
tified and validated by [15][16]. Adopting these definitions and findings, the proposed PRM for ISG analysis (cf. Fig. 1) focuses on how the structure of ISG in an organizational environment affects the capability of a process to mitigate vulnerabilities. A high process capability therefore leads to fewer flaws in an organization's security mechanisms, i.e. fewer vulnerabilities that an attacker can exploit.
The qualitative part of the PRM consists of classes, reference slots, attributes and their parents. A total of six classes were identified: OrganizationalUnit, Process, Activity, Artifact, Role, and Actor. The main class in the PRM is OrganizationalUnit, which represents an organization. An organization consists of processes; in our case, processes to mitigate security vulnerabilities. The OrganizationalUnit class therefore has the reference slot ConsistOf, whose range is the class Process. Each Process in turn consists of a set of activities that define the process and that take and create artifacts such as security policies, back-up storage, etc. This is represented by the two classes Activity and Artifact, with an IsapartOf reference slot for the Activity class and an ExistsIn reference slot for the Artifact class. In a PRM, classes can further be specialized through inheritance relationships; classes are related to each other by a subclass relation. For instance, AccessControlProcess is a subclass of Process (AccessControlProcess << Process), and Process is then a superclass of AccessControlProcess. In the PRM this inheritance relationship is represented by an IsakindOf reference slot.
A role (e.g. a security manager) is assigned to a process. This relation is illustrated by the class Role with an IsResponsibleFor/IsAccountableFor reference slot whose range is the class Process. The Role class further has an IsakindOf reference slot, illustrating that there exist several specializations of a role. The SecurityManagerRole is for instance a subclass of the class Role (SecurityManagerRole << Role), and Role is then a superclass of SecurityManagerRole. A role is further a resource in the organization; this relation is represented by the class Role with an IsaResourceIn reference slot whose range is OrganizationalUnit. Finally, an actor fills a role, which is illustrated in the PRM by the class Actor with a FillsA reference slot whose range is Role.
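As an added illustration (not part of the original paper or its tooling), the qualitative structure just described can be encoded as a small relational schema: classes, reference slots with their range classes, and the IsakindOf subclass relation. The value of such an encoding is slot-chain resolution, i.e. following a chain such as Actor.FillsA.IsResponsibleFor to the class it ends in, with slots inherited along the subclass relation; this is what lets an attribute of one class serve as parent of an attribute of another. Class and slot names follow the text; the function names, the assumption that IsapartOf and ExistsIn range over Process, and the structural checks are ours.

```python
# Added example: minimal encoding of the qualitative part of the ISG PRM
# described above. Not the paper's own code; the class/slot names are taken
# from the text, everything else (function names, the assumed Process range
# of IsapartOf and ExistsIn, the validation rules) is an assumption.
from dataclasses import dataclass, field


@dataclass
class PRMSchema:
    classes: set = field(default_factory=set)
    # (domain class, slot name) -> range class
    slots: dict = field(default_factory=dict)
    # subclass -> direct superclass (the IsakindOf relation)
    parents: dict = field(default_factory=dict)

    def add_class(self, name):
        self.classes.add(name)

    def add_slot(self, domain, slot, rng):
        self.slots[(domain, slot)] = rng

    def add_subclass(self, sub, sup):
        # Sub << Sup: Sub inherits every reference slot declared on Sup.
        self.classes.add(sub)
        self.parents[sub] = sup

    def ancestors(self, cls):
        # Walk the IsakindOf chain upwards; stops if a class repeats, so a
        # cyclic declaration cannot loop forever (validate() reports it).
        out = []
        while cls in self.parents and self.parents[cls] not in out:
            cls = self.parents[cls]
            out.append(cls)
        return out

    def is_a(self, cls, sup):
        return cls == sup or sup in self.ancestors(cls)

    def slot_range(self, cls, slot):
        # Look the slot up on the class itself, then on its superclasses.
        for c in [cls] + self.ancestors(cls):
            if (c, slot) in self.slots:
                return self.slots[(c, slot)]
        raise KeyError(f"{cls} has no reference slot {slot}")

    def resolve_chain(self, start, chain):
        # Follow a slot chain (e.g. Actor.FillsA.IsResponsibleFor) and return
        # the class it ends in.
        cls = start
        for slot in chain:
            cls = self.slot_range(cls, slot)
        return cls

    def validate(self):
        # Structural checks: slot domains and ranges are declared classes,
        # and the subclass relation contains no cycle.
        errors = []
        for (dom, slot), rng in self.slots.items():
            if dom not in self.classes:
                errors.append(f"slot {slot} declared on unknown class {dom}")
            if rng not in self.classes:
                errors.append(f"slot {dom}.{slot} ranges over unknown class {rng}")
        for sub in self.parents:
            if sub in self.ancestors(sub):
                errors.append(f"inheritance cycle through {sub}")
        return errors


def build_isg_schema():
    """The six classes and reference slots from the text."""
    s = PRMSchema()
    for c in ("OrganizationalUnit", "Process", "Activity", "Artifact", "Role", "Actor"):
        s.add_class(c)
    s.add_slot("OrganizationalUnit", "ConsistOf", "Process")
    s.add_slot("Activity", "IsapartOf", "Process")   # assumed range
    s.add_slot("Artifact", "ExistsIn", "Process")    # assumed range
    s.add_slot("Role", "IsResponsibleFor", "Process")
    s.add_slot("Role", "IsAccountableFor", "Process")
    s.add_slot("Role", "IsaResourceIn", "OrganizationalUnit")
    s.add_slot("Actor", "FillsA", "Role")
    s.add_subclass("AccessControlProcess", "Process")
    s.add_subclass("SecurityManagerRole", "Role")
    return s


if __name__ == "__main__":
    s = build_isg_schema()
    print(s.validate())  # []
    print(s.resolve_chain("Actor", ["FillsA", "IsResponsibleFor"]))  # Process
    # SecurityManagerRole inherits IsaResourceIn from Role:
    print(s.resolve_chain("SecurityManagerRole", ["IsaResourceIn", "ConsistOf"]))  # Process
```

The second chain shows the point of the IsakindOf relation: SecurityManagerRole declares no slots of its own, yet the chain resolves because IsaResourceIn is inherited from Role.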
Regarding the attributes in the PRM, the process capability attribute is first and foremost influenced by whether formal processes are effectively implemented. Further, the capability of a process is influenced by an organization's security culture, i.e. shared attitudes, values, goals, and practices related to information security. The organization further needs to promote and communicate security awareness, establish security awareness programs, educate employees about security policies, etc. [11][13][14][15][18].
Internal efficiency in terms of the execution of activities, the production of artifacts and the capability of roles has earlier been identified as influencing process capability [3][19]. We therefore include an attribute capturing whether the process is efficiently managed. The effective implementation of security processes in organizations is strongly influenced by organizational factors such as top management support, organizational size, how reliant the organization is on information technology (IT reliance), and environmental uncertainty [15][16][18]. Top management support may take the form of guidance during planning, participation during design or involvement during deployment. Besides the ability to secure adequate resources, top management can also encourage a positive user attitude towards information security. The size of the organization matters, as smaller organizations suffer from a