Abstract
Organisations’ cybersecurity requirements have several origins, including the need to protect their business from cyberattacks, to comply with laws and regulations, and to build trust. As cyber threats and new regulations emerge, organisations need to implement measures and assure compliance. Cybersecurity maturity assessments and cybersecurity standardisation can be used to implement such measures and to provide assurance for regulators. This dissertation therefore investigates cybersecurity maturity assessment and cybersecurity standardisation as means of improving organisations' cybersecurity. We state our research objective as follows: to support the improvement of organisations' cybersecurity by means of maturity assessment and standardisation. We employ the Design Science Research approach: we investigate the problem space by identifying stakeholders' needs, goals, and requirements using several research methodologies, and we propose design artifacts to solve the identified problems. The dissertation is organised into three parts: adaptivity in cybersecurity maturity assessments, cybersecurity standardisation, and the integration of cybersecurity maturity assessments and standardisation.

The first part is titled “Adaptivity in cybersecurity maturity assessments”. Chapter 2 investigates how an existing maturity assessment model can be adapted to organisational contexts. The artifact proposed in this chapter gives organisations a method to adapt an existing information security maturity model to their organisational characteristics. Chapter 3 presents an assessment instrument that is adaptable by design through situational questions: the questionnaire model proposed as an artifact helps organisations tailor the assessment instrument interactively, based on their answers to those situational questions. Finally, Chapter 4 investigates how organisational context affects the design of information security maturity assessment models by means of design principles. The proposed design requirements can be used for designing maturity assessment models, and enterprises can also use them to understand what to look for when selecting an assessment model for use within their organisation.

The second part is titled “Cybersecurity standardisation”. Chapter 5 focuses on cybersecurity standardisation and identifies gaps that emerged from an international workshop organised with relevant stakeholders; we propose a research agenda to fill the identified gaps. Following this research, Chapter 6 presents the cybersecurity essentials drawn from five standards and frameworks, together with a step-by-step process that helps SMEs establish and improve their cybersecurity based on those standards and frameworks.

The third part is titled “Integrating cybersecurity maturity assessments and standardisation”. Chapter 7 investigates how to integrate security assessment and standardisation to meet stakeholder requirements and proposes the adaptable security maturity assessment and standardisation (ASMAS) framework. We demonstrate the ASMAS framework through a user-friendly, web-based software prototype and evaluate it in seven interviews with six SMEs from five countries. The evaluation constructs are based on the Technology Acceptance Model, which we use to explain and predict the utility of the ASMAS framework. On a Likert scale (1-5), the constructs score on average 4.29 for perceived usefulness, 4.14 for perceived ease of use, and 3.62 for intention to use. These outcomes reinforce this thesis’ holistic approach to facilitating and consolidating SMEs' independent security assessment and security standardisation efforts in daily practice.