Developing an Agile, Analytics-Based Information Security Maturity Framework for Malaysian SMEs: A Systematic Literature Review
DOI:
https://doi.org/10.24191/xjsx9r29
Keywords:
Agile, Information security, Security maturity, Malaysian SMEs, Analytics
Abstract
In the age of technology, information security is an essential component, especially for small and medium enterprises (SMEs), which are highly vulnerable to cyber risks. Unfortunately, Information Security Maturity Models (ISMM) have little or no provision for the SME context, particularly in Malaysia, owing to limited resources, intricate systems, and organizational cultures that are hostile towards new methodologies. This research synthesized content from 30 scientific articles from journals and conference proceedings to examine gaps in the approaches to ISMM. In addition, this research classifies relevant models for SMEs and assesses how current models can be accessed for SMEs, as well as developing new agile models and new analytics. The results revealed that there is a need for lighter and more flexible ISMM models that facilitate automated digital self-assessment. Therefore, this article presents a conceptual three-dimensional framework that combines elements of agility, suitability for SMEs, and analytic functionalities as a base for a contextual ISMM model for SMEs in Malaysia.
License
Copyright (c) 2026 Siti Zaleha Abd Goni, Qamarul Nazrin Harun

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
Copyright of articles that appear in the journal belongs exclusively to Faculty of Information Science, Universiti Teknologi MARA (Publisher). This copyright covers the rights to reproduce the article, including reprints, electronic reproductions or any other reproductions of similar nature.







