Abstract
In today's rapidly evolving digital landscape, organisations face escalating cyber threats that can disrupt operations, compromise sensitive data, and inflict financial and reputational harm. A key reason organisations remain exposed is that they lack a clear understanding of their own cybersecurity capabilities, which leads to ineffective defences. To address this gap, Cybersecurity Capability Maturity Models (CCMMs) provide a systematic approach to assessing and enhancing an organisation's cybersecurity posture by focusing on the maturity of its capabilities rather than merely on the controls it has implemented. However, their limitations, such as rigid structures, a one-size-fits-all approach, complexity, gaps in security scope (i.e., uneven coverage of technological, organisational, and human aspects), and a lack of quantitative metrics, hinder their effectiveness. These limitations make CCMMs difficult to apply across varying organisational contexts and result in fragmented, incomplete assessments. Therefore, we propose a novel Cybersecurity Capability Maturity Framework that is holistic, flexible, and measurable, providing organisations with a more relevant and impactful assessment with which to enhance their cybersecurity posture.