“A DESIGN JOURNEY OF DEVELOPING A CYBERSECURITY READINESS ASSESSMENT TOOL (CRAT): A DESIGN SCIENCE RESEARCH (DSR) APPROACH”
Date: 5th Jun 2023
Time: 11:00 AM
Venue: DOMS Seminar Room No. 110 / Webex link
Details
In recent years, the frequency of malicious threat actors targeting individuals, governments, and business organizations has increased significantly. Cyber threats such as ransomware, Denial of Service (DoS) attacks, zero-day exploits, and phishing attacks pose a serious risk to the security, operations, and finances of organizations worldwide. Consequently, decision makers face the challenge of determining the level of preparedness required to counter potential cyber-attacks in the digital ecosystem. To assess the cybersecurity posture of an organization, we developed a Cybersecurity Readiness Assessment Tool (CRAT) for our research study.
This research describes the design journey of the Cybersecurity Readiness Assessment Tool (CRAT) from a Design Science Research (DSR) perspective. Designing software is complex and requires going beyond fulfilling pre-defined objectives, involving multiple iterations to evolve the final design. As the system is implemented, researchers encounter unexplored questions and opportunities. Thus, we elaborate on the software design journey of CRAT by deriving design principles through each iteration, allowing continuous refinement and evaluation. The research investigates how the iterative nature of the development process allows for exploring new ideas and integrating frameworks for guiding development through the lens of DSR. It highlights the interplay between DSR, design principles, and the approach to the software development process of CRAT, fostering continuous discovery and improvement and enabling further adjustments and explorations.
Throughout the design and development of the tool, various MCDM (Multi-Criteria Decision Making) methods were experimented with, and the prototype of CRAT was created using the General Readiness Assessment Framework for Technology Adoption (GRAFTA).
The results from each iteration were evaluated, leading to the discovery of design principles for developing the tool. These principles were derived from the insights gained during the development process. The primary contribution of this research lies in the process followed to develop the prototype tool using the DSR methodology, while incorporating MCDM, GRAFTA, and digital nudging. Additionally, recommendations are provided for practitioners on adopting design principles for creating readiness assessment tools.
The combination of the DSR methodology and GRAFTA offered a structured approach to designing and developing CRAT, ensuring its comprehensiveness, effectiveness, and usability. The iterative development process, guided by the FEDS framework, facilitated continuous refinement and improvement of the tool throughout its development. By aligning the stages of GRAFTA with the DSR methodology, CRAT addresses the complex problem of cybersecurity readiness assessment in a comprehensive and effective manner. This approach underscores the importance of maintaining rigor and relevance throughout the research and development process of CRAT, and demonstrates the value of the DSR methodology in designing and developing innovative artifacts to tackle complex and practical problems related to cybersecurity readiness in an organizational context.
Speakers
Mr. ABHISHEK SHARMA, Roll no. MS19D003
DEPARTMENT OF MANAGEMENT STUDIES