Stakeholder Oriented Information Security Reporting

  • Margareth Stoll
Conference paper
Part of the Lecture Notes in Electrical Engineering book series (LNEE, volume 152)


Organizations have to meet a wide variety of enterprise-specific stakeholder, business, standards, legal and regulatory information security requirements. They face a wide range of potential security threats and socio-organizational challenges. To invest security efforts effectively, the collaborators and partners along the whole value chain must be aware of how they contribute to achieving common objectives and compliance. Fragmented approaches scarcely support this. To bridge these gaps, we analyze the different requirements following a design-science approach and present a coherent and systematic stakeholder-oriented information security reporting model. The comprehensive, systemic and structured reporting approach demonstrates the value of information security and supports informed decision making, so that security efforts are invested pro-actively, effectively and efficiently. The stakeholder-oriented focus of security reporting offers new impacts for practice and opens up a wide range of research questions.


Keywords: Information security; Reporting; Objectives; Measurement; Stakeholders; Governance



The research leading to these results was partially funded by the Tyrolean business development agency through the Stiftungsassistenz QE—Lab and the COSEMA project, which is part of the Translational Research program.



Copyright information

© Springer Science+Business Media New York 2013

Authors and Affiliations

  1. University of Innsbruck, Innsbruck, Austria
