*2.4. Systems Interrelationships*

The previous sections discussed three interdependent cybersecurity systems, each with its own unique purpose. These were the international, national, and sector cybersecurity systems. The interdependent relationships between these dynamic systems as well as how they can interoperate effectively is illustrated in Figure 3 as derived from [26].

The arrows in Figure 3 represent cybersecurity information flow within and between the three interdependent systems. Clough [33] indicated that nation states should put in place domestic legislation that is conducive for international cooperation such as the Budapest Convention. Coleman [39] concurs with this and argues that collaborations such as the AU Convention on Cyber Security and Personal Data Protection provide a legal template that could be aligned with but also customised according to domestic legislation and policy requirements. This indicates that the dynamic relationships within and between the three systems are governed by legislation and governmen<sup>t</sup> policy. While the international and national systems in Figure 3 have clear cybersecurity-related policies and/or legislation, no cybersecurity-related legislation and/or governmen<sup>t</sup> policy is defined specifically for the water and wastewater sector. By utilising the systems thinking approach, the interrelationships between the water and wastewater sector (sector system

in Figure 3) and national cybersecurity legislative and policy environment (national system in Figure 3) were examined further. The research methodology on how to achieve this is described in the next section.

**Figure 3.** Cybersecurity systems dynamic interrelationships.

## **3. Materials and Methods**

The systems thinking approach [84,85] is employed to achieve the research aim of this study. The approach is deemed suitable as it helps examine dynamic patterns and events by holistically focusing on the interrelationships between a system's parts rather than seeing the constituent parts as static, standalone, and unrelated elements [84,85]. It is an analysis tool to identify and understand how the parts interconnect within the entire system [86]. This is especially useful when considering the complex nature of governmen<sup>t</sup> policy and the different parties involved in effecting legislation. In this study, a system is perceived as a group of interdependent elements assembled to create an emergen<sup>t</sup> character or behaviour of the group as a whole [22,23,87,88]. As shown in Figure 4, the national cybersecurity strategy of South Africa is considered a system in this study, and its underlying structure comprises three main parts: (i) Function; (ii) Elements; and (iii) Interconnections.

Firstly, the stated function of a system is its purpose, which sets out how that system is expected to behave [87]. Altering the function of a system has the greatest impact on the entire system and may render it unrecognisable [84]. Secondly, the elements of a system are the most visible and are the actors in the system [87]. It is however acknowledged that some elements can be more important than others [84]. Changing system elements has the least impact on a system [84], provided that the function of the system remain unaltered [87]. Thirdly, interconnections are oftentimes harder to see but more critical in the system than elements [84,87]. They are the signals that enable one element of a system to respond to other elements through action or decision points [84]. Oftentimes, interconnections are not physical flows [84,87], but rather the flow of influences, energy, or information inside and outside the system as it strives towards a state of equilibrium [22,23]. The interconnections of a system's elements are configured in such a way as to generate their own characteristic or emergen<sup>t</sup> behaviour, which may start to differ from the espoused or defined purpose [22,84,87]—which is why systems are firm and very difficult to change [89].

**Figure 4.** Systems thinking approach.

In addition to system elements/actors, interconnections and function, three more parts make up a system [84]: (i) Stocks, which are the snapshots or historical views of a system, showing the changing flows in the system; (ii) Flows, which are the inflow and outflow activities of a system impacting the levels of stock; and (iii) Feedback loops, which occur when a change—reinforcing or balancing loop [85]—in stock levels leads to additional positive or negative changes [84,87,89,90]. However, these did not form the central aim of the study. To closely examine the interrelationships between the water and wastewater sector and national cybersecurity legislative and policy environment, the four steps in Figure 4 are sequentially operationalised.

Ultimately, the goal of a systems thinking approach is leverage—identifying where changes and concomitant actions in the underlying structure of a system can result in significant and lasting improvements [86]. In the next section, a review of the national and sector cybersecurity literature is conducted to identify the underlying structure of the national cybersecurity system. This should shed light on the key stakeholders and governmen<sup>t</sup> policies and legislation required to realise significant and lasting improvements to national and, more specifically, water and wastewater sector, cybersecurity endeavours.
