Organisational Information Security Management Maturity Model

Information Security Management (ISM) is a systematic initiative for managing an organisation's information security. ISM can also be defined as a strategic approach to addressing information security (IS) risks, breaches, and incidents that could threaten the confidentiality, integrity, and availability of information. Although organisations have complied with ISM requirements, security incidents are still afflicting numerous organisations. This shows that the current implementation of ISM is still ineffective, and ineffective ISM implementation reflects a low maturity level. To achieve a higher level of maturity, organisations should continually evaluate their ISM practices. Several maturity models have been developed by international organisations, consultants, and researchers to assist organisations in assessing their ISM practices. However, the current models do not evaluate ISM practices holistically: their measurement dimensions focus on assessing certain factors only, so the maturity assessment is not executed comprehensively. Therefore, this study aims to address this shortcoming by proposing a comprehensive maturity assessment model that takes ISM success factors into account to evaluate the effectiveness of the implementation. This study adopted a mixed-method approach, comprising qualitative and quantitative studies to strengthen the research findings. The qualitative study analyses the existing literature and conducts interviews with nine industry practitioners and six experts, while the quantitative study involves a questionnaire survey. The data obtained from the qualitative study were analysed using content analysis, while the quantitative data were analysed using statistical analysis. The study identified fourteen success factors and fifty-seven maturity dimensions, each of which contains five maturity levels. The proposed model was evaluated through experts' reviews to ensure its accuracy and suitability.
The evaluation shows that the model can identify the ISM maturity level systematically and comprehensively. This model will ultimately help organisations to improve the weaknesses in their implementations, thus diminishing security incidents.

Keywords—Information security; information security management; maturity models; information security management


I. INTRODUCTION
Nowadays, organisations' reliance on Information and Communication Technology (ICT) has increased significantly due to the rapid development of technology [1], [2], [3], [4], [5]. ICT plays an imperative role in organisations' daily operations to ensure the smooth delivery of services [6], [7]. In line with the increasing use of ICT in daily operations, organisational information is highly exposed to security threats and risks [8], [9], [10].
Various efforts have been made to ensure that information is protected. One of these efforts is establishing Information Security Management (ISM). ISM is a strategic approach to addressing information security risks and incidents that could threaten the confidentiality, integrity, and availability of information [10], [11], [12], [13]. However, security incidents continue to occur in organisations [14], [15]. For example, in October 2020, hackers targeted government agencies and telecommunications operators in Iraq, Kuwait, Turkey, and the UAE as part of a cyber espionage campaign [16]. The latest statistical report released by the National Cyber Coordination and Command Centre of the National Cyber Security Agency (NACSA) stated that a total of 4,194 security incidents against public and private organisations were reported in 2020 [17]. This shows that the current implementation of ISM is still ineffective [14], and ineffective ISM implementation reflects a low maturity level.
Although organisations have complied with ISM requirements set by industry standards, there is a lack of objective mechanisms to gauge the maturity of the implementation [18]. Even though there have been attempts at ISM maturity models [19], [20], [21], [22], they mainly appear as abstract concepts. The current maturity models are typically process-oriented, focusing on measuring security activities and technology aspects without giving much attention to the people aspect, which also contributes to the effectiveness of the ISM implementation [23]. As a result, the maturity assessment is not executed comprehensively, and the maturity of ISM implementation remains low. A comprehensive maturity model should consider all aspects of ISM and should not be limited to certain aspects only. This study aims to fulfil this need by proposing a holistic maturity model that considers ISM success factors from four major aspects, People, Process, Organisational Document, and Technology, to measure the implementation's effectiveness. This paper is organised as follows. Section II reviews ISM success factors and the current maturity models. Section III describes the methodology used in this study. Section IV presents the findings and, lastly, Section V summarises the findings.

www.ijacsa.thesai.org

II. BACKGROUND

A. ISM Success Factors
ISM provides strategic direction for implementing security processes and activities to ensure that security objectives are met, that risk is managed consistently, and that information resources are used effectively [11], [24]. ISM is likewise a multidisciplinary field that should be given due attention to ensure an appropriate and secure environment for protecting organisational information [25]. Previous studies have indicated that the success of ISM implementation depends on technical and non-technical factors. Those factors are organised into four aspects, People, Organisational Document, Process, and Technology, as listed in Table I.
The people aspect consists of the individuals or parties directly involved in ISM. The organisational document aspect refers to the strategic and operational documents that need to be developed and adhered to during ISM implementation. The process aspect consists of the key ISM activities and, finally, the technology aspect comprises the use of ICT infrastructure to support ISM operations. A comprehensive explanation of the factors and their elements can be found in [26].

B. ISM Maturity
ISM maturity guarantees the successful management of information security [27]. A maturity model is a staged structure in which particular security aspects are measured, with the postulation that organisations develop and enhance their ISM implementation from the lowest level to the highest level [27], [28]. Thus far, industry and researchers have developed a few maturity models to assist organisations in measuring the level of their ISM implementation [12], [29].
Control Objectives for Information and Related Technology version 4.1 (COBIT 4.1) is widely used for IT governance [21]. It was developed by the IT Governance Institute (ITGI) in 2007. This model helps measure an organisation's Information Technology (IT) processes, define a target maturity level, and improve the processes to achieve the preferred maturity level [30]. COBIT 4.1 has six maturity levels, from maturity level 0 to maturity level 5.
Another maturity model is the Cybersecurity Capability Maturity Model (CMM), developed by the Global Cyber Security Capacity Centre in 2014. This model was later revised and improved in 2016 and renamed the Cybersecurity Capability Maturity Model for Nations (CMM). The model allows an organisation to self-assess its current cybersecurity capacity [31]. Meanwhile, the Open Information Security Management Maturity Model (O-ISM3) by The Open Group assesses maturity based on management processes in four components: general, strategic, tactical, and operational [32]. O-ISM3 has five maturity levels, which look for evidence of the processes in those four components.

On the other hand, the maturity model developed by [57] aims to assess an organisation's ability to meet its security objectives. The model defines the process of managing, measuring, and controlling security based on four aspects: governance, security management, system architecture, and service management. Each aspect has its own indicators [12]. This model has five levels of compliance, ranging from non-compliance to full compliance.
The comparison of the mentioned models is summarised in Table II. Table II shows that several ISM success factors are considered as maturity dimensions in the existing models. However, the existing models are typically process-oriented: they focus more on the process and technology factors and place less emphasis on the people factors. As a result, the implementation of ISM is evaluated less comprehensively. People factors play a significant role in ISM [58] and thus need to be emphasised as well [59]. Therefore, a holistic maturity model is required that incorporates all ISM success factors and their elements to ensure the effectiveness of the ISM implementation.

III. METHODOLOGY
This study adopts the mixed-method approach, which comprises both qualitative and quantitative data collection and analysis. This approach involves four main phases: theoretical, empirical, model development, and model validation. Fig. 1 illustrates the research design.

A. Phase 1: Theoretical
The theoretical study reviewed published and unpublished documents in multiple online databases, such as ACM Digital Library, Web of Science, ScienceDirect, Google Scholar, ProQuest, IEEE Xplore, Mendeley and CiteSeer, to identify the ISM success factors and ISM maturity models. The selected documents were then analysed qualitatively using content analysis. The preliminary findings of this study have been reported in [44].

B. Phase 2: Empirical
The empirical study verifies the success factors and identifies each success factor's maturity dimensions and levels. As it involves various aspects, it is divided into three parts:
• Empirical I: The purpose of Empirical I is to verify the ISM success factors derived from the theoretical study and to discover other relevant factors from practitioners' views. This study used semi-structured interviews. A series of individual and focus group interviews with experienced ISM practitioners was conducted. The findings of this study have been reported in [26].
• Empirical II: The purpose of Empirical II is to confirm and refine the findings of Empirical I through a large-scale survey. A total of 400 questionnaires were sent to respondents in public and private agencies. The data collected from the survey were analysed using statistical analysis. The findings of Empirical II have been reported in [60].
• Empirical III: A series of interviews with six experts was conducted to identify the ISM maturity dimensions and levels. The selection of experts was based on their experience, knowledge, and expertise in ISM. The content analysis technique was used to analyse the data.

C. Phase 3: Model Development
The ISM maturity model was developed using the findings from Empirical I, II, and III. The identified success factors, dimensions, and levels were used as the components in the maturity model.
The development of this maturity model is guided by the international standard ISO/IEC 33004:2015 Information technology - Process assessment - Requirements for process reference, process assessment and maturity models [61]. In addition, the measurement theory of [62] and [63], which introduced the ordinal scale, was also used as a basis in the development of this ISM maturity model.

D. Phase 4: Model Validation
This phase evaluates the accuracy of the proposed model through expert review. A series of interviews with three experts was conducted to evaluate the accuracy and suitability of the proposed model. Based on the review, the proposed model was improved.

IV. RESULT AND FINDING
Based on the expert reviews, the final Organisational ISM Maturity Model has 4 aspects, 14 factors, 42 elements, and 57 maturity dimensions. The 14 factors are grouped under four main aspects, namely People, Organisational Document, Process and Technology. Each factor has its own elements, and each element has specific dimensions. Each dimension has five levels of maturity, from maturity level 1 to maturity level 5, where Level 1 is the lowest level of maturity and Level 5 is the highest. The finalised Organisational ISM Maturity Model is shown in Table III. This study has produced a comprehensive model for measuring organisational ISM maturity. In contrast to the existing models, this Organisational ISM Maturity Model contains factors not only from the Process and Technology aspects but also from the non-technical aspects, namely People and Organisational Document. Every identified factor was sorted according to its category, and its maturity dimensions were subsequently determined. Based on the resulting arrangement of categories and factors, this study helps organisations to self-assess the maturity level of their ISM implementation systematically. Through the assessment, an organisation can identify its ISM maturity level and further improve the implementation of its ISM.

Table III (partial, as recovered from the extraction): elements, maturity dimensions and maturity levels of the Organisational ISM Maturity Model. Levels run from Level 1 (lowest) to Level 5 (highest); cells that did not survive extraction are marked as not recovered.

Knowledge
Dimension: The percentage of understanding of the objectives and security issues.
Level 1: Less than 25% of the objectives and security issues are understood.
Level 2: At least 25% of the objectives and security issues are understood.
Level 3: At least 50% of the objectives and security issues are understood.
Level 4: At least 75% of the objectives and security issues are understood.
Level 5: 100% of the security objectives and issues are understood.

Commitment
Dimension: The response rate on ISM issues.
Level 1: The response to ISM issues is very slow.
Level 2: The response to ISM issues is slow.
Level 3: The response to ISM issues is fairly fast.
Level 4: The response to ISM issues is fast.
Level 5: The response to ISM issues is very fast.

IS (element heading truncated in the extraction; dimension description not recovered)
Level 1: There is no understanding of how to achieve IS objectives.
Level 2: Little understanding of how to achieve IS objectives.
Level 3: Fair understanding of how to achieve IS objectives.
Level 4: Good understanding of how to achieve IS objectives.
Level 5: Very good understanding of how to achieve IS objectives.

IS Audit Team - Knowledge
(dimension and level cells not recovered)

Motivation
Dimension: The frequency with which employees receive appreciation.
Level 1: Never receive appreciation.
Level 2: Rarely receive appreciation.
Level 3: Quite often receive appreciation.
Level 4: Often receive appreciation.
Level 5: Very often receive appreciation.

Complete
Dimension: The level of feasibility of the IS procedures.
Level 1: Most of the procedures are very difficult to implement/follow.
Level 2: Most of the procedures are difficult to implement/follow.
Level 3: Most of the procedures are quite easy to implement/follow.
Level 4: Most of the procedures are easy to implement/follow.
Level 5: Most of the procedures are very easy to implement/follow.

Communicated
Dimension: The frequency with which the IS procedures are communicated.
Level 1: Most of the procedures are not communicated to the responsible officer.
Level 2: Most of the procedures are rarely communicated to the responsible officer.
Level 3: Most of the procedures are communicated to the responsible officer regularly.
Level 4: Most of the procedures are communicated to the responsible officer as required.
Level 5: Most of the procedures are communicated to the responsible officer periodically and as required.

Reviewed
Dimension: The percentage of IS procedures reviewed/updated according to current needs.
(level cells not recovered)

Cells recovered without their element or dimension heading:
- 100% of employees comply with IS policy.
- 100% of IS procedures are understood by the personnel/team in charge.
- More than 4 different simulations were implemented over 5 years.

Factor: IS Audit

Audit Program
Dimension: The level of audit scope.
Level 1: The scope of the audit is not comprehensive.
Level 2: The scope of the audit is less comprehensive.
Level 3: The scope of the audit is quite comprehensive.
Level 4: The scope of the audit is comprehensive.
Level 5: The scope of the audit is comprehensive and value-added.

Audit Findings and Reporting
Dimension: The percentage of audit findings and reports that are clear.
Level 1: Less than 25% of audit findings are clearly reported.
Level 2: At least 25% of audit findings are clearly reported.
Level 3: At least 50% of audit findings are clearly reported.
Level 4: At least 75% of audit findings are clearly reported.
Level 5: 100% of audit findings are clearly reported.

Follow-up Audit
Dimension: The level of follow-up audit review.
Level 1: The revision of the corrective and preventive actions is incomplete.
Level 2: The revision of the corrective and preventive actions is mostly incomplete.
Level 3: The revision of the corrective and preventive actions is fairly complete.
Level 4: The revision of the corrective and preventive actions is complete.
Level 5: The revision of the corrective and preventive actions is complete and thorough.
Dimension: The percentage of preventive and corrective actions implemented accurately.
Level 1: Less than 25% of corrective and preventive actions are implemented appropriately.
Level 2: At least 25% of corrective and preventive actions are implemented appropriately.
Level 3: At least 50% of corrective and preventive actions are implemented appropriately.
Level 4: At least 75% of corrective and preventive actions are implemented appropriately.
Level 5: 100% of corrective and preventive actions are implemented appropriately.

Aspect: Technology - Factor: IT Infrastructure

Hardware
Dimension: The percentage of hardware maintained on schedule.
Level 1: Less than 25% of the hardware is maintained on schedule.
Level 2: At least 25% of the hardware is maintained on schedule.
Level 3: At least 50% of the hardware is maintained on schedule.
Level 4: At least 75% of the hardware is maintained on schedule.
Level 5: 100% of the hardware is maintained on schedule.
Dimension: The percentage of the latest hardware used.
Level 1: Less than 25% of the hardware used is the latest.
Level 2: At least 25% of the hardware used is the latest.
Level 3: At least 50% of the hardware used is the latest.
Level 4: At least 75% of the hardware used is the latest.
Level 5: 100% of the hardware used is up to date.

Software
Dimension: The percentage of software maintained on schedule (updated version/security features in the software architecture).
Level 1: Less than 25% of the software is maintained on schedule.
Level 2: At least 25% of the software is maintained on schedule.
Level 3: At least 50% of the software is maintained on schedule.
Level 4: At least 75% of the software is maintained on schedule.
Level 5: 100% of the software is maintained on schedule.
Dimension: The percentage of software security functions used.
Level 1: Less than 25% of software security functions are used.
Level 2: At least 25% of software security functions are used.
Level 3: At least 50% of software security functions are used.
Level 4: At least 75% of software security functions are used.
Level 5: 100% of software security functions are used.
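As an added example, not code from the paper or its authors, the following Python script scores measurements against the percentage thresholds that Table III states for its percentage-type dimensions (below 25% is Level 1, at least 25% Level 2, at least 50% Level 3, at least 75% Level 4, and only an exact 100% Level 5) and takes a qualitative five-point rating directly for dimensions such as audit scope. The factor and element labels, the sample values, and the rule that a factor's level is the lowest level among its dimensions are this example's own assumptions; the paper does not specify how dimension levels roll up to a factor.

```python
"""Added example (not the paper's own code): scoring maturity dimensions of the
Organisational ISM Maturity Model.

Percentage thresholds follow Table III.  The roll-up of dimension levels to a
factor level (weakest dimension wins) and all sample values are assumptions."""
from dataclasses import dataclass
from typing import Iterable

# Level boundaries for percentage-type dimensions as stated in Table III:
# below 25% -> 1, at least 25% -> 2, at least 50% -> 3, at least 75% -> 4,
# and only an exact 100% earns level 5.
PERCENT_THRESHOLDS = ((100.0, 5), (75.0, 4), (50.0, 3), (25.0, 2))


def level_from_percentage(pct: float) -> int:
    """Map a measured percentage (0..100) to maturity level 1..5."""
    if not 0.0 <= pct <= 100.0:
        raise ValueError(f"percentage out of range: {pct}")
    for threshold, level in PERCENT_THRESHOLDS:
        if pct >= threshold:
            return level
    return 1  # everything below 25%


@dataclass(frozen=True)
class Dimension:
    factor: str   # e.g. "IT Infrastructure" (labels here are illustrative)
    element: str  # e.g. "Hardware"
    name: str     # short label for the dimension
    kind: str     # "percentage" (measured 0..100) or "ordinal" (rated 1..5)


@dataclass(frozen=True)
class Measurement:
    dimension: Dimension
    value: float


def dimension_level(m: Measurement) -> int:
    """Level of one dimension; ordinal ratings are validated, not converted."""
    if m.dimension.kind == "percentage":
        return level_from_percentage(m.value)
    if m.dimension.kind == "ordinal":
        if m.value != int(m.value) or not 1 <= m.value <= 5:
            raise ValueError(f"ordinal rating must be an integer 1..5: {m.value}")
        return int(m.value)
    raise ValueError(f"unknown dimension kind: {m.dimension.kind!r}")


def assess(measurements: Iterable[Measurement]) -> dict[str, int]:
    """Per-dimension levels, keyed 'factor/element/dimension'."""
    return {f"{m.dimension.factor}/{m.dimension.element}/{m.dimension.name}":
            dimension_level(m) for m in measurements}


def factor_levels(measurements: Iterable[Measurement]) -> dict[str, int]:
    """Factor level = lowest level among its dimensions (assumed roll-up rule)."""
    levels: dict[str, int] = {}
    for m in measurements:
        f = m.dimension.factor
        levels[f] = min(dimension_level(m), levels.get(f, 5))
    return levels


def progress(previous: dict[str, int], current: dict[str, int]) -> dict[str, int]:
    """Change in factor level between two assessments (e.g. year on year)."""
    return {f: lvl - previous.get(f, lvl) for f, lvl in current.items()}


# Dimensions taken from Table III; factor/element labels are illustrative.
HW_MAINT = Dimension("IT Infrastructure", "Hardware", "maintained on schedule", "percentage")
HW_LATEST = Dimension("IT Infrastructure", "Hardware", "latest hardware used", "percentage")
SW_MAINT = Dimension("IT Infrastructure", "Software", "maintained on schedule", "percentage")
SW_SEC = Dimension("IT Infrastructure", "Software", "security functions used", "percentage")
AUDIT_SCOPE = Dimension("IS Audit", "Audit Program", "audit scope", "ordinal")
AUDIT_CLARITY = Dimension("IS Audit", "Audit Findings and Reporting", "findings clearly reported", "percentage")
CAPA = Dimension("IS Audit", "Follow-up Audit", "corrective/preventive actions implemented", "percentage")

# Constructed sample measurements for two consecutive assessments (not real data).
SAMPLE_PREVIOUS = [
    Measurement(HW_MAINT, 60.0), Measurement(HW_LATEST, 40.0),
    Measurement(SW_MAINT, 70.0), Measurement(SW_SEC, 50.0),
    Measurement(AUDIT_SCOPE, 2), Measurement(AUDIT_CLARITY, 50.0),
    Measurement(CAPA, 20.0),
]
SAMPLE_CURRENT = [
    Measurement(HW_MAINT, 80.0), Measurement(HW_LATEST, 40.0),
    Measurement(SW_MAINT, 100.0), Measurement(SW_SEC, 60.0),
    Measurement(AUDIT_SCOPE, 3), Measurement(AUDIT_CLARITY, 75.0),
    Measurement(CAPA, 30.0),
]

if __name__ == "__main__":
    for key, lvl in assess(SAMPLE_CURRENT).items():
        print(f"{key}: level {lvl}")
    prev, cur = factor_levels(SAMPLE_PREVIOUS), factor_levels(SAMPLE_CURRENT)
    for f, delta in progress(prev, cur).items():
        print(f"{f}: level {cur[f]} ({delta:+d} vs previous assessment)")
```

Two details are worth noting for anyone automating the model this way. First, the table's top level is reached only at exactly 100%, so a measurement of 99.9% still scores Level 4; rounding measurements before scoring would silently award Level 5. Second, the weakest-dimension roll-up is deliberately conservative: in the constructed sample the IT Infrastructure factor stays at Level 2 across both assessments because the "latest hardware used" dimension did not move, even though three other dimensions improved.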

V. CONCLUSION
ISM is a strategic approach to addressing IS risks and breaches and to reducing IS incidents that can compromise the confidentiality, integrity and availability of organisational information. These IS risks, incidents and breaches can be minimised if the organisation implements ISM effectively. The effectiveness of ISM can be achieved if organisations assess the maturity of their ISM practices using a holistic maturity model. A holistic maturity model needs to consider the ISM success factors in every aspect to ensure that the assessment is made comprehensively. This study has successfully developed a holistic maturity model to help organisations self-assess the maturity level of their ISM implementation. This initiative encourages organisations to keep improving the implementation of their ISM over time. The model can also serve as a guideline and reference for academics and researchers working on information security maturity.
Finally, here are some suggestions for further research that could be carried out in the future:
• Specialise the model according to the type of organisation.
This study does not specialise in any particular type of organisation, whether public or private. The nature of service is quite different between those two sectors, and it is believed that organisations in the two sectors have slightly different information security controls. Accordingly, detailed studies by type of organisation can be done in the future to produce a more accurate model.
• Automate the maturity model.
Further studies are proposed to automate the Organisational ISM Maturity Model. An automated ISM maturity model not only simplifies the evaluation process but can also be used for record-keeping and report generation. This allows an organisation to monitor the progress of its ISM, compare the maturity level obtained each year, and predict the level of maturity that will be obtained in subsequent years more easily.