Critical Success Factors Towards Performance of Critical National Infrastructure in Malaysia
This study evaluates the current practices of owners and operators of Critical National Infrastructure (CNI) installations throughout Malaysia, so that owners and operators adopt best practice to protect CNI from security threats and sustain the best performance. Previously, no study has focused on success factors as guidelines for CNI owners and operators in managing their own installations. The aim of this research is to identify the priority of key success factors towards the performance of CNI installations in Malaysia, focusing on three of the thirteen CNI sectors: water supply, telecommunication and power electricity. The other ten sectors are waterworks, finance, transportation, broadcasting, oil, gas, chemical, radiation, weaponry and security printing. Because of the high dependency among these three sectors and their importance to national security and resilience, this study identifies what matters most in managing a CNI installation. The main research model includes four key success factors: CNI owners’ and operators’ commitment, business continuity management, physical security protection and partnership (dependency/interdependency) towards the performance of CNI. The data were collected by questionnaire and analyzed with SPSS software using mean analysis, Pearson correlation and multiple regression. The mean analysis highlights the current performance of CNI. The Pearson correlation examines the relationship of the four success factors with CNI performance, and the multiple regression suggests that owners’ and operators’ commitment is the most critical success factor for maintaining good performance in their own CNI installations. This research also discusses the significant implications for CNI owners’ and operators’ daily practices and for policy that can improve the security and resilience performance of CNI as a whole.
Bissmillahirrahmanirrahim, Alhamdulillahirobbilalamin. I am greatly thankful to Allah S.W.T for everything and for giving me the opportunity, strength and rahmah to finally complete this research. This research was prepared for the Faculty of Administrative Science and Policy Studies, Universiti Teknologi Mara (UiTM), for students of the Executive Master Administrative Science (EMAS) program.
Firstly, I would like to extend my deepest gratitude to Associate Professor Dr. Jasmine binti Ahmad, my great supervisor, who always gave full support and guidance to help me accomplish my research. I would also like to thank Professor Hazman Shah Abdullah for his guidance during the preparation of my research proposal. My sincerest thanks go to my Deputy Director General (Operation Sector), Mr. Capt. Rusli bin Abd Rahman (rtd.), PCIP, my mentor, for teaching me about the importance of CNI protection and resilience. I also wish to extend my thanks to my classmates, interviewees and the people who gave me very good cooperation during this work.
Very special thanks to my parents and my family, especially my wife, for her spirit, encouragement, patience, constructive suggestions and full support during the completion of my research.
Finally, thank you to my department, the Chief Government Security Office (CGSO), Prime Minister Department, as the Secretariat of Critical National Infrastructure, for giving me the opportunity and support.
TABLE OF CONTENTS
CONFIRMATION BY PANEL EXAMINERS
AUTHOR’S DECLARATION
TABLE OF CONTENT
LIST OF TABLES
LIST OF FIGURES
LIST OF ABBREVIATION
CHAPTER ONE: INTRODUCTION
1.1 Introduction
1.2 Problem Statement
1.3 Research Questions
1.4 Research Objectives
1.5 Scope of Study
1.6 Significance of the Proposed Study
1.7 Definition of Terms, Terminology and Concepts
CHAPTER TWO: LITERATURE REVIEW
2.1 Background of Critical National Infrastructure (CNI)
2.1.1 Malaysia Perspective on Critical National Infrastructure
2.1.2 United States Views about Critical Infrastructure Protection
2.1.3 Critical Infrastructure protection in Netherlands
2.1.4 Australia Critical Infrastructure Protection
2.1.5 Canada View About Critical Infrastructure Protection
2.1.6 South African Key point or Critical Infrastructure Protection
2.2 Critical Success Factor for CNI Performance
2.2.1 Owners and Operator’s Commitment
2.2.2 Business Continuity Management
2.2.3 Physical Security Management
2.2.4 Partnership
2.3 Gaps in The Research
2.4 Review of Critical Success factors or Key Success Factors In General
2.5 Conceptual Framework
2.6 Hypothesis
2.7 Summary
CHAPTER THREE: RESEARCH METHODOLOGY
- Introduction
- Research Design
- Unit of Analysis
- Sample Size
- Sampling Technique
- Measurement /Instrumentation of Variables
- Data Collection
- Pilot Test
- Reliability Test
- Data Analysis
CHAPTER FOUR: FINDINGS AND ANALYSIS
4.1 Introduction
4.2 Data Screening and Cleaning
4.3 Data Reduction and Factoring
4.4 Test of Data Accuracy
4.4.1 Reliability Test
4.4.2 Normality Test
4.4.3 Data Outlier
4.5 Testing The Assumption of Multicollinearity and Singularity, Assessing Linearity, Normality and Homoscedasticity
4.6 Demographic Profile of Respondents
4.7 Data Analysis by Objectives
4.8 Summary of Findings
CHAPTER FIVE: DISCUSSION AND CONCLUSION
5.1 Introduction
5.2 Mains Findings Revisited
5.3 Recommendation to Increase the Level of Performance of Critical National Infrastructure
5.4 Research Implications
5.5 Limitations and Suggestions for Future Research
5.6 Conclusion
REFERENCES
LIST OF TABLES
Table 2.1 CNI Sectors in Malaysia
Table 2.2 CNI Central Committee Structure
Table 2.3 CNI State Committee Structure
Table 2.4 CNI Inspection Team
Table 2.5 CNI State Inspection Team
Table 2.6 U.S 16 Sectors of Critical Infrastructure
Table 2.7 Netherlands 11 Sectors of Critical Infrastructure
Table 2.8 Australia 8 Sectors of Critical Infrastructure
Table 2.9 Canada 10 Sectors of Critical Infrastructure
Table 3.1 Statistic of Population Sampling in 3 Sectors
Table 3.2 Measurement of Questionnaire
Table 3.3 Reliability Test Analysis
Table 4.1 Structure Matrix
Table 4.2 KMO and Bartlett’s Test
Table 4.3 Summary of Cronbach’s Alpha of the 5 Factors
Table 4.4 Summarized of Skewness and Kurtosis of the 5 Variables
Table 4.5 Frequency Table for Profile Respondents
Table 4.6 Mean Value for CNI Performance
Table 4.7 Pearson Correlation
Table 4.8 Model Summary
LIST OF FIGURES
Figure 2.1 Secretariat of CNI Central Committee Website – Chief Government Security Office
Figure 2.2 U.S Critical Infrastructure Website – Department of Homeland Security
Figure 2.3 Australia Critical Infrastructure Website – Attorney-General’s Department
Figure 2.4 Canada Critical Infrastructure Website – Public Safety Canada
Figure 2.5 Canada Implement an All-Hazards Risk Management Approach
Figure 2.6 The National Plan’s Approach to Building and Sustaining Unity of Effort
Figure 2.7 U.S Sector and Cross-Sector Coordinating Structures
Figure 2.8 The Complex Web (High and Total) Dependencies and Interdependencies
Figure 2.9 Conceptual Framework
Figure 5.1 Critical Success factors based on Rank
LIST OF ABBREVIATION/ NOMENCLATURE
AGD Attorney-General’s Department
ATSP Arahan Tetap Sasaran Penting
CGSO Chief Government Security Office
CNI Critical National Infrastructure
CNII Critical National Information Infrastructure
CIP Critical Infrastructure Protection
CI Critical Infrastructure
CSFs Critical Success Factors
DHS Department of Homeland Security
EO Executive Order
GAO General Accounting Office
I.S Islamic State
ICT Information and Communication Technology
ICS Industrial Control Systems
ISASc Information Sharing and Analysis Centre
ISMS Information Security Management System
ISO International Standard Organization
JPSP Jawatankuasa Pusat Sasaran Penting
JSPN Jawatankuasa Sasaran Penting Negeri
NIPP National Infrastructure Protection Plan
NPPD National Protection and Programs Directorate
PCCIP President’s Commission on Critical Infrastructure Protection
PDDs Presidential Decision Directives
PSC Public Safety Canada
OECD Organization for Economic Cooperation and Development
R2K Right to Know
SCADA Supervisory Control and Data Acquisition
TNSP Tim Naziran Sasaran Penting
1.1 RESEARCH BACKGROUND
Natural disasters such as floods, droughts, earthquakes and cyclones threaten the security and safety of critical infrastructure. Apart from that, incidents and threats, especially from terrorist groups like Abu Sayyaf, Daesh and Islamic State (I.S), underline the importance of key success factors for Critical National Infrastructure (CNI) owners and operators. Every nation, especially the developed countries, is studying critical infrastructure protection seriously.
In Malaysia, CNI, also called key points, are installations that are vital to the nation. These installations provide the essential products and services that underpin Malaysian society and serve as the backbone of our economy, national security, government image and public confidence. If the functions of critical national infrastructure are completely or partly destroyed, it will affect the economy, defense and national security and may also tarnish the government’s image (CNI Standing Order, 1993).
We have electricity to use in our homes and water for drinking, and we rely on telecommunication all the time to stay in touch with family and friends and even for office work. These products and services are supplied by installations called CNI. For example, for the electricity supply, power is first generated by a power plant (from 30MW to max 4100MW) and then carried through transmission lines to the substation (from 11kV to 500kV). From the substation, low voltage electricity (kWh) is distributed to homes, offices and factories for lighting and power appliances. All these processes involve infrastructure that is critical to our daily routine. If this critical infrastructure were damaged or malfunctioned, it would affect the government’s image, especially through its impact on public confidence, individuals and businesses. In the context of securing public harmony and security, it is very important to ensure that CNI products and services are always available and reliable to the nation.
Every day, we use the products and services of critical national infrastructure in our daily activities. Any disruption to these products or services will affect a lot of people. People will keep complaining to the providers if there is no electricity or water supply. Moreover, just imagine if an electricity and water disruption happened in the Greater Kuala Lumpur area, the most critical area for business and investment for the nation’s development. The reliance on these products and services is ever more critical to the nation. Permanent or temporary loss of these products and services will have a negative impact across sectors that depend on each other. That is why CNI or Critical Infrastructure (CI) is very important for developed nations such as the United States (U.S), Australia, United Kingdom, Canada, the Netherlands and South Africa, which allocate large budgets to this sector.
However, critical infrastructures are vulnerable and can be damaged, destroyed or disrupted by breakdowns, negligence, natural disasters, accidents, cyber incidents, illegal criminal activity and malicious damage. These possibilities, among other reasons, drive the need to protect the continuity of supply against such hazards and threats. Ensuring the continuity of supply has become the aim of government policy and of infrastructure providers and operators, through identifying and implementing improved security, protective safeguards and analysis in response to the identified threats, vulnerabilities and weaknesses (Scott, 2005; Bentley, 2006).
Securing CNI by focusing on success factors is very important, both as preventive action and as a contingency plan when any disaster, damage or disruption occurs in a CNI installation. Owners and operators of CNI should emphasize the success factors in order to maintain good performance at each installation. Success factors provide guidelines and focus on how owners and operators can manage CNI better and lead to best practices.
The purpose of this research is to highlight the main success factor that can become a reference for CNI providers and help the government, through the CNI committee, to protect CNI and minimize the impact of any disaster, damage or disruption. It is also hoped that the findings of this research will (i) help the CNI committee identify the best method to protect CNI, (ii) educate owners and operators about the importance of protecting CNI in terms of national security apart from their business priorities, and (iii) minimize the impact on CNI when contingency plans and preventive measures are taken earlier.
To increase and maintain effective management by CNI owners and operators, this study focuses on the success factors that owners and operators are most likely to be able to implement and focus on when preserving their CNI performance. To maintain good CNI performance, this study suggests the four success factors listed below:
- owner’s and operator’s commitment;
- business continuity management;
- physical security protection; and
- partnership (dependency and interdependency).
CNI management needs to perform well in managing all the assets in its installation. Commitment from all areas in each CNI is imperative, and the response from personnel at every level, from the lowest to the highest, is important. A few incidents have happened in CNI because of a lack of attention and commitment towards security awareness. The target of the CSFs is to ensure that owners and operators maintain compliance with the CNI Standing Order, in order to minimize incidents or impacts that can affect product and service delivery.
1.2 PROBLEM STATEMENT
One of the challenges in CNI is to ensure that the CNI installation is free from security threats. If there are any security threats, immediate action has to be taken to warn and alert the CNI installation community. The government, through the cabinet, approved the CNI Standing Order or Arahan Tetap Sasaran Penting (ATSP) on October 13, 1993, as the government was aware of the importance of CNI protection to the country. Apart from its impact on national security, CNI is also very important in ensuring that products and services are delivered and reach the people (rakyat), customers and stakeholders. For example, in the case of electricity supply, CNI installations for power generation, transmission and distribution must be functional all the time. The Tenaga Nasional Berhad (TNB) goal that ‘customer cannot be affected’ shows the importance of CNI to the country.
The history of widespread power shortage in Peninsular Malaysia began at 17:17 on 3rd August 1996. States in Peninsular Malaysia, including Kuala Lumpur, Selangor, Putrajaya, Johor, Melaka and Negeri Sembilan, lost power for several hours. A transmission line near Sultan Ismail Power Station in Paka, Terengganu tripped at 5:17pm, causing all power stations in Peninsular Malaysia to collapse and resulting in a massive power failure. Supply was back to normal around 11pm (The Star, 2009). From an economic viewpoint, this incident affected customers and stakeholders and reduced the confidence of investors at that time. Furthermore, the image of the government was also tarnished by this incident, which left many Malaysians, especially in Peninsular Malaysia, without power supply for 6 hours.
Security threats to CNI caused by sabotage can destroy and damage a CNI installation. In a recent case, news that the Islamic State (IS) group had planned to attack Malaysia, especially the Putrajaya Government Administrative Centre and the Palace of Justice at Putrajaya, shocked the citizens of Malaysia (AgendaDaily, 2015). This issue is considered very dangerous, especially as IS might attack CNI installations. As the issue arose, the CNI committee, through the Ministry of Home Affairs General Secretary as the CNI chairman, issued a circular on the action that CNI owners need to take to protect their installations from the IS threat.
Poor management of CNI will have a very severe impact on the nation. Leadership is very important in understanding the security needs and requirements of a CNI installation. In some cases, owners/operators of CNI installations such as microwave stations did not follow the rules and advice given by the Federal and State Inspection Teams. Since 2011, many findings from four (4) states (Kelantan, Pulau Pinang, Kedah and Terengganu) have been reported, but the owners/operators took no action to rectify the problems (CNI Secretariat Discussion Minute, 2015). This shows that some CNI owners take the security of their own installations for granted. The Manager or Security Officer in each CNI installation should give more attention to improving and enhancing CNI protection. The owners/operators of a CNI installation must make their officers and staff aware of the importance of CNI. Otherwise, they will never know how vital CNI is to the country. In fact, an incident can have a huge impact on the area of the installation and in some serious situations can even cause death.
The CNI committee meets quarterly to review the policies on CNI development with regard to national security, the economy, defense and the country’s image. It also assists CNI in overcoming security threats in line with the current situation (CNI Central Committee Minute Meeting, 2015). Maintaining the physical security of an installation may reduce threats to security and safety. Physical security is also very important as the first line of defense to deter, delay and detect any security threat to the CNI installation, such as a militant attack, bombing or natural disaster. But some owners and operators have ignored the importance of physical security requirements. Sadly, some owners/operators do not maintain the physical security of their CNI installations to reduce the impact on the CNI itself and on national security. The scope of physical security is very wide: it covers maintaining the CNI so that the impact on the installation is minimal if any incident happens. The CNI Standing Order (1993), Attachment D1, sets out all the physical security measures that should be followed and practiced by the owner of a CNI installation, for both Priority I and Priority II.
Another issue is that owners and operators do not review their Business Continuity Management (BCM). BCM must be reviewed all the time, in line with current threats and situations. Some owners and operators prepare the BCM only for the sake of security audits, neglecting the long-term action that should be taken during a crisis or malfunction. They also do not engage with the community by raising awareness of the safety measures to take if a disaster happens at their CNI installation and of the possibility of death. These issues reflect poor management and are a bad sign for national security.
Nowadays, the growth of technology makes systems easy to handle and control. Most CNI systems use automated control systems. Supervisory Control and Data Acquisition (SCADA) is one of the technologies that controls the whole system in a CNI installation using an Industrial Control System (ICS). Owners and operators rely on SCADA systems to control the input and output of their products and services. For example, the National Load Despatch Center (NLDC) is the nerve center that controls the whole electricity system in Peninsular Malaysia using SCADA. The function of the NLDC is to ensure that the supply and demand of electricity are always in balance within the 50Hz level. If this system is attacked or hacked by cyber troopers, it will lead to cascading failure in the national power grid.
Cyber-attack is one of the main threats that can destroy or disrupt CNI functions. Cyber-attacks can damage or destroy vital equipment such as transformers, boilers and turbines (Weiss, 2015). Good management is essential to keep CNI performance in good condition. Good and effective management will ensure that CNI products and services are always delivered to customers and stakeholders without failure.
1.3 RESEARCH QUESTIONS
The research objectives are to ensure that the success factors can contribute to and help CNI owners and operators with the performance of CNI. The research questions are as below:
1.3.1 What is the level of performance of CNI?
1.3.2 What is the relationship between owners’ and operators’ commitment, business continuity management, physical security protection and partnership and the performance of CNI?
1.3.3 What is the most critical factor towards performance of CNI?
1.4 RESEARCH OBJECTIVES
The objectives of this study are:
1.4.1 To measure the level of performance of CNI;
1.4.2 To analyze the relationship between owners’ and operators’ commitment, business continuity management, physical security protection and partnership and the performance of CNI;
1.4.3 To examine the most critical factor towards performance of CNI.
1.5 SCOPE OF STUDY
The excellent performance of a CNI installation depends on the commitment of the owners and operators to the list of critical success factors. The current and previous situation leads to the exact figure to describe the objective of the study. The sample is 201 CNI owners and operators, comprising CNI installations from the water sector (water treatment plants and dams), the power electricity sector and the telecommunication sector.
1.6 SIGNIFICANCE OF THE PROPOSED STUDY
This study serves as a benchmark and practical guidelines for the owners and operators of CNI installations in all 13 CNI sectors. The outcomes of the study help CNI owners and operators to enhance the management and performance of CNI installations by looking at the four main critical success factors. Apart from that, this study helps CNI owners and operators to identify their strengths, weaknesses, opportunities and threats in order to face current and new security threats. The success factors then become the benchmark for all 495 CNI installations throughout Malaysia. If the result gives a high score for the dependency between the critical success factors and performance, it is good for the national agenda of ensuring CNI protection and resilience for national security and public confidence. If the result shows a high score, top management will maintain and relate the critical success factors to the level of performance of CNI installations. On the contrary, if the result shows a low score, CNI owners or operators will rectify the problem and find other success factors that correlate with the performance of CNI.
1.7 DEFINITION OF TERMS, TERMINOLOGY AND CONCEPTS
Critical National Infrastructure (CNI), or Key Points, are installations that are vital to the nation. Any form of destruction, disruption or malfunction has a great impact on the economy, defense and national security and may also tarnish the government’s reputation.
The CNI committee is the committee that reviews the policies on CNI development with regard to national security, the economy, defense and the country’s image. It also assists CNI in overcoming security threats in line with the current situation.
Critical Infrastructure is an installation with the same function as CNI in Malaysia; this term is widely used internationally.
Critical Infrastructure Protection is the way forward for all countries to take any necessary and immediate action towards critical infrastructure resilience.
Owner is the government or private-sector entity that owns and is responsible for the CNI installation.
Operator is the person who occupies the CNI installation or has charge of, maintains, manages or controls it, either on their own account or as agent for another person.
Owners and Operators Commitment is the responsibility and accountability to take security measures and to maintain and operate the security and safety of their own CNI installation, to ensure that CNI products and services are always available to the nation.
Business Continuity Management is defined as a holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.
Physical Security Protection is defined as the methods that owners and operators should apply to deter, detect, delay and respond in order to protect the CNI installation.
Partnership is the dependency and interdependency, through cooperation, information sharing and intelligence sharing, among the government, private sector, NGOs, owners and operators to increase CNI protection and resilience.
CHAPTER TWO: LITERATURE REVIEW
The purpose of this chapter is to develop a basic theoretical foundation and understanding of the issues pertaining to the research questions and aims stated in Section 1.3. This chapter explains the following ideas:
- Background of Critical National Infrastructure (Section 2.1)
- Critical Success Factors for CNI Performance: (i) owners’ and operators’ commitment, (ii) business continuity management, (iii) physical security protection, (iv) partnership (dependency & interdependency) (Section 2.2)
- Gaps in The Research (Section 2.3)
- Review of Critical Success Factors or Key Success Factors in General (Section 2.4)
- Conceptual Framework (Section 2.5)
- Summary (Section 2.6)
2.1 BACKGROUND OF CRITICAL NATIONAL INFRASTRUCTURE (CNI)
In this section, the background of CNI is discussed from various perspectives:
- Malaysia Perspective on Critical National Infrastructure (Section 2.1.1)
- United States (U.S) views about critical infrastructure protection (Section 2.1.2)
- Critical infrastructure protection in Netherlands (Section 2.1.3)
- Australian critical infrastructure protection (Section 2.1.4)
- Canada views about critical infrastructure (Section 2.1.5)
- South African key point (Section 2.1.6)
2.1.1 Malaysia Perspective on Critical National Infrastructure
The Malaysian government is very concerned about CNI protection, in order to protect the infrastructure from espionage, sabotage and terrorism. From 1955 until 1989, the government took many actions to protect CNI or key points from sabotage by the Malayan Communist Party (PKM). Most of the CNI facilities that could attract PKM espionage and sabotage activity were listed as critical infrastructure and protected by law under the Protected Areas and Protected Places Act 1959 (Act 298). Now, with current and new threats such as Abu Sayyaf in Sabah and Sarawak and Islamic State (I.S) or Daesh militants, the Malaysian government has increased its efforts to ensure that critical infrastructure across the sectors is always ready to carry out protection plans against man-made threats such as bombing and natural threats such as flood, drought, cyclone and earthquake.
The CNI Standing Order (1993, p.2) interprets Critical National Infrastructure or Key Point as “any installations whereby its product and services is very vital and if any damage or destroy or disruption will cause huge lost to the economy, defense or national security or affect the government’s function and national image”. Damage, destruction or disruption that stops the function of an installation will have a bad impact on the nation, especially where other infrastructure depends on it. Besides that, the government’s image is also affected when there is no water supply, electricity or telecommunication, which the public uses every day.
CNI are divided into two categories, Priority (I) and Priority (II). (a) Priority (I) is a CNI installation for which there is no alternative or option: if its products and services are lost or it suffers severe damage, this would impair the national economy, national security, national defense and image or the due functioning of the government. (b) Priority (II) is a CNI installation whose products and services have an alternative but are difficult to replace; if the products and services are lost or severely damaged, this would impair the national economy, national security, national defense and image or the due functioning of the government (CNI Standing Order, 1993).
The cost of replacing an installation is high, and the cost of the losses if the installation no longer functions is also high. For example, the function of the Pedu Dam in Kedah is to irrigate all paddy areas in Kedah and Perlis. The water supply from the dam ensures that 40 percent of national rice production meets the target of the government’s agricultural policy. If Pedu Dam is not functioning, it will have a serious impact on the nation, especially on the public, who are the main consumers of rice, and at the same time will tarnish the government’s image. Furthermore, the cost of repairing the dam is very high and the repair would take 3-5 years.
Table 2.1: CNI Sectors in Malaysia
|No.||Sector||Vital products or service|
|1.||Electricity Power||Power plant; Hydro power plant|
|2.||Telecommunication||Permanent telecom infrastructure (e.g. POTS, leased lines, microwave links), Mobile telecommunication, Radio communication and navigation; Internet-infrastructure and access|
|3.||Water Supply||Water Dams; Water treatment plant|
|5.||Finance||Central Bank of Malaysia|
| || ||Immigration, Customs, Quarantine and Security Complex (ICQS); Ports & Shipping|
|9.||Gas||Natural Gas Depot Terminal|
|12.||Weaponry||Manufacturing and marketing of ordnance|
|13.||Security Printing||Classified map and bank note|
CNI consists of thirteen sectors whose assets, systems and networks, whether physical or virtual, are vital to the nation. The sectors are identified in Table 2.1.
The federal government, state governments and the private sector work together to maintain the level of CNI performance. A committee appointed by the Prime Minister to oversee CNI, called the CNI Central Committee (Jawatankuasa Pusat Sasaran Penting), is chaired by the Secretary General of the Ministry of Home Affairs in the Federal Administration. The State Secretary in the State Administration is the chairman of the CNI State Committee (Jawatankuasa Sasaran Penting Negeri). Both the federal and state CNI committees are responsible for preserving, maintaining and enhancing the security facilities of all installations. The objective is to ensure that the products and services of each CNI installation are always available to consumers. The CNI committee creates policy and gives directives to CNI owners and operators on compliance with security measures and on developing the management of CNI performance in accordance with current demands and protection needs (CNI Standing Order, 1993). Table 2.2 shows the structure.
CNI Central Committee structure
|CNI Central Committee (JPSP)|
Ministry of Home Affairs
|Chief of Staff
Malaysia Armed Forces
Department of Internal Public Security and Order, Royal Malaysian Police
Special Branch, Royal Malaysian Police
National Security Council
Chief Government Security Office
|Department of Immigration
Department of Civil Aviation
Royal Malaysian Customs Department
Malaysia Maritime Enforcement Agency
Malaysia Communication & Multimedia Commission
CNI State Committee structure
|CNI State Committee (JSPN)|
|Chief of State Division Army
Malaysia Armed Forces
|Chief of State Police
Royal Malaysian Police
|Special Branch, Royal Malaysian Police||Members|
National Security Council
Chief Government Security Office
|Fire and Rescue Department of Malaysia
National Disaster Management Agency
The federal committee meets three times a year and the state committee meets quarterly (CNI Central Committee Minute Meeting No.2, 2015). The CNI meeting presents and discusses papers consisting of (i) consideration papers for newly listed CNI, (ii) consideration papers for changes of CNI priority status, (iii) papers to inform on issues in CNI and (iv) papers for consideration of development near a CNI installation that could have an impact on the CNI's products or services.
CNI Inspection Team
|CNI Inspection Team (Tim Naziran Sasaran Penting)|
|Director General of CGSO||Chairman|
|National Security Council||Members|
|Malaysia Armed Forces||Members|
|Special Branch, Royal Malaysian Police||Members|
|Policing and Border Security Department, MOHA||Members|
|Malaysia Communication & Multimedia Commission||Members|
|Key point Division, CGSO||Secretariat|
Apart from that, under both committees, an inspection team was formed to help the committee with security audits of every CNI installation. The inspection team was designated to ensure that all the policies, rules and regulations set by the CNI Central Committee are complied with. The CNI Inspection Team (Tim Naziran Sasaran Penting) comprises the members listed in Table 2.4.
A state inspection team was also formed to help the committee with security audits, to ensure that every CNI installation complies with what has been set by the CNI State Committee. The CNI State Inspection Team (Jawatankuasa Kecil Pemeriksaan Keselamatan Sasaran Penting) comprises the members below:
CNI State Inspection Team
|CNI State Inspection Team|
|State Director of CGSO||Chairman|
|National Security Council||Members|
|Malaysia Armed Forces||Members|
|Special Branch, Royal Malaysian Police||Members|
|Fire and Rescue Department of Malaysia||Members|
|National Disaster Management Agency||Members|
|CGSO State Security Officer||Secretariat|
The main policies, rules and regulations are set out in the CNI Standing Order, which was approved by Cabinet on October 13, 1993. This standing order consists of six chapters that serve as a reference for all CNI owners and operators. The CNI committee may issue additional rules, regulations, references and guidelines from time to time in order to protect CNI installations.
The vulnerable points include any part or area related to the CNI installation where any incident or damage would affect the functions of the CNI itself. Sometimes the vulnerable points are located outside the CNI installation (CNI Standing Order, 1993).
The Government of Malaysia gives CGSO the responsibility of acting as Secretariat of the CNI Central and State Committees. Approval from the government security officer must be sought before any action is taken that is not stated in the CNI Standing Order (CNI Standing Order, 1993, p.9).
Figure 2.1: Secretariat of CNI Central Committee Website – Chief Government Security Office, Prime Minister Department
2.1.2 United States (U.S) views about Critical Infrastructure Protection
The United States has recognized the importance of Critical Infrastructure Protection (CIP) since the era of President Bill Clinton. It started when the President’s Commission on Critical Infrastructure Protection (PCCIP) was set up under the Clinton administration through Executive Order 13010, which states the following:
“Certain national infrastructures are so vital that their incapacity or destruction would have a debilitating impact on the defense or economic security of the United States. These critical infrastructures include telecommunications, electrical power systems, gas and oil storage and transportation, banking and finance, transportation, water supply systems, emergency services (including medical, police, fire, and rescue), and continuity of government. Threats to these critical infrastructures fall into two categories: physical threats to tangible property (“physical threats”), and threats of electronic, radiofrequency, or computer-based attacks on the information or communications components that control critical infrastructures (“cyber threats”). Because many of these critical infrastructures are owned and operated by the private sector, it is essential that the government and private sector work together to develop a strategy for protecting them and assuring their continued operation.”
(Clinton, 1996, p. 37347)
Fisher (2013) notes in his study that defining “infrastructure” has become a challenging task during the past two decades owing to its complexity and importance to our nation’s security. Presidential Decision Directives (PDDs), executive orders, and legislative acts have all expanded on the basic definition first used by President Roosevelt during World War II. During the 1990s, the focus shifted from “infrastructure adequacy” to “infrastructure protection.”
“President Clinton’s Executive Order 13010, issued on July 15, 1996, and established the CIP, defined “infrastructure” as the framework of interdependent networks and systems comprising identifiable industries, institutions (including people and procedures), and distribution capabilities that provide a reliable flow of products and services essential to the defense and economic security of the United States, the smooth functioning of government at all levels, and society as a whole.”
(Clinton, 1996, p. 37347)
Hemme (2015) argues that critical infrastructure protection is typically only addressed after a major disaster or catastrophe, owing to the extreme scrutiny that follows these events. Critical infrastructure protection has been addressed repeatedly since Presidential Decision Directive Sixty-Three (PDD Sixty-Three) was signed by President Bill Clinton on May Twenty-Second, 1998. This directive highlighted critical infrastructure as “a growing potential vulnerability” and recognized that the United States has to view the U.S. national infrastructure from a security perspective due to its importance to national and economic security.
Looking back to 2001, the terrorist attacks that happened in the country shocked the world. On September 11, 2001, an estimated nearly 3,000 people were killed, 400 of them police officers and firefighters, in the terrorist attacks on the World Trade Center in NYC, the Pentagon building in Washington, D.C., and in a plane crash near Shanksville, PA (DoSomething.org, 2016). Since the terrorist attacks, the U.S has strengthened critical infrastructure protection against sabotage by terrorists. The terrorist attacks of September 11, 2001, and the subsequent creation of the Department of Homeland Security (DHS), have added a further degree of complexity to this issue (Jackson, 2007).
Within the U.S government, assessments of U.S. critical infrastructure have generally indicated that, up until February 2013, there was no unified effort to protect the interrelated aspects of critical infrastructure because there was no consensus on the interrelationships between sectors. Critical infrastructure protection improved its defense against and awareness of possible threats posed by man-made disasters after the 1995 Oklahoma City bombings, when President Clinton issued Presidential Decision Directive Thirty-Nine, calling for a government-wide evaluation and re-examination of its ability to protect critical infrastructure (Hemme, 2015).
This effort has been taken by the U.S government to ensure the availability of critical infrastructure and the readiness of the nation. Many programs, guidelines and rules have been issued by DHS to ensure that the partnership among government, owners and operators is always aligned with the government’s demand for protection.
The Department of Homeland Security’s National Protection and Programs Directorate (NPPD) Office of Infrastructure Protection leads the coordinated national effort to manage the risks to our Nation’s critical infrastructure. IP acts on behalf of the Secretary of Homeland Security, implementing the national critical infrastructure protection responsibilities set forth in Presidential Policy Directive (PPD) 21: Critical Infrastructure Security and Resilience. PPD-21 and Executive Order (EO) 13636 on Critical Infrastructure Cybersecurity reaffirmed the essential mission of IP in driving resilience across the Nation’s infrastructure (Department of Homeland Security (DHS), 2016).
Critical infrastructure in the U.S is interpreted as any systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters. The U.S has underlined sixteen (16) sectors identified as critical infrastructure, whose products and services are very important to the nation. The critical infrastructure sectors are identified in Table 2.6:
U.S 16 sectors of Critical Infrastructure
|U.S 16 sectors of CI|
|Chemical Sector||Financial Services Sector|
|Commercial Facilities Sector||Communications Sector|
|Critical Manufacturing Sector||Dams Sector|
|Defense Industrial Base Sector||Emergency Services Sector|
|Energy Sector||Food and Agriculture Sector|
|Government Facilities Sector||Healthcare and Public Health Sector|
|Information Technology Sector||Nuclear Reactors, Materials, and Waste Sector|
|Transportation Systems Sector||Water and Wastewater Systems Sector|
At the current level of critical infrastructure protection in the U.S, DHS looks seriously into the complex agenda of preparedness against the I.S and Daesh militant threat. To ensure the full protection of critical infrastructure, DHS has implemented many policies and activities to enhance critical infrastructure resiliency, such as developing the 2015 Sector-Specific Plans and conducting Critical Infrastructure Security and Resilience Month and Critical Infrastructure Vulnerability Assessment and Training. Involvement at all levels, from the public, private sectors, owners and operators, is needed to increase their competency to handle the situation when a disaster, damage or disruption incident happens to critical infrastructure.
The 2015 Sector-Specific Plans established goals and priorities for the sector that address their current risk environment, such as the nexus between cyber and physical security, interdependence between various sectors, risks associated with climate change, aging and outdated infrastructure, and the need to ensure continuity in a workforce that is rapidly approaching retirement. Representing key aspects of national economic and physical security, these sectors include services people rely on every day, like transportation, communication, energy, water, food and agriculture, chemical, financial, healthcare, and other essential services that sustain the economic vitality and a high standard of living for Americans (DHS, 2016).
The U.S is now looking to improve critical infrastructure protection by enhancing the Act related to critical infrastructure. The Critical Infrastructure Protection Act (CIPA) 2015 was passed on May 25, 2015 to protect Americans from electromagnetic pulse and to reduce the vulnerability of critical infrastructure. CIPA directs and empowers DHS to harden and protect our critical infrastructure including power production, generation, and distribution systems (Homeland Security Committee, 2015).
Figure 2.2: U.S Critical Infrastructure Website – Department of Homeland Security
2.1.3 Critical Infrastructure Protection in Netherlands
In the Netherlands, critical infrastructure refers to products, services and the accompanying processes that, in the event of disruption or failure, could cause major social disturbance. This could be in the form of tremendous casualties and severe economic damage. The Netherlands’ critical infrastructure policy refers to infrastructure whose disruption would cause “major social disturbance”, “tremendous loss of life” and “economic damage”. Thus, the word “critical” refers to infrastructure which, if disabled or destroyed, would result in catastrophic and far-reaching damage (Organization for Economic Co-operation and Development (OECD), 2008).
The Netherlands started reconsidering the vulnerability of its critical infrastructure in early 2002. Here, critical infrastructure protection is combined with Critical Infrastructure Information Protection (CIIP), as almost 100 percent of its critical infrastructure depends on such systems. The millennium problem increased the awareness of Dutch owners and operators about the criticality of such important infrastructure. In addition, the 9/11 event influenced the Dutch government to take a comprehensive approach to protecting its CI.
Luiijf, Burger and Klaver (2003) mentioned that some sectors and parts of the Dutch national infrastructure are so essential to the Netherlands that serious disruption or even loss of service could lead to a severe impact on Dutch society, government and industry as well as on neighboring countries.
Dutch critical infrastructure consists of eleven vital sectors and thirty-one vital products and services as below:
Netherlands 11 sectors of Critical Infrastructure
|Dutch 11 vital sectors of CI|
|Management of surface water||Public order and public safety|
Since critical infrastructure protection is dependent on Information and Communication Technology (ICT), the Dutch government focuses on critical infrastructure protection and resilience to ensure no disruption to its products and services, especially from cyber-attacks. The government gives more attention to the vulnerability of its critical infrastructure in order to protect society against disturbances of these products and services. The events of 11th of September 2001 increased the need and urgency to start such an integrated critical infrastructure protection approach in the Netherlands (Luiijf et al., 2013). According to Luiijf et al. (2003), in the Netherlands the Infodrome project, run by the government in the period 2000 – 2002, looked at policy issues stemming from the deep penetration of ICT into all aspects of society. The involvement of the Dutch government as host of the Critical Infrastructure Protection and Resilience Europe program shows the government's concern for critical infrastructure protection.
Action line 10 of the Dutch counter-terrorism plan (Tweede Kamer, 2001) started the project Bescherming Vitale Infrastructuur (Protection of the Dutch Critical Infrastructure) with the objective: ‘The development of an integrated set of measures to protect the infrastructure of government and industry (including ICT)’.
2.1.4 Australia Critical Infrastructure Protection
Australia has moved in the same direction as the U.S government on critical infrastructure protection. Apart from the U.S, Wenger, Metzger and Dunn (2002) documented the critical information infrastructure protection activities in seven other countries: Australia, Canada, Germany, Norway, Sweden, Switzerland, and The Netherlands. Their work describes the different critical infrastructure protection and CIIP analysis methodologies used by these countries. Danila (2011) also highlighted the initial action taken by the Australian government in the protection of critical infrastructure:
“In the past two years, a number of European countries, members of EU, Australia and Canada have initiated substantive actions in PIC area, establishing bodies responsible, defining procedures and methodologies, allocating significant resources to protect critical infrastructure considered essential or vital”
(Danila, 2011 vol. 3, no. 1, pp. 5-17)
The Australian Government is seeking to ensure that there are adequate levels of protective security for national critical infrastructure, minimal single points of failure and rapid, tested recovery arrangements (Dudgeon, Waters & Ball, 2008).
Critical infrastructure is defined as “those physical facilities, supply chains, information technologies and communication networks which, if destroyed, degraded or rendered unavailable for an extended period, would significantly impact on the social or economic well-being of the nation, or affect Australia’s ability to conduct national defense and ensure national security” (Warren et al., 2010).
Based on the above definition, critical infrastructure provides services that are essential for everyday life such as energy, food, water, transport, communications, health and banking and finance. A disruption to critical infrastructure could have a range of serious implications for business, governments and the community (Attorney-General’s Department (AGD), 2016).
Unlike other countries, Australia gives the responsibility for critical infrastructure protection to AGD, which is the lead agency for ensuring that critical infrastructure is always available to produce and supply products and services to the people. Compared with other countries such as the U.S, the Netherlands and Malaysia, the protection and resiliency of critical infrastructure in Australia is placed under the Attorney-General.
Australia 8 sectors of Critical Infrastructure
|8 Australia sectors of C.I|
Figure 2.3: Australia Critical Infrastructure Website – Attorney-General’s Department
2.1.5 Canada view about Critical Infrastructure Protection
Critical infrastructure protection in Canada was declared an important strategy for the country only on May 28, 2010, through the National Strategy for Critical Infrastructure and the Action Plan for Critical Infrastructure. The government of Canada then took immediate action to obtain cooperation from the United States of America (U.S) in order to learn lessons about critical infrastructure protection. Canada and the U.S then became counterparts in a country partnership for protecting their critical infrastructure. The Canada-United States Action Plan for Critical Infrastructure, or Canada-U.S. Action Plan (2010), sets the objective of strengthening the safety, security and resiliency of Canada and the United States by establishing a comprehensive cross-border approach to critical infrastructure resilience.
Canada defines critical infrastructure as the processes, systems, facilities, technologies, networks, assets and services essential to the health, safety, security or economic well-being of Canadians and the effective functioning of government (Public Safety Canada (PSC), 2016). In terms of protecting the infrastructure, the definition is similar among countries such as Malaysia, the U.S, Australia and South Africa.
PSC (2016) also mentioned that critical infrastructure cannot stand alone and is interconnected and interdependent within and across provinces, territories and national borders. Disruptions of critical infrastructure could result in catastrophic loss of life, adverse economic effects and significant harm to public confidence. In considering any disruption or destruction, all countries include the importance of public confidence, government image and economic impact.
Canada classifies its critical infrastructure into 10 sectors. Canada also regards partnership as a main factor in making critical infrastructure secure and resilient in providing its products and services. The Canadian critical infrastructure sectors are stated in Table 2.9:
According to PSC (2016), the government takes care of the security of critical infrastructure.
Canada 10 sectors of Critical Infrastructure
|10 Canada sectors of C.I|
|Information and Communication Technology||Finance|
|Manufacturing||Energy and utilities|
The PSC has its own website to tell the public about the government's effort and seriousness in overcoming current threats, especially terrorism. By doing this, the government increases the level of public confidence. PSC has thus formed the Critical Infrastructure Protection Initiative at Dalhousie University. The Critical Infrastructure Protection Initiative is a hub for citizens, industry, NGOs and governments to engage with questions and ideas about the management of Canada’s critical assets (Dalhousie University, 2016). This initiative conducts research in the field of critical infrastructure protection as a long-term action to preserve critical infrastructure performance, security and resiliency.
Figure 2.4: Canada Critical Infrastructure Website – Public Safety Canada
2.1.6 South African Key point or Critical Infrastructure Protection
This country faced a different challenge in 2015, when an incident occurred regarding the National Key Point Act, 1980, whose classification as secret was opposed by the public. The public insisted on transparency from the South African government and demanded the release of the list of 204 Key Points installations. The movement led by ‘Right to Know’ (R2K) pressed the government to release the list, as there were many accusations that the government of Jacob Zuma was involved in corruption with the owners and operators of National Key Points, along with the issue of the public's rights in the matter of National Key Points.
In 2016, the South African government reviewed the previous act, and the act was amended as the Critical Infrastructure Protection Act 2016. The government allowed the public to access the content of the Critical Infrastructure Protection Bill 2016 and asked for their written comments. The draft has now been submitted to Cabinet for approval.
The South African government has been concerned with critical infrastructure protection since it introduced the Key Point Act 1980. The act was later amended and will provide for the following needs related to critical infrastructure protection. The Critical Infrastructure Protection Bill 2016, later to be called the South African Critical Infrastructure Protection Act 2016, provides for the main needs below:
- To provide for the identification and declaration of infrastructure as critical infrastructure;
- to provide for guidelines and factors to be taken into account to ensure transparent identification and declaration of critical infrastructure;
- to provide for measures to be put in place for the protection, safeguarding and resilience of critical infrastructure;
- to provide for the establishment of the Critical Infrastructure Council and its functions; the administration of the Act under the control of the National Commissioner as well as the functions of the National Commissioner in relation to the Act;
- to provide for the establishment of committees and their functions;
- to provide for the designation and functions of inspectors; to provide for the powers and duties of persons in control of critical infrastructure;
- to provide for reporting obligations;
- to provide for transitional arrangements;
- to repeal the National Key Points Act, 1980 (Act No. 102 of 1980); and to provide for matters connected therewith.
(South African Critical Infrastructure Protection Bill, 2016)
Infrastructure is defined by the Critical Infrastructure Protection Bill (2016) as follows: “infrastructure” means any building, center, establishment, facility, installation, premises or systems needed for the functioning of society, the government or enterprises of the Republic, and includes―
(a) ‘consumer installation’ as defined in the Water Services Act, 1997 (Act No. 108 of 1997);
(b) ‘installation’ as defined in the Maritime Zones Act, 1994 (Act No. 15 of 1994);
(c) ‘major hazard installation’ as defined in the Occupational Health and Safety Act, 1993 (Act No. 85 of 1993);
(d) ‘nuclear installation’ as defined in the National Nuclear Regulator Act, 1999 (Act No. 47 of 1999) and the Nuclear Energy Act, 1993 (Act No. 131 of 1993);
(e) ‘offshore installation’ as defined in the Marine Traffic Act, 1981 (Act No.2 of 1981); and
(f) any other installation as may be declared as such for the purposes of this Act;
Based on is to provide for critical infrastructure and the safeguarding thereof and for matters connected therewith, critical infrastructure sabotage, espionage or subversion. Critical infrastructure means any place or area which has under section two (2) been declared a National Key Point by the Minister of Defense. Critical Infrastructure Protection will be controlled by the Ministry of Defense. South Africa gives much power to the administrative body rather than to a government ministry or agency to manage critical infrastructure protection. For example, on the details of critical infrastructure declaration, the Critical Infrastructure Protection Bill (2016) is written as below:
Section 20, (1) The Critical Infrastructure Council must, after considering the report from the National Commissioner and all other facts pertaining to the matter, make recommendations to the Minister—
(a) whether to declare the infrastructure as critical infrastructure or not; and
(b) any risk categorization, with reference to the prescribed guidelines, which must be assigned to the infrastructure.
This is one of the main reasons why people argue against the government's actions towards critical infrastructure in South Africa. There are many groups or movements against the critical infrastructure protection of the government of the day. The NGOs R2K and SAHA organized a campaign against the government.
Definition of ‘National Key Points Complex’ or ‘Key Points Complex’ inserted by s. 1 (b) of Act 47 of 1985 – ‘owner’, in relation to a place or area declared a National Key Point under section 2, includes-
(a) the person registered as the owner of the land constituting such place or area;
(b) the person who by virtue of any right acquired from a person referred to in paragraph (a), lawfully occupies such place or area;
(c) Where the person referred to in paragraph (a) or (b) is deceased, a minor, insolvent, insane or otherwise legally incompetent, an executor, administrator, guardian, trustee, liquidator, curator or other person who controls the estate and assets of that person or represents him;
(d) where the State owns or occupies such place or area, the head of the department under the control of which the place or area is;
(e) any person under whose control or management such place or area is;
(South Africa’s National Key Points Act, 1980)
Thus, the responsibilities of owners, operators and illegal persons are written into this Critical Infrastructure Protection Bill 2016 so that action can be taken towards critical infrastructure protection. The South African government is still waiting for the Critical Infrastructure Protection Bill to become an Act after the public screening process. After the Critical Infrastructure Protection Bill 2016 amends the constitution, the Critical Infrastructure Protection Act will take the appropriate action to increase public confidence.
2.2 CRITICAL SUCCESS FACTOR FOR CNI PERFORMANCE
Under this section, the critical success factors for CNI performance are discussed from various perspectives:
- Owners and operator’s commitment (Section 2.2.1)
- Business Continuity Management (Section 2.2.2)
- Physical Security Protection (Section 2.2.3)
- Partnership – dependency and interdependency (Section 2.2.)
2.2.1 Owners and operator’s commitment
Owners' and operators' commitment is very important to CNI performance. According to the CNI Standing Order (1993), the responsibility of owners and operators is stated in chapter 1 section (1.3): owners and operators are required to comply with instructions contained in the CNI Standing Order and any other instructions given by the government from time to time. Even with the best security system, very good security control and sophisticated infrastructure, if the commitment of the people is not there, the best and most sophisticated system becomes useless.
Lou Holtz Jr. said “if you don’t make a total commitment to whatever you’re doing, then you start looking to bail out the first time the boat starts leaking”. That is the significance of owners' and operators' commitment to the performance of a CNI installation. When the government held a ‘Meeting to Move Again The CNI Committee on November 27, 1992’, the government reviewed the previous directive and replaced the State Key Points/ Counter Sabotage Committee Standing Policy Directive, in use since 1962, with the CNI Standing Order or ATSP. The meeting discussed and emphasized the responsibility of owners and operators at that time. In 1992, the total number of CNI installations was 317 (after review); of these, only 10 per cent were owned by government and the rest were owned by the private sector. All operating costs involved, including CNI installation maintenance and patrolling by the military, are borne by the owners and operators.
Since the establishment of critical national infrastructure in Malaysia, the government has been concerned with owners' and operators' commitment to ensuring better performance in supplying products and services. DHS (2016) states in its policy that critical infrastructure owners and operators need to be aware of malicious cyber activity and take measures to protect their assets. In addition, U.S CIPA (2015) insists on the responsibility and accountability of owners and operators.
“Section (33) (1) the owners and operators of critical infrastructure assets shall—
- propose and submit the Unit such assets as meet the requirements of the Act for designation as Critical Infrastructure Assets;
- provide the Unit with information and maps regarding the location of the Critical Infrastructure Assets;
- prepare and submit their plans for the development and deployment of Critical Infrastructure Assets including any reviews thereof;
- co-operate with other owners of Critical Infrastructure Assets, where the Critical Infrastructure Assets are interconnected or interdependent.
“Section (33) (2) The owners of Critical Infrastructure Assets shall—
- co-operate with the Unit in implementing security measures prescribed by the Unit;
- share with the Unit their respective Service Continuity Plans;
- report any incidents of security violation or threat to the Critical Infrastructure Assets;
- co-operate with the Unit and take steps recommended by the Unit in the event of a security violation or in the event of a natural disaster;
- provide access to Critical Infrastructure Assets in the event of national disaster or security issue.
(U.S CIPA, 2015)
DHS (2016) also highlights that, while the U.S. power grid is highly resilient, it is important for owners and operators of electric and other critical infrastructure sector assets to be aware of this particular threat and to implement mitigation steps that will reduce their vulnerabilities to similar cyber-attacks and other malicious activity employing these tactics, techniques, and procedures.
White House Washington (2003) stated that, to address the threat posed by those who wish to harm the United States, critical infrastructure owners and operators are assessing their vulnerabilities and increasing their investment in security. This followed the tragic incident of September 11, 2001, when terrorist attacks damaged the World Trade Centre (WTC) building and, with it, the soul of America.
At this juncture, it is important to call for full commitment from owners and operators so that our critical infrastructure and its resilience remain at a good level of performance. National Security Strategy (2015) calls for a more integrated approach by stating, “We are working with the owners and operators of our nation’s critical cyber and physical infrastructure across every sector – financial, energy, transportation, health, information technology, and more to decrease vulnerabilities and increase resilience.”
It is the aim of government policy, and also that of infrastructure owners and operators, to ensure continued supply through identifying and implementing improved security, protective safeguards and analysis in response to the identified threats, vulnerabilities and weaknesses posed (Scott, 2005; Bentley, 2006). That is the reason owners and operators were chosen as a success factor towards CNI performance. Owners and operators hold three-hundred-and-sixty-degree control. A lack of attention and effort will lead to destruction, attacks, disruption and malfunction of the CNI installations’ products and services.
During a security audit, the CNI Inspection Team checks matters directly related to owners and operators against three criteria:
- action taken to gazette the CNI installation as a Protected Area and Protected Place under Act 298;
- appointment of a senior officer or engineer as Head of Security, in overall charge of security control;
- conduct of awareness programmes for all officers and workers in the CNI installation.
Gazetting the CNI installation is a vital step that owners and operators should take in order to protect their installation by law against any intrusion. The CNI Security Checklist Form 2/94 Amended (2015) identifies whether the CNI installation is gazetted as a protected area or protected place under the area or place description. Once an installation is listed as critical national infrastructure, it is considered to be under government jurisdiction for protection. If not, the implications are very serious, especially with regard to national security.
The Protected Areas and Protected Places Act 1959 (Act 298) states:
“Section 4(1) if as respects any area it appears to the Minister to be necessary or expedient that special measures should be taken to control the movements and conduct of persons therein he may by order declare the area to be a protected area for the purpose of this Act”.
“Section 5(1) if as respects any premises it appears to the Minister to be necessary or expedient that special precautions should be taken to prevent the entry therein of unauthorized persons he may by order declare the premises to be a protected place for the purposes of this Act; and so long as the order is in force no person shall be in those premises unless he is in possession of a pass-card or permit issued by such authority or person as may be specified in the order, or has received the permission of an authorized officer on duty at those premises to enter the same”.
Under both Sections 4(1) and 5(1) of Act 298, even though the Minister has the power to declare the area, the most necessary part is the responsibility of the CNI installation to take immediate action to start the gazetting process ahead of the Minister’s approval. Apart from that, the term ‘authorized person’ in these sections refers to the owners and operators. Only owners and operators have power under Act 298 to enforce any measures inside their own CNI installation.
Protected Areas and Protected Places Act 1959 (Act298)
2.2.2 Business Continuity Management
In this section, we discuss the importance of business continuity management as a success factor towards CNI performance. Business continuity management is a vital part of critical infrastructure, as CNI performance must be maintained in terms of the supply of products and services. Its purpose is to ensure that the steps needed to keep the main function of critical infrastructure running are taken.
According to Disaster Recovery Institute International Business Continuity Management Education and Certification (DRI) (2016) business continuity management is a management process that identifies risk, threats and vulnerabilities that could impact an entity’s continued operations and provides a framework for building organizational resilience and the capability for an effective response. The objectives of business continuity management are to make the entity more resilient to potential threats and allow the entity to resume or continue operations under adverse or abnormal conditions. This is accomplished by the introduction of appropriate resilience strategies to reduce the likelihood and impact of a threat and the development of plans to respond and recover from threats that cannot be controlled or mitigated.
On the resiliency of critical infrastructure, PPD-21 defines resilience as the ability to prepare for and adapt to changing conditions and withstand and recover rapidly from disruptions. Resilience includes the ability to withstand and recover from deliberate attacks, accidents, or naturally occurring threats or incidents. Examples of resilience measures include developing a business continuity plan (DHS, 2016).
Business continuity management in this study comprises business continuity planning, risk management, the establishment of a recovery plan and critical national information infrastructure (CNII). Business continuity planning is one part of business continuity management. This planning is very important for owners and operators, as it provides strategic planning for critical infrastructure protection. It includes how to preserve critical infrastructure and its resilience against any disruption, destruction and malfunction in a CNI installation.
Resilience, as defined by the National Infrastructure Protection Plan (NIPP, 2013), is:
“the ability to prepare for and adapt to changing conditions and withstand and recover rapidly from disruptions…[it] includes the ability to withstand and recover from deliberate attacks, accidents, or naturally occurring threats or incidents.”
Having accurate information and analysis about risk is essential to achieving resilience. Resilient infrastructure assets, systems, and networks must also be robust, agile, and adaptable. Mitigation, response, and recovery activities contribute to strengthening critical infrastructure resilience. In the first step, physical security protection has a strong relationship with the critical infrastructure resiliency.
Good business continuity planning practice will help owners and operators respond to any security threat or disruption. DHS (2016), in the Guidelines of Tools and Resources to Help Businesses Plan, Prepare, and Protect from an Attack, recommends developing plans, including security, emergency response, emergency communications, and business continuity plans, while considering the protection of your employees and customers, access control, closed-circuit television, signage, suspicious activity reporting, and parking security.
In addition, risk management is compulsory for every critical infrastructure. Risk management and assessment identify threats and establish readiness to overcome problems such as security threats, natural disasters, cyber-attacks or terrorism threats. One critical component of the risk assessment methodology is determining the vulnerability of a system (Ezell et al. 2000a, 200b). Blaike (1994), Buckle (200a, b) and NOAA (2002) indicate a link between the concepts of vulnerability and risk. Ezell (2005) noted that risk assessment methodologies are often employed to help understand what can go wrong, estimate the likelihood and the consequences, and develop risk mitigation strategies to counter risk. Without proper risk management, the response to hazards will be badly affected.
In its critical infrastructure protection, Canada treats risk management and risk assessment as priority actions to be taken by all parties. The Risk Management Guide for Critical Infrastructure Sectors of Canada (2010) gives this overview:
The practice of risk management is well-developed within the insurance, engineering, finance, and political risk industries. It is clear, however, that risk management remains relatively immature in its application to the homeland security field. Some might argue that the implementation of risk assessment and management in the homeland security and counterterrorism fields may be more complex than in its industrial application where the primary objective is to protect against financial loss.
“The Department of Homeland Security’s Risk Assessment Methodology: Evolution, Issues, and Options for Congress”, Congressional Research Service, February 2007
Thus, the Action Plan for Critical Infrastructure (2014 – 2017) indicates the need for risk management, with the government setting out eight (8) measures to be implemented for critical infrastructure protection. The progress of the action plan on risk management is shown in Table 2.6:
|Implement the Regional Resilience Assessment Program (RRAP) across Canada||1 and ongoing|
|Provide an overall description of key risks for critical infrastructure, including dependencies and emerging trends||1 and ongoing|
|Assess impacts of potential high impact / low frequency events on critical infrastructure sectors to increase awareness and understanding of risks to critical infrastructure||1 and ongoing|
|Promote the adoption of existing standards and determine whether additional standards are needed to improve critical infrastructure resilience||1 and ongoing|
|Conduct exercises to strengthen readiness and response efforts||1 and ongoing|
|Develop targeted risk assessment products in response to emerging critical infrastructure issues||2 and ongoing|
|Finalize national application of an interdependencies model||2|
|Measure progress toward resilience to demonstrate results and monitor progress||2 and ongoing|
Figure 2.5: Canada Implement an All-Hazards Risk Management Approach
In order to ensure that the products and services of CNI are delivered to the nation and the public, a ‘priority list’ is necessary so that, during a disruption, products and services go first to where they are needed most. Under this kind of list, if products and services are disrupted, the owners and operators will ensure that the critical area becomes the priority. In the example of power grid supply, the NLDC of TNB has a priority list based on critical areas. In Putrajaya, the NLDC’s priority list for power supply is the Prime Minister Office, Prime Minister Residence House, Gas District Cooling (GDC) Putrajaya, Water Treatment Plant Precinct 19 and banking services. The NLDC gives priority to the right needs based on criticality and the national security priority list of supply.
An Information Security Management System (ISMS) is also included in business continuity management. The majority of critical infrastructure systems run on ICT and ICS, which support the daily system activities in CNI.
A SCADA system, for example, controls products and services as a whole, and they depend heavily on it. SCADA refers to ICS used to control infrastructure processes (water treatment, wastewater treatment, gas pipelines, wind farms, etc.), facility-based processes (airports, space stations, ships, etc.) or industrial processes (production, manufacturing, refining, power generation, etc.) (SCADA Systems, 2016).
Every input and output is controlled by the SCADA system. Current cyber-attacks have raised concern in all developed countries about protecting their critical infrastructure from terrorist attacks. Therefore, an ISMS addresses this risk to ensure that all ICS, especially SCADA, operate resiliently and that, if any attack happens, it can be overcome with a back-up plan. Adopting an ISMS under ISO/IEC 27001 should be a strategic decision for an organization. The basic intent of ISO 27001 is to ensure the “Confidentiality”, “Integrity” and “Availability” of information within an organization; it is designed to ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties (ISO/IEC 27001, 2002).
ISO/IEC 27000:2014 ISMS (2014) defines an ISMS as (a) an approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organization’s information security to achieve business objectives; (b) consisting of the policies, procedures, guidelines and associated resources and activities, collectively managed by an organization, in the pursuit of protecting its information assets; and (c) based upon a risk assessment and the organization’s risk acceptance levels, designed to effectively treat and manage risks. Cybersecurity Malaysia (2016) has worked out an information security framework which explains that protection of information can be achieved by identifying and implementing a suitable set of controls. The implementation of controls can be managed systematically by implementing an information security management system. Currently, the government, through the Malaysian Communications and Multimedia Commission (MCMC) and Cybersecurity Malaysia, is making an effort to ensure that all organizations, including CNI installations, are certified to ISMS ISO/IEC 27001:2013 and ISMS ISO/IEC 27002:2013, following the Cabinet Directive 2010.
2.2.3 Physical Security Protection
In this section, the discussion focuses on the importance of physical security protection as a success factor towards CNI performance. The requirement for physical protection is stated in the CNI Standing Order 1993. The basic guideline is given in Attachment D1 of the CNI Standing Order, where the nine requirements for physical security measures comprise:
- Security officer
- Physical barrier
- Notification signage for CNI and Protected Area Protected Place
- Security guard house and equipment
- Notification signage for visitor entry rules
- Security pass system
- Alarm system
- Fire alarm system
- Security vetting
These requirements must be complied with by every CNI owner and operator. The CNI Inspection Team looks into this during the security audit every year. Under the CNI Security Checklist Form 2/94 Amended (2015), physical security protection is included in Section 3. Physical security is the first line of defense in CNI installations. In this section, the critical success factor towards the performance of CNI covers the criteria of security fencing, security personnel, access control and surveillance by closed-circuit television (CCTV). The main objective of physical security protection is to deter, detect, delay and respond to any security threat, intrusion or attack on a CNI installation.
Deterrence, detection, delay and response elements are very important in physical security protection. Deterrence was defined by Garcia (2007) as those measures implemented that are perceived by adversaries as too difficult to defeat. Detection was defined as the probability of determining that an unauthorized action has occurred or is occurring, including sensing, communicating the alarm to the control center, and assessing the alarm. Delay was defined as the time, measured in minutes, by which an element of a physical protection system is designed to impede adversary penetration into or exit from the protected area (Garcia 2007). Response was defined as the time (minutes) to respond to a threat (Garcia 2007).
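The three measurable elements defined above (detection probability, delay minutes and response minutes) can be combined into a simple timeliness check; the following is an added example, not taken from the study or from Garcia (2007). It assumes that a detection only counts if the delay still ahead of the intruder is at least the response time, that each layer senses before it delays, and that layers detect independently; the site layout and all figures are constructed.

```python
from dataclasses import dataclass, replace
from math import prod


@dataclass(frozen=True)
class Layer:
    """One protection layer on the path from the perimeter to the asset."""
    name: str
    p_detect: float   # probability the intrusion is sensed, reported and assessed
    delay_min: float  # minutes this layer holds an intruder up


def remaining_delay(path, index):
    """Minutes of delay still ahead of an intruder detected on reaching layer `index`."""
    return sum(layer.delay_min for layer in path[index:])


def timely_detection(path, response_min):
    """Return (probability of detection in time, last layer where detection is still in time).

    Assumption of this example: a detection is "in time" only if the delay
    remaining after it is at least the response time, so the response force
    arrives before the intruder reaches the asset.
    """
    for layer in path:
        if not 0.0 <= layer.p_detect <= 1.0 or layer.delay_min < 0:
            raise ValueError(f"invalid values for layer {layer.name!r}")
    timely = [layer for i, layer in enumerate(path)
              if remaining_delay(path, i) >= response_min]
    if not timely:
        return 0.0, None
    # The intruder goes unnoticed only if every timely layer misses (independence assumed).
    p_missed_everywhere = prod(1.0 - layer.p_detect for layer in timely)
    return 1.0 - p_missed_everywhere, timely[-1].name


def without_detection(path, layer_name):
    """Copy of the path with one layer's detection out of service (e.g. unmaintained CCTV)."""
    return tuple(replace(layer, p_detect=0.0) if layer.name == layer_name else layer
                 for layer in path)


# Constructed sample installation; none of these figures come from the study.
SITE = (
    Layer("perimeter fence + CCTV", 0.5, 1.0),
    Layer("guard house / pass check", 0.8, 0.5),
    Layer("building door + alarm", 0.9, 3.0),
    Layer("control room door", 0.9, 2.0),
)

if __name__ == "__main__":
    scenarios = (
        ("baseline, 6 min response", SITE, 6.0),
        ("faster response, 5 min", SITE, 5.0),
        ("CCTV out of service, 6 min response",
         without_detection(SITE, "perimeter fence + CCTV"), 6.0),
    )
    for label, path, response in scenarios:
        p, last = timely_detection(path, response)
        print(f"{label}: P(timely detection) = {p:.2f}, last useful layer = {last}")
```

With a six-minute response only the perimeter layer detects early enough to matter, so an unmaintained fence camera removes all timely detection even though the inner alarms still work.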
PACE (2003) emphasized that clearly a major goal of any physical security plan is to ensure employees, customers, visitors and vendors are secure. In reality, accomplishing this goal requires security planners to look beyond the arrangement of barriers, the institution of access control, etc. Physical security protection must involve all groups within an organization. From the start, security must be viewed by all as part of every employee’s responsibility. All personnel must understand that they play an important role in the organization’s security program.
The facilities, the systems, and the functions that comprise our critical infrastructures are highly sophisticated and complex. They include human assets and physical and cyber systems that work together in processes that are highly interdependent. They also consist of key nodes that, in turn, are essential to the operation of the critical infrastructures in which they function (DHS, 2003). Furthermore, the U.S. effort on physical security protection of critical infrastructure holds that, as we begin to address the myriad of physical protection challenges, we must keep in mind the complex nature of the infrastructures and assets we aim to protect.
Jackson (2007) in Critical Infrastructure Protection Program mentioned that among the many topics explored are cyber and physical security; information sharing between public and private sectors; regional, state, and local issues; energy; and privacy concerns. In particular, the CIP Program has researched critical infrastructure protection through prisms of law and economics, and this focused research has brought a rich branch of inquiry and knowledge to the national research agenda.
A lack of attention to physical security protection leads to ineffective management of CNI installations. The Inspection Team Report (2016) reported that most CNI installations do not maintain their physical security elements, especially security fencing, CCTV (including storage devices), fire alarm systems and Protected Areas Protected Places signage. Without owners’ and operators’ commitment, neglected physical security protection elements will have a long-term impact on CNI security and resilience. Moreover, owners and operators need to allocate enough funding for the maintenance of physical security elements.
A critical infrastructure system failure produces two types of impacts. The first type constitutes the negative impacts within the critical infrastructure system when the failure of one infrastructure sector causes a failure of another sector or its elements (i.e., cascading effect). The second type corresponds to the negative impacts outside the system, specifically, on society, including national interests such as security, the economy and basic human needs. When too little attention is paid to the importance of physical security protection, the CNI is badly affected. A bomb blast, for example, can cause damage if there is no deterrence at the first line of defense.
Vulnerability is a function of 1) threat scenario, 2) protection and 3) importance. Critical infrastructure vulnerability is measured by a system’s 1) deterrence, 2) detection, 3) delay and 4) response capabilities. Importance implies that some subsystems are more critical to overall system performance than other subsystems (Ezell, 2005).
CIP improved its defense against and awareness of possible threats posed by man-made disasters after the 1995 Oklahoma City bombings when President Clinton issued Presidential Decision Directive Thirty-Nine, calling for a government-wide evaluation and re-examination of its ability to protect critical infrastructure. As a result, the Attorney General provided an assessment of CIP that highlighted the government’s lack of attention to multiple vulnerabilities within the physical infrastructure and to gaps in cyber-infrastructure and computer network protection (GAO, 2015).
The Interagency Security Committee (ISC) highlighted the directives of DHS to enhance physical security protection. ISC (2015) describes how, in 2013, the ISC released The Risk Management Process for Federal Facilities: An Interagency Security Committee Standard (RMP), which includes a list of physical security criteria. The intent of the document is to provide cohesive guidance for the application of physical security countermeasures at Federal facilities. In May 2013, the ISC established the Facility Security Plan Working Group in response to concerns raised by its membership. The Working Group was tasked with preparing reference guidance for agencies to use in developing and implementing an operable and effective Facility Security Plan (FSP) as required by the physical security criteria set forth in the RMP. The ISC also mentions that the FSP guideline provides many recommendations for federal government facilities.
The FSP, for which ISC (2015) introduced guidelines, is a critical component of an effective security program. The guidelines contained in this document are based on recognized industry best practices and provide broad recommendations for the protection of Federal facilities and Federal employees, contractors, and visitors within them. Facility Security Plan: An Interagency Security Committee Guide identifies and defines the basic guidelines and procedures used in establishing and implementing an FSP. This document is generally applicable to all buildings and facilities in the United States occupied by Federal employees, including:
- Buildings and facilities owned or leased by the Federal government;
- Federally leased rooms or suites within privately owned buildings;
- Stand-alone Federal facilities;
- Federal campuses; and
- Individual facilities on Federal campuses and special-use facilities where appropriate.
This document is intended to provide the initial guidance to be used by all agencies and facilities. When developing an FSP, departments and agencies may make the necessary adjustments to the basic guidelines and procedures presented to meet specific requirements or needs. Regardless of the FSP developed by an agency, it should have mechanisms in place to validate the plan’s effectiveness and manage its maintenance. This guidance may be used to assist Federal agencies in selecting, implementing, and evaluating appropriate protective measures and practices against identifiable security risks and threats; and to implement appropriate responses and countermeasures. When utilizing this guidance, an agency may choose to consider all or part of its overall facility security strategy. This document is not meant to supersede agency policies and funding guidelines, or impose any undue burdens on an agency.
2.2.4 Partnership (Dependency and Interdependency)
In this section, the discussion sets out the importance of partnership as a success factor towards CNI performance. Partnership comprises dependency and interdependency, as critical infrastructure protection must go together with partnership. We cannot deny the role of partnership in critical infrastructure protection, as all parties, including the government sector, the private sector, owners and operators, work together to preserve the performance of critical infrastructure.
Hemme (2015), in his article, mentioned the President’s Commission on Critical Infrastructure Protection, which called for cooperation between the federal government and its private sector partners. This partnership is essential because the vast majority (approximately eighty-five percent) of the nation’s critical infrastructure is owned and operated by the private sector.
NIPP (2013) states that partnerships enable more effective and efficient risk management. Within the context of this National Plan, a partnership is defined as close cooperation between parties having common interests in achieving a shared vision. For the critical infrastructure community, leadership involvement, open communication, and trusted relationships are essential elements to partnership.
We believe that one of the greatest challenges to improving cyber security practices through adoption of the Cybersecurity Framework will be the creation of successful public-private partnerships (Honeycutt, 2013). Strong public-private partnerships will minimize security threats and support ongoing critical infrastructure protection.
The CNI sectors in Malaysia are dependent on and interdependent with each other in order to keep supplying their own products and services in support of national security. The water sector depends on the energy sector to keep operating and running its machinery, especially to control water intake and outflow, booster pumps and filtration tanks. Without electricity, a water treatment plant cannot deliver its products and services to meet public needs. The impact will then tarnish the government’s image and hurt the economy. The same goes for power stations in terms of their dependency on treated water. The power station located in Manjung, for example, is a CNI installation that is very important to the national grid, and its main source of combustion is coal. To keep producing 4000MW of electricity for the national grid, the power station must operate with clean, treated water to run the boiler. The boiler cannot produce energy without treated or clean water. Again, the impact will tarnish the government’s image and economic security when a power outage disrupts supply.
The Canada-United States Action Plan for Critical Infrastructure emphasizes the need for partnership. Our resilience, that is, our ability to respond to and recover from a disruption, depends on the readiness of people and institutions, as well as redundancies (where they exist) in the complex critical infrastructure systems. It also depends on our many partnerships, especially with other levels of government, private sector stakeholders and international allies. We must cooperate to strengthen the resiliency of our critical infrastructure and enhance the safety and economic stability of our communities to ensure, for example, safe food, secure transportation and working electricity (Canada-United States Action Plan, 2010).
In order to protect the critical infrastructure from terrorism, Australia-New Zealand Counter Terrorism Committee (2015) underlined the importance of intelligence and information management through partnership. Governments and business recognize the need to share intelligence and information on threats and vulnerabilities and appropriate measures and strategies to mitigate risk. From time to time, specific risks or threats may emerge that require an immediate response. On these occasions, a well-coordinated but more operationally focused response will be required from governments and business towards prevention and preparedness of terrorism.
The CIP Program partners public and private sector critical infrastructure stakeholders to produce innovative, actionable solutions to critical infrastructure protection challenges. The CIP Program has convened public officials and private sector members in various conferences and symposiums to address common interests. These meetings bridge the public and private sectors and grant a neutral location for all parties to examine complex issues (Jackson, 2007).
The partnership element is very important for ensuring good relationships among public agencies, the private sector, NGOs and owners/operators of CNI, so as to minimize risk and impact for critical infrastructure in most countries. The U.S. has come forward with its NIPP, which focuses on partnering for critical infrastructure security and resilience. Partnerships enable more effective and efficient risk management. Within the context of this National Plan, a partnership is defined as close cooperation between parties having common interests in achieving a shared vision. For the critical infrastructure community, leadership involvement, open communication, and trusted relationships are essential elements to partnership (NIPP, 2013).
Figure 2.6: The National Plan’s Approach to Building and Sustaining Unity of Effort
Voluntary collaboration between private sector owners and operators (including their partner associations, vendors, and others) and their government counterparts has been and will remain the primary mechanism for advancing collective action toward national critical infrastructure security and resilience. The Federal Government must make economic calculations of risk while also considering many non-economic values, such as privacy concerns, when addressing its role in national and homeland security. As a result, government may have a lower tolerance for security risk than a commercial entity. Both perspectives are legitimate, but in a world in which reliance on critical infrastructure is shared by industry and government and where industry may be on the front lines of national defense, such as in a cyber-attack, a sustainable partnership must be developed to address both perspectives. In addition, through trusted relationships and information sharing, Federal agencies gain a better understanding of the risks and preparedness posture associated with critical infrastructure. This allows entities to make more informed decisions when identifying and addressing national critical infrastructure priorities. Participation in this effort is based on a clear and shared interest in ensuring the security and resilience of the Nation’s critical infrastructure and an understanding of the comparative advantage each element of the partnership can bring to achieve this shared interest (NIPP, 2013). The following figure shows the partnership structures among the 16 critical infrastructure sectors, which cut across sectors and depend on each other:
Figure 2.7: U.S Sector and Cross-Sector Coordinating Structures
With approximately eighty-five percent of U.S. key infrastructures privately owned or operated (DHS, 2016), the private sector is an increasingly important actor in the new security issues associated with homeland security. While an integral part of national security, homeland security differs in that it is a shared responsibility that cannot be met by the federal government alone. It requires coordinated action on the part of government (federal, state, and local) and the private sector. New forms of public-private partnerships are essential to meet the challenges posed by new technologies and non-traditional threats. DHS (2016) highlighted that, prior to September 11th, independent advisory groups and government agencies had warned of possible attacks on U.S. soil and of the need for the public and private sectors to work together to address such risks.
Eckert (2005) in his study has found that the attacks prompted renewed attention to the issue and motivated both government and industry to pursue cooperative mechanisms that had previously languished. One of the most significant of these initiatives is the Information Sharing and Analysis Centers (ISACs). ISACs are intended to promote collaboration and information-sharing both between government and industry and within key industries with respect to threats. They are the primary means of partnering for the protection of critical infrastructure, although little public attention or analysis has been focused on them.
General Accounting Office (GAO) (2001) in reporting to Senator Robert F. Bennett, Ranking Minority Member, Joint Economic Committee, Congress of the United States about ‘Practices That Can Benefit Critical Infrastructure Protection’ explained that organizations identified several critical success factors that they viewed as essential to establishing, developing, and maintaining effective information-sharing relationships, which could benefit critical infrastructure protection efforts. These factors included (1) fostering trust and respect; (2) establishing effective, timely, and appropriately secure communication; (3) obtaining top management support; (4) ensuring organization leadership continuity; and (5) generating clearly identifiable membership benefits.
The Deputy Prime Minister, in his press conference after officiating the National Key Targets Seminar 2016 at Sasana Kijang Auditorium, Sasana Kijang, said that:
“The government will ensure the protection of National Key Target throughout the country has always given serious attention and make it the main agenda for the preservation of the people, the integrity of service and administration”
“This seminar is important for cooperation between the private sector and government can establish plans and strategies to ensure the management of critical national infrastructure are always ready to face any kind of global threat,” he said.
(Zahid Hamidi, April 14 2016)
In the Netherlands, the sectors that are considered vital to society are at risk due to the increasingly complex dependencies and interdependencies of the critical infrastructures. Luiijf et al. (2013) explain in their study that taking only isolated objects into account is no longer valid, since many infrastructures have dependencies and interdependencies with other critical infrastructures. Therefore, a more process-oriented analysis is required. ICT is an important factor of influence in this analysis, since many of these (inter)dependencies are largely driven by ICT. Thus, the complexity of critical infrastructure demands collaboration among all CNI owners and operators, whose installations are always dependent on and interdependent with one another.
Figure 2.8: The complex web of (high and total) dependencies and interdependencies
- GAPS IN THE RESEARCH
In the context of Malaysia, little research has been done in the field of critical infrastructure. CGSO, under the Prime Minister’s Department, is the only agency given responsibility by the government to manage CNI, in terms of developing the management of the CNI Central Committee from time to time in accordance with changes in environment and technology. Any approval not stated in the CNI Standing Order must be obtained from CGSO (CNI Standing Order, 1993).
In addition, little research has been done in the field of CNI because only people who are competent and well versed in critical infrastructure protection are able to do it. Furthermore, most of the information is classified as secret, as it involves a great deal of government policy and secret information needed to protect the CNI function. Obtaining the information is difficult and requires a declassification process before it becomes an open document. This constraint discourages many people from doing research on CNI in Malaysia.
A study conducted by Rusli Abd Rahman (2016) on new effective critical infrastructure protection for offshore oil and gas installations in Malaysia examines past threats to offshore installations, the proliferation of terrorist organizations and persistent separatist threats. It argues that, in the pursuit of national and commercial objectives, significant and often shared risks exist to Malaysia’s interests. It then looks at the existing security approaches to offshore installations and elaborates on their effectiveness.
However, there are still gaps in the research, such as the dependency and interdependency of critical infrastructures. Further analyses are needed to explore these dependencies and interdependencies. In addition, the analyses must examine each sector so that they give a clear picture of how to take special countermeasures against terrorist threats. The approach of the study is good for oil and gas installations, as those installations are vulnerable to terrorist threats, especially in the area of the South China Sea near Sabah and Sarawak. It is suggested that a further quantitative study be conducted with oil and gas rig managers as the main respondents.
Compared to the Malaysian perspective, a lot of research has been conducted at the international level. This is because new threats demand continued study to protect critical infrastructure from terrorists and to minimize the impact of natural disasters. A study by McNeill and Wietz (2010) demonstrated that, to reflect new developments among the evolving risks to US critical infrastructure, the NIPP [National Infrastructure Protection Plan] is reviewed and reissued by DHS every three years. Sector-specific plans are reviewed and addressed in the interim period between full updates (para. 8).
Graham House conducted a study on cyber dependency and critical. However, this study failed to address the protection of critical infrastructures. Furthermore, a study was conducted by Bochman and Bucci about oversight of power grid sector. The study did not examine the critical infrastructure entirely and recommend improvements to cyber security protection of the infrastructure.
2.4 REVIEW OF CRITICAL SUCCESS FACTORS OR KEY SUCCESS FACTORS IN GENERAL
John Rockart, a professor at MIT’s Sloan School of Business, has codified critical success factors as “those things that must be done if a company is to be successful” (Freund, 1988). By identifying critical success factors, we can create a common point of reference to help us direct and measure the success of our business or project. As a common point of reference, CSFs help everyone in the team to know exactly what is most important. This helps people perform their own work in the right context and so pull together towards the same overall aims (Mindtools, 2011).
Cooke-Davies (2002) defines critical success factors as the inputs that lead either directly or indirectly to the success of a project. According to Muller and Turner (2007), critical success factors are elements of a project that can be influenced to increase the likelihood of success. These are independent variables that make success more likely. The success of a project in this study means avoiding performance failure with regard to products and services, towards effective management of CNI.
The term critical success factor (CSF) was first introduced by Rockart (1982) to define those few activities in which favorable results are absolutely necessary for a particular manager to reach his or her goals. In other words, CSFs are factors that help predict success rather than just the pure survival of projects (Sanvido et al. 1992; Ghosh et al. 2001). The most recent definition from Toor and Ogunlana (2009) explains that a CSF denotes a certain element which significantly contributes to and is crucially vital for the success of a project. Therefore, to examine and even ensure project success, one must first and foremost be able to determine factors affecting project success and project failure. Nonetheless, there is not a universal definition for CSFs or their measurement. Toor and Ogunlana (2009) stated that it is unlikely that a single comprehensive list of success factors can be developed due to the diverse nature of construction projects.
Rockart (1982) first used the term critical success factor (CSF) in the context of information systems and project management and defined it as follows:
“Those few key areas of activity in which favorable results are absolutely necessary for a particular manager to reach his or her own goals; those limited number of areas where ‘things must go right.’”
Rowlinson (1999) states that critical success factors are those fundamental issues inherent in the project, which must be maintained in order for team working to take place in an efficient and effective manner. They require day-to-day attention and operate throughout the life of the project.
Projects are aimed at a successful outcome; however, in reality only few projects are successful. Why is it so? This question has been a cause of concern. Studies have been carried out and the reasons influencing the success or failure of a project have also been found to vary, as some are within the organization and others are external and many of these factors are also contextual (Nagesh & Thomas, 2015).
Balachandra (1997) identified 78 critical factors of success and failure of R&D projects and new product development. He classified them into four categories according to whether they relate to market, technology, organization, or environment. He concluded that the impact of many of these factors is contextual.
CSFs are the essential areas of activity that must be performed well if you are to achieve the mission, objectives or goals for your business or project. By identifying your Critical Success Factors, you can create a common point of reference to help you direct and measure the success of your business or project. As a common point of reference, CSFs help everyone in the team to know exactly what’s most important. And this helps people perform their own work in the right context and so pull together towards the same overall aims (mindtools, 2011).
According to Freund (1988) in his article review, CSFs must be:
- Important to achieving overall corporate goals and objectives;
- Measurable and controllable by the organization to which they apply;
- Relatively few in number—not everything can be critical;
- Expressed as things that must be done—not the end point of the process;
- Applicable to all companies in the industry with similar objectives and strategies;
- Hierarchical in nature—some CSFs will pertain to the overall company, while others will be more narrowly focused in one functional area.
2.5 CONCEPTUAL FRAMEWORK (CF)
The framework shown below provides a broad view of the relevant constructs to be discussed in the paper.
The conceptual framework in Figure 210 shows that this research examines the following: (1) the level of performance of CNI; (2) the relationship between owners and operator’s commitment, business continuity management, physical security protection and partnership towards CNI performance; and (3) the most critical factor towards CNI performance.
The outcome (dependent variable) of this research, CNI performance, is shaped and informed by its relationships with the causal factors (independent variables), namely owners and operator’s commitment, business continuity management, physical security protection and partnership, each of which may have a strengthening or diminishing relationship with it.
[Figure 2.9: Conceptual Framework. Independent variables: Owner’s and Operator’s Commitment; Business Continuity Management; Physical Security Protection; Partnership (Dependency and Interdependency). Dependent variable: Performance of Critical National Infrastructure.]
Owners and operator’s commitment is the main part in terms of how management is involved in CNI protection. It reflects the effort owners and operators make to ensure that their own CNI installation performs, especially in delivering products and services to the nation. The commitment to safeguard their CNI installation is indicated by the responsibility owners and operators take for the overall security elements, such as: appointing a senior officer as Head of Security; appointing an Assistant Security Officer to assist the Head of Security; gazetting their CNI installation under the Protected Areas and Protected Places Act 1959; complying with the CNI Standing Order as mentioned in CNI Standing Order 1993; sending the Head of Security/Assistant Security Officer to the CNI Management Course conducted by CGSO; and committing to an awareness program whereby people inside the CNI installation must understand why the installation is listed as CNI based on its significance. Compliance by owners and operators with all these security elements leads towards the performance of CNI.
Business continuity management was seen as the top priority among all the variables. Owners and operators must ensure that the products and services of their CNI installation are always available to the nation. From this perspective, the continuity element is important, since the products and services must always be supplied to customers without fail. Failure to supply products and services will have a bad impact, as highlighted in the CNI definition. To ensure continuity, a few elements such as contingency planning, risk management, a priority list, and ICT protection against cyber-attack, such as ISMS certification, are very significant in minimizing the impact during disruption and malfunction and in meeting the criteria of CNI performance.
A CNI installation must, overall, be safeguarded with elements of physical security. To deter, detect, delay and respond to man-made threats or natural disasters, physical security is the first layer of defense that can assist owners and operators in protecting their own CNI installation from bad impact, since they can control access through security fencing and perimeter patrol, and detect intruders when any trespassing occurs. The most important physical elements, from the researcher’s experience, are Closed Circuit Television (CCTV), Control Access Management System (CAMS) and guarding by Military or Auxiliary Police. Compliance by CNI owners and operators with physical security protection indicates that the CNI installation is performing well.
This element is very important to most developed countries. Cooperation and the sharing of information and intelligence are a vital part of dependency and interdependency, because all CNI installations rely on each other. The government is the policy maker, the private sector functions to catalyze funds, and owners and operators are the persons responsible for the CNI installation. The public and private sectors work together at cross-sector level. Dependency is very high for all CNI installations. The partnership indicators are strengthening cooperation, understanding and addressing risk from cross-sector dependency and interdependency, a good relationship with surrounding people, and good intelligence sharing. Good practice of all elements of partnership maintains a good performance of CNI.
All the above variables are the success factors of CNI performance. This study gauges whether CNI performance is excellent, when owners and operators comply with the success factors, through a five-star rating and compliance with the International Standard Organization (ISO)/IEC 27001 or ISMS certificate. The CNI Inspection Teams at federal and state level assure and determine the CNI performance of each installation. If the rating given by the CNI Inspection Team or State Inspection Team is four or five stars, the performance of CNI is excellent. Certification by SIRIM for ISMS compliance also indicates that the CNI installation is performing well.
In the context of this study, hypotheses are established to gauge the expectation and possibility of the findings. Owners and operator’s commitment is considered to be the first hypothesis. According to the CNI Inspection Team Report (2016), owners and operator’s commitment yields a high rating, with five stars and above ninety percent, when all the requirements in CNI Security Checklist 2/94 Amended 2015 are fulfilled. The hypothesis is developed based on the assumption that owners and operators are the persons fully responsible for their own CNI performance. However, analysis will be conducted to measure their tendency towards the performance of CNI compared to other factors.
Business continuity management is considered to be the most influential factor in this hypothesis. Based on DRI (2016), the objective of Business Continuity Management is to make the entity more resilient to potential threats and allow the entity to resume or continue operations under adverse or abnormal conditions. This is accomplished by the introduction of appropriate resilience strategies to reduce the likelihood and impact of a threat and the development of plans to respond to and recover from threats that cannot be controlled or mitigated. The hypothesis is developed based on the assumption that business continuity management is a determinant of CNI performance during disaster, malfunction or any attack. However, analysis was conducted to measure its tendency towards the performance of CNI compared to other factors.
The third hypothesis is that physical security protection has a relationship with CNI performance. The hypothesis is developed based on the assumption that physical security protection is the first line of defense in protecting the whole CNI installation compound with its physical appearance. However, analysis was conducted to measure its tendency towards the performance of CNI compared to other factors.
The partnership success factor is considered the most important element in CNI performance. Critical infrastructure partnerships can bring great value in improving the understanding of risk to both cyber and physical systems and assets (NIPP, 2013). The hypothesis is developed based on the assumption that partnership, with its dependency and interdependency, is vital when responding with preventive and proactive measures before, during and after an incident. However, analysis was conducted to measure its tendency towards the performance of CNI compared to other factors.
It can be concluded that the success factors should benefit, and be practiced by, CNI owners and operators in order to ensure effective management and to reduce or even avoid failure in delivering the products and services of CNI. It is important to understand and adopt the success factors in aiming for successful project management as well as high performance in CNI installations. The success factors mentioned above will be absorbed by all owners and operators of CNI installations and would increase their awareness of the CNI performance of security and resiliency.
This chapter describes in detail the research design and methodology of this study. The description of the location of study, population and sampling procedures, the instrument that the researcher used to collect data for the study, as well as the procedure of data collection and analysis are presented. In addition, the reliability and validity of the instrument are also discussed in this chapter.
- RESEARCH DESIGN
In this study, the objective is to ensure that the performance of CNIs is the successful goal of the project, by practicing CSFs such as owners and operator’s commitment, business continuity management, physical security protection and partnership as the independent variables. In the end, the study aims to ensure minimum impact on CNI installations in terms of delivering their products and services to customers while facing attacks, destruction or disruption.
This study used a quasi-experimental design. The experimental group was formed by selecting CNI installations in which to implement the survey. The CNIs were selected from the water supply sector (water treatment plants and dams), the power electricity sector and the telecommunication sector, and in each sector two groups had to respond during the study: the first group for technical operation and the other for administration. The groups understand CNI well and know the importance of all 493 CNI installations, each with respect to their own installation. Basically, the owners and operators comprise the following responsible persons: (a) chief executive officer / chief operation officer; (b) managing director; (c) senior manager / manager; (d) engineer / head of security. The groups identified and studied each variable that contributes to the success of the project (CNI performance), without a control group and with a control group in the pretest and posttest. A control group is evaluated when the inspection team attends the installation to assess the implementation of security in the CNI installation, which serves as the intervention in the experimental project.
In this study, the researcher has identified strong correlations between the selected success factors and CNI performance as the hypotheses. Owners and operator’s commitment plays an important role in increasing and maintaining the performance level of a CNI installation in any sector. The commitment of owners and operators determines the way forward for their own installation. Owners and operators know the capacity of their own CNI installation in terms of products and services. Business continuity management also has an impact on CNI performance. Most installations experience different situations and face different problems in managing the CNI installation, and how they respond to incidents determines their CNI performance. Business continuity management affects how the next procedures are evaluated to minimize security threats, or to minimize the impact of an incident if it happens again at the installation. Business continuity management correlates with risk management, which also studies past experience to ensure that risk is reduced or minimized in the future. This is vital in lessening the effect of operational failure at the installation. Besides, physical security protection needs the contribution of the internal and external community in managing the CNI installation. The commitment to maintaining the physical security of CNI determines CNI performance. Physical security is known as the first line of defense; maintaining the security system and ensuring its ongoing operation ensures the effective management of the CNI installation. Partnership is evaluated in terms of cooperation and information sharing among government agencies, the private sector, local authorities and CNI owners and operators. Good cooperation and information sharing help greatly when problems are encountered, especially those related to security threats, terrorist attacks or disruption of CNI products and services. A sharing culture in managing the CNI installation and handling any situation contributes to good performance. All the independent variables correlate to ensure better performance of the CNI installation.
- UNIT/ LEVEL OF ANALYSIS
The study focuses on CNI installation practice: the success factors as independent variables towards CNI performance for each installation, and avoiding failure to deliver products and services to the nation, public and customers.
The focus of the study level refers to the unit of analysis. The unit of analysis is important to the conceptual framework, the data collection, the sample size, the analysis, the findings and the discussion. In this study, the unit of analysis is based on the population of CNI installations for three sectors. Even though the analysis is at the organization level, the study focuses on the owners and operators responsible for each CNI installation. The CNI installation is the organization whose practice of the success factors will affect CNI performance.
- SAMPLE SIZE
Based on the CNI Central Committee (August 9, 2016), Minute of Meeting No. 2/2016, there are 495 CNI installations to date: 152 installations are Priority I and another 343 installations are Priority II. From the thirteen CNI sectors, three were selected: the water supply (water treatment plant and dam) sector, the power electricity sector and the telecommunication sector. The sample size is drawn from the population of CNI installations. The three sectors were selected based on their prioritization, since all sectors depend on water, electricity and telecommunication to remain in operation. This very high dependency and interdependency led the researcher to select these three sectors. From the 495 CNI installations, the populations of the water, power and telecommunication sectors are as below:
Statistic of population sampling in 3 sectors
|Water supply (water treatment plant and dams) Sector||94|
|Power electricity Sector||101|
In accordance with the performance of CNI installations, the questionnaires were distributed to 201 owners and operators as the sample size, from the population of three sectors including Priority I and II. The 315 CNI installations in the three sectors do not correspond to the same number of owners and operators. Mostly in the water supply and power electricity sectors, one (1) owner or operator is in charge of 5, 6 or even 7 CNI installations. For example, the Central Region TNB Manager looks after 7 substations (275kV/132kV) under his responsibility. Each owner and operator has 1 group, consisting of technical operation and security operation, who were required to answer the questionnaire together. Ideally the researcher would have liked to study all 493 installations, but the time constraint and security reasons were factors in limiting the study within the given time.
- SAMPLING TECHNIQUE
In this study, a quantitative survey was chosen and the population was used. Population is the process of taking a subset of subjects that is representative of the entire population. The sample must be of sufficient size to warrant statistical analysis. Population was done by selecting the 315 CNI installations from three sectors, generating a sample size of 201 comprising the owners and operators responsible for their CNI installations.
3.6 MEASUREMENT/ INSTRUMENTATION OF VARIABLES
A descriptive analysis was used to describe the demographic profile of the respondents as well as CNI performance. To answer the three primary objectives of the study, the respondents were consulted in groups consisting of technical operation and security operation, and answers were decided with the owners and operators using 5-point Likert scale questions. There were 5 questions asked in the questionnaire to measure the level of performance of CNI as the first objective (i.e. (a) The rating performance of My CNI installation is excellent as reported by CNI Federal Inspection Team (Tim Naziran Sasaran Penting), (b) The rating performance of My CNI installation is excellent as reported by CNI State Inspection Team (Jawatankuasa Kecil Pemeriksaan Keselamatan), (c) My CNI installation certified for compliance of ISMS ISO/IEC 27001 Standard by SIRIM, (d) My CNI has a blueprint of Business Continuity Plan (i.e. contingency planning response team/ emergency response team), (e) The contingency planning response team/ emergency response team is always available for any incident and (f) Overall, the performance of my CNI installation is excellent).
Next, to answer the second objective of the study, which is to examine the relationship between owners and operator’s commitment, business continuity management, physical security protection and partnership, the Pearson correlation coefficient was computed to establish whether there is a relationship between the independent and dependent variables. In addition, multiple regression analysis was used to answer the third objective, which is to examine the most critical factor towards CNI performance. According to Berger (2013), multiple regression analysis is a flexible method to test the relationship between dependent and independent variables. This statement is further supported by Cohen, Cohen, West, and Aiken (2003), who stated that multiple regression can also be used to test the effects of a single variable or multiple variables with or without the effects of other variables taken into consideration.
Once the measurement for every variable was constructed, the reliability of the instrument was tested by the researcher. A pilot study was carried out prior to the real survey to ensure the validity and reliability of the instruments used in the study. These tests are explained further in a later topic of this chapter. Below is the measurement of questionnaire items; all questions are self-developed and none were adapted from any previous study.
Measurement of questionnaire
|Success Factor||Measurement of questionnaire items||Questionnaire Adaptation or self-developed|
|Owners and operator’s commitment
|Business continuity management
|Physical security protection
|Partnership – Dependency & Interdependency
- DATA COLLECTION
In this study, the process of collecting data started with a request for permission by official letter, emailed to the owners and operators of the CNI installations. Because the majority of CNI information is classified as secret, permission is needed to preserve any secret information and avoid leaks. Two weeks before inspection, official letters were issued informing the owners and operators of the objectives and purpose of the study. The discussion then continued and explained in detail the main objective of the study and its impact on national security. The study took three months to complete and involved 201 samples. The questionnaire was distributed to each installation. Each installation then appointed a focal point to handle the questionnaire. Basically, the Head of Security or Engineer took charge.
Based on the feedback received, the majority of respondents answered the questionnaire honestly and voluntarily. This is because the owners and operators will benefit in terms of their CNI security and resiliency in the long term.
- PILOT TEST
The questionnaire instrument was pre-tested by conducting a pilot test with a small number of respondents (30 respondents) and was modified, where necessary, before the questionnaire was distributed to the actual population. According to Sekaran (2003), a pilot test is conducted to ensure that there will be no problems with wording and measurements, as well as to ensure the appropriateness and comprehensiveness of the questions, while reducing bias. After the pilot test was done, a reliability test was conducted.
This pilot study was done to ensure that the items in the questionnaire are reliable and can be used in the study; a pilot test needs to be conducted before the questionnaire is finally distributed to the target respondents. A pilot test is vital to determine whether the items comply with the purpose of the study. Sekaran (2009) stated that a reliability test is performed to identify whether the items used in the questionnaire are free of error and whether reliable measurement across the various items is achieved. Cronbach’s alpha is the common method used by researchers to conduct a reliability test. Alpha was developed by Lee Cronbach in 1951 to provide a measure of the internal consistency of a test or scale, and it is expressed as a number between 0 and 1 (Tavakol et al., 2011). It is used to estimate the proportion of variance that is systematic or consistent in a set of test scores. It can range from 0.00 (no variance is consistent) to 1.00 (all variance is consistent). A Cronbach’s alpha coefficient below 0.4 is considered low reliability, while a coefficient from 0.5 to 0.6 is acceptable and can be referred to as moderately reliable. In a reliability test, a coefficient of 0.7 and above is considered highly reliable. The questionnaire was distributed to 30 respondents in the water supply (dams & treatment plant) sector to ensure there was no error in the questionnaire before distributing it to all owners and operators of CNI in the 3 sectors. The table below shows the result of the reliability test using IBM SPSS Statistics Version 22.0.
Reliability Test Analysis
|Variables||No of Items||Alpha Value|
|Owners and operators commitment||6||0.891|
|Business continuity management||6||0.951|
|Physical security protection||5||0.752|
From checking the questionnaire by each variable, the most reliable is business continuity management, with a Cronbach’s alpha value of 0.951, and the lowest value among six items is physical security protection, with a Cronbach’s alpha value of 0.752.
The overall Cronbach’s alpha reliability coefficient of the questionnaire is 0.965. The value of this coefficient is considered high and acceptable. Thus, the questionnaire can be used to collect data in the actual study in order to get the final required information from respondent.
- RELIABILITY TEST
The reliability test was conducted by the researcher with the pilot test, prior to the real survey, to address the reliability of content and to ensure that the measurement of items in the questionnaire is satisfactory for the study. The questionnaire was developed with the guidelines provided through the CNI Standing Order, existing CNI guidelines and regulations, and a review of literature on similar topics. Cronbach’s alpha coefficient was used to determine reliability based on the internal consistency of the questionnaires.
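The reliability statistic described above, as an added Python example (not the study's SPSS output or the author's code): it computes Cronbach's alpha from raw Likert responses and, going beyond what the page reports, the "alpha if item deleted" figure for each item. The response matrix is constructed for illustration, the function names are hypothetical, and the band labels follow the thresholds stated in the pilot test section.

```python
"""Cronbach's alpha for a Likert-scale questionnaire (added illustration)."""

# Constructed sample: 5 respondents x 4 items on a 5-point Likert scale.
# These are NOT the study's responses, which the page does not publish.
SAMPLE_RESPONSES = [
    [5, 5, 4, 5],
    [4, 4, 4, 4],
    [3, 3, 2, 3],
    [2, 2, 3, 2],
    [1, 1, 2, 1],
]


def _sample_variance(values):
    """Unbiased sample variance (n - 1 in the denominator)."""
    n = len(values)
    mean = sum(values) / n
    return sum((v - mean) ** 2 for v in values) / (n - 1)


def _validate(responses):
    """Reject matrices on which alpha cannot be computed; return item count."""
    if len(responses) < 2:
        raise ValueError("need at least two respondents")
    k = len(responses[0])
    if k < 2:
        raise ValueError("need at least two items")
    for row in responses:
        if len(row) != k:
            raise ValueError("every respondent must answer every item")
        if any(not 1 <= score <= 5 for score in row):
            raise ValueError("scores must be on the 1-5 Likert scale")
    return k


def cronbach_alpha(responses):
    """alpha = k/(k-1) * (1 - sum(item variances) / variance(total score))."""
    k = _validate(responses)
    item_vars = [_sample_variance([row[i] for row in responses])
                 for i in range(k)]
    total_var = _sample_variance([sum(row) for row in responses])
    if total_var == 0:
        raise ValueError("total scores do not vary; alpha is undefined")
    return (k / (k - 1)) * (1 - sum(item_vars) / total_var)


def alpha_if_item_deleted(responses):
    """Alpha recomputed with each item left out in turn.

    A value above the full-scale alpha flags an item that lowers
    internal consistency and may need rewording before the real survey.
    """
    k = _validate(responses)
    if k < 3:
        raise ValueError("need at least three items to drop one")
    return [cronbach_alpha([row[:i] + row[i + 1:] for row in responses])
            for i in range(k)]


def reliability_band(alpha):
    """Label alpha using only the thresholds given in the text above.

    The stated bands leave 0.4-0.5 and 0.6-0.7 unassigned, so values
    there are reported as unclassified rather than guessed.
    """
    if alpha >= 0.7:
        return "high"
    if 0.5 <= alpha <= 0.6:
        return "moderate"
    if alpha < 0.4:
        return "low"
    return "unclassified"


if __name__ == "__main__":
    alpha = cronbach_alpha(SAMPLE_RESPONSES)
    print(f"alpha = {alpha:.3f} ({reliability_band(alpha)})")
    for idx, value in enumerate(alpha_if_item_deleted(SAMPLE_RESPONSES), 1):
        print(f"alpha if item {idx} deleted = {value:.3f}")
```

In the constructed data the third item tracks the others least closely, so dropping it raises alpha, which is the pattern a pilot test looks for when deciding which questions to modify.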
- DATA ANALYSIS
All the data and information collected were then analyzed using Statistical Package for the Social Sciences (SPSS) version 22.0. All the feedback and answers from the questionnaire were analyzed and presented in the form of descriptive statistics and inferential statistics such as mean analysis, Pearson correlation and multiple regression.
FINDINGS AND ANALYSIS
In this chapter, the empirical data were collected by a self-administered questionnaire distributed to all respondents. The analysis first presents the demographics of the respondents; each question is then analyzed to identify the key success factors of CNI performance. Finally, the analysis identifies the most influential factor contributing to CNI performance. The data analysis uses SPSS Version 22.0 and covers demographic frequencies, normality analysis, reliability analysis, factor analysis, descriptive analysis, Pearson's correlation analysis and multiple regression analysis. Apart from that, the chapter also explains the research findings based on the research objectives.
4.2 DATA SCREENING AND CLEANING
The first vital step in analyzing data is to ensure that the data are free from errors (Pallant, 2010). Therefore, to ensure that the data are clean of problems such as missing information and other invalid data, the researchers conducted data screening and cleaning. The result shows that there are no missing values in this research and the information for all items is complete. All questionnaires were accepted in this study. Thus, the analysis of the findings is based on 201 respondents.
4.3 DATA REDUCTION AND FACTORING
The 28 items were tested using factor analysis with oblique rotation. With the eigenvalue set to be greater than 0.5 and small coefficients suppressed below an absolute value of 0.5, SPSS generated the Total Variance Explained table with 16 components. After identifying factor loadings greater than 0.5 and sorting the items by their loading on each factor, the 16 components were reduced to 5 factors. Factors with fewer than two item loadings have not been printed. The Kaiser-Meyer-Olkin (KMO) measure was computed to assess the correlation matrix. The KMO statistic is a Measure of Sampling Adequacy, both overall and for each variable (Kaiser 1970; Cerny and Kaiser 1977; Dziuban & Shirkey, 1974). The overall KMO is printed in the “KMO and Bartlett’s Test” table of the Factor output. The KMO statistic is a summary of how small the partial correlations are, relative to the original (zero-order) correlations.
Referring to Table 4.2, the Kaiser-Meyer-Olkin measure verified the sampling adequacy for the analysis, KMO = .933, and Bartlett’s Test of Sphericity is significant, with p less than .05. Values below 0.5 should be deleted or removed. Furthermore, values between 0.5 and 0.7 are mediocre, values between 0.7 and 0.8 are good, values between 0.8 and 0.9 are great and values above 0.9 are superb (Hutcheson & Sofroniou, 1999).
Factor analysis was conducted on the 28 items with oblique rotation (Promax). The Kaiser-Meyer-Olkin measure verified the sampling adequacy for the analysis, KMO = .933; and all KMO values for the individual items were greater than .5, which is well above the accepted limit of .5 (Field, 2013). Table 4.1 shows the factor loadings after rotation. The items that cluster on the same factor suggest that Factor 1 represents owners and operator’s commitment, Factor 2 represents business continuity management, Factor 3 represents physical security protection, Factor 4 represents partnership and Factor 5 represents CNI performance.
|FACTOR 1: OWNERS AND OPERATORS’ COMMITMENT|
|E1||Partnership within government, private sector, owners and operators effort is necessary to strengthen and maintain security, functioning and resilient of CNI.||.733|
|E2||Understanding and addressing risks from cross-sector dependencies and interdependencies is essential to enhancing CNI security and resilience.||.698|
|E3||A secure and resilient Nation maintain the capabilities required across the whole community to prevent, protect against, mitigate, respond to and recover from threats and hazards that pose greatest risk.||.810|
|E4||Good relationship with people surrounding installation will help to minimize security threat from outsider.||.711|
|E5||The sharing of intelligence and other information relating to threats and vulnerabilities from terrorism will assist owners/operators of CNI to better manage risk||.809|
|FACTOR 2: BUSINESS CONTINUITY MANAGEMENT|
|C3||Recovery/Back-up plan is important to ensure your product and services always available to the Nation.||.673|
|B1||I have appointed the senior officer or engineer as the Head of Security/ Safety responsible in CNI security & safety.||.573|
|B2||I have appointed the Assistant Security Officer to assist the Head of Security/ Safety.||.518|
|B3||I always refer to CNI Directive as a guideline in my installation.||.545|
|B6||My management conduct awareness program to all personnel regarding the importance of my CNI installation.||.595|
|C1||Contingency planning is important in order to prepare the CNI to respond well in any disruption and disaster||.687|
|C2||Risk management is a vital criterion in Business Continuity Plan.||.665|
|C4||Preparing priority list (security or business) in any disruption or disaster will help owners/operators to supply the product and services to the most critical||.665|
|C5||CNI provide the Information Communication Technology Protection Plan towards cyber-attacks||.665|
|C6||CNI should be certified for Information Security Management System (ISMS) ISO/IEC 27001 by SIRIM.||.548|
|FACTOR 3: PHYSICAL SECURITY PROTECTION|
|B4||My CNI installation is gazette as Protected Area and Protected Place under Act 298.||.544|
|F1||The rating performance of My CNI installation is excellent as reported by CNI Federal Inspection Team||.626|
|F2||The rating performance of My CNI installation is excellent as reported by CNI State Inspection Team||.638|
|F4||My CNI installation has a blueprint of Business Continuity Plan||.665|
|F5||The contingency planning response team/ emergency response team is always available for any incident.||.710|
|F6||Overall, the performance of my CNI installation is excellent||.739|
|FACTOR 4: PARTNERSHIP|
|D1||Installing security fence is the first layer of deterrence to protect CNI from crime and disruption||.744|
|D2||CNI Priority (I) must be guarded by Military/ Auxiliary Police/ Internal Security Personnel.||.673|
|D4||CNI area and buildings must be safeguard with access system and security passes as control mechanism.||.612|
|D5||CNI must be safeguard with Close Circuit Television (CCTV) as a detection mechanism||.749|
|FACTOR 5: CNI PERFORMANCE|
|B5||Head of Security/ Safety is exposed with CNI Management Course provided by CGSO||.745|
|D3||CNI Priority (II) must be guarded by Private||.748|
|F3||My CNI installation certified for compliance of ISMS ISO/IEC 27001 Standard by SIRIM.||.710|
Extraction Method: Principal Component Analysis.
Rotation Method: Promax with Kaiser Normalization.
KMO and Bartlett’s Test
|Kaiser-Meyer-Olkin Measure of Sampling Adequacy.||.933|
|Bartlett’s Test of Sphericity||
4.4 TEST OF DATA ACCURACY
Before conducting the inferential analysis, the statistical assumptions must be met. For Pearson correlation, the required assumptions are normality and linearity. For multiple regression, two more assumptions must be met: homoscedasticity and multicollinearity (Hassan & Ghazali, 2012). Each assumption is explained in the following segments.
4.4.1 Reliability Test
Validity is a necessary but not sufficient condition of a measure. The reliability test ensures that an instrument can be interpreted consistently across different situations (Field, 2013). To ensure that the questionnaire given to the respondents yields reliable information, a reliability test needs to be conducted. The measure most commonly used by researchers in reliability testing is the Cronbach's alpha coefficient (Pallant, 2010). In this test, the average correlation among items is identified and assessed to determine the standardization of the items within each variable. It is conducted to make sure that the items tested in the study are consistent and reliable as an instrument for gathering information. According to Zikmund et al. (2012), reliability between 0.7 and 1.0 is very good, 0.6 to 0.7 is considered good, 0.5 to 0.6 is average, and reliability below 0.5 is considered poor.
Summary of Cronbach’s Alpha of the 5 Factors
|Items||Cronbach’s Alpha||Cronbach’s Alpha Based on Standardized items||N of items|
|Owners and operators commitment||.839||.848||6|
|Business continuity management||.929||.929||6|
|Physical security protection||.740||.809||5|
The reliability test result in Table 4.3 is for 201 respondents. According to Sekaran (2006), the closer the alpha value is to 1, the better the tool. As mentioned earlier, a coefficient below .06 is considered low. Based on the above table, the independent and dependent variables all have values above 0.7. The table shows that, among the four independent variables, partnership (dependency & interdependency) has the highest coefficient (0.922) and physical security protection has the lowest (0.740). Owners and operators commitment has 0.839 and business continuity management has 0.929. The coefficient for the dependent variable, CNI performance, is 0.837. Overall, when the reliability test is run for the independent and dependent variables together, the coefficient is also good (0.951).
4.4.2 Normality Test
Normality analysis is important for many further statistical tests. There are several methods for assessing the normality of data, including the Kolmogorov-Smirnov test for normality, the Shapiro-Wilk W test, and the Lilliefors test. Besides that, probability plots and normal probability plots can be reviewed to assess whether the data are accurately modelled by a normal distribution. Normality can also be examined using the values of skewness and kurtosis. While skewness has to do with symmetry, kurtosis indicates the extent to which the data are peaked or flat (Tabachnick & Fidell, 2007).
For this research, skewness and kurtosis were selected to check that the distribution of scores is approximately normal, with acceptable values in the range of -2 to 2; values in this range indicate that the information gathered with the questions meets the normality standard. The result of the normality test shows that the data in this study are normal, as the values are within the range of -2 to 2.
Following this rule, if skewness and kurtosis are in the range of -2 to +2, the distribution is assumed to be normal. The values of skewness and kurtosis for all variables, namely owners and operators (-0.133, -0.577), business continuity management (-0.485, -0.518), physical security protection (-0.070, -0.801), partnership dependency and interdependency (-0.133, -0.462) and CNI performance (-0.163, 0.444), are all within the range of -/+2, so all variables are reported to be normal.
Summary of Skewness and Kurtosis of the 5 Variables
|IV_ Owners and operators commitment||-0.133||-0.577|
|IV_ Business continuity management||-0.485||-0.518|
|IV_ Physical security protection||-0.070||-0.801|
|DV_ CNI Performance||-0.163||0.444|
4.4.3 Data Outlier
An outlier can be defined as a pattern in data that does not conform to a well-defined notion of normal behavior (Singh, 2012). As this study consists of four independent variables, there is a possibility of outliers. Denis Cousineau (2010) describes outliers as observations or measures that are suspicious because they appear much lower or much higher than the vast majority of the observations. Pallant (2010) also mentioned that the existence of outliers indicates a problem or non-normality. Many statistical techniques are sensitive to outliers, which may influence the result, so it is best to reduce the impact of these outliers.
4.5 TESTING THE ASSUMPTION OF MULTICOLLINEARITY AND SINGULARITY, ASSESSING LINEARITY, NORMALITY AND HOMOSCEDASTICITY
The normality test is a prerequisite for many other statistical tests, as normal data is the essential assumption in parametric testing. It involves comparing the shape of the sample distribution with the shape of the normal curve. If the shape of the sample distribution is normal, the population involved in the study is taken to be normally distributed as well. Thus, normality is assumed. Before proceeding with other analyses or drawing conclusions, it is vital to review and assess the distribution of the major variables of interest. Judging normality benefits the researcher in terms of statistical testing. However, being insensitive to the sample size, or overly sensitive with a large sample size, could jeopardize the purpose of performing the normality test.
As many variables are involved in the study, there is a possibility that one variable is redundant with another. According to Pallant (2005), multicollinearity exists when the independent variables are highly correlated with one another. In analysing multicollinearity, two values need to be distinguished: the Variance Inflation Factor (VIF) and tolerance. In this analysis, tolerance is an indicator of how much of the variability of one independent variable is not explained by the other independent variables in the model. A small tolerance value (less than .01) signifies that multicollinearity with other variables is high, so the possibility of multicollinearity is assumed. The other value used to assess multicollinearity is VIF. A VIF value above 10 indicates multicollinearity. The table provided below shows the multicollinearity statistics in this study.
According to Coakes and Steed (2009), the analysis enables the researcher to assess the scatter plot to make sure that there is no inappropriate departure from linearity. The scatter plot is analysed by reviewing the straight line or the curve produced in the study. In addition, the presence of outliers can also be identified on the scatter plot. An outlier produces a standardized residual of more than 3.3 or less than -3.3.
According to Osborne and Waters (2002), homoscedasticity refers to the variance of errors being the same across all levels of the independent variables. Homoscedasticity and independence of residuals are assumed when the points lie on or close to the straight line. Homoscedasticity helps in determining whether the residuals are independent. When the variance of errors varies at different values of the IV, heteroscedasticity is assumed. Heteroscedasticity would result in a large distortion of the findings and weaken the data analysis. Ideally, the residuals are scattered around 0 or near a horizontal line, giving a relatively even distribution.
4.6 DEMOGRAPHIC PROFILE OF RESPONDENTS
Table 4.5 shows the descriptive statistics for the gender of the respondents involved in this study. The majority of the respondents are male: there are 154 male respondents and 47 female respondents. Male respondents make up 76.6% of the total, while the other 23.4% are female, out of the total of 201 respondents. The reason is that the work of a head of security is ground work, which involves more men than women. The female respondents are from the senior manager and managing director positions.
As stated in the table, the majority of the respondents are aged between 31 and 40 years: 86 of the 201 respondents, or 42.8%. Second are respondents aged between 41 and 50 years, with a frequency of 75, or 37.3%. These are followed by respondents aged between 20 and 30 years, with 20 respondents, or 10%. Respondents aged 51 years and above number 19 of the 201 respondents, or 9.5%. The smallest group is respondents below 20 years old, with only 1 respondent, or 0.5%.
The demographics also distinguish the educational background of the respondents. The largest group holds a Bachelor’s degree, with a frequency of 101 respondents, or 50.2%. The second highest frequency among the 201 respondents is the Master’s degree, with 43 respondents, or 21.4%. Respondents with a Diploma number 37, or 18.4%. PhD holders number 9 respondents, or 4.5%. The Others category, consisting of SPM and STPM level, has 11 respondents (5.5%).
In terms of current position and responsibility, the distribution comprises owners and operators of CNI. Of the total of 201 respondents, the highest number, 66 respondents or 32.8%, are in the engineer/ head of security position. The second highest is senior manager/ manager, with 50 respondents or 24.9%. Managing directors number 23 respondents, or 11.4%. The second last group is Others; most of the respondents in this group are at executive level, and they number 47 respondents, or 23.4%. CEO/ COO accounts for 15 respondents or 0.5%, which is the lowest number in this section of the demographics.
Table 4.5 shows that respondents with more than 10 years’ duration of work form the largest group. Among the 201 respondents, 86 (2.8%) have been working for more than 10 years. Besides, 78 or 38.7% of respondents have been working with their company for 5 to 10 years. The number of people who have been working for 1 to 3 years is 17 respondents or 8.5%, and the lowest is people who have been working for less than 1 year, with only 4 respondents or 2.0%.
Frequency Table for Profile Respondents
|Profile||No. of Respondent/ Frequency||Percentage|
|Below 20 years||1||0.5|
|51 and above||19||9.5|
|Current position and responsibility|
|Senior Manager/ Manager||50||24.9|
|Engineer/ Head of Security||66||32.8|
|Duration of work|
|Less than 1 year||4||2.0|
|1 to 3 years||17||8.5|
|3 to 5 years||16||8.0|
|5 to 10 years||78||38.8|
|More than 10 years||86||42.8|
|Water supply (dams and treatment plant)||63||31.3|
The CNI priority consists of only two categories. Among the 201 respondents, 113 (56.2%) owners or operators look after CNI Priority 1 and 88 (43.8%) owners or operators are responsible for CNI Priority 2.
By CNI sector, the largest group of respondents is from the telecommunication sector, with 71 (35.3%), followed by electricity energy with 67 (33.3%) respondents, while 63 (31.3%) respondents are from the water sector.
4.7 DATA ANALYSIS BY OBJECTIVE
The analysis findings are discussed against the research objectives. The analysis is divided according to the three research objectives of this study.
4.7.1 Level of performance of CNI
The level of performance was measured using mean analysis, run through SPSS, with the items in Section F of the questionnaire representing CNI performance. The response scale ranges from strongly disagree to strongly agree. The majority of respondents chose agree or strongly agree, with scores of 4 to 5.
This mean sits in the highest band, where mean values are classified as 3.7 – 5.0 (high mean), 2.7 – 3.6 (moderate mean) and 1 – 2.6 (low mean) by Norafefah et al. (n.d.).
Table 4.6 reports the mean and standard deviation of the six items of the dependent variable. All items in the CNI performance variable are relatively high, with values of (4.11), (4.05), (3.75), (4.32), (4.33) and (4.35). Only item number three lies on the boundary between high and medium, while the rest of the items show a high mean value. In addition, the mean for DV_CNI Performance is high, at 4.1524. It can be concluded that the CNI level of performance is high.
Mean Values for CNI Performance
|Factors of Job Satisfaction||Mean Value||SD|
|The rating performance of My CNI installation is excellent as reported by CNI Federal Inspection Team (Tim Naziran Sasaran Penting).||4.11||.639|
|The rating performance of My CNI installation is excellent as reported by CNI State Inspection Team (Jawatankuasa Kecil Pemeriksaan Keselamatan).||4.05||.660|
|My CNI installation certified for compliance of ISMS ISO/IEC 27001 Standard by SIRIM.||3.75||.906|
|My CNI has a blueprint of Business Continuity Plan (i.e contingency planning response team/ emergency response team)||4.32||.624|
|The contingency planning response team/ emergency response team is always available for any incident.||4.33||.595|
|Overall, the performance of my CNI installation is excellent||4.35||.647|
|Total CNI performance||4.1524||.50990|
[Figure: CNI level of performance on the scale from strongly disagree to strongly agree; mean = 4.1524]
4.7.2 Relationship between owners and operator’s commitment, business continuity management, physical security protection and partnership towards the performance of CNI
In this study, the Pearson correlation coefficient was computed to determine whether there is a significant relationship between the independent variables (owners and operator’s commitment, business continuity management, physical security protection and partnership) and CNI performance among CNI installations. As defined by Field (2013), a correlation coefficient is a measure of the strength of association or relationship between two variables. Correlation analysis was used to test the hypotheses, specifically H1, H2, H3 and H4. The results of the analysis are shown in Table 4.7. Correlation is an effect size, so the strength of the correlation can be described verbally using the guide that Evans (1996) suggests for the absolute value of r: (i) .00-.19 “very weak” (ii) .20-.39 “weak” (iii) .40-.59 “moderate” (iv) .60-.79 “strong” (v) .80-1.0 “very strong”.
Table 4.7 describes the correlation coefficients among the independent variables and the dependent variable. Referring to the output, all of the variables have significant correlation coefficients with each other.
** p<0.01, *p<0.05
First, the independent variable owners and operator’s commitment and the dependent variable CNI performance have a positive relationship (r=.736 at p<0.05). Business continuity management and CNI performance have a correlation coefficient of r=.592 at p<0.05, physical security protection and CNI performance have a correlation coefficient of r=.615 at p<0.05, and partnership and CNI performance have a correlation coefficient of r=.623 at p<0.05.
Second are the correlation coefficients between owners and operator’s commitment and the other independent variables: business continuity management (r=.661 at p<0.05), physical security protection (r=.616 at p<0.05) and partnership (r=.574 at p<0.05).
Third are the correlation coefficients between business continuity management and physical security protection (r=.632 at p<0.05) and between business continuity management and partnership (r=.728 at p<0.05).
Finally, the correlation coefficient between physical security protection and partnership is r=.627 at p<0.05.
All of the significance values are below the standard criterion of 0.05, indicating a statistically significant relationship (Field, 2013). We can therefore conclude that the correlation between the dependent variable and the independent variables is strong and significant. Therefore, the hypothesis is accepted.
4.7.3 Most critical factor towards performance of CNI
Multiple regression can be used to explore the relationship between IVs and a DV (continuous variable). Although multiple regression is based on correlation, it allows a more sophisticated exploration of the interrelationships among a set of variables (Pallant, 2013). Multiple regression can (i) predict a particular outcome from a set of variables, (ii) provide information about the model as a whole and (iii) show the relative contribution of each of the variables involved in the model. Thus, regression analysis is useful in predicting scores on the dependent variable on the basis of scores on the independent variables (Kaplan & Saccuzzo, 2009). This analysis attempts to identify which of the independent variables (owners and operator’s commitment, business continuity management, physical security protection and partnership) has the most influence on CNI performance among CNI installations in Malaysia, and so to identify the most critical factor. The regression analysis was applied to evaluate research objective 3, as tabulated in the table below.
The fit of the regression model can be assessed using the Model Summary and ANOVA tables produced by SPSS. According to Table 4.8, Model 1 uses four predictors: IV_O_commit (owners and operator’s commitment), IV_BCM (business continuity management), IV_Physical (physical security protection) and IV_Partnership. The predictors explain 61.5% of the variance in CNI performance (R² = .615), and the assumption that errors are independent is likely to be met since the Durbin-Watson value is 1.767, which is close to 2 (and between 1 and 3). In other words, the model used in the research accounts for 61.5% of the findings of this study.
|Model||R||R Square||Adjusted R Square||Std. Error of the Estimate||Durbin-Watson|
a. Predictors: (Constant), IV_O_commit IV_BCM, IV_Physical, IV_Partnership
b. Dependent Variable: DV_CNI Performance
|Model||Sum of Squares||df||Mean Square||F||Sig.|
a. Predictors: (Constant), IV_O_commit IV_BCM, IV_Physical, IV_Partnership
b. Dependent Variable: DV_CNI Performance
Referring to Table 4.9, the fit of the model is explained: since R² = .615 and F=78.215 (df=4) at p<0.05, this indicates that the model is good and significant.
|Owners and operators commitment||.514||8.153||.000||.494||2.024|
|Business continuity management||-.032||-.439||.661||.368||2.715|
|Physical security protection||.162||2.563||.011||.491||2.038|
|Partnership (Dependency & Interdependency)||.250||3.654||.000||.421||2.375|
a. Dependent Variable DV_CNI performance
Referring to Table 4.10, the standardized Beta coefficients are: owners and operator’s commitment (0.514), business continuity management (-0.032), physical security protection (0.162) and partnership (0.250).
This makes owners and operator’s commitment the variable with the strongest unique contribution in explaining the dependent variable, while business continuity management is the lowest, indicating that it makes the least unique contribution. The significance values for owners and operator’s commitment and for partnership are less than 0.05 (Sig=0.000, p<0.05), which shows that they are significant predictors of CNI performance. The value for physical security protection is also less than 0.05 (Sig=0.011, p<0.05), while the value for business continuity management is more than 0.05 (Sig=0.661, p>0.05).
Based on all the results, it can be concluded that the third objective is achieved: the most critical factor towards CNI performance in CNI installations is owners and operator’s commitment, followed by partnership, physical security protection and business continuity management.
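Because standardized betas, R², tolerance and VIF are all functions of the correlation matrix, the regression figures above can be cross-checked from the Pearson correlations quoted in section 4.7.2. The Python sketch below is an added example, not the authors' SPSS output; the function and variable names are assumptions, and the inputs are the correlations, the sample size (201) and the VIF threshold (10) stated on this page.

```python
# Cross-check of the regression table using only the correlations in 4.7.2.
NAMES = ["O_commit", "BCM", "Physical", "Partnership"]

# Correlations among the four independent variables (from section 4.7.2).
R_XX = [
    [1.000, 0.661, 0.616, 0.574],
    [0.661, 1.000, 0.632, 0.728],
    [0.616, 0.632, 1.000, 0.627],
    [0.574, 0.728, 0.627, 1.000],
]
# Correlation of each independent variable with CNI performance.
R_XY = [0.736, 0.592, 0.615, 0.623]

N_RESPONDENTS = 201   # sample size stated in section 4.2
VIF_LIMIT = 10.0      # multicollinearity threshold stated in section 4.5


def invert(matrix):
    """Invert a square matrix by Gauss-Jordan elimination with pivoting."""
    n = len(matrix)
    aug = [list(row) + [1.0 if i == j else 0.0 for j in range(n)]
           for i, row in enumerate(matrix)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(aug[r][col]))
        if abs(aug[pivot][col]) < 1e-12:
            # Perfect collinearity: the regression is not identifiable.
            raise ValueError("correlation matrix is singular")
        aug[col], aug[pivot] = aug[pivot], aug[col]
        scale = aug[col][col]
        aug[col] = [v / scale for v in aug[col]]
        for r in range(n):
            if r != col:
                factor = aug[r][col]
                aug[r] = [a - factor * b for a, b in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]


def diagnostics(r_xx, r_xy, n_obs):
    """Return standardized betas, R^2, F, VIF and tolerance per predictor."""
    inv = invert(r_xx)
    k = len(r_xy)
    # Standardized coefficients: beta = R_xx^-1 * r_xy.
    betas = [sum(inv[i][j] * r_xy[j] for j in range(k)) for i in range(k)]
    # R^2 is the dot product of the betas with the predictor-outcome correlations.
    r2 = sum(b * r for b, r in zip(betas, r_xy))
    # VIF_i is the i-th diagonal element of R_xx^-1; tolerance is its reciprocal.
    vifs = [inv[i][i] for i in range(k)]
    tolerances = [1.0 / v for v in vifs]
    f_stat = (r2 / k) / ((1.0 - r2) / (n_obs - k - 1))
    return {"beta": betas, "r2": r2, "f": f_stat,
            "vif": vifs, "tolerance": tolerances}


def ranking(betas, names):
    """Predictors ordered by absolute standardized beta, largest first."""
    return [n for _, n in sorted(zip((abs(b) for b in betas), names),
                                 reverse=True)]


def collinear(vifs, names, limit=VIF_LIMIT):
    """Names of predictors whose VIF exceeds the stated limit."""
    return [n for v, n in zip(vifs, names) if v > limit]


if __name__ == "__main__":
    d = diagnostics(R_XX, R_XY, N_RESPONDENTS)
    for i, name in enumerate(NAMES):
        print(f"{name:12s} beta={d['beta'][i]:+.3f} "
              f"tol={d['tolerance'][i]:.3f} VIF={d['vif'][i]:.3f}")
    print(f"R2={d['r2']:.3f}  F={d['f']:.2f}")
    print("ranking:", ranking(d["beta"], NAMES))
    print("VIF above limit:", collinear(d["vif"], NAMES))
```

The Durbin-Watson statistic and the significance values cannot be rebuilt this way, because they depend on the raw responses rather than on the correlation matrix.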
4.8 SUMMARY OF FINDINGS
Based on the findings from all the statistical analyses, the summary can be divided into three categories, following the research objectives. The first research objective is to measure the level of performance of CNI. In this study, the researcher used the mean value derived from descriptive analysis. The dependent variable, which has 6 items in the questionnaire, was examined in detail by looking at the percentage of respondents’ feedback and the strength of the mean value. In measuring the level of performance of CNI, the highest mean value shown for the dependent variable of CNI performance is 4.1524. It can be generalized that the level of CNI performance is good in the CNI installations of all 3 sectors.
The next research objective is to analyse the relationship between owners and operator’s commitment, business continuity management, physical security protection and partnership and the performance of CNI. The Pearson correlation coefficient was computed to determine whether there is a significant relationship between the independent variables and the dependent variable. All four hypotheses are accepted, as the correlation coefficients indicate that all values are high. There was a significant relationship between owners and operator’s commitment and CNI performance, where r=0.736, p<0.01. The strong relationship indicates that the hypothesis is accepted. Furthermore, there was a significant relationship between business continuity management and CNI performance, where r=0.592, p<0.01. The moderate relationship indicates that the hypothesis is also accepted. Besides, there was a significant relationship between physical security protection and CNI performance, where r=0.615, p<0.01. The strong relationship indicates that the hypothesis is accepted. Then, there was a significant relationship between partnership and CNI performance, where r=0.623, p<0.01. The strong relationship indicates that the hypothesis is highly accepted. The second research objective is achieved, as all independent variables have a strong relationship with the performance of CNI.
Next, multiple regression was conducted to examine the most critical factor towards performance of CNI. The analysis takes all the independent variables (owners and operator’s commitment, business continuity management, physical security protection and partnership) and looks at which variable has the most influence on CNI performance. Among the four independent variables, the beta coefficients and significance values show that owners and operator’s commitment ranks first, followed by partnership in second place, physical security protection in third and business continuity management in fourth. The third research objective is achieved, and the result shows that owners and operator’s commitment is very important to ensure that the CNI level of performance is at its best and that the products and services of CNI are always available to the Nation and its people.
DISCUSSION AND CONCLUSION
The present chapter gives an overall summary of the research and presents its primary findings as well as the results of the data analysis of the empirical study. It also reports the limitations of the research and offers specific, applicable suggestions for CNI performance. After that, the implications of this study are discussed before the final conclusion is summarized at the end of the chapter. The chapter also includes limitations and some recommendations for further research in the future.
5.2 MAIN FINDINGS REVISITED
The discussion of the findings elaborated in the previous chapter follows the three (3) research objectives. The first objective is addressed in Section 5.1 and the second objective in Section 5.2. The last section addresses the third objective.
5.2.1 Level of Performance of CNI
The aim of the first objective of the study is to measure the level of performance of CNI installations. According to the findings in Chapter Four, the level of performance is good. The responses from CNI owners and operators show a good result based on mean analysis: CNI performance has a high mean value (4.153). This is a good indicator because it might show that respondents are gradually moving towards good performance in order to withstand current challenges and global threats. The owners and operators, as respondents, might realize that this change will benefit them as well as national security. Among the variables, CNI performance is very important, as most respondents gave good or very good feedback on owners’ and operators’ implementation of the rules and regulations imposed by the government and by the regulatory body for Malaysian CNI installations, i.e. CGSO.
According to the overall CNI Federal Inspection Team Report (2016), the average performance score given by the Secretariat on a five-star rating is four (4) and five (5) stars. Owners and operators have followed the criteria set out in the CNI Security Checklist Form 2/94 Amended 2015 and basically fulfill the seven criteria in the checklist. The CNI Federal Inspection Team and the CNI State Inspection Team identify which CNI installations are performing well, to be presented at the CNI Central and State Committee Meetings. Apart from that, the level of performance was also affected by whether or not the CNI installation was certified by SIRIM as compliant with the ISMS ISO/IEC 27001 standard. The majority of respondents agreed that they were implementing ISMS ISO/IEC 27001 and were certified as compliant. The requirement for certification was discussed in a Cabinet Memorandum (2010), in which the cabinet decided that all CNI, including CNII, should implement ISMS and be certified within 3 years, by 2013. As mentioned in Chapters 1 and 2, ISMS ISO/IEC 27001 certification is mandatory, especially for CNI installations that operate with full automation or SCADA systems. The basic intent of ISO 27001 is to ensure the “confidentiality”, “integrity” and “availability” of information within an organization; it is designed to ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties (ISO/IEC 27001, 2002).
The level of performance is also a good indicator in that the majority of respondents had a blueprint for business contingency planning and, at the same time, an active emergency response team. The results from the CNI Security Checklist Form 2/94 Amended (2015) show that the majority of owners and operators have business contingency planning and have formed an emergency response team to respond to any incident at their CNI installation. The CNI Federal Inspection Team Report (2016) for Sungai Semenyih Water Treatment Plant reported that both of these installations have contingency planning and that the emergency response team will respond immediately when incidents such as fire, flood or disruption of supply occur. However, it is important to note that even though respondents express the opinion that they are at a good level of performance, this does not mean that they do so in actual practice. In this case, the success factors, i.e. owners’ and operators’ commitment, business continuity management, physical security protection and partnership, play a major role as indicators in determining whether the level of CNI performance is genuinely good or merely perceived to be. These success factors greatly influence the level of CNI performance.
5.2.2 Relationship between Owners and Operators Commitment, Business Continuity Management, Physical Security Protection and Partnership towards the Performance of CNI
From the analysis findings, the results show that there is a strong relationship between owners’ and operators’ commitment, business continuity management, physical security protection and partnership and the performance of CNI, with all six success factors indicated at (61.5%). In support of this analysis, a study conducted by Caldwell and Wilshusen (2014) through the U.S. DHS identified key factors in DHS’s implementation of its partnership approach. The key factors are (1) recognizing and addressing barriers to sharing information; (2) sharing the results of DHS assessments with industry and other stakeholders; and (3) measuring and evaluating the performance of DHS’s partnership efforts.
These key factors contribute to critical infrastructure protection and help maintain its performance. Partnership and information sharing among agencies, whether government, private sector or other CNI installations, are vital to protecting our CNI and increasing its level of performance. The Partnership for Critical Infrastructure Security (PCIS), formed in 1999, provided an overall forum for dialogue on infrastructure security issues across sectors (National Strategy for the Physical Protection of Critical Infrastructures and Key Assets, 2003). Furthermore, Eckert (2011) also stated in a study on protecting critical infrastructure that ISACs were modeled on mechanisms such as the Centers for Disease Control and Prevention that have proven effective, particularly in extensive interchanges with the private and non-federal sectors.
In terms of physical security protection, the National Strategy for the Physical Protection of Critical Infrastructures and Key Assets (2003) emphasizes the importance of physical security in preserving CI protection. In other words, physical security protection is the first line of defense to deter, delay, detect and respond to any threat or intrusion at a CNI installation. The strong relationship for physical security protection is supported by the need for security fencing, CCTV, security passes and security personnel in CNI protection. The Physical (Environmental) Security domain addresses the threats, vulnerabilities, and countermeasures that can be utilized to physically protect an enterprise’s resources and sensitive information (Gordon & Hernandez, 2016).
Besides, the main key factor that influences the relationship between owners’ and operators’ commitment and CNI performance is ‘people’. The person who manages CNI protection is accountable for CNI performance. High commitment from owners and operators contributes to a high level of CNI performance. According to the CNI Standing Order (1993), the responsibility of owners and operators is stated in chapter 1 section (1.3): owners and operators are required to comply with the instructions contained in the CNI Standing Order and any other instructions given by the government from time to time.
5.2.3 Most Critical Factor towards Performance of CNI
The objective of the study is mainly to identify the factor that contributes most to the performance of CNI in Malaysia. From the results, it is interesting to note that owners’ and operators’ commitment, business continuity management, physical security protection and partnership are all contributing factors for CNI performance.
The ranking of the critical factors that influence CNI performance is shown in the figure below:
| Critical Success Factors | Rank |
|---|---|
| Owners and operators commitment | 1 |
| Business continuity management | 4 |
| Physical security protection | 3 |
| Partnership (dependency & interdependency) | 2 |
Figure 5.1: Critical Success Factors Based on Rank
The analysis conducted in this study revealed that owners’ and operators’ commitment is the most important factor influencing the performance of CNI installations (B= 0.472; t-value 8.153; p<0.05). This result is supported by previous research by Hemme (2015), which emphasizes that owners and operators have the main role in critical infrastructure protection and in maintaining the performance level of CI.
“We are working with the owners and operators of our nation’s critical cyber and physical infrastructure across every sector – financial, energy, transportation, health, information technology, and more – to decrease vulnerabilities and increase resilience”
As instructed by the cabinet in the CNI Standing Order, owners and operators must be responsible for their own CNI installations. The CNI Standing Order (1993), in Chapter 3 section (1.3.1 – 1.3.5), sets out owners’ and operators’ commitment to maintenance to ensure that the level of CNI performance is in line with the protection of CNI. Furthermore, the appointment of a Head of Security and an Assistant Security Officer is very important in demonstrating commitment by owners and operators. The importance of these appointments is stated in the CNI Security Checklist Form 2/94 Amended (2015), where it is the first question the CNI Inspection Team asks owners and operators. Apart from that, commitment by owners and operators also has legal implications in terms of the gazettement of their CNI area and place under Act 298. Once an installation is listed as Critical National Infrastructure by the government, owners and operators must take the initial steps to comply with the gazettement requirement under Act 298. In one recent government decision on gazettement, the CNI Central Committee Meeting (2016) urged the owner of the Kebabangan Oil and Gas Platform in Sabah to act on the gazettement process before submission to the Minister of Home Affairs for declaration. The decision was made so that the Kebabangan installation is protected by law against any intrusion or encroachment by illegal parties such as Abu Sayyaf militants, because the installation is located offshore and is vulnerable to threats and incidents.
Even though owners’ and operators’ commitment ranks first among the success factors, awareness of the importance of CNI protection does not show a good sign, especially with regard to the awareness training organized by the Secretariat. Awareness programs are very important in determining the current security measures that owners and operators need to practice and implement. Strong support for the importance of awareness programs and training comes from the U.S. government. The Department of Homeland Security (2016) treats training as a requirement to improve and enhance owners’ and operators’ knowledge for CNI performance. The training is organized by the Department’s Office of Infrastructure Protection (IP), DHS. Under sector-specific training, it also focuses on very critical CNI, such as Chemical Sector Training, Commercial Facilities Training, Dams Sector Training, Emergency Services Training and Nuclear Reactors, Materials, and Waste Sector Training. The CNI Security Checklist Form 2/94 Amended (2015) also states the requirement for owners and operators to attend awareness programs, especially those organized by the Secretariat. Awareness programs such as training have also become a prior requirement. Critical Infrastructure Protection and Resilience is also organized by the International Association of Critical Infrastructure Protection Professionals. Critical Infrastructure Protection and Resilience Asia brings together leading stakeholders from industry, operators, agencies and governments to debate and collaborate on securing South East Asia’s critical infrastructure and its valuable information and data (Critical Infrastructure Protection, 2016).
The CNI directive must also become the main reference for the government bodies involved in CNI, security agencies, and owners and operators of CNI installations, as a guideline for managing and maintaining CNI performance. Apparently, some CNI owners and operators do not use the CNI directive as their main reference, and, even worse, some of them do not have the directive to refer to. Even though this study found that owners and operators are the most critical factor in CNI performance, the CNI directive must be a vital part of their practice, and owners and operators must make it the norm. DHS (2016) puts the CI directive as the main reference in terms of collaboration, where the Presidential Policy Directive (PPD) on Critical Infrastructure Security and Resilience advances a national unity of effort to strengthen and maintain secure, functioning, and resilient critical infrastructure. This directive also refines and clarifies the critical infrastructure-related functions, roles, and responsibilities across the Federal Government, as well as enhances overall coordination and collaboration.
Therefore, as the top-ranked critical factor for CNI performance, owners’ and operators’ commitment should be looked into to ensure management, support and cooperation among the people inside the CNI installation, each responsible for their own task.
5.3 RECOMMENDATIONS TO INCREASE THE LEVEL OF PERFORMANCE OF CRITICAL NATIONAL INFRASTRUCTURE
When this research was carried out, many of the respondents were aware of, and took seriously, what CNI owners and operators need to emphasize in order to protect their installations and make them resilient, especially with regard to current threats. In addition, the researcher needed to highlight to some owners and operators the importance of their CNI to national security, based on the CNI definitions for Priority 1 and Priority 2. Ironically, where there is no awareness, especially among the people responsible for a CNI installation, the result is destruction, malfunction and disruption of CNI products and services. When any incident happens, it has a bad impact on the country’s economy, defense system, public security, and government functions and image.
The following recommendations outline a number of ways to increase CNI performance in order to preserve CNI protection and resilience.
- Provide a CNI or Critical Infrastructure Protection Act to ensure good management by government agencies, private agencies, owners and operators.
This approach is a long-term process, and it will take time for a Critical Infrastructure Protection Act to become reality. At present, Malaysia has only the CNI Standing Order 1993, an administrative order by the cabinet. Apart from that, we are also covered by the Protected Areas and Protected Places Act 1959 (Act 298) to control persons and their conduct and to prevent the illegal entry of unauthorized persons into CNI installations. However, we still do not have strong powers to enforce action to protect our CNI in Malaysia. Previously, enforcement for owners and operators was stated in the Malaysia Emergency (Essential Powers) Act 1969, the Essential (Key Points) Regulations 1965 and the Protected Areas and Protected Places Act 1959. These provisions mention only the punishment of the person responsible for the CNI installation, not overall action to protect and preserve CNI security.
In future, a Critical Infrastructure Protection Act will enforce government directives, rules and regulations to ensure that Malaysian CNI installations are well protected and resilient, so that products and services are always available to the nation. A study on enhancing the South African Critical Infrastructure Protection Act mentions the objective of that act. The South African Critical Infrastructure Protection Bill (2016) states that the act has the purpose of providing for measures to be put in place for the protection, safeguarding and resilience of critical infrastructure, and of providing for the establishment of the Critical Infrastructure Council and its functions. The act also emphasizes the role of owners and operators as the persons responsible for CNI installations. It is also to provide for the powers and duties of persons in control of critical infrastructure and to provide for reporting obligations (South African Critical Infrastructure Protection Bill, 2016).
The U.S. government also established critical infrastructure protection through the Critical Infrastructure Protection Act 2015. Section 4 explains the object and purpose of the act, listing ten clauses on its purpose. One of the purposes is “establishment or identification of an institutional framework for the designation and protection of critical infrastructure” (CIPA, 2015). This act improves, in a comprehensive way, on the Presidential Decision Directive declared by the U.S. President.
The researcher strongly suggests that the government, through the Secretariat and the CNI Central Committee, consider producing a special act for critical infrastructure in Malaysia for long-term impact.
- Review the Standard Operating Procedure (SOP) in CNI.
At this point, from the researcher’s observation, most CNI installations have their own Standard Operating Procedure (SOP), but it is not standardized across all CNI installations. As an important part of confronting future challenges, all owners and operators must have a standard SOP as an additional guideline when facing any disaster, attack, destruction, disruption or malfunction. The review is also necessary to improve the previous SOP and the SOPs owned by each installation. The Deputy Prime Minister, in his speech during the CNI Seminar in Kuala Lumpur, urged a review of the SOP for security management due to the rising and ever more challenging threat of terrorism in the country.
“Deputy Prime Minister Datuk Seri Dr Ahmad Zahid Hamidi said the definition of strategic asset, which used to emphasize on important government-owned assets, should be reviewed and scrutinized as many of the current assets, including power plants and television stations, belonged to the private sector. The existing SOP for strategic asset security management was formulated 40 years ago and focused mainly on government-owned assets which were among the key targets during the communist insurgency, which ended in 1990, but most of those assets had been privatized or corporatized ever since, he told reporters after opening the National Key Targets Seminar 2016 here Thursday.”
Apart from that, following the Deputy Prime Minister’s order, the Ministry of Home Affairs again called on the CNI Secretariat to organize a workshop to study the criteria: (a) current threats such as the militant groups IS and Daesh; (b) the need to include buildings or public places, for example shopping centers, hospitals, public transport stations or hotels, as critical national infrastructure; and (c) places where public safety may be compromised and places where there is a possibility of violence (CNI Secretariat Minute of Meeting, 2016). Currently, the review process is still ongoing at federal level, as it involves the main CNI Central Committee, the CNI State Committees and relevant agencies before the main content of the SOP is conveyed to CNI owners and operators, including the relevant private sectors.
In addition, the success factors for CNI performance identified in this study might be included in the SOP. They could then become reference factors for all owners and operators in ensuring the performance of their CNI installations.
5.4 RESEARCH IMPLICATIONS
This study adds support to previous studies, with the theoretical part highlighting the available information on the success factors (owners’ and operators’ commitment, business continuity management, physical security protection and partnership) for CNI performance. Few studies have been done on critical infrastructure protection. A previous study by Rusli bin Abd Rahman (2016) focused on protection in the CNI Oil and Gas Sector. Hopefully many more studies will be conducted on how to improve critical infrastructure protection in Malaysia. These findings might also be presented at the CNI Central Committee Meeting for endorsement before being shortlisted as content in the CNI SOP review process next year.
As a whole, the findings of this study offer a new step forward towards a comprehensive approach by emphasizing the success factors for CNI performance, especially given the current and challenging threats from the militant groups IS, Daesh and Abu Sayyaf and from cyber-attacks. This study will help CNI owners and operators in Malaysia to secure their own CNI installations. It will also raise awareness among those owners and operators who pay insufficient attention to the importance of CNI protection and resilience. The success factors in this study might become preventive measures to protect CNI. Initial action needs to be taken by owners and operators. We do not want a major incident to happen at our CNI installations that will affect our national security as well as the credibility of the government.
Furthermore, the researcher believes that this study will contribute a new and valuable study in the area of CNI protection and resilience in Malaysia, to be presented at Critical Infrastructure Protection and Resilience East Asia, Asia and Europe. Malaysia’s effort on CNI protection and performance in East Asia may become an example for neighboring countries such as Indonesia, Thailand, Singapore, Brunei and the Philippines, like the partnership between the U.S. and Canada. For that partnership, the Canada-United States Action Plan for Critical Infrastructure (2010) describes how the Canada-United States Action Plan for Critical Infrastructure (Canada-U.S. Action Plan) promotes an integrated approach to critical infrastructure protection and resilience by enhancing coordination of activities and facilitating continuous dialogue among cross-border stakeholders.
5.5 LIMITATIONS AND SUGGESTIONS FOR FUTURE RESEARCH
Future research would be beneficial to improve the generalizability of the findings obtained in this study, and it is recommended that future researchers conduct the survey in the other 12 CNI sectors, which have a similar culture, for example (Sector Oil and Gas), (Sector Security Printing and Finance) and (Sector Radiation and Chemical). In addition, it is recommended that researchers study the same topic or a similar field using a qualitative approach, to obtain the viewpoints and perspectives of government, non-government organizations, manufacturers and/or individuals responsible for critical national infrastructure protection and performance in the country.
There were some limitations in conducting and distributing the questionnaire. Some respondents were in remote areas, especially in the water dams sector, and could not retrieve email or the Google Forms questionnaire because there was no internet service. The problem was overcome with help from the state secretariat, but this still took time and affected the data collection process. Another problem was that some of the information and documents related to CNI are classified as SECRET. The researcher needed to obtain permission and approval, and could use only open information and documents. This study is only the researcher’s opinion and might not meet all the requirements that need to be addressed for CNI performance.
This research has demonstrated that Malaysia has many challenges that must be addressed under the government mandate organized by the CNI Central and State Committees. Despite the mission and goals provided by the CNI Standing Order 1993, it is impossible to protect critical infrastructure from all possible risks and threats. Critical infrastructure must become resilient in the face of a catastrophic disaster or attack. Any government guidelines and regulations for CNI must be able not only to protect infrastructure from attack or disaster, but also to keep sectors in service through the development of plans that prepare sectors to handle most threats. This type of resilience calls for the government, through the CNI Central and State Committees, to structure guidelines and SOPs so that installations can absorb, adapt to, and recover from catastrophic events; it also helps determine whether or not the government has been successful in providing critical infrastructure at its best performance.
This research was unable to evaluate all aspects of Malaysia’s critical infrastructure. Due to the immense size and scope of the entire CNI system, a full team of data collectors and researchers would be needed. Fortunately, to meet this end, in March 2017 the CNI Central Committee established a current SOP comprising eight working groups, each focused on specific policy implementations, to evaluate and guide owners and operators in implementing the SOP. Additionally, further research is needed to evaluate critical infrastructure cyber security. Cyber security is the new frontier in risk assessment, and its full implementation as directed by the government needs to be further researched.
REFERENCES
Action Plan for Critical Infrastructure. (2014 – 2017). Renewing Canada’s Action Plan for Critical Infrastructure. Public Safety Canada.
AGD. (2016). Critical Infrastructure Protection, Australian Government Attorney-General’s. Retrieved November 01, 2016, from http://www.ag.gov.au/www/agd/agd.nsf/Page/Nationalsecurity_CriticalInfrastructureProtection
Agenda Daily. (2015). Kumpulan militan rancang serang Putrajaya http://www.agendadaily.com/Muka-Hadapan/kumpulan-militan-rancang-serang-putrajaya.html 15 September 2015
Australia-New Zealand Counter Terrorism Committee. (2015). National Guidelines for Protecting Critical Infrastructure from Terrorism.
AWANI. (2015). Astro Awani. Kaji SOP aspek keselamatan di lokasi sasaran pengganas – Zahid Hamidi. Retrieved December 15, from http://www.astroawani.com/berita-malaysia/kaji-sop-aspek-keselamatan-di-lokasi-sasaran-pengganas-zahid-hamidi-102424
Balachandra, R., & Friar, J. H. (1997). Factors for success in R&D projects and new product innovation: a contextual framework. IEEE Transactions on Engineering management, 44(3), 276-287.
Bentley, A. (2006). Infrastructure: Critical Mass. CSIRO Solve, No. 7.
Blaikie, P., Cannon, T., Davis, I., & Wisner, B. (2014). At risk: natural hazards, people’s vulnerability and disasters. Routledge.
Brody, J. E. (2007). Mental reserves keep brain agile. The New York Times. Retrieved December 11, 2016, from http://www.nytimes.com.
Caldwell, S. L., & Wilshusen, G. C. (2014). Critical Infrastructure Protection: Observations on Key Factors in DHS’s Implementation of Its Partnership Approach (No. GAO-14-464T).
Canada-U.S. Action Plan. (2010). Canada-United States Action Plan for Critical Infrastructure. Homeland Security. Public Safety Canada.
Cerny, B. A., & Kaiser, H. F. (1977). A study of a measure of sampling adequacy for factor-analytic correlation matrices. Multivariate Behavioral Research, 12(1), 43-47.
CIP [email protected] University. (2016). Critical Infrastructure [email protected] University. Retrieved November17, 2016, from https://www.dal.ca/faculty/management/research/research_profiles/critical_infrastructure.html
CNI Secretariat Discussion Minute. (2015). Mesyuarat Pelarasan Berkenaan Sasaran Penting Dan Kawasan Larangan Dan Tempat Larangan Di Bawah Kawal Selia TM Bhd.
CNI Central Committee Minute Meeting. (2015). Mesyuarat Jawatankuasa Pusat Sasaran Penting.
CNI Security Checklist Form 2/94 Amended (2015).
CNI Standing Order. (1993). Arahan Tetap Sasaran Penting.
Coakes, S. J., & Steed, L. (2009). SPSS: Analysis without anguish using SPSS version 14.0 for Windows. John Wiley & Sons, Inc.
Cooke-Davies, T. (2002). The “real” success factors on projects. International journal of project management, 20(3), 185-190.
Dănilă, V. B. (2012). The Economic Value regarding the Protection Activities of Critical Infrastructures. Acta Universitatis Danubius. Administratio, 3(1).
Department of Homeland Security. (2016). Critical Infrastructure Protection Act (CIPA) Passage Out of Homeland Security Committee is Decisive Step to Protect the Nation. Retrieved November 14, 2016, from https://homeland.house.gov/press/critical-infrastructure-protection-act-critical infrastructure protection-passage-out-homeland-security-committee/
DHS. (2016). Department of Homeland Security. Retrieved May 15, 2015, from https://www.dhs.gov/topic/critical-infrastructure-security
DRI. (2016). Disaster Recovery Institute. Professional Practices. Retrieved November 16, 2016, from https://www.drii.org/certification/professionalprac.php
DOsomething.org. (2016). 11 Facts About 9/11. Retrieved November 13, 2016, from https://www.dosomething.org/us/facts/11-facts-about-911
Dudgeon, I., Waters, G., & Ball, D. (2008). Australia and Cyberwarfare (p. 173). ANU Press.
Eckert, S. (2005). Protecting Critical Infrastructure: The Role of the Private Sector. Guns and Butter: The Political Economy of International Security, in: P. Dombrowski (Ed.), Lynne Rienner Publishers, Boulder, Colorado.
Ezell, B. C. (2005). Infrastructure Vulnerability Assessment Model (I‐VAM). Risk Analysis, 27(3), 571-58
Ezell, B. C. (2005). Quantifying vulnerability to critical infrastructure (Doctoral dissertation, Old Dominion University).
Field, A. (2013). Discovering statistics using IBM SPSS statistics. Sage.
Firdhous, M., Ghazali, O., & Hassan, S. (2012). Trust management in cloud computing: A critical review. arXiv preprint arXiv:1211.3979.
Freund, Y. P. (1988). Critical success factors. Planning Review, 16(4), 20-23.
Fisher, R. E. (2013). Taking a normative approach to organizational culture change on critical infrastructure protection (Doctoral dissertation, Benedictine University).
Garcia, M. L. (2007). Design and evaluation of physical protection systems. Butterworth-Heinemann.
GAO. (2001). United States General Accounting Office. Practices That Can Benefit Critical Infrastructure Protection
GAO. (2015). United States Government Accountability Office
Giannopoulos, G., Filippini, R., & Schimmer, M. (2012). Risk assessment methodologies for critical infrastructure protection, part I: A state of the art. Publications Office of the European Union: Luxembourg.
Gordon, A., & Hernandez, S. (2016). The Official (ISC) 2 Guide to the SSCP CBK. John Wiley & Sons.
Gordon, K., & Dion, M. (2008). Protection of ‘Critical Infrastructure’ and the role of investment policies relating to national security. Investment Division, Directorate for Financial and Enterprise Affairs, Organization for Economic Co-operation and Development, Paris, 75116
Haron, S., & Ahmad, N. (2000). The effects of conventional interest rates and rate of profit on funds deposited with Islamic banking system in Malaysia. International
Hardinga, B., & Cousineaua, D. GRD 2.0: An extended SPSS extension command for generating random data.
Hemme, K. (2015). Critical Infrastructure Protection: Maintenance is National Security. Journal of Strategic Security, 8(5), 25-39.
Honeycutt, D. (2013). Developing a Framework to Improve Critical Infrastructure Cybersecurity.
Hwang, B. G., & Lim, E. S. J. (2012). Critical success factors for key project players and objectives: case study of Singapore. Journal of Construction Engineering and Management, 139(2), 204-215.
Inspection Team Report. (2015). Laporan Tim Naziran Sasaran Penting
Inspection Team Report. (2016). Laporan Tim Naziran Sasaran Penting
ISC. (2013). The Risk Management Process for Federal Facilities: An Interagency Security Committee Standard.
ISO/IEC 2700. (2000). Information security standard–Code of Practice for Information Security Management.
ISO/IEC 27000:2014 ISMS. (2014). Information technology — Security techniques — Information security management systems — Overview and vocabulary. Retrieved October 18, 2016, from http://www.iso.org/iso/catalogue_detail?csnumber=63411
Johnson, R. L. (2012). An Analysis of IT Governance Practices in the Federal Government: Protecting US Critical Infrastructure from Cyber Terrorist Attacks. ProQuest LLC.
Jackson, L. (2007). Critical Infrastructure Protection Program. George Mason University School of Law.
Kaplan, R. M., & Saccuzzo, D. P. (2009). Standardized tests in education, civil service, and the military. Psychological testing: Principles, applications, and, 7, 325-327.
Lucus-McEwen, V., & CEM, C. (2011). FEMA Deputy Administrator Challenges Emergency Managers. IAEM Bulletin, 28(12).
Luiijf, H. A. M., Burger, H., & Klaver, M. (2003). Critical infrastructure protection in the Netherlands: a quick-scan. Copenhagen, Denmark: EICAR Denmark.
Lewis, T. G. (2014). Critical infrastructure protection in homeland security: defending a networked nation. John Wiley & Sons.
McNeill, J. B., & Weitz, R. (2010). How to fix critical infrastructure protection plans: a guide for congress. Heritage Foundation.
Mills, R. J., Young, C. A., Pallant, J. F., & Tennant, A. (2010). Rasch analysis of the Modified Fatigue Impact Scale (MFIS) in multiple sclerosis. Journal of Neurology, Neurosurgery & Psychiatry, jnnp-2008.
Müller, R., & Turner, R. (2007). The influence of project managers on project success criteria and project success by type of project. European Management Journal, 25(4), 298-309.
Nagesh, D. S., & Thomas, S. (2015). Success factors of public funded R&D projects. CURRENT SCIENCE, 108(3), 357.
National Strategy for Critical Infrastructure. (2016). Public Safety Canada. Retrieved October 8, 2016, from http://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/srtg-crtcl-nfrstrctr/index-eng.aspx
NIPP. (2013). Partnering for Critical Infrastructure Security and Resilience. U.S Homeland Security.
OECD. (2008). Organization for Economic Co-operation and Development. Development of Policies for Protection of Critical Information Infrastructures. Ministerial Background Report
Osborne, J., & Waters, E. (2002). Four assumptions of multiple regression that researchers should always test. Practical assessment, research & evaluation, 8(2), 1-9.
PACE. (2003). Security PACE 1 – Security Principles and Operations. Underwriter Laboratories.
Pallant, J. (2005). SPSS Survival Manual: A Step by Step Guide to Data Analysis Using SPSS for Windows. Australia: Australian Copyright.
Pallant, J. (2013). SPSS survival manual. McGraw-Hill Education (UK).
Pallant, J. F., & Bailey, C. M. (2005). Assessment of the structure of the Hospital Anxiety and Depression Scale in musculoskeletal patients. Health and quality of life outcomes, 3(1), 1.
Pearson, J.M., Pearson, A. and Green, D. (2007), “Determining the importance of key criteria in web usability”, Management Research News, Vol. 30 No. 11, pp. 816‐28.
Protected Areas and Protected Places Act of 1959 (Act 298)
Freund, Y. P. (1988). Critical success factors. Planning Review, 16(4), 20-23.
PSC. (2016). Public Safety Canada Critical Infrastructure. Retrieved October 8, 2016, from http://www.publicsafety.gc.ca/cnt/ntnl-scrt/crtcl-nfrstrctr/index-eng.aspx
Public Safety Canada (2016). Risk Management Guide for Critical Infrastructure Sectors. Critical Infrastructure Policy
Public Safety Canada (2014 – 2017). Action Plan for Critical Infrastructure Public Safety Canada
Quigley, K. (2013), “Man plans, God laughs”: Canada’s national strategy for protecting critical infrastructure. Can Public Admin, 56: 142–164. doi:10.1111/capa.12007
Risk Management Guide for Critical Infrastructure Sectors of Canada. (2010). Critical Infrastructure Policy, Public Safety Canada.
Rockart, J. F., & Sloan, W. P. (1982). Information Systems Executive: A Critical Success Factors Perspective.
Rowlinson, S. (1999). Selection criteria. Procurement systems: A guide to best practice in construction, 276-299.
Rusli Abd Rahman. (2016). Effective Critical Infrastructure Protection for Offshore Oil and Gas Installation in Malaysia. International Islamic University Malaysia.
Scott G. (2005) Protecting the Nation, AUSGEO News (Geoscience Australia), Issue No.79.
Sekaran, U. (2003), Research Methods for Business: A Skill Building Approach, 4th ed., Wiley, Hoboken, NJ.
Sekaran, U. (2006). Metodologi penelitian untuk bisnis. Jakarta: Salemba Empat.
Shwani, H. G. (2014). Critical infrastructure protection (Doctoral dissertation, Utica College).
Smith, M., Factors influencing an organization’s ability to manage innovation: a structured literature review and conceptual model. Int. J. Innov. Manage., 2008, 12(4), 655–676.
Singh, K., & Upadhyaya, S. (2012). Outlier detection: applications and techniques. International Journal of Computer Science Issues, 9(1), 307-323.
Somers, T. M., & Nelson, K. (2001, January). The impact of critical success factors across the stages of enterprise resource planning implementations. In System Sciences, 2001. Proceedings of the 34th Annual Hawaii International Conference on (pp. 10-pp). IEEE.
South African Critical Infrastructure Protection Bill of 2016, Section 20 (1)
South African National Key Point Act of 1980, Section 2
Tabachnick, B. G., & Fidell, L. S. (2007). Multilevel linear modeling. Using multivariate statistics, 781-857.
Tavakol, M., & Dennick, R. (2011). Making sense of Cronbach’s alpha. International journal of medical education, 2, 53.
The Star. (2009). “Major blackouts in Malaysia”. Archived from the original on 2009-05-11. Retrieved November 20, 2015, from https://www.revolvy.com/main/index.php?s=Power%20outages%20in%20Malaysia
The White House Washington (2013). The National Strategy for The Physical Protection of Critical Infrastructures and Key Assets.
Toor, S. U. R., & Ogunlana, S. O. (2009). Construction professionals’ perception of critical success factors for large-scale construction projects. Construction Innovation, 9(2), 149-167.
Tweede Kamer (2001). Eerste voortgangsrapportage m.b.t. actieplan Terrorismebestrijding en veiligheid van 5 oktober 2001 [First progress report w.r.t. the action plan counter-terrorism and safety dated 5 October 2001]. Tweede Kamer der Staten-Generaal vergaderjaar 2001-2002, 27925(21), The Hague, The Netherlands.
U.S. General Accounting Office, Critical Infrastructure Protection: Federal Efforts Require a More Coordinated and Comprehensive Approach for Protecting Information Systems, GAO 02–474 (Washington D.C.: GAO): Retrieved October 8, 2016, from http://www.gao.gov/assets/240/235055.pdf
United States. President (2001-2009: Bush), & Bush, G. W. (2003). National Strategy for the Physical Protection of Critical Infrastructures and Key Assets. White House.
US Critical Infrastructure Protection Act of 2015, Section 33 (1), (2)
United States General Accounting Office (2001) Practices That Can Benefit Critical Infrastructure Protection
White House Washington. (2003). “The National Strategy for Homeland Security: Office of Homeland Security.” Retrieved October 16, 2016, from http://www.whitehouse.gov/homeland/book/nat_strat_hls.pdf.
Witteman, H. O., & Zikmund-Fisher, B. J. (2012). The defining characteristics of Web 2.0 and their potential influence in the online vaccination debate. Vaccine, 30(25), 3734-3740.
Weiss, J. (2015). Even former ex-CIA officers don’t understand ICS cyber security.
Warren, M., Pye, G., & Hutchinson, W. (2010, January). Australian Critical Infrastructure Protection: A case of two tales. In SECAU 2010: Proceedings of the 11th Australian Information Warfare and Security Conference (pp. 30-36). SECAU Security Research Centre.
365 NEWS. (2016). SOP for Strategic Asset Security Management Needs Review – Ahmad Zahid. Retrieved November 16, 2016, from http://wp.news365.my/?p=605092
You are invited to participate in this survey, which is a partial requirement for completing the Executive Master of Administrative Science, Faculty of Administrative Science & Policy Studies, Universiti Teknologi MARA. In this survey, approximately 200 respondents comprising owners and operators of Critical National Infrastructure (CNI) will participate to share about CNI management. Completion of this survey will take approximately 15-20 minutes.
Your participation in this study is completely voluntary. There are no foreseeable risks associated with this project. However, if you feel uncomfortable answering any questions, you can withdraw from the survey at any point. It is very important for us to learn your opinions.
Your survey responses will be strictly confidential and data from this research will be reported only in the aggregate. Your information will be coded and will remain confidential. If you have questions at any time about the survey or the procedures, you may contact Yusva Mochtar bin Hj. Jade by email at the email address specified below, or my supervisor, Associate Prof. Dr Jasmine Ahmad at [email protected]. Thank you very much for your time and support.
Name: Yusva Mochtar bin Hj. Jade
Mobile: (6)019-320 1330
SECTION A: Respondent Information
Instruction: Please mark the relevant answer
A1. Gender
- Male ( )
- Female ( )
A2. Age
- Below 20 ( )
- 20 – 30 ( )
- 30 – 40 ( )
- 40 – 50 ( )
- Above 50 ( )
A3. Education background
- Doctor of Philosophy (PhD) ( )
- Master’s degree ( )
- Bachelor’s degree ( )
- Diploma ( )
- Others (please specify):______________________________
A4. Your current position and responsibility
- Chief Executive Officer ( )
- Managing Director ( )
- Senior Manager/ Manager ( )
- Engineer/ Head Security Officer ( )
- Others (please specify):______________________________
A5. How long have you worked at your organization?
- less than 1 year ( )
- 1 to 3 years ( )
- 3 to 5 years ( )
- 5 to 10 years ( )
- More than 10 years ( )
A6. Your Critical National Infrastructure priority?
- Priority I ( )
- Priority II ( )
A7. Your Critical National Infrastructure sector?
- Electricity ( )
- Water supply (dams & treatment plant) ( )
- Transportation ( )
Instruction: Please circle the number that best reflects your opinion for the questions in Sections B to F.
|Strongly disagree||Disagree||Neutral||Agree||Strongly agree|
|1||2||3||4||5|
SECTION B: Owner’s and operator’s commitment towards Critical National Infrastructure performance.
|B1||I have appointed a senior officer or engineer as the Head of Security/ Safety responsible for CNI security & safety.||1||2||3||4||5|
|B2||I have appointed an Assistant Security Officer to assist the Head of Security/ Safety.||1||2||3||4||5|
|B3||I always refer to the CNI Directive (Arahan Tetap Sasaran Penting) as a guideline in my installation.||1||2||3||4||5|
|B4||My CNI installation is gazetted as a Protected Area and Protected Place under Act 298.||1||2||3||4||5|
|B5||The Head of Security/ Safety has been exposed to the CNI Management Course provided by the Chief Government Security Office (CGSO).||1||2||3||4||5|
|B6||My management conducts awareness programs for all personnel regarding the importance of my CNI installation.||1||2||3||4||5|
SECTION C. Business Continuity Management
|C1||Contingency planning is important in order to prepare the CNI to respond well to any disruption and disaster.||1||2||3||4||5|
|C2||Risk management is a vital criterion in the Business Continuity Plan.||1||2||3||4||5|
|C3||A recovery/back-up plan is important to ensure your products and services are always available to the Nation.||1||2||3||4||5|
|C4||Preparing a priority list (security or business) for any disruption or disaster will help owners/operators to supply products and services to the most critical recipients, i.e. government agencies, military, hospitals, state palaces, banking services etc.||1||2||3||4||5|
|C5||The CNI provides an Information Communication Technology Protection Plan against cyber-attacks such as online subterfuge, stealing information, undermining government confidence, interrupting communication, and disruption and denial of government service.||1||2||3||4||5|
|C6||CNI should be certified for Information Security Management System (ISMS) ISO/IEC 27001 by SIRIM.||1||2||3||4||5|
SECTION D. Physical Security Protection
|D1||Installing a security fence is the first layer of deterrence to protect CNI from crime and disruption.||1||2||3||4||5|
|D2||CNI Priority (I) must be guarded by Military/ Auxiliary Police/ Internal Security Personnel.||1||2||3||4||5|
|D3||CNI Priority (II) must be guarded by Private Security Guards.||1||2||3||4||5|
|D4||CNI areas and buildings must be safeguarded with an access system and security passes as a control mechanism.||1||2||3||4||5|
|D5||CNI must be safeguarded with Closed-Circuit Television (CCTV) as a detection mechanism.||1||2||3||4||5|
SECTION E. Partnership (Dependency and Interdependency)
|E1||Partnership among government, the private sector, owners and operators is necessary to strengthen and maintain the security, functioning and resilience of CNI.||1||2||3||4||5|
|E2||Understanding and addressing risks from cross-sector dependencies and interdependencies is essential to enhancing CNI security and resilience.||1||2||3||4||5|
|E3||A secure and resilient Nation maintains the capabilities required across the whole community to prevent, protect against, mitigate, respond to and recover from the threats and hazards that pose the greatest risk.||1||2||3||4||5|
|E4||A good relationship with people surrounding the installation will help to minimize security threats from outsiders.||1||2||3||4||5|
|E5||The sharing of intelligence and other information relating to threats and vulnerabilities from terrorism will assist owners/operators of CNI to better manage risk.||1||2||3||4||5|
SECTION F. Performance Level
|F1||The performance rating of my CNI installation is excellent as reported by the CNI Federal Inspection Team (Tim Naziran Sasaran Penting).||1||2||3||4||5|
|F2||The performance rating of my CNI installation is excellent as reported by the CNI State Inspection Team (Jawatankuasa Kecil Pemeriksaan Keselamatan).||1||2||3||4||5|
|F3||My CNI installation is certified for compliance with the ISMS ISO/IEC 27001 Standard by SIRIM.||1||2||3||4||5|
|F4||My CNI installation has a blueprint of a Business Continuity Plan, i.e. (contingency planning response team/ emergency response team), and always refers to it if any incident happens.||1||2||3||4||5|
|F5||The contingency planning response team/ emergency response team is always available for any incident.||1||2||3||4||5|
|F6||Overall, the performance of my CNI installation is excellent.||1||2||3||4||5|
END OF QUESTION
This survey is strictly for academic purposes