{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,26]],"date-time":"2026-04-26T04:45:06Z","timestamp":1777178706755,"version":"3.51.4"},"reference-count":47,"publisher":"Oxford University Press (OUP)","issue":"1","license":[{"start":{"date-parts":[[2025,8,20]],"date-time":"2025-08-20T00:00:00Z","timestamp":1755648000000},"content-version":"vor","delay-in-days":231,"URL":"https:\/\/creativecommons.org\/licenses\/by-nc\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2025,1,17]]},"abstract":"<jats:title>Abstract<\/jats:title>\n               <jats:p>The conventional approach to managing a cybersecurity program typically involves building an Information Security Management System based on one or a combination of security standards. However, this approach is inadequate for meeting the requirements of modern cybersecurity programs. It lacks a systematic and structured method for efficiently managing and comprehensively measuring cybersecurity efforts. In response, we conducted a three-round Delphi study to develop a hierarchical cybersecurity management process model consisting of 6 strategic processes, 11 tactical processes, and 19 operational processes. Based on these findings, we developed the Cybersecurity Management and Performance Assessment model, which helps organizations to assess process maturity and control effectiveness. Our study contributes to the theoretical knowledge in the field of cybersecurity management. By adopting our model, organizations can enhance their cybersecurity assurance and identify pathways to improve the effectiveness and maturity of their cybersecurity programs.<\/jats:p>","DOI":"10.1093\/cybsec\/tyaf020","type":"journal-article","created":{"date-parts":[[2025,8,20]],"date-time":"2025-08-20T13:24:54Z","timestamp":1755696294000},"source":"Crossref","is-referenced-by-count":1,"title":["Toward effective cybersecurity management: a hierarchical process model with performance assessment"],"prefix":"10.1093","volume":"11","author":[{"ORCID":"https:\/\/orcid.org\/0009-0009-8752-706X","authenticated-orcid":false,"given":"Marina","family":"Liu","sequence":"first","affiliation":[{"name":"Deakin University Deakin Cyber Research and Innovation Centre, , 221 Burwood Highway, Burwood, VIC 3125 ,","place":["Australia"]},{"name":"Deakin University School of Information Technology, , 221 Burwood Highway, Burwood, VIC 3125 ,","place":["Australia"]}]},{"given":"Malcolm","family":"Shore","sequence":"additional","affiliation":[{"name":"Deakin University Deakin Cyber Research and Innovation Centre, , 221 Burwood Highway, Burwood, VIC 3125 ,","place":["Australia"]}]},{"given":"William","family":"Yeoh","sequence":"additional","affiliation":[{"name":"Hong Kong Metropolitan University Lee Shau Kee School of Business and Administration, , Ho Man Tin , Hong Kong SAR"}]},{"given":"Frank","family":"Jiang","sequence":"additional","affiliation":[{"name":"Deakin University Deakin Cyber Research and Innovation Centre, , 221 Burwood Highway, Burwood, VIC 3125 ,","place":["Australia"]},{"name":"Deakin University School of Information Technology, , 221 Burwood Highway, Burwood, VIC 3125 ,","place":["Australia"]}]},{"given":"Sherali","family":"Zeadally","sequence":"additional","affiliation":[{"name":"University of Kentucky College of Communication and Information, , 308 Lucille Little Library, Lexington, KY 40506 ,","place":["United States"]},{"name":"Imam Abdulrahman bin Faisal University (IAU) , Dammam ,","place":["Saudi Arabia"]}]}],"member":"286","published-online":{"date-parts":[[2025,8,20]]},"reference":[{"key":"2025082009244970600_bib1","volume-title":"Information Security, Cybersecurity and Privacy Protection\u2014Information Security Management Systems\u2014Requirements","author":"ISO"},{"key":"2025082009244970600_bib2","volume-title":"Security and Privacy Controls for Information Systems and Organizations","author":"NIST"},{"key":"2025082009244970600_bib3","first-page":"257","article-title":"Methodology of ISMS establishment against modern cybersecurity threats","volume-title":"Proceedings of the Fourteenth IEEE International Conference on Advanced Trends in Radio electronics","author":"Susukailo","year":"2018"},{"key":"2025082009244970600_bib4","volume-title":"ISO\/IEC 27002: Code of Practice for Information Security Management","author":"ISO"},{"key":"2025082009244970600_bib5","doi-asserted-by":"crossref","first-page":"97","DOI":"10.1016\/j.cose.2013.04.004","article-title":"From information security to cyber security","volume":"38","author":"Solms","year":"2013","journal-title":"Comput Secur"},{"key":"2025082009244970600_bib6","doi-asserted-by":"publisher","first-page":"68","DOI":"10.1145\/3285957.3285971","article-title":"Shifting from information security towards a cybersecurity paradigm","volume-title":"Proceedings of the 2018 Tenth International Conference on Information Management and Engineering","author":"Althonayan","year":"2018"},{"key":"2025082009244970600_bib7","first-page":"1","article-title":"From information security to cyber security cultures","author":"Reid","year":"2014","journal-title":"Proceedings of the\u00a02014 Information Security for South Africa"},{"key":"2025082009244970600_bib8","doi-asserted-by":"publisher","first-page":"2181","DOI":"10.3390\/electronics11142181","article-title":"Understanding cybersecurity frameworks and information security standards\u2014a review and comprehensive overview","volume":"11","author":"Taherdoost","year":"2022","journal-title":"Electronics"},{"key":"2025082009244970600_bib9","doi-asserted-by":"publisher","first-page":"7","DOI":"10.1365\/s43439-021-00045-4","article-title":"Cyber governance studies in ensuring cybersecurity: an overview of cybersecurity governance","volume":"3","author":"Savas","year":"2022","journal-title":"Int Cybersecur Law Rev"},{"key":"2025082009244970600_bib10","doi-asserted-by":"publisher","first-page":"1641","DOI":"10.1109\/COMPSAC48688.2020.00-20","article-title":"A NIS directive compliant cybersecurity maturity assessment framework","volume-title":"Proceedings of the 2020 IEEE Forty-Fourth Annual Computers, Software, and Applications Conference (COMPSAC)","author":"Drivas","year":"2020"},{"key":"2025082009244970600_bib11","volume-title":"Recommended Security Controls for Federal Information Systems","author":"NIST"},{"key":"2025082009244970600_bib12","volume-title":"Cybersecurity Framework","author":"NIST"},{"key":"2025082009244970600_bib13","doi-asserted-by":"publisher","DOI":"10.1093\/cybsec\/tyaa005","article-title":"Integrating cost\u2013benefit analysis into the NIST cybersecurity framework via the Gordon\u2013Loeb model","volume":"6","author":"Gordon","year":"2020","journal-title":"J Cybersecur"},{"key":"2025082009244970600_bib14","volume-title":"The NIST Cybersecurity Framework (CSF) 2.0","author":"NIST"},{"key":"2025082009244970600_bib15","volume-title":"COBIT 2019 Framework: Governance and Management Objectives","author":"ISACA"},{"key":"2025082009244970600_bib16","first-page":"151","article-title":"Desirable characteristics for an ISMS oriented to SMEs","volume-title":"Proceedings of the Eighth International Workshop on Security in Information Systems (WOSIS11)","author":"Santos-Olmo","year":"2011"},{"key":"2025082009244970600_bib17","doi-asserted-by":"publisher","first-page":"339","DOI":"10.1016\/j.procs.2016.09.167","article-title":"ISMS core processes: a study","volume":"100","author":"Haufe","year":"2016","journal-title":"Proc Comput Sci"},{"key":"2025082009244970600_bib18","first-page":"134","article-title":"IT security management in small and medium enterprises","volume":"16","author":"Polkowski","year":"2017","journal-title":"Sci Bull Econ Sci"},{"key":"2025082009244970600_bib19","volume-title":"Cybersecurity Framework","author":"NIST"},{"key":"2025082009244970600_bib20","doi-asserted-by":"crossref","first-page":"102306","DOI":"10.1016\/j.cose.2021.102306","article-title":"Maturity level assessments of information security controls: an empirical analysis of practitioners assessment capabilities","volume":"108","author":"Schmitz","year":"2021","journal-title":"Comput Secur"},{"key":"2025082009244970600_bib21","doi-asserted-by":"crossref","first-page":"627","DOI":"10.1108\/ICS-03-2019-0039","article-title":"Information and cyber security maturity models: a systematic literature review","volume":"28","author":"Rabii","year":"2020","journal-title":"Inf Comput Secur"},{"key":"2025082009244970600_bib22","volume-title":"Information Technology\u2014Security Techniques\u2014Systems Security Engineering\u2014Capability Maturity Model (SSE-CMM)","author":"ISO"},{"key":"2025082009244970600_bib23","volume-title":"Open Information Security Management Maturity Model (O-ISM3)","author":"OpenGroup"},{"key":"2025082009244970600_bib24","doi-asserted-by":"publisher","first-page":"193","DOI":"10.1016\/j.eij.2020.08.001","article-title":"Adopting security maturity model to the organizations\u2019 capability model","volume":"22","author":"Al-Matari","year":"2021","journal-title":"Egypt Inf J"},{"key":"2025082009244970600_bib25","doi-asserted-by":"publisher","first-page":"3660","DOI":"10.3390\/app10103660","article-title":"A holistic cybersecurity maturity assessment framework for higher education institutions in the United Kingdom","volume":"10","author":"Aliyu","year":"2020","journal-title":"Appl Sci"},{"key":"2025082009244970600_bib26","first-page":"277","article-title":"Capability maturity model and metrics framework for cyber cloud security","volume":"18","author":"Le","year":"2017","journal-title":"Scalable Comput"},{"key":"2025082009244970600_bib27","first-page":"975","article-title":"A maturity level framework for measurement of information security performance","volume":"141","author":"Rosmiati","year":"2016","journal-title":"Int J Comput Appl"},{"key":"2025082009244970600_bib28","doi-asserted-by":"publisher","first-page":"10","DOI":"10.5815\/ijitcs.2018.04.02","article-title":"Measuring the information security maturity of enterprises under uncertainty using fuzzy AHP","volume":"10","author":"Nasser","year":"2018","journal-title":"IJITCS"},{"key":"2025082009244970600_bib29","volume-title":"Information Technology\u2014Security Techniques\u2014Information Security Management\u2014Monitoring, Measurement, Analysis and Evaluation","author":"ISO"},{"key":"2025082009244970600_bib30","doi-asserted-by":"publisher","first-page":"224","DOI":"10.1109\/SECURWARE.2008.7","article-title":"Appraisal of the effectiveness and efficiency of an information security management system based on ISO 27001","volume-title":"Proceedings of the 2008 Second International Conference on Emerging Security Information, Systems and Technologies","author":"Boehmer","year":"2008"},{"key":"2025082009244970600_bib31","doi-asserted-by":"crossref","first-page":"224","DOI":"10.1109\/CNMT.2009.5374634","article-title":"Measuring effectiveness of information security management","volume-title":"Proceedings of the 2009 International Symposium on Computer Network and Multimedia Technology","author":"Liu","year":"2009"},{"key":"2025082009244970600_bib32","first-page":"1","article-title":"The measurement design of Information Security Management System","volume-title":"Proceedings of the Eighth International Conference on Telecommunication Systems Services and Applications (TSSA)","author":"Nancylia","year":"2014"},{"key":"2025082009244970600_bib33","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1371\/journal.pone.0163050","article-title":"Measuring information security performance with 10 by 10 model for holistic state evaluation","volume":"11","author":"Bernik","year":"2016","journal-title":"PLoS One"},{"key":"2025082009244970600_bib34","doi-asserted-by":"crossref","first-page":"398","DOI":"10.1016\/j.im.2013.05.005","article-title":"Understanding the most critical skills for managing IT projects: a Delphi study of IT project managers","volume":"50","author":"Keil","year":"2013","journal-title":"Inf Manag"},{"key":"2025082009244970600_bib35","doi-asserted-by":"publisher","first-page":"1785","DOI":"10.1016\/j.procs.2023.01.474","article-title":"Model to improve an ERP implementation based on agile best practice: a Delphi study","volume":"219","author":"Salas","year":"2023","journal-title":"Proc Comput Sci"},{"key":"2025082009244970600_bib36","doi-asserted-by":"crossref","first-page":"15","DOI":"10.1016\/j.im.2003.11.002","article-title":"The Delphi method as a research tool: an example, design considerations and applications","volume":"42","author":"Okoli","year":"2004","journal-title":"Inf Manag"},{"key":"2025082009244970600_bib37","doi-asserted-by":"publisher","first-page":"1525","DOI":"10.1016\/j.techfore.2012.04.013","article-title":"Consensus measurement in Delphi studies: review and implications for future quality assurance","volume":"79","author":"Gracht HAvd","year":"2012","journal-title":"Technol Forecast Soc Change"},{"key":"2025082009244970600_bib38","doi-asserted-by":"crossref","first-page":"103412","DOI":"10.1016\/j.cose.2023.103412","article-title":"Zero trust cybersecurity: critical success factors and a maturity assessment framework","volume":"133","author":"Yeoh","year":"2023","journal-title":"Comput Secur"},{"key":"2025082009244970600_bib39","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1016\/j.mex.2020.101081","article-title":"A modified Delphi method to elicit and compare perceptions of industry trends","volume":"7","author":"Egfjord","year":"2020","journal-title":"MethodsX"},{"key":"2025082009244970600_bib40","volume-title":"Research Design : Qualitative, Quantitative, and Mixed Methods Approaches","author":"Creswell","year":"2018"},{"key":"2025082009244970600_bib41","doi-asserted-by":"publisher","first-page":"1358","DOI":"10.1002\/jac5.1441","article-title":"Research and scholarly methods: semi-structured interviews","volume":"4","author":"Adeoye-Olatunde","year":"2021","journal-title":"J Am Coll Clin Pharm"},{"key":"2025082009244970600_bib42","doi-asserted-by":"publisher","DOI":"10.1093\/cybsec\/tyac004","article-title":"Cybersecurity service level agreements: understanding government data confidentiality requirements","volume":"8","author":"Nugraha","year":"2022","journal-title":"J Cybersecur"},{"key":"2025082009244970600_bib43","doi-asserted-by":"publisher","first-page":"589","DOI":"10.1080\/2159676X.2019.1628806","article-title":"Reflecting on reflexive thematic analysis","volume":"11","author":"Braun","year":"2019","journal-title":"Qual Res Sport Exercise Health"},{"key":"2025082009244970600_bib44","doi-asserted-by":"crossref","first-page":"308","DOI":"10.1177\/152715440000100409","article-title":"Building consensus using the policy Delphi method","volume":"1","author":"Rayens","year":"2000","journal-title":"Pol Polit Nurs Pract"},{"key":"2025082009244970600_bib45","doi-asserted-by":"publisher","first-page":"75","DOI":"10.1080\/10437797.1994.10672215","article-title":"The Delphi study in field instruction revisited: expert consensus on issues and research priorities","volume":"30","author":"Raskin","year":"1994","journal-title":"J Soc Work Educ"},{"key":"2025082009244970600_bib46","doi-asserted-by":"publisher","first-page":"195","DOI":"10.1093\/her\/cyg111","article-title":"Determinants of forward stage transitions: a Delphi study","volume":"20","author":"Vet","year":"2005","journal-title":"Health Educ Res"},{"key":"2025082009244970600_bib47","doi-asserted-by":"publisher","DOI":"10.1201\/b17776","volume-title":"Enterprise Security Architecture: A Business-Driven Approach","author":"Sherwood","year":"2005"}],"container-title":["Journal of Cybersecurity"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/academic.oup.com\/cybersecurity\/article-pdf\/11\/1\/tyaf020\/64094497\/tyaf020.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/academic.oup.com\/cybersecurity\/article-pdf\/11\/1\/tyaf020\/64094497\/tyaf020.pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,8,20]],"date-time":"2025-08-20T13:24:59Z","timestamp":1755696299000},"score":1,"resource":{"primary":{"URL":"https:\/\/academic.oup.com\/cybersecurity\/article\/doi\/10.1093\/cybsec\/tyaf020\/8238597"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025]]},"references-count":47,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2025,1,17]]}},"URL":"https:\/\/doi.org\/10.1093\/cybsec\/tyaf020","relation":{},"ISSN":["2057-2085","2057-2093"],"issn-type":[{"value":"2057-2085","type":"print"},{"value":"2057-2093","type":"electronic"}],"subject":[],"published-other":{"date-parts":[[2025]]},"published":{"date-parts":[[2025]]},"article-number":"tyaf020"}}