Process Approach to Information Security Metrics in Finnish Industry and State Institutions

Anni Sademies

Research output: Book/Report › Book (author)

Abstract

In today's information technology world, there is a growing need for security solutions: information systems are more and more vulnerable because of the increased complexity and interconnection of insecure components and networks. Even though appropriate security approaches can be found, the resulting security level often remains unknown. It is a widely accepted principle that an activity cannot be managed well if it cannot be measured. Information security (IS) metrics, as a research field, still offers much work to be done. This thesis focuses on studying the use of IS metrics in certain Finnish industrial companies and state institutions. The objective is to study the state of practice and its relation to the literature in the research field. The use of IS metrics is studied particularly from the perspective of processes. The aim is to reveal how the development and implementation of the metrics is carried out in the organisations. In addition, the techniques used in the implementation and analysis of metrics, as well as their usefulness and future targets, are studied. The research consists of a literature study followed by a survey study and an analytical phase. The survey study is implemented by conducting eight interviews in different industrial corporations and state institutions. The method used is a semi-structured, theme-centred interview. The results are categorised by applying suitable classifications found in the literature and analysed using an interpretative analysis method. The survey clearly shows that measuring IS is important, but the benefits of measurement can only be seen when metrics are used as a process, drawing on the experience gained from historical data. Technical metrics and risk assessment metrics are commonly used, but there is a need to measure individual expertise as well as to automate and rationalise measurements. Most of the organisations do not use IS metrics as a process.
However, there are intentions to implement an IS metrics process, as well as to integrate the IS metrics process into quality and business processes. Legislation, customers and technical development especially affect the future development of IS metrics.
Original language: English
Place of publication: Espoo
Publisher: VTT Technical Research Centre of Finland
Number of pages: 96
ISBN (Electronic): 951-38-6407-3
ISBN (Print): 951-38-6406-5
Publication status: Published - 2004
MoE publication type: C1 Separate scientific books

Publication series

Series: VTT Publications
Number: 544
ISSN: 1235-0621

Keywords

  • information security (IS)
  • security metrics
  • IS metrics
  • security level
  • auditing
  • security processes

Cite this

Sademies, A. (2004). Process Approach to Information Security Metrics in Finnish Industry and State Institutions. Espoo: VTT Technical Research Centre of Finland. VTT Publications, No. 544
@book{07f566021b014768aa7777bd9d72b263,
title = "Process Approach to Information Security Metrics in Finnish Industry and State Institutions",
abstract = "In today's information technology world, there is a growing need for security solutions: information systems are more and more vulnerable because of the increased complexity and interconnection of insecure components and networks. Even though appropriate security approaches can be found, the resulting security level often remains unknown. It is a widely accepted principle that an activity cannot be managed well if it cannot be measured. Information security (IS) metrics offers work as a research field. This thesis focuses on studying the use of IS metrics in certain Finnish industrial companies and state institutions. The objective is to study the state-of-practise and its relation to the literature in the research field. The use of IS metrics is particularly studied from the perspective of processes. The aim is to reveal how development and implementation of the metrics is carried out in the organisations. In addition, the techniques used in implementation and analysis of metrics, as well as their usefulness and future targets are studied. The research consists of a literature study followed by a survey study, and an analytical phase. The survey study is implemented by conducting eight interviews in different industrial corporations and state institutions. The method used is a semi-structured, theme-centred interview. The results are categorised applying suitable classifications found in the literature and analysed using an interpretative analysis method. The survey clearly shows that measuring IS is important, but the benefits of measurements can only be seen when the metrics use is applied as a process, with the experience gained from the use of history data. Technical metrics and risk assessment metrics are commonly used, but there is a need to measure individual expertise as well as to automate and rationalise measurements. Most of the organisations do not use IS metrics as a process. 
However, there are intentions to implement an IS metrics process, as well as to integrate the IS metrics process into quality and business processes. Legislation, customers and technical development especially affect the future development of IS metrics.",
keywords = "information security (IS), security metrics, IS metrics, security level, auditing, security processes",
author = "Anni Sademies",
note = "Project code: E4SU000157",
year = "2004",
language = "English",
isbn = "951-38-6406-5",
series = "VTT Publications",
publisher = "VTT Technical Research Centre of Finland",
number = "544",
address = "Finland",
}