Comparative Study of Cybersecurity Capability Maturity Models

Rea-Guaman, Ángel Marcelo; Feliú, Tomás San; Calvo-Manzano, José A.; Sánchez-García, Isaac Daniel

doi:10.1007/978-3-319-67383-7_8

Cited by 24 publications

(13 citation statements)

References 4 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Mettler (2011) [15] provides insight into the development of maturity models from a design science research perspective. Rea-Guaman et al (2017) [16] introduce a taxonomy for assessing cybersecurity capability maturity models. Kour et al (2020) [17] discuss a cybersecurity maturity model specifically for the railway sector; however, the paper provides a useful general overview of the various CSMM models in existence.…”

Section: Availability Integrity Confidentialitymentioning

confidence: 99%

Pricing cyber-insurance for systems via maturity models

Skeoch¹,

Pym²

2023

Preprint

View full text Add to dashboard Cite

Risks associated with information technology systems present a complex modelling challenge, combining the disciplines of operations management, security, and economics. The challenge is to establish a representation of an organization's operational and systems architecture that allows an assessment of the security postures of its various components able to support an assessment of its insurance risk. This work proposes a socioeconomic model for cyber-insurance decisions compromised of entity relationship diagrams, security maturity models, and economic models, thereby linking systemstype and economic approaches to cyber-security assessments. The concept of a cyber-loss-adjuster is introduced, who reconciles cyber-incidents with economic losses. The work aims to bridge a number of disciplines to partly address a longstanding research challenge of accounting for organizational structure in the design and pricing of cyber-insurance. It is important to note the following: insurance companies have long experience of the magnitude and frequency of losses that arise in organizations based on their size, industry sector, and location. Consequently, their calculations of premia will start from a baseline determined by these considerations. The contribution of the methodology proposed here is to provide a framework for calculating the effects of cyber-based risk on the frequency and magnitude of losses. This is achieved through a security analysis of the relationship between the operational structure of an organization and its information systems. It also provides a consistent means for those seeking insurance to describe and understand their security posture and for an insurance company to price its offer of coverage.1 Comprehensive reviews of the cyber-insurance literature can be found in Eling et al ( 2016)[2], Marotta et al (2017) [3], Aziz (2020) [4] and Skeoch (2022) [5] 2 See, for example, Woods et al (2017) [7] and Romanosky et al (2019) [8] 1

show abstract

Section: Availability Integrity Confidentialitymentioning

confidence: 99%

Pricing cyber-insurance for systems via maturity models

Skeoch¹,

Pym²

2023

Preprint

View full text Add to dashboard Cite

show abstract

“…Rea-Guaman et al [4] reduce the categories to three, arguing that quality and result do not support the comparison of cybersecurity capability maturity models.…”

Section: Related Workmentioning

confidence: 97%

“…Rea-Guaman et al [3] describe a cybersecurity capability maturity model as a means by which an organisation can assess its current level of maturity of its practices. They provide a comparative study of cybersecurity capability maturity models that builds on a previous review [4]. The research presents an assessment of the differences, advantages and disadvantages of a systematic review of published studies from 2012 to 2017.…”

Section: Related Workmentioning

confidence: 99%

A NIS Directive Compliant Cybersecurity Maturity Assessment Framework

Drivas

Chatzopoulou²,

Μαγλαράς

et al. 2020

2020 IEEE 44th Annual Computers, Software, and Applications Conference (COMPSAC)

View full text Add to dashboard Cite

The EU NIS Directive introduces obligations related to the security of the network and information systems for Operators of Essential Services and for Digital Service Providers. Moreover, National Competent Authorities for cybersecurity are required to assess compliance with these obligations. This paper describes a novel Cybersecurity Maturity Assessment Framework (CMAF) that is tailored to the NIS Directive requirements. CMAF can be used either as a self-assessment tool from Operators of Essential Services and Digital Service Providers or as an audit tool from the National Competent Authorities for cybersecurity.

show abstract

“…Previous studies have investigated information security and cybersecurity maturity models [26][27][28]. These maturity models have different focuses according to their purpose and target.…”

Section: Information Security and Cybersecurity Maturity Modelsmentioning

confidence: 99%

The Cybersecurity Focus Area Maturity (CYSFAM) Model

Özkan

Lingen

Spruit

2021

JCP

View full text Add to dashboard Cite

The cost of recovery after a cybersecurity attack is likely to be high and may result in the loss of business at the extremes. Evaluating the acquired cybersecurity capabilities and evolving them to a desired state in consideration of risks are inevitable. This research proposes the CYberSecurity Focus Area Maturity (CYSFAM) Model for assessing cybersecurity capabilities. In this design science research, CYSFAM was evaluated at a large financial institution. From the many cybersecurity standards, 11 encompassing focus areas were identified. An assessment instrument—containing 144 questions—was developed. The in-depth single case study demonstrates how and to what extent cybersecurity related deficiencies can be identified. The novel scoring metric has been proven to be adequate, but can be further improved upon. The evaluation results show that the assessment questions suit the case study target audience; the assessment can be performed within four hours; the organization recognizes itself in the result.

show abstract

Comparative Study of Cybersecurity Capability Maturity Models

Cited by 24 publications

References 4 publications

Pricing cyber-insurance for systems via maturity models

Pricing cyber-insurance for systems via maturity models

A NIS Directive Compliant Cybersecurity Maturity Assessment Framework

The Cybersecurity Focus Area Maturity (CYSFAM) Model

Contact Info

Product

Resources

About