Maturity level assessments of information security controls: An empirical analysis of practitioners assessment capabilities
Computers & Security ( IF 5.6 ) Pub Date : 2021-04-24 , DOI: 10.1016/j.cose.2021.102306
Christopher Schmitz , Michael Schmid , David Harborth , Sebastian Pape

Maturity models are a widely used concept for measuring information security. The idea is to systematically evaluate the maturity of security-relevant processes in an organisation. This enables decision-makers to get an overview of the implementation status of relevant processes and to identify neuralgic points. Maturity models thus play a central role in the conception of information security management systems (ISMS). Some industries, for instance the German automotive industry, have even established security maturity levels as the de facto standard for measuring information security. However, the quality of security maturity level assessments has not been sufficiently investigated yet. Therefore, we have analysed to what extent security managers can accurately assess the maturity levels of security controls. To verify the quality of maturity level assessments, a case study was conducted in which security experts assessed a subset of the ISO/IEC 27002 security controls for a hypothetical scenario using the COBIT maturity levels. Additionally, ex-post interviews were conducted with several participants of the study to verify some of the hypotheses developed during the previous analyses. Our results show that many security experts struggled with the task and did not perform well. However, we discovered professional characteristics that have a strong, significant effect on assessment capabilities. We also identified various types of additional support that can help practitioners make more reliable assessments in practice. Moreover, the experts' self-perception was overly optimistic when they were asked to assess their own performance. We even found a weak inverted correlation for more experienced experts, also known as the Dunning-Kruger effect. Our results have a strong impact on practice since they indicate that practitioners need support to carry out high-quality assessments, and they also show what kind of support addresses the identified challenges.
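The study design described above (practitioners rate ISO/IEC 27002 controls on the COBIT 0-5 maturity scale for one scenario, and their ratings and self-perception are compared with a reference) can be made concrete with a small scoring script. The following is an added example, not code from the paper or its authors: the control identifiers follow the ISO/IEC 27002:2013 numbering only as labels, and every reference level, assessor rating and self-estimate is constructed for illustration. It computes per-assessor exact-match accuracy, mean absolute level deviation and the gap between self-estimated and actual accuracy (positive means overconfident), plus the controls on which assessors diverge most, which is where the kind of additional support the abstract mentions would be needed.

```python
"""Score a maturity-level assessment exercise against a reference rating.

Added example (not from the paper). Models the study setup: several assessors
rate a subset of ISO/IEC 27002 controls on the COBIT 0-5 scale for one
scenario, a reference rating exists, and we measure how close each assessor
got and how well their self-perception matches their actual performance.
All control ids, levels, ratings and self-estimates below are constructed.
"""
from dataclasses import dataclass
from statistics import mean

# COBIT 4.1 generic maturity levels (level names as used by the framework).
COBIT_LEVELS = {
    0: "Non-existent",
    1: "Initial / Ad hoc",
    2: "Repeatable but Intuitive",
    3: "Defined Process",
    4: "Managed and Measurable",
    5: "Optimised",
}

# Constructed reference assessment for the scenario (ids are ISO/IEC 27002:2013
# style labels; the levels are invented for this example).
REFERENCE = {
    "A.9.2.1": 2,   # user registration and de-registration
    "A.9.4.3": 3,   # password management system
    "A.12.4.1": 1,  # event logging
    "A.12.6.1": 2,  # management of technical vulnerabilities
    "A.16.1.5": 3,  # response to information security incidents
}


@dataclass
class Assessor:
    name: str
    ratings: dict        # control id -> assessed COBIT level (0..5)
    self_estimate: float  # self-estimated share of controls rated correctly (0..1)


def validate(ratings):
    """Reject ratings for unknown controls or off-scale levels."""
    for cid, level in ratings.items():
        if cid not in REFERENCE:
            raise KeyError(f"unknown control {cid}")
        if level not in COBIT_LEVELS:
            raise ValueError(f"{cid}: level {level} is not on the COBIT 0-5 scale")
    missing = set(REFERENCE) - set(ratings)
    if missing:
        raise ValueError(f"controls not rated: {sorted(missing)}")


def score(assessor):
    """Accuracy, mean absolute deviation and calibration gap for one assessor."""
    validate(assessor.ratings)
    n = len(REFERENCE)
    exact = sum(1 for cid, lvl in assessor.ratings.items() if lvl == REFERENCE[cid])
    mae = mean(abs(lvl - REFERENCE[cid]) for cid, lvl in assessor.ratings.items())
    accuracy = exact / n
    return {
        "accuracy": accuracy,
        "mae": mae,
        # > 0: assessor believes they did better than they did (overconfident)
        "calibration_gap": assessor.self_estimate - accuracy,
    }


def divergent_controls(assessors, spread=2):
    """Controls whose ratings differ by at least `spread` levels across assessors."""
    out = []
    for cid in REFERENCE:
        levels = [a.ratings[cid] for a in assessors]
        if max(levels) - min(levels) >= spread:
            out.append(cid)
    return out


def weakest_control(ratings):
    """The control with the lowest maturity level: the neuralgic point in a min-based view."""
    cid = min(ratings, key=ratings.get)
    return cid, ratings[cid], COBIT_LEVELS[ratings[cid]]


# Constructed assessor data for a worked run.
ASSESSORS = [
    Assessor("alice", {"A.9.2.1": 2, "A.9.4.3": 3, "A.12.4.1": 1, "A.12.6.1": 3, "A.16.1.5": 3}, 0.8),
    Assessor("bob",   {"A.9.2.1": 4, "A.9.4.3": 3, "A.12.4.1": 3, "A.12.6.1": 2, "A.16.1.5": 5}, 0.9),
    Assessor("carol", {"A.9.2.1": 1, "A.9.4.3": 2, "A.12.4.1": 1, "A.12.6.1": 2, "A.16.1.5": 2}, 0.4),
]

if __name__ == "__main__":
    for a in ASSESSORS:
        print(a.name, score(a))
    print("divergent controls:", divergent_controls(ASSESSORS))
    print("weakest control in reference:", weakest_control(REFERENCE))
```

In the constructed run, `bob` rates most controls too high and also overestimates his own accuracy (calibration gap +0.5), while `alice` and `carol` are well calibrated; the three controls with a rating spread of two or more levels are the natural candidates for clearer assessment guidance.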


Updated: 2021-06-04