Information security metrics based on organizational models


  • Jonas Hallberg
  • Kristoffer Lundholm

Publish date: 2009-10-27

Report number: FOI-R--2823--SE

Pages: 67

Written in: English


  • Information security
  • Information system
  • Organizational model
  • Security metric


It has proved difficult for organizations, including government agencies, to reach adequate levels of information security, as illustrated by a report from the Swedish National Audit Office published in 2007 (RiR, Swedish National Audit Office 2007). The COntrolled INformation Security (COINS) research project, of which this report is an intermediate result, aims to support Swedish government agencies in reaching higher levels of information security. The report studies a Swedish agency by creating two different types of models. The input to these models was taken partly from the agency's intended information security program, as described in its documents, and partly from the agency's actual security work, captured through interviews with security personnel. For comparison, the same two types of models were also created from the controls listed in Annex A of ISO/IEC 27001. The models show that many interactions within the agency involve entities that are very broadly defined, e.g. "agency personnel". With such entities in the organizational model it is hard to assign responsibility for the actions connected to these interactions. The models also show that the relative focus of the agency's intentions corresponds well with the relative focus of the ISO standard, while the relative focus of the actual work differs from both the standard and the intentions. This difference is, however, believed to stem from the focus of the questions asked in the interviews rather than from inconsistencies between the documented procedures and the actual work.