• DocumentCode
    2927369
  • Title

    A Policy-Based Metrics Framework for Information Security Performance Measurement

  • Author

    Martin, Clemens ; Refai, Mustapha

  • Author_Institution
    Univ. of Ontario Inst. of Technol., Oshawa
  • fYear
    2007
  • fDate
    21-21 May 2007
  • Firstpage
    94
  • Lastpage
    101
  • Abstract
    In this article we are proposing a new approach to measure and monitor overall IT security performance. This approach is based on a policy-based framework that establishes a methodology to measure security performance; it also incorporates a policy performance indicator. The framework is composed of a number of interacting components: security policies and procedures model, a business security goal and targets repository, a set of security measurement processes, a metrics development and analysis process, and a central metrics and measurement model. Lastly, a module derives an overall security posture, generates reports, detects trends and develops recommendations. Our approach assists in determining the security posture of an organization, which is becoming a necessity for legal and regulatory compliance.
  • Keywords
    security of data; computer crime; information security performance measurement; policy-based metrics framework; Area measurement; Automatic control; Data security; Gain measurement; Information security; Investments; Law; Legal factors; Monitoring; NIST;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Business-Driven IT Management, 2007. BDIM '07. 2nd IEEE/IFIP International Workshop on
  • Conference_Location
    Munich
  • Print_ISBN
    1-4244-1295-1
  • Type

    conf

  • DOI
    10.1109/BDIM.2007.375016
  • Filename
    4261105