A Maturity Model for IT-Related Security Incident Management

  • Gunnar Wahlgren
  • Stewart Kowalski
Conference paper
Part of the Lecture Notes in Business Information Processing book series (LNBIP, volume 353)


The purpose of this study is to validate the ability of a maturity model to measure an organization's capability to escalate IT-related security incidents. First, an Escalation Maturity Model (EMM) and a supporting tool were developed to measure how mature an organization is at escalating IT-related security incidents. A representative from each of three organizations in the Swedish health sector used the self-assessment tool to measure their organization's ability to escalate IT-related security incidents. Second, typical security incident scenarios were created, and the incident managers of the three organizations were interviewed about their organization's capability to deal with these scenarios. Third, a number of independent information security experts, none of whom had seen the EMM results, ranked on a measurable scale how well each of the three organizations would have handled the scenarios. Finally, the EMM results were compared against the measurable results of the interviews to establish the predictive ability of EMM. The findings of this proof-of-concept study show that the EMM outcome and the way in which an organization would handle the different incidents correspond well, at least for organizations with low and medium maturity levels.


Keywords: Incident escalation, Incident management, Maturity models, Self-assessment



Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. Department of Computer and System Science, Stockholm University, Stockholm, Sweden
  2. Faculty of Computer Science and Media Technology, Gjøvik University College, Norwegian University of Science and Technology, Gjøvik, Norway