A survey of security metrics use in some Finnish organizations

Anni Sademies, Reijo Savola

    Research output: Chapter in Book/Report/Conference proceedingConference article in proceedingsScientificpeer-review


    Information security metrics can be used to resolve the security level in a product, process, system or organization. In this study, the use of information security metrics in certain Finnish organizations is studied by analyzing eight interviews conducted in industrial companies and State institutions. The results of the interviews show that measuring information security is considered important, but the benefits of such measurements can only be seen when the use of metrics is applied as a process, with the experience gained from the use of history data. The problem is often in the utilization of the results. There is a need for standards and tools that enable measuring individual expertise as well as to automate and rationalize the measurements. The most beneficial metrics are quantitative as well as proactive.
    Original languageEnglish
    Title of host publicationIT audit
    Subtitle of host publicationA strategic foundation for corporate governance
    EditorsBrian Cusack
    Publication statusPublished - 2005
    MoE publication typeA4 Article in a conference publication
    EventIT Governance International Conference 2005 - Auckland, New Zealand
    Duration: 14 Nov 200516 Nov 2005


    ConferenceIT Governance International Conference 2005
    Country/TerritoryNew Zealand


    Dive into the research topics of 'A survey of security metrics use in some Finnish organizations'. Together they form a unique fingerprint.

    Cite this