Title: Security metrics to evaluate organizational IT security
Authors: T. Pereira, Henrique M. Dinis Santos
DOI: 10.1145/2691195.2691275 (https://doi.org/10.1145/2691195.2691275)
Venue: Proceedings of the 8th International Conference on Theory and Practice of Electronic Governance
Publication date: 2014-10-27
Citations: 5
Abstract
Organizations have moved their business activity to the Internet and mobile applications, which makes them more exposed to unexpected and underestimated security risks. This fact requires organizations to implement adequate security controls, together with regular monitoring and evaluation of those controls. However, these tasks require strong arguments (in monetary terms) to justify the return on investment in the security controls. In this context, it is crucial for organizations to define metrics that assess the efficiency of the implemented controls, so as to justify the security investments. This paper highlights some reflections regarding the definition of meaningful metrics for security controls, to deliver actionable information to decision makers for managing their organizational assets and ensuring their day-to-day operations.