Towards design and development of a cyber security capability maturity model

Abstract

newline Cyber Security Risk is now very prominent and is recognized by all relevant stakeholders. newlineWorld Economic Forum in their global risk report has been flagging Cyber Security Risk as newlineone of the top 5 (five) global risks for the last3 (three) years. Cyber Security governance newlineresearch has now been at the center stage. Literature study around Cyber Security newlinegovernance research reveals that substantial work have been done around, developing newlineframework, model standard etc. However researches around performance evaluation, newlinecapability maturity model (MM) etc, are the emerging areas and need more focus. While newlinethere are multiple MMs for Information/Cyber Security, none of them seem to be up to date newlinewith all emerging digital technology and are validated empirically. Most of the MMs are newlineessentially continuous improvement programs meant to increase the internal efficiency of newlineCyber Security organization. There seems to be a lack of research in linking this factor of newlineinternal efficiency to the business expectation, that is, the external effectiveness. In this newlinecontext, there are broadly 3 (three) objectives for this research: a) Formulating a Cyber newlineSecurity Capability Maturity Model (CSCMM), b) Constructing the factors of efficiency newlineand effectiveness for Cyber Security, and c) Identify the impact of internal efficiency newlinefactors on the external effectiveness of Cyber Security. This research is done in 3 (three) newlinephases, corresponding to the three (3) distinct objectives stated above and three (3) newlinedifferent set of samples are used for each of these phases. newlineIn the first phase a Cyber Security Capability Maturity Model (CSCMM) is proposed, newlinewhich is based on comparative analysis of existing 9 (nine) contemporary maturity models newlineon Cyber Security. The gaps found in the comparative analysis are eliminated in the newlineformulation of the new maturity model, that is, CSCMM. The structural validation of newlineCSCMM is done based on an empirical analysis and views from almost 200 cross sector newlinecyber security experts. In the contemporary literature there is no evidences of a MM in newlinecyber security domain which is structurally validated with empirical analysis. However, newlinethere is a scope for further research in validating this model by testing this in big newlineenterprises and making this sector specific and benchmarking against global standard for newlinethat sector. newlinevi newlineWhile Maturity Models help in increasing the efficiency of Cyber Security function, the newlineimpact of these efficiency on the business performance (external effectiveness) is equally newlineimportant. Therefore, the objective of the second phase of this research is to construct the newlineinternal efficiency and external effectiveness factors of Cyber Security. In this research newline Constructivist Grounded Theory Methodology is used to construct the factors of internal newlineefficiency and external effectiveness of Cyber Security. A focussed group of cyber