Skip to main content
SpringerLink
Log in

Towards an Information Security Awareness Maturity Model

  • Conference paper
  • First Online:
Learning and Collaboration Technologies. Human and Technology Ecosystems (HCII 2020)

Part of the book series: Lecture Notes in Computer Science ((LNISA,volume 12206))

Included in the following conference series:

Abstract

In order to achieve continuous improvement Maturity Models (MM) are often used to assess the abilities of employees. Moreover, the continuous improvement is also required in the field of Information Security Awareness (ISA). This is due to the fact, that ISA trainings have to be repeated frequently in order to keep the level of awareness of the employees up and to stay in their mind. Within our research project, we are using the Integrated Behavorial Model (IBM) as definition of ISA. The IBM includes many different aspects like knowledge, attitude, and habit. We carried out a systematic literature review to determine if a MM based on the IBM can be defined to assess the maturity of ISA. Since the IBM covers aspects of psychology, we did not only search for MM for information security, since the human factor is often neglected. Moreover, the awareness is often only assessed via the knowledge of employees. However, knowledge is only one aspect of the IBM. At the end, none of the uncovered MMs considers all aspects of the IBM. In contrast to MM for information security, MM of other fields of research are considering psychological aspects if they are dealing with human factors. Therefore, it is possible to create a MM based on the IBM for ISA. Moreover, we can easily derive some of the used assessments for our MM.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

  1. Aggestam, L.: Towards a maturity model for learning organizations - the role of knowledge management. In: 17th International Workshop on Database and Expert Systems Applications (DEXA 2006), pp. 141–145, September 2006. https://doi.org/10.1109/DEXA.2006.138. ISSN: 2378-3915

  2. Almuhammadi, S., Alsaleh, M.: Information security maturity model for Nist cyber security framework. In: ICIT 2017 (2017). https://doi.org/10.5121/csit.2017.70305

  3. Bada, M., Sasse, A.M., Nurse, J.R.: Cyber security awareness campaigns: why do they fail to change behaviour? Global Cyber Security Capacity Centre: Draft Working Paper, pp. 188–131 (2014)

    Google Scholar 

  4. Barclay, C.: Sustainable security advantage in a changing environment: the cybersecurity capability maturity model (CM2). In: Proceedings of the 2014 ITU Kaleidoscope Academic Conference: Living in a Converged World - Impossible Without Standards? pp. 275–282, June 2014. https://doi.org/10.1109/Kaleidoscope.2014.6858466. ISSN: null

  5. Boughzala, I., Vreede, T.D., Nguyen, C., Vreede, G.J.D.: Towards a maturity model for the assessment of ideation in crowdsourcing projects. In: 2014 47th Hawaii International Conference on System Sciences, pp. 483–490, January 2014. https://doi.org/10.1109/HICSS.2014.67. ISSN: 1530-1605

  6. Brocke, J.V., Simons, A., Niehaves, B., Riemer, K., Plattfaut, R., Cleven, A.: Reconstructing the giant: on the importance of rigour in documenting the literature search process. In: ECIS (2009)

    Google Scholar 

  7. de Bruin, R., von Solms, S.H.: Modelling cyber security governance maturity. In: 2015 IEEE International Symposium on Technology and Society (ISTAS), pp. 1–8, November 2015. https://doi.org/10.1109/ISTAS.2015.7439415. ISSN: 2158-3412

  8. de Bruin, R., von Solms, S.H.: Cybersecurity governance: how can we measure it? In: 2016 IST-Africa Week Conference, pp. 1–9, May 2016. https://doi.org/10.1109/ISTAFRICA.2016.7530578. ISSN: null

  9. Canal, V.A.: ISM3 1.0. Information security management maturity model. Institute for Security and Open Methodologies (2004)

    Google Scholar 

  10. Carvalho, J.V., Rocha, A., van de Wetering, R., Abreu, A.: A maturity model for hospital information systems. J. Bus. Res. 94, 388–399 (2019). https://doi.org/10.1016/j.jbusres.2017.12.012. http://www.sciencedirect.com/science/article/pii/S0148296317305076

    Article  Google Scholar 

  11. Cornu, C., Chapurlat, V., Quiot, J.M., Irigoin, F.: A maturity model for the deployment of Systems Engineering processes. In: 2012 IEEE International Systems Conference SysCon 2012, pp. 1–6, March 2012. https://doi.org/10.1109/SysCon.2012.6189535. ISSN: null

  12. Da Veiga, A., Martins, N.: Information security culture and information protection culture: a validated assessment instrument. Comput. Law Secur. Rev. 31(2), 243–256 (2015). https://doi.org/10.1016/j.clsr.2015.01.005. http://www.sciencedirect.com/science/article/pii/S0267364915000060

    Article  Google Scholar 

  13. Dzazali, S., Sulaiman, A., Zolait, A.H.: Information security landscape and maturity level: case study of Malaysian public service (MPS) organizations. Gov. Inf. Q. 26(4), 584–593 (2009). https://doi.org/10.1016/j.giq.2009.04.004. http://www.sciencedirect.com/science/article/pii/S0740624X09000859

    Article  Google Scholar 

  14. Fertig, T., Schütz, A.: About the measuring of information security awareness: a systematic literature review. In: 53rd Hawaii International Conference on System Sciences, January 2020. http://scholarspace.manoa.hawaii.edu/handle/10125/64540

  15. Ghaffari, F., Arabsorkhi, A.: A new adaptive cyber-security capability maturity model. In: 2018 9th International Symposium on Telecommunications (IST), pp. 298–304, December 2018. https://doi.org/10.1109/IS.2018.8661018. ISSN: null

  16. Gundu, T., Flowerday, S., Renaud, K.: Deliver security awareness training, then repeat: deliver; measure efficacy. In: 2019 Conference on Information Communications Technology and Society (ICTAS), pp. 1–6, March 2019. https://doi.org/10.1109/ICTAS.2019.8703523

  17. Hänsch, N., Benenson, Z.: Specifying IT security awareness. In: 2014 25th International Workshop on Database and Expert Systems Applications, pp. 326–330, September 2014. https://doi.org/10.1109/DEXA.2014.71

  18. Harigopal, U., Satyadas, A.: Cognizant enterprise maturity model (CEMM). IEEE Trans. Syst. Man Cybern. Part C (Appl. Rev.) 31(4), 449–459 (2001). https://doi.org/10.1109/5326.983928

    Article  Google Scholar 

  19. Helisch, M., Pokoyski, D.: Security awareness: Neue Wege zur erfolgreichen Mitarbeiter-Sensibilisierung. Vieweg+Teubner Verlag/GWV Fachverlage GmbH Wiesbaden, Wiesbaden (2009). https://doi.org/10.1007/978-3-8348-9594-3

  20. Ifenthaler, D., Egloffstein, M.: Development and implementation of a maturity model of digital transformation. TechTrends 64, 302–309 (2019). https://doi.org/10.1007/s11528-019-00457-4

    Article  Google Scholar 

  21. Jacob, A., Teuteberg, F.: Development of a social media maturity model for logistics service providers. In: Abramowicz, W., Corchuelo, R. (eds.) BIS 2019. LNBIP, vol. 354, pp. 96–108. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-20482-2_9

    Chapter  Google Scholar 

  22. Jørgensen, F., Boer, H., Laugen, B.T.: CI implementation: an empirical test of the CI maturity model. Creat. Innov. Manag. 15(4), 328–337 (2006). https://doi.org/10.1111/j.1467-8691.2006.00404.x. https://onlinelibrary.wiley.com/doi/abs/10.1111/j.1467-8691.2006.00404.x

    Article  Google Scholar 

  23. Karokola, G., Kowalski, S., Yngström, L.: Secure e-government services: towards a framework for integrating it security services into e-government maturity models. In: 2011 Information Security for South Africa, pp. 1–9, August 2011. https://doi.org/10.1109/ISSA.2011.6027525. ISSN: 2330-9881

  24. Karokola, G., Kowalski, S., Yngström, L.: Towards an information security maturity model for secure e-government services: a stakeholders view. In: HAISA (2011)

    Google Scholar 

  25. Klötzer, C., Pflaum, A.: Toward the development of a maturity model for digitalization within the manufacturing industry’s supply chain. In: Hawaii International Conference on System Sciences 2017 (HICSS-50), January 2017. https://aisel.aisnet.org/hicss-50/in/digital_supply_chain/5

  26. Lasrado, F.: “How are we doing?” using a maturity model assessment. Fostering Creativity and Innovation, pp. 89–126. Springer, Cham (2019). https://doi.org/10.1007/978-3-319-99121-4_4

    Chapter  Google Scholar 

  27. Le, N.T., Hoang, D.B.: Can maturity models support cyber security? In: 2016 IEEE 35th International Performance Computing and Communications Conference (IPCCC), pp. 1–7, December 2016. https://doi.org/10.1109/PCCC.2016.7820663. ISSN: 2374-9628

  28. Lebek, B., Uffen, J., Breitner, M.H., Neumann, M., Hohler, B.: Employees’ information security awareness and behavior: a literature review. In: 2013 46th Hawaii International Conference on System Sciences, pp. 2978–2987, January 2013. https://doi.org/10.1109/HICSS.2013.192

  29. Lima, M.V.M., Lima, R.M.F., Lins, F.A.A.: A multi-perspective methodology for evaluating the security maturity of data centers. In: 2017 IEEE International Conference on Systems, Man, and Cybernetics (SMC), pp. 1196–1201, October 2017. https://doi.org/10.1109/SMC.2017.8122775. ISSN: null

  30. Lutteroth, C., Luxton-Reilly, A., Dobbie, G., Hamer, J.: A maturity model for computing education. In: Proceedings of the Ninth Australasian Conference on Computing Education, ACE 2007, vol. 66. pp. 107–114. Australian Computer Society Inc., Ballarat, January 2007

    Google Scholar 

  31. Marshall, S., Mitchell, G.: Applying spice to e-learning: an e-learning maturity model? In: Proceedings of the Sixth Australasian Conference on Computing Education, ACE 2004, vol. 30. pp. 185–191. Australian Computer Society Inc., Australia (2004)

    Google Scholar 

  32. Matrane, O., Talea, M.: A maturity model for information security management in small and medium-sized Moroccan enterprises: an empirical investigation. Int. J. Adv. Res. Comput. Sci. 5(6), 61–69 (2014)

    Google Scholar 

  33. Matrane, O., Talea, M., Okar, C.: Towards a new maturity model for information security management. Int. J. Adv. Res. Comput. Sci. Softw. Eng. 4(6), 268–275 (2014)

    Google Scholar 

  34. Montaño, D.E., Kasprzyk, D.: Theory of reasoned action, theory of planned behavior, and the integrated behavior model. In: Glanz, K., Rimer, B.K., Viswanath, K. (eds.) Health Behavior and Health Education, pp. 67–96. APA PsycNet (2008)

    Google Scholar 

  35. Muthukrishnan, S.M., Palaniappan, S.: Security metrics maturity model for operational security. In: 2016 IEEE Symposium on Computer Applications Industrial Electronics (ISCAIE), pp. 101–106, May 2016. https://doi.org/10.1109/ISCAIE.2016.7575045. ISSN: null

  36. Park, J.O., Kim, S.G., Choi, B.H., Jun, M.S.: The study on the maturity measurement method of security management for ITSM. In: 2008 International Conference on Convergence and Hybrid Information Technology, pp. 826–830, August 2008. https://doi.org/10.1109/ICHIT.2008.251. ISSN: null

  37. Paulk, M.C., Curtis, B., Chrissis, M.B., Weber, C.: Capability maturity model for software (Version 1.1). Technical report CMU/SEI-93-TR-024, Carnegie Mellon University (1993). https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=11955

  38. Rojas, R., Muedas, A., Mauricio, D.: Security maturity model of web applications for cyber attacks. In: Proceedings of the 3rd International Conference on Cryptography, Security and Privacy, ICCSP 2019, pp. 130–137. Association for Computing Machinery, Kuala Lumpur, January 2019. https://doi.org/10.1145/3309074.3309096

  39. Saleh, M.F.: Information security maturity model. Int. J. Comput. Sci. Secur. 5(3), 316–337 (2011). https://www.cscjournals.org/library/manuscriptinfo.php?mc=IJCSS-497

    Google Scholar 

  40. Sánchez, L.E., Villafranca, D., Fernández-Medina, E., Piattini, M.: Developing a maturity model for information system security management within small and medium size enterprises. In: Proceedings of the 4th International Workshop on Security in Information Systems, pp. 256–266 (2006). https://www.scitepress.org/PublicationsDetail.aspx?ID=HU/Pb1mEyuY=&t=1

  41. Schütz, A.E.: Information security awareness: it’s time to change minds! In: Proceedings of International Conference on Applied Informatics Imagination, Creativity, Design, Development - ICDD 2018, Sibiu, Romania (2018)

    Google Scholar 

  42. Schütz, A.E., Weber, K., Fertig, T.: Analyze before you sensitize: preparation of a targeted ISA training. In: 53rd Hawaii International Conference on System Sciences (2020)

    Google Scholar 

  43. Thomson, K.L., von Solms, R.: Towards an information security competence maturity model. Comput. Fraud Secur. 2006(5), 11–15 (2006). https://doi.org/10.1016/S1361-3723(06)70356-6. http://www.sciencedirect.com/science/article/pii/S1361372306703566

    Article  Google Scholar 

  44. Wahlgren, G., Kowalski, S.: A maturity model for IT-related security incident management. In: Abramowicz, W., Corchuelo, R. (eds.) BIS 2019. LNBIP, vol. 353, pp. 203–217. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-20485-3_16

    Chapter  Google Scholar 

  45. Weber, K., Schütz, A.E.: ISIS12-Hack: Mitarbeitersensibilisierenstatt informieren. In: Drews, P., Funk, B., Niemeyer, P., Xie, L. (eds.) Multikonferenz Wirtschsinformatik 2018, vol. IV, pp. 1737–1748. Lüneburg, Germany (2018)

    Google Scholar 

  46. Webster, J., Watson, R.T.: Analyzing the past to prepare for the future: writing a literature review. MIS Q. 26(2), xiii–xxiii (2002). https://www.jstor.org/stable/4132319

  47. White, G.B.: The community cyber security maturity model. In: 2011 IEEE International Conference on Technologies for Homeland Security (HST), pp. 173–178, November 2011. https://doi.org/10.1109/THS.2011.6107866. ISSN: null

  48. Woodhouse, S.: An ISMS (Im)-maturity capability model. In: 2008 IEEE 8th International Conference on Computer and Information Technology Workshops, pp. 242–247, July 2008. https://doi.org/10.1109/CIT.2008.Workshops.46

  49. Xiao-yan, G., Yu-qing, Y., Li-lei, L.: An information security maturity evaluation mode. Procedia Eng. 24, 335–339 (2011). https://doi.org/10.1016/j.proeng.2011.11.2652. http://www.sciencedirect.com/science/article/pii/S1877705811055044

    Article  Google Scholar 

  50. Yulianto, S., Lim, C., Soewito, B.: Information security maturity model: a best practice driven approach to PCI DSS compliance. In: 2016 IEEE Region 10 Symposium (TENSYMP), pp. 65–70, May 2016. https://doi.org/10.1109/TENCONSpring.2016.7519379. ISSN: null

Download references

Acknowledgements

Tobias Fertig and Andreas E. Schütz were supported by the BayWISS Consortium Digitization.

Author information

Authors and Affiliations

  1. Faculty of Computer Science and Business Information Systems, University of Applied Sciences Würzburg-Schweinfurt, Sanderheinrichsleitenweg 20, 97074, Würzburg, Germany

    Tobias Fertig, Andreas E. Schütz, Kristin Weber & Nicholas H. Müller

Authors
  1. Tobias Fertig
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Andreas E. Schütz
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Kristin Weber
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Nicholas H. Müller
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Tobias Fertig .

Editor information

Editors and Affiliations

  1. Cyprus University of Technology, Limassol, Cyprus

    Panayiotis Zaphiris

  2. Cyprus University of Technology, Limassol, Cyprus

    Andri Ioannou

Rights and permissions

Reprints and permissions

Copyright information

© 2020 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Fertig, T., Schütz, A.E., Weber, K., Müller, N.H. (2020). Towards an Information Security Awareness Maturity Model. In: Zaphiris, P., Ioannou, A. (eds) Learning and Collaboration Technologies. Human and Technology Ecosystems. HCII 2020. Lecture Notes in Computer Science(), vol 12206. Springer, Cham. https://doi.org/10.1007/978-3-030-50506-6_40

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-50506-6_40

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-50505-9

  • Online ISBN: 978-3-030-50506-6

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation