Synopsis
Organisations use information security management standards, such as the ISO 27000 series and the NIST Cybersecurity Framework, to guide the establishment, ongoing operation, and improvement of their cybersecurity programs. These standards take a control-driven, compliance-first approach to information security management and have had varying degrees of success in covering the cyber environment. While existing information security management standards provide a common set of controls that can guide audits, they offer limited guidance on the processes required to manage a cybersecurity program and on measuring the performance of cybersecurity management. Cybersecurity programs are typically architected in an ad hoc manner. Apart from occasional technical testing and annual control audits, the effectiveness of security controls in protecting the business is seldom systematically assessed. As a result, the real success of a security program is often unclear, and this uncertainty can lead to severe consequences such as system outages and data breaches.
To address this, our presentation introduces an enhanced cybersecurity management process model that provides guidance and measurement for cybersecurity programs. Our model evaluates both maturity and effectiveness, addressing the limitations of relying on a single method. This combined method of measuring performance can support cybersecurity stakeholders in making informed and effective decisions.
We conducted a Delphi study with a panel of 12 cybersecurity experts to identify a set of critical processes for cybersecurity management. We further developed the model with maturity assessment and effectiveness evaluation capabilities to enable organisations to systematically assess the performance of their cybersecurity programs. Our proposed model can serve as a reference guide for cybersecurity management, guiding cybersecurity managers to establish, operate, and continuously improve cybersecurity programs. It can also help organisations assess the performance of their cybersecurity programs in a comprehensive and integrated manner, so that existing management shortfalls are continually addressed and cybersecurity assurance improves.