An Algorithm Design to Evaluate the Security Level of an Information System

  • Sunil Thalia
  • Asma Tuteja
  • Maitreyee Dutta
Part of the Communications in Computer and Information Science book series (CCIS, volume 142)


Measuring the security of an Information System has become a critical issue in the era of Information Technology. As with any other process, security cannot be improved if it cannot be measured. Security metrics are therefore needed to assess the current security status. Since all systems and organizations are different, there is no single set of metrics that is generally applicable. This paper presents an algorithm to develop the necessary security metrics for assessing an information system in a structured way, and a quantitative evaluation model with qualitative decisions based on the Analytic Hierarchy Process (AHP) to measure the security level of the Information System. Finally, a test case is given to illustrate the algorithm and the effectiveness of this model.


Keywords: Information system; Security metrics; Analytic hierarchy process
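As an added illustration, not taken from the paper: the AHP step of such a model, computed for three assumed criteria (access control, patch management, logging and monitoring) with constructed pairwise judgements on Saaty's 1–9 scale. Priority weights come from the principal eigenvector of the comparison matrix, and the consistency ratio checks that the judgements are coherent before the weighted security level is trusted.

```python
# Added example, not the paper's own code: AHP-style weighting of security
# criteria with a consistency check, then a weighted security level.
RI = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12,      # Saaty's random index
      6: 1.24, 7: 1.32, 8: 1.41, 9: 1.45, 10: 1.49}

# Constructed (hypothetical) criteria and pairwise judgements on Saaty's 1-9 scale.
CRITERIA = ["access control", "patch management", "logging and monitoring"]
PAIRWISE = [[1.0, 3.0, 5.0],
            [1 / 3, 1.0, 3.0],
            [1 / 5, 1 / 3, 1.0]]
SCORES = [0.9, 0.6, 0.4]           # constructed per-criterion scores, 0..1

def ahp_weights(matrix, iterations=200):
    """Priority weights: principal eigenvector by power iteration, normalised to sum 1."""
    n = len(matrix)
    w = [1.0 / n] * n
    for _ in range(iterations):
        aw = [sum(matrix[i][j] * w[j] for j in range(n)) for i in range(n)]
        total = sum(aw)
        w = [x / total for x in aw]
    return w

def consistency_ratio(matrix, weights):
    """CR = CI / RI; judgements are conventionally accepted when CR < 0.1."""
    n = len(matrix)
    if n <= 2:
        return 0.0                 # a 2x2 reciprocal matrix is always consistent
    aw = [sum(matrix[i][j] * weights[j] for j in range(n)) for i in range(n)]
    lam_max = sum(aw[i] / weights[i] for i in range(n)) / n
    ci = (lam_max - n) / (n - 1)
    return ci / RI[n]

def security_level(weights, scores):
    """Weighted sum of per-criterion scores: the aggregate security level."""
    return sum(w * s for w, s in zip(weights, scores))

def evaluate(matrix=PAIRWISE, scores=SCORES):
    """Return (weights, CR, level); level is None when judgements are inconsistent."""
    w = ahp_weights(matrix)
    cr = consistency_ratio(matrix, w)
    level = security_level(w, scores) if cr < 0.1 else None
    return w, cr, level

if __name__ == "__main__":
    weights, cr, level = evaluate()
    for name, w in zip(CRITERIA, weights):
        print(f"{name:24s} weight={w:.3f}")
    print(f"consistency ratio={cr:.3f} security level={level}")
```

A matrix whose judgements contradict each other (A preferred to B, B to C, C to A) yields a consistency ratio well above 0.1 and the model withholds a level rather than reporting a misleading number.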





Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Sunil Thalia (1)
  • Asma Tuteja (2)
  • Maitreyee Dutta (1)
  1. NITTTR, India
  2. MITS University, India
