A Concept & Compliance Study of Security Maturity Models with

ISO 21827

Rabii Anass

, Assoul Saliha

and Roudi

es Ounsa

Mohammed V University in Rabat, EMI, Siweb Team, Morocco

Mohammed V University in Rabat, ENSMR, Siweb Team, Morocco

Keywords:

Information Security, Cyber Security, Information Systems, Maturity Model, ISO 21827, SSECMM,

CCSMM, MMISS-SME.

Abstract:

Ever since the success of maturity models in software engineering, the creation of security maturity models

began enlarging the choice pool for organizations. Yet their implementation rate has been low and their impact

difﬁcult to perceive. This security maturity model choice grew even larger in the last decade regardless of the

existence of the standard security maturity model ISO 21827. Amongst governmental approaches, CCSMM is

the US national security maturity model supported by a presidential policy for national preparedness. MMISS-

SME is one of the only validated security maturity model created by academia between 2007 and 2018. Our

research aims to study the added value and compliance of CCSMM and MMISS-SME with the ISO 21827

standard and their shared core concepts. We presented each security maturity model’s main lines and modeled

their core concepts. Our study shows that the standard encompasses all security engineering concepts yet

leaving room for characterization and customization to the organizations. However, CCSMM and MMISS-

SME provide nuances in both functions and concepts seeing that they were created for speciﬁc contexts such

as SMEs or the US local government and their vital organisms.

1 INTRODUCTION

The term ”maturity” describes the capacity to pro-

gressively improve a speciﬁc ability until it reaches

a desired goal or a normally occurring culmination

(Mettler, 2011). Maturity manifests in all aspects ca-

pable of change and improvement. Maturity mod-

els serve as a means to evaluate how organizations

manage that speciﬁc aspect and how they could im-

prove their current state. In our context, we address

security maturity models (SMM). The main func-

tions of a security maturity model usually are to as-

sess the state of security and to provide a road-map

for improvement (Le and Hoang, 2016). Therefore,

a maturity model deﬁnes multiple milestones an or-

ganization must reach to be at a certain ”Maturity

Level” by meeting a set of requirements. SMMs

rose to prominence after the success of the Capability

Maturity (CMM) Model used in software engineer-

ing (Humphrey, 1988). They stood out from the al-

ready used security standards ISO 27001/27002 (ISO,

2019b) or NIST framework (Barrett, 2020) for their

progressive improvement aspect. They provide bet-

ter insight for organizations in terms of security pri-

orities and targeted sets of actions (Mckinsey, 2017).

Security maturity models have become more abun-

dant with the creation of 20 newer SMM between

2007 and 2018 (Kassou and Kjiri, 2012) (Rigon et al.,

2014) (Barclay, 2014). Governments have also ac-

knowledged their utility by adopting existing secu-

rity maturity models or creating their own (ANSSI,

2009). Each of these security maturity models eval-

uates maturity differently by using different metrics

and therefore having different prerequisites to reach a

maturity level. The ISO initiative culminates with the

release of the ISO 21827 (ISO, 2019a) standard pro-

duced in 2002 and recently conﬁrmed in 2014. This

diversity joined to the domain dynamicity leads to

indecisiveness amongst organizations as well as the

academic community (ReaGuaman, 2017) (Le and

Hoang, 2016). Therefore, we think there is a need

to conduct an in-depth analysis of emerging SMMs in

relation to ISO 21827.

Our study focuses on 2 representative security ma-

turity models: The Community Cyber Security Ma-

turity Model (CCSMM) and the Maturity Model for

Information System Security in Small and Medium

Enterprises (MMISS-SME). We chose CCSMM for

our study because it is one of the most prominent

available governmental security maturity models in

Anass, R., Saliha, A. and Ounsa, R.

A Concept Compliance Study of Security Maturity Models with ISO 21827.

DOI: 10.5220/0009569703850392

In Proceedings of the 22nd International Conference on Enterprise Information Systems (ICEIS 2020) - Volume 2, pages 385-392

ISBN: 978-989-758-423-7

385

use (White, 2007). In fact, in 2011, it was chosen

as the USA’s governmental security maturity model

through the Presidential Policy Directive PPD-8: Na-

tional Preparedness (Department of Homeland Secu-

rity, 2018). On the other hand, according to recent

systematic literature review, most studies presenting

a security maturity model produced by academia be-

tween 2007 and 2018 haven’t evaluated the impact of

their models on the implementing organization (Ra-

bii A., 2020). This is presumably due to the difﬁculty

of implementing a security maturity model or the sen-

sitivity of this task. We have chosen MMISS-SME

amongst SMMs made by academia for having been

tested in 11 organizations providing an automated

tool for its implementation and guidance (S

anchez,

2007) (Sanchez et al., 2008). Our study seeks to an-

swer the following research questions:

• Given the existence of the ISO 21827 standard,

what is CCSMM’s and MMISS-SME’s speciﬁc

added value?

• What is the common core of concepts for these

security maturity models?

• Are CCSMM and MMISS-SME compliant with

ISO 21827?

To that end, we ﬁrst describe each SMM’s genesis

highlighting their objective. Then we present their

architecture by the means of our package diagrams

highlighting their different facets. Then, we detail

their core concepts. Afterwards, we verify concept

similarities and differences with ISO 21827 and what

they entail for the model’s main functions. We ﬁnally

discuss their compliance with the standard.

2 OVERVIEW OF ISO 21827,

CCSMM AND MMISS-SME

In this section we present ISO 21827, CCSMM and

MMISS-SME. We will discuss the context of their

genesis,outline their main functions through their ar-

chitectural model. Finally we analyze the concepts

they set forth.

2.1 ISO 21827

2.1.1 Genesis

ISO 21827 or SSECMM was created by the “Informa-

tion security, cyber security and privacy protection”

committee (ISO/IEC JTC 1/SC 27) to support organi-

zations in improving their security engineering prac-

tices for all security systems. Similarly to any ISO

standard, it went through many veriﬁcation phases

and ﬁnally approved by the Common Criteria and the

Alternative Assurance Working Groups. It was ﬁrst

published in 2002, revisited in 2008, validated in 2014

and is currently under review.

2.1.2 Main Lines & Architecture

ISO 21827 is used by organizations as a tool to eval-

uate their security engineering actions and provide an

improvement plan. As is shown in the domain model

in Fig 1, it is structured into 2 dimensions: Capabil-

ity dimension and Domain dimension. The capability

dimension contains the 6 maturity levels: Not Per-

formed, Performed Informally, Planned & Tracked,

Well Deﬁned, Qualitatively Controlled, and Contin-

uously Improving. Each maturity level is described

by a set of “Common Features” that encompass in-

stitutionalization of processes reﬂecting how secu-

rity is managed within the organization. For exam-

ple, “Deﬁning a standard process”, “Performing the

standard process” and “Coordinate practices” are the

”Common Features” for level 3. Each common fea-

ture is described by a set of “Generic Practices” (GP).

Figure 1: ISO 21827 Domain Model.

In the domain dimension, ISO 21827 deﬁnes 11

security engineering “Process Areas” (PA) and 11

project and organization PAs covering all aspects of

security engineering. Each process area has a set of

goals that represent the expected state of an orga-

nization that is successfully performing the process

area. Each PA includes all ”Base Practices” (BP) that

are required to meet its goals. The security maturity

evaluation grid is constituted of the pairing of all the

“Base Practices” of a PA with the GPs of all common

features.

2.1.3 Core Concepts

The concepts SSECMM details in its BPs and GPs

aim to thoroughly encompass all aspects of security

ICEIS 2020 - 22nd International Conference on Enterprise Information Systems

386

engineering as the SMM deﬁnes it. We propose the

package diagram in Fig 2 modeling these different as-

pects and which concepts they interact through.

Figure 2: ISO 21827 Domain Class Diagram.

First, the “Risk Management” aspect includes the

concepts involved in risk reduction. In fact, all As-

sets have Vulnerabilities and thus are under Threats.

This package also contains, the ensuing Risks, their

calculated Impact, the responsible Threat agent and

the probable Incident.

Figure 3: ISO 21827 Engineering Class Diagram.

In the “Engineering” package shown in Fig 3 ,we

modeled the Security Requirements that the System

has. Every requirement is either derived from in-

ternally expressed Security Goals or externally en-

forced Security Needs. The organization then imple-

ments a Security Control to fulﬁll these requirements.

A control is deﬁned as any asset designed to reduce

the level of an unaccepted risks by addressing one or

multiple security requirement. Finally, these controls

are periodically evaluated to see if they fulﬁll their

task or are in need of change, improvement or de-

commissioning.

The “Assurance” Package models the assurance

the system procures through each control’s Assurance

Evidence. The evidences ensure that every Assurance

Objective is met providing a guarantee that all Secu-

rity Needs and Security Goals are met.

Figure 4: ISO 21827 Process Management Class Diagram.

Lastly, the “Process Management” package mod-

eled in Fig 4 contains a set of Processes designed to

reach speciﬁc Goals while meeting a set of Quality

Requirements. Each process has Actors with differ-

ent Skills involved, follows a Planning and produces

Work products. Processes can also coordinate with

one another if needed.

2.2 CCSMM

2.2.1 Genesis

In 2006, The Center of Infrastructure Assurance and

Security (CIAS) at the University of Texas at San An-

tonio conducted multiple security exercises for the lo-

cal community determining that vital organisms re-

quired better security policies. The CCSMM was then

created to improve cyber readiness as a scaling model

aiming to reach nationwide use. It emphasizes the im-

portance of collaboration between entities, spreading

relevant and useful information for a better security

posture. The CCSMM distinguishes between differ-

ent scales of entities: organization, community, state,

and nation. The model remains unchanged from its

2006 version.

2.2.2 Main Lines & Architecture

The CCSMM offers a framework for security ma-

turity evaluation and model-based improvement, yet

does not precise the means. It urges for the implemen-

tation of the most adequate standards or approaches

A Concept Compliance Study of Security Maturity Models with ISO 21827

387

depending on the organization’s context such as the

recommended NIST’s “Framework for Improving

Critical Infrastructure Cyber Security”. This lets or-

ganizations choose which approach to implement de-

pending on internal context, changes in the ﬁeld or

policies.

The CCSMM aims to evaluate 4 areas of security

called “Dimensions”: Awareness, Information Shar-

ing, Policies and Planning. The human aspect being

the most important and the weakest link in security,

it is important to make sure that communities within

or outside the organization understand the importance

of cyber-threats, their own actions and their prepared-

ness. Information sharing sheds light on the impor-

tance of collaboration in order to improve the cur-

rent state of security or defend against an escalating

breach. Policies include all day to day activities de-

tailing the recommended course of action. Finally,

Planning deals with recovery and continuity plans.

Each of these dimensions has its own capability

level: Initial, Established, Self-Assessed, Integrated

and Vanguard. The capability level evaluation is done

through a set of predeﬁned exercises designed for

each dimension, capability level and scale. In order

to reach a certain maturity level, an organization must

work on:

• Metrics to watch for in assessments and how to

conduct them,

• Technologies that should be implemented,

• Training to achieve the necessary skill set for

stakeholders to have,

• Documented processes to follow.

2.2.3 Core Concepts

Since the CCSMM does not specify security require-

ments, the concepts it uses are either related to ”Risk

Management” or ”Capability Evaluation”.

The ”Capability Evaluation” package in Fig 5

models the evaluation of the Entity’s components us-

ing Exercises. An entity contains, a set of Actors, Ac-

tivities and Technologies. Every actor possesses Skills

and has had or must undergo Training. The entities

also have Communication Mechanisms for coopera-

tion. The CCSMM dictates that actors, technologies,

activities and communication mechanisms have to be

evaluated using speciﬁc Evaluation Metrics and Eval-

uation Mechanisms.

On the other hand, the ”Risk Management” pack-

age contains the base concepts such as Threat, the tar-

geted Entity, the exploited Vulnerability. However,

the CCSMM provides a typology of threats depend-

ing on Resources allocated and the Threat Agent’s

Figure 5: CCSMM Capability Evaluation.

Skill and Motives: Unstructured Threats, Structured

Threats and Highly Structured Threats.

2.3 MMISS-SME

2.3.1 Genesis

MMISS-SME was created through the joint efforts

of SICAMAN Nuevas Tecnolog

ıas and the ALAR-

COS Research Group as a security maturity model

speciﬁcally oriented towards Small and Medium En-

terprises (SME). This SMM was created to support

SMEs in creating their Information Security Manage-

ment System at a low implementation and mainte-

nance cost. Through their research, they sought to

adapt an existing security maturity model to the SME

context choosing ISO 27002 as the appropriate ap-

proach. This SMM was later validated through test

cases in 11 different organizations from different sec-

tors. Further plans were made aiming to facilitate the

creation of the improvement plan and keep updating

the tool to keep up with changes.

2.3.2 Main Lines & Architecture

MMISS-SME’s main contribution is helping SMEs

build a simple, cheap, rapid, automated, progressive

and maintainable security management system. The

model has only 3 maturity levels and reaching each

level provides the organization with a certiﬁcate ma-

terializing their progress. First, it sets to determine

which maturity level the organization should strive for

depending on several weighted factors such as num-

ber of employees, annual turnover and dependency on

the information system. Once the desired maturity

level is known, a security audit is conducted in or-

der to determine the current maturity level using the

ICEIS 2020 - 22nd International Conference on Enterprise Information Systems

388

Figure 6: MMISS-SME Risk Management Class Diagram.

controls from a detailed checklist. This checklist con-

sists of 735 sub-controls organized in dominions and

distributed over the maturity levels. To reach the fol-

lowing level, the SME must fulﬁll at least 75% of the

previous level’s controls; this accounts for normally

occurring time degradation. Next, in the risk analy-

sis phase, MMISS-SME uses association matrices to

minimize this phase’s cost and yield the best results

with minimum effort. Finally, the automated tool

provides adequate course of actions for improvement

highlighting which controls should be implemented

and deﬁning a priority order for efﬁciency.

2.3.3 Core Concepts

The MMISS-SME is centered around 2 packages: the

”Risk Management” package and the ”Information

Security Management System” (ISMS) package.

The MMISS-SME is centered on the “Risk Man-

agement” facet as it uses several matrices in order

to generate a risk model. The ISO 27002 standard

is used to supplement controls and common risks to

the association matrices. The matrices incorporate

and associate emphVulnerability, Threat, and Asset as

well as Security Controls subjected to an unaccepted

Risk. The level of fulﬁllment of these controls inﬂu-

ences the ISMS generation algorithm. Fig 6 models

the concepts intervening in this phase of this risk anal-

ysis phase.

In the third and ﬁnal ”ISMS Generation Phase”,

the ”ISMS” package incorporates all the results from

the previous phase to determine what Procedures,

Technical Instructions, Registers, etc must activate for

the organization. In this pha se, the tool relies on asso-

ciation matrices to deﬁne which objects of the ISMS

library to implement. These matrices use the rela-

tionship between existing Regulations, Documenta-

tion, and the Security Controls recommended by ISO

27002. The output of this phase is a set of regulations

and procedures that must be satisﬁed in order to im-

prove the organization’s security level. The tool also

provides priority levels for each requirement as well

as Metrics to measure security progression.

3 RESULTS

• Research Question 1: Given the existence of

the ISO 21827 standard, what is CCSMM’s and

MMISS-SME’s speciﬁc added value?

First of all, CCSMM and MMISS-SME share gen-

erally the same main function as ISO 21827: secu-

rity maturity evaluation. However, each of them was

designed for a different scope and purpose therefore

yielding different realizations. ISO 21827 is a stan-

dard designed to be used by all organizations of all

types and sizes. It encompasses the entire engineer-

ing life cycle, the whole organization as well as in-

teractions with other facets and other organizations.

MMISS-SME on the other hand acknowledges the

challenge small and medium organizations face and

therefore its added value is providing a model less

complex, less demanding and also providing an au-

tomated tool for its usage. Upon reaching a maturity

level, MMISS-SME also provides a certiﬁcation fur-

ther rewarding SMEs with tangible advantages. CC-

SMM on the other hand was made to bring together

different US entities and assist them to scale towards a

cyber-ready nation. The CCSMM also provides more

ﬂexibility so that organizations implement more suit-

able approaches to their contexts. CCSMM also pro-

vides a framework evaluating the maturity and efﬁ-

ciency of the implemented approaches.

• Research Question 2: What is the common core

of concepts for these security maturity models?

Secondly, we created the Venn Diagram in Fig 7 to

showcase the common core of concepts as well as the

differences. Evidently, we ﬁnd the evaluated organi-

zation and the capability or maturity model it seeks

to ascertain. We see that the risk management as-

pect uses the same concepts in all 3 security maturity

models such as risk, vulnerability, threat and impact.

We also see that all 3 models are aimed towards com-

plex systems as we see systems composed of differ-

ent objects such as processes or technology as well as

actors and their skills for CCSMM and ISO 21827.

These components are called assets in MMISS-SME

and ISO 21827. Since the evaluation mechanism is

automated in MMISS-SME, we only explicitly see it

in CCSMM and ISO 21827.

A Concept Compliance Study of Security Maturity Models with ISO 21827

389

Figure 7: Security Maturity Model Concept Venn Diagram.

As for the differences, The CCSMM includes the

resources available to the threat agent as well as their

motive. This separation results in a typology of the

scale of the threat in order to treat them differently.

Unstructured threats are the most common and are

dealt with on the daily. structured and highly struc-

tured threats are a higher level of priority as their have

bigger impacts and might need the involvement of

multiple entities. Since each model is structured dif-

ferently, each introduces completely distinct concepts

such as base practices, common features or process

area for ISO 21827 or dominion for MMISS-SME,

CCSMM even measures maturity through exercises.

Finally, the major difference between MMISS-SME,

CCSMM and ISO 21827 is handling the process man-

agement and assurance aspects. We ﬁnd the concept

of a process and its goal, planning, quality require-

ment and performance. ISO 21827 also requires an

assurance argument containing evidence that all as-

surance objectives are met.

• Research Question 3: Are CCSMM and MMISS-

SME compliant with ISO 21827?

Lastly, In terms of compliance of MMISS-SME and

CCSMM with the standard ISO 21827, we will dis-

cuss their requirements and the concepts they in-

volve. First off, the CCSMM does not specify which

processes to implement or what their characteristics

might be. This makes the CCSMM compatible with

most existent approaches including ISO 21827. We

also see a major compatibility in concepts as the dif-

ferences are mostly due to the structure and organiza-

tion of each security maturity model. We have the as-

surance and process management that can be incorpo-

rated in the CCSMM through concepts such as evalu-

ation metric and mechanisms. The rest of the differ-

ences are the different natures of threats. We can de-

duce that CCSMM is compliant with ISO 21827. As

for MMISS-SME, it was created to be a customized

security maturity model with less requirements for

SMEs. It also provides fewer maturity levels based

on controls extracted from ISO 27002. These con-

trols were created to supplement the ISO 27001 stan-

dard that provides requirements for the creation and

maintenance of an ISMS. The requirements of the

ISO 21827 and 27001 differ in their purpose as the

former provides a progressive scale of improvement

while the latter a baseline of requirements for ISMS

management. A study evaluating MMISS-SME and

ISO 21827’s requirements and mapping their levels

could evaluate their compliance.

ICEIS 2020 - 22nd International Conference on Enterprise Information Systems

390

4 DISCUSSION

Each of the models that we studied has a different

context thus having different purposes. CCSMM was

made for a segregated context explaining why it fo-

cuses on collaboration and ﬂexibility. It understands

the changing nature of security where approaches,

frameworks and methods are constantly changing pin-

ning the responsibility of choosing the adequate ap-

proach on the entities themselves. MMISS-SME has

a different added value as it aims to be easy to imple-

ment and maintain for SMEs. The ISO 21827 stan-

dard on the other hand is meant to be an all-inclusive

approach that handles all aspects of security engineer-

ing. It also has the most rigorous update mechanism

while CCSMM does not require one and MMISS-

SME has to keep up with the changes to, inter alia,

ISO 2700.

This difference in intent and context echoes

through the common core of concepts as well. We

see that, ISO 21827 provides more concepts covering

the assurance and process management aspects that

are not addressed in MMISS-SME and CCSMM. We

also see that the concepts that make up the risk man-

agement aspect are almost identical. We can also see

that the missing concepts can be derived from the ex-

isting ones in ISO 21827. We can use this large base

of concepts to model the requirements of any secu-

rity maturity model. Regardless from the differences

in structure, both MMISS-SME and ISO 21827 use

the concept security control while CCSMM does not

provide any at all allowing the adoption of external

ones.

Lastly, we saw that CCSMM supports the imple-

mentation of any approach the entity deems adequate

for their context, thus organizations can implement

the ISO 21827 practices. However, since they have

different evaluation methods and different thresholds

for their maturity levels, they will yield different lev-

els. On the other hand, MMISS-SME consists of re-

quirements that are within the reach of SMEs while

also providing an implementation tool. Further stud-

ies are required to prove the correspondence between

each security maturity model’s levels.

5 CONCLUSION

In this study, we set out to study 2 security matu-

rity models from different contexts and compare their

concepts as well as study their added value and com-

pliance with the ISO 21827 standard. The ISO 21827

or SSECMM standard provides a thorough model en-

compassing all aspects of security engineering. It

thoroughly encompasses all security engineering as-

pects and is compatible with other disciplines. We

have chosen to study the CCSMM a security matu-

rity model adopted by the U.S. government aiding

communities in their quest to be cyber-ready through

collaboration. MMISS-SME, a vetted approach, de-

signed to assist small and medium enterprises to reach

higher maturity level through the use of a tool while

also providing a certiﬁcation per level. We found

that ISO 21827 provides most of the core concepts

needed to model the other 2 security maturity mod-

els.The standards’ concepts could be also extended

to ﬁt speciﬁc contexts or customization through spe-

cialization. That is the case with both CCSMM and

MMISS-SME, their additional concepts are used to

support the nuance in main functions or scope.We saw

that both CCSMM and MMISS-SME were made for

the USA governmental and vital organism structure

and SMEs respectively. Finally, while CCSMM is

compliant with the standard, the correspondence be-

tween MMISS-SME and ISO 21827.

6 FUTURE WORK

Future studies could focus on different security matu-

rity models studying how their requirements can be

expressed and modeled. These studies can rely on

the base concepts provided by ISO 21827 and study

if specialised concepts are needed depending on the

context. This can enable compliance or validation

studies of novel security maturity models with the ex-

isting standard. Modeling security maturity models’

requirements can also help create generic SMM im-

plementation tools. Finally, seeing that security con-

stantly evolves, studies can also concern the security

engineering ontology.

REFERENCES

ANSSI (2009). Publication : Guide relatif

a la maturit

e ssi.

Barclay, C. (2014). Sustainable security advantage in a

changing environment: The cybersecurity capability

maturity model (cm2). Proceedings of the 2014 ITU

kaleidoscope academic conference: Living in a con-

verged world - Impossible without standards?

Barrett, M. P. (2020). Framework for improving critical

infrastructure cybersecurity version 1.1.

Department of Homeland Security (2018). Presidential pol-

icy directive 8: National preparedness.

Humphrey, W. (1988). Characterizing the software process:

a maturity framework. IEEE Software, 5(2):73–79.

ISO (2019a). Iso 21827 : Systems security engineering —

capability maturity model.

A Concept Compliance Study of Security Maturity Models with ISO 21827

391

ISO (2019b). Iso/iec 27001 information security manage-

ment.

Kassou, M. and Kjiri, L. (2012). Soasmm: A novel service

oriented architecture security maturity model. 2012

International Conference on Multimedia Computing

and Systems.

Le, N. T. and Hoang, D. B. (2016). Can maturity mod-

els support cyber security? 2016 IEEE 35th Interna-

tional Performance Computing and Communications

Conference (IPCCC).

Mckinsey (2017). Deployment models: How mature are

your operational practices?

Mettler, T. (2011). Maturity assessment models: a design

science research approach. International Journal of

Society Systems Science, 3(1/2):81.

Rabii A., Assoul S., R. O. (2020). Information & cyber

security maturity models: A systematic literature re-

view.

ReaGuaman, San Feliu, C.-M. S.-G. (2017). Compara-

tive study of cybersecurity capability maturity mod-

els. Communications In Computer And Information

Science, pages 100–113.

Rigon, E. A., Westphall, C. M., Santos, D. R. D., and West-

phall, C. B. (2014). A cyclical evaluation model of

information security maturity. Information Manage-

ment & Computer Security, 22(3):265–278.

Sanchez, L. E., Piattini, M., and Medina, E. F. (2008). Prac-

tical application of a security management maturity

model for smes based on predeﬁned schemas. Pro-

ceedings of the International Conference on Security

and Cryptography.

anchez, Piattini, M. (2007). Mmiss-sme practical develop-

ment: Maturity model for information systems secu-

rity management in smes. Proceedings of the 5th In-

ternational Workshop on Security in Information Sys-

tems.

White, G. (2007). The community cyber security maturity

model. 2007 40th Annual Hawaii International Con-

ference on System Sciences (HICSS07).

ICEIS 2020 - 22nd International Conference on Enterprise Information Systems

392