@book{07f566021b014768aa7777bd9d72b263,
title = "Process Approach to Information Security Metrics in Finnish Industry and State Institutions",
abstract = "In today's information technology world, there is a growing need for security solutions: information systems are more and more vulnerable because of the increased complexity and interconnection of insecure components and networks. Even though appropriate security approaches can be found, the resulting security level often remains unknown. It is a widely accepted principle that an activity cannot be managed well if it cannot be measured. Information security (IS) metrics is a research field that addresses this need. This thesis focuses on studying the use of IS metrics in certain Finnish industrial companies and state institutions. The objective is to study the state of practice and its relation to the literature in the research field. The use of IS metrics is particularly studied from the perspective of processes. The aim is to reveal how development and implementation of the metrics is carried out in the organisations. In addition, the techniques used in implementation and analysis of metrics, as well as their usefulness and future targets, are studied. The research consists of a literature study followed by a survey study and an analytical phase. The survey study is implemented by conducting eight interviews in different industrial corporations and state institutions. The method used is a semi-structured, theme-centred interview. The results are categorised applying suitable classifications found in the literature and analysed using an interpretative analysis method. The survey clearly shows that measuring IS is important, but the benefits of measurement can only be seen when metrics use is applied as a process, drawing on the experience gained from historical data. Technical metrics and risk assessment metrics are commonly used, but there is a need to measure individual expertise as well as to automate and rationalise measurements. Most of the organisations do not use IS metrics as a process. 
However, there are intentions to implement an IS metrics process, as well as to integrate the IS metrics process into quality and business processes. Legislation, customers and technical development in particular shape the future development of IS metrics.",
keywords = "information security (IS), security metrics, IS metrics, security level, auditing, security processes",
author = "Anni Sademies",
note = "Project code: E4SU000157 ",
year = "2004",
language = "English",
isbn = "951-38-6406-5",
series = "VTT Publications",
publisher = "VTT Technical Research Centre of Finland",
number = "544",
address = "Finland",
}