
A Comparative and Effectiveness Analysis of International and Regional Information Security Standards, Frameworks, and Legislation

Mirza, Muhammad Zubair (2025)

 
Open file
MirzaMuhammadZubair.pdf (553.3 kB)
Appendix_A_Comparative_Matrix.pdf (302.1 kB)
Appendix_B_Criticality_Survey.pdf (79.05 kB)
Appendix_B_Effectiveness_Survey.pdf (79.56 kB)
Cyber Security Controls Effectiveness Analysis(1-11).pdf (356.0 kB)
Effectiveness Survey Response Data_PDFA.pdf (268.5 kB)
Criticality Survey Response Data.pdf (749.6 kB)

Master's Programme in Information Technology
Faculty of Information Technology and Communication Sciences
Date of approval
2025-12-18
The permanent address of the publication is
https://urn.fi/URN:NBN:fi:tuni-2025121711829
Abstract
Cyber threats have been escalating at an unprecedented pace, which has caused corresponding growth in the field of information security. Information security has therefore been increasingly acknowledged as a strategic priority by both enterprises and regulatory bodies across the globe. Over the last decade, an increasing number of international and regional standards, frameworks, and legislative instruments have been issued to provide guidance for securing information and technological resources. Nevertheless, these documents vary greatly in scope, emphasis, and granularity of their implementation requirements. This thesis conducts a systematic inquiry into where these standards, frameworks, and statutes are coherent and where they are not, and to what extent they accomplish their intended protective outcomes in operational settings.

A mixed-methods research design was used, consisting of two phases separated by a time gap. The first phase was a criticality assessment aimed at identifying the information security sub-domains that security practitioners consider to be of "Extremely" or "Highly" critical importance to maintaining a strong security posture. The second phase investigated the implementation maturity and effectiveness of the identified critical sub-domains using a CMMI-based maturity model. Data were gathered using structured survey instruments distributed to information security professionals across a range of sectors and geographical locations.

Preliminary empirical results indicate that some areas are considered extremely and highly critical: cybersecurity strategy, risk management, incident response, data and information protection, business continuity management, and third-party cyber risk. The subsequent maturity assessment provides insight into the degree of implementation of these domains according to different standards, frameworks, and legislation, and hence reveals the differential efficacy of the current protective measures.
Collections
  • Theses - master's degree [42034]
Kalevantie 5
P.O. Box 617
33014 Tampere University
oa[@]tuni.fi | Privacy | Accessibility statement
 

 
