Aggregating Corporate Information Security Maturity Levels of Different Assets

  • Michael Schmid
  • Sebastian Pape
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 576)


The General Data Protection Regulation (GDPR) has a strong influence not only on data protection but also on information security, especially through Article 32, which stresses the importance of a process for regularly testing, assessing and evaluating security. Measuring information security, however, involves overcoming many obstacles: since no gold standard exists, its quality can only be measured indirectly through metrics and Key Performance Indicators (KPIs). Many studies are concerned with using metrics to get as close as possible to the actual status of information security, but only a few focus on comparing information security metrics. This paper deals with types of aggregation of corporate information security maturity levels across different assets, in order to find out how the different aggregation functions affect the results and which conclusions can be drawn from them. The required model has already been developed by the authors and tested for applicability by means of case studies. To investigate the significance of the ranking that results from comparing the aggregations in more detail, this paper works out how a maturity control should be aggregated in order to best serve the company in improving its security. The result will be helpful for all companies aiming to regularly assess and improve their security as requested by the GDPR. To verify the significance of the results with different data sets, real information security data from a large international media and technology company has been used.
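As an added illustration that is not part of the paper or of the authors' model, the following Python script rolls up constructed per-asset maturity levels of four ISO 27001-style controls with five aggregation functions and compares the resulting improvement-priority rankings. The 0-5 CMM-style scale, the set of aggregation functions, the control and asset names, the asset weights and all level values are assumptions and constructed sample data; the paper's real data set and its aggregation types are not reproduced here.

```python
"""Compare how different aggregation functions change the ranking of security
controls when per-asset maturity levels are rolled up to one corporate level.

Added illustration, not the authors' model. Assumptions (not from the paper):
a 0-5 CMM-style maturity scale, the five aggregation functions below, and the
constructed sample data.
"""
from statistics import mean, median
from typing import Callable, Dict, List

# Constructed sample: maturity level (0-5) of each control on each asset.
MATURITY: Dict[str, Dict[str, int]] = {
    "A.9.2 Access control": {"web-shop": 4, "erp": 4, "cms": 1, "legacy-db": 1},
    "A.12.4 Logging":       {"web-shop": 3, "erp": 3, "cms": 3, "legacy-db": 3},
    "A.12.6 Patch mgmt":    {"web-shop": 5, "erp": 2, "cms": 5, "legacy-db": 0},
    "A.10.1 Cryptography":  {"web-shop": 2, "erp": 3, "cms": 2, "legacy-db": 2},
}

# Assumed business criticality of each asset, used only by the weighted mean.
ASSET_WEIGHT: Dict[str, int] = {"web-shop": 3, "erp": 3, "cms": 1, "legacy-db": 2}


def weighted_mean(levels: Dict[str, int], weights: Dict[str, int] = ASSET_WEIGHT) -> float:
    """Mean of the levels weighted by the criticality of the asset they belong to."""
    total = sum(weights[a] for a in levels)
    return sum(weights[a] * lvl for a, lvl in levels.items()) / total


# Each aggregation maps {asset: level} -> one corporate-level score.
AGGREGATIONS: Dict[str, Callable[[Dict[str, int]], float]] = {
    "min":      lambda d: min(d.values()),           # weakest link decides
    "median":   lambda d: median(list(d.values())),  # robust to single outliers
    "mean":     lambda d: mean(list(d.values())),    # every asset counts equally
    "weighted": weighted_mean,                       # critical assets count more
    "max":      lambda d: max(d.values()),           # best asset decides (optimistic)
}


def aggregate(maturity: Dict[str, Dict[str, int]], func) -> Dict[str, float]:
    """Apply one aggregation function to every control."""
    return {control: float(func(levels)) for control, levels in maturity.items()}


def rank(scores: Dict[str, float]) -> List[str]:
    # Lowest aggregated maturity first, i.e. highest improvement priority;
    # ties are broken by control identifier so the ranking is deterministic.
    return sorted(scores, key=lambda c: (scores[c], c))


def ranking_table(maturity=MATURITY, aggregations=AGGREGATIONS) -> Dict[str, List[str]]:
    """Priority ranking of the controls under each aggregation function."""
    return {name: rank(aggregate(maturity, f)) for name, f in aggregations.items()}


def rank_spread(table: Dict[str, List[str]]) -> Dict[str, int]:
    """Best-minus-worst rank position of each control across all aggregations.
    A large spread means the improvement priority depends on the function chosen."""
    controls = next(iter(table.values()))
    positions = {c: [ranking.index(c) for ranking in table.values()] for c in controls}
    return {c: max(p) - min(p) for c, p in positions.items()}


if __name__ == "__main__":
    table = ranking_table()
    for name, ranking in table.items():
        scores = aggregate(MATURITY, AGGREGATIONS[name])
        print(f"{name:>8}: " + " > ".join(f"{c} ({scores[c]:.2f})" for c in ranking))
    print("rank spread:", rank_spread(table))
```

With this sample data the patch-management control is the top priority under min, because one asset sits at level 0, while mean, median and max rank it last; the weighted mean lands in between. The rank spread singles out exactly those controls whose priority is an artefact of the chosen aggregation rather than of the measurements, which is the check a practitioner should run before presenting a single aggregated maturity figure to management.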


Keywords: Information security · Information security management · ISO 27001 · Aggregation functions · Information security controls · Capability maturity model · Security maturity model · Security metrics framework



Copyright information

© IFIP International Federation for Information Processing 2020

Authors and Affiliations

  1. Chair of Mobile Business & Multilateral Security, Goethe University Frankfurt, Frankfurt, Germany
  2. Hubert Burda Media Holding KG, Munich, Germany
