Building an Architected Cyber Security Management Process Model Integrated with Maturity and Effectiveness Measurement

The traditional approach to managing a cyber security program is to implement an Information Security Management System (ISMS), based on one or a combination of standards such as ISO 27001, COBIT, or the NIST Cyber Security Framework. The effectiveness of the program may then be assessed with annual audits. However, the ongoing success of cyber attacks through phishing, ransomware and other means as demonstrated through data breach reporting suggests that the current approach to managing the cyber security program still needs improvement. To address this issue, we present an architected process model for cyber security management which through its design enables measurement of both its process maturity and control effectiveness. The model comprises 6 strategic processes, 13 tactical processes and 21 operational processes. To verify the usefulness of this operating model, we tested it with a multinational company. The case study reveals that the proposed model can provide valuable and instructive insights for managing cyber security within an organization. By adopting the model, organizations can enhance cyber security assurance and identify pathways to increase the effectiveness and maturity of their cyber security program.