Create your own MUSE: A method for updating security level evaluation instruments

Number of security evaluation instruments and security maturity models have been developed to evaluate the security level of organizations. These instruments provide results that can be compared with industry-based benchmarks and track the dynamics of organizations' security posture internally. Threat landscape is constantly changing and security evaluation instruments should be updated accordingly. These updates should preserve the instrument's validity and ensure comparability with previous versions' results. Although several studies describe the creation of maturity models, surveys, and other security evaluation instruments, there has been little discussion about instrument attribute maintenance and updating methods for security evaluation instruments. This study presents a method for updating the security level evaluation instrument (MUSE). The MUSE can be used to update the maturity model or questionnaire-based survey-type instrument attributes. Each MUSE activity supports different aspects of instrument attribute validation and states the criteria for successfully passing the activity or returning to previous activities. The MUSE process is evaluated with the case study to update security maturity evaluation instrument F4SLE which is based on the Estonian Information Security Standard (E-ITS) and cross-referenced with ISO27002 standard controls.