Process Approach to Information Security Metrics in Finnish Industry and State Institutions

    Research output: Book/ReportBook (author)Scientificpeer-review


    In today's information technology world, there is a growing need for security solutions: information systems are more and more vulnerable because of the increased complexity and interconnection of insecure components and networks. Even though appropriate security approaches can be found, the resulting security level often remains unknown. It is a widely accepted principle that an activity cannot be managed well if it cannot be measured. Information security (IS) metrics offers work as a research field. This thesis focuses on studying the use of IS metrics in certain Finnish industrial companies and state institutions. The objective is to study the state-of-practise and its relation to the literature in the research field. The use of IS metrics is particularly studied from the perspective of processes. The aim is to reveal how development and implementation of the metrics is carried out in the organisations. In addition, the techniques used in implementation and analysis of metrics, as well as their usefulness and future targets are studied. The research consists of a literature study followed by a survey study, and an analytical phase. The survey study is implemented by conducting eight interviews in different industrial corporations and state institutions. The method used is a semi-structured, theme-centred interview. The results are categorised applying suitable classifications found in the literature and analysed using an interpretative analysis method. The survey clearly shows that measuring IS is important, but the benefits of measurements can only be seen when the metrics use is applied as a process, with the experience gained from the use of history data. Technical metrics and risk assessment metrics are commonly used, but there is a need to measure individual expertise as well as to automate and rationalise measurements. Most of the organisations do not use IS metrics as a process. However, there are intentions to implement an IS metrics process, as well as to integrate the IS metrics process into quality and business processes. Legislation, customers and technical development especially affect the future development of IS metrics.
    Original languageEnglish
    Place of PublicationEspoo
    PublisherVTT Technical Research Centre of Finland
    Number of pages96
    ISBN (Electronic)951-38-6407-3
    ISBN (Print)951-38-6406-5
    Publication statusPublished - 2004
    MoE publication typeC1 Separate scientific books

    Publication series

    SeriesVTT Publications


    • information security (IS)
    • security metrics
    • IS metrics
    • security level
    • auditing
    • security processes


    Dive into the research topics of 'Process Approach to Information Security Metrics in Finnish Industry and State Institutions'. Together they form a unique fingerprint.

    Cite this