Systematic Review

Recent Trends in Information and Cyber Security Maturity Assessment: A Systematic Literature Review

Faculty of Organizational Sciences, University of Maribor, 4000 Kranj, Slovenia
* Author to whom correspondence should be addressed.
Systems 2025, 13(1), 52; https://doi.org/10.3390/systems13010052
Submission received: 25 November 2024 / Revised: 10 January 2025 / Accepted: 13 January 2025 / Published: 15 January 2025

Abstract
This work represents a comprehensive and systematic literature review (SLR) that follows the PRISMA (Preferred Reporting Items for Systematic Reviews and Meta-Analyses) guidelines for research assessing information and cyber security maturity. The period from 2012 to 2024 was considered and the final collection of 96 studies was taken into account. Our findings were summarised in two stages, a quantitative analysis and a qualitative synthesis. In the first part, various quantitative indicators were used to analyse the evolution of the information and cyber security maturity assessment domain over the last twelve years. The qualitative synthesis, which was limited to 36 research papers, categorises the studies into three key areas: the development of new maturity models, the implementation of established models and frameworks, and the advancement of methodologies to support maturity assessments. The findings reveal significant progress in sector-specific customisation, the growing importance of lightweight models for small and medium-sized enterprises (SMEs), and the integration of emerging technologies. This study provides important insights into the evolving landscape of information and cyber security maturity assessment and provides actionable recommendations for academia and industry to improve security resilience and support the adoption of tailored, effective maturity models.

1. Introduction

In the current complex and uncertain environment, organisations are increasingly subjected to threats from malicious actors, which can be critical for their business operations and performance. In these settings, organisations are likely to experience a high-cost impact if they are unprepared when a crisis strikes [1].
One of the most effective practices organisations use to manage emergencies, so that business operations can continue or be resumed, and thus to strengthen organisational resilience is business continuity management (BCM). The evidence from the literature shows that the level of maturity of a company in terms of BCM is directly related to its level of resilience [1,2]. This was particularly evident during the recent COVID-19 pandemic, which was critical for many organisations [3]. Consequently, the pandemic experience increased interest in studying business continuity [4].
With the digitalisation of modern societies, most businesses rely on cyberspace to manage their business processes, transfer information, and deliver services. Therefore, information/cyber security incidents pose significant risks to business continuity. Such unwanted events can disrupt an organisation’s operations, compromise sensitive information, and result in financial and reputational damage. Information and cyber security issues are therefore no longer only an information technology (IT) problem. Information/cyber security risk has become a business risk, which should be handled with due care at the highest level in the organisation [5]. As a result, information and cyber security management has become one of the most important principles and levers for ensuring business continuity.
As in many other important areas of the organisation, the concept of maturity assessment is also gaining acceptance in information and cyber security management. Namely, maturity assessments in information/cyber security management help organisations to gain a comprehensive understanding of their security capabilities, prioritise improvements, and drive continuous enhancement of their security posture. By identifying gaps, mitigating risks, and allocating resources effectively, organisations can strengthen their defences and protect critical assets from evolving cyber threats. Information/cyber security maturity models therefore play a central role in the conception of information/cyber security management systems. They provide organisations with a structured framework to evaluate their current security capabilities and identify areas for improvement with the aim of ensuring the organisation’s business continuity. Implementing a security maturity model helps organisations identify their vulnerabilities and develop a risk-based approach to protect against potential information/cyber security threats. Some industries, for instance, the German automotive industry, have even established security maturity levels as the de facto standard for measuring information/cyber security [6].
The goal of this paper is to provide a comprehensive and systematic review of the literature in the field of information and cyber security maturity assessment. Such an analysis serves two purposes. First, it allows the academic community to examine potential gaps in the literature, properly position new studies, and identify areas of security maturity assessment that require further research. Second, industry, the public sector, and other professional teams can also benefit from such a study by making informed decisions about whether it is advisable to develop their own model or adopt known best practices.
The remainder of the paper is organised as follows: first, the relevant literature is reviewed and the background for our research is defined. Next, the methodology for conducting the systematic literature review (SLR) in accordance with the Preferred Reporting Items for Systematic Reviews and Meta-Analyses (PRISMA) guidelines [7,8] is presented. The actual research is then performed in three main steps: planning the review, conducting the review, and reporting the review. The results are summarised in two stages, quantitative analysis and qualitative synthesis. In Section 6, six research questions are analysed, providing conclusions from the SLR results and identifying some opportunities and directions for further research in information/cyber security maturity assessment. The final section provides some concluding thoughts on the main contributions of the paper and highlights the limitations of our research.

1.1. The Concept of Maturity and Maturity Models

According to [9,10], “maturity” implies evolutionary progress in the demonstration of a specific ability or in the accomplishment of a target from an initial to a desired or normally occurring end stage. The concept of maturity has proven to be useful in the study of the development of organisations and their processes and has been applied through various maturity models. As summarised in [11], maturity models divide evolutionary progress into a sequence of levels or stages that form a logical path from an initial state to a final level of maturity [10,12]. These levels and stages are used to derive and prioritise improvement measures and control the progress of change [13].
Maturity models therefore provide information about a company’s current status and how to improve it [14]. They offer a simple but effective tool to measure organisations’ capabilities and contribute to transformation and the development of competencies in an organisation by initiating a change process [10,15]. The maturity models can also be used as benchmarking tools to compare organisations with each other to set development goals, or as self-review frames and managerial tools for self-improvement action [14,16,17].
Maturity models are therefore a widely used tool in evaluating certain aspects of organisations, since they represent an increasingly organised and systematic way to do business [18]. Moreover, they can also be used in developing an organisation’s future vision and path. In accordance with this, [19] has identified three different purposes for developing a maturity model: descriptive, comparative, and prescriptive [11]. Maturity models serve a descriptive purpose when they are used for ‘as-is’ assessments to evaluate the current capabilities of the organisation, usually according to specific criteria. A comparative purpose enables internal or external benchmarking and comparison of similar business units and organisations, while a prescriptive purpose is to indicate how to determine desirable maturity levels and provide guidance for improvement actions.
During the last two decades, maturity models have received increasing attention across a wide range of applications, including both professional and academic interests (see, e.g., [20]). They have been extended to different domains such as the industrial sector, energy, finance, government, healthcare, education, and general use [21]. As presented by [22], the maturity model has been deployed in diverse areas, from software engineering to project management, quality assurance, process improvements, and others. However, such diverse application areas result in many publications. Although it is difficult to draw parallels in such diversity, in our opinion, the maturity models can be roughly grouped as follows:
  • Organisational maturity models (OMM): These models look at the overall maturity of an organisation, including its culture, leadership, and strategic planning. The review and classification of OMM is provided by [23], while extensive SLR of enterprise maturity models is prepared by [24];
  • Process-related maturity models (PMM): These models focus on the level of maturity of an organisation’s processes and are typically used in areas such as project management, software development, and quality assurance. One of the first widely used and popular process-oriented maturity models was the Capability Maturity Model (CMM), introduced by the Software Engineering Institute [25] and originally proposed to objectively assess the software development process. Many existing maturity models have their roots directly in the CMM and have adopted its five-level approach (level 1—initial, level 2—managed, level 3—defined, level 4—quantitatively managed, and level 5—optimised), which describes an evolutionary path of increasingly organised and systematic maturity stages. As expressed by [14], PMM has become a prosperous approach to support business process management (BPM). A comprehensive overview of BPM maturity models is provided by [26,27,28], while an SLR of BPM maturity models for small and medium-sized enterprises (SMEs) was prepared by [11]. PMMs are frequently applied to the field of information systems (IS) and information system management (ISM). A systematic review of experience and findings in this area of maturity assessment can be found in the following studies: [18,29,30];
  • Technology-related maturity models: This category includes maturity models and frameworks that are used to assess and improve the maturity of an organisation’s technological capabilities. An important group in this category are models focussed on the maturity of IT. A comprehensive review of IT-related maturity models is provided by [31,32]. There are also contributions focussing on specific technology segments or specialised products (e.g., Industry 4.0 [33] or Industry 5.0 [34]). As [35] stated, organisations are facing increasing cyber security risks in the context of Industry 4.0 and 5.0, making it essential to adopt tailored risk management methodologies such as the NIST Cybersecurity Framework (NIST CSF), ISO/IEC 27001, and MAGERIT;
  • Data maturity models: These models assess an organisation’s level of maturity in managing and using data. A survey of maturity models in data management was prepared by [36]. A multivocal literature review of the maturity of open government data maturity is provided by [37], while [38] prepared an SLR on big data maturity assessment models;
  • Sustainability maturity models: These models assess an organisation’s level of maturity in sustainability practices, such as environmental management and social responsibility. Among others, examples of such studies are [39,40,41];
  • Resilience maturity models: This category includes maturity models and frameworks that help organisations assess and improve their ability to anticipate, prepare for, respond to, and recover from disruptions or crises. These models typically provide a set of best practices and benchmarks that organisations can use to evaluate their current resilience capabilities and identify areas for improvement. Examples of such approaches can be found in [42,43,44]. One of these studies examines relevant cyber security capability maturity models to identify the standards and controls available to providers of critical infrastructure, so as to improve their level of security preparedness. Information/cyber security maturity models, which are the focus of our research (discussed in more detail in the next section), could be assigned to this category.
However, it is important to realise that the classification we have given is not entirely complete. The complexity of organisations and the turbulent environment in which they operate often give rise in practice to the need for so-called hybrid maturity models that should combine various aspects of different maturity models to provide a more comprehensive assessment of organisations’ maturity. In such a way, organisations can gain a more complete understanding of their strengths and weaknesses and develop a more targeted roadmap for improvement. For example, a hybrid maturity model might combine aspects of an organisational maturity model with a process maturity model to assess an organisation’s overall maturity in a particular area, such as project management [45,46].
In addition, technological developments and other societal trends are both dictating the development of new models of maturity and opening new areas of application. In recent years, one has often been able to find studies dealing with maturity assessment in various topical areas, such as digitalisation [22,47,48,49], artificial intelligence [50], and blockchain technology [51], etc.
While maturity models can be useful in assessing an organisation’s level of maturity and identifying areas for improvement, they also have several limitations and deficiencies. Some of these include:
  • “One-size-fits-all” approach: Maturity models are often designed to be generic and applicable across multiple industries and contexts. However, this means that they may not account for the unique characteristics of each organisation, such as their culture, size, or goals. In addition, maturity models have often been characterised as ‘step-by-step recipes’ that simplify business reality [52];
  • Static and inflexible [45]: Maturity models tend to be static and prescriptive in nature, providing a linear path for organisations to follow. However, this may not be suitable for complex and rapidly changing environments, where a more flexible and adaptive approach may be necessary;
  • Lack of empirical evidence [9,52,53]: Many maturity models are based on expert opinions and best practices, rather than empirical evidence. As a result, their effectiveness in improving organisational performance may not be well supported by data. As cited in [11], [53] observed that empirically validated maturity models are quite rare;
  • Limited scope and lack of a systematic approach [54]: Maturity models typically focus on a specific area or function within an organisation, such as IT or project management. This may lead to a narrow perspective on organisational maturity and overlook other important factors that affect organisational performance;
  • Narrow “compliance-oriented” approach: Maturity models often prioritise compliance and conformity over innovation and creativity. This may discourage organisations from pursuing novel approaches and taking risks, which can be important for staying competitive in today’s fast-paced business environment. Maturity models should not focus on a series of levels toward a predetermined ‘final state’ but on the factors that influence evolution and change [11,55].
It is important to be aware of these limitations and deficiencies when implementing maturity models and frameworks in practice. It should be ensured that they are applied in a way that is appropriate for the specific context and goals of the organisation under consideration.

1.2. Information/Cyber Security Maturity Models

In today’s digital era, the concepts of information security and cyber security have become matters of global interest and importance. The two concepts are so closely related that they are often wrongly considered synonyms and incorrectly used interchangeably. Although there is considerable overlap between the two concepts, they are not analogous and have some important differences that need to be clarified to avoid confusion. The main differences between the concepts of information security and cyber security can be summarised as follows [56,57,58]: information security refers to the protection of information from unauthorised access, use, disclosure, disruption, modification, or destruction. It involves the implementation of policies, procedures, and technologies to ensure the confidentiality, integrity, and availability of information. Information security focusses on protecting all forms of information, including digital and physical records, intellectual property, trade secrets, and personally identifiable information.
Cyber security, on the other hand, is about securing things that are vulnerable through ICT, including, but not limited to, information. Cyber security involves protecting networks, computers, servers, and other digital devices (IoT, industrial IoT, and industrial control systems, etc.) from unauthorised access, use, disclosure, disruption, modification, or destruction. It includes the implementation of technologies such as firewalls, intrusion detection systems, antivirus software, and encryption, as well as the development of policies and procedures to manage cyber risks.
In summary, information security is a broader concept that encompasses the protection of all forms of information, while cyber security is a narrower concept that focusses specifically on protecting digital information and systems from cyber threats. Therefore, cyber security that aims to protect digital assets is recognised as a part of information security, which targets information whether it is in digital or in physical space [58]. As cyberspace is growing rapidly, both information security and cyber security need to be continuously evaluated and innovated, to be updated with the most recent modifications [57]. To have a comprehensive security programme to ensure business continuity, organisations need to address both concepts. Therefore, when conducting our SLR, both concepts—information and cyber security maturity assessment—will be taken into consideration.
In general, information and cyber security maturity models (ICS MM) can be described as frameworks used to assess an organisation’s level of information/cyber security readiness and guide its journey towards a more mature and therefore resilient information/cyber security posture. In accordance with the need to ensure business continuity, the ICS MM can be implemented in the following main areas:
  • Governance: This includes establishing a governance structure for information and cyber security that defines roles and responsibilities, sets policies and standards, and provides oversight and accountability. Examples of such studies are, for example, [59,60,61];
  • Risk Management: Organisations need to identify, assess, and manage information/cyber security risks. This includes conducting risk assessments, implementing risk management processes and procedures, and continuously monitoring and updating the risk management programme. Representatives of such studies are [62,63,64];
  • Security Operations: This includes implementing security technologies and tools for security monitoring and establishing security incident response procedures [65,66], threat intelligence analysis [67], and establishing security training and awareness programmes [68,69];
  • Compliance: Organisations need to comply with regulatory requirements, industry standards, and best practices. This includes identifying applicable regulations and standards, assessing compliance, and implementing controls to ensure compliance. Such studies are [70,71,72];
  • Third-party risk management: Organisations need to manage information and cyber security risks associated with third-party vendors and suppliers. This includes assessing third-party risks, implementing controls to mitigate those risks, and monitoring third-party security posture over time. As an example, we can point to studies dealing with maturity associated with cloud service risks [73,74].
During the last two decades, the topic of information and/or cyber security maturity assessment has received considerable attention and has attracted many authors, from practitioners to those from academic societies. As the number of contributions increases, so does the need for an SLR. The aim of this research is to identify, evaluate, and synthesise all relevant research studies to provide a reliable and comprehensive summary of the current state of knowledge that can serve as a basis for future research, policy, and practice. After a detailed review of the existing literature, we realised that at least for the time being, there are not many such SLR contributions. Exceptions include the following few studies:
The only overview study in the domain of information security maturity assessment we have been able to find is the contribution of [75], who provided an overview of the following maturity models for assessing the organisation’s information security management maturity (ISM MM): The Bank of Russia’s ISM MM, ISMS Maturity Capability Model, NIST’s IS MM, Open Group’s ISM MM, Gartner’s Security and Risk Management ML assessment, IS Risk Management Process MM, Security Incident Management Models, and IS Monitoring MM. The authors intended to use the results of the study to develop their own maturity model called the Maturity Model for Network Security Intelligence Centers (NSICs MM). The concept of cyber security maturity is not covered in this study.
A slightly larger number of review studies address the concept of cyber security maturity assessment. Ref. [76] conducted an SLR of published studies from 2012 to 2017. As a result, the authors described and compared the most used cyber security CMMs. They observed that all analysed variants of cyber security CMM have similar elements, because they use processes and levels of maturity. They also manage risk, although at different levels of depth. Moreover, the authors found that each model has a different field of application due to its particularities. Very similar are the later studies [77,78], which considered the time span from 2011 to 2019.
Marican et al. [5] produced an SLR on cyber security maturity assessment frameworks for technology startups in various industries. This study specifically examined the scope of the frameworks from an end-to-end perspective and the quantification of cyber investment returns. A detailed analysis of published research articles from reputable journals and conference proceedings from January 2011 to June 2022 was conducted. The results showed that there is a lack of appropriate cyber security maturity assessment frameworks for technology startups, which puts startups in a vulnerable position.
We found only two SLR studies that address both concepts, information and cyber security maturity. First is the research of [69], who prepared a scoping review of assessment approaches and maturity scales used for the evaluation of information security and cyber security user awareness and training programmes. The authors found that there is a gap in the current literature regarding the assessment of these programmes, as only five papers and two maturity models were found. As user awareness and training programmes play an important role in fighting against cyber attacks, researchers were encouraged to undertake further study in this area.
The most comprehensive study is provided by [79], carrying out an SLR on information and cyber security maturity models, published between 2007 and 2018. The authors highlighted the prevalent influence of the ISO/IEC 27001/27002 standard [80,81] but raised the necessity for an in-depth investigation of ISO 21827 [82]. Moreover, the authors found that, compared to the number of proposed models, implementation experiments are lacking. This could be due to the arduous task of validation, and it could also be the reason why specific models are dominant.
In this paper, we aim to continue the work started by [79]. Because the field of information and cyber security maturity assessment is recognised as a rapidly evolving area, we anticipate that the number of published papers has increased significantly over the past five years, necessitating a renewed SLR. As we are primarily interested in trends in scientific developments, we would like to expand the SLR to include important databases that were not included in previous studies (e.g., Web of Science). The main objective of this study is to provide a comprehensive overview of efforts to assess the maturity of information and cyber security in different sectors. However, we recognise that cyber security is a broad and complex field, and it is not possible to examine all sub-sectors in the desired depth in a single study. By identifying cross-sector trends and challenges, we aim to provide a basis for future research that could focus on more targeted analyses of specific sub-sectors.

2. Research Methodology

For the purpose of our research, we used an SLR approach, which provides a systematic, explicit, and reproducible method for identifying, selecting, evaluating, and critically appraising the existing body of completed and recorded research [83].
Following guidelines for creating a comprehensive SLR [84,85] and the experiences of other authors [86,87,88,89,90], we defined an SLR process for the purpose of this study. As suggested in some previous studies (see, e.g., [91,92]), we conducted our SLR in accordance with the PRISMA guidelines to ensure scientific rigour and minimise bias in the findings. To facilitate the identification, screening, visualisation, and bibliographic analysis of the study, the Mendeley Reference Management Software and Microsoft Excel were utilised.
It can be seen from Figure 1 that the process consists of three main steps: planning the review, conducting the review, and reporting the review.
The main tasks related to planning the review are determining the purpose of the review and the scope of the study, developing a review protocol, and defining the research questions.
The tasks associated with conducting the review are the identification of relevant sources, the identification of eligible studies (i.e., candidate studies), the selection process (i.e., the application of inclusion and exclusion criteria to determine the final collection of relevant studies), the validation of the selection process by independent reviewers, data extraction, and data synthesis.
Review reporting is the final step in the creation of an SLR and involves the systematic and smooth reporting and writing up of the results, so that the entire process is scientifically reproducible. The results of the review can be presented in the form of a quantitative analysis and qualitative synthesis of SLR findings.

3. Planning the Review

The purpose of our SLR is to discover recent trends in information and cyber security maturity assessment in organisations. To conduct a comprehensive, systematic, and fair evaluation of the literature, a review protocol was established; it is summarised in Table 1.
Search keywords used for database screening are given in Table 2. Inclusion and exclusion criteria are presented in Table 3.
The results of our SLR will be summarised in two stages, the first one being quantitative analysis and the second one qualitative synthesis.
Quantitative analysis should reveal various quantitative trends over the years according to the selected criteria. In this stage, the complete collection of relevant publications (i.e., conference papers as well as research articles) will be considered, and the following research question will be discussed:
  • RQ1: What are the general trends of ICS MM studies during the last twelve years (i.e., yearly distribution of publications (conference papers and research articles), distribution of publications by industry, or by information/cyber security domain, etc.)?
The aim of the qualitative synthesis is to show relationships between studies to gain a deeper understanding of the research topic. We aim to integrate key findings to identify parallels, variations, or divergent perspectives. In addition, we aim to identify potential gaps and suggest some directions for future research. If our final collection of relevant publications includes enough research articles (at least 10), we will limit the qualitative synthesis to those. Namely, in our opinion, research articles provide a more reliable basis for summarising conclusions. Through qualitative synthesis, we aim to answer the following research questions:
  • RQ2: How can recent studies on ICS MMs be categorised based on their contributions to the development of information/cyber security maturity assessment?
  • RQ3: In which sectors and industries have ICS MMs been applied most effectively and what type of organisations have found the concept of information/cyber security maturity assessment useful?
  • RQ4: What are the key drivers for ICS MM adoption?
  • RQ5: What are the main gaps or limitations that the authors have identified regarding the implementation of ICS MMs in organisations?
  • RQ6: What opportunities and future research directions in the field of information/cyber security maturity assessment have the authors identified?

4. Conducting the Review

Following the predefined review protocol, the selected source databases were searched. The query strings as well as the results of the searches are listed in Table 4. The search was conducted in August 2024. In total, 281 studies were included in the selection process. Given the descriptive and qualitative nature of our systematic review, it was not possible to conduct formal sensitivity analyses or a detailed risk-of-bias assessment for each study. However, to enhance the robustness of our findings, we cross-validated our results with the existing literature and meta-analyses. This process provides confidence in the reliability of our results.
Figure 2 shows that after application of the inclusion criteria (IC) and exclusion criteria (EC) and validation of the selection process by two independent reviewers, 159 studies were excluded from the study, 1 because of a publication language other than English [76], 1 because the full text was not available [74], and 157 due to inappropriate scope. The final collection therefore contained 96 studies.
It was agreed that in the case of missing data, the two independent reviewers would analyse the available information and attempt to find additional material to fill any gaps identified.

5. Reporting the Review

The results were analysed using both quantitative and qualitative approaches. The quantitative analysis included indicators such as the distribution of publications per year, the sectoral focus, and geographical distribution trends. In contrast, qualitative synthesis categorised the studies into three main groups: those dealing with the development of new models, those applying existing frameworks, and those focussing on supporting methodologies. Preparing the data for synthesis involved systematically organising the extracted information into predefined categories.

5.1. Quantitative Analysis

The final collection for the quantitative analysis comprises 96 studies, of which 60 (62.5%) are conference papers and 36 (37.5%) research articles. To answer RQ1, we have extracted all the necessary quantitative indicators from the collection, which are presented below. We will discuss the results in more detail in Section 6.1.
The annual distribution of publications over the chosen time span (2012–2024) is presented in Figure 3, while the distribution of studies by industry sector is given in Table 5.
The distribution of studies by the information/cyber security domain and corresponding subdomains is illustrated in Figure 4, while Figure 5 shows the list of journals where the 36 research articles from our collection were published.

5.2. Qualitative Synthesis

In our qualitative synthesis, we focussed exclusively on journal articles (36 research articles), as these tend to provide a more in-depth analysis, a broader theoretical framework, and a longer timeframe for the development and testing of ideas. Journal articles also provide a more consistent overview of research methods and findings, which is essential for systematic comparison and the identification of trends in the field of information and cyber security maturity assessment. Conference papers, on the other hand, often present early-stage research findings or very specific case studies that do not always lend themselves to comprehensive qualitative analysis. A complete list of the articles examined can be found in Appendix A. All 36 articles were reviewed in depth by two independent reviewers to extract all the information we needed to answer our research questions RQ2–RQ6. A summary of the results is presented below (see Table 6, Table 7, Table 8, Table 9, Table 10, Table 11, Table 12 and Table 13), with a more in-depth discussion in Section 6.2.
Table 6 shows that the studies included in the qualitative synthesis can be effectively categorised into three main groups: those that contribute to the development of a new maturity concept (see Table 7), those that focus on the implementation of already known maturity concepts (see Table 8), and those that provide supporting methodologies or frameworks that contribute to the understanding of information/cyber security maturity (see Table 9).
Table 10 presents a summary of the sectors and industries where ICS MMs have been applied effectively and the types of organisations that have benefited from the maturity assessment concepts.
Table 11 provides an overview of the key drivers for the adoption of ICS MMs in different sectors and industries and summarises the reasons why companies are using these models to improve their security practices.
Table 12 summarises the most important gaps and limitations in the implementation of ICS MMs and shows the obstacles that organisations face when introducing and implementing maturity models.
Table 13 summarises the key opportunities and future research directions identified in the 36 research articles reviewed and highlights areas for further development and innovation in cyber security maturity assessment.

6. Discussion and Research Questions Analysis

Aligned with our approach to SLR, we first discuss the findings of a quantitative analysis (RQ1), followed by the findings of a qualitative synthesis (RQ2–RQ6).

6.1. Findings from the Quantitative Analyses of SLR Results

The data for answering RQ1 (What are the general trends of ICS MM studies during the last twelve years?) can be obtained from Section 5.1. Figure 3 shows that the trend of publications is continuously increasing, which confirms the relevance of the topic. This is particularly evident from 2019, when the total number of publications almost doubled compared to previous years. As only the first half of 2024 was considered, this trend is expected to continue. Analyses show that most authors come from Asia (32.29%) and Europe (31.25%). As shown in Table 5, most studies (31.25%) are general in nature and do not focus on a specific industry sector. Furthermore, 13.54% of the studies are focussed on utilities (e.g., critical infrastructure, energy distribution, industrial control systems), while 9.38% of the studies deal with information technology. Government (8%), financial services, and the SME sector (both 7.29%) are also well represented.
Figure 4 shows that more studies focus on cyber security (53.1%) than on information security (29.17%), while 17.71% of the studies combine both approaches. Most studies focus on compliance with frameworks and standards (38.54%) and information/cyber security governance (27.08%).
The growing number of conferences from year to year (see Figure 3) is further proof that the concept of assessing the maturity of information/cyber security is becoming increasingly topical. Most conferences (41.67%) were held in Asia, which is consistent with the fact that most authors are of Asian origin.
Figure 3 also shows that before 2019, research articles on the topic of information security/cyber security maturity assessment were quite rare, while afterwards the number of research articles increased steadily. Consequently, this means that the field of information/cyber security maturity assessment is becoming a relevant and important scientific field. The vast majority (77.78%) of journals are indexed with the JCR impact factor. Furthermore, almost 90% (89.28%) of the journals are in the first two quartiles [95]. This confirms that reputable journals are interested in publishing research related to information/cyber security maturity assessment. In terms of JCR subject categories, the largest number of research articles were published in the ‘Computer Science, Information Systems’ category. Given the increasing relevance and rapid advances in information and cyber security, it would be highly beneficial to establish a new bibliographic category specifically for ‘Information/Cyber Security’. This would not only better reflect the specialisation of research, but also encourage more focussed and impactful studies in this area and meet the increasing demand for robust security frameworks across all industries.

6.2. Findings from the Qualitative Synthesis of SLR Results

The qualitative synthesis is one of the most difficult and time-consuming parts of our research, as each of the 36 articles had to be examined in detail. This process was carried out by two independent reviewers. Below we present the main findings, focussing on the answers to research questions RQ2–RQ6.
  • RQ2: How can recent studies on ICS MMs be categorised based on their contributions to the development of information/cyber security maturity assessment?
The results of our qualitative synthesis (Table 6) reveal that recent studies on ICS MMs can be categorised into three main groups based on their contributions to the development of information and cyber security maturity assessment: (1) the development of new maturity concepts, (2) the implementation of known maturity concepts in different contexts, and (3) the provision of supporting methodologies or frameworks that enhance the understanding or practical application of maturity models.
The first category comprises 16 of 36 (44%) studies (Table 7). These studies show clear progress towards more adaptable, sector-specific ICS MMs and reflect an evolving understanding of cyber security as a dynamic, ongoing process. The evolution of ICS MMs shows clear trends towards sector-specific customisation, resilience, simplification, and accessibility, as well as intelligence-driven adaptability. While the traditional approach focussed on broad applicability and often offered a one-size-fits-all solution, more recent studies are helping to broaden the field by developing sector-specific models that address the challenges in specific industries. For example, RA3 introduces a vulnerability-focussed cyber security maturity assessment model aimed at improving the security of critical infrastructure, while RA9 presents a holistic cyber security maturity assessment framework designed for higher education institutions. This trend highlights the growing demand for customised approaches that address sector-specific challenges. Some models, such as the CRMM in RA6, go beyond prevention to include organisational resilience—how effectively an organisation can recover from incidents. This recognises the inevitability of attacks and focusses on recovery and adaptability, as opposed to traditional models that emphasise prevention. Studies such as RA13 and RA14 focus on making cyber security assessment simpler and more accessible, especially for smaller organisations with limited resources. These lightweight frameworks fill a gap left by earlier, more complex models and encourage the wider adoption of cyber security best practices. In addition, some models are focussed on data-driven adaptability, integrating real-time threat data to enable dynamic and responsive cyber security assessments. RA18, for example, integrates real-time threat data, making assessments more dynamic and responsive to evolving threats. 
This adaptability represents a move away from traditional approaches that rely on fixed metrics and addresses the need for continuous adaptation in a rapidly changing cyber landscape.
As we can see from Table 8, 9 out of 36 (25%) articles were categorised in the second category. These studies contribute by demonstrating how established models and frameworks can be applied in real-world scenarios, addressing challenges and offering insights to improve their effectiveness. Several studies in this group are focussed on practical application and sector-specific adaptation. RA7, for example, adapts C2M2 for railway systems and shows how sector-specific needs are integrated into a general framework. Similarly, RA2 and RA8 provide case studies on how existing maturity models or frameworks (e.g., IT-CMF or NIST CSF) are applied in different organisational environments, such as critical infrastructures or SMEs. These implementations emphasise the versatility of established models and prove their usefulness in different industries. Some studies go beyond mere application by refining these frameworks. RA11, for example, develops a cyber security evaluation tool (CET) based on the NIST CSF and improves it for use in SMEs by simplifying the model for smaller organisations with limited resources. Similarly, RA20 integrates systems thinking into a cyber security resilience framework and refines its approach to incorporate broader organisational processes. The studies in this group also highlight the practical challenges in implementing existing maturity models. RA10 discusses the difficulties organisations face in integrating socio-technical aspects into security assessments and emphasises the need for a more holistic approach that considers both technical and human factors. RA27 focusses on cyber security culture, identifying it as a critical but often overlooked component of maturity assessments and offering a unique insight into the cultural challenges faced by organisations.
The focus of studies in the third group (see Table 9) is generally on analysing gaps, limitations, or challenges in cyber security maturity models and proposing theoretical insights or methodological improvements. Some studies in this group critically evaluate existing maturity models and identify areas for improvement. RA27, for example, emphasises the importance of assessing an organisation’s cyber security culture, a dimension that is often overlooked in traditional maturity models. The authors highlight how cultural maturity directly impacts the effectiveness of cyber security strategies, and call for models that integrate these softer, human-centred aspects. Other studies, such as RA21, examine practitioners’ skills in evaluating information security controls. This article demonstrates that there are inconsistencies in the measurement of security maturity across organisations, pointing to the need for standardised and more precise evaluation procedures. RA10 contributes to this discussion by focussing on the difficulties that organisations face in integrating socio-technical factors into their maturity assessments, showing that a purely technical evaluation often fails to capture the full picture of an organisation’s cyber security readiness. This group also includes articles that point to areas that should be explored in the future. RA30, for example, highlights the impact of the Cyber Trust Program on government cyber security maturity and points to the need for further study on how such programmes can improve maturity in other sectors. Similarly, RA27 and RA21 point to gaps in current maturity models that require more attention, particularly regarding cultural and human factors, thus offering directions for future research.
  • RQ3: In which sectors and industries have ICS MMs been applied most effectively and what type of organisations have found the concept of information/cyber security maturity assessment useful?
The results of the qualitative synthesis in Table 10 show that ICS MMs have been applied across a wide range of sectors, industries, and organisation types, particularly where cyber security is critical to business continuity and risk management. Key sectors where ICS MMs have proven successful include critical infrastructure, healthcare, education, and SMEs. These industries benefit from maturity assessments due to their high exposure to cyber threats, regulatory pressures, and the need to protect sensitive data.
Critical infrastructures, including railways, energy, utilities, and cyber-physical systems, have benefited significantly from ICS MMs such as the C2M2. These models help to improve resilience and preparedness against cyber threats, especially in high-risk sectors where business continuity is essential (RA3, RA4, RA7, RA35). The success of ICS MMs in these areas demonstrates their value in sectors where risk mitigation and security are prioritised due to the potential for serious disruption.
Government institutions have also found ICS MMs to be effective, using models such as the Cyber Trust Program (CTP) and tailored Capability Maturity Model Integration (CMMI) to improve incident response capabilities and ensure compliance with international standards. The ability of these models to improve both resilience and compliance demonstrates their adaptability in public sector organisations (RA18, RA20, RA30).
Furthermore, the healthcare sector has effectively utilised ICS MMs, particularly to comply with regulations and protect sensitive patient data. RA25 introduces an ISMM designed specifically for healthcare organisations to address the challenges of data security in a highly regulated environment. Lessons learned from recent security incidents, such as the WannaCry ransomware incident in May 2017, which crippled transport and other government systems worldwide and forced the UK healthcare system to turn away patients even though no patient data were compromised, show that such incidents not only have the potential to inflict financial loss on individuals and organisations, but also pose a very real threat to healthcare facilities in fulfilling their critical mission of patient care [96]. Therefore, due to compliance requirements such as HIPAA, healthcare organisations have determined that ICS MMs are essential to ensuring the confidentiality, integrity, and availability of sensitive data.
Higher education institutions facing challenges in balancing openness and security have also successfully applied ICS MMs, such as the HCYMAF. These models help universities protect research data and respond to the growing complexity of cyber threats in the academic environment (RA9, RA19).
The results of our analysis show that SMEs also benefit from cyber security maturity models, especially when these models are tailored to their unique constraints. RA11 presents a cyber security evaluation tool based on the NIST CSF to help SMEs improve their security posture despite limited resources. RA13 and RA14 develop lightweight models to support risk management in SMEs and show that even smaller organisations can use maturity models effectively if they are tailored to their needs.
  • RQ4: What are the key drivers for ICS MM adoption?
The authors point out several key factors that motivate organisations to introduce and implement ICS MMs in different industries. The most influential factors are summarised in Table 11.
One of the strongest drivers is regulatory compliance, especially in sectors such as healthcare and finance, where strict data protection laws and regulations apply. For example, RA25 highlights the need for healthcare organisations to comply with regulations such as HIPAA, which is driving the adoption of ICS MMs to ensure compliance with data security standards. Similarly, RA30 emphasises regulatory requirements in government institutions where cyber security compliance is mandatory.
Resilience to cyber threats is another important factor, especially in sectors such as critical infrastructure. RA3 and RA7 show how the implementation of maturity models in critical infrastructure sectors increases resilience to cyber threats. These sectors, which are vital to national security and economic stability, require robust cyber security measures to protect against evolving threats. ICS MMs help these organisations assess their vulnerabilities and improve their ability to detect, respond to and recover from cyber incidents.
Data protection is an important concern for organisations that handle sensitive information, such as healthcare providers and educational institutions. RA9 and RA19 show that universities and research organisations apply maturity models to protect sensitive research data and personal information. Similarly, RA25 addresses the importance of data protection in healthcare, where data breaches can have serious consequences for patient privacy and safety. The need to protect sensitive information is a strong motivator for the adoption of maturity models that improve data security practices.
Risk management and risk mitigation are also important drivers for the adoption of ICS MMs, especially in sectors that are constantly exposed to cyber risks. RA11, RA13, and RA36 emphasise that organisations are adopting maturity models to manage cyber risks more effectively and implement targeted risk mitigation strategies. SMEs, which may not have the resources to develop internal risk management capabilities, are adopting simplified maturity models to manage their cyber security risks cost-effectively.
Another important driver is the need to ensure business continuity in the face of cyber threats. RA7, RA3, and RA35 highlight that industries such as transport, energy, and finance are adopting maturity models to ensure that they can maintain their operations during and after a cyber incident. Ensuring business continuity is essential in sectors where an unplanned downtime could lead to serious economic or societal disruption.
Finally, the introduction of maturity models is often driven by the need for cost-effective security solutions. RA13 and RA11 show how SMEs are adopting lightweight maturity models that provide a structured approach to cyber security without the high costs typically associated with more comprehensive models. The ability to implement effective cyber security practices without significant financial investment is therefore one of the key factors for the adoption of ICS MMs in resource-constrained environments.
  • RQ5: What are the main gaps or limitations that the authors have identified regarding the implementation of ICS MMs in organisations?
As can be seen from Table 12, the authors identified several gaps and limitations in the implementation of ICS MMs in organisations. Overcoming the challenges listed will be crucial for improving the usability and effectiveness of ICS MMs in various industries.
One of the most frequently mentioned barriers is limited resources, especially in SMEs. RA1, RA11, and RA13 emphasise that smaller organisations often struggle with the financial, human, and technical resources required to implement comprehensive maturity models. These organisations tend to have limited expertise in information and cyber security, making it difficult to apply complex models. This scarcity of resources is exacerbated by the need for ongoing assessments and improvements, which smaller organisations may find burdensome.
The complexity of models is another issue. RA11 and RA16 note that some ICS MMs are overly complex, making them difficult to understand and implement, especially for organisations with limited technical resources. These complex models may require a high level of information/cyber security maturity before an organisation can begin the assessment process, which can be a significant barrier for many organisations.
Another limitation is the lack of practical guidance on how to effectively implement and utilise ICS MMs. RA25 and RA26 emphasise that while many maturity models provide a conceptual framework, they do not provide the detailed guidance that organisations need to take concrete steps to improve their cyber security posture. This can lead to organisations not knowing how to prioritise and apply the recommendations resulting from maturity assessments, which reduces the effectiveness of these models.
Another challenge is the customisation of ICS MMs to specific sectors. RA7, RA25, and RA9 point to the need for sector-specific adaptations of maturity models, as generic models often do not meet the specific requirements of industries such as healthcare, higher education, and critical infrastructure. The lack of customised models limits the relevance and applicability of maturity assessments in these sectors.
In addition, another challenge is to harmonise maturity models with corporate goals. RA36 and RA13 point out that it can be difficult for organisations to align cyber security maturity goals with broader business goals such as cost reduction or operational efficiency. If maturity models are not aligned with an organisation’s strategic priorities, information/cyber security initiatives may be seen as a drain on resources rather than an enabler of the business. This misalignment can reduce executive commitment to supporting the necessary information/cyber security investments.
The lack of automation and tool support is another limitation identified in the literature. RA11 and RA31 mention that the manual processes required for many maturity assessments are time consuming and prone to human error. Organisations need automated tools that can streamline the assessment process and monitor the progress of information/cyber security maturity in real time. Without such tools, implementing ICS MMs can become a resource-intensive task, reducing their attractiveness to organisations.
Finally, the inconsistent metrics and evaluation criteria used across different maturity models pose a challenge for organisations attempting to benchmark their cyber security posture. RA21 and RA24 highlight the lack of standardisation in the way maturity is assessed, which can make it difficult for organisations to compare their results with industry standards or with the results of similar organisations. This inconsistency undermines the effectiveness of maturity models as a tool for measuring progress over time or against competitors.
Despite the many identified gaps or limitations in the implementation of ICS MMs, we agree with the assertions of many previous studies that information and cyber security maturity models can help organisations assess their capabilities, create a roadmap or action plan, and improve their progress in information/cyber security governance and management processes (see, e.g., [60,97,98]).
  • RQ6: What opportunities and future research directions in the field of information/cyber security maturity assessment have the authors identified?
The area of information and cyber security maturity assessment is still evolving, and several opportunities and future research directions have been identified in the literature. These findings are summarised in Table 13.
One of the main opportunities identified is the need for empirical validation of the models. Many of the conceptual maturity models that have been developed in recent years have not been rigorously tested in real-world environments. Studies such as RA6, RA9, and RA15 call for more empirical research to validate the effectiveness of these models in improving information/cyber security practices. Empirical validation would not only increase the credibility of the models, but also provide valuable feedback to refine and improve their design. Table 13 highlights several studies that emphasise the importance of empirical testing for progress in this area. Furthermore, this problem has already been emphasised by some authors in previous systematic literature reviews in the field of information and cyber security assessment (e.g., [53,79]).
As mentioned in earlier sections, another important research direction is the adaptation of maturity models to specific industries. RA7, RA9, and RA25 indicate that more sector-specific adaptations of maturity models are needed. Future research should therefore focus on the development of sector-specific maturity models and frameworks that meet the specific regulatory, technical, and operational requirements of different industries. In addition, [99] emphasises the need to support SMEs with tailored models that are more situational and can adapt to their specific needs. An adaptable maturity model has a higher value, because the resulting capabilities and areas for improvement match the expectations and characteristics of SMEs [100]. All this evidence confirms our assumptions about the lack of suitable ICS MM concepts for SMEs and opens up avenues for future research, which should continue to focus on developing models that are accessible to smaller organisations without compromising the robustness of maturity assessment.
The integration of emerging technologies into maturity models is another important area for future research. RA28 and RA32 discuss the need to incorporate technologies such as cloud computing, artificial intelligence, and blockchain into maturity assessments. These technologies are becoming increasingly important for managing cyber security risks, but many existing maturity models do not consider their unique challenges and opportunities. Research in this area would help ensure that maturity models remain relevant in a rapidly evolving technological landscape.
There is also a great opportunity to develop automated tools that support the implementation of maturity models. RA11 and RA31 highlight the potential benefits of automation by streamlining the assessment process, reducing human error, and enabling real-time monitoring of information/cyber security maturity. The development of automated tools would make it easier for organisations to adopt and maintain maturity models, especially in industries with limited information/cyber security resources. This could also help solve the problem of manual, time-consuming assessments, as described in RA11.
In addition to these technical opportunities, future research could focus on simplifying models for SMEs. RA13, RA14, and RA1 emphasise the need for maturity models that are accessible to smaller organisations with limited resources. Developing lightweight, cost-effective models that SMEs can easily adopt would broaden the applicability of maturity assessments and provide smaller organisations with the tools they need to improve their cyber security posture.
Finally, there is an opportunity to focus on cross-organisational comparisons by standardising the metrics and evaluation criteria used in maturity assessments. Significant differences in maturity levels across organisations have been identified, which calls for more consistent assessment and more precise definitions of maturity levels [6,65,101]. RA21 and RA24 call for more research to develop standardised metrics that would allow organisations to compare their information/cyber security maturity across industries and regions. This would increase the value of maturity models as benchmarking tools and provide organisations with better insight into their cyber security performance compared to their peers.
While this study provides a broad perspective on the assessment of information and cyber security maturity, we recognise that the depth of analysis for each sub-sector is limited by the scope of this review. Sub-sectors such as critical infrastructure, healthcare, or SMEs, as shown in Table 10, deserve specific studies to examine their particular challenges and requirements. Future research should build on this foundation to provide deeper, sector-specific insights to further improve our understanding of cyber security maturity.

7. Conclusions

This study provides critical insights into the drivers, challenges, and future opportunities for information and cyber security maturity. Our findings from qualitative synthesis (especially RQ4–RQ6) reveal that regulatory compliance, cyber threat resilience, and the demand for cost-effective solutions are the main drivers for the adoption of maturity models across various industries. However, significant challenges remain, including model complexity, insufficient sector-specific customisation, and limited resources, particularly for SMEs.
Future research should prioritise the development of simplified, adaptable frameworks tailored to specific sectors, with a focus on SMEs. Integrating emerging technologies such as AI, cloud computing, and automation into maturity models will improve their adaptability and responsiveness to evolving cyber threats. In addition, efforts to empirically validate these models in real-world environments will strengthen their credibility and practical relevance.
By bridging these gaps, maturity assessments can help organisations improve their resilience, align their security efforts with business objectives, and manage the complexity of digital transformation. This study highlights the critical role of information and cyber security maturity in driving organisational security and resilience and paves the way for wider adoption and innovation in this area.

Author Contributions

Conceptualisation, A.B. (Alenka Brezavšček); methodology, A.B. (Alenka Brezavšček); software, A.B. (Alenka Brezavšček); validation, A.B. (Alenka Baggia) and A.B. (Alenka Brezavšček); formal analysis, A.B. (Alenka Brezavšček); investigation, A.B. (Alenka Baggia) and A.B. (Alenka Brezavšček); resources, A.B. (Alenka Baggia) and A.B. (Alenka Brezavšček); data curation, A.B. (Alenka Brezavšček); writing—original draft preparation, A.B. (Alenka Brezavšček); writing—review and editing, A.B. (Alenka Baggia) and A.B. (Alenka Brezavšček); visualisation, A.B. (Alenka Brezavšček); supervision, A.B. (Alenka Baggia) and A.B. (Alenka Brezavšček); project administration, A.B. (Alenka Baggia) and A.B. (Alenka Brezavšček). All authors have read and agreed to the published version of the manuscript.

Funding

This research received no external funding.

Data Availability Statement

Data will be made available upon reasonable request to the authors.

Conflicts of Interest

The authors declare no conflicts of interest.

Abbreviations

Abbreviation | Definition
AISMA | Advanced Information Security Maturity Assessment
BCM | Business Continuity Management
BPM | Business Process Management
C2M2 | Cybersecurity Capability Maturity Model
CET | Cyber Security Evaluation Tool
CMM | Capability Maturity Model
CMMI | Capability Maturity Model Integration
CRMM | Cybersecurity Resilience Maturity Measurement
CSCMM | Cyber Security Capability Maturity Model
CTI | Cyber Threat Intelligence
CTI-SOC2M2 | Cyber Threat Intelligence-driven SOC Maturity Model
CTP | Cyber Trust Program
CyFEr | Cybersecurity Vulnerability Mitigation Framework Through Empirical Paradigm
DCCI | Dynamic Capabilities in Cybersecurity Intelligence
DFR | Digital Forensic Readiness
DSR | Design Science Research
EC | Exclusion Criteria
EPGA | Enhanced Prioritised Gap Analysis
F4SLE | Framework for Security Level Evaluation
GDPR | General Data Protection Regulation
HCYMAF | Holistic Cybersecurity Maturity Assessment Framework
HDM | Hierarchical Decision Model
HEI | Higher Education Institution
HIPAA | Health Insurance Portability and Accountability Act
IC | Inclusion Criteria
ICS MM | Information and Cyber Security Maturity Models
ICT | Information Communication Technology
IoT | Internet of Things
IPCA | Information Protection Culture Assessment
IRM3 | Incident Response Management Maturity Model
IS | Information System
ISFAM | Information Security Focus Area Maturity
ISM | Information System Management
ISM MM | Information Security Management Maturity
ISMS | Information System Management System
IT | Information Technology
IT-CMF | IT Capability Maturity Framework
JCR | Journal Citation Reports
LiSRA | Lightweight Security Risk Assessment
MAISMMC | Method for Adaptive Information Security Maturity Modelling in Clusters
MIL | Maturity Indicator Level
MITRE ATT&CK | Globally accessible knowledge base of adversary tactics and techniques based on real-world observations
NIST CSF | National Institute of Standards and Technology Cybersecurity Framework
NREN | National Research and Education Networks
NSIC | Network Security Intelligence Center
OC | Organisational Characteristics
OMM | Organisational Maturity Models
PMM | Process Related Maturity Models
PRISMA | Preferred Reporting Items for Systematic Reviews and Meta-Analyses
ProGReSS | Promoting Global Cyber Resilience for Sectors and Society
SCMAF | Cybersecurity Maturity Assessment Framework
SLR | Systematic Literature Review
SME | Small and Medium-Sized Enterprise
SOC | Security Operations Center
SPICE | Software Process Improvement and Capability Determination

Appendix A

Table A1. List of research articles included in qualitative synthesis.
ID | Title | Reference | Domain | Short Description of the Study
RA1 | Maturity assessment and process improvement for information security management in small and medium enterprises | [100] | IS | The study proposes a method adapted to small and medium enterprises (SMEs) to conduct a first assessment of the enterprise’s information security maturity and improve its process accordingly.
RA2 | A Framework for Information Security Governance and Management | [60] | IS | The authors present a practitioner-oriented ISGM capability maturity framework that incorporates technical, process, and human dimensions. The framework is underpinned by the premise that the pace and manner with which an organisation can proactively respond to new and emerging security threats depends on the maturity of its ISGM capability.
RA3 | A vulnerability-driven cyber security maturity model for measuring national critical infrastructure protection preparedness | [102] | CS | This paper proposes a maturity model for measuring the readiness levels of national critical infrastructure protection efforts in Turkey. The development of the model involves two steps. The first step analyses data pertaining to national cyber security projects using grounded theory to extract the root causes of the susceptibility of critical infrastructures to cyber threats. The second step determines the maturity criteria by introducing the root causes to subject matter experts polled in a Delphi survey.
RA4 | Advanced approach to information security management system utilising maturity models in critical infrastructure | [101] | IS/CS | The authors have developed an information security maturity model that can measure and manage the information security capability of critical infrastructure based on information provided by an expert critical infrastructure information protection group.
RA5 | “Security Concern” as a Metric for Enterprise Business Processes | [103] | IS | The authors introduce a novel security metric (Security Concern) to assess business process security. The metric quantitatively measures the “concern” due to various attributes of the security of a business process in the context of the threat scenario and asset sensitivity.
RA6 | Conceptual Design of a Cybersecurity Resilience Maturity Measurement (CRMM) Framework | [104] | CS | The study presents the conceptual design for a cyber security resilience maturity measurement (CRMM) framework to be applied in organisations, notably for critical information infrastructure (CII), as a part of cyber risk management treatment.
RA7 | Cybersecurity for railways—a maturity model | [105] | CS | The authors have developed the Railway-Cybersecurity Capability Maturity Model (R-C2M2), which is based on the C2M2. The application of this model allows railway organisations to improve their capability to reduce the impacts of cyber attacks and eradicate vulnerabilities. The approach can also be extended to other infrastructures with the necessary adaptations.
RA8 | Cybersecurity vulnerability mitigation framework through empirical paradigm: Enhanced Prioritised Gap Analysis | [106] | CS | The authors have developed a framework and software application called the Cybersecurity vulnerability mitigation framework through an empirical paradigm (CyFEr). The detailed architecture of CyFEr’s Enhanced Prioritised Gap Analysis (EPGA) methodology and its application to CSF are presented in the paper.
RA9 | A Holistic Cybersecurity Maturity Assessment Framework for Higher Education Institutions in the United Kingdom | [97] | IS/CS | The study presents a light, web-based Holistic Cybersecurity Maturity Assessment Framework that can be used as a cyber security assessment tool for Higher Education Institutes (HEIs) in the United Kingdom. The framework incorporates all security and privacy regulations, as well as best practices, that HEIs must comply with. It can be used as a self-assessment or a cyber security audit tool.
RA10 | A real-world information security performance assessment using a multidimensional socio-technical approach | [61] | IS | The study aims to present and validate the ISP 10×10M model used for evaluating the performance of information security in organisations.
RA11 | Calculated risk? A cybersecurity evaluation tool for SMEs | [107] | CS | The authors propose a cyber security evaluation tool (CET) which can be used for cyber security risk assessment in SMEs. The tool consists of a 35-question online survey to be completed by IT leaders to self-rate their maturity within the five NIST framework categories: identify, protect, detect, respond, and recover.
RA12 | Cybersecurity Vulnerability Mitigation Framework Through Empirical Paradigm (CyFEr): Prioritised Gap Analysis | [108] | CS | The content of the paper is similar to that of RA8. The authors have developed a framework and a software application, CyFEr. A detailed architecture of CyFEr is presented, as well as its application to CSF.
RA13 | LiSRA: Lightweight Security Risk Assessment for decision support in information security | [109] | IS | The authors propose the LiSRA framework to aid domain-specific information security decision-making. It incorporates domain-specific information provided by experts, allowing users to focus on specifying their security practices and organisational characteristics. This information is linked to attack paths and adverse impacts to assess the overall risk.
RA14 | Modelling adaptive information security for SMEs in a cluster | [98] | IS | The paper presents a method for adapting an Information Security Focus Area Maturity (ISFAM) model to the organisational characteristics (OCs) of an SME cluster. The purpose is to provide SMEs with a tailored maturity model enabling them to capture and improve their information security capabilities.
RA15 | Towards a Capability Maturity Model for Digital Forensic Readiness | [110] | IS/CS | The study provides a capability maturity model (CMM) to assess the current state of initiatives in digital forensic readiness (DFR). As such, the model provides guidance for steering efforts in the right direction.
RA16 | Towards Development of a Cyber Security Capability Maturity Model | [111] | IS/CS | The authors have performed a critical analysis of nine contemporary maturity models to develop a new maturity model, i.e., the cyber security capability maturity model (CSCMM).
RA17 | Adopting security maturity model to the organisations’ capability model | [112] | IS/CS | An Information Security Management model is proposed that classifies organisations into five levels. Each level determines the technologies and process capability used by the organisations. There is a set of factors that can help in determining the security maturity level, such as technology, people, and infrastructure.
RA18 | CTI-SOC2M2—The quest for mature, intelligence-driven security operations and incident response capabilities | [66] | CS | The authors have developed a capability maturity model, CTI-SOC2M2, that uses the degree of cyber threat intelligence (CTI) integration as a proxy for security operations service maturity. They examined existing maturity models in the domains of Security Operations Centers (SOCs), incident response, and CTI.
RA19 | Cybersecurity maturity assessment framework for higher education institutions in Saudi Arabia | [113] | IS/CS | The paper proposes a SCMAF for higher education institutions in Saudi Arabia. SCMAF is a comprehensive, customised security maturity assessment framework aligned with local and international security standards. It can be used as a self-assessment method to establish the security level and highlight the weaknesses and mitigation plans that need to be implemented.
RA20 | Incorporating Systems Thinking Into a Cyber Resilience Maturity Model | [114] | CS | The paper aims to address the challenge of achieving cyber resilience in critical infrastructure. It proposes a systems thinking approach, viewing critical infrastructure as a system of systems. The authors suggest exploring cyber resilience as a system property, considering the multiple dimensions of operation and different domains of practice within the sector. They discuss the concepts of dimensions of operation and domains of practice, which are incorporated into a sectoral cyber resilience maturity model.
RA21 | Maturity level assessments of information security controls: an empirical analysis of practitioners assessment capabilities | [6] | IS | The authors have conducted a case study to verify the quality of maturity level assessments where security experts assessed a subset of the ISO/IEC 27002 security controls for a hypothetical scenario using the COBIT maturity levels.
RA22 | CAESAR8: An Agile Enterprise Architecture Approach to Managing Information Security Risks | [64] | IS | The authors describe a novel approach that supports dynamic and holistic reviews of information security risks in IT projects, based on a checklist that assesses the maturity of security considerations in eight domains that often cause information security failures.
RA23 | Cyber Security Maturity Assessment Framework for Technology Startups: A Systematic Literature Review | [5] | CS | The authors have conducted an SLR which revealed the lack of an end-to-end cyber security maturity assessment framework for technology startups.
RA24 | Information Security Management Maturity Models | [75] | IS | The study compares eight different maturity models (The Bank of Russia’s ISM MM, ISMS Maturity Capability Model, NIST’s IS MM, Open Group’s ISM MM, Gartner’s Security and Risk Management ML assessment, IS Risk Management Process MM, Security Incident Management Models, and IS Monitoring MM). The comparison results are intended to be used for developing a new maturity model for Network Security Intelligence Centers (NSICs).
RA25 | Information Security Maturity Model for Healthcare Organisations in the United States | [96] | IS | Following the hierarchical decision model (HDM) approach, the authors have provided a new maturity model for information security for healthcare organisations in the United States.
RA26 | Managing the Inevitable—A Maturity Model to Establish Incident Response Management Capabilities | [65] | IS/CS | The authors have followed a design science research (DSR) approach to develop an incident response management maturity model (IRM3). The proposed model is closely aligned with practice requirements under a socio-technical lens.
RA27 | Determining cybersecurity culture maturity and deriving verifiable improvement measures | [115] | CS | The authors analyse how to measure and improve the cyber security culture in a company. Using two surveys, the authors assessed the maturity of cyber security culture and introduced measures to improve key areas such as accountability and policy effectiveness.
RA28 | Dynamic Capabilities in Cybersecurity Intelligence: A Meta-Synthesis to Enhance Protection Against Cyber Threats | [116] | CS | The study proposes a Dynamic Capability in Cybersecurity Intelligence (DCCI) model to improve organisations’ protection against cyber threats. The paper summarises 47 case studies to identify technological, organisational, and management capabilities that help build cyber security intelligence and reduce cyber risks.
RA29 | Leveraging Taxonomical Engineering for Security Baseline Compliance in International Regulatory Frameworks | [117] | IS | The study presents a security baseline model for European National Research and Education Networks (NRENs). The authors have developed a security maturity model tailored to research and education institutions by applying taxonomic design principles to align security baseline requirements with various international security regulations such as ISO and GDPR.
RA30 | The impacts of the Cyber Trust Program on the cybersecurity maturity of government entities in the Kingdom of Bahrain | [118] | CS | The authors examine the CTP in Bahrain. The study concludes that the CTP has significantly improved cyber security awareness, reduced cyberattacks, and optimised resources in government entities, with strong support from top management being critical to its success.
RA31 | Zero trust cybersecurity: critical success factors and a maturity assessment framework | [119] | CS | The study identifies the key success factors for implementing zero trust cyber security and presents an eight-dimensional framework to guide organisations in assessing and improving their zero trust maturity, covering areas such as identity, endpoints, data, and infrastructure.
RA32 | A logging maturity and decision model for the selection of intrusion detection cyber security solutions | [120] | IS/CS | The authors propose a model to help organisations select appropriate intrusion detection and logging solutions based on their needs and constraints. They introduce a logging maturity model and a decision model that incorporates factors such as cost, complexity, and compliance to help organisations, especially SMEs, improve their cyber security capabilities.
RA33 | Create your own MUSE: a method for updating security level evaluation instruments | [121] | IS | The study introduces MUSE, a method for updating security evaluation instruments to maintain their validity and ensure result comparability over time. The method was tested with a case study updating the F4SLE (Framework for Security Level Evaluation) instrument based on the Estonian Information Security Standard and cross-referenced with ISO 27002 controls.
RA34 | Managing security evidence in safety-critical organisations | [122] | IS/CS | The authors analyse how security evidence is managed in safety-critical industries such as the automotive industry and medical technology. They highlight the challenges associated with the complexity of managing security artefacts and point to the need for structured processes and potential automation to meet growing regulatory requirements.
RA35 | Resilience-driven Cyber-physical Risk Assessment and Investment Planning for Power Substations | [123] | CS | The study is based on the C2M2, which is used to assess the cyber security readiness and capability of power substations. The model uses maturity indicator levels (MILs) to quantify vulnerabilities and inform cyber security investment decisions to improve the resilience of cyber-physical systems in power substations.
RA36 | Should firms invest more in cybersecurity? | [124] | CS | The authors analyse the relationship between investments in cyber security and cyber incidents in Dutch companies. They use survey data and administrative tax records to assess how cyber security maturity affects the likelihood of incidents and profitability. The study finds an inverted U-shaped relationship, where higher levels of cyber security maturity initially lead to more incidents due to better detection, but the highest levels of maturity reduce incident rates. However, the study found no significant correlation between cyber security measures and firms’ profitability.
Legend: IS—Information Security, CS—Cyber Security.

References

1. De Matteis, J.; Elia, G.; Del Vecchio, P. Business Continuity Management and Organizational Resilience: A Small and Medium Enterprises (SMEs) Perspective. J. Conting. Crisis Manag. 2023, 31, 670–682.
2. Bhamra, R.; Dani, S.; Burnard, K. Resilience: The Concept, a Literature Review and Future Directions. Int. J. Prod. Res. 2011, 49, 5375–5393.
3. Groenendaal, J.; Helsloot, I. Cyber Resilience during the COVID-19 Pandemic Crisis: A Case Study. J. Conting. Crisis Manag. 2021, 29, 439–444.
4. Sánchez, M.A.; De Batista, M. Business Continuity for Times of Vulnerability: Empirical Evidence. J. Conting. Crisis Manag. 2023, 31, 431–440.
5. Marican, M.N.Y.; Razak, S.A.; Selamat, A.; Othman, S.H. Cyber Security Maturity Assessment Framework for Technology Startups: A Systematic Literature Review. IEEE Access 2023, 11, 5442–5452.
6. Schmitz, C.; Schmid, M.; Harborth, D.; Pape, S. Maturity Level Assessments of Information Security Controls: An Empirical Analysis of Practitioners Assessment Capabilities. Comput. Secur. 2021, 108, 102306.
7. Moher, D.; Liberati, A.; Tetzlaff, J.; Altman, D.G. Preferred Reporting Items for Systematic Reviews and Meta-Analyses: The PRISMA Statement. Int. J. Surg. 2010, 8, 336–341.
8. Page, M.J.; McKenzie, J.E.; Bossuyt, P.M.; Boutron, I.; Hoffmann, T.C.; Mulrow, C.D.; Shamseer, L.; Tetzlaff, J.M.; Akl, E.A.; Brennan, S.E.; et al. The PRISMA 2020 Statement: An Updated Guideline for Reporting Systematic Reviews. BMJ 2021, 372, n71.
9. Mettler, T. Maturity Assessment Models: A Design Science Research Approach. Int. J. Soc. Syst. Sci. 2011, 3, 81–98.
10. Mettler, T.; Rohner, P.; Winter, R. Towards a Classification of Maturity Models in Information Systems; D’Atri, A., De Marco, M., Braccini, A.M., Cabiddu, F., Eds.; Physica-Verlag HD: Heidelberg, Germany, 2010; pp. 333–340.
11. Virkkala, P.; Saarela, M.; Hänninen, K.; Kujala, J.; Simunaniemi, A.-M. Business Maturity Models for Small and Medium-Sized Enterprises: A Systematic Literature Review. Management 2020, 15, 137–155.
12. Becker, J.; Knackstedt, R.; Pöppelbuß, J. Developing Maturity Models for IT Management. Bus. Inf. Syst. Eng. 2009, 1, 213–222.
13. Iversen, J.; Nielsen, P.; Nørbjerg, J. Situated Assessment of Problems in Software Development. ACM SIGMIS Database Database Adv. Inf. Syst. 1999, 30, 66–81.
14. Roeglinger, M.; Poeppelbuss, J.; Becker, J. Maturity Models in Business Process Management. Bus. Process Manag. J. 2012, 18, 328–346.
15. Wendler, R. The Maturity of Maturity Model Research: A Systematic Mapping Study. Inf. Softw. Technol. 2012, 54, 1317–1339.
16. Felch, V.; Asdecker, B.; Sucky, E. Maturity Models in the Age of Industry 4.0—Do the Available Models Correspond to the Needs of Business Practice? In Proceedings of the 52nd Hawaii International Conference on System Sciences, Maui, HI, USA, 8–11 January 2019.
17. Leino, S.-P.; Kuusisto, O.; Paasi, J.; Tihinen, M. VTT Model of Digimaturity. In Towards a New Era in Manufacturing; VTT Technical Research Centre of Finland Ltd.: Espoo, Finland, 2017; pp. 41–46. ISBN 978-951-38-8514-4.
18. Proença, D. Methods and Techniques for Maturity Assessment. In Proceedings of the 2016 11th Iberian Conference on Information Systems and Technologies (CISTI), Gran Canaria, Spain, 15–18 June 2016; pp. 1–4.
19. De Bruin, T.; Rosemann, M.; Freeze, R.; Kaulkarni, U. Understanding the Main Phases of Developing a Maturity Assessment Model. In Proceedings of the 16th Australasian Conference on Information Systems (ACIS); Sydney, NSW, Australia, 29 November–2 December 2005, Bunker, D., Campbell, B., Underwood, J., Eds.; Australasian Chapter of the Association for Information Systems: CD Rom; Queensland University of Technology: Brisbane, QLD, Australia, 2005; pp. 8–19.
20. Tocto-Cano, E.; Paz Collado, S.; López-Gonzales, J.L.; Turpo-Chaparro, J.E. A Systematic Review of the Application of Maturity Models in Universities. Information 2020, 11, 466.
21. Lee, D.; Gu, J.-W.; Jung, H.-W. Process Maturity Models: Classification by Application Sectors and Validities Studies. J. Softw. Evol. Process 2019, 31, e2161.
22. Adekunle, S.; Ejohwomu, O.; Ikuabe, M.; Fatai, O. A Critical Review of Maturity Model Development in the Digitisation Era. Buildings 2022, 12, 858.
23. Kucińska-Landwójtowicz, A. Organizational Maturity Models—Review and Classification. In Proceedings of the CBU International Conference Proceedings, Prague, Czech Republic, 20–22 March 2019; Volume 7, pp. 186–192.
24. Dos Santos-Neto, J.B.S.; Costa, A.P.C.S. Enterprise Maturity Models: A Systematic Literature Review. Enterp. Inf. Syst. 2019, 13, 719–769.
25. Paulk, M.C.; Curtis, B.; Chrissis, M.B.; Weber, C.V. Capability Maturity Model, Version 1.1. IEEE Softw. 1993, 10, 18–27.
26. Tarhan, A.; Turetken, O.; Reijers, H.A. Business Process Maturity Models: A Systematic Literature Review. Inf. Softw. Technol. 2016, 75, 122–134.
27. Kalinowski, T.B. Business Process Maturity Models Research: A Systematic Literature Review. Int. J. Manag. Sci. Bus. Adm. 2020, 7, 29–35.
28. Farkaș, L.; Băroiu, A. Systematic Literature Review of Process Management Maturity and Management Processes Maturity. J. Softw. Syst. Dev. 2022, 2022, 435363.
29. Poeppelbuss, J.; Niehaves, B.; Simons, A.; Becker, J. Maturity Models in Information Systems Research: Literature Search and Analysis. Commun. Assoc. Inf. Syst. 2011, 29, 505–532.
30. Mettler, T.; Ballester, O. Maturity Models in Information Systems: A Review and Extension of Existing Guidelines. In Proceedings of the Forty-Second International Conference on Information Systems, Austin, TX, USA, 12–15 December 2021.
31. Li, C.H.; Lau, H.K. A Critical Review of Maturity Models in Information Technology and Human Landscapes on Industry 4.0. In Proceedings of the 2019 IEEE International Conference on Industrial Technology (ICIT), Melbourne, VIC, Australia, 13–15 February 2019; pp. 1575–1579.
32. Pereira, R.; Serrano, J. A Review of Methods Used on IT Maturity Models Development: A Systematic Literature Review and a Critical Analysis. J. Inf. Technol. 2020, 35, 161–178.
33. Silva, F.; Tammela, I.; Narcizo, R. A Systematic Literature Review on Industry 4.0 Maturity Models. In Proceedings of the Conference: XXVIII Simpósio de Engenharia de Produção, Bauru, Brazil, 10–12 November 2021.
34. Hein-Pensel, F.; Winkler, H.; Brückner, A.; Wölke, M.; Jabs, I.; Mayan, I.J.; Kirschenbaum, A.; Friedrich, J.; Zinke-Wehlmann, C. Maturity Assessment for Industry 5.0: A Review of Existing Maturity Models. J. Manuf. Syst. 2023, 66, 200–210.
35. Barraza De La Paz, J.V.; Rodríguez-Picón, L.A.; Morales-Rocha, V.; Torres-Argüelles, S.V. A Systematic Review of Risk Management Methodologies for Complex Organizations in Industry 4.0 and 5.0. Systems 2023, 11, 218.
36. Belghith, O.; Skhiri, S.; Zitoun, S.; Ferjaoui, S. A Survey of Maturity Models in Data Management. In Proceedings of the 2021 IEEE 12th International Conference on Mechanical and Intelligent Manufacturing Technologies (ICMIMT), Cape Town, South Africa, 13–15 May 2021; pp. 298–309.
37. Çaldağ, M.T.; Gökalp, E. The Maturity of Open Government Data Maturity: A Multivocal Literature Review. Aslib J. Inf. Manag. 2022, 74, 1007–1030.
38. Al-Sai, Z.A.; Husin, M.H.; Syed-Mohamad, S.M.; Abdullah, R.; Zitar, R.A.; Abualigah, L.; Gandomi, A.H. Big Data Maturity Assessment Models: A Systematic Literature Review. Big Data Cogn. Comput. 2023, 7, 2.
39. Meza-Ruiz, I.D.; Rocha-Lona, L.; del Rocío Soto-Flores, M.; Garza-Reyes, J.A.; Kumar, V.; Lopez-Torres, G.C. Measuring Business Sustainability Maturity-Levels and Best Practices. Procedia Manuf. 2017, 11, 751–759.
40. Vásquez, J.; Aguirre, S.; Puertas, E.; Bruno, G.; Priarone, P.C.; Settineri, L. A Sustainability Maturity Model for Micro, Small and Medium-Sized Enterprises (MSMEs) Based on a Data Analytics Evaluation Approach. J. Clean. Prod. 2021, 311, 127692.
41. Machado, M.C.; Carvalho, T.C. Maturity Models and Sustainable Indicators—A New Relationship. Sustainability 2021, 13, 13247.
42. Vargas-Florez, J.; Ruiz-Cantisani, M.I.; Castro-Zuluaga, C.; Marquez-Gutierrez, M. Small and Medium Enterprise-SMEs’ Resilience Model Based on Maturity Cycle. In Proceedings of the Eighteen LACCEI International Multi-Conference for Engineering, Education Caribbean Conference For Engineering And Technology, Virtual, 27–31 July 2020; Latin American and Caribbean Consortium of Engineering Institutions: Bogota, Colombia, 2020.
43. Stocker, J.; Herda, N.; Wolf, M.; Ruf, S. A Maturity Model to Assess and Foster the Resilience of Organizations. Art Soc. 2022, 1, 1–12.
44. Carías, J.F.; Arrizabalaga, S.; Labaka, L.; Hernantes, J. Cyber Resilience Progression Model. Appl. Sci. 2020, 10, 7393.
45. Backlund, F.; Chronéer, D.; Sundqvist, E. Project Management Maturity Models—A Critical Review: A Case Study within Swedish Engineering and Construction Organizations. Procedia Soc. Behav. Sci. 2014, 119, 837–846.
46. Fabbro, E.; Tonchia, S. Project Management Maturity Models: Literature Review and New Developments. J. Mod. Proj. Manag. 2022, 8, 31–45.
47. Kljajić Borštnar, M.; Pucihar, A. Multi-Attribute Assessment of Digital Maturity of SMEs. Electronics 2021, 10, 885.
48. Pham Minh, H.; Pham Thi Thanh, H. Comprehensive Review of a Digital Maturity Model and Proposal for a Continuous Digital Transformation Process with Digital Maturity Model Integration. Sist. Gestão 2022, 17, 89–103.
49. Teichert, R. Digital Transformation Maturity: A Systematic Review of Literature. Acta Univ. Agric. Silvic. Mendel. Brun. 2019, 67, 1673–1687.
50. Sadiq, R.B.; Safie, N.; Abd Rahman, A.H.; Goudarzi, S. Artificial Intelligence Maturity Model: A Systematic Literature Review. PeerJ Comput. Sci. 2021, 7, e661.
51. Yang, Y.; Shi, Y.; Wang, T. Blockchain Technology Application Maturity Assessment Model for Digital Government Public Service Projects. Int. J. Crowd Sci. 2022, 6, 184–194.
52. Poeppelbuss, J.; Roeglinger, M. What Makes a Useful Maturity Model? A Framework of General Design Principles for Maturity Models and Its Demonstration in Business Process Management. In Proceedings of the 19th European Conference on Information Systems, ECIS 2011, Helsinki, Finland, 9–11 June 2011.
53. Lasrado, L.A.; Vatrapu, R.; Andersen, K.N. Maturity Models Development in IS Research: A Literature Review. IRIS Sel. Pap. Inf. Syst. Res. Semin. Scand. 2015, 6, 6.
54. Nikolaenko, V.; Sidorov, A. Assessment of Project Management Maturity Models Strengths and Weaknesses. J. Risk Financ. Manag. 2023, 16, 121.
55. Naskali, J.; Kaukola, J.; Matintupa, J.; Ahtosalo, H.; Jaakola, M.; Tuomisto, A. Mapping Business Transformation in Digital Landscape: A Prescriptive Maturity Model for Small Enterprises. In Proceedings of the 7th International Conference, WIS 2018; Turku, Finland, 27–29 August 2018, Proceedings; Springer: Cham, Switzerland, 2018; pp. 101–116. ISBN 978-3-319-97930-4.
56. Reid, R.; Niekerk, J.V. From Information Security to Cyber Security Cultures. In Proceedings of the 2014 Information Security for South Africa, Johannesburg, South Africa, 13–14 August 2014; pp. 1–7.
57. Taherdoost, H. Cybersecurity vs. Information Security. Procedia Comput. Sci. 2022, 215, 483–487.
58. von Solms, B.; von Solms, R. Cybersecurity and Information Security—What Goes Where? Inf. Comput. Secur. 2018, 26, 2–9.
  59. De Bruin, R.; von Solms, S.H. Modelling Cyber Security Governance Maturity. In Proceedings of the 2015 IEEE International Symposium on Technology and Society (ISTAS), Dublin, Ireland, 11–12 November 2015; pp. 1–8. [Google Scholar]
  60. Carcary, M.; Renaud, K.; McLaughlin, S.; O’Brien, C. A Framework for Information Security Governance and Management. IT Prof. 2016, 18, 22–30. [Google Scholar] [CrossRef]
  61. Prislan, K.; Mihelič, A.; Bernik, I. A Real-World Information Security Performance Assessment Using a Multidimensional Socio-Technical Approach. PLoS ONE 2020, 15, e0238739. [Google Scholar] [CrossRef] [PubMed]
  62. Aborujilah, A.; Al-Othmani, A.Z.; Hussien, N.S.; Mokhtar, S.A.; Long, Z.A.; Nizam, M. Cybersecurity Risk Assessment Approach for Malaysian Organizations: Malaysian Universities as Case Study. In Proceedings of the 2022 9th International Conference on Electrical and Electronics Engineering (ICEEE), Alanya, Turkey, 29–31 March 2022; pp. 440–450. [Google Scholar]
  63. Deshpande, V.M.; Desai, A. Smart Secure: A Novel Risk Based Maturity Model for Enterprise Risk Management during Global Pandemic. In Proceedings of the 2021 6th International Conference for Convergence in Technology (I2CT), Maharashtra, India, 2–4 April 2021; pp. 1–7. [Google Scholar]
  64. Loft, P.; He, Y.; Yevseyeva, I.; Wagner, I. CAESAR8: An Agile Enterprise Architecture Approach to Managing Information Security Risks. Comput. Secur. 2022, 122, 102877. [Google Scholar] [CrossRef]
  65. Bitzer, M.; Häckel, B.; Leuthe, D.; Ott, J.; Stahl, B.; Strobel, J. Managing the Inevitable—A Maturity Model to Establish Incident Response Management Capabilities. Comput. Secur. 2023, 125, 103050. [Google Scholar] [CrossRef]
  66. Schlette, D.; Vielberth, M.; Pernul, G. CTI-SOC2M2—The Quest for Mature, Intelligence-Driven Security Operations and Incident Response Capabilities: CTI-Driven SOC Capability Maturity Model. Comput. Secur. 2021, 111, 102482. [Google Scholar] [CrossRef]
  67. Jaquire, V.; von Solms, S. Developing a Cyber Counterintelligence Maturity Model for Developing Countries. In Proceedings of the 2017 IST-Africa Week Conference (IST-Africa), Windhoek, Namibia, 30 May–2 June 2017; pp. 1–8. [Google Scholar]
  68. Jeong, J.J.; Grobler, M.; Chamikara, M.A.P.; Rudolph, C. Fuzzy Logic Application to Link National Culture and Cybersecurity Maturity. In Proceedings of the 2019 IEEE 5th International Conference on Collaboration and Internet Computing (CIC), Los Angeles, CA, USA, 12–14 December 2019; pp. 330–337. [Google Scholar]
  69. Muronga, K.; Herselman, M.; Botha, A.; Veiga, A.D. An Analysis of Assessment Approaches and Maturity Scales Used for Evaluation of Information Security and Cybersecurity User Awareness and Training Programs: A Scoping Review. In Proceedings of the 2019 Conference on Next Generation Computing Applications (NextComp), Réduit, Mauritius, 19–21 September 2019; pp. 1–6. [Google Scholar]
  70. Drivas, G.; Chatzopoulou, A.; Maglaras, L.; Lambrinoudakis, C.; Cook, A.; Janicke, H. A NIS Directive Compliant Cybersecurity Maturity Assessment Framework. In Proceedings of the 2020 IEEE 44th Annual Computers, Software, and Applications Conference (COMPSAC), Madrid, Spain, 13–17 July 2020; pp. 1641–1646. [Google Scholar]
  71. Oliveira, A.d.S.; Santos, H. Continuous Industrial Sector Cybersecurity Assessment Paradigm: Proposed Model of Cybersecurity Certification. In Proceedings of the 2022 18th International Conference on the Design of Reliable Communication Networks (DRCN), Vilanova i la Geltrú, Spain, 28–31 March 2022; pp. 1–6. [Google Scholar]
  72. Yulianto, S.; Lim, C.; Soewito, B. Information Security Maturity Model: A Best Practice Driven Approach to PCI DSS Compliance. In Proceedings of the 2016 IEEE Region 10 Symposium (TENSYMP), Bali, Indonesia, 9–11 May 2016; pp. 65–70. [Google Scholar]
  73. Sen, N.; Atilla, D.C.; Karan, O. Decision Support System for Operational, Financial, Performance and Risk Indicators of Maturity Models over Cloud-Based Software. In Proceedings of the 2021 International Conference on Engineering and Emerging Technologies (ICEET), Istanbul, Turkey, 27–28 October 2021; pp. 1–6. [Google Scholar]
  74. Zhou, X.; Weng, H. Assessing Information Security Performance of Enterprise Internal Financial Sharing in Cloud Computing Environment Using Analytic Hierarchy Process. Int. J. Grid Util. Comput. 2022, 13, 256–271. [Google Scholar] [CrossRef]
  75. Miloslavskaya, N.; Tolstaya, S. Information Security Management Maturity Models. Procedia Comput. Sci. 2022, 213, 49–57. [Google Scholar] [CrossRef]
  76. Rea-Guaman, A.M.; San Feliu, T.; Calvo-Manzano, J.A.; Sanchez-Garcia, I.D. Comparative Study of Cybersecurity Capability Maturity Models. In Software Process Improvement and Capability Determination; Mas, A., Mesquida, A., O’Connor, R.V., Rout, T., Dorling, A., Eds.; Springer International Publishing: Cham, Switzerland, 2017; pp. 100–113. [Google Scholar]
  77. Garba, A.A.; Siraj, M.M.; Othman, S.H. An Explanatory Review on Cybersecurity Capability Maturity Models. Adv. Sci. Technol. Eng. Syst. J. 2020, 5, 762–769. [Google Scholar] [CrossRef]
  78. Garba, A.A.; Musa Bade, A.; Yahuza, M.; Nuhu, Y. Cybersecurity Capability Maturity Models Review and Application Domain. Int. J. Eng. Technol. 2020, 9, 79–784. [Google Scholar] [CrossRef]
  79. Rabii, A.; Assoul, S.; Ouazzani Touhami, K.; Roudies, O. Information and Cyber Security Maturity Models: A Systematic Literature Review. Inf. Comput. Secur. 2020, 28, 627–644. [Google Scholar] [CrossRef]
  80. ISO/IEC Standard No. 27001:2022; ISO/IEC Information Security, Cybersecurity and Privacy Protection—Information Security Management Systems—Requirements. ISO: Geneva, Switzerland, 2022.
  81. ISO/IEC Standard No. 27002:2022; ISO/IEC Information Security, Cybersecurity and Privacy Protection—Information Security Controls. ISO: Geneva, Switzerland, 2022.
  82. ISO/IEC Standard No. 21827:2008; ISO/IEC Information Technology—Security Techniques—Systems Security Engineering—Capability Maturity Model® (SSE-CMM®). ISO: Geneva, Switzerland, 2022.
  83. Fink, A. Conducting Research Literature Reviews: From the Internet to Paper, 5th ed.; SAGE Publications: Thousand Oaks, CA, USA, 2019; ISBN 978-1-5443-1845-5. [Google Scholar]
  84. Kitchenham, B.; Brereton, P. A Systematic Review of Systematic Review Process Research in Software Engineering. Inf. Softw. Technol. 2013, 55, 2049–2075. [Google Scholar] [CrossRef]
  85. Kitchenham, B.; Charters, S. Guidelines for Performing Systematic Literature Reviews in Software Engineering, Technical Report EBSE 2007-001; Keele University: Newcastle, UK; Durham University: Durham, UK, 2007. [Google Scholar]
  86. Bajaj, A.; Sangwan, O.P. A Systematic Literature Review of Test Case Prioritization Using Genetic Algorithms. IEEE Access 2019, 7, 126355–126375. [Google Scholar] [CrossRef]
  87. Cantu, J.; Tolk, J.; Fritts, S.; Gharehyakheh, A. High Reliability Organization (HRO) Systematic Literature Review: Discovery of Culture as a Foundational Hallmark. J. Conting. Crisis Manag. 2020, 28, 399–410. [Google Scholar] [CrossRef]
  88. Heiding, F.; Katsikeas, S.; Lagerström, R. Research Communities in Cyber Security Vulnerability Assessments: A Comprehensive Literature Review. Comput. Sci. Rev. 2023, 48, 100551. [Google Scholar] [CrossRef]
  89. Katsikeas, S.; Johnson, P.; Ekstedt, M.; Lagerström, R. Research Communities in Cyber Security: A Comprehensive Literature Review. Comput. Sci. Rev. 2021, 42, 100431. [Google Scholar] [CrossRef]
  90. Shukla, A.; Katt, B.; Nweke, L.O.; Yeng, P.K.; Weldehawaryat, G.K. System Security Assurance: A Systematic Literature Review. Comput. Sci. Rev. 2022, 45, 100496. [Google Scholar] [CrossRef]
  91. Onyemelukwe, I.C.; Ferreira, J.A.V.; Ramos, A.L. Human Energy Management in Industry: A Systematic Review of Organizational Strategies to Reinforce Workforce Energy. Sustainability 2023, 15, 13202. [Google Scholar] [CrossRef]
  92. Siksnelyte-Butkiene, I.; Streimikiene, D.; Balezentis, T.; Skulskis, V. A Systematic Literature Review of Multi-Criteria Decision-Making Methods for Sustainable Selection of Insulation Materials in Buildings. Sustainability 2021, 13, 737. [Google Scholar] [CrossRef]
  93. ISO/IEC Standard No. 27005:2022; ISO/IEC Information Security, Cybersecurity and Privacy Protection—Guidance on Managing Information Security Risks. ISO: Geneva, Switzerland, 2022.
  94. NIST Special Publication 800-30; Guide for Conducting Risk Assessments. National Institute of Standards and Technology: Gaithersburg, MD, USA, 2012.
  95. Clarivate. Clarivate Journal Citation Reports: First Time Journal Citation Reports Inclusion List 2023; Clarivate: Philadelphia, PA, USA, 2023. [Google Scholar]
  96. Barnes, B.; Daim, T. Information Security Maturity Model for Healthcare Organizations in the United States. IEEE Trans. Eng. Manag. 2022, 71, 1–12. [Google Scholar] [CrossRef]
  97. Aliyu, A.; Maglaras, L.; He, Y.; Yevseyeva, I.; Boiten, E.; Cook, A.; Janicke, H. A Holistic Cybersecurity Maturity Assessment Framework for Higher Education Institutions in the United Kingdom. Appl. Sci. 2020, 10, 3660. [Google Scholar] [CrossRef]
  98. Yigit Ozkan, B.; Spruit, M.; Wondolleck, R.; Burriel Coll, V. Modelling Adaptive Information Security for SMEs in a Cluster. J. Intellect. Cap. 2020, 21, 235–256. [Google Scholar] [CrossRef]
  99. Mijnhardt, F.; Baars, T.; Spruit, M. Organizational Characteristics Influencing SME Information Security Maturity. J. Comput. Inf. Syst. 2016, 56, 106–115. [Google Scholar] [CrossRef]
  100. Cholez, H.; Girard, F. Maturity Assessment and Process Improvement for Information Security Management in Small and Medium Enterprises. J. Softw. Evol. Process 2014, 26, 496–503. [Google Scholar] [CrossRef]
  101. You, Y.; Oh, J.; Kim, S.; Lee, K. Advanced Approach to Information Security Management System Utilizing Maturity Models in Critical Infrastructure. KSII Trans. Internet Inf. Syst. 2018, 12, 4995–5014. [Google Scholar] [CrossRef]
  102. Karabacak, B.; Yildirim, S.O.; Baykal, N. A Vulnerability-Driven Cyber Security Maturity Model for Measuring National Critical Infrastructure Protection Preparedness. Int. J. Crit. Infrastruct. Prot. 2016, 15, 47–59. [Google Scholar] [CrossRef]
  103. Mukherjee, P.; Mazumdar, C. “Security Concern” as a Metric for Enterprise Business Processes. IEEE Syst. J. 2019, 13, 4015–4026. [Google Scholar] [CrossRef]
  104. Mbanaso, U.M.; Abrahams, L.; Apene, O.Z. Conceptual Design of a Cybersecurity Resilience Maturity Measurement (CRMM) Framework. Afr. J. Inf. Commun. 2019, 23, 1–26. [Google Scholar]
  105. Kour, R.; Karim, R.; Thaduri, A. Cybersecurity for Railways—A Maturity Model. Proc. Inst. Mech. Eng. Part F J. Rail Rapid Transit 2020, 234, 1129–1148. [Google Scholar] [CrossRef]
  106. Gourisetti, S.N.G.; Mylrea, M.; Patangia, H. Cybersecurity Vulnerability Mitigation Framework through Empirical Paradigm: Enhanced Prioritized Gap Analysis. Future Gener. Comput. Syst. 2020, 105, 410–431. [Google Scholar] [CrossRef]
  107. Benz, M.; Chatterjee, D. Calculated Risk? A Cybersecurity Evaluation Tool for SMEs. Bus. Horiz. 2020, 63, 531–540. [Google Scholar] [CrossRef]
  108. Gourisetti, S.N.G.; Mylrea, M.; Patangia, H. Cybersecurity Vulnerability Mitigation Framework Through Empirical Paradigm (CyFEr): Prioritized Gap Analysis. IEEE Syst. J. 2020, 14, 1897–1908. [Google Scholar] [CrossRef]
  109. Schmitz, C.; Pape, S. LiSRA: Lightweight Security Risk Assessment for Decision Support in Information Security. Comput. Secur. 2020, 90, 101656. [Google Scholar] [CrossRef]
  110. Englbrecht, L.; Meier, S.; Pernul, G. Towards a Capability Maturity Model for Digital Forensic Readiness. Wirel. Netw. 2020, 26, 4895–4907. [Google Scholar] [CrossRef]
  111. Dube, D.P.; Mohanty, R.P. Towards Development of a Cyber Security Capability Maturity Model. Int. J. Bus. Inf. Syst. 2020, 34, 104–127. [Google Scholar] [CrossRef]
  112. Al-Matari, O.M.M.; Helal, I.M.A.; Mazen, S.A.; Elhennawy, S. Adopting Security Maturity Model to the Organizations’ Capability Model. Egypt. Inform. J. 2021, 22, 193–199. [Google Scholar] [CrossRef]
  113. Almomani, I.; Ahmed, M.; Maglaras, L. Cybersecurity Maturity Assessment Framework for Higher Education Institutions in Saudi Arabia. PeerJ Comput. Sci. 2021, 7, e703. [Google Scholar] [CrossRef]
  114. Shaked, A.; Tabansky, L.; Reich, Y. Incorporating Systems Thinking into a Cyber Resilience Maturity Model. IEEE Eng. Manag. Rev. 2021, 49, 110–115. [Google Scholar] [CrossRef]
  115. Dornheim, P.; Zarnekow, R. Determining Cybersecurity Culture Maturity and Deriving Verifiable Improvement Measures. Inf. Comput. Secur. 2024, 32, 179–196. [Google Scholar] [CrossRef]
  116. Pigola, A.; Rezende Da Costa, P. Dynamic Capabilities in Cybersecurity Intelligence: A Meta-Synthesis to Enhance Protection Against Cyber Threats. Commun. Assoc. Inf. Syst. 2023, 53, 1099–1135. [Google Scholar] [CrossRef]
  117. Grigaliūnas, Š.; Schmidt, M.; Brūzgienė, R.; Smyrli, P.; Bidikov, V. Leveraging Taxonomical Engineering for Security Baseline Compliance in International Regulatory Frameworks. Future Internet 2023, 15, 330. [Google Scholar] [CrossRef]
  118. Shaheen, K.; Zolait, A.H. The Impacts of the Cyber-Trust Program on the Cybersecurity Maturity of Government Entities in the Kingdom of Bahrain. Inf. Comput. Secur. 2023, 31, 529–544. [Google Scholar] [CrossRef]
  119. Yeoh, W.; Liu, M.; Shore, M.; Jiang, F. Zero Trust Cybersecurity: Critical Success Factors and A Maturity Assessment Framework. Comput. Secur. 2023, 133, 103412. [Google Scholar] [CrossRef]
  120. Kern, M.; Landauer, M.; Skopik, F.; Weippl, E. A Logging Maturity and Decision Model for the Selection of Intrusion Detection Cyber Security Solutions. Comput. Secur. 2024, 141, 103844. [Google Scholar] [CrossRef]
  121. Seeba, M.; Affia, A.O.; Mäses, S.; Matulevičius, R. Create Your Own MUSE: A Method for Updating Security Level Evaluation Instruments. Comput. Stand. Interfaces 2024, 87, 103776. [Google Scholar] [CrossRef]
  122. Mohamad, M.; Steghöfer, J.-P.; Knauss, E.; Scandariato, R. Managing Security Evidence in Safety-Critical Organizations. J. Syst. Softw. 2024, 214, 112082. [Google Scholar] [CrossRef]
  123. Khanna, K.; Govindarasu, M. Resiliency-Driven Cyber–Physical Risk Assessment and Investment Planning for Power Substations. IEEE Trans. Control Syst. Technol. 2024, 32, 1743–1754. [Google Scholar] [CrossRef]
  124. Dinkova, M.; El-Dardiry, R.; Overvest, B. Should Firms Invest More in Cybersecurity? Small Bus. Econ. 2024, 63, 21–50. [Google Scholar] [CrossRef]
Figure 1. Systematic literature review process used in the study.
Figure 2. The selection process to obtain the final collection of relevant studies.
Figure 3. Distribution of studies by publication year.
Figure 4. The distribution of studies by the information/cyber security domain (left panel) and subdomains (right panel).
Figure 5. List of journals where the research articles were published (blue JCR, green not JCR).
Table 1. Summary of the review protocol.
Time span: 2012–2024
Source selection: The following databases will be included:
Search strategy:
  • The candidate studies will be identified by screening the document title, abstract, and/or document keywords. Search keywords used for database screening are presented in Table 2.
Selection process:
  • The final collection of relevant studies will be obtained through the application of inclusion and exclusion criteria, which are defined in Table 3.
  • The selection process will be validated by two independent reviewers.
Table 2. Search keywords.

| Topic | Description | Keywords |
|---|---|---|
| Maturity | Keywords that address maturity-related concepts | maturity model; maturity framework; maturity assessment; maturity evaluation; maturity level |
| Information security | Keywords that address information security-related concepts | information security; INFOSEC; information system security; IT security; IS security |
| Cyber security | Keywords that address cyber security-related concepts | cyber security; cybersecurity |
Table 3. Inclusion and exclusion criteria.

| Included | Excluded |
|---|---|
| Year of publication between 2012 and 2024 | Year of publication outside the range 2012–2024 |
| Found in the selected databases | Duplicated studies |
| Publication type “research article” or “conference paper” | Publications of other types |
| Published in English | Publication language other than English |
| Focus on the domain «information security maturity» or «cyber security maturity» | Outside the domains «information security maturity» and «cyber security maturity» |
| Studies with at least one of the following scopes: present/describe ICS MMs; analyse/compare ICS MMs; case studies about ICS MM implementation; present/describe supporting methodologies for ICS MMs | Studies outside these scopes |
| Full text available for qualitative analysis | Full text not available |
Table 4. Query strings and results of selected databases search.

| Source | Query | No. of Results |
|---|---|---|
| IEEE Xplore | ((((“Abstract”:“maturity”) AND (“Abstract”:“model” OR “Abstract”:“framework” OR “Abstract”:“assessment” OR “Abstract”:“evaluation” OR “Abstract”:“level”)) AND (“Abstract”:“information security” OR “Abstract”:“INFOSEC” OR “Abstract”:“information system security” OR “Abstract”:“IT security” OR “Abstract”:“IS security” OR “Abstract”:“cyber security” OR “Abstract”:“cybersecurity”))) Filters Applied: Conferences, Journals, 2012–2024 | 126 |
| ACM Digital Library | [Abstract: “maturity”] AND [[Abstract: “model”] OR [Abstract: “assessment”] OR [Abstract: “evaluation”] OR [Abstract: “level”]] AND [[Abstract: “information security”] OR [Abstract: “infosec”] OR [Abstract: “information system security”] OR [Abstract: “it security”] OR [Abstract: “is security”] OR [Abstract: “cyber security”] OR [Abstract: “cybersecurity”]] AND [E-Publication Date: (1 January 2012 TO 31 July 2024)] Filters Applied: Research Article | 37 |
| Web of Science | (AB=(((“maturity”) AND (“model” OR “framework” OR “assessment” OR “evaluation” OR “level”)) AND (“information security” OR “infosec” OR “information system security” OR “IT security” OR “IS security” OR “cyber security” OR “cybersecurity”))) AND (DT==(“ARTICLE” OR “REVIEW”) AND DT==(“ARTICLE” OR “REVIEW”) AND LA==(“ENGLISH”) AND TASCA==(“COMPUTER SCIENCE INFORMATION SYSTEMS” OR “MANAGEMENT” OR “BUSINESS” OR “COMPUTER SCIENCE SOFTWARE ENGINEERING” OR “TELECOMMUNICATIONS” OR “ENGINEERING ELECTRICAL ELECTRONIC”)) Refined By: Document Types: Article or Review Article + Languages: English + Publication Years: 2012–2024 | 69 |
| ScienceDirect | “maturity” AND (“model” OR “assessment” OR “evaluation” OR “level”) AND (“information security” OR “cyber security” OR “cybersecurity”) Custom range 2012–2024; Filters Applied: Review article + Research Article | 49 |
| Total | | 281 |
Table 5. The distribution of studies according to the industry sectors.

| Sector | No. of Studies | % of Studies |
|---|---|---|
| Organisations in General | 30 | 31.25 |
| Utilities | 13 | 13.54 |
| Information Technology | 9 | 9.38 |
| Government | 8 | 8 |
| Financial Services | 7 | 7.29 |
| SME Sector | 7 | 7.29 |
| Healthcare | 5 | 5.21 |
| Education | 4 | 4 |
| Public Sector | 3 | 3.13 |
| Transportation | 3 | 3.13 |
| Manufacturing | 2 | 2.08 |
| n/a | 5 | 5.21 |
| Total | 96 | 100 |
Table 6. Categorisation of the studies into three groups.

| Group | Group of Studies | ID |
|---|---|---|
| Group 1 | Development of new maturity concept | RA3, RA4, RA6, RA9, RA12, RA13, RA14, RA15, RA16, RA18, RA19, RA25, RA26, RA28, RA31, RA32 |
| Group 2 | Implementation of already known maturity concept | RA2, RA7, RA8, RA10, RA11, RA20, RA21, RA27, RA30 |
| Group 3 | Other | RA1, RA5, RA17, RA22, RA23, RA24, RA29, RA33, RA34, RA35, RA36 |
Table 7. Studies that contribute to the development of a new information/cyber maturity concept.

| ID | Title/Name of the New Maturity Concept | Is the New Concept Based on an Already Known Maturity Concept? | Is Validation or Testing of the New Concept Provided? |
|---|---|---|---|
| RA3 | Vulnerability-Driven Cybersecurity Maturity Model | No. | Yes, validated with critical infrastructure preparedness data. |
| RA4 | Advanced Information Security Maturity Assessment (AISMA) | Yes. CMMI. | Yes. Validation provided through simulation in critical infrastructure (thermal power plants). |
| RA6 | Cybersecurity Resilience Maturity Measurement (CRMM) | Yes. CRMM adapts and integrates elements from several well-established frameworks, including NIST CSF, COBIT 5, CIS Controls, SoGP for IS, and ISO/IEC 27005 [93]. | Partly. The model has been partially validated through expert consultations, but lacks full practical implementation. |
| RA9 | Holistic Cybersecurity Maturity Assessment Framework (HCYMAF) for Higher Education Institutions in the United Kingdom | Yes. CMM. | Yes. Validation through a case study in UK education institutions. |
| RA12 | Cybersecurity Vulnerability Mitigation Framework Through Empirical Paradigm (CyFEr) | Yes. NIST CSF. | Yes. Validation is provided through a real-world cyberattack demonstration. |
| RA13 | LiSRA (Lightweight Security Risk Assessment) | Not directly, but it incorporates general principles from ISO/IEC 27001 [80] or NIST SP 800-30 [94]. | Partly. The model has been validated through case studies but lacks broader practical testing. |
| RA14 | Method for Adaptive Information Security Maturity Modelling in Clusters (MAISMMC) | Yes. Information Security Focus Area Maturity Model (ISFAM). | Partly. The model has been validated through case studies but lacks broader practical testing. |
| RA15 | Digital Forensic Readiness Capability Maturity Model | Yes. CMMI and Software Process Improvement and Capability Determination (SPICE). | Partly. The application of the model is tested through a case study based on publicly available information about the Target Corporation data breach. |
| RA16 | Cyber Security Capability Maturity Model (CSCMM) | No. | Yes, validation of the model is based on an empirical study and the views of almost 200 cross-sector cyber security experts. |
| RA18 | Cyber Threat Intelligence-driven SOC Maturity Model (CTI-SOC2M2) | Yes. CMMI. | Yes, tested in SOC environments. |
| RA19 | Cybersecurity Maturity Assessment Framework (SCMAF) for Higher Education Institutions in Saudi Arabia | Yes. HCYMAF. | Yes. Validated through case studies in higher education institutions in Saudi Arabia. |
| RA25 | Information Security Maturity Model for Healthcare Organisations in the United States | No. | Yes, validated through use cases in healthcare organisations. |
| RA26 | Incident Response Management Maturity Model (IRM3) | No. | Partly. Tested through simulations of incident response scenarios. |
| RA28 | Dynamic Capabilities in Cybersecurity Intelligence (DCCI) Framework | No. | Partly. Based on a meta-synthesis of 47 case studies, but direct empirical testing is not provided. |
| RA31 | Zero Trust Cybersecurity Maturity Assessment Framework | Yes. NIST Zero Trust Architecture. | Partly. The model was designed and validated by cyber security experts from various industries, but the study does not describe practical validation in real organisations. |
| RA32 | Logging Maturity and Decision Model | No. | Yes. Validated using MITRE ATT&CK data and illustrative case studies. |
Table 8. Studies that focus on the implementation of already known information/cyber maturity concepts.

| ID | Maturity Concept Used | Short Description |
|---|---|---|
| RA2 | IT Capability Maturity Framework (IT-CMF) | Implements IT-CMF for assessing and improving IT capabilities, with a focus on security governance. |
| RA7 | Cybersecurity Capability Maturity Model (C2M2) | Adapts the C2M2 in the railway sector, focussing on improving cyber security preparedness and resilience. |
| RA8 | NIST CSF | Uses NIST CSF to prioritise and mitigate vulnerabilities through empirical gap analysis. |
| RA10 | Socio-technical maturity models, CMMI, Information Security Governance Frameworks | Applies socio-technical and governance frameworks for assessing information security performance. |
| RA11 | NIST CSF | Proposes a cyber security evaluation tool for SMEs, based on the five NIST CSF categories, to help assess and improve their cyber security maturity. |
| RA20 | Promoting Global Cyber Resilience for Sectors and Society (ProGReSS) | Integrates systems thinking to enhance resilience maturity. |
| RA21 | COBIT | A case study is conducted where practitioners assessed a subset of the ISO/IEC 27002 security controls for a hypothetical scenario using the COBIT 5 maturity levels. |
| RA27 | Information Protection Culture Assessment (IPCA) assessment framework | Shows how IPCA can be applied to measure and improve the cyber security culture within an organisation through tailored surveys and actionable improvement measures. |
| RA30 | Bahrain Government framework Cyber Trust Program (CTP) | Uses the CTP to assess and improve cyber security maturity in government entities in Bahrain. |
Table 9. Studies that provide supporting methodologies or frameworks that contribute to the understanding of information/cyber security maturity.

| ID | Short Description | Relation to Information/Cyber Security Maturity |
|---|---|---|
| RA1 | Explores maturity assessment for information security management in SMEs. | Provides a methodology for SMEs to assess and improve their information security maturity. |
| RA5 | Introduces a metric-based approach for evaluating security concerns in business processes. | Provides metrics to evaluate and improve maturity in business processes. |
| RA17 | Adapts a security maturity model to align with organisational capabilities. | Suggests a way to align organisational capabilities with security maturity models, contributing to the understanding of maturity adaptation to different organisational contexts. |
| RA22 | Proposes an agile architecture approach for managing information security risks. | Introduces agile approaches to information security risk management and provides an indirect framework for understanding risk-related aspects of security maturity. |
| RA23 | Conducts a systematic literature review on cyber security maturity models for startups. | Reviews existing cyber security maturity models and provides insights into gaps and needs to support the development of future maturity models. Summarises existing models and frameworks to improve startup maturity. |
| RA29 | Utilises taxonomic engineering for security baseline compliance in regulatory frameworks. | Focusses on compliance and provides a framework that indirectly measures maturity through adherence to security standards. |
| RA33 | Proposes a method for updating security-level evaluation instruments. | Proposes improvements to evaluation instruments, contributing to the continuous development and understanding of security maturity. |
| RA34 | Explores managing security evidence in safety-critical organisations. | Discusses the management of security evidence that indirectly contributes to maturity through operational effectiveness and security management. |
| RA35 | Assesses cyber-physical risk and investment planning for power substations. | Examines risk and investment strategies for resilience and provides a context for understanding how cyber-physical systems affect maturity. |
| RA36 | Analyses cyber security investment and maturity among Dutch firms. | Analyses whether higher investment in cyber security correlates with a higher level of maturity and thus contributes to understanding the readiness and maturity of organisations. |
Table 10. Sectors and organisations where ICS MMs have been effectively applied.

| Sector/Industry | Type of Organisation | Related Articles | Description of ICS MM Application |
|---|---|---|---|
| Critical infrastructure | Railways, Energy, Utilities, Cyber-physical systems | RA3, RA4, RA7, RA35 | Focusses on improving preparedness and resilience in critical infrastructure through models like C2M2 and vulnerability-driven models. |
| Government institutions | Government agencies, Public sector organisations | RA18, RA20, RA30 | Government agencies have adopted models like the Cyber Trust Program and CTI-SOC2M2 for information/cyber security maturity and threat intelligence. |
| Healthcare | Hospitals, Healthcare providers | RA25, RA26 | The Healthcare Information Security Maturity Model helps ensure compliance with regulations and improves the security of sensitive patient data. |
| Higher education | Universities, Colleges | RA9, RA19 | Higher education institutions use customised maturity frameworks to address the specific information/cyber security challenges in academia and research. |
| Small and Medium-sized Enterprises (SMEs) | Private sector, SMEs | RA1, RA11, RA13, RA14, RA16 | Maturity models and evaluation tools tailored for SMEs help improve security readiness with limited resources. |
| Technology startups | Startups and emerging tech companies | RA23 | Maturity models help startups align cyber security practices with business growth and scalability. |
| Digital forensics | Law enforcement, Cyber security teams | RA15 | The Digital Forensic Readiness Capability Maturity Model focusses on improving forensic readiness in organisations that need to handle digital evidence effectively. |
| Financial services | Financial institutions | RA36 | Focusses on analysing cyber security investments and improving maturity in banking and financial firms. |
Table 11. Key drivers for the adoption of ICS MMs in different sectors and industries.

| Driver | Sector/Industry | Related Articles | Description |
|---|---|---|---|
| Regulatory compliance | Healthcare, Government, Public sector, Critical infrastructure | RA18, RA25, RA30, RA35 | ICS MMs ensure compliance with laws (such as the Health Insurance Portability and Accountability Act (HIPAA) in healthcare) and regulations in critical infrastructure sectors. Government agencies implement ICS MMs to align with international standards and improve compliance (e.g., the Cyber Trust Program). |
| Cyber security threat resilience | Critical infrastructure, Energy, Railways | RA3, RA4, RA7, RA18, RA35 | ICS MMs help to increase the resilience of critical infrastructure and the energy sector to cyber security threats. |
| Data protection | Healthcare, Higher education | RA9, RA19, RA25 | The protection of sensitive data (e.g., patient or research data) is a key driver in adopting ICS MMs in healthcare and academic institutions. |
| Risk management and mitigation | SMEs, Financial services, Technology startups | RA11, RA12, RA13, RA23, RA36 | Managing and mitigating cyber security risks is critical for SMEs and financial institutions, especially for the protection of assets with limited resources. |
| Incident response preparedness | Government, Critical infrastructure | RA18, RA20, RA26 | Incident response maturity helps organisations, especially in critical infrastructures, to manage security incidents effectively. |
| Investment in cyber security | Financial services, Startups, Large enterprises | RA23, RA36 | ICS MMs support organisations in prioritising information/cyber security investments and aligning them with the company’s growth objectives. |
| Enhancing security culture | Government, Public institutions, SMEs | RA9, RA18, RA27 | Promote a security-conscious culture through maturity models, especially in government organisations and SMEs where cultural awareness is crucial. |
| Improving business continuity | Critical infrastructure, Railways | RA3, RA7, RA26, RA35 | Ensuring business continuity by improving maturity in sectors such as rail transport and electricity supply that rely on uninterrupted operations. |
| Cost-effective security solutions | SMEs | RA11, RA13, RA16 | Maturity models such as LiSRA help SMEs to introduce cost-effective security solutions that are tailored to their limited resources. |
Table 12. Main gaps and limitations in the implementation of ICS MMs in organisations.
| Gap/Limitation | Description | Related Articles |
|---|---|---|
| Resource constraints | SMEs often lack the resources (time, money, personnel) to effectively implement ICS MMs, which are usually designed for larger organisations. | RA1, RA11, RA13, RA14, RA16 |
| Complexity of models | Some ICS MMs are considered too complex and difficult to understand and implement, especially in organisations with limited cyber security expertise. | RA11, RA12, RA16, RA30 |
| Customisation to specific sectors | A lack of sector-specific customisation in many models, leading to difficulties in implementation for sectors with specific requirements (e.g., healthcare, higher education). | RA7, RA9, RA16, RA19, RA25 |
| Lack of practical guidance | While many models offer assessments, they lack detailed, actionable guidance on how to implement the improvements needed to increase maturity. | RA12, RA25, RA26 |
| Cultural and human factor barriers | Resistance to change, lack of cyber security awareness and an inadequate security culture are barriers to successful ICS MM implementation in some organisations. | RA18, RA27 |
| Alignment with business objectives | Difficulties in aligning cyber security maturity models with broader business objectives, leading to a mismatch between security and strategic goals. | RA13, RA36 |
| Lack of automation and tool support | Limited integration of automation tools in ICS MMs, making the process of tracking, managing, and improving maturity tedious and resource intensive. | RA11, RA31 |
| Inconsistent metrics and evaluation | The lack of standardised metrics and evaluation methods across the various models makes it difficult for organisations to measure progress or compare it with industry standards. | RA21, RA24 |
| Integration with existing systems | Challenges in integrating ICS MMs into existing organisational processes (e.g., risk management systems, incident response) and adapting them to existing structures. | RA10, RA20, RA26 |
| Financial barriers | High implementation costs are a common constraint, especially in resource-limited organisations that cannot afford the full range of tools and expertise required for ICS MMs. | RA13, RA36 |
| Limited focus on emerging technologies | Some models do not adequately account for emerging technologies and modern threats (e.g., cloud computing, AI), making them less relevant to today's rapidly evolving cyber security landscape. | RA28, RA32 |
| Time-consuming assessments | The time required to assess and reassess information/cyber security maturity is often considered too high, especially for organisations that need a quick assessment. | RA11, RA30 |
Table 13. Opportunities and future research directions in information/cyber security maturity assessment.
| Opportunity/Future Direction | Description | Related Articles |
|---|---|---|
| Empirical validation of models | The need to test existing conceptual models more empirically in different sectors and validate them in practice. | RA6, RA9, RA12, RA15, RA16, RA19 |
| Sector-specific customisation | Development and refinement of models that meet the specific needs of different industries and sectors (e.g., healthcare, education, SMEs). | RA7, RA9, RA13, RA16, RA19, RA25 |
| Integration with emerging technologies | Research on how maturity models can adapt to new technologies and threats such as cloud computing and AI-driven attacks. | RA28, RA32 |
| Automation and tool support | The opportunity to improve maturity models through automation and better tools for managing assessments and tracking improvements. | RA11, RA31 |
| Simplified models for SMEs | Development of lightweight and cost-effective models tailored to the specific challenges of SMEs. | RA1, RA11, RA13, RA14 |
| Cross-organisational comparisons | Creation of standardised metrics and frameworks to enable cross-organisational comparisons of cyber security maturity. | RA21, RA24 |
| Integration with risk management | Expanding models to more fully integrate risk management practices, helping organisations better align security with risk mitigation efforts. | RA10, RA20, RA26 |
| Alignment with business goals | Future research could focus on better aligning maturity models with strategic business objectives, especially for SMEs and startups. | RA13, RA36 |
| Focus on incident response maturity | Opportunities to refine models that focus specifically on incident response capabilities to ensure rapid recovery from cyber attacks. | RA12, RA18, RA26 |
Brezavšček, A.; Baggia, A. Recent Trends in Information and Cyber Security Maturity Assessment: A Systematic Literature Review. Systems 2025, 13, 52. https://doi.org/10.3390/systems13010052