A Structured Comparison of the Corporate Information Security Maturity Level

  • Michael Schmid
  • Sebastian Pape
Conference paper
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 562)


Generally, measuring information security maturity is the first step towards building a knowledge-based information security management system in an organization. Unfortunately, information security cannot be measured directly, so obtaining an estimate requires reliable proxy measurements. One way to assess information security is to apply a maturity model and assess the level of the controls; this need not be equivalent to the level of security. Nevertheless, evaluating the level of information security maturity in companies has been a major challenge for years. Although many studies have addressed these challenges, there is still a lack of research that properly analyzes these assessments. The primary objective of this study is to show how to use the analytic hierarchy process (AHP) to compare the maturity levels of information security controls within an industry in order to rank different companies. To validate the approach, we used real information security data from a large international media and technology company.
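As an added illustration (not the paper's own code or data), the AHP mechanics the abstract refers to: pairwise judgements of control importance are turned into weights, the judgements are checked for consistency, and companies are ranked by their weighted control maturity. Control names, pairwise judgements and maturity levels below are constructed sample values.

```python
"""AHP ranking of companies by information-security control maturity.
Added illustration; controls, judgements and maturity levels are constructed."""
from math import prod

# Saaty's random consistency index for matrices of size n = 1..9
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12,
                6: 1.24, 7: 1.32, 8: 1.41, 9: 1.45}

def priority_vector(matrix):
    """Control weights from a pairwise-comparison matrix (normalised row geometric means)."""
    n = len(matrix)
    gm = [prod(row) ** (1.0 / n) for row in matrix]
    total = sum(gm)
    return [g / total for g in gm]

def consistency_ratio(matrix):
    """Saaty consistency ratio; judgements with CR > 0.1 should be revised, not used."""
    n = len(matrix)
    w = priority_vector(matrix)
    aw = [sum(matrix[i][j] * w[j] for j in range(n)) for i in range(n)]
    lambda_max = sum(aw[i] / w[i] for i in range(n)) / n   # principal eigenvalue estimate
    ci = (lambda_max - n) / (n - 1) if n > 1 else 0.0      # consistency index
    return ci / RANDOM_INDEX[n] if RANDOM_INDEX[n] else 0.0

def rank_companies(weights, maturity):
    """Weighted maturity score per company, best first."""
    scores = {c: sum(w * lvl for w, lvl in zip(weights, levels))
              for c, levels in maturity.items()}
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)

# Constructed example: three control areas, judged pairwise on Saaty's 1-9 scale
CONTROLS = ["access control", "incident management", "supplier security"]
JUDGEMENTS = [[1, 2, 2],
              [1 / 2, 1, 1],
              [1 / 2, 1, 1]]
# Constructed maturity levels (0-5) per control for three fictitious companies
MATURITY = {"Company A": [3, 4, 2],
            "Company B": [4, 2, 3],
            "Company C": [2, 5, 5]}

if __name__ == "__main__":
    cr = consistency_ratio(JUDGEMENTS)
    w = priority_vector(JUDGEMENTS)
    print(f"CR = {cr:.3f}", dict(zip(CONTROLS, (round(x, 3) for x in w))))
    for company, score in rank_companies(w, MATURITY):
        print(f"{company}: {score:.2f}")
```

With these constructed judgements the weights are 0.5/0.25/0.25 and the ranking is C, B, A; a circular judgement set (A > B > C > A) fails the consistency check and must be revised before any ranking is trusted.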


Keywords: Information security, Information security management, ISO 27001, Analytic hierarchy process, Information security controls, Capability maturity model, Security maturity model, Security metrics framework



Copyright information

© IFIP International Federation for Information Processing 2019

Authors and Affiliations

  1. Chair of Mobile Business & Multilateral Security, Goethe University Frankfurt, Frankfurt, Germany
  2. Hubert Burda Media Holding KG, Munich, Germany
  3. Chair of Information Systems, University of Regensburg, Regensburg, Germany
