Abstract
As organizations have become increasingly reliant on information systems, senior managers are keen to assess the progress of implemented information security strategies. Although the balanced scorecard approach has been suggested for security governance, a critical issue affecting information security practitioners is complexity: there are many standards and frameworks, with duplication and overlaps, to adhere to when organizing the data. Consequently, the article attempts to develop a more inclusive framework for information security governance, a research gap recently identified in the literature. The article maps five governance and control frameworks (COBIT, SABSA, ISG, ITIL, and ISO 27000) to the information security balanced scorecard (InfoSec BSC) to develop a conceptual design of an effective information security performance measurement tool that can be used by senior managers. Using a real-life case application and interviews with a panel of experts, the article identifies IS initiatives and performance measures for each of the mapped objectives derived from the governance and control frameworks, which may provide guidance for practitioners.
Notes
The current version is COBIT 5, which is the leading business framework for governance and management of enterprise IT (ISACA). COBIT 5 builds on the previous versions of COBIT (and on Val IT and Risk IT); without loss of information for this article, we focus on COBIT 4.1. The COBIT 5 goals cascade translates stakeholder needs into specific, actionable and customized goals in the context of enterprise goals, IT-related goals and enabler goals. The enterprise goals have been developed using the BSC dimensions, and the list is not exhaustive (ISACA). COBIT 5 separates IT governance (evaluate stakeholder needs, set direction through prioritization, and monitor performance, compliance, and progress) from IT management (plan, build, run, and monitor activities within the direction set by governance).
We would like to thank the two anonymous reviewers for giving us in-depth feedback on the mappings as well as constructive feedback related to methodology.
References
Ahuja, S., & Chan, Y. E. (2015). IT Security Governance: A Framework based on ISO 38500. In CONF-IRM 2015 Proceedings (Vol. 27, p. 15).
Akowuah, F., Yuan, X., Xu, J., & Wang, H. (2013). A survey of security standards applicable to health information systems. International Journal of Information Security and Privacy (IJISP), 7(4), 22–36. https://doi.org/10.4018/ijisp.2013100103
AlGhamdi, S., Win, K. T., & Vlahu-Gjorgievska, E. (2020). Information security governance challenges and critical success factors: Systematic review. Computers & Security, 99, 102030. https://doi.org/10.1016/j.cose.2020.102030
Atkinson, M. (2004). Measuring the performance of the IT function in the UK health service using a balanced scorecard approach. Electronic Journal of Information Systems Evaluation, 1–10.
Atoum, I., & Otoom, A. (2016). Holistic performance model for cyber security implementation frameworks. International Journal of Security and Its Applications, 10(3), 111–120. https://doi.org/10.14257/ijsia.2016.10.3.10
Au, C. H., & Fung, W. S. L. (2019). Integrating knowledge management into information security: From audit to practice. International Journal of Knowledge Management (IJKM), 15(1), 37–52. https://doi.org/10.4018/IJKM.2019010103
Awadallah, E. A., & Allam, A. (2015). A critique of the balanced scorecard as a performance measurement tool. International Journal of Business and Social Science, 6(7), 91–99.
Bachlechner, D., Thalmann, S., & Maier, R. (2014). Security and compliance challenges in complex IT outsourcing arrangements: A multi-stakeholder perspective. Computers & Security, 40, 38–59. https://doi.org/10.1016/j.cose.2013.11.002
Bailey, E., & Becker, J. D. (2014). A comparison of IT governance and control frameworks in cloud computing (p. 16). Presented at the Twentieth Americas Conference on Information Systems.
Baskerville, R., Spagnoletti, P., & Kim, J. (2014). Incident-centered information security: Managing a strategic balance between prevention and response. Information & Management, 51(1), 138–151. https://doi.org/10.1016/j.im.2013.11.004
Bernik, I., & Prislan, K. (2016). Measuring information security performance with 10 by 10 model for holistic state evaluation. PLoS One, 11(9), 1–33. https://doi.org/10.1371/journal.pone.0163050
Bremser, W. G., & Chung, Q. B. (2005). A framework for performance measurement in the e-business environment. Electronic Commerce Research and Applications, 4(4), 395–412.
British Standards Institute (BSI). (2014). BSI transition guide: Moving from ISO/IEC 27001:2005 to ISO/IEC 27001:2013. https://www.bsigroup.com/LocalFiles/en-GB/iso-iec-27001/resources/BSI-ISO27001-transition-guide-UK-EN-pdf.pdf. Accessed 5 June 2018.
Brotby, K. (2009). Information security governance: A practical development and implementation approach (Vol. 53). John Wiley & Sons.
Butler, J., Henderson, S., & Raiborn, C. (2011). Sustainability and the balanced scorecard: Integrating green measures into business reporting. Management Accounting Quarterly, 12(2), 1–10.
Campara, D., & Mansourov, N. (2008). How to tackle security issues in large existing/legacy systems while maintaining development priorities. In 2008 IEEE Conference on Technologies for Homeland Security (pp. 167–172). Presented at the 2008 IEEE Conference on Technologies for Homeland Security. https://doi.org/10.1109/THS.2008.4534443.
Carcary, M., Renaud, K., McLaughlin, S., & O’Brien, C. (2016). A framework for information security governance and management. IT Professional, 18(2), 22–30. https://doi.org/10.1109/MITP.2016.27
Cartlidge, A., Hanna, A., Rudd, C., Macfarlane, I., Windebank, J., & Rance, S. (2007). An introductory overview of ITIL V3. The IT Service Management Forum (itSMF) Ltd. https://itil.it.utah.edu/itilv3/docs/itSMF_ITILV3_Intro_Overview. Accessed 16 Feb 2022.
Cezar, A., Cavusoglu, H., & Raghunathan, S. (2014). Outsourcing information security: Contracting issues and security implications. Management Science, 60(3), 638–657. https://doi.org/10.1287/mnsc.2013.1763
Chang, K., & Wang, C. (2011). Information systems resources and information security. Information Systems Frontiers, 13(4), 579–593. https://doi.org/10.1007/s10796-010-9232-6
Chen, J. Q., & Benusa, A. (2017). HIPAA security compliance challenges: The case for small healthcare providers. International Journal of Healthcare Management, 10(2), 135–146. https://doi.org/10.1080/20479700.2016.1270875
Chew, E., Swanson, M. M., Stine, K. M., Bartol, N., Brown, A., & Robinson, W. (2008). Performance measurement guide for information security (800–55, Revision 1 ed.pp. 1–40). National Institute of Standards and Technology.
Chun Tie, Y., Birks, M., & Francis, K. (2019). Grounded theory research: A design framework for novice researchers. SAGE Open Medicine, 7, 1–8. https://doi.org/10.1177/2050312118822927
Clinch, J. (2009). ITIL V3 and information security. http://www.trainingcreatively.com/whitepaper/While-Paper-ITI-V3-and-Information-Security.pdf
Culot, G., Nassimbeni, G., Podrecca, M., & Sartor, M. (2021). The ISO/IEC 27001 information security management standard: Literature review and theory-based research agenda. The TQM Journal, 33(7), 76–105. https://doi.org/10.1108/TQM-09-2020-0202
Da Cruz, E., & Labuschagne, L. (2005). A new framework for bridging the gap between IT service management and IT governance from a security perspective (pp. 1–12). Academy of Information Technology at the University of Johannesburg.
Debreceny, R. S., & Gray, G. L. (2013). IT governance and process maturity: A multinational field study. Journal of Information Systems, 27(1), 157–188. https://doi.org/10.2308/isys-50418
Ezhei, M., & Tork Ladani, B. (2020). Interdependency analysis in security investment against strategic attacks. Information Systems Frontiers, 22(1), 187–201. https://doi.org/10.1007/s10796-018-9845-8
Garigue, R., & Stefaniu, M. (2003). Information security governance reporting. Information Systems Security Journal, 12(4), 36–40.
Gashgari, G., Walters, R., & Wills, G. (2017). A proposed best-practice framework for information security governance. In Proceedings of the 2nd International Conference on Internet of Things, Big Data and Security (pp. 295–301). SCITEPRESS - Science and Technology Publications. https://doi.org/10.5220/0006303102950301
Goldman, J. E., & Ahuja, S. (2011). Integration of COBIT, balanced scorecard and SSE-CMM as an organizational & strategic information security management (ISM) framework. In ICT ethics and security in the 21st century: New developments and applications (pp. 277–309). IGI Global.
Gordon, L. A., & Loeb, M. P. (2007). Economic aspects of information security: An emerging field of research. Information Systems Frontiers, 8(5), 335–337. https://doi.org/10.1007/s10796-006-9010-7
Gordon, L. A., Loeb, M. P., & Zhou, L. (2016). Investing in cybersecurity: Insights from the Gordon-Loeb model. Journal of Information Security, 7(2), 49–59. https://doi.org/10.4236/jis.2016.72004
Hamdan, B. J. (2013). Evaluating the performance of information security: A balanced scorecard approach. In SAIS 2013 Proceedings. https://www.aisel.aisnet.org/sais2013/11/
Hasan, S., Ali, M., Kurnia, S., & Thurasamy, R. (2021). Evaluating the cyber security readiness of organizations and its influence on performance. Journal of Information Security and Applications, 58, 102726. https://doi.org/10.1016/j.jisa.2020.102726
Hasan, R., & Chyi, T. (2017). Practical application of balanced scorecard - a literature review. Journal of Strategy and Performance Management, 5, 87–103.
Heidt, M., Gerlach, J. P., & Buxmann, P. (2019). Investigating the security divide between SME and large companies: How SME characteristics influence organizational IT security investments. Information Systems Frontiers, 21(6), 1285–1305. https://doi.org/10.1007/s10796-019-09959-1
Herath, H., Bremser, W., & Birnberg, J. (2019). Team-based employee remuneration: A balanced scorecard group target and weight selection-based bonus allocation. Accounting Research Journal, 32(2), 252–272.
Herath, H., & Herath, T. (2008). Investments in information security: A real options perspective with Bayesian postaudit. Journal of Management Information Systems, 25(3), 337–375. https://doi.org/10.2753/MIS0742-1222250310
Herath, H., & Herath, T. (2014). IT security auditing: A performance evaluation decision model. Decision Support Systems, 57, 54–63. https://doi.org/10.1016/j.dss.2013.07.010
Herath, H., & Herath, T. (2018). Post-audits for managing cyber security investments: Bayesian post-audit using Markov chain Monte Carlo (MCMC) simulation. Journal of Accounting and Public Policy, 37(6), 545–563. https://doi.org/10.1016/j.jaccpubpol.2018.10.005
Herath, T., Herath, H., & Bremser, W. (2010). Balanced scorecard implementation of security strategies: A framework for IT security performance management. Information Systems Management, 27(1), 72–81. https://doi.org/10.1080/10580530903455247
Hohan, A. I., Olaru, M., & Pirnea, I. C. (2015). Assessment and continuous improvement of information security based on TQM and business excellence principles. Procedia Economics and Finance, 32, 352–359. https://doi.org/10.1016/S2212-5671(15)01404-5
Horne, C. A., Maynard, S. B., & Ahmad, A. (2017). Organisational information security strategy: Review, discussion and future research. Australasian Journal of Information Systems, 21, 1–17. https://doi.org/10.3127/ajis.v21i0.1427
Huang, S.-M., Lee, C.-L., & Kao, A.-C. (2006). Balancing performance measures for information security management: A balanced scorecard framework. Industrial Management & Data Systems, 106(2), 242–255. https://doi.org/10.1108/02635570610649880
Ireton, J. (2016). 1.5 million cybersecurity professionals needed globally by 2020, Ottawa conference hears | CBC News. CBC. https://www.cbc.ca/news/canada/ottawa/cybersecurity-talent-shortage-1.3831541. Accessed 19 October 2021.
ISO International Organization for Standardization. (n.d.). ISO/IEC 27001:2013. ISO. https://www.iso.org/standard/54534.html. Accessed 22 October 2020.
IT Governance Institute. (2006). Information security governance: Guidance for boards of directors and executive management. ISACA.
IT Governance Institute (Ed.). (2007). COBIT 4.1: Framework, control objectives, management guidelines, maturity models. IT Governance Institute.
Kaplan, R. S., & Norton, D. P. (1992). The balanced scorecard: Measures that drive performance. Harvard Business Review, 83, 71–79.
Kaplan, R. S., & Norton, D. P. (2005). The balanced scorecard: Measures that drive performance. Harvard Business Review, 83(7), 172.
Keyes, J. (2016). Chapter 4: Aligning IT to organizational strategy. In Implementing the IT balanced scorecard: Aligning IT with corporate strategy (pp. 91–113). Auerbach Publications, Taylor and Francis Group.
Kong, H.-K., Kim, T.-S., & Kim, J. (2012). An analysis on effects of information security investments: A BSC perspective. Journal of Intelligent Manufacturing, 23(4), 941–953.
Krumay, B., Bernroider, E. W. N., & Walser, R. (2018). Evaluation of cybersecurity management controls and metrics of critical infrastructures: A literature review considering the NIST cybersecurity framework. In N. Gruschka (Ed.), Secure IT systems (pp. 369–384). Springer International Publishing. https://doi.org/10.1007/978-3-030-03638-6_23
Kurniawan, E., & Riadi, I. (2018). Security level analysis of academic information systems based on standard ISO 27002:2003 using SSE-CMM. International Journal of Computer Science and Information Security, 16, 139–147. https://doi.org/10.13140/RG.2.2.20925.15840
Kweon, E., Lee, H., Chai, S., & Yoo, K. (2021). The utility of information security training and education on cybersecurity incidents: An empirical evidence. Information Systems Frontiers, 23(2), 361–373. https://doi.org/10.1007/s10796-019-09977-z
Lin, H.-C. K., Chuang, T.-Y., Lin, I.-L., & Chen, H.-Y. (2014). Elucidating the role of IT/IS assessment and resource allocation in IT/IS performance in hospitals. Information & Management, 51(1), 104–112. https://doi.org/10.1016/j.im.2013.09.004
Lombard, M., Snyder-Duch, J., & Bracken, C. C. (2002). Content analysis in mass communication: Assessment and reporting of Intercoder reliability. Human Communication Research, 28(4), 587–604. https://doi.org/10.1111/j.1468-2958.2002.tb00826.x
Malatji, M., Von Solms, S., & Marnewick, A. (2019). Socio-technical systems cybersecurity framework. Information & Computer Security, 27(2), 233–272. https://doi.org/10.1108/ICS-03-2018-0031
Martinsons, M., Davison, R., & Tse, D. (1999). The balanced scorecard: A foundation for the strategic management of information systems. Decision Support Systems, 25(1), 71–88.
Matthiesen, S., & Bjørn, P. (2015). Why Replacing Legacy Systems Is So Hard in Global Software Development: An Information Infrastructure Perspective. In Proceedings of the 18th ACM Conference on Computer Supported Cooperative Work & Social Computing (pp. 876–890). Presented at the CSCW ‘15: Computer Supported Cooperative Work and Social Computing, Vancouver BC Canada: ACM. https://doi.org/10.1145/2675133.2675232.
Maynard, S., Tan, T., Ahmad, A., & Ruighaver, T. (2018). Towards a framework for strategic security context in information security governance. Pacific Asia Journal of the Association for Information Systems, 10(4), 65–88. https://doi.org/10.17705/1pais.10403
McGinn, S. (2017). Universities must take steps to protect against ransomware attacks. University Affairs. https://www.universityaffairs.ca/news/news-article/universities-must-take-steps-protect-ransomware-attacks/. Accessed 19 October 2021.
McHugh, M. L. (2012). Interrater reliability: The kappa statistic. Biochemia Medica, 22(3), 276–282.
McKenzie, L. (2021). Colleges a ‘juicy target’ for cyberextortion. Inside Higher Ed. https://www.insidehighered.com/news/2021/03/19/targeting-colleges-and-other-educational-institutions-proving-be-good-business. Accessed 19 October 2021.
Miaoui, Y., & Boudriga, N. (2019). Enterprise security investment through time when facing different types of vulnerabilities. Information Systems Frontiers, 21(2), 261–300. https://doi.org/10.1007/s10796-017-9745-3
Micheli, P., & Mari, L. (2014). The theory and practice of performance measurement. Management Accounting Research, 25(2), 147–156. https://doi.org/10.1016/j.mar.2013.07.005
MicrosoftTechNet. (2007). Balanced Scorecard for Information Security Introduction | Microsoft Docs. https://technet.microsoft.com/en-us/library/bb821240.aspx. Accessed 22 October 2020.
Mishra, S. (2015). Organizational objectives for information security governance: A value focused assessment. Information & Computer Security, 23(2), 122–144. https://doi.org/10.1108/ICS-02-2014-0016
Nicho, M. (2018). A process model for implementing information systems security governance. Information & Computer Security, 26(1), 10–38. https://doi.org/10.1108/ICS-07-2016-0061
de Oliveira Alves, G. A., da Costa Carmo, L. F. R., & de Almeida, A. C. R. D. (2006). Enterprise security governance: A practical guide to implement and control information security governance (ISG). In 2006 IEEE/IFIP Business Driven IT Management (pp. 71–80). https://doi.org/10.1109/BDIM.2006.1649213
Omoyiola, B. O. (2020). The evolution of information security measurement and testing. IOSR Journal of Computer Engineering, 22(3), 50–54.
Palmer, A. J. (2010). Approach for selecting the most suitable automated personal identification mechanism (ASMSA). Computers & Security, 29(7), 785–806. https://doi.org/10.1016/j.cose.2010.03.002
Patnayakuni, R., & Patnayakuni, N. (2014). Information Security in Value Chains: A Governance Perspective.
Pérez-González, D., Preciado, S. T., & Solana-Gonzalez, P. (2019). Organizational practices as antecedents of the information security management performance: An empirical investigation. Information Technology & People, 32(5), 1262–1275. https://doi.org/10.1108/ITP-06-2018-0261
Pirttimaki, V., & Lonnqvist, A. (2006). The measurement of business intelligence. Information Systems Management, 231, 32–40.
Pirttimäki, V., Lönnqvist, A., & Karjaluoto, A. (2006). Measurement of business intelligence in a Finnish telecommunications company. The Electronic Journal of Knowledge Management, 4(1), 83–90.
PWC IT Consulting Service. (2013). New Release of ISO27001:13 and 27002:13. https://www.pwc.com.cy/en/publications/assets/iso27001-27002-2013.pdf. Accessed 7 May 2018.
Rastogi, R., & von Solms, R. (2005). Information security governance - a re-definition. In P. Dowland, S. Furnell, B. Thuraisingham, & X. S. Wang (Eds.), Security management, integrity, and internal control in information systems (pp. 223–236). Springer US. https://doi.org/10.1007/0-387-31167-X_14
Rosmiati, Riadi, I., & Prayudi, Y. (2016). A maturity level framework for measurement of information security performance. International Journal of Computer Applications, 141, 975–8887. https://doi.org/10.5120/ijca2016907930
Rubino, M., Vitolla, F., & Garzoni, A. (2017). The impact of an IT governance framework on the internal control environment. Records Management Journal, 27(1), 19–41. https://doi.org/10.1108/RMJ-03-2016-0007
Sarker, S., Xiao, X., & Beaulieu, T. (2013). Qualitative studies in information systems: A critical review and some guiding principles. MIS Quarterly, 37(4), iii–xviii.
Savola, R. M. (2013). Quality of security metrics and measurements. Computers & Security, 37, 78–90. https://doi.org/10.1016/j.cose.2013.05.002
Schatz, D., & Bashroush, R. (2017). Economic valuation for information security investment: A systematic literature review. Information Systems Frontiers, 19(5), 1205–1228. https://doi.org/10.1007/s10796-016-9648-8
Schatz, D., & Bashroush, R. (2018). A structural model approach for assessing information security value in organizations. International Journal of Strategic Decision Sciences (IJSDS), 9(4), 47–69. https://doi.org/10.4018/IJSDS.2018100104
Schinagl, S., & Shahim, A. (2020). What do we know about information security governance? “From the basement to the boardroom”: Towards digital security governance. Information & Computer Security, 28(2), 261–292. https://doi.org/10.1108/ICS-02-2019-0033
Sheikhpour, R., & Modiri, N. (2012). An approach to map COBIT processes to ISO/IEC 27001 information security management controls. International Journal of Security and Its Applications, 6(2), 16.
Sherwood, J., Clark, A., & Lynas, D. (1995). Enterprise security architecture. SABSA, White paper, 2009.
Shih-Jen, K. H., & McKay, R. (2002). Balanced scorecard: Two perspectives: Certified public accountant. The CPA Journal, 72(3), 20.
Shivashankarappa, A. N., Smalov, L., Dharmalingam, R., & Anbazhagan, N. (2012). Implementing IT governance using COBIT: A case study focusing on critical success factors. In World Congress on Internet Security (WorldCIS-2012) (pp. 144–149).
Sklavos, N., & Souras, P. (2006). Economic models and approaches in information security for computer networks. International Journal of Network Security, 2(1), 14–20.
von Solms, B. (2005). Information security governance: COBIT or ISO 17799 or both? Computers & Security, 24(2), 99–104. https://doi.org/10.1016/j.cose.2005.02.002
Tallau, L. J., Gupta, M., & Sharman, R. (2010). Information security investment decisions: Evaluating the balanced scorecard method. International Journal of Business Information Systems, 5(1), 34–57.
Telem, M. (1988). Information requirements specification I: Brainstorming collective decision-making approach. Information Processing & Management, 24(5), 549–557. https://doi.org/10.1016/0306-4573(88)90024-6
Tu, C. Z., Yuan, Y., Archer, N., & Connelly, C. E. (2018). Strategic value alignment for information security management: A critical success factor analysis. Information & Computer Security, 26(2), 150–170. https://doi.org/10.1108/ICS-06-2017-0042
Van Grembergen, W., & De Haes, S. (2005). Measuring and improving IT governance through the balanced scorecard. Information Systems Control Journal, 2(1), 35–42.
Veiga, A. D., & Eloff, J. H. (2007). An information security governance framework. Information Systems Management, 24(4), 361–372.
Walsham, G. (2006). Doing interpretive research. European Journal of Information Systems, 15(3), 320–330. https://doi.org/10.1057/palgrave.ejis.3000589
Whitman, M. E., & Mattord, H. J. (2011). Principles of information security. Cengage Learning.
Whitman, M., & Mattord, H. J. (2014). Information security governance for the non-security business executive. Journal of Executive Education, 11(1), 17.
Williams, P. (2006). The role of standards in medical information. Security Management, 415–420.
Williams, P. (2007). Information governance: A model for security in medical practice. Journal of Digital Forensics, Security, and Law. https://doi.org/10.15394/jdfsl.2007.1017
Woudenberg, F. (1991). An evaluation of Delphi. Technological Forecasting and Social Change, 40(2), 131–150.
Wu, Y. A., & Saunders, C. S. (2011). Governing information security: Governance domains and decision rights allocation patterns. Information Resources Management Journal (IRMJ), 24(1), 28–45. https://doi.org/10.4018/irmj.2011010103
Xu, F., Luo, X. R., Zhang, H., Liu, S., & Huang, W. W. (2019). Do strategy and timing in IT security investments matter? An empirical investigation of the alignment effect. Information Systems Frontiers, 21(5), 1069–1083. https://doi.org/10.1007/s10796-017-9807-6
Ethics declarations
Appropriate ethics approval was obtained through Research Ethics Board (REB) at Brock University.
The authors acknowledge generous financial support provided by the Institute for International Issues in Accounting (IIIA). Dr. Teju Herath acknowledges partial research funding from the Social Sciences and Humanities Research Council (SSHRC) of Canada (Grant no: 410–2010-1848). The usual disclaimers apply. The authors would like to acknowledge research support provided by Carla Avard, Dustin Secord, Farook Alyassin, and Hilary Elliott. The authors also thank Daniel Garcia, Michael Tisi, Russ Fisenko, and Andy Morgan for their assistance.
The authors have no other relevant financial or non-financial or competing interests to declare that are relevant to the content of this article.
Appendices
Appendix F: Notes for the Interviewer

A critical task in the measurement process: to assess and quantify what will be measured
- Measurements collected from production statistics depend on the number of systems and the number of users of those systems
- As the number of systems/users changes, the effort to maintain the same level of service will vary

Once you know what to measure
- The how, when, where, and who questions of metrics collection must be addressed

Measurements Development Approach
- Macro-focus measurements: examine the performance of the overall security program
- Micro-focus measurements: examine the performance of an individual control or group of controls within the InfoSec program

Organizations use three types of measurements:
- Those that determine the effectiveness of the execution of the InfoSec policy
- Those that determine the effectiveness and/or efficiency of the delivery of InfoSec services
- Those that assess the impact of an incident or other security event on the organization or its mission

According to NIST, the following factors must be considered during development and implementation of an InfoSec performance management program:
- Measurements must yield quantifiable information (percentages, averages, and numbers)
- Data that supports the measurements needs to be readily obtainable
- Only repeatable InfoSec processes should be considered for management
- Measurements must be useful for tracking performance and directing resources

Before designing, collecting, and using measurements, the CISO should be prepared to answer:
- Why should these measurements be collected?
- What specific measurements will be collected?
- How will these measurements be collected?
- When will these measurements be collected?
- Who will collect these measurements?
- Where (at what point in the function’s process) will these measurements be collected?

Benefits of using InfoSec performance measurements:
- Increasing accountability for InfoSec performance
- Improving effectiveness of InfoSec activities
- Demonstrating compliance with laws, rules, and regulations
- Providing quantifiable inputs for resource allocation decisions
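The interviewer notes above describe a measurement programme in the abstract. The following Python sketch is an added example, not code from the article or its authors, showing one way to put that checklist into a form a CISO's office could actually run: each catalogued measurement carries the why/how/when/who/where answers, is tagged macro- or micro-focus and with one of the three measurement types, is normalised by system or user count so the figure stays comparable as the estate grows, and returns None rather than a misleading 0% or 100% when the supporting data is absent. The measurement names, the Inventory fields and every data point are constructed for illustration; they are not the article's measures.

```python
"""Sketch of an InfoSec performance-measurement catalogue shaped like the
appendix checklist.  Added example, not from the article; every name,
field and data point here is constructed for illustration."""
from dataclasses import dataclass
from enum import Enum
from statistics import mean
from typing import Callable, Dict, List, Optional


class Scope(Enum):
    MACRO = "overall security program"
    MICRO = "individual control or group of controls"


class Kind(Enum):
    POLICY_EXECUTION = "effectiveness of executing the InfoSec policy"
    SERVICE_DELIVERY = "effectiveness/efficiency of InfoSec service delivery"
    INCIDENT_IMPACT = "impact of an incident on the organization or its mission"


@dataclass
class Inventory:
    """Production statistics the measurements draw on (must be readily obtainable)."""
    systems: List[dict]    # {"id": str, "patched_within_sla": bool}
    users: int
    incidents: List[dict]  # {"id": str, "hours_to_contain": float, "user_hours_lost": float}


@dataclass
class Measurement:
    """A measurement plus the why/how/when/who/where answers given before collecting it."""
    name: str
    scope: Scope
    kind: Kind
    why: str
    how: str
    when: str
    who: str
    where: str
    compute: Callable[[Inventory], Optional[float]]


# Measurement functions: quantifiable (percentages, averages, rates) and normalised
# by system or user count, so a growing estate stays comparable period to period.
def pct_patched_within_sla(inv: Inventory) -> Optional[float]:
    if not inv.systems:
        return None  # no denominator: "not measurable", not a misleading 0% or 100%
    return 100.0 * sum(1 for s in inv.systems if s["patched_within_sla"]) / len(inv.systems)


def mean_hours_to_contain(inv: Inventory) -> Optional[float]:
    if not inv.incidents:
        return None
    return mean(i["hours_to_contain"] for i in inv.incidents)


def user_hours_lost_per_100_users(inv: Inventory) -> Optional[float]:
    if inv.users <= 0:
        return None
    return 100.0 * sum(i["user_hours_lost"] for i in inv.incidents) / inv.users


def incidents_per_100_systems(inv: Inventory) -> Optional[float]:
    if not inv.systems:
        return None
    return 100.0 * len(inv.incidents) / len(inv.systems)


CATALOGUE = [  # hypothetical catalogue entries
    Measurement("pct_patched_within_sla", Scope.MICRO, Kind.POLICY_EXECUTION,
                why="tracks execution of the patching policy", how="query CMDB patch status",
                when="monthly", who="vulnerability management lead",
                where="after patch-cycle close", compute=pct_patched_within_sla),
    Measurement("mean_hours_to_contain", Scope.MICRO, Kind.SERVICE_DELIVERY,
                why="efficiency of the incident response service", how="ticket timestamps",
                when="quarterly", who="SOC manager", where="at incident closure",
                compute=mean_hours_to_contain),
    Measurement("user_hours_lost_per_100_users", Scope.MACRO, Kind.INCIDENT_IMPACT,
                why="mission impact of incidents, normalised by headcount",
                how="outage records x affected users", when="quarterly",
                who="service desk", where="post-incident review",
                compute=user_hours_lost_per_100_users),
    Measurement("incidents_per_100_systems", Scope.MACRO, Kind.POLICY_EXECUTION,
                why="overall programme trend, normalised by estate size",
                how="count closed incidents", when="quarterly", who="CISO office",
                where="quarterly governance report", compute=incidents_per_100_systems),
]


def collect(inv: Inventory, catalogue=CATALOGUE) -> Dict[str, Optional[float]]:
    """Evaluate every catalogued measurement, rounded to two decimals for reporting."""
    out: Dict[str, Optional[float]] = {}
    for m in catalogue:
        v = m.compute(inv)
        out[m.name] = None if v is None else round(v, 2)
    return out


def by_scope(inv: Inventory, scope: Scope, catalogue=CATALOGUE) -> Dict[str, Optional[float]]:
    """Macro-focus or micro-focus view of the same catalogue."""
    return collect(inv, [m for m in catalogue if m.scope is scope])


# Constructed sample: 20 systems (every fourth missed its patch SLA), 250 users, 3 incidents.
SAMPLE = Inventory(
    systems=[{"id": f"srv-{n:02d}", "patched_within_sla": n % 4 != 0} for n in range(1, 21)],
    users=250,
    incidents=[
        {"id": "INC-1", "hours_to_contain": 4.0, "user_hours_lost": 120.0},
        {"id": "INC-2", "hours_to_contain": 10.0, "user_hours_lost": 30.0},
        {"id": "INC-3", "hours_to_contain": 1.0, "user_hours_lost": 0.0},
    ],
)

if __name__ == "__main__":
    for scope in Scope:
        print(scope.name, by_scope(SAMPLE, scope))
```

Splitting the catalogue by Scope gives the two reports the notes call for: the micro view for control owners and the macro view for the senior-management scorecard. Returning None for an empty inventory is deliberate; a measurement with no obtainable data should be visibly absent from the report rather than silently recorded as perfect or failing.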
Cite this article
Herath, T.C., Herath, H.S.B. & Cullum, D. An Information Security Performance Measurement Tool for Senior Managers: Balanced Scorecard Integration for Security Governance and Control Frameworks. Inf Syst Front 25, 681–721 (2023). https://doi.org/10.1007/s10796-022-10246-9