Abstract
Measuring the performance of information security is an essential part of the information security management system within organisations. Studies in the past mainly focused on establishing qualitative measurement approaches. Since these can lead to ambiguous conclusions, quantitative metrics are being increasingly proposed as a useful alternative. Nevertheless, the literature on quantitative approaches remains scarce. Thus, studies on the evaluation of information security performance are challenging, especially since many approaches are not tested in organisational settings. The paper aims to validate the model used for evaluating the performance of information security management system through a multidimensional socio-technical approach, in a real-world settings among medium-sized enterprises in Slovenia. The results indicate that information security is strategically defined and compliant, however, measures are primarily implemented at technical and operational levels, while its strategic management remains underdeveloped. We found that the biggest issues are related to information resources and risk management, where information security measurement-related activities proved to be particularly problematic. Even though enterprises do possess certain information security capabilities and are aware of the importance of information security, their current practices make it difficult for them to keep up with the fast-paced technological and security trends.
Highlights
An effective information security management system (ISMS) can minimise business risks, maximise return on investments, facilitate business opportunities, support legal compliance, and boost commercial image and competitive edge of organisations [1, 2]
Since our study focuses on the second type of approaches described above, frameworks that provide an assessment of the information security management capabilities are reviewed in the following [29] presented a framework for the assessment of Information Security Governance and Management (ISGM) maturity, consisting of six building blocks
Items were combined into the corresponding factors, which reflect a degree of development of an individual information security (ISec) area
Summary
An effective information security management system (ISMS) can minimise business risks, maximise return on investments, facilitate business opportunities, support legal compliance, and boost commercial image and competitive edge of organisations [1, 2]. To ensure a successful protection of information assets and a stable information security management (ISM), organisations must perform a security assessment, analyse their information system processes and develop ISM [3,4,5,6]. The performance of the ISMS must be continuously monitored and analysed. Appropriate preventive and/or corrective actions should be taken [1].
Sign-in/Register to view highlights & summary Sign-in/Register to access full text options 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a call
