Towards maturity of information security maturity criteria: six lessons learned from software maturity criteria
Information Management & Computer Security
ISSN: 0968-5227
Article publication date: 1 December 2002
Abstract
Traditionally, information security management standards listing generic means of protection have received a lot of attention in the field of information security management. In the background, a few information security management-oriented maturity criteria have been laid down. These criteria can be regarded as the latest promising innovations on the information security checklist-standard family tree. Whereas information security maturity criteria have so far received inadequate attention in information security circles, software maturity endeavours have been the focus of constructive debate in software engineering circles. This paper aims to analyze what the alternative maturity criteria for developing secure information systems (IS) and software can learn from these debates on software engineering maturity criteria. First, it advances a framework synthesized from the IS and software engineering literatures, including six lessons that information security maturity criteria can learn from. Second, it pores over the existing information security maturity criteria in the light of this framework. Third, on the basis of the results of this analysis, it presents implications for practice and research.
Citation
Siponen, M. (2002), "Towards maturity of information security maturity criteria: six lessons learned from software maturity criteria", Information Management & Computer Security, Vol. 10 No. 5, pp. 210-224. https://doi.org/10.1108/09685220210446560
Publisher
MCB UP Ltd
Copyright © 2002, MCB UP Limited