SoK

Abstract

Information security metrics are used to measure the effectiveness of information security countermeasures. A large number of metrics and their technical nature creates difficulties when generating reports for the information security management level of an organization. Managers struggle with the usefulness and clarity of the metrics because they are not linked to the security management goals. Also, responsible managers with no technical information security background struggle to understand the metrics. Therefore, this study uses a state-of-the-art literature analysis together with the Goal-Question-Metric approach to investigate linking technical security metrics to management success factors. This study enables the management to design appropriate security reports for their organization and to direct the metrics toward making goal-oriented decisions. Furthermore, the study invites future research by revealing areas in which security metrics do not exist and create new solutions and studies to suggest a standardized information security dashboard.