A Stakeholder-Centric Approach for Defining Metrics for Information Security Management Systems

Risks and Security of Internet and Systems (2022)

Abstract
An enterprise comprises information processing systems that help realize its business processes. Automation of these systems is achieved with the help of IT assets like hardware, software and network devices. Assets and their interconnections may contain vulnerabilities, which can be exploited by threats, leading to a breach of the security of information and business processes. Such probable security risks are managed by implementing an Information Security Management System (ISMS). An important aspect of an ISMS is the measurement of the information security posture of the enterprise; this enables the comparison of information security status over time, and provides assurance to stakeholders about the amount of security that exists within the information processing systems. Different stakeholders have separate concerns regarding the security of an Enterprise IT System. This paper attempts to identify all such stakeholders and analyze their security concerns. A set of metrics has been defined that covers all facets of an ISMS and addresses the security concerns of all categories of stakeholders. This would help in the design of an effective and efficient ISMS.
Keywords
Enterprise information security, Enterprise stakeholders, ISMS, Security concern, Security metrics, Security risk