Abstract
In order to achieve continuous improvement Maturity Models (MM) are often used to assess the abilities of employees. Moreover, the continuous improvement is also required in the field of Information Security Awareness (ISA). This is due to the fact, that ISA trainings have to be repeated frequently in order to keep the level of awareness of the employees up and to stay in their mind. Within our research project, we are using the Integrated Behavorial Model (IBM) as definition of ISA. The IBM includes many different aspects like knowledge, attitude, and habit. We carried out a systematic literature review to determine if a MM based on the IBM can be defined to assess the maturity of ISA. Since the IBM covers aspects of psychology, we did not only search for MM for information security, since the human factor is often neglected. Moreover, the awareness is often only assessed via the knowledge of employees. However, knowledge is only one aspect of the IBM. At the end, none of the uncovered MMs considers all aspects of the IBM. In contrast to MM for information security, MM of other fields of research are considering psychological aspects if they are dealing with human factors. Therefore, it is possible to create a MM based on the IBM for ISA. Moreover, we can easily derive some of the used assessments for our MM.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Aggestam, L.: Towards a maturity model for learning organizations - the role of knowledge management. In: 17th International Workshop on Database and Expert Systems Applications (DEXA 2006), pp. 141–145, September 2006. https://doi.org/10.1109/DEXA.2006.138. ISSN: 2378-3915
Almuhammadi, S., Alsaleh, M.: Information security maturity model for Nist cyber security framework. In: ICIT 2017 (2017). https://doi.org/10.5121/csit.2017.70305
Bada, M., Sasse, A.M., Nurse, J.R.: Cyber security awareness campaigns: why do they fail to change behaviour? Global Cyber Security Capacity Centre: Draft Working Paper, pp. 188–131 (2014)
Barclay, C.: Sustainable security advantage in a changing environment: the cybersecurity capability maturity model (CM2). In: Proceedings of the 2014 ITU Kaleidoscope Academic Conference: Living in a Converged World - Impossible Without Standards? pp. 275–282, June 2014. https://doi.org/10.1109/Kaleidoscope.2014.6858466. ISSN: null
Boughzala, I., Vreede, T.D., Nguyen, C., Vreede, G.J.D.: Towards a maturity model for the assessment of ideation in crowdsourcing projects. In: 2014 47th Hawaii International Conference on System Sciences, pp. 483–490, January 2014. https://doi.org/10.1109/HICSS.2014.67. ISSN: 1530-1605
Brocke, J.V., Simons, A., Niehaves, B., Riemer, K., Plattfaut, R., Cleven, A.: Reconstructing the giant: on the importance of rigour in documenting the literature search process. In: ECIS (2009)
de Bruin, R., von Solms, S.H.: Modelling cyber security governance maturity. In: 2015 IEEE International Symposium on Technology and Society (ISTAS), pp. 1–8, November 2015. https://doi.org/10.1109/ISTAS.2015.7439415. ISSN: 2158-3412
de Bruin, R., von Solms, S.H.: Cybersecurity governance: how can we measure it? In: 2016 IST-Africa Week Conference, pp. 1–9, May 2016. https://doi.org/10.1109/ISTAFRICA.2016.7530578. ISSN: null
Canal, V.A.: ISM3 1.0. Information security management maturity model. Institute for Security and Open Methodologies (2004)
Carvalho, J.V., Rocha, A., van de Wetering, R., Abreu, A.: A maturity model for hospital information systems. J. Bus. Res. 94, 388–399 (2019). https://doi.org/10.1016/j.jbusres.2017.12.012. http://www.sciencedirect.com/science/article/pii/S0148296317305076
Cornu, C., Chapurlat, V., Quiot, J.M., Irigoin, F.: A maturity model for the deployment of Systems Engineering processes. In: 2012 IEEE International Systems Conference SysCon 2012, pp. 1–6, March 2012. https://doi.org/10.1109/SysCon.2012.6189535. ISSN: null
Da Veiga, A., Martins, N.: Information security culture and information protection culture: a validated assessment instrument. Comput. Law Secur. Rev. 31(2), 243–256 (2015). https://doi.org/10.1016/j.clsr.2015.01.005. http://www.sciencedirect.com/science/article/pii/S0267364915000060
Dzazali, S., Sulaiman, A., Zolait, A.H.: Information security landscape and maturity level: case study of Malaysian public service (MPS) organizations. Gov. Inf. Q. 26(4), 584–593 (2009). https://doi.org/10.1016/j.giq.2009.04.004. http://www.sciencedirect.com/science/article/pii/S0740624X09000859
Fertig, T., Schütz, A.: About the measuring of information security awareness: a systematic literature review. In: 53rd Hawaii International Conference on System Sciences, January 2020. http://scholarspace.manoa.hawaii.edu/handle/10125/64540
Ghaffari, F., Arabsorkhi, A.: A new adaptive cyber-security capability maturity model. In: 2018 9th International Symposium on Telecommunications (IST), pp. 298–304, December 2018. https://doi.org/10.1109/IS.2018.8661018. ISSN: null
Gundu, T., Flowerday, S., Renaud, K.: Deliver security awareness training, then repeat: deliver; measure efficacy. In: 2019 Conference on Information Communications Technology and Society (ICTAS), pp. 1–6, March 2019. https://doi.org/10.1109/ICTAS.2019.8703523
Hänsch, N., Benenson, Z.: Specifying IT security awareness. In: 2014 25th International Workshop on Database and Expert Systems Applications, pp. 326–330, September 2014. https://doi.org/10.1109/DEXA.2014.71
Harigopal, U., Satyadas, A.: Cognizant enterprise maturity model (CEMM). IEEE Trans. Syst. Man Cybern. Part C (Appl. Rev.) 31(4), 449–459 (2001). https://doi.org/10.1109/5326.983928
Helisch, M., Pokoyski, D.: Security awareness: Neue Wege zur erfolgreichen Mitarbeiter-Sensibilisierung. Vieweg+Teubner Verlag/GWV Fachverlage GmbH Wiesbaden, Wiesbaden (2009). https://doi.org/10.1007/978-3-8348-9594-3
Ifenthaler, D., Egloffstein, M.: Development and implementation of a maturity model of digital transformation. TechTrends 64, 302–309 (2019). https://doi.org/10.1007/s11528-019-00457-4
Jacob, A., Teuteberg, F.: Development of a social media maturity model for logistics service providers. In: Abramowicz, W., Corchuelo, R. (eds.) BIS 2019. LNBIP, vol. 354, pp. 96–108. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-20482-2_9
Jørgensen, F., Boer, H., Laugen, B.T.: CI implementation: an empirical test of the CI maturity model. Creat. Innov. Manag. 15(4), 328–337 (2006). https://doi.org/10.1111/j.1467-8691.2006.00404.x. https://onlinelibrary.wiley.com/doi/abs/10.1111/j.1467-8691.2006.00404.x
Karokola, G., Kowalski, S., Yngström, L.: Secure e-government services: towards a framework for integrating it security services into e-government maturity models. In: 2011 Information Security for South Africa, pp. 1–9, August 2011. https://doi.org/10.1109/ISSA.2011.6027525. ISSN: 2330-9881
Karokola, G., Kowalski, S., Yngström, L.: Towards an information security maturity model for secure e-government services: a stakeholders view. In: HAISA (2011)
Klötzer, C., Pflaum, A.: Toward the development of a maturity model for digitalization within the manufacturing industry’s supply chain. In: Hawaii International Conference on System Sciences 2017 (HICSS-50), January 2017. https://aisel.aisnet.org/hicss-50/in/digital_supply_chain/5
Lasrado, F.: “How are we doing?” using a maturity model assessment. Fostering Creativity and Innovation, pp. 89–126. Springer, Cham (2019). https://doi.org/10.1007/978-3-319-99121-4_4
Le, N.T., Hoang, D.B.: Can maturity models support cyber security? In: 2016 IEEE 35th International Performance Computing and Communications Conference (IPCCC), pp. 1–7, December 2016. https://doi.org/10.1109/PCCC.2016.7820663. ISSN: 2374-9628
Lebek, B., Uffen, J., Breitner, M.H., Neumann, M., Hohler, B.: Employees’ information security awareness and behavior: a literature review. In: 2013 46th Hawaii International Conference on System Sciences, pp. 2978–2987, January 2013. https://doi.org/10.1109/HICSS.2013.192
Lima, M.V.M., Lima, R.M.F., Lins, F.A.A.: A multi-perspective methodology for evaluating the security maturity of data centers. In: 2017 IEEE International Conference on Systems, Man, and Cybernetics (SMC), pp. 1196–1201, October 2017. https://doi.org/10.1109/SMC.2017.8122775. ISSN: null
Lutteroth, C., Luxton-Reilly, A., Dobbie, G., Hamer, J.: A maturity model for computing education. In: Proceedings of the Ninth Australasian Conference on Computing Education, ACE 2007, vol. 66. pp. 107–114. Australian Computer Society Inc., Ballarat, January 2007
Marshall, S., Mitchell, G.: Applying spice to e-learning: an e-learning maturity model? In: Proceedings of the Sixth Australasian Conference on Computing Education, ACE 2004, vol. 30. pp. 185–191. Australian Computer Society Inc., Australia (2004)
Matrane, O., Talea, M.: A maturity model for information security management in small and medium-sized Moroccan enterprises: an empirical investigation. Int. J. Adv. Res. Comput. Sci. 5(6), 61–69 (2014)
Matrane, O., Talea, M., Okar, C.: Towards a new maturity model for information security management. Int. J. Adv. Res. Comput. Sci. Softw. Eng. 4(6), 268–275 (2014)
Montaño, D.E., Kasprzyk, D.: Theory of reasoned action, theory of planned behavior, and the integrated behavior model. In: Glanz, K., Rimer, B.K., Viswanath, K. (eds.) Health Behavior and Health Education, pp. 67–96. APA PsycNet (2008)
Muthukrishnan, S.M., Palaniappan, S.: Security metrics maturity model for operational security. In: 2016 IEEE Symposium on Computer Applications Industrial Electronics (ISCAIE), pp. 101–106, May 2016. https://doi.org/10.1109/ISCAIE.2016.7575045. ISSN: null
Park, J.O., Kim, S.G., Choi, B.H., Jun, M.S.: The study on the maturity measurement method of security management for ITSM. In: 2008 International Conference on Convergence and Hybrid Information Technology, pp. 826–830, August 2008. https://doi.org/10.1109/ICHIT.2008.251. ISSN: null
Paulk, M.C., Curtis, B., Chrissis, M.B., Weber, C.: Capability maturity model for software (Version 1.1). Technical report CMU/SEI-93-TR-024, Carnegie Mellon University (1993). https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=11955
Rojas, R., Muedas, A., Mauricio, D.: Security maturity model of web applications for cyber attacks. In: Proceedings of the 3rd International Conference on Cryptography, Security and Privacy, ICCSP 2019, pp. 130–137. Association for Computing Machinery, Kuala Lumpur, January 2019. https://doi.org/10.1145/3309074.3309096
Saleh, M.F.: Information security maturity model. Int. J. Comput. Sci. Secur. 5(3), 316–337 (2011). https://www.cscjournals.org/library/manuscriptinfo.php?mc=IJCSS-497
Sánchez, L.E., Villafranca, D., Fernández-Medina, E., Piattini, M.: Developing a maturity model for information system security management within small and medium size enterprises. In: Proceedings of the 4th International Workshop on Security in Information Systems, pp. 256–266 (2006). https://www.scitepress.org/PublicationsDetail.aspx?ID=HU/Pb1mEyuY=&t=1
Schütz, A.E.: Information security awareness: it’s time to change minds! In: Proceedings of International Conference on Applied Informatics Imagination, Creativity, Design, Development - ICDD 2018, Sibiu, Romania (2018)
Schütz, A.E., Weber, K., Fertig, T.: Analyze before you sensitize: preparation of a targeted ISA training. In: 53rd Hawaii International Conference on System Sciences (2020)
Thomson, K.L., von Solms, R.: Towards an information security competence maturity model. Comput. Fraud Secur. 2006(5), 11–15 (2006). https://doi.org/10.1016/S1361-3723(06)70356-6. http://www.sciencedirect.com/science/article/pii/S1361372306703566
Wahlgren, G., Kowalski, S.: A maturity model for IT-related security incident management. In: Abramowicz, W., Corchuelo, R. (eds.) BIS 2019. LNBIP, vol. 353, pp. 203–217. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-20485-3_16
Weber, K., Schütz, A.E.: ISIS12-Hack: Mitarbeitersensibilisierenstatt informieren. In: Drews, P., Funk, B., Niemeyer, P., Xie, L. (eds.) Multikonferenz Wirtschsinformatik 2018, vol. IV, pp. 1737–1748. Lüneburg, Germany (2018)
Webster, J., Watson, R.T.: Analyzing the past to prepare for the future: writing a literature review. MIS Q. 26(2), xiii–xxiii (2002). https://www.jstor.org/stable/4132319
White, G.B.: The community cyber security maturity model. In: 2011 IEEE International Conference on Technologies for Homeland Security (HST), pp. 173–178, November 2011. https://doi.org/10.1109/THS.2011.6107866. ISSN: null
Woodhouse, S.: An ISMS (Im)-maturity capability model. In: 2008 IEEE 8th International Conference on Computer and Information Technology Workshops, pp. 242–247, July 2008. https://doi.org/10.1109/CIT.2008.Workshops.46
Xiao-yan, G., Yu-qing, Y., Li-lei, L.: An information security maturity evaluation mode. Procedia Eng. 24, 335–339 (2011). https://doi.org/10.1016/j.proeng.2011.11.2652. http://www.sciencedirect.com/science/article/pii/S1877705811055044
Yulianto, S., Lim, C., Soewito, B.: Information security maturity model: a best practice driven approach to PCI DSS compliance. In: 2016 IEEE Region 10 Symposium (TENSYMP), pp. 65–70, May 2016. https://doi.org/10.1109/TENCONSpring.2016.7519379. ISSN: null
Acknowledgements
Tobias Fertig and Andreas E. Schütz were supported by the BayWISS Consortium Digitization.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Fertig, T., Schütz, A.E., Weber, K., Müller, N.H. (2020). Towards an Information Security Awareness Maturity Model. In: Zaphiris, P., Ioannou, A. (eds) Learning and Collaboration Technologies. Human and Technology Ecosystems. HCII 2020. Lecture Notes in Computer Science(), vol 12206. Springer, Cham. https://doi.org/10.1007/978-3-030-50506-6_40
Download citation
DOI: https://doi.org/10.1007/978-3-030-50506-6_40
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-50505-9
Online ISBN: 978-3-030-50506-6
eBook Packages: Computer ScienceComputer Science (R0)