Comparing Cyber Security Maturity and Information Security Maturity Models and Identifying Common Cyber Security Indicators

Document Type : Original Article

Authors

1 Department of Information Technology Management, Central Tehran Branch, Islamic Azad University, Tehran, Iran

2 Department of Industrial Management,central tehran branch, Islamic Azad University, tehran, iran

3 Department of Information Technology Management, center tehran branch, Islamic Azad University, tehran, iran

Abstract

With the advent of the digital age, the need for governments and companies to use information technology to optimize performance, Business process smartening and provide remote services has increased. Thus, information technology and cyber security and information have also found a special place in the digital arena. Accordingly, one of the most serious dangers that governments face, which can also undermine national security, is cyber-attacks. These attacks cover a wide range of targets, one of the main of which is to damage critical infrastructure. Therefore, the sustainability of critical infrastructure in the face of such threats is crucial. This study, considering that the security of vital infrastructure is one of the most important factors in ensuring national security and passive defense, seeks to obtain the indicators of security of critical infrastructure through a comparative study method using library resources. In this study, 10 of the most important models of cyber security and information security maturity have been analyzed. The results of this study indicate that the studied models have a total of 93 indicators. Cyber security and information security maturity models are significantly similar; Therefore, some of the counted indicators overlap. Overlapping indicators were identified and classified into 17 groups. The results show that the "incident management" index with a frequency of 11 is the most important index in securing critical infrastructure, as well as physical security, monitoring, access-identity control, security policies and other indicators in They are next.

Keywords


Smiley face

  • [1] Nye, & W. Jisi, “The Rise of China’s Soft Power and Its Implications for the United States,” in Richard Rosecrance and Gu Guoliang, Power and Restraint: A Shared Vision for the U.S.–China Relationship (New York: Public Affairs), pp. 28-30, 2006.
  • [2] Whitman, & H. Mattord “Roadmap to Information Security: For IT and Infosec Managers,” Cengage Learning, 1st edition, 2011.
  • [3] Mcafee, 2014, “Mcafee-report-global-cost-cybercrime," https://www.csis.org/events/2014-mcafee-report-global-cost-cybercrime
  • [4] R. Javaheri & Others, “Improvement in the Ransomwares Detection Method with New API Calls Feature,” In Journal of Electronical & Cyber Defence, Vol. 8, pp. 107-118, 2021.
  • [5] ITU "Corporate Annual Report 2008 ", https://www.itu.int/osg/csd/stratplan/AR2008_web.pdf
  • [6] ISO/IEC 27032:2012, “Information technology – Security techniques – Guidelines for cybersecurity”, https://www.iso.org/standard/44375.html
  • [7] Shoushian and Others, “Probabilistic Modeling of Obfuscated Multi- Stage Cyber Attacks”, In Journal of Electronical & Cyber Defence, Vol 8, 2020
  • [8] S Department of Energy, Office of Cybersecurity, Energy Security and Emergency Response,” CyberSecurity Capability Maturity Model (C2M2)” 2021
  • [9] Khazaei, “Passive defense from the point of view of the Supreme Leader and the Commander-in-Chief”, vol 36, pp. 151-190, 2016 (In Persian)
  • Shabaninezhad and Others, “The Strategic Study of Reducing the Vulnerability of power Systems Against Electromagnetic Pulses”, In Journal of Passive Defence, vol 3, pp. 71-86, 2021 (In Persian)
  • Miryousefi, R. Ghaffarpour “New Critical Infrastructure Protection Strategies”, In Journal of Passive Defence, vol 3, pp. 1-14, 2021 (In Persian)
  • A, Gharamaleki “Methodology of religious studies”, Razavi University of Sciences Publisher, 2006 (In Persian)
  • Akhavan, R. Radfar, “a model for monitoring information security maturity”, In Journal of Technology growth, Vol 64, 2021 (In Persian)
  • Afshar & Others, “Review of the Types of Strategies to Improve Security of Industrial Control Systems and Critical Infrastructure”, In Journal of Passive Defence, Vol 2, 2018 (In Persian)
  • Bilge, S. Marco, “A Questionnaire Model for Cybersecurity Maturity Assessment of Critical Infrastructures”, In Springer Nature Switzerland AG Conference paper, 2019
  • Bilge and Others,” A vulnerability-driven cyber security maturity model for measuring national critical infrastructure protection preparedness”, In international journal of critical infrastructure protection, ScinceDirect, Elsevier, pp. 47 – 59 – 2019
  • Marcelo and Others, “Comparative Study of Cybersecurity Capability Maturity Models” In Springer International Publishing AG – pp. 110-113 – 2017
  • Aliyu and Others, “A Holistic Cybersecurity Maturity assessment framwork for higher education institution in United Kingdom” In Applied Sciences, 2020
  • Ide, “cybersecurity capability maturity model for critical information technology infrastructure among nigeria financial organizations” PhD. Thesis, Teknologi Malaysia Univ, 2019
  • Aghaei and Others, “a logical conceptual model for classifying critical infrastructure cyber threats” In Journal of National Security, Vol 2, 2019 (In Persian)
  • Bridget, “Information Security Maturity Model for Healthcare Organizations in the United State”, Ph.D. Thesis, Portland State Univ, 2021
  • Yigit and Others, “The Cybersecurity Focus Area Maturity (CYSFAM) Model”, In Journal Cybersecure Privacy, pp. 119-139, 2021
  • Kavand, V. Hakimzadeh, “Identifying, evaluating and classifying high-risk infrastructures”, Bostan Publisher, 2020 (In Persian)
  • Zarghani, H. Azami, “Analysis of security considerations in planning and location of military centers and bases with emphasis on Khorasan Razavi province”, In Journal of Planning and arranging space, Vol 15, pp. 112-127, 2016
  • US Department of Homeland Security, “Cybersecurity Capability Maturity Model: Version 1.0. White paper, Department of Homeland Security”, 2014.
  • ITU “Guide to developing a national cybersecurity strategy 2end edition”, https://ncsguide.org/wp-content/uploads/2021/11/2021-NCS-Guide.pdf, 2021
  • N. Singh, M.P. Gupta, A. Ojha, “Identifying critical infrastructure sectors and their dependencies: An Indian scenario”, International Journal of Critical Infrastructure Protection, 7(2), pp.71–85.
  • C Paulk and Others, “Capability Maturity Model version 1.1 IEEE Softw”. In Los Alamitos Journal, Vol 10, pp. 18–27, 1993
  • S, Department of Defence, “Cybersecurity Maturity Model Certification (CMMC)”, DoD, 2020
  • B, White, “The community cyber security maturity model”. In IEEE International Conference on Technologies for Homeland Security, HST, pp.173–178, 2007
  • Saleh, “Information Security Maturity Model”, In International Journal of Computer Science and Security (5), pp.316-337, 2011
  • Karokola, S. Kowalski & L. Yngström, “Towards an Information Security Maturity Model for Secure e-Government Services: A Stakeholders View”, In Proceedings of the 5th HAISA2011, Conference, pp. 58–73, 2011
  • Gillies, “Improving the quality of information security management systems with ISO27000”, In the TQM Journal, 23(4), pp.367–376, 2011, http://doi.org/10.1108/17542731111139455
  • W. Humphrey, “Managing the Software Process”, In Omega International Journals of Management Science, Vol 16, 1989
  • W. Coelho, G.F. Lemes, “GAIA-MLIS: A Maturity Model for Information Security”. In SECURWARE Journal vol 61, pp.50–55, 2014
  • Spruit and M. Roeling, “ISFAM: the information security focus area maturity model”. In Proceedings of the European Conference on Information Systems (ECIS), 2014
  • S, Department of Defence, “Cybersecurity Maturity Model Certification (CMMC)”, DoD, 2020
  • United States Agency for International Development (USAID), “understanding cybersecurity maturity models within the context of energy regulation”, 2020
  • Y. Ozkan, S. Lingen, M. Spruit, “The Cybersecurity Focus Area Maturity (CYSFAM) Model” In Journal of Cybersecurity and Privacy, Vol 1, pp. 119-139, 2021
  • British Standards Institution, Moving from ISO 27001:2005 to ISO 27001:2013, BSI, London, 2013
  • Zechariah, J. Shi, “Business Continuity Management System: A Complete Guide to Implementing ISO 22301 1st Edition”, Kogan Page Publisher, 2014.