Information security governance metrics: a survey and taxonomy

Vaibhav Anu
Journal: Information Security Journal: A Global Perspective
Publication date: 2021-05-16
Publication type: Journal Article
DOI: 10.1080/19393555.2021.1922786 (https://doi.org/10.1080/19393555.2021.1922786)
Citations: 4

Abstract

Information Security Governance (ISG) is now considered a vital component of any organization’s Information Technology (IT) Governance. ISG consists of the processes, organizational structures, and most importantly, the corporate leadership involved in the safeguarding of an organization’s information assets. Hence, the purpose of ISG is to bring information security to the attention of executives such as CEOs and Boards, so that the executives can address the issues of information security and take security-related decisions that lead to outcomes that better align with organizational goals such as value delivery, better performance measurement, business process assurance, and risk management. In order for the corporate leadership to make data-driven decisions, data related to various security metrics are collected and presented in the form of dashboards. The goal of this article is to identify those security metrics that are particularly important from an ISG standpoint. A survey was performed on security literature to identify and categorize ISG metrics. An ISG metrics taxonomy was developed as a result of this study. Security teams can benefit from the ISG metrics taxonomy as, when creating security dashboards, the taxonomy can focus their attention on those specific security metrics that are of most value to the corporate leadership.