained for activities in the WORKFORCE domain. Q1
2) Adequate resources (people, funding, and tools) are provided to support activities in the WORKFORCE domain. Q2
3) Personnel performing activities in the WORKFORCE domain have the skills and knowledge needed to perform their assigned responsibilities. Q3
4) Responsibility and authority for the performance of activities in the WORKFORCE domain are assigned to personnel. Q4
c) MIL3
5) Policies or other organizational directives are established and maintained that enact specific organizational requirements for the implementation of activities in the WORKFORCE domain. Q5
6) Performance objectives for activities in the WORKFORCE domain are established and monitored to track achievement. Q6
7) Documented practices for activities in the WORKFORCE domain are standardized and improved across the enterprise. Q7

IV. ANALYSIS AND DISCUSSION

The following is an analysis for each objective based on data obtained from interviews and the study of documents.

A. Assign Cybersecurity Responsibilities

Bank Indonesia has a department that focuses on managing its information technology, and within that department there is a special team that focuses on cybersecurity, namely the Information Systems Security and Cyber Security Working Team. This cybersecurity team was designated by the head of the IT department and has 3 functions, namely: the Function of Information Systems Security and Cyber Security Policy, the Function of Information System Vulnerability and Cyber Security Management, and the Function of Threat Monitoring and Information System Security Incident Response and Cyber Security. Each function has defined membership, job descriptions, and responsibilities, and has been assigned to specific personnel. This has been documented in the Decree of the Head of the IT Department in Bank Indonesia. Therefore, Q1, Q2, Q3, Q4, and Q6 have been fully implemented. The attacks that occurred in Bank Indonesia became a reference for identifying the type of attack, which is then compared against the current handling strategy to see whether it is still relevant or not. However, there is a weakness, namely that the review activities are not carried out periodically, but only when an attack occurs that needs to be coordinated. Therefore, Q5 is only partially implemented.

B. Develop Cybersecurity Workforce

In developing the skills and competencies of its employees, Bank Indonesia has a training program in the form of regular training, seminars, or workshops. The implementation of employee competency development is adjusted to the positions, roles and responsibilities of employees and takes into account current knowledge and ability gaps. In addition, personnel who are assigned to enter the cyber team are required to attend training in advance or already have cybersecurity certification. The competency development program at Bank Indonesia is carried out continuously and gives its employees the opportunity to become professionals. With this, Bank Indonesia has fulfilled Q1, Q3, Q4, and Q6. The management of identifying knowledge gaps in Bank Indonesia is not focused on planning for future needs, only on the present, so Q2 is only partially implemented. In addition, there was no evaluation of the effectiveness of the training program in Bank Indonesia, so there was no assessment of whether the training program was effective or not; this resulted in Q5 not being implemented in Bank Indonesia.

C. Implement Workforce Controls

In the recruitment process at Bank Indonesia there are a series of tests and background checks as well as a health history check. But there are no special examinations or series of tests for employees who are to be part of the cyber team in Bank Indonesia. The selection is only based on how competent the employee is in terms of cybersecurity. Other than that, there is no special inspection based on the position or function to be held; all are generalized. This makes Q1 and Q5 only partially implemented. There is a procedure that requires all confidential data to be fully returned to Bank Indonesia if employees leave Bank Indonesia, but there is no specific procedure related to the dismissal of personnel from the cyber team, so Q2 is only partially implemented. Implementation of cybersecurity in terms of information security refers to the ISO 27001 standard, where one of the controls is to review employee access rights on a two-monthly basis, so that Q3 is implemented. The transfer of knowledge to fellow teams or to new personnel is done informally; there are no formal rules set, so Q4 is only implemented partially. If personnel commit disciplinary violations, the cyber team in Bank Indonesia has implemented the established rules; this makes Q6 implemented.

D. Increase Cybersecurity Awareness

The cybersecurity awareness program in Bank Indonesia was formed and implemented by the cyber team by setting goals based on current conditions and threat profiles that have occurred or are currently trending. The cybersecurity awareness program is carried out for all employees in Bank Indonesia with various types such as notifications through

posters, email blasts, or questionnaires given to all employees. Based on this, Q1, Q2, Q3 and Q4 have been implemented. However, there is no routine evaluation of the cybersecurity awareness program in Bank Indonesia, so Q5 is not implemented in Bank Indonesia.

E. Management Activities

The practices in Bank Indonesia's cybersecurity team are reviewed and compiled at the beginning of the year together with the preparation and determination of the work programs of other divisions in Bank Indonesia's IT department. These practices or duties and responsibilities, as well as performance targets, are stated in the Key Performance Indicator (KPI) document along with the mapping of its personnel. The practices compiled refer to ISO 27001 standards. KPI documents are reviewed and monitored on a monthly basis, led by the head of the IT department. Based on this, Q1, Q4, Q5, Q6, Q7 have been implemented. The resources of the cyber team in Bank Indonesia in terms of funding are already very adequate, and the tools used are in accordance with best practice, but the people in the cyber team are still very few, so Q2 is only partially implemented. The skills and abilities of the people in terms of cybersecurity are sufficient, so Q3 has been implemented.

TABLE I. RESULT OF ASSESSMENT

Objectives | MIL | Control | Result
Assign Cybersecurity Responsibilities | MIL 1 | Q1 | Implemented
Assign Cybersecurity Responsibilities | MIL 1 | Q2 | Implemented
Assign Cybersecurity Responsibilities | MIL 2 | Q3 | Implemented
Assign Cybersecurity Responsibilities | MIL 2 | Q4 | Implemented
Assign Cybersecurity Responsibilities | MIL 3 | Q5 | Partially Implemented
Assign Cybersecurity Responsibilities | MIL 3 | Q6 | Implemented
Develop Cybersecurity Workforce | MIL 1 | Q1 | Implemented
Develop Cybersecurity Workforce | MIL 1 | Q2 | Partially Implemented
Develop Cybersecurity Workforce | MIL 2 | Q3 | Implemented
Develop Cybersecurity Workforce | MIL 2 | Q4 | Implemented
Develop Cybersecurity Workforce | MIL 3 | Q5 | Not Implemented
Develop Cybersecurity Workforce | MIL 3 | Q6 | Implemented
Implement Workforce Controls | MIL 1 | Q1 | Partially Implemented
Implement Workforce Controls | MIL 1 | Q2 | Partially Implemented
Implement Workforce Controls | MIL 2 | Q3 | Implemented
Implement Workforce Controls | MIL 2 | Q4 | Not Implemented
Implement Workforce Controls | MIL 3 | Q5 | Partially Implemented
Implement Workforce Controls | MIL 3 | Q6 | Implemented
Increase Cybersecurity Awareness | MIL 1 | Q1 | Implemented
Increase Cybersecurity Awareness | MIL 2 | Q2 | Implemented
Increase Cybersecurity Awareness | MIL 2 | Q3 | Implemented
Increase Cybersecurity Awareness | MIL 3 | Q4 | Implemented
Increase Cybersecurity Awareness | MIL 3 | Q5 | Not Implemented
Management Activities | MIL 2 | Q1 | Implemented
Management Activities | MIL 2 | Q2 | Partially Implemented
Management Activities | MIL 2 | Q3 | Implemented
Management Activities | MIL 2 | Q4 | Implemented
Management Activities | MIL 3 | Q5 | Implemented
Management Activities | MIL 3 | Q6 | Implemented
Management Activities | MIL 3 | Q7 | Implemented

Because C2M2 requires that each MIL is a prerequisite for reaching the next MIL, the final MIL of each objective is as follows:

TABLE II. END OF RESULT OF ASSESSMENT

Objectives of Workforce Management Domain | MIL 1 | MIL 2 | MIL 3 | End of Result
Assign Cybersecurity Responsibilities | Achieved | Achieved | Not Achieved | MIL 2
Develop Cybersecurity Workforce | Not Achieved | Achieved | Not Achieved | MIL 0
Implement Workforce Controls | Not Achieved | Not Achieved | Not Achieved | MIL 0
Increase Cybersecurity Awareness | Achieved | Achieved | Not Achieved | MIL 2
Management Activities | Not defined | Not Achieved | Achieved | MIL 0

From these results, cybersecurity at Bank Indonesia in the workforce management domain needs improvement in terms of:

A. Assign Cybersecurity Responsibilities

In order to align responsibilities and job requirements with updated vulnerability situations, a special review of the processes and programs of the cyber team at Bank Indonesia is needed on a regular basis. With frequent and routine reviews, the cyber team's duties and responsibilities will remain relevant to the latest conditions of cyber vulnerability.

B. Develop Cybersecurity Workforce

In conducting the strategy of managing the gap in knowledge, skills and abilities of the cyber team personnel at Bank Indonesia, planning for future operations is needed, not just a focus on the current period. The development of effective and innovative cyberattack defense mechanisms has been considered an urgent requirement in the cybersecurity community [10]. In addition, the competency development program at Bank Indonesia must be reviewed to determine whether it is effective enough or not, so that if not, improvements can be made and the addition of knowledge and skills of cyber team personnel runs effectively.

C. Implement Workforce Controls

A special inspection is required of prospective personnel who will enter the cyber team at Bank Indonesia. The inspection must be adapted to the function they will enter, so that each function in the cyber team has its own requirement specifications. In addition, in the case of dismissal of cyber team personnel there must be procedures governing it, so that ownership of confidential data can be maintained. In the case of knowledge management in the cyber team, it is strongly recommended that a procedure for transferring knowledge between personnel be made so that knowledge can be evenly distributed.

D. Increase Cybersecurity Awareness

The cybersecurity awareness program at Bank Indonesia is required to have a routine evaluation, because the development of cyberattacks is very fast and there are various ways of attack, so routine and frequent evaluations must be carried out for the program to remain relevant. In running a cybersecurity awareness program, make sure users understand the dangers of certain activities, such as sharing passwords. Help them understand the reasons for

security measures that might make them uncomfortable. Involve them to be a part in maintaining security [11].

E. Management Activities

To make a strong and solid cyber team, adequate resources are needed. Resources can be people, funds, and tools. Due to the lack of people on the cyber team at Bank Indonesia, the recruitment of competent people in the field of cybersecurity is very much needed. Successful recruitment requires experienced recruitment teams with expertise in developing networks, identifying groups of qualified individuals, managing the recruitment lifecycle, and building relationships with sources of talent [12]. The security policy established should at least answer questions like the following [11]:

• What types of passwords are users permitted to use on the system, and how often do users have to change passwords?
• Who is allowed to have an account on the company system?
• What security features must be activated on the computer before it can connect to the corporate network?
• What services are allowed to operate on the company's network?
• What are users allowed to download?

V. CONCLUSION

This paper reviews the maturity of cybersecurity in Bank Indonesia. We conducted the assessment using the C2M2 framework, limiting the scope of the research to the Workforce Management domain. From the results of the study it can be concluded that cybersecurity in the workforce management domain at Bank Indonesia has not reached MIL 3. Based on the analysis discussed in the previous section:

• The Assign Cybersecurity Responsibilities objective achieved MIL 2 because Q5, which is one of the prerequisites for achieving MIL 3, is only partially implemented.
• The Develop Cybersecurity Workforce objective cannot reach MIL 1, even though the requirements in MIL 2 have been fulfilled, because Q2, which is one of the prerequisites for achieving MIL 1, is only partially implemented.
• The Implement Workforce Controls objective cannot reach MIL 1 because Q1 and Q2 are only partially implemented.
• The Increase Cybersecurity Awareness objective achieved MIL 2 because Q5 is not implemented, so MIL 3 is still not achieved.
• The Management Activities objective has not been able to reach MIL 2, even though MIL 3 has all been implemented, because Q2, which is one of the prerequisites for achieving MIL 2, is only partially implemented.

The results of this study can be a reference and consideration for improving workforce management in cybersecurity at Bank Indonesia. This study covers only one of the domains included in C2M2. Further research is expected to be able to carry out an assessment using C2M2 in other domains.

REFERENCES

[1] A. Bendovschi, "Cyber-attacks – trends, patterns and security countermeasures," in Procedia Economics and Finance, Bucharest, 2015.
[2] E. Ramdinmawii, S. Ghisingh and U. Mary Sharma, "A Study on the Cyber-Crime and Cyber Criminals: A Global Problem," in International Journal of Web Technology, India, 2014.
[3] Department of Energy USA, "Cybersecurity Capability Maturity Model," Department of Energy USA, Washington DC, 2019.
[4] N. T. Le and D. B. Hoang, "Can maturity models support cyber security?," in IEEE, 2016.
[5] T. SysSec, The Red Book: A Roadmap for Systems Security Research, The SysSec Consortium, 2013.
[6] R. Reid and J. V. Niekerk, "From Information Security to Cyber Security Cultures," Port Elizabeth, 2014.
[7] J. Allen and D. N. Mehravari, "How to Be a Better Consumer of Security Maturity Models," Carnegie Mellon University, 2014.
[8] P. Curtis, N. Mehravari and J. Stevens, "Cybersecurity Capability Maturity Model for Information Technology Services (C2M2 for IT Services), Version 1.0," Carnegie Mellon University, 2015.
[9] A. B. Starman, "The case study as a type of qualitative research," in Journal of Contemporary Educational Studies, 2013.
[10] J. Jang-Jaccard and S. Nepal, "A survey of emerging threats in cybersecurity," in Journal of Computer and System Sciences, 2014.
[11] L. M. Applegate, R. D. Austin and D. L. Soule, Corporate Information Strategy and Management: Text and Cases, Eighth Edition, New York: McGraw-Hill/Irwin, 2009.
[12] O. o. P. M. U. States, "Strategic Requirement for Cybersecurity," 2017.
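The roll-up rule stated in Section III (every MIL is a prerequisite for the next, and MIL0 means MIL1 was not achieved) can be applied mechanically to the control results of Table I. The Python code below is an added example, not part of the paper: the function names are hypothetical, and treating a level with no practices as "Not defined" and skipping it is an assumption chosen to match Table II.

```python
# Added example (not from the paper): C2M2 MIL roll-up over Table I.
IMPL, PART, NONE = "Implemented", "Partially Implemented", "Not Implemented"

# Table I transcribed: objective -> MIL -> {control: result}.
# Management Activities has no MIL1 practices, hence the empty dict.
TABLE_I = {
    "Assign Cybersecurity Responsibilities": {
        1: {"Q1": IMPL, "Q2": IMPL},
        2: {"Q3": IMPL, "Q4": IMPL},
        3: {"Q5": PART, "Q6": IMPL},
    },
    "Develop Cybersecurity Workforce": {
        1: {"Q1": IMPL, "Q2": PART},
        2: {"Q3": IMPL, "Q4": IMPL},
        3: {"Q5": NONE, "Q6": IMPL},
    },
    "Implement Workforce Controls": {
        1: {"Q1": PART, "Q2": PART},
        2: {"Q3": IMPL, "Q4": NONE},
        3: {"Q5": PART, "Q6": IMPL},
    },
    "Increase Cybersecurity Awareness": {
        1: {"Q1": IMPL},
        2: {"Q2": IMPL, "Q3": IMPL},
        3: {"Q4": IMPL, "Q5": NONE},
    },
    "Management Activities": {
        1: {},
        2: {"Q1": IMPL, "Q2": PART, "Q3": IMPL, "Q4": IMPL},
        3: {"Q5": IMPL, "Q6": IMPL, "Q7": IMPL},
    },
}


def level_status(controls):
    """A level is achieved only if every control is fully implemented."""
    if not controls:
        return "Not defined"
    fully = all(result == IMPL for result in controls.values())
    return "Achieved" if fully else "Not Achieved"


def final_mil(levels):
    """Highest MIL reached with every lower defined MIL also achieved."""
    reached = 0
    for mil in sorted(levels):
        status = level_status(levels[mil])
        if status == "Not defined":
            continue  # assumption: an empty level neither counts nor blocks
        if status == "Not Achieved":
            break     # prerequisite rule: nothing above this level counts
        reached = mil
    return reached


def next_level_blockers(levels):
    """Lowest MIL with gaps, and the controls that keep it from being achieved."""
    for mil in sorted(levels):
        gaps = [q for q, result in levels[mil].items() if result != IMPL]
        if gaps:
            return mil, gaps
    return None, []


def stranded_levels(levels):
    """Levels fully implemented but not credited because a lower MIL failed."""
    top = final_mil(levels)
    return [m for m in sorted(levels)
            if m > top and level_status(levels[m]) == "Achieved"]


def summarize(table=TABLE_I):
    rows = []
    for objective, levels in table.items():
        blocked_at, gaps = next_level_blockers(levels)
        rows.append({
            "objective": objective,
            "status": [level_status(levels[m]) for m in sorted(levels)],
            "final_mil": final_mil(levels),
            "blocked_at": blocked_at,
            "blockers": gaps,
            "stranded": stranded_levels(levels),
        })
    return rows


if __name__ == "__main__":
    for row in summarize():
        print(f"{row['objective']}: MIL {row['final_mil']}, "
              f"blocked at MIL {row['blocked_at']} by {row['blockers']}, "
              f"uncredited levels {row['stranded']}")
```

The `stranded` column makes the cost of the prerequisite rule visible: Develop Cybersecurity Workforce and Management Activities each hold a fully implemented higher level that earns no credit until a single partially implemented Q2 is closed.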
