Semi-automated Information Security Risk Assessment Framework for Analyzing Enterprises Security Maturity Level

Cited by: 2
Authors
Abazi, Blerton [1 ]
Ko, Andrea [2 ]
Affiliations
[1] Univ Business & Technol UBT, Prishtina, Kosovo
[2] Corvinus Univ Budapest, Budapest, Hungary
Source
RESEARCH AND PRACTICAL ISSUES OF ENTERPRISE INFORMATION SYSTEMS, CONFENIS 2019 | 2019 / Vol. 375
Keywords
Information security and privacy; Risk assessment; Enterprises; ISO 27001
DOI
10.1007/978-3-030-37632-1_13
CLC classification number
TP [Automation technology, computer technology]
Discipline classification number
0812
Abstract
While organizations spend millions of dollars on developing security systems at the highest level, one of the most significant areas of weakness and loss remains their employees. A lack of employee training and security expertise can therefore cause huge losses, despite other measures being put in place. Cyberattackers are often able to commit cybercrime because of a lack of qualified cyber-security staff and the limited number of IT staff employed to keep pace with continuing security development and advancement. Testing, training and employing staff is therefore a critical measure for all organizations to reduce vulnerabilities, yet it seems to be an area that is still not fully addressed. Businesses and organizations need to provide training that promotes understanding among staff at every level, so they are aware of their roles and responsibilities in protecting against security threats. However, this is a colossal undertaking, and until this learning gap is resolved, financial institutions must continue to fight and efficiently manage cybersecurity threats. The aim of the current research paper is to present and propose a semi-automated risk assessment framework and a security maturity model, which can be helpful for auditors, security officers and managers. It is based on ISO 27001 and utilizes the relevant standards as well. The related risk management solution is a web-based software application. The current study targeted information security in Kosovo, specifically in the banking sector, IT industry and insurance field.
Pages: 141 / 152
Page count: 12