DOI: 10.1145/2691195.2691275

Security metrics to evaluate organizational IT security

Published: 27 October 2014

Abstract

Organizations have moved their business activity to the Internet and to mobile applications, which makes them more exposed to unexpected and underestimated security risks. This requires organizations to implement adequate security controls and to monitor and evaluate those controls on a regular basis. However, these tasks require strong arguments (in monetary terms) to justify the return on investment in the security controls. In this context, it is crucial for organizations to define metrics that assess the effectiveness of the implemented controls and thereby justify the security investments. This paper presents some reflections on the definition of meaningful metrics for security controls, aimed at delivering actionable information to decision makers for managing their organizational assets and ensuring their day-to-day operations.


Published In

ICEGOV '14: Proceedings of the 8th International Conference on Theory and Practice of Electronic Governance
October 2014
563 pages
ISBN: 9781605586113
DOI: 10.1145/2691195
Publisher

Association for Computing Machinery, New York, NY, United States
Author Tags

1. information security
2. security controls
3. security metrics