Developing a Maturity Model for Information System

Security Management within Small and Medium Size

Enterprises

Luis Enrique Sánchez

, Daniel Villafranca

, Eduardo Fernández-Medina

and Mario Piattini

SICAMAN Nuevas Tecnologías. Departament I+D

Juan José Rodrigo, 4. Tomelloso, Ciudad Real, Spain

Castilla-La Mancha, ALARCOS Research Group,

TSI Department, UCLM-Soluziona Research and Development Institute.

University of Castilla-La Mancha, Paseo de la Universidad 4, Ciudad Real, Spain

Abstract. For enterprises to be able to use information and communication

technologies with guarantees, it is necessary to have an adequate security

management available. This requires that enterprises always know their current

maturity level and to what extend their security must evolve. Current maturity

models are showing us that they are inefficient in small and medium size

enterprises since these enterprises have a series of additional problems when

implementing security management systems. In this paper, we will make an

analysis of the maturity models oriented to security existing in the market by

analysing their main disadvantages regarding small and medium size enterprises

using as a reference framework ISO17799. This approach is being directly

applied to real cases, thus obtaining a constant improvement in its application.

1 Introduction

Information and processes supporting systems and nets are the most important assets

for any organization [1], and they are the main differentiation factor in a company’s

evolution. These assets are submitted to a great variety of risks that can critically

affect enterprises. There are many sources that provide us with figures that show the

importance of the problems caused by the lack of adequate security measures [2]. In

this way, the CGI/FBI Computer Crime and Security Survey [3] estimates that the

total losses in the US in 2004 as a result of security breaches was 141.496.560$.

However, the majority of the losses are unknown since the lack of adequate controls

to carry out the information tracking avoids that enterprises know the existence of

information leaks and therefore they cannot quantify their cost. Organizations,

independently of their size or activity, need to implement an Information Security

Management System (ISMS) to protect their most sensitive assets [4][5]. However, to

develop these ISMS not only we have to face technological aspects [6] but also we

have to develop management as well as legal and ethical aspects.

Enrique S

anchez L., Villafranca D., Fern

andez-Medina E. and Piattini M. (2006).

Developing a Maturity Model for Information System Security Management within Small and Medium Size Enterprises.

In Proceedings of the 4th Inter national Workshop on Security in Information Systems, pages 256-266

 SciTePress

Anyway, although many new rules are appearing, the current tendency [7] to face

an ISMS consists of homogenizing some of its basic aspects such as maturity models

and best practices guides into a stable set that let us face each particular case with the

ISMS model that better adapts to it.

As a core of the new security orientation as a management system, security

policies containing sets of rules and regulations to determine how an organization

must protect itself have been created [8]. Thus, Cabrera Martin [9] puts forward that

the way to planify security within an organization must always start from the

definition of a Security Policy that determines the organization’s objectives in the

security field and from this determination, we could decide through an adequate

implementation plan how the fixed objectives will be reached.

Before starting a project for implementing an information security management

system within an enterprise, it is necessary to determine the level of the Information

Security Governance of the company since the absence of it guarantees the failure of

the security management. It is not viable to start implementing a security management

system with the absence of a stable and defined information security governance.

[10]. The following step for the implementation of an ISMS is to establish the security

maturity level of the enterprise and to where it should evolve although these maturity

levels can be established in different ways. Thus, Von Solms [11] defines security as

a discipline of multiple dimensions that must be covered to obtain a security plan,

through an incremental certification of security, and for Von Solms, the most

important phase of the plan is to determine the maturity level of the company ISMS

and compare that level to the losses that it can cause to the business. The maturity

model that we propose states an evolution of the maturity levels similar in some

aspects to that stated by Von Solms, in a way that enterprises will be able to certify

themselves in the different levels of the maturity model. This will let them face

projects with a shorter temporary vision as well as analyse the results of the plan

earlier.

Nowadays, it is very complex for a small or medium size enterprise to face the

implementation of a security management system. Concerning security, the

enterprises’ tendency is to slowly migrate their culture to the creation of an ISMS,

although this progression is very slow in such a way that René Sant-Germain [3]

estimates that with the current models, in 2009, only a 35% of the enterprises with

more than 2000 employees in the world will have an ISMS implemented and figures

regarding small and medium size enterprises will be much worse.

The majority of enterprises have found many problems at the time of

implementing systems such as BS7799 certification and UNE71502 since they are

total certifications and this avoids that enterprises have intermediate points to focus

the reach of their objectives. It also avoids that system departments obtain

intermediate success that allow them to obtain the support of the Direction Board. The

maturity model that we state allows us to obtain intermediate certification, being able

to face each maturity level in 1 or 2 years periods instead of the 3 to 6 years that are

currently needed in a medium size enterprise. Audit, certification and accreditation of

the management system is important to provide the security environment, customers

and providers with credibility. For this reason, our proposed maturity model is based

on the certification by levels instead of an only total certification. Our maturity level

proposes to divide UNE71502 certification and ISO27001 into three certification

levels [1 to 3], each one having a subset of controls extracted from ISO17799.

257

This paper proposes a maturity model oriented to small and medium size

enterprises with the purpose of solving the problems detected in the classic maturity

models which are shown not to be efficient at the time of implementing them into

small and medium size enterprises due to their complexity and other series of factors

that will be analysed in a detailed way in the following sections of this paper. The

paper continues with Section 2, in which the existing maturity models, their current

tendency and the new proposals that are emerging will be described. In Section 3, our

proposal of a maturity model oriented to small and medium size enterprises is

introduced. Finally, in Section 4, we will conclude by indicating our future work.

2 Related Work

Security Maturity Models have the aim of establishing a standardized valoration with

which it can be determined the state of information security within an organization

and that allows us to be able to planify the way to reach the desired security goals.

These maturity levels will be progressive in such a way that the implemented

information increases as the maturity levels increase. These levels are the ideal

mechanisms to know the security of the enterprises to be analysed and that of third

companies with which these enterprises have to interact. The problem is that although

there are maturity models in the market, they are only total security certifications and

this fact avoids that many companies can have a valoration of their current maturity

level. Therefore, our model suggests the certification by maturity levels instead of the

unique certification existing today, this certification will be periodically revised and

the company could increase or decrease its maturity level. This model is similar to the

appreciations by Eloff and Eloff [5] that suggest a progressive controls

implementation that allows the enterprise to adapt itself to the security evolution in a

non-traumatic way.

The vision of how to face these maturity levels differs regarding the authors taken

as a reference. In this way, some authors insist on using ISO17799 in security

management models but always in an incremental way, taking into consideration the

particular security needs [11], by using maturity models. Other models such as that

proposed by the Information Security Institute of South Africa (ISIZA) [11] put

forward a progressive increase of security. ISIZA Level 1 consists of selecting a basic

level of a small subset of ISO17799 controls related to security policy, virus control

and personnel security. Following the model proposed by ISIZA, time reductions

when certifying companies according to the BS7799 regulation [11] have been

achieved.

For our maturity model, we have used the standard ISO17799 as a starting point,

coinciding with the research being carried out by Pittsburgh University for the

development and putting into practice of a comprehensive standard of security based

on the guides provided by ISO17799 [12]. Other studies consider the regulation

important but they complement it in some way with other aspects [13], such as

Endorf [14], that incorporates the American HIPAA requirements into a security

program complementing ISO17799; or Von Solms [15], that considers a whole and

complementary application of COBITs and the regulation; or even Masacci that apart

258

from the regulation, considers controls related to the fulfilment of the Italian

legislation in the field of data protection and privacy.

Other aspects that are being studied for their application to the maturity models is

the management of costs associated to security management since they can influence

model dimensioning. Thus, Rebecca Mercuri [16] proposes to associate the cost-

benefit analysis(CBA) as a fundamental part of ISMS development in the risk

analysis phase; Kim&Choi [17] analyses a methodology oriented to processes models

and criteria of analysis of cost and benefit factors that support the economic

justification of the investment in security and that can be applied to estimate the

maximum level of maturity that the enterprise can face; and Peltier [13] states that

controls must be selected regarding the cost-efficiency in relation to the risk that they

reduce and the potential losses that security breaches can cause.

2.1 Other Security Maturity Models

Among the information security maturity models [18] that are currently being most

often applied within enterprises, we can highlight SSE-CMM, COBIT and ISM3 [19],

although at present, new models that try to solve the problems detected in these

models are being developed. Now, we will show a brief description of the main

maturity models existing today and some of the most promising proposals:

- ISO 21827/SSE-CMM: The Capability Maturity Model in Systems Security

Engineering is a model derived from the maturity model of CMM software

and it is oriented to security. This model describes the essential

characteristics of processes that must exist within an organization to assure a

proper systems security. In Lobree 2002 [20], a comparison of the most

important good practices guides with the maturity model SSE-CMM is made

and they come to the conclusion that all of them basically consider the same

security aspects but with different depth level.

- ISM3 [12]: It is oriented to define different security levels where each of

them can be the final objective of an organization. In other words, it is not a

model that can be used to improve but it is useful to classify the security

level required by an enterprise. ISM3 defines five security maturity levels of

an enterprise [0 a 4]. These levels will be associated to processes in a way

that, depending on the maturity level, the enterprise will be forced to comply

with a series of processes. Thus, a level 0 will imply the fact of not fulfilling

any process.

- COBIT: The maturity model COBIT [18] offers us the basis for the

understanding and evaluation of the current conditions of security and

processes control of the IT environment within an organization. This model

provides us with the bases for the understanding and evaluation of the main

functions of IT area, through the consideration of each one of its key

processes that will be assigned a value between [0-5], thus indicating the

effort level (“maturity”) that is suggested to invest in the activity of control

of such process to guarantee a good relation cost-benefit by assuring the

strictly required security level. The maturity model COBIT is based on the

software development maturity model CMM-SW, and for this reason, it is

not an updated model since today CMMI is the most commonly used model.

259

Von Solms [13] [15] has studied the coexistence and complementary use of

COBIT and ISO 17799 by developing a mapping for the synchronization of

both frameworks and by analysing the reasons why they are complementary.

Some of ISO17799 detractors state as a disadvantage that it is a support

guide but it does not reach the necessary framework for information

technology governance. Its main advantage with respect to COBIT is that it

is more detailed and has more guides oriented to how to do things. A recent

report made by the IT Governance Institute solves the problem of

synchronization by developing the mapping between COBIT´s DCO´s and

ISO17799. There are plenty of scenarios [11] where we can see how

ISO17799 and COBIT are complementary.

- CC_SSE-CCM: Common Criteria (CC) only provides us with standards to

evaluate product and security systems information. On the other hand, SSE-

CMM provides us with security standards for the evaluation of process

engineering. Jongsook Lee [7] proposes to integrate CC and SSE-CMM to

create CC-SSE-CMM that is a maturity model including the advantages of

both models. This new model is divided into processes, products and

environment. The advantage of this model is that it is useful when an

organization that was developed with CC wants to be evaluated with SSE-

CMM to improve its level with respect to the security process. CC_SSE-

CMM consists of 23 process areas with 5 maturity levels. Each process area

(PA) has BP (base practices) and the capacity levels have GP (generic

practices).

- Eloff and Eloff [5]: They prefer to define four different protection classes

that allow us to progressively increase the security levels, basing on the

sections of ISO17799 to do so.

- Karen & Barrientes [21]: This proposal of maturity model consists of

carrying out an analysis related to computer security to identify the

vulnerability degree as well as determine the improvement aspects to be

performed in the organization with the purpose of reducing risk. This model

supports the evaluation of the information security and lets us determine

which level the organization is at regarding security and thus, we will be able

to establish its strengths and weaknesses at the time of protecting

information. The proposed model has the five levels stated by CMMI

adapted to agree with information security. Each level has a definition and a

general description in which it is indicated the organization behaviour with

respect to information security. Such behaviour determines the maturity level

of information security. Practices of each level correspond to the controls

defined in the international standards ISO17799 [22]. This model takes into

account that organizations have different internal structures, and so, it is

considered that controls defined in each level are the minimum or the most

general that should be established by organizations, independently of their

internal structure.

The main problem of all presented maturity models is that they are not being

successful at the time of being implemented into small and medium size enterprises

mainly due to the fact that they were developed thinking of big organizations and the

organizative structures associated to them.

260

3 SSE-PYME: Security Maturity Model Oriented to Small and

Medium size Enterprises

The Information Security Maturity Model that we propose allows any organization to

evaluate the state of its security but it is mainly oriented to small and medium size

enterprise since they are experiencing the greater failure rate and also they are the

enterprises where the existing maturity models are being less successful. Furthermore,

small and medium size companies represent more than 95% of Spanish companies

and for this reason, we could not consider the Spanish set of enterprises mature from a

technological viewpoint until we could not achieve an adequate security level in small

and medium size enterprises. The most outstanding characteristics of our model are

that it has three security levels [1 to 3] instead of the 5-6 levels proposed by classic

models and that it proposes that each level can be certified instead of the total

certification existing today. Finally, in our model, the maturity level is associated to

the characteristics of the enterprise and it is not compulsory (and sometimes not even

advisable) that all companies reach level 3.

In this way and from the information obtained through the SICAMAN

implementation into customers, we have developed a maturity model following the

spiral structure showed in Fig. 1. This model has the aim of facilitating the

performance of fast and economic cycles that let us create a security culture within

the organization, in a constant and progressive way. Our model proposes to carry out,

in the first place, an estimation of the enterprise maturity level in a way that, with a

low cost and in a short period of time, a project planning could be determined to

present it to the direction board. Other characteristic of our model is that it has the

purpose of carrying out the proposed plans in a short term instead of the plans derived

from the current models that have a long duration and this fact makes them totally

inadequate for the current changing structure of small and medium size enterprises.

Through this model, we could estimate, in a minimum period of time, the maturity

level of the enterprise ISMS as well as identify the set of rules that better adapt

themselves to it. Thus, we could propose short-term realistic goals of the expected

evolution of the company for each spiral cycle. Once we have identified the current

maturity level of the enterprise, an improvement plan will be created and will be

presented to the direction board. Its main objective will be that of complementing the

current maturity level to reach the following maturity level.

261

Fig. 1. Spiral model for ISMS maturity.

Although in Fig. 1, the maturity model only presents eight sections of ISO17799,

our final maturity model is being developed over the ten sections of this regulation.

Nowadays, we are analysing the possibilities of migrating the obtained results through

the action research method to the new version of ISO17799:2005. In addition,

although the main core of the model that we have developed is based on ISO17799,

we have not refused to complement it with other kind of standards and

recommendations in the field of security and security management that can solve the

lack detected in ISO17799 and that have been analysed in the section 2 of this paper.

Our model defines three maturity levels to value the state of the information

system security of the enterprise. In this way, an enterprise that, according to the

employees and turnover parameters is considered small, it should only apply the

maturity level ISO17799-1 that is a subset of the controls recommended by

ISO17799 (Table 1). Any of the other two versions of the regulation would suppose

over-dimensioning the enterprise security. This would give place to an increase in the

risk of the fact that the implemented controls are not maintainable and it would

produce a continuous degradation of the controls and the maturity level. Other factors

to be taken into account is that even though the different sections could advance in an

independent way, the most logical thing to do is to planify to improve those aspects

that need lower security.

As a first step to put into practice our model within a company, we will determine

what level of regulations we should applied regarding the characteristics of the

company. Once we have identified the appropriate level, we will carry out an analysis

of controls to determine the plan that allows us to complement this maturity level. In

our model, the security level of the company will evolve in an interval from 0 to 100

%, for each one of the three proposed maturity levels that in turn, will be divided into

six sublevels to help the direction board in the monitoring of the project.

262

Table 1. Proposed models according to the type of enterprise and maturity level.

Maturity Level

(According pre-audit

performed about

ISO17799)

Enterprise type

(according to number of employees and turnover)

Small Medium Big

0 – 25 Employees 25 – 250 Employees >250 Employees

Security

Evaluation

Maturity

Level

0 – 1 Million € 1 – 100 Million € >100 Million €

0 – 100% Low ISO17799-1 (100) ISO17799-1 (100) ISO17799-1 (100)

100% - 200% Medium ISO17799-1 (100) ISO17799-2 (300) ISO17799-2 (300)

200 - 300% High ISO17799-1 (100) ISO17799-2 (300) ISO17799-3 (500)

Some of the main and most valuable conclusions obtained from the feedback of

SICAMAN customers in which these models have been analysed are listed below:

- The overdimensioning of the security level of an enterprise with respect to

its size finishes generating a degradation of the overdimensioned controls

until they reach their natural balance. The final consequence is that the

enterprise invests more resources than the strictly necessary that will not

provide any value. In Fig. 2, we can see a simulation of how, according to

the size of the company, security systems have a natural tendency to find

their balance.

Simulations of tendency of maturity levels overdimensiones in enterprises

100

150

200

250

300

12345678

Years

Maturity Level

Small Medium Big

Fig. 2. Simulation of tendency of overdimensioned maturity levels.

In Fig. 2, the percentage from 0 to100 % represents maturity level 1, the

percentage from 100 to 200% represents maturity level 2 and the percentage

from 200 to 300% represents maturity level 3. There are some exceptions in

some sectors and types of enterprises where this tendency is not fulfilled and

therefore, the model is being improved by adding it variables.

263

- Enterprises are more receptive to short-term implementation plans (1 to 2

years) than to long-term plans (4 to 6 years). The certification by levels

offers us a guarantee for the valoration of the short-term project evolution.

We are currently working on other models that include new factors that can affect

when deciding about the fulfilment level that must be applied: the enterprise’s type of

activity, the dependency on departments (such as Research and Development), etc.

4 Conclusions and Future Work

In spite of the enormous efforts that are being made to create maturity models

appropriate for mediating and managing security in small and medium size

enterprises, these models do not fit properly with the environment where they must be

implemented yet. The most probable reason is the lack of maturity of enterprises and

the fact that we have tried to make too general and ambitious models. Sometimes, this

makes that companies do not know the objective they must fulfil or how to start to

perform their systems reestructuration or that the stated goals seem very far away and

the direction board becomes discouraged. One of the documents generated by the

standardization international group considered most important worldwide is the code

of good practices ISO17799, that defines a very vast set of security controls and that it

is being used in some of the most innovating maturity models in the market.

Nevertheless, this code of good practices does not offer a global solution and must be

complemented with other regulations and management mechanisms more appropriate,

although it means a very good starting point for the development of new maturity

models.

In this paper, we have presented from our practical experience, a first

approximation to the development of a new maturity model oriented to small and

medium size enter that takes as a basis the regulation that we have mentioned so many

times in this paper and adapts it to adjust it to the size of the company in which we

want to implement it as well as to its maturity level. This model is being developed

taking as a basis the currently existing maturity models analysing their main

disadvantages and testing them in our customers to determine the success and failure

factors of the model.

The presented maturity model reduces the systems implementation costs and

improves the success percentage of implementations.

As this proposal is very preliminary, our short and long term objective is that of

studying in depth maturity models to carry out the complete development of a new

maturity model that means a bigger percentage of success in small and medium size

companies. Through the research method, “action research” and with the help of the

feedback directly obtained from our customers, we hope to achieve a continuous

improvement of these implementations.

This maturity model and the methodology which it belongs to will be

complemented with a security systems management tool, mainly oriented to the

direction board, to facilitate decision making when performing security systems

planning.

264

Acknowledgements

This research is part of the following projects: DIMENSIONS, partially financed by

FEDER and the Consejería de Educación y Ciencia de la Junta de Comunidades de

Castilla-La Mancha (PBC-05-012-1), CALIPO (TIC2003-07804-C05-03) and

RETISTIC (TIC2002-12487-E) financed by “Dirección General de Investigación del

Ministerio de Ciencia y Tecnología” (España).

References

1. Dhillon, G. y Backhouse, J. Information System Security Management in the New

Millennium, Communications of the ACM, (2000) 43(7).

2. Computer Security Institute – CSI. Computer Crime and Security Survey. (2002)

3. René Sant-Germain. Information Security Management Best Practice Based on ISO17799.

Setting Standars, The information Management Journal – July/August 2005.

4. María Eugenia Corti, Gustavo Betarte, and Reynaldo de la Fuente. Hacia una

implementación Exitosa de un SGSI. 3er Congreso Iberoamericano de seguridad

Informática, Nov, (2005).

5. Eloff, J. y Eloff, M. Information Security Management – A New Paradigm. Proc. of the

2003 annual research conference of the South African institute of computer scientists and

information technologists on Enablement through technology SAICSIT´03, (2003) 130-

136.

6. Tsujii, S. Paradigm of Information Security as Interdisciplinary Comprehensive Science.

Proc. of the 2004 International Conference on Cyberworlds (CW’04), IEEE Computer

Society, (2004) 1-12.

7. Jongsook Lee, Jieun Lee, Seunghee Lee and Byoungju Choi. A CC-based Security

Engineering Process Evaluation Model. Proceedings of the 27th Annual International

Computer Software and Applications Conference (COMPSAC`03)

8. Rodriguez, Luis Ángel. Seguridad de la Información en Sistemas de Computo. Ventura

Ediciones, México, (1995).

9. Cabrera Martin, Álvaro. Políticas de Seguridad. Boletín del Criptonomicón #71.Madrid,

(2000).

10. Isg, Information Security Governance a call to action, Abril 2004.

11. Von Solms, B. y Von Solms, R. Incremental Information Security Certification. Computers

& Security 20, (2001) 308-310.

12. Walton, J.P. Developing an Enterprise Information Security Policy. Proc. of the 30th annual

ACM SIGUCCS conference on User services, (2002) 153-156.

13. Peltier, T.R. Preparing for ISO 17799. Security Management Practices, jan/feb, (2003) 21-

28.

14. Endorf, C. Outsourcing Security: The Nedd, the Risks, the Providers, and the Process.

Information Security Management, (2004) 17-23.

15. Von Solms, B. Information Security governance: COBIT or ISO 17799 or both? Computers

& Security 24, (2005) 99-104.

16. Rebecca T. Mercuri. Analysing Security Costs. Communications of the ACM, June

2003/vol.46, nº 6.

17. S. Kim and I.Choi. Cost-Benefit Análisis of Security Investments: Methodology and Case

Study. P. Gervasi et al. (Eds.): ICCSA 2005, LNCS 3482, pp. 1239 – 1248, 2005.

265

18. Karen A. Areiza, Andrea M. Barrientos, Rafael Rincón, and Juan G. Lalinde-Pulido. Hacia

un modelo de madurez para la seguridad de la información. 3er Congreso Iberoamericano

de seguridad Informática, Nov, (2005).

19. Vicente Aceituno. Ism3 1.0: Information security management matury model, 2005. 12

Karen A. Areiza et al.

20. Bruce A. Lobree, CISSP. Impact of legislation and information security management.

Security Management Practices, November/December 2002

21. Andrea M. Barrientos Karen A. Areiza. Integración de un sistema de gestión de seguridad

de la información conun sistema de gestión de calidad. Master’s thesis, Universidad

EAFIT, 2005.

22. ISO/IEC. International standard ISO17799 (2000). information technology - code of

practice for information security management, 2000.

266