saucis Sakarya University Journal of Computer and Information Sciences 2636-8129 Sakarya University 10.35377/saucis...1734132 Software Engineering (Other) Yazılım Mühendisliği (Diğer) A Novel Cybersecurity Ethical Maturity Model Based on AHP Method https://orcid.org/0000-0002-1195-2344 Ozarpa Cevat ANKARA MEDİPOL UNIVERSITY https://orcid.org/0000-0001-7032-8018 Avcı İsa KARABUK UNIVERSITY https://orcid.org/0009-0006-7591-4247 Zakrya Khan Yahya KARABUK UNIVERSITY 12 29 2025 8 4 740 761 07 03 2025 11 02 2025 Copyright © 2018, Sakarya University Journal of Computer and Information Sciences 2018 Sakarya University Journal of Computer and Information Sciences

This study uses the Analytic Hierarchy Process (AHP) method to evaluate the importance of ethical values in the cybersecurity profession and to measure ethical maturity. In a study with 37 cybersecurity professionals from Türkiye, 27 ethical values were organized based on international ethical standards, including those of the ACM, IEEE, ISACA, (ISC)², NIST, and the UK Cyber Security Council. The AHP analysis identified Confidentiality and Privacy, Awareness of Responsibility, and Cyber Sovereignty and Independence Ethics as the most vital values, representing 11.98% of the total. Conversely, values such as Transparency, Respect for Cultural Diversity, and Traceability were considered less important. The study also introduced a new Cybersecurity Ethical Maturity Model, outlining ethical development across five stages, and compared this model with selected cyber incidents in Türkiye. It highlights the effect of ethical violations on public trust and offers recommendations for policy and training strategies. Overall, the study contributes a unique, quantitative ethical assessment tool aligned with international standards and provides a strategic framework for fostering a sustainable digital security culture.

 Cybersecurity Cyber Ethical Values Analytic Hierarchy Process (AHP) Ethical Maturity Model Privacy and Confidentiality A. Benlahcene, R. B. Zainuddin, N. Syakiran, and A. B. Ismail, “A narrative review of ethics theories: teleological & deontological ethics,” J. Humanities Soc. Sci. (IOSR-JHSS), vol. 23, no. 1, pp. 31–32, 2018. “Ethical theories: Virtue ethics, utilitarianism, deontology.” Philosophos [Online]. Available: https://www.philosophos.org/ethical-theories-virtue-ethics-utilitarianism-deontology. [Accessed: 2-May-2025]. M. Manjikian, "Cybersecurity Ethics: An Introduction". Routledge, 2017. L. Floridi and M. Taddeo, “What is data ethics?” Philos. Trans. R. Soc. A: Math., Phys. Eng. Sci., vol. 374, no. 2083, Art. no. 20160360, 2016. Association for Computing Machinery, “ACM Code of Ethics and Professional Conduct.” [Online]. Available: https://www.acm.org/code-of-ethics. [Accessed: 2-May-2025]. (ISC)², “Code of Ethics.” [Online]. Available: https://www.isc2.org/Ethics. [Accessed: 5-May-2025]. Information Systems Audit and Control Association (ISACA), “Code of Professional Ethics.” [Online]. Available: https://engage.isaca.org/newenglandchapter/aboutchapter/new-page. [Accessed: 5-May-2025]. National Institute of Standards and Technology, NIST Open Government Plan 2016. Gaithersburg, MD, USA: NIST, 2016. [Online]. Available: https://www.nist.gov/document/formattednistopengovernmentplan2016finalpdf. [Accessed: 7-May-2025]. UK Cyber Security Council, “Ethical principles for individuals.” [Online]. Available: https://www.ukcybersecuritycouncil.org.uk/ethics/ethical-principles-for-individuals/. [Accessed: 12-May-2025]. UK Cyber Security Council, “Ethical declaration.” [Online]. Available: https://www.ukcybersecuritycouncil.org.uk/ethics/ethical-declaration/. [Accessed: 12-May-2025]. EDUNINE 2025, “IEEE policies: Code of Ethics.” [Online]. Available: https://edunine.eu/edunine2025/eng/ieeePolicies.php#codeE. [Accessed: 12-May-2025]. B. Curtis, B. Hefley, and S. Miller, "People Capability Maturity Model (P-CMM), Version 2.0". Pittsburgh, PA, USA: Software Engineering Institute, pp. 1–533, 2009. T. L. Saaty, “A scaling method for priorities in hierarchical structures,” J. Math. Psychol., vol. 15, no. 3, pp. 234–281, 1977. İ. Avcı and M. Koca, “A novel security risk analysis using the AHP method in smart railway systems,” Appl. Sci., vol. 14, no. 10, Art. no. 4243, 2024. A. J. S. Rojas, E. F. P. Valencia, J. Armas-Aguirre, and J. M. M. Molina, “Cybersecurity maturity model for the protection and privacy of personal health data,” in Proc. 2022 IEEE 2nd Int. Conf. Adv. Learning Technol. Educ. & Res. (ICALTER), pp. 1–4, Nov. 2022. A E. David, “An ethical framework for cybersecurity professionals: A grounded theory study,” Ph.D. dissertation, Northcentral Univ., Prescott, AZ, USA, 2022. B. Sadeghi, D. Richards, P. Formosa, M. McEwan, M. H. A. Bajwa, M. Hitchens, and M. Ryan, “Modelling the ethical priorities influencing decision-making in cybersecurity contexts,” Organ. Cybersecurity J.: Pract., Process People, vol. 3, no. 2, pp. 127–149, 2023. N. Sjelin and G. White, “The Community Cyber Security Maturity Model,” in Cyber-Physical Security: Protecting Critical Infrastructure at the State and Local Level, Cham, Switzerland: Springer Int. Publishing, pp. 161–183, 2016. A. M. Rea-Guaman, T. San Feliu, J. A. Calvo-Manzano, and I. D. Sanchez-Garcia, “Comparative study of cybersecurity capability maturity models,” in Proc. 17th Int. Conf. Software Process Improvement and Capability Determination (SPICE), Palma de Mallorca, Spain, Oct. 4–5, pp. 100–113, 2017. SO.org, “ISO/IEC 27001:2022 - Information security, cybersecurity and privacy protection - Information security management systems - Requirements.” [Online]. Available: https://www.iso.org/standard/27001. [Accessed: 18-Oct-2025]. Türk Standardları Enstitüsü (TSE), “TS EN ISO/IEC 27001 Information Security Management System (Management Systems Certification).” [Online]. Available: https://www.tse.org.tr/bilgi-guvenligi-yonetim-sistemi-bgys-belgelendirmesi-ts-iso-iec-27001/. [Accessed: 18-Oct-2025]. T.C. Cumhurbaşkanlığı, “Bilgi ve İletişim Güvenliği Tedbirleri ile İlgili 2019/12 Sayılı Cumhurbaşkanlığı Genelgesi [Presidential Circular No. 2019/12 on Information and Communication Security Measures],” [Online]. Available: https://www.lexpera.com.tr/resmi-gazete/metin/bilgi-ve-iletisim-guvenligi-tedbirleri-ile-ilgili-2019-12-sayili-cumhurbaskanligi-genelgesi-30823-1. [Accessed: 18-Oct-2025]. [in Turkish] T.C. Cumhurbaşkanlığı Dijital Dönüşüm Ofisi, “Bilgi ve İletişim Güvenliği Denetim Rehberi [Information and Communication Security Audit Guide],” [Online]. Available: https://ms.hmb.gov.tr/uploads/2021/12/BG_Denetim_Rehberi-1.pdf. [Accessed: 18-Eki-2025]. [in Turkish] T.C. Ulaştırma ve Altyapı Bakanlığı, “Ulusal Siber Güvenlik Stratejisi ve Eylem Planı 2024-2028 [National Cybersecurity Strategy and Action Plan 2024–2028],” [Online]. Available: https://www.uab.gov.tr/uploads/pages/siber-guvenligin-yol-haritasi-yerli-ve-milli-tekno/ulusal-siber-guvenlik-stratejisi-2024-2028.pdf. [Accessed: 18-Oct-2025]. [in Turkish] P. Formosa, M. Wilson, and D. Richards, “A principlist framework for cybersecurity ethics,” Computers & Security, vol. 109, Art. no. 102382, 2021. I. Flechais and G. Chalhoub, “Practical cybersecurity ethics: mapping CyBOK to ethical concerns,” in Proc. 2023 New Security Paradigms Workshop (NSPW), pp. 62–75, Sep. 2023. M. S. Nasir, H. Khan, A. Qureshi, A. Rafiq, and T. Rasheed, “Ethical aspects in cyber security: Maintaining data integrity and protection: A review,” Spectrum Eng. Sci., vol. 2, no. 3, pp. 420–454, 2024. N. Al-Hashem and A. Saidi, “The psychological aspect of cybersecurity: understanding cyber threat perception and decision-making,” Int. J. Appl. Mach. Learn. Comput. Intell., vol. 13, no. 8, pp. 11–22, 2023. A A. G. Navdeep and V. S. Muskan, “The role of ethics in developing secure cyber-security policies,” Tuijin Jishu J. Propuls. Technol., 2023. S. Bıçakçı, F. D. Ergun, and M. Çelikpala, “Türkiye’de siber güvenlik [Cybersecurity in Türkiye],” Ekonomi ve Dış Politika Araştırma Merkezi (EDAM), Siber Politika Kağıtları Serisi, no. 1, pp. 1–35, 2015. [in Turkish] Anadolu Ajansı, “E-Devlet Kapısı’ndan dijital altyapılarından veri sızıntısı iddialarına ilişkin açıklama [Statement on allegations of data leakage from e-Government Gateway digital infrastructures],” Anadolu Ajansı, 27-Oct-2021. [Online]. Available: https://www.aa.com.tr/tr/gundem/e-devlet-kapisindan-dijital-altyapilarindan-veri-sizintisi-iddialarina-iliskin-aciklama/. [Accessed: May-15-2025]. [in Turkish] Ö. Kutlu and S. Kahraman, “An Analysis of Personal Data Protection Policy in Turkey,” Siyaset, Ekonomi ve Yönetim Araştırmaları Dergisi, vol. 5, no. 4, pp. 45–62, 2017. H. Yeşilyurt, “Cyber Security Risks and Solutions in the Financial Services Sector: Payment Systems and Supply Chain Integrity,” Celal Bayar Univ. Sos. Bilimler Dergisi, vol. 13, no. 2, pp. 97–120, 2015. H. Çakır and M. Taşer, “Evaluation of Cyber Security Activities and Training Studies in Turkey,” Gazi Univ. J. Sci. Part C: Design Technol., pp. 1–1, 2023. İ. Avcı and M. Koca, “Cybersecurity attack detection model using machine-learning techniques,” Acta Polytech. Hung., vol. 20, no. 7, pp. 29–44, 2023. Anadolu Ajansı, “TürkNet’ten siber saldırı açıklaması [TurkNet’s statement on cyberattack],” Anadolu Ajansı, Apr-15-2025. [Online]. Available: https://www.aa.com.tr/tr/bilim-teknoloji/turknetten-siber-saldiri-aciklamasi/3508607. [Accessed: 16-May-2025]. İ. Avcı, “Investigation of cyber-attack methods and measures in smart grids,” Sakarya Univ. J. Sci., vol. 25, no. 4, pp. 1049–1060, 2021. B. Ren, Q. Zhang, J. Ren, S. Ye, and F. Yan, “A novel hybrid approach for water resources carrying capacity assessment by integrating fuzzy comprehensive evaluation and analytical hierarchy process methods with the cloud model,” Water, vol. 12, no. 11, p. 3241, 2020.