**7. Conclusions**

The national cybersecurity strategy is a system mainly comprising stakeholders from the justice, crime prevention, and security cluster of South Africa. However, industry, civil society, and other governmen<sup>t</sup> entities such as the water and wastewater sector are recognised as important stakeholders in the national cybersecurity system. A systems thinking approach was employed to analyse the national cybersecurity and water and wastewater systems. Through the stated stakeholders (system elements/actors) and legislation and policies (system interconnections), the ultimate purpose (system function) of the national cybersecurity system was found to be the establishment of a conducive environment and the provision of guidelines, standards, and best-practices for key cybersecurity stakeholders in South Africa. The interconnected relationships among these key stakeholders were found to be determined largely by the Cybercrimes Bill, CIPA, ECT Act, NCPF, POPI Act, RICA and PAIA in particular, and other cybersecurity-relevant pieces of legislation and policies.

It is concluded that the water and wastewater sector can immediately address its cybersecurity requirements without the need to propose any new legislation and/or governmen<sup>t</sup> policies or amend existing ones. The aim of the study has therefore been achieved. But the water and wastewater sector will need to identify where changes and concomitant actions in the underlying structure of the national cybersecurity system can result in significant and lasting improvements for the sector. This can only be achieved by establishing a sector CSIRT that should continuously monitor the changes in the underlying structure of the national cybersecurity programme. This is especially important as changing cybersecurityrelevant legislation and policies greatly impact the entire national cybersecurity system, including the water and wastewater sector's cybersecurity responsibilities.

Future research work could use systems thinking or system dynamics to analyse the impact of the national cybersecurity legislation and policies in South Africa since 2015. Other research projects could explore the recommendations discussed above. Moreover, a review of how other countries deal with cybersecurity in the water and wastewater sector in contrast to South Africa should form part of future research works. After all, the exchange of international experiences is crucial in the advancement of cybersecurity practices. As the country embarks on a digital transformation strategy future research could look at related challenges in the water and wastewater sector. For example, noting that some municipalities have already embarked upon installing smart meters, legislation and policies governing security and privacy of smart water meters and other Internet of Things (smart) devices could be explored.

**Author Contributions:** Conceptualization, All authors; methodology, M.M.; writing—original draft preparation, M.M.; review, A.L.M. and S.v.S.; visualization, M.M.; supervision, A.L.M.; project administration, A.L.M.; funding acquisition, All authors. All authors have read and agreed to the published version of the manuscript.

**Funding:** This research was funded by the Water Research Commission (WRC) of South Africa, gran<sup>t</sup> number 2021/2023-00354, and the article processing charge was also funded by WRC.

**Institutional Review Board Statement:** Not applicable for studies not involving humans or animals.

**Informed Consent Statement:** Not applicable for studies not involving humans or animals.

**Conflicts of Interest:** The authors declare no conflict of interest.

#### **Appendix A Analysis of the National Cybersecurity Policy Framework System**

A literature review of the previous analysis work on the National Cybersecurity Policy Framework (NCPF) was conducted in this appendix. This looked at mainly the stakeholders involved, legislation and policies underpinning the national cybersecurity strategy, and challenges in the implementation of the NCPF.






198

development

cybersecurity

continuous

awareness campaigns for the

general public.

cybersecurity

 of the required

 expert level, and

