Abstract
In order to better understand the information security level actually achieved in a product, system or organization, security engineers must be able to obtain measurement input from the objects being secured. This paper studies the use of information security metrics in certain Finnish industrial companies and State institutions, and how that use relates to the literature. The techniques used to implement and analyze metrics, as well as their usefulness and future targets, are examined by analyzing recent interviews conducted in different industrial corporations and State institutions. The interview method is a semi-structured, theme-centered interview. The results are used to analyze how SSE-CMM could be applied by the organizations, and whether the model would be useful in improving the security management practice of measuring the current security level.
The results of the interviews clearly show that measuring information security is considered important, but the benefits of such measurements can only be seen when the use of metrics is applied as a process, with the experience gained from the use of history data. Technical metrics and risk assessment metrics are commonly used, but there is a need to measure individual expertise as well as to automate and rationalize the measurements. Most of the organizations do not use metrics as a process. However, there is intent to introduce an information security metrics process, as well as to integrate the metrics process into quality and business processes. Legislation, customers and technical development in particular affect the future introduction of security metrics.
| Field | Value |
|---|---|
| Original language | English |
| Number of pages | 10 |
| Publication status | Published - 2004 |
| MoE publication type | Not Eligible |
| Event | 5th Annual ISSEA - International Systems Security Engineering Association Conference - Arlington, United States. Duration: 13 Oct 2004 → 15 Oct 2004 |
Conference
| Field | Value |
|---|---|
| Conference | 5th Annual ISSEA - International Systems Security Engineering Association Conference |
| Country/Territory | United States |
| City | Arlington |
| Period | 13/10/04 → 15/10/04 |
Keywords
- information security