Evaluating IT security performance with
Institutionen för Data- och Systemvetenskap (Department of Computer and Systems Sciences)
Organizations' growing attention to information security arose from the need
to protect their most valuable assets, and companies started to invest more
in information security. But security, as it always has been, is still seen as
a cost center, because the return on security investments (including the
budget, hiring professionals and education programs) could not be calculated
effectively.
As the saying goes, "An activity cannot be managed if it cannot be measured."
IT security is such an activity: it needs a tool by which it can be measured.
This requirement is driven not only by managerial, but also by financial and
The goal of this master's thesis is to identify the steps that IT security
officers/auditors take to measure IT security performance and the adequacy of
security policies and protocols, by setting up a Metrics Scorecard evaluated
with quantifiable metrics, and so to continuously validate the security level.
I believe that, when preparing the tool, a holistic approach based on systems
science and systems theory helps to understand the security performance goals
and objectives better, by combining all technical, organizational and ethical
assets of information systems.
From this perspective, the objective of the project is to create a vendor-free,
organization-wide tool based on systems theory which will help decision makers
measure and manage security. The research methods also include the OCTAVE
technique for risk management, and the project builds on previous academic
work, best practices and theories that implement quantifiable efficiency,
effectiveness, impact and implementation metrics for IT
I would like to thank everybody who put effort into the preparation of this
thesis and gave their continuous support during the whole project: Job A. Chaula
in the first place, as my adviser, for his ideas, comments and knowledge;