A Comprehensive and Comparative Metric for Information Security
Authors
Abstract
Measurement of information security is important for organizations to justify security decisions and investments. Unfortunately, no metrics are available that allow a comprehensive security assessment of an entire organization. Two aspects turned out to be essential for developing such a metric: on the one hand, an appropriate security indicator is required and, on the other hand, a method for combining single security aspects into an overall security measure for the entire organization. This article presents an approach that fulfils both requirements. Besides a comparable indicator, based on the intuitive understanding of security, an approach is proposed for combining single security aspects so that they reflect the organization's security assessment. The presented approach was evaluated on a small university department. It will influence the forthcoming ISO 27004 metrics standard, which aligns with the already existing and well-known ISO 17799.

* Corresponding author: Dr. Falko Dressler, Dept. of Computer Science 7, University of Erlangen, Martensstr. 3, 91058 Erlangen, Germany; Telephone: +49 9131 85-27914, Email: [email protected]

1. Motivation and Objectives

The number and severity of attacks against the IT infrastructure of almost any organization is steadily growing [19]. Additionally, the number of uncovered security threats grows, for example in operating systems. Thus, organizations face growing risk: intruders are able to attack them and might cause enormous damage. As a result, organizations are likely to lose assets and consequently to lose money. In order to avoid such loss, organizations try to secure their systems, and thereby save money, by installing controls. However, the question arises where to invest and, especially, how much. Installing very many controls usually leads to improved security, but also to high costs for installation and maintenance.
Conversely, installing no or too few controls will lead to large security incidents, which in turn can also be very expensive for the organization. Therefore, there is a growing need for an appropriate measure for evaluating the security of an entire organization. Moreover, there is an additional reason to measure an organization's security risks: security risks usually influence the organization's operational risk. Under Basel II [1], the operational risk of an organization has become an important factor in loan granting.
Related articles
Comparative Advantage, Self-sufficiency and Food Security in Iran: Case Study of Wheat Commodity
Food security is a dynamic notion over time and may be affected by various domestic and global factors. Nevertheless, Iranian policy makers treat food security as equivalent to self-sufficiency in agricultural food products, particularly wheat production. However, self-sufficiency can contribute to food security only if it coincides with comparative advantage and sustainable resourc...
Comparing Different Methodologies Used To Ensure the Security of RFID Credit Card: A Comparative Analysis
The use of Radio Frequency Identification (RFID) technology is spreading rapidly across a wide variety of business undertakings. Engineers apply the technology not only in conventional applications, for instance asset or stock tracking, but also in security applications, electronic passports and RFID-embedded cards. However, RFID technology also brings different...
A Mechanism for Detecting and Identifying DoS attack in VANET
VANET (Vehicular Ad-hoc Network), which is a hybrid network (a combination of infrastructure and infrastructure-less networks), is an emergent technology with a promising future as well as great challenges, especially in security. On the other hand, this type of network is very sensitive to safety problems. This paper focuses on a new mechanism for DoS (denial of service) attacks on the physical and ...
Confidential Business Information in Jurisprudence and Iranian law
As a result of the information technology era and the possibility of swift access to information, the protection of Confidential Business Information (CBI) has gained extraordinary importance; however, the CBI concept, and the legal warranty needed to support it thoroughly, is not addressed in Iran within the framework of a specific law. This issue has led to legal problems in trials involving allegations of CBI v...