A Questionnaire Model for Cybersecurity Maturity Assessment of Critical Infrastructures

  • Bilge Yigit Ozkan
  • Marco Spruit
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11398)


Critical infrastructures are important assets for the everyday life and wellbeing of people. People can be affected dramatically if critical infrastructures are vulnerable and not protected against various threats. Given the increasing cybersecurity risks and the large impact that these risks may have on critical infrastructures, assessing and improving the cybersecurity capabilities of service providers and administrators is crucial for sustainability.

This research aims to provide a questionnaire model for assessing and improving cybersecurity capabilities based on industry standards. Another aim of this research is to provide the service providers and administrators of critical infrastructures with personalized guidance and an implementation plan for cybersecurity capability improvement.


Cybersecurity Assessment Capability Improvement Critical infrastructure 



This work was made possible with funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No. 740787 (SMESEC). The opinions expressed and arguments employed herein do not necessarily reflect the official views of the funding body.



Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. Department of Information and Computing Sciences, Utrecht University, Utrecht, Netherlands