Title :
A new method for the identification of proactive information security management system metrics
Author :
Hajdarevic, Kemal ; Allen, Peter
Author_Institution :
Fac. of Electr. Eng., Univ. of Sarajevo, Sarajevo, Bosnia-Herzegovina
Abstract :
Information security is a topic of everyday interest, with mainstream media reports revealing information security incidents in many different areas. These reports demonstrate the importance to any organization of having an information security management system (ISMS). Foreseeing potential security risks is usually key to successful risk management. Available information security standards such as the ISO 27000 set of standards give a formal framework for successful information security management in an organisation or company of any size. In this paper we draw on experience gained during a project leading to successful ISO 27001 certification at the Central Bank of Bosnia and Herzegovina in 2009. We review recent work on proactive damage prevention, and we propose a methodology based on the GQM (Goal, Question, Metrics) paradigm for determining proactive steps for the detection and resolution of different information security control violations. To create proactive measurement metrics we use the well-recognised standards ISO 27004:2009 and NIST 800-55. We present several examples of proactive metrics.
Keywords :
ISO standards; bank data processing; computer crime; risk management; software metrics; Central Bank of Bosnia; Central Bank of Herzegovina; GQM paradigm; ISMS; ISO 27000; ISO 27001 certification; ISO 27004:2009; NIST 800-55; cyber crime; cyber warfare; data corruption; data thefts; goal-question-metrics paradigm; information security control violation detection; information security control violation resolution; information security incidents; information security standards; media reports; potential security risks; proactive damage prevention; proactive information security management system metrics; risk management; Availability; ISO standards; Information security; Measurement; Monitoring; NIST;
Conference_Title :
Information & Communication Technology Electronics & Microelectronics (MIPRO), 2013 36th International Convention on
Conference_Location :
Opatija
Print_ISBN :
978-953-233-076-2