QUT ePrints

Enterprise information security policy assessment : an extended framework for metrics development utilising the goal-question-metric approach

Corpuz, Maria (2011) Enterprise information security policy assessment : an extended framework for metrics development utilising the goal-question-metric approach. In Proceedings of the 15th World Multi-Conference on Systemics, Cybernetics and Informatics, International Institute of Informatics and Systemics (IIIS), Orlando, FL, pp. 269-274.

Abstract

Effective enterprise information security policy management requires review and assessment activities to ensure information security policies are aligned with business goals and objectives. As security policy management involves the elements of policy development process and the security policy as output, the context for security policy assessment requires goal-based metrics for these two elements. However, the current security management assessment methods only provide checklist types of assessment that are predefined by industry best practices and do not allow for developing specific goal-based metrics. Utilizing theories drawn from literature, this paper proposes the Enterprise Information Security Policy Assessment approach that expands on the Goal-Question-Metric (GQM) approach. The proposed assessment approach is then applied in a case scenario example to illustrate a practical application. It is shown that the proposed framework addresses the requirement for developing assessment metrics and allows for the concurrent undertaking of process-based and product-based assessment. Recommendations for further research activities include the conduct of empirical research to validate the propositions and the practical application of the proposed assessment approach in case studies to provide opportunities to introduce further enhancements to the approach.

Impact and interest:

0 citations in Scopus

Full-text downloads:

606 since deposited on 26 Apr 2012
141 in the past twelve months

ID Code: 49881
Item Type: Conference Paper
Additional Information: Paper as part of Research Thesis by Author/Researcher
Keywords: information security policy, information security management assessment, security policy assessment, security assessment
Subjects: Australian and New Zealand Standard Research Classification > INFORMATION AND COMPUTING SCIENCES (080000) > COMPUTER SOFTWARE (080300) > Computer System Security (080303)
Australian and New Zealand Standard Research Classification > INFORMATION AND COMPUTING SCIENCES (080000) > OTHER INFORMATION AND COMPUTING SCIENCES (089900) > Information and Computing Sciences not elsewhere classified (089999)
Divisions: Past > QUT Faculties & Divisions > Faculty of Science and Technology
Past > Schools > School of Information Technology
Past > Institutes > Information Security Institute
Copyright Owner: Copyright 2011 Maria Corpuz
Deposited On: 26 Apr 2012 15:05
Last Modified: 26 Apr 2012 15:05
