Abstract
Information security metrics can be used to determine the security level of a product, process, system or organization. In this study, the use of information security metrics in certain Finnish organizations is studied by analyzing eight interviews conducted in industrial companies and State institutions. The results of the interviews show that measuring information security is considered important, but the benefits of such measurements can only be seen when metrics are applied as a process, drawing on the experience gained from the use of historical data. The problem often lies in the utilization of the results. There is a need for standards and tools that enable measuring individual expertise as well as automating and rationalizing the measurements. The most beneficial metrics are quantitative as well as proactive.
Original language | English |
---|---|
Title of host publication | IT audit |
Subtitle of host publication | A strategic foundation for corporate governance |
Editors | Brian Cusack |
Pages | 91-98 |
Publication status | Published - 2005 |
MoE publication type | A4 Article in a conference publication |
Event | IT Governance International Conference 2005 - Auckland, New Zealand; Duration: 14 Nov 2005 → 16 Nov 2005 |
Conference
Conference | IT Governance International Conference 2005 |
---|---|
Country/Territory | New Zealand |
City | Auckland |
Period | 14/11/05 → 16/11/05 |