Towards Rule-based Information Security Maturity

Abstract

There is a growing need for information security. Not complying with the demand of having high level information security will affect the market position of an organization. Using an information security maturity model can help organizations visualize and identify the steps that need to be taken in order to mature. Maturity in the field of security indicates the degree of development and the strength of the organization’s security measures to mitigate risks that threatens its assets. Unfortunately, one maturity model does not fit all organizations, because organizations have different organizational profiles. According to previous research, eleven organizational characteristics affect the information security, i.e. a financial institution requires different security measures than a bakery. It is necessary to have a well fitted information security maturity model for every organizational profile in order to support the organization. According to research, the organizational characteristics affect a special kind of maturity model, the focus area maturity model. This type of model consists of focus areas or aspects in a certain domain and uses capabilities, improvement actions in order to reach a level of maturity, in order to assess whether a maturity level has been reached. Although it is clear that organizational characteristics affect the focus area level of the model, it is not clear what happens on the capability level. The research at hand has been set up to study the effects of a selection of the identified organizational characteristics on the capability level of the focus area maturity model in the information security domain. In order to do this, the existing Information Security Focus Area Maturity (ISFAM) model for SMEs is used and based on the experience of information security experts, the effects on the ISFAM model is researched. The experts were selected based on their knowledge and experience in the information security domain in different types of organizations. Looking at previous research, it is expected that the organizational characteristics have an effect on the capability level of the ISFAM model. In order to handle these effects, the rule-based approach is used in the research. The rule-based approach is an approach that makes it possible to use rules, any bit of knowledge that can be expressed as: when ‘something’ is true, then do ‘this’, in a rule-based system, a system using rules, so that non-programmers can make adjustments to a maturity model based on the organizational profile, in order to create a more fitting model for the organization. Although the rule-based approach has been used in other information security maturity models, the combination of the rule-based approach and a focus area maturity model has not been done before. During the research, however, the interviewed information security experts did not find effects on the lower levels of the ISFAM model. According to the experts, the improvement actions in the ISFAM model to reach a certain maturity level are too generically defined and therefore work for organizations with different organizational characteristics. This is backed-up by the fact that the model has been successfully assessed at multiple case organizations with different profiles. Although no effects were found, the prototype of the rule-based information security focus area maturity model is still valuable in a way that it gives insight on the possibilities of the rule-based approach in combination with the ISFAM model. The research sets a base for future research where the rule-based approach can be used for other focus area maturity models.