Towards an Information Security Awareness Maturity Model

In order to achieve continuous improvement Maturity Models (MM) are often used to assess the abilities of employees. Moreover, the continuous improvement is also required in the field of Information Security Awareness (ISA). This is due to the fact, that ISA trainings have to be repeated frequently in order to keep the level of awareness of the employees up and to stay in their mind. Within our research project, we are using the Integrated Behavorial Model (IBM) as definition of ISA. The IBM includes many different aspects like knowledge, attitude, and habit. We carried out a systematic literature review to determine if a MM based on the IBM can be defined to assess the maturity of ISA. Since the IBM covers aspects of psychology, we did not only search for MM for information security, since the human factor is often neglected. Moreover, the awareness is often only assessed via the knowledge of employees. However, knowledge is only one aspect of the IBM. At the end, none of the uncovered MMs considers all aspects of the IBM. In contrast to MM for information security, MM of other fields of research are considering psychological aspects if they are dealing with human factors. Therefore, it is possible to create a MM based on the IBM for ISA. Moreover, we can easily derive some of the used assessments for our MM.