Measuring Information Security: Guidelines to Build Metrics

  • Eberhard von Faber


Measuring information security is a genuine interest of security managers. With metrics they can develop their security organization’s visibility and standing within the enterprise or public authority as a whole. Organizations using information technology need to use security metrics. Despite the clear demands and advantages, security metrics are often poorly developed or ineffective parameters are collected and analysed. This paper describes best practices for the development of security metrics. First attention is drawn to motivation showing both requirements and benefits. The main body of this paper lists things which need to be observed (characteristic of metrics), things which can be measured (how measurements can be conducted) and steps for the development and implementation of metrics (procedures and planning). Analysis and communication is also key when using security metrics. Examples are also given in order to develop a better understanding. The author wants to resume, continue and develop the discussion about a topic which is or increasingly will be a critical factor of success for any security managers in larger organizations.


Risk Management Information Security Security Control Security Incident Security Action 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. ISO/IEC 21827 – Information Technology – Systems Engineering – Capability Maturity Model (SSE-CMM)Google Scholar
  2. ISO/IEC 27001 – Information technology – Security techniques – Information security management systems – RequirementsGoogle Scholar
  3. ISO/IEC 27002 – Information technology – Security techniques – Code of practice for information security managementGoogle Scholar
  4. Draft ISO/IEC 27004 – Information technology – Security techniques – Information security management – MeasurementsGoogle Scholar
  5. Andrew Jaquith: Security metrics: replacing fear, uncertainty, and doubt; Addison Wesley, 2007Google Scholar
  6. NIST Special Publication 800-55 Rev. 1: Performance Measurement Guide for Information SecurityGoogle Scholar
  7. NIST Special Publication 800-53 Rev. 3: Recommended Security Controls for Federal Information Systems and OrganizationsGoogle Scholar
  8. Eberhard von Faber: How Economy and Society affect Enterprise Security Management; in: N. Pohlmann, H. Reimer, W. Schneider (Editors): Securing Electronic Business Processes, Vieweg (2008), p. 77-83Google Scholar
  9. Jeffrey Wheatman: The Do’s and Don’ts of Information Security Metrics; Gartner Research, 21 October 2008Google Scholar
  10. Roberta J. Witty, Chris Brittain and Ant Allan: Justify Identity Management Investment with Metrics; Gartner Research, 23 February 2004Google Scholar

Copyright information

© Vieweg+Teubner | GWV Fachverlage GmbH 2010

Authors and Affiliations

  • Eberhard von Faber
    • 1
  1. 1.Brandenburg University of Applied ScienceBrandenburg

Personalised recommendations