As illustrated in the figure below, IT security assessments consist of the following six steps:
- Establish user need
- Define relevant IT security characteristics
- Transform the relevant IT security characteristics into measurable system properties and effects
- Measure selected properties and effects
- Compute compound values
- Interpret values
It is vital that the assessment starts and ends at the user. Consequently, security assessment methods must be developed, selected, and used with the targeted users of the results in mind. Approaches that take these issues into account will result in improved system comprehension, more generally applicable security tools, better correspondence between needs and solutions, and noticeable gains in system and cost efficiency.