Cybersecurity maturity assessment framework for higher education institutions in Saudi Arabia

Importance of HEIs security

Digitizing the educational services makes the HEIs more targeted by cybersecurity attacks, like any other organization. However, HEIs lack the security awareness needed to handle these security issues (Hina & Dominic, 2018). Therefore, they could use systems such as m-learning systems with security risks (Badwelan, Drew & Bahaddad, 2016). This could happen because there is neither standards nor guidelines to be applied or forced in HEIs. Moreover, most organizations do not monitor their users’ misbehavior (Hina & Dominic, 2018). Since not all IT departments in higher education institutions/universities have the same experience and understanding of how important cybersecurity is, they do not treat it as a continuous process. Therefore, they are relying on the security of well-known systems, which is not always enough. For example, Michigan University (MU) data was breached, which caused private information to be stolen (Al-Serhani et al., 2018). Another data leakage in HEIs was occurred at the University of Texas, Austin. In this incident, nearly 200,000 students’ electronic records were accessed illegally (Marks, 2007). The risk of security vulnerabilities rises because of the lack of technical knowledge and social awareness of these threats (Makupi & Masese, 2019).

Hence, the higher education institutions and universities should learn lessons from the previous hacking scenarios in the HEI services and be always ready to defend against all possible attacks that might target their digital, computer-based systems and start improving the security at all the levels: technical, physical, and administrative (Al-Serhani et al., 2018; Makupi & Masese, 2019). This is important because if the platforms used in HEIs are not secure enough, the copyright of learning materials might not be secure as well (Alrasheedi & Capretz, 2013). Furthermore, cybersecurity experts find that improving cybersecurity education helps in preventing security attacks in other critical sectors such as health. This is because the education sector is the entry point to any professional life (Ajmi et al., 2019).

In Saudi Arabia, the government is investing a lot in improving information technology sectors, especially education. However, challenges arise to handle the security threats that target these organizations (Alotaibi & Elnaim, 2020).

Related cybersecurity maturity models and standards

Many methodologies have been proposed to improve cybersecurity practices within organizations. There are different types of methods used to do such proposals. For instance, Gerl et al. (2021), stated that to improve organizations’ security, framework standards such as COBIT can be applied. Proença & Borbinha (2018) presented a maturity model based on ISO/IEC 27001 to improve information security management systems. Another method, followed by Altameem (2013) which uses qualitative research to propose different factors to improve the security of systems.

Differently, various cybersecurity maturity models were developed according to the needs of organizations. Nowadays, the most common cybersecurity maturity models are created using different national and international standards such as ISO/IEC 27001, the National Institute of Standards and Technology (NIST), and European & American standards for cybersecurity. Moreover, ISO/IEC 27001 was created based on ISO/IEC 17799 and the British Standard BS7799. Its purpose is to improve and maintain the Information Security Management System (ISMS) by providing related requirements. Also, ISO/IEC 27001 considers ISMS as a component of the management system. ISMS takes care of establishing, implementing, operating, monitoring, reviewing, maintaining, and improving information security.

Even though the current used maturity models provide a way for assessing the security maturity level in different systems and organizations, it is not easy to create cybersecurity models and establish mechanisms for protecting cyberspace because both cyberspace & cybersecurity definitions and scopes are still not well defined. Additionally, existing maturity models establish basic compliance models and not flexible security models responsive to the new emerging security threats. Moreover, these models should enable users of various perspectives from all levels, such as practitioners, security experts, and management. This helps in measuring the overall security level of the organization/system and addressing its weaknesses. Finally, current maturity models use qualitative metrics or processes without considering quantitative metrics as an essential aspect for security assessment (Aliyu et al., 2020). Almuhammadi & Alsaleh (2017) presented a maturity model based on NIST Cyber Security Framework (CSF). The proposed maturity model compares NIST CSF to other security-related standards and frameworks such as COBIT and ISO/IEC 27001 (Almuhammadi & Alsaleh, 2017).

For higher education institutions, different maturity models were presented. Makupi & Masese (2019) introduced a model based on ISO 27001 to know the maturity level of cybersecurity in universities using clauses and compliance levels related to higher education institutions. Another model was proposed by Bass (2011) called ICT Maturity Model. The model consists of eight levels derived from different documents and results of the chosen higher education institutions and schools’ analysis. Yaokumah & Dawson (2019) used ISO/IEC 21827 maturity model for measuring the security controls in Ghanaian higher educational institutions. Suwito et al. (2016) created a maturity assessment model for Indonesian higher education institutions by combining different standards and models such as COBIT® 4.1, ITIL v3, and ISO/IEC 27001. Hung, Hwang & Liu (2013) did a study to improve Taiwanese universities’ Information Security Governance (ISG) maturity by doing a questionnaire survey. Then, the ISG maturity model was built by extracting the relevant features. Ismail et al. (2010) designed information security framework specific for higher education institutions in Malaysia. The authors in Aliyu et al. (2020), presented a web-based maturity model as an assessment tool for cybersecurity in higher education institutions in the UK. The model is called Holistic Cybersecurity Maturity Assessment Framework (HCYMAF) that covers privacy and cybersecurity regulations in higher education institutions. HCYMAF basic idea was to map the general security requirements derived from cybersecurity best practices (e.g., NIST Framework) with certification tools and regulations such as PCI DSS, GDPR, and DSPT. Bolanio et al. (2021) used ISO 27033 standard to help in improving network security in higher education institutions. Another approach proposed by Aedah & Hoga (2020) applied ISO 27001:2013 standard as a way to measure the maturity level of information system security practices in HEIs.

Saudi Arabia security, maturity frameworks, and standards

In Saudi Arabia (SA), securing an organization is very important because of the high percentage of attacks compared to other countries. SA was targeted by many attacks, such as the Triton attack at ARAMCO and the Interior Ministry attack, called TASNEE (Ajmi et al., 2019). For HEIs, unlike Europe and North America, when it comes to universities, there might be a shortage of IT staff in KSA universities with immature ICT infrastructure (Alharthi et al., 2017). Chan & Mubarak (2012) did a study on the higher education sector and found that employees lack information security awareness. Therefore, security issues should be taken seriously when developing an infrastructure for universities (Ahmed, Buragga & Ramani, 2011). To face such issues, the Saudi Arabia government introduced multiple laws two of them are: e-transactions law, to regulate online transactions, and anti-cybercrime law, to limit the crimes of abusing IT, computers, and Internet (Ministry of Communications and Information Technology of Saudi Arabia, 2010; Ministry of Communications and Information Technology of Saudi Arabia, 2007). The National Cybersecurity Authority (NCA) developed Essential Cybersecurity Controls (ECC) based on national and international standards and laws to help organizations follow the best cybersecurity practices (National Cybersecurity Authority of Saudi Arabia, 2018). Based on these controls and other international standards, the Communications and Information Technology Commission (CITC) created a framework for the ICT sector entitled Cybersecurity Regulatory Framework (CRF) (Communications and Information Technology Commission of Saudi Arabia (CITC), 2019) which will be discussed in the following section. Moreover, a security policies framework for government agencies in need of such standards in cybersecurity were formerly developed (Communications and Information Technology Commission of Saudi Arabia (CITC), 2011). To regulate and secure financial services, the Saudi Arabian Monetary Authority (SAMA) developed two frameworks. First, Cyber Security Framework to identify and handle the risks that face financial transactions (Saudi Arabian Monetary Authority (SAMA), 2017b). Second, Business Continuity Management (BCM) framework for organizations to ensure the availability and continuity of the services (Saudi Arabian Monetary Authority (SAMA), 2017a). For higher education, National eLearning Center introduced a guide to general quality control standards such as data privacy standard (National eLearning Center KSA, 2020). In academic literature, Alnatheer & Nelson (2009), proposed a conceptual framework to identify factors that aid in improving information security culture in Saudi Arabia. Another work was done to improve online retailing sector by (AlGhamdi, Drew & Alhussain, 2012). In this paper, the authors presented a five-part conceptual model to enable trust in online retailing, and one of the parts was improving the security of consumers in Saudi Arabia (AlGhamdi, Drew & Alhussain, 2012). A security legal framework was built for Saudi Arabia by using institutional theory (Singh & Alshammari, 2020). The authors (Al Hamed & Alenezi, 2016) developed a maturity model to measure the capability of business continuity management and disaster recovery (BCM/DR) for IT companies in Saudi Arabia. The objective of the model was to compare BCM/DR to CITC practices along with the security standard ISO 22301:2012 (Al Hamed & Alenezi, 2016).

Saudi Arabia HEIs frameworks

To improve the security in Saudi Arabia’s higher education institutions, some models proposed in the literature and will be highlighted in this section. The authors of Ajmi et al. (2019) proposed a holistic cybersecurity model to create an effective collective measure that incorporates three sub-models (Educational, Healthcare, and Commerce) that target Small and Medium Enterprises (SMEs). These models are linked together such that one type of SMEs can share its expertise and intelligence to fulfill the needs of the other types of SMEs (Ajmi et al., 2019). Aziz & Shahzad (2015) proposed factors to measure the quality of Information Technology Enabled Services (ITES) in higher education institutions. One of these factors was related to security features implemented in ITES. However, this model was simple and did not consider Saudi Arabia’s regulations and recognized standards.

Table 1 shows a comparative analysis among the related, existing cybersecurity maturity frameworks in terms of their purposes, the scope they cover, whether generic or HEI-specific, the standards they followed, and if their coverages were national or international. In the context of SA HEIs, the table highlights (a) if the proposed Saudi maturity assessment framework has followed the critical SA cybersecurity standards, including CRF and ECC, and (b) if the framework is implemented as a service (IaS). This allows the institution to self-measure its cybersecurity maturity level against Saudi and international standards using a lightweight and user-friendly tool. For examples, some of the proposed frameworks were general such as (Proença & Borbinha, 2018; Almuhammadi & Alsaleh, 2017). Others were HEI-specific like (Makupi & Masese, 2019; Bass, 2011; Yaokumah & Dawson, 2019; Aliyu et al., 2020) that based mainly on international standards. In Saudi Arabia, different approaches were presented to improve cybersecurity in general and HEIs in particular (Alnatheer & Nelson, 2009; Singh & Alshammari, 2020; Ajmi et al., 2019). The rest of comparisons are shown in Table 1. Even though there are attempts to propose maturity models for HEIs, these models neither fit the current SA regulatory standards and policies nor complete enough to provide practical maturity models. For example, there are no existing models that have considered CRF or/and ECC. Moreover, the proposed models were not implemented in terms of software-based services. Additionally, the current models are either international-based only or local-based only but not an integration of both. Therefore, this research incorporates the current cybersecurity regulations and standards in SA and internationally to propose a practical model to assess the cybersecurity maturity in HEIs’ systems in specific.

Essential cybersecurity controls (ECC)

In 2018, The National Cybersecurity Authority (NCA) introduced Essential Cybersecurity Controls (ECC) to ensure organizations’ minimum cybersecurity requirements in Saudi Arabia in both public and private sectors. ECC’s main objective is to safeguard and force confidentiality, integrity, and availability of the organization’s information and technology assets. Moreover, ECC is used by the government as a compliance assessment method. ECC was built based on national and international cybersecurity frameworks and standards along with KSA national laws. As shown in Fig. 2, ECC covers five main domains, which are Cybersecurity Governance, Cybersecurity Defense, Cybersecurity Resilience, Third-Party & Cloud Computing Cybersecurity, and Industrial Control Systems Cybersecurity. Under these domains, there are 29 sub-domains with 114 security controls (National Cybersecurity Authority of Saudi Arabia, 2018).

Cybersecurity regulatory framework (CRF)

To increase the maturity level in the Information and Telecommunications sector (ICT), the Communications and Information Technology Commission (CITC) has developed a cybersecurity maturity framework to regulate the best practices. The framework is called the Cybersecurity Regulatory Framework (CRF). It was built originally to be used by licensed service providers in Saudi Arabia to fulfill the minimum security requirements. However, CRF is comprehensive in a way that makes it applicable in other types of organizations as well. CRF is developed to regulate the cybersecurity domain and increases its maturity. Moreover, it helps establish best practices in information security in the ICT sector by defining different cybersecurity requirements. Additionally, CRF ensures that the organization’s services have confidentiality, integrity, and availability (CIA). This framework is based on different international standards, such as ISO/IEC 27001, NIST, KSA NCA Essential Cybersecurity Controls (more details were provided in the previous section). Moreover, CRF follows the Saudi laws in E-Transaction and E-Crimes.

As shown in Fig. 3, CRF requirements are categorized into six domains: Governance, Asset Management, Cybersecurity Risk Management, Logical Security, Physical Security, and Third-Party Security. CRF incorporates three compliance levels: basic, advanced, and efficient monitoring & continuous improvement. The purpose of the last level is to monitor the efficiency of the basic and advanced security controls. The requirements are categorized by different compliance levels using a risk-based method. To comply with a CRF high level, there should be compliance with all the preceding levels (Communications and Information Technology Commission of Saudi Arabia (CITC), 2019).

As can be concluded from the above Saudi frameworks, CRF is a general cybersecurity regulatory framework, whereas ECC provides security controls for any ITC based system. Firstly, we could not find any existing research studies that highlight these two standards and define the relationship between them. Moreover, There is no clear, published, practical assessment approach that can be followed to ensure continuous compliance with ECC and CRF and to measure the security level of the HEI IT systems.

Holistic cybersecurity maturity assessment framework (HCYMAF)

Aliyu et al. (2020) presented a maturity model called Holistic Cybersecurity Maturity Assessment Framework (HCYMAF) for HEIs in the United Kingdom (UK). This model aims to measure the cybersecurity maturity of an organization by comparing it to the security best practices. Additionally, HCYMAF can serve as a gap-analysis and compliance-checking tool. The framework was built by reviewing the security requirements applicable to HEIs and with compliance to UK-recognized standards and regulations, including General Data Protection Regulation (GDPR) (EU, 2016), Payment Card Industry Data Security Standard (PCI DSS) (PCI Security Standards Council, 2018), and Data Security and Protection Toolkit (DSPT) (NHS Digital, 2020). HCYMAF has considered 15 general security requirements along with their sub-requirements. These requirements were selected based on various controls and standards, such as NIST framework (Barrett, 2018) and the Center for Internet Security (CIS) controls (Keller, 2019), and then were refined to be used for HEIs. These requirements were categorized into three groups: IDENTIFY (I), PROTECT & DETECT (P), and RESPOND & RECOVER (R) as shown in Fig. 4.

IDENTIFY requirements are important to understand the institution business and its operational ecosystem. For PROTECT & DETECT requirements, they are essential to detect different types of incidents and provide all kinds of protection to the institution’s services and assets. RESPOND & RECOVER requirements are necessary to respond properly when an incident happens and to recover after the attack. The division of the requirements is as follows:

• IDENTIFY requirements are from I1 to I4.

• PROTECT & DETECT requirements are from P5 to P13.

• RESPOND & RECOVER requirements are from R14 to R15.

The chosen regulations and standards (GDPR, PCI DSS, and DSPT) are then mapped with the HCYMAF requirements. Figure 4 also highlights this mapping. The numbers next to each requirement indicate the number of the standard’s requirements mapped to each HCMAF requirement. For example, requirement P5 in HCYMAF is mapped to two requirements in GDPR, one requirement in PCI-DSS, and one requirement in DSPT.

Moreover, the HCYMAF model consists of six maturity levels, ranges between 0 (the lowest) and five (the highest). To evaluate the framework and prove its effectiveness, interviews with security experts and a case study were conducted. Also, the model was validated by getting feedback from the scientific communities that were in charge of reviewing their academic articles related to HCYMAF model.

SCMAF security requirements and mappings

As can be concluded from work done in assessing the cybersecurity maturity level in SA organizations in general and HEIs in particular, there is a need to build a SA Cybersecurity Maturity Assessment Framework for HEIs (SCMAF). This framework needs to be comprehensive by considering the international standards and customized to fulfill the SA local cybersecurity regulatory frameworks. Also, this framework should offer a lightweight, automated assessment process to the HEIs so they can self-assess their security maturity level in a convenient and confidential way.

Therefore, to build SCMAF, all the requirements and security controls defined in CITC’s CRF and NCA’s ECC by the governmental agencies in Saudi Arabia were collected and studied. Then, a recent international cybersecurity maturity assessment model specialized for HEI was selected, which is HCYMAF that is introduced by Aliyu et al. (2020). Table 2 defines the list of SCMAF requirements and show their mappings with all related frameworks, HCYMAF, ECC, and CRF.

We followed the same categorization of the security requirements in HCYMAF, which are "IDENTIFY", "PROTECT & DETECT", and "RESPOND & RECOVER". For example, the first requirement in the proposed framework "SCMAF I1" under IDENTIFY category was mapped to HCYMAF I1, ECC 1–1, 1–2, 1–3, 1–4, and CRF 1.1, 1.2, 1.3. The requirements of the three existing standards and their identifiers were highlighted in the above two subsections.

The mapping results reveal that almost all CRF requirements were included in ECC. Also, HCYMAF and SA standards have much in common. Figure 5 illustrates the overlapping among the three frameworks and how the proposed SCMAF is comprehensive enough to (a) include all the requirements defined by them, (b) add missing security requirements, and (3) exclude the requirements that are not applicable in the context of higher education.

For example, one of the requirements (SCMAF P14) is added by the proposed SCMAF, inspired by CRF, but is missing in HCYMAF. SCMAF P14 is related to utilizing standardized security mechanisms for email and web browser protection. This is an essential requirement that needs to be considered and assessed in HEIs as these two services are highly demanded and used in the education sector.

On the other hand, there are requirements in CRF and ECC that do not apply to HEIs, such as those related to industrial control systems. In this case, they were considered not applicable and were excluded from the framework’s requirements. The complete list of SCMAF requirements and their descriptions in addition to the entire mapping with the SA and international security frameworks are shown in Table 2.

The implementation of the proposed SCMAF framework

To implement the proposed SCMAF and illustrate how it could be applied to assess the HEI systems and measure their cybersecurity maturity levels, a demonstration study is presented in this section. This study provides an exercise that (a) goes through the general flow of the proposed framework, (b) examines the level of maturity for each requirement by raising well-designed questions that address the degree of fulfilling the requirement, and (c) calculates an overall score and attaches it with a summary report.

Figure 6 shows the SCMAF system flow. As mentioned before, SCMAF is offered to the HEIs in terms of a lightweight automated tool that can be used online or downloaded to be executed offline. To get a copy of the assessment tool, the institution has to register with the tool’s provider and fill its information in order to login and access the tool. Then, based on the choice of the institution, the online or the offline version of the tool can be executed.

The SCMAF requirements are measured one by one. If the requirement is applicable by the institution, the related questions of the first level will be displayed. If these questions are answered with yes, then the following level’s questions will appear, and so forth. The level’s questions won’t be shown unless all preceding levels within the same requirement are achieved. Once the levels per requirement are examined, the tool moves to the following requirement and repeats the same process. The system follows client-server architecture with approximate computational complexity of O(n*k), where n is the number of requirements and k is the number of questions per requirement. The complexity was computed by considering all steps in the flow diagram to run in a constant time except going through the requirements and their corresponding questions.Thus, these steps will cost n*k operations, based on the number of requirements and questions.

A total of six levels of maturity are considered by SCMAF similar to HCYMAF model. The levels are summarized as follows:

• Level 0: INCOMPLETE. The requirement is either unknown, not applicable, ad hoc, or may not get completed.

• Level 1: INITIAL. The requirement is reactive and unpredictable. It could be achieved but with delay and over budget.

• Level 2: MANAGED. The achievement of the requirement is well planned, implemented, measured and under control.

• Level 3: DEFINED. The institution process to achieve the requirement is proactive, standardized and well-guided.

• Level 4: QUANTITATIVELY MANAGED. The institution is data-driven with quantitative performance indicators to streamline with the internal and external stakeholders’ needs.

• Level 5: OPTIMIZED. The institution approves a continuous improvement strategy for the requirement to ensure well adaptation to future changes.

The description of each level for each requirement is displayed to the institution to answer whether this level is achieved by the institution or not. The institution has only to reply by ‘yes’ to the level it is achieving per requirement. Otherwise, it replies with ‘no’ as shown in Fig. 7. Table 3 shows the levels of requirements that might be provided by an institution based on its status. For example, SCMAF I1 was not applicable by the institution, so it selected level 0 for it. Whereas, SCMAF R15, SCMAF R16, SCMAF P11.1, SCMAF I2, and SCMAF 14 are given levels of security 1–5 respectively.

Figure 8 illustrates how the institution observes the level of each requirement after their inputs by answering the questions. So, by only checking the chart, the institution can conclude the maturity level achieved by each requirement. Therefore, in this demo study, the institution reached the following levels for its requirements:

• INCOMPLETE: SCMAF I1, and SCMAF P11.2.

• INITIAL: SCMAF P6.1, SCMAF P8.1, SCMAF P9.1, SCMAF P10, SCMAF P10.2, SCMAF P14, and SCMAF R15.

• MANAGED: SCMAF P5, SCMAF P6.3, SCMAF P7, SCMAF P13, and SCMAF R16.

• DEFINED: SCMAF P11.1.

• QUANTITATIVELY MANAGED: SCMAF I2, and SCMAF P8.2.

• OPTIMIZED: SCMAF I4, SCMAF P6.3, SCMAF P8.3, SCMAF P9.2, and SCMAF P12.

After all requirements are assessed, the overall cybersecurity maturity score of the institution is calculated. Figure 9 provides a screenshot from the tool where it shows (a) the final score achieved by the institution, (b) the requirements levels chart, and (c) a summary of each requirement and which level it secures. From this screenshot, we can see that SCMAF I1 is not applicable. SCMAF I2 achieves level 4 where a description of level 4 is provided, SCMAF I3 reaches level 2, and also level 2 description is provided. This applies to the rest of the requirements. The institution can download and print the full report as well.

Based on the assessment results, the institutions become aware of their shortcomings regarding cybersecurity and start preparing enhancement plans according to their priorities.