Organisations increasingly face complex cybersecurity threats shaped not only by internal capabilities but also by external regulatory, institutional, and environmental conditions. While existing cybersecurity standards and maturity models provide valuable guidance, they often offer limited support for assessing organisational readiness in a manner that is both context-sensitive and diagnostically meaningful. This paper presents a context-aware cybersecurity readiness assessment framework designed to support organisational evaluation of cybersecurity readiness while explicitly accounting for external environmental influences. The framework adopts a two-tier architecture. Tier 1 assesses organisational awareness of and engagement with the external cybersecurity environment, including national regulatory obligations, institutional support mechanisms, and international collaboration. Tier 2 evaluates internal organisational cybersecurity readiness across governance, operational controls, awareness and culture, and external collaboration practices. The two tiers are designed to operate independently, enabling complementary interpretation without assuming deterministic relationships between external context and internal capability. The framework is developed and evaluated using a Design Science Research approach and is operationalised through a structured assessment instrument and an interpretable scoring model. Empirical validation is conducted across multiple organisational contexts operating in developing and emerging environments, with qualitative case study evidence where available. The results demonstrate that the framework differentiates meaningfully across readiness domains, avoids artificial score inflation or compression, and supports interpretable diagnosis of alignment gaps between external expectations and internal practices. The study contributes a validated assessment artefact that extends cybersecurity awareness research into a broader organisational readiness perspective. From a practical standpoint, the framework provides organisations, policymakers, and researchers with a structured tool to support incremental improvement, informed decision-making, and reflective engagement with both internal cybersecurity practices and external environmental conditions.
Agyemang et al. (Tue,) studied this question.