As part of the SMESEC framework, Utrecht University will provide SMESEC information security maturity model (CySME) adjusted explicitly to SMEs.

At the core of the SMESEC framework are two security assessment models developed from 2011 onward at the Applied Data Science Lab in the Department of Information and Computing Sciences of Utrecht University: ISFAM and CYSFAM.

The Information Security Focus Area Maturity (ISFAM) model and the Cyber Security Focus Area Maturity (CYSFAM) model provide a highly complete security quick-scan for organisations based on both the state-of-the-art in scientific literature and industry standards including ISO27K. The assessment models have been evaluated successfully in various application domains such as telecom, logistics, healthcare, and finance.

The CYSFAM includes focus areas for application security, cybersecurity and network security, and a tentative relationship with internet security. Therefore, it is now becoming possible to attempt to create one harmonised, modular and federative maturity model for security focus areas that enables a complete security quick-scan tailored to specific organisational characteristics.

CySME will be developed by revising and extending the existing maturity models to make them better suitable for SMEs. Even more so, CySME will be designed in a way that SMEs can perform the security assessments themselves, without the help of IT experts. Also, the SMESEC technologies available from the SMESEC partners will be connected to the models to help implement the SME's desired security capabilities. The SMESEC pilots will be used as case studies to obtain in-depth feedback from end-users and experts. The validation results will be used to tailor the SMESEC assessment and improvement approach to the identified needs of SMEs and ecosystems.

UU's strategic goal is to contribute to establishing cybersecurity standardisation guidelines for organisations in general, and SMEs in particular.
UU's team consists of Bilge Yigit Ozkan, and Marco Spruit.