An Assessment Model to Improve National Cyber Security Governance

Unal Tatar 1, Bilge Karabacak 2 and Adrian Gheorghe 1
1 Engineering Management and Systems Engineering Department, Old Dominion University, Norfolk, USA
2 Graduate School of Informatics, Middle East Technical University, Ankara, Turkey
utatar@odu.edu
bilgek@gmail.com
agheorgh@odu.edu

Abstract: Today, cyber space has been embraced by individuals, organizations and nations as an indispensable instrument of daily life. Accordingly, the impact of cyber threats has been increasing continuously. Critical infrastructure protection and fighting against cyber threats are crucial elements of the national security agendas of governments. In this regard, governments need to assess the roles and responsibilities of public and private organizations in order to identify the problems of their current cyber protection postures and to respond by reorganizing and reauthorizing these postures. A risk management approach is critical in placing these efforts in an ongoing lifecycle process. In this paper, a model is proposed for use in national cyber security risk management processes. We argue that this model simplifies and streamlines national risk management processes. For this purpose, a matrix is created to partition the problem space. Cyber threat detection and response activities constitute one dimension of the matrix. The second dimension divides the timeline of cyber incidents into three phases: before, during and after incidents. The resulting matrix is then populated with the responsible bodies that need to address each case. As a result, a national cyber security responsibility model is proposed for policy/decision makers and academics. We believe that the proposed model would be useful for governments in analyzing their national responsibility distribution to address gaps and conflicts in their current cyber security postures, and for academics in analyzing national cyber security systems and in comparative studies.
Keywords: national security, national governance, national cyber security roles and responsibilities, cyber thresholds, risk analysis, risk management

1. Introduction

Critical infrastructures are vital assets whose destruction or impairment would cause loss of life, damage to the economy, and/or debilitation of national security (USA 2001). For the proper maintenance and operation of the national economy, public order and national security, critical infrastructures must be protected against physical and cyber threats in accordance with certain strategies, policies and procedures. Today, cyber systems are extensively utilized in the operation of critical infrastructures. In addition to the finance and telecommunications infrastructures that have long been integrated with information technologies, infrastructures such as smart electric networks, transportation systems and intercity gas distribution systems, which are operated entirely by remote control, are now also part of our lives. News about cyber-attacks against nuclear plants, electric networks, sewerage systems, flight control systems and seaports is easy to find (Farwell & Rohozinski 2011; Condron 2007). The intensive use of cyber systems in critical infrastructures obliges countries to develop effective methods of defending against cyber-attacks. In this context, developed countries have begun to treat critical infrastructure protection efforts as a subset of high-level national security studies, and to carry out their arrangements, studies and audit mechanisms accordingly (Harrop & Matteson 2013). This article concentrates on two issues in countries' effective fight against cyber threats: the threshold-based risk management approach, and the roles and responsibilities matrix. The propositions regarding these issues are anticipated to contribute to programs for the protection of critical infrastructures, already seen as a subset of national security studies.
The second part of the article is the literature review, which summarizes the concept of the threshold level in cyber security, the concept of risk management, and the challenges in fighting against cyber threats. The third part is dedicated to the problem statement, and the fourth part covers the proposed model, which includes the roles and responsibilities matrix. The fifth and sixth parts of the article are the evaluation and future work, respectively.