Title :
Information security metric integrating enterprise objectives
Author :
Karabey, Bugra ; Baykal, Nazife
Author_Institution :
Inf. Inst., Middle East Tech. Univ., Ankara, Turkey
Abstract :
Security is one of the key concerns in the domain of information technology systems. Maintaining the confidentiality, integrity and availability of such systems mandates a rigorous prior analysis of the security risks that confront them. In order to analyze, mitigate and recover from these risks, a metrics-based approach is essential for prioritizing the response strategies against them. In addition, the enterprise objectives must be integrated as a central element in the definition, impact calculation and prioritization phases of this analysis, so as to produce metrics that are useful to both the technical and the managerial communities within an organization. The inclusion of enterprise objectives in the identification of information assets also acts as a preliminary filter to overcome the real-life scalability issues inherent in such threat modeling efforts. Within this study, an attack tree based approach is utilized to offer an information security risk metric that integrates the enterprise objectives with the information asset vulnerabilities within an organization. In the essential step of enterprise resource identification, the resource-based view of the company is utilized.
Keywords :
information technology; risk analysis; security of data; enterprise objective; information security metric; information technology system; risk metric; Availability; Companies; Information filtering; Information filters; Information management; Information security; Information technology; Risk analysis; Risk management; Scalability; Information security; attack trees; enterprise objectives; resource based view; risk metrics;
Conference_Titel :
Security Technology, 2009. 43rd Annual 2009 International Carnahan Conference on
Conference_Location :
Zurich
Print_ISBN :
978-1-4244-4169-3
Electronic_ISBN :
978-1-4244-4170-9
DOI :
10.1109/CCST.2009.5335549