Measuring the information security level: A survey of practice in Finland

Anni Sademies, Reijo Savola

    Research output: Contribution to conference, Conference article, Scientific, peer-review


    In order to better understand the achieved information security level in a product, system or organization, security engineers must be able to get input from security objects. The use of information security metrics in certain Finnish industrial companies and State institutions, and its relation to the literature is studied. The techniques used in the implementation and analysis of metrics, as well as their usefulness and future targets, are studied. This is done by analyzing recent interviews conducted in different industrial corporations and State institutions. The interview method is a semi-structured, theme-centered interview. The results are used in analyzing how SSE-CMM could be applied by the organizations and whether the model would be useful in improving the security management of measuring the current security level.
    The results of the interviews clearly show that measuring information security is considered important, but the benefits of such measurements can only be seen when the use of metrics is applied as a process, with the experience gained from the use of history data. Technical metrics and risk assessment metrics are commonly used, but there is a need to measure individual expertise as well as to automate and rationalize the measurements. Most of the organizations do not use metrics as a process. However, there is intent to introduce an information security metrics process, as well as to integrate the metrics process into quality and business processes. Legislation, customers and technical development in particular affect the future introduction of security metrics.
    Original language: English
    Number of pages: 10
    Publication status: Published - 2004
    MoE publication type: Not Eligible
    Event: 5th Annual ISSEA - International Systems Security Engineering Association Conference - Arlington, United States
    Duration: 13 Oct 2004 to 15 Oct 2004


    Conference: 5th Annual ISSEA - International Systems Security Engineering Association Conference
    Country/Territory: United States


    • information security

