TU Berlin

Main document

Literature Database Entry


Steffen Weiß, "Metric for IT-Security of an Organization," Master's Thesis, Department of Computer Science, Friedrich–Alexander University of Erlangen–Nuremberg (FAU), May 2005. (Advisors: Falko Dressler and Oliver Weißmann)


For example Basel II has lead to higher requirements on information technology, but also dependency on information technology has risen. Thus consciousness about security increased and procedures are established to reduce damages and rates of occurrence. However, the problem arises to measure improvement of security if additional controls are installed. But measurement of security was not possible so far. In this diploma thesis, a metric for measurement of security of an organization is established to face this problem. Technical and organizational aspects of a security concept are included. The aim of this thesis is measurement of IT-Security and Information Security of organizations. Measurement must consider the organization as a whole and results must be comparable between organizations. First, a comparable indicator for security is established. It is based on the intuitive understanding of security and defined as '100% - [percentage of lost assets]' As known from risk management, amount of lost assets is assessed in scenarios. A list of abstract scenarios is given for simplification of the organization's assessment. Additionally this list provides more repeatable results. In the first step, this list is adapted to the context of the organization under measurement. In a second step, the likely damage and the likely rate of occurrence of these scenarios is assessed. Indicators measured in the organization (like number of spam-mails) as well as expert knowledge (like knowledge about special threats) and values suggested in the predefined scenarios are used to support the measurement process. Results of single scenarios are quantified. Afterwards results are combined to some different indicators with the help of precisely defined formulas. Results of this calculation allow determining the security status of the whole organization. An evaluation of the metric was conducted on a small unit of a university. Thus it was able to show that the metric is applicable in a real-world assessment. The metric was contributed to the ISO-committee as a suggestion for an according standard. This suggestion was accepted in April 2005. Thus the metric provided will significantly influence this standard.

Quick access

BibTeX BibTeX


Steffen Weiß

BibTeX reference

    author = {Wei{\ss}, Steffen},
    title = {{Metric for IT-Security of an Organization}},
    advisor = {Dressler, Falko and Wei{\ss}mann, Oliver},
    institution = {Department of Computer Science},
    location = {Erlangen, Germany},
    month = {5},
    school = {Friedrich--Alexander University of Erlangen--Nuremberg (FAU)},
    type = {Master's Thesis},
    year = {2005},

Copyright notice

Links to final or draft versions of papers are presented here to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright. In most cases, these works may not be reposted or distributed for commercial purposes without the explicit permission of the copyright holder.

The following applies to all papers listed above that have IEEE copyrights: Personal use of this material is permitted. However, permission to reprint/republish this material for advertising or promotional purposes or for creating new collective works for resale or redistribution to servers or lists, or to reuse any copyrighted component of this work in other works must be obtained from the IEEE.

The following applies to all papers listed above that are in submission to IEEE conference/workshop proceedings or journals: This work has been submitted to the IEEE for possible publication. Copyright may be transferred without notice, after which this version may no longer be accessible.

The following applies to all papers listed above that have ACM copyrights: ACM COPYRIGHT NOTICE. Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, to republish, to post on servers, or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from Publications Dept., ACM, Inc., fax +1 (212) 869-0481, or permissions@acm.org.

The following applies to all SpringerLink papers listed above that have Springer Science+Business Media copyrights: The original publication is available at www.springerlink.com.

This page was automatically generated using BibDB and bib2web.