Addressing misalignment between information security metrics and business-driven security objectives

Christian Fruehwirth*, Stefan Biffl, Mohamed Tabatabai, Edgar Weippl

*Corresponding author for this work

    Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Scientific › peer-review

    7 Citations (Scopus)


    Companies that approach information security management from a business perspective invest in security metrics to measure the degree to which their security objectives are being met. The decision, however, on which particular security metrics to use is surprisingly often based on an uninformed process and disregards the company's security goals and capabilities. Like a factory owner who buys a new tool without considering which business goals it should support and whether the staff is actually equipped to operate it, introducing metrics without considering security goals and security capabilities can lead to ineffective operation. Practitioners complain in this context that their security metrics are too complex to use, require data that is expensive to gather, or simply measure the wrong thing. Existing frameworks such as the SSE-CMM or the ISO 27000 series provide generic guidance on choosing security objectives and metrics, but lack a method to guide companies in choosing the security metrics that best fit their unique security objectives and capabilities. In response to this problem we present a method with a tool that supports matching security metrics with the objectives and capabilities of a company. Our method helps companies decide which metric best suits their particular context by determining which metric 1.) is efficient to apply using a company's given capabilities and 2.) provides the maximum contribution to the company's security objectives. The method is supported by existing research in the field of value-based software engineering and has been developed based on the established "Quality Function Deployment" (QFD) approach. Initial experiences from applying the method suggest that it improves the selection process of security metrics.
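As an added illustration of the kind of QFD-style matching the abstract describes (this is constructed example code, not the paper's method or tool): objectives carry business weights, each candidate metric is rated for how strongly it contributes to each objective, and a metric whose required data sources exceed the company's current capabilities is treated as not efficient to apply. All objectives, metrics, ratings and capability names are assumptions.

```python
"""QFD-style matching of candidate security metrics to weighted objectives.
Illustrative only: objectives, metrics, ratings and capabilities are constructed."""
from dataclasses import dataclass, field

# Business-driven security objectives with their relative importance (constructed).
OBJECTIVES = {"reduce_breach_impact": 5, "meet_compliance": 3, "shorten_patch_window": 4}

# Data sources the company can actually produce today, i.e. its capabilities (constructed).
CAPABILITIES = {"vuln_scanner", "ticketing", "siem"}

@dataclass
class Metric:
    name: str
    # QFD relationship strength per objective: 0 (none), 1 (weak), 3 (medium), 9 (strong)
    contribution: dict
    # Data sources the metric needs before it can be collected at all
    requires: set = field(default_factory=set)
    # Relative collection effort once the data exists (1 = cheap, 5 = expensive)
    effort: int = 1

def contribution_score(metric: Metric) -> int:
    """Weighted sum of relationship strengths: the QFD 'importance' row."""
    return sum(OBJECTIVES[o] * metric.contribution.get(o, 0) for o in OBJECTIVES)

def is_feasible(metric: Metric, capabilities=CAPABILITIES) -> bool:
    """A metric is only efficient to apply if every data source it needs exists."""
    return metric.requires <= capabilities

def rank_metrics(metrics, capabilities=CAPABILITIES):
    """Return (name, score) for feasible metrics, best contribution per effort first.
    A metric that serves the objectives well but is costly to gather ranks below
    a cheaper metric of similar benefit."""
    ranked = [(m.name, contribution_score(m) / m.effort)
              for m in metrics if is_feasible(m, capabilities)]
    return sorted(ranked, key=lambda t: t[1], reverse=True)

# Constructed candidate metrics; the last one needs a data source the company lacks.
CANDIDATES = [
    Metric("mean_time_to_patch", {"shorten_patch_window": 9, "reduce_breach_impact": 3},
           {"vuln_scanner", "ticketing"}, effort=2),
    Metric("percent_systems_scanned", {"meet_compliance": 9, "shorten_patch_window": 1},
           {"vuln_scanner"}, effort=1),
    Metric("mean_time_to_contain", {"reduce_breach_impact": 9}, {"siem", "ticketing"}, effort=3),
    Metric("phishing_click_rate", {"reduce_breach_impact": 3}, {"awareness_platform"}, effort=2),
]

if __name__ == "__main__":
    for name, score in rank_metrics(CANDIDATES):
        print(f"{name:26s} {score:.1f}")
```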

    Original language: English
    Title of host publication: 6th International Workshop on Security Measurements and Metrics, MetriSec 2010
    Publication status: Published - 2010
    MoE publication type: A4 Article in a conference publication
    Event: International Workshop on Security Measurements and Metrics - Bolzano, Italy
    Duration: 15 Sep 2010 to 15 Sep 2010
    Conference number: 6


    Workshop: International Workshop on Security Measurements and Metrics
    Abbreviated title: MetriSec


    • business-driven ITSM
    • security management
    • security metrics
