Framework of Assessing Cybersecurity Maturity in Yemen Higher Education Institutions


Authors : Dr. Muneer Abduallh Saeed Hazaa; Ali Mohammed Ali Al-Aomari

Volume/Issue : Volume 10 - 2025, Issue 11 - November


Google Scholar : https://tinyurl.com/4ehzrt99

Scribd : https://tinyurl.com/m89j3445

DOI : https://doi.org/10.38124/ijisrt/25nov619



Abstract : The accelerating digital transformation of higher education has expanded institutions’ exposure to cyber threats, a challenge that is particularly acute in resource-constrained settings where budgets, regulatory guidance, and security awareness remain limited. While international frameworks such as ISO/IEC 27001 and the NIST Cybersecurity Framework (CSF) are robust, their complexity, cost, and limited contextual fit often hinder effective adoption in low-resource environments. This study introduces ISOGMAF—an Institutional Security Governance Maturity Assessment Framework tailored to Yemeni higher-education institutions (HEIs). ISOGMAF is developed through a multi-stage methodology that integrates international best practices, local regulatory considerations, and sector-specific requirements, translating controls into measurable components spanning 34 governance/control domains. The framework is empirically validated via a survey administered across Yemeni HEIs using a six-point Likert scale maturity instrument to rate and classify cybersecurity governance levels. Findings reveal substantive gaps across governance, awareness, and technical preparedness, yet indicate tangible potential for phased improvement guided by a context-aware, scalable roadmap. The contribution is twofold: (i) it operationalizes the localization of global cybersecurity frameworks for developing-country HEI contexts, and (ii) it provides an objective self-assessment mechanism that supports benchmarking and targeted enhancement of institutional cyber resilience.

Keywords : ISOGMAF; Cybersecurity Governance; Maturity; Higher Education; ISO/IEC 27001; NIST CSF; Readiness; Yemen.


