Evolution of Information Security Awareness towards Maturity: A Systematic Review
This work is licensed under a Creative Commons Attribution 4.0 International License.