Cyber Security Maturity Assessment Framework for Technology Startups: A Systematic Literature Review

Cybersecurity has gained increasing importance among firms of different sizes and industries due to the significant rise of cyber-attacks over time. Technology startups are particularly vulnerable to cyber-attacks due to the lack of cyber security measures. This is because of limited human capital and financial resources to quantify cyber risks and allocate appropriate investments to cyber security. Technology startups are suppliers and vendors to large organisations such as MNCs, government and financial institutions. They could possibly have a network connection back to the large organisations and might even store confidential information of these large organisations such as financial records, personal data and other proprietary information. As such, with the lack of appropriate cyber security measures, technology startups may be an attack vector for malicious hackers to gain entry to the large organisations. Focusing on technology startups, this study conducted a systematic literature review on cyber security maturity assessment frameworks. This study addressed five research questions on the existing cyber security maturity assessment frameworks in various industries, the target for implementation, cyber security maturity level, shared control domains of these frameworks, and the quantification of the return of cyber security investments. Referring to the Preferred Reporting Items for Systematic Reviews and Meta-Analysis (PRISMA) checklist, a detailed analysis was performed on 24 published research articles (out of 650) from reputable journals and conference proceedings from January 2011 to June 2022. The results revealed the lack of an end-to-end cyber security maturity assessment framework for technology startups. Despite the similarities in the cyber security maturity level for certain frameworks, the results revealed no singular framework that can evaluate the cyber security maturity level of technology startups. The results further revealed the lack of studies on the quantification of the return of cyber security investments in an end-to-end cyber security maturity assessment framework for technology startups. This put the startup in a vulnerable position since management is not able to obtain relevant data on the startup's cyber maturity posture and without such information, they are not able to appropriately justify their security investments to mitigate the evolving cyber risks.