An Ontological Model for a National Cyber-attack Response in South Africa


  • Aphile Kondlo University of the Western Cape
  • Louise Leenen Centre for AI Research
  • Joey Jansen van Vuuren Tshwane University of Technology



South Africa is increasingly targeted by cyber criminals and is often ranked under the top five countries suffering the most cyber-attacks. In an initiative to counter these attacks, the South African government has initiated various measures such as a National Cybersecurity Policy Framework Policy (NCPF) and a Cybercrimes Act. However, the structures and policies that follow from these measures have not been fully implemented yet. Although the government published the NCPF in 2015 and enacted the Cybercrimes Act in May 2021, there is still a gap in terms of interoperability and shared understanding within the environment. In addition, numerous new structures have been established and others are still being planned. One example of a new structure is the Cybersecurity Hub, the national CSIRT, which is mandated to co-ordinate attack information and provide support for cyber incidents. In addition, the Hub must also implement a national Cybersecurity Awareness program.

This paper presents a model for the Cybersecurity Hub in the event of a cyber incident in South Africa. The model is based on different attack scenarios and depicts the complex interoperability problem of the various roles, responsibilities, and interactions of role players when there is a cyber incident. One of the scenarios is an attack on critical infrastructure. The model is a prototype of a semantic knowledge base (an ontology) that will help with planning and decision making. Core queries that should be answered concern the critical role players during and after a cyber event; the communication activities that have to take place; and the response actions and the skills required to handle the event.