{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,17]],"date-time":"2026-01-17T19:59:33Z","timestamp":1768679973509,"version":"3.49.0"},"reference-count":66,"publisher":"MDPI AG","issue":"1","license":[{"start":{"date-parts":[[2021,2,13]],"date-time":"2021-02-13T00:00:00Z","timestamp":1613174400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"DOI":"10.13039\/501100000780","name":"European Commission","doi-asserted-by":"publisher","award":["740787"],"award-info":[{"award-number":["740787"]}],"id":[{"id":"10.13039\/501100000780","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["JCP"],"abstract":"<jats:p>The cost of recovery after a cybersecurity attack is likely to be high and may result in the loss of business at the extremes. Evaluating the acquired cybersecurity capabilities and evolving them to a desired state in consideration of risks are inevitable. This research proposes the CYberSecurity Focus Area Maturity (CYSFAM) Model for assessing cybersecurity capabilities. In this design science research, CYSFAM was evaluated at a large financial institution. From the many cybersecurity standards, 11 encompassing focus areas were identified. An assessment instrument\u2014containing 144 questions\u2014was developed. The in-depth single case study demonstrates how and to what extent cybersecurity related deficiencies can be identified. The novel scoring metric has been proven to be adequate, but can be further improved upon. The evaluation results show that the assessment questions suit the case study target audience; the assessment can be performed within four hours; the organization recognizes itself in the result.<\/jats:p>","DOI":"10.3390\/jcp1010007","type":"journal-article","created":{"date-parts":[[2021,2,14]],"date-time":"2021-02-14T02:08:12Z","timestamp":1613268492000},"page":"119-139","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":26,"title":["The Cybersecurity Focus Area Maturity (CYSFAM) Model"],"prefix":"10.3390","volume":"1","author":[{"ORCID":"https:\/\/orcid.org\/0000-0001-6406-356X","authenticated-orcid":false,"given":"Bilge","family":"Yigit Ozkan","sequence":"first","affiliation":[{"name":"Department of Information and Computing Sciences, Utrecht University, Princetonplein 5, 3584 CC Utrecht, The Netherlands"}]},{"given":"Sonny","family":"van Lingen","sequence":"additional","affiliation":[{"name":"Department of Information and Computing Sciences, Utrecht University, Princetonplein 5, 3584 CC Utrecht, The Netherlands"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-9237-221X","authenticated-orcid":false,"given":"Marco","family":"Spruit","sequence":"additional","affiliation":[{"name":"Leiden Institute of Advanced Computer Science, Leiden University, Niels Bohrweg 1, 2333 CA Leiden, The Netherlands"},{"name":"Public Health and Primary Care, Leiden University Medical Center, Campus The Hague, Turfmarkt 99, 2511 DP The Hague, The Netherlands"}]}],"member":"1968","published-online":{"date-parts":[[2021,2,13]]},"reference":[{"key":"ref_1","unstructured":"World Economic Forum (2020). The Global Risks Report 2020, World Economic Forum."},{"key":"ref_2","unstructured":"Center for Strategic and International Studies (CSIS) (2019). Significant Cyber Incidents Since 2006, Center for Strategic and International Studies."},{"key":"ref_3","unstructured":"Symantec (2018). Internet Security Threat Report, Symantec."},{"key":"ref_4","doi-asserted-by":"crossref","first-page":"1129","DOI":"10.1177\/0954409719881849","article-title":"Cybersecurity for Railways\u2014A Maturity Model","volume":"234","author":"Kour","year":"2020","journal-title":"Proc. Inst. Mech. Eng. Part F J. Rail Rapid Transit"},{"key":"ref_5","doi-asserted-by":"crossref","first-page":"105837","DOI":"10.1016\/j.aap.2020.105837","article-title":"Cyber-Attacks in the next-Generation Cars, Mitigation Techniques, Anticipated Readiness and Future Directions","volume":"148","author":"Khan","year":"2020","journal-title":"Accid. Anal. Prev."},{"key":"ref_6","doi-asserted-by":"crossref","first-page":"102136","DOI":"10.1016\/j.cose.2020.102136","article-title":"A Multidisciplinary Approach to Internet of Things (IoT) Cybersecurity and Risk Management","volume":"102","author":"Choo","year":"2021","journal-title":"Comput. Secur."},{"key":"ref_7","doi-asserted-by":"crossref","first-page":"1773","DOI":"10.1007\/s42452-020-03559-4","article-title":"Artificial Intelligence and Machine Learning in Dynamic Cyber Risk Analytics at the Edge","volume":"2","author":"Radanliev","year":"2020","journal-title":"SN Appl. Sci."},{"key":"ref_8","doi-asserted-by":"crossref","first-page":"e23692","DOI":"10.2196\/23692","article-title":"Cybersecurity Risks in a Pandemic","volume":"22","author":"Williams","year":"2020","journal-title":"J. Med. Internet Res."},{"key":"ref_9","doi-asserted-by":"crossref","first-page":"98","DOI":"10.1007\/s10916-019-1507-y","article-title":"Transforming Healthcare Cybersecurity from Reactive to Proactive: Current Status and Future Recommendations","volume":"44","author":"Bhuyan","year":"2020","journal-title":"J. Med. Syst."},{"key":"ref_10","unstructured":"International Organization for Standardization (ISO) (2019, June 08). Benefits of Standards. Available online: http:\/\/www.iso.org\/cms\/render\/live\/en\/sites\/isoorg\/home\/standards\/benefits-of-standards.html."},{"key":"ref_11","doi-asserted-by":"crossref","first-page":"18","DOI":"10.1109\/52.219617","article-title":"Capability Maturity Model, Version 1.1","volume":"10","author":"Paulk","year":"1993","journal-title":"IEEE Softw. Los Alamitos"},{"key":"ref_12","unstructured":"Capability Maturity Model Institute (CMMI) (2018). CMMI Development, CMMI Institute."},{"key":"ref_13","doi-asserted-by":"crossref","first-page":"2927","DOI":"10.17705\/1CAIS.02927","article-title":"Maturity Models in Information Systems Research: Literature Search and Analysis","volume":"29","author":"Poeppelbuss","year":"2011","journal-title":"CAIS"},{"key":"ref_14","doi-asserted-by":"crossref","unstructured":"van Steenbergen, M., Bos, R., BrinkkemperInge, S., van de Weerd, I., and Bekkers, W. (2010). The Design of Focus Area Maturity Models. Global Perspectives on Design Science Research, Springer.","DOI":"10.1007\/978-3-642-13335-0_22"},{"key":"ref_15","unstructured":"Spruit, M., and Roeling, M. (2014, January 9\u201311). ISFAM: The Information Security Focus Area Maturity Model. Proceedings of the European Conference on Information Systems (ECIS) 2014, Tel Aviv, Israel."},{"key":"ref_16","unstructured":"European Union Agency for Cybersecurity (ENISA) (2020, December 24). Definition of Cybersecurity\u2014Gaps and Overlaps in Standardisation. Available online: https:\/\/www.enisa.europa.eu\/publications\/definition-of-cybersecurity."},{"key":"ref_17","unstructured":"International Organization for Standardization (ISO)\/International Electrotechnical Commission (IEC) (2017, December 14). ISO\/IEC 27032:2012-Information\u2014Security Techniques\u2014Guidelines for Cybersecurity. Available online: https:\/\/www.iso.org\/standard\/44375.html."},{"key":"ref_18","doi-asserted-by":"crossref","unstructured":"Scarfone, K., Benigni, D., and Grance, T. (2009). Cyber Security Standards. Wiley Handbook of Science and Technology for Homeland Security, American Cancer Society.","DOI":"10.1002\/9780470087923.hhs439"},{"key":"ref_19","unstructured":"European Cyber Security Organisation (ECSO) (2017). State of the Art Syllabus V2, ESCO."},{"key":"ref_20","unstructured":"International Organization for Standardization (ISO)\/International Electrotechnical Commission (IEC) (2017, December 15). ISO\/IEC 27001:2013-Information Technology\u2014Security Techniques\u2014Information Security Management Systems\u2014Requirements. Available online: https:\/\/www.iso.org\/standard\/54534.html."},{"key":"ref_21","unstructured":"International Organization for Standardization (ISO)\/International Electrotechnical Commission (IEC) (2017, December 15). ISO\/IEC 27033-1:2015-Information Technology\u2014Security Techniques\u2014Network Security\u2014Part 1: Overview and Concepts. Available online: https:\/\/www.iso.org\/standard\/63461.html."},{"key":"ref_22","unstructured":"International Organization for Standardization (ISO)\/International Electrotechnical Commission (IEC) (2017, December 15). ISO\/IEC 27034-1:2011-Information Technology\u2014Security Techniques\u2014Application Security\u2014Part 1: Overview and Concepts. Available online: https:\/\/www.iso.org\/standard\/44378.html."},{"key":"ref_23","unstructured":"International Organization for Standardization (ISO)\/International Electrotechnical Commission (IEC) (2017, December 15). ISO\/IEC 27035-1:2016-Information Technology\u2014Security Techniques\u2014Information Security Incident Management\u2014Part 1: Principles of Incident Management. Available online: https:\/\/www.iso.org\/standard\/60803.html."},{"key":"ref_24","unstructured":"International Organization for Standardization (ISO)\/International Electrotechnical Commission (IEC) (2020, February 19). ISO\/IEC 27036-1:2014. Available online: https:\/\/www.iso.org\/cms\/render\/live\/en\/sites\/isoorg\/contents\/data\/standard\/05\/96\/59648.html."},{"key":"ref_25","unstructured":"International Organization for Standardization (ISO)\/International Electrotechnical Commission (IEC). ISO\/IEC (2020, February 19). ISO\/IEC 29100:2011(En), Information Technology\u2014Security Techniques\u2014Privacy Framework. Available online: https:\/\/www.iso.org\/obp\/ui\/#iso:std:iso-iec:29100:ed-1:v1:en."},{"key":"ref_26","unstructured":"Mas, A., Mesquida, A., O\u2019Connor, R.V., Rout, T., and Dorling, A. Comparative Study of Cybersecurity Capability Maturity Models. Proceedings of the Software Process Improvement and Capability Determination."},{"key":"ref_27","unstructured":"Akinsanya, O.O., Papadaki, M., and Sun, L. (2019, January 29\u201330). Current Cybersecurity Maturity Models: How Effective in Healthcare Cloud?. Proceedings of the 5th Collaborative European Research Conference (CERC 2019), Darmstadt, Germany."},{"key":"ref_28","doi-asserted-by":"crossref","first-page":"627","DOI":"10.1108\/ICS-03-2019-0039","article-title":"Information and Cyber Security Maturity Models: A Systematic Literature Review","volume":"28","author":"Rabii","year":"2020","journal-title":"Inf. Comput. Secur."},{"key":"ref_29","doi-asserted-by":"crossref","first-page":"235","DOI":"10.1108\/JIC-05-2019-0128","article-title":"Modelling Adaptive Information Security for SMEs in a Cluster","volume":"21","author":"Ozkan","year":"2019","journal-title":"JIC"},{"key":"ref_30","unstructured":"Christopher, J.D., Gonzalez, D., White, D.W., Stevens, J., Grundman, J., Mehravari, N., and Dolan, T. (2014). Cybersecurity Capability Maturity Model (C2M2)."},{"key":"ref_31","unstructured":"SSE-CMM Project (2003). Systems Security Engineering Capability Maturity Model SSE-CMM Model Description Document."},{"key":"ref_32","doi-asserted-by":"crossref","unstructured":"Newhouse, W., Keith, S., Scribner, B., and Witte, G. (2017). National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework.","DOI":"10.6028\/NIST.SP.800-181"},{"key":"ref_33","unstructured":"The Open Group (2017). Open Information Security Management Maturity Model (O-ISM3), Version 2.0., The Open Group."},{"key":"ref_34","unstructured":"Koomen, T., and Pol, M. (1999). Test Process Improvement: A Practical Step-by-Step Guide to Structured Testing, Addison-Wesley Longman Publishing Co., Inc."},{"key":"ref_35","first-page":"35","article-title":"Improving IS Functions Step by Step: The Use of Focus Area Maturity Models","volume":"25","author":"Bos","year":"2013","journal-title":"Scand. J. Inf. Syst."},{"key":"ref_36","doi-asserted-by":"crossref","first-page":"75","DOI":"10.2307\/25148625","article-title":"Design Science in Information Systems Research","volume":"28","author":"Hevner","year":"2004","journal-title":"MIS Q."},{"key":"ref_37","doi-asserted-by":"crossref","first-page":"45","DOI":"10.2753\/MIS0742-1222240302","article-title":"A Design Science Research Methodology for Information Systems Research","volume":"24","author":"Peffers","year":"2007","journal-title":"J. Manag. Inf. Syst."},{"key":"ref_38","unstructured":"Baskerville, R., Pries-Heje, J., and Venable, J. Soft Design Science Methodology. Proceedings of the 4th International Conference on Design Science Research in Information Systems and Technology."},{"key":"ref_39","unstructured":"International Telecommunication Union (ITU) (2020, February 21). ICT Security Standards Roadmap. Available online: https:\/\/www.itu.int\/en\/ITU-T\/studygroups\/com17\/ict\/Pages\/default.aspx."},{"key":"ref_40","unstructured":"European Union Agency for Cybersecurity (ENISA) (2012). National Cyber Security Strategies: An Implementation Guide, ENISA."},{"key":"ref_41","unstructured":"International Electrotechnical Commission (IEC) (2013). Industrial Communication Networks: Network and System Security. Pt. 3,3: System Security Requirements and Security Levels, International Electrotechnical Commission (IEC)."},{"key":"ref_42","doi-asserted-by":"crossref","unstructured":"Nieles, M., Dempsey, K., and Pillitteri, V.Y. (2017). An Introduction to Information Security.","DOI":"10.6028\/NIST.SP.800-12r1"},{"key":"ref_43","doi-asserted-by":"crossref","unstructured":"Swanson, M., and Guttman, B. (1996). Generally Accepted Principles and Practices for Securing Information Technology Systems.","DOI":"10.6028\/NIST.SP.800-14"},{"key":"ref_44","unstructured":"North American Electric Reliability Corporation (NERC) (2010). Critical Infrastructure Protection Standards, NERC."},{"key":"ref_45","unstructured":"North American Electric Reliability Corporation (NERC) (2018, August 30). NERC Security Guidelines. Available online: https:\/\/www.nerc.com\/comm\/CIPC\/SecurityGuidelinesCurrent\/Electricity%20Sector%20Physical%20Security%20Guideline%20(Approved%20by%20CIPC%20-%20October%2028,%202013).pdf."},{"key":"ref_46","unstructured":"SANS Institute (2018). Critical Security Controls for Effective Cyber Defense, SANS Institute."},{"key":"ref_47","unstructured":"Office of the Superintendent of Financial Institutions (OSFI) (2013). Cyber Security Self-Assessment Guidance, OSFI."},{"key":"ref_48","unstructured":"National Institute of Standards and Technology (NIST) (2013). Security and Privacy Controls for Federal Information Systems and Organizations."},{"key":"ref_49","unstructured":"Information Assurance for Small and Medium Enterprises (IASME) Consortium (2018). The IASME Governance Standard for Information and Cyber Security, IASME."},{"key":"ref_50","unstructured":"Kostick, C. (2010). A Maturity Model for Enterprise Key Management, Ernst & Young."},{"key":"ref_51","unstructured":"Information Security Forum (ISF) (2018). The ISF Standard of Good Practice for Information Security, ISF."},{"key":"ref_52","doi-asserted-by":"crossref","unstructured":"Souppaya, M., and Scarfone, K. (2013). Guidelines for Managing the Security of Mobile Devices in the Enterprise.","DOI":"10.6028\/NIST.SP.800-124r1"},{"key":"ref_53","doi-asserted-by":"crossref","unstructured":"Souppaya, M., and Scarfone, K. (2013). Guide to Enterprise Patch Management Technologies.","DOI":"10.6028\/NIST.SP.800-40r3"},{"key":"ref_54","unstructured":"SANS Institute (2016). Security Awareness Roadmap, SANS Institute."},{"key":"ref_55","doi-asserted-by":"crossref","first-page":"165","DOI":"10.1016\/j.cose.2013.12.003","article-title":"Determining Employee Awareness Using the Human Aspects of Information Security Questionnaire (HAIS-Q)","volume":"42","author":"Parsons","year":"2014","journal-title":"Comput. Secur."},{"key":"ref_56","doi-asserted-by":"crossref","unstructured":"Jajodia, S., Shakarian, P., Subrahmanian, V.S., Swarup, V., and Wang, C. (2015). The Human Factor in Cybersecurity: Robust & Intelligent Defense. Cyber Warfare: Building the Scientific Foundation, Springer International Publishing.","DOI":"10.1007\/978-3-319-14039-1"},{"key":"ref_57","doi-asserted-by":"crossref","first-page":"e00346","DOI":"10.1016\/j.heliyon.2017.e00346","article-title":"Human Factors in Cybersecurity; Examining the Link between Internet Addiction, Impulsivity, Attitudes towards Cybersecurity, and Risky Cybersecurity Behaviours","volume":"3","author":"Hadlington","year":"2017","journal-title":"Heliyon"},{"key":"ref_58","unstructured":"Spruit, M., and de Boer, T. (2020, February 25). Business Intelligence as a Service: A Vendor\u2019s Approach. Available online: www.igi-global.com\/article\/business-intelligence-as-a-service\/126896."},{"key":"ref_59","unstructured":"Spruit, M., van Lingen, S., and Ozkan, B.Y. (2019, June 06). The CYSFAM Questionnaire: Assessing Cyber Security Focus Area Maturity. Available online: http:\/\/www.cs.uu.nl\/research\/techreps\/UU-CS-2019-003.html."},{"key":"ref_60","first-page":"9","article-title":"Mixed Methods: Combining Expert Interviews, Cross-Impact Analysis and Scenario Development","volume":"10","author":"Muskat","year":"2012","journal-title":"Electron. J. Bus. Res. Methods"},{"key":"ref_61","unstructured":"(ISC)2 (2020, February 21). Cybersecurity Certification|CISSP-Certified Information Systems Security Professional|(ISC)2. Available online: https:\/\/www.isc2.org:443\/Certifications\/CISSP."},{"key":"ref_62","first-page":"1329","article-title":"Capability Maturity Model and Metrics Framework for Cyber Cloud Security","volume":"18","author":"Ngoc","year":"2017","journal-title":"Scalable Comput. Pract. Exp."},{"key":"ref_63","unstructured":"Guenther, J., and Falk, I. (2007, January 8\u201310). Generalising from Qualitative Research: Case Studies from VET in Contexts. Proceedings of the AVETRA 10th Annual Conference, Footscray, VIC, Australia."},{"key":"ref_64","unstructured":"Kertysova, K., Bhattacharyya, K., Frinking, E., van der Dool, K., Mari\u010di\u0107, A., and Bhattacharyya, K. (2018). Cybersecurity: Ensuring Awareness and Resilience of the Private Sector across Europe in Face of Mounting Cyber Risks-Study."},{"key":"ref_65","unstructured":"Mayer, N. (2010, January 1\u20133). A Cluster Approach to Security Improvement According to ISO\/IEC 27001. Proceedings of the 17th European Systems & Software Process Improvement and Innovation Conference (EUROSPI\u201910), Grenoble, France."},{"key":"ref_66","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1186\/s40165-016-0022-1","article-title":"An Analytics Approach to Adaptive Maturity Models Using Organizational Characteristics","volume":"3","author":"Baars","year":"2016","journal-title":"Decis. Anal."}],"container-title":["Journal of Cybersecurity and Privacy"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/2624-800X\/1\/1\/7\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,11]],"date-time":"2025-10-11T05:23:42Z","timestamp":1760160222000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/2624-800X\/1\/1\/7"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,2,13]]},"references-count":66,"journal-issue":{"issue":"1","published-online":{"date-parts":[[2021,3]]}},"alternative-id":["jcp1010007"],"URL":"https:\/\/doi.org\/10.3390\/jcp1010007","relation":{},"ISSN":["2624-800X"],"issn-type":[{"value":"2624-800X","type":"electronic"}],"subject":[],"published":{"date-parts":[[2021,2,13]]}}}