… security has become critical in almost all business functions since it can ensure that organizations conduct their businesses and deliver services to the public without any fear of threats or sabotage. The push towards securing organizational information has created a need for better metrics for comprehending the actual state of a given organization's security infrastructure (Seddigh et al., 2004). Vaugh, Henning and Siraj (2009, p.9) noted that adopting metrics or measures that reliably depict the information assurance level associated with a given software and hardware system is one of the unresolved problems in the field of security engineering. In this paper, we evaluate whether devising metrics can really work for Information Assurance programs. We also examine whether additional steps are needed to make sure that the metrics we are using are really measuring our IA programs and strategy.
The need for information assurance measures and metrics
The concepts of metrics and measures in regard to information assurance are aimed at making information assurance a system with quantifiable characteristics. This means making IA a concept that can be instrumented or measured (Henning et al., 2008). This approach allows a system's information assurance properties to be analyzed in much the same way as traditional software complexity, productivity measures and test case coverage are analyzed. Information assurance must take into account information security, the quality of services and system availability. These measures and metrics can be treated as performance measures that are used in quantifying the effectiveness of a given organization's information security infrastructure. Chew et al. (2006, p.10) defined performance measures as the indicators, metrics and statistics that are used in gauging the performance of a given program.
Can devising metrics really work?
The answer to this question is no. This is because there is not a single successful metric or measure that can be used to quantify the level of assurance that exists in a given system (Vaugh, Henning and Siraj, 2009, p.9). Vaugh, Henning and Siraj (2009) further report that the problem is far too complicated and the stakeholder community far too diverse. There would certainly be a need for multiple measures, and these measures will need to be updated or refreshed frequently to reflect changes in technology (such as the shift to cloud computing). Using multiple metrics can certainly produce some level of success, but this success can never be quantified per se.
Additional steps to be taken