Security metrics process in organizations

Anni Sademies, Reijo Savola

    Research output: Chapter in Book/Report/Conference proceeding; Conference article in proceedings; Scientific; peer-reviewed

    Abstract

    The use of information security metrics in selected Finnish industrial companies and state institutions, and its relation to the literature, is discussed on the basis of interview studies. The emphasis is on the need for metrics, the relationship of metrics to organizational processes, and the usefulness of metrics and future targets. The interviewees' experiences with metrics are analysed to see how metrics could be put to use in organizations more generally. The interview results show that the benefits of measuring information security become visible only when metrics are used within a defined process and experience is gained from historical data. Organizations need metrics that are repeatable, manageable, objective and comparable, quantifiable and proactive. Systematic process models exist that organizations could adopt. The essential step is the definition of the security objectives against which subsequent measurement results can be compared.
    Original language: English
    Title of host publication: Proceedings of the 2005 KMIS International Conference
    Subtitle of host publication: Information Systems for Ubiquitous Society
    Pages: 444-448
    Publication status: Published - 2005
    MoE publication type: Not Eligible
    Event: KMIS International Conference 2005 - Jeju Island, Korea, Republic of
    Duration: 24 Nov 2005 to 26 Nov 2005

    Conference

    Conference: KMIS International Conference 2005
    Country: Korea, Republic of
    City: Jeju Island
    Period: 24/11/05 to 26/11/05

    Cite this

    Sademies, A., & Savola, R. (2005). Security metrics process in organizations. In Proceedings of the 2005 KMIS International Conference: Information Systems for Ubiquitous Society (pp. 444-448).