Abstract

Every organization faces threats and risks in its daily operations. One of the main challenges is assessing the security level required to protect against the growing risks that accompany technological change, so that the organization can specify the approaches and skills it needs. In this paper, we propose a security maturity model that classifies organizations into five levels. Each level determines the technologies and process capabilities used by the organization. A set of factors, such as technology, people, and infrastructure, helps determine the security maturity level. This paper adopts an Information Security Management model to assess an organization's security level. The authors establish a correspondence between maturity levels and security levels in an organization; the proposed process capability controls influence both. The proposed model helps organizations bridge their cybersecurity gaps, which relate to talent, technology, organizational units, finance, management, and operations. The model thus helps cybersecurity auditors create a comprehensive plan for measuring the security level of an organization. This plan can manage and develop the organization's automated countermeasures, and it can help in applying a suitable standard and framework based on the organization's daily operations. Cybersecurity auditors use cybersecurity techniques and tools to assess the organization's posture. Finally, the authors applied the security maturity controls in two case studies: a retirement organization and a public telecommunication corporation in the Republic of Yemen.
