Aggregating Corporate Information Security Maturity Levels of Different Assets

Schmid, M. and Pape, S.

In Privacy and Identity Management. Data for Better Living: AI and Privacy - 14th IFIP WG 9.2, 9.6/11.7, 11.6/SIG 9.2.2 International Summer School, Windisch, Switzerland, August 19-23, 2019, Revised Selected Papers, pages 376-392, Springer Boston, IFIP Advances in Information and Communication Technology, 2019.

Abstract

The General Data Protection Regulation (GDPR) has a great influence not only on data protection but also on information security, especially with regard to Article 32. That article emphasizes the importance of having a process to regularly test, assess and evaluate security. Measuring information security, however, involves overcoming many obstacles. The quality of information security can only be measured indirectly, using metrics and Key Performance Indicators (KPIs), as no gold standard exists. Many studies are concerned with using metrics to get as close as possible to the status of information security, but only a few focus on the comparison of information security metrics. This paper deals with aggregation types of corporate information security maturity levels from different assets, in order to find out how the different aggregation functions affect the results and which conclusions can be drawn from them. The required model has already been developed by the authors and tested for applicability by means of case studies. In order to investigate the significance of the ranking from the comparison of the aggregations in more detail, this paper will try to work out in which way a maturity control should be aggregated in order to serve the company best in improving its security. This result will be helpful for all companies aiming to regularly assess and improve their security as requested by the GDPR. To verify the significance of the results with different sets, real information security data from a large international media and technology company has been used.
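The abstract's central point, that the choice of aggregation function changes which assets look most or least mature, is easy to see on a small constructed data set. The following Python is an added illustration and is not code or data from the paper; the 0 to 5 maturity scale, the control names, the asset names and the four aggregation functions (minimum, arithmetic mean, median, maximum) are all assumptions made here, not the authors' model.

```python
from statistics import mean, median

# Constructed example data (not from the paper): maturity level per
# security control on an assumed 0..5 scale, for three fictitious assets.
ASSETS = {
    "web-shop":  {"patching": 4, "access-control": 4, "logging": 1, "backup": 4},
    "hr-system": {"patching": 3, "access-control": 3, "logging": 3, "backup": 3},
    "data-lake": {"patching": 5, "access-control": 2, "logging": 5, "backup": 5},
}

# Candidate aggregation functions (assumed set; the paper may use others).
AGGREGATORS = {
    "min":    min,      # weakest-link view: one poor control dominates
    "mean":   mean,     # averages out a single weak control
    "median": median,   # ignores outliers in either direction
    "max":    max,      # best-control view: hides weaknesses entirely
}

def aggregate(control_levels, fn):
    """Collapse one asset's per-control maturity levels into a single score."""
    return fn(list(control_levels.values()))

def rank_assets(assets, fn):
    """Return asset names ordered from highest to lowest aggregated score.
    Ties are broken alphabetically so the ranking is deterministic."""
    scores = {name: aggregate(levels, fn) for name, levels in assets.items()}
    return sorted(scores, key=lambda name: (-scores[name], name))

def compare_rankings(assets, aggregators):
    """Ranking of the same assets under every aggregation function, side by side."""
    return {label: rank_assets(assets, fn) for label, fn in aggregators.items()}

def weakest_controls(assets, threshold):
    """Controls whose maturity falls below `threshold`, per asset.
    This is the information that mean/median/max aggregation hides."""
    return {
        name: sorted(c for c, lvl in levels.items() if lvl < threshold)
        for name, levels in assets.items()
    }

if __name__ == "__main__":
    for label, ranking in compare_rankings(ASSETS, AGGREGATORS).items():
        print(f"{label:>6}: {' > '.join(ranking)}")
    print("controls below level 3:", weakest_controls(ASSETS, 3))
```

On this data the uniformly mediocre hr-system ranks first under minimum aggregation but last under mean, median and maximum, while web-shop's single level-1 logging control drops it to the bottom only when the minimum is used. Which view serves a company best is exactly the question the paper examines; the example only shows that the rankings really do diverge.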


Bibtex

@InCollection{SP19ifipsc,
  author    = {Michael Schmid and Sebastian Pape},
  title     = {Aggregating Corporate Information Security Maturity Levels of Different Assets},
  booktitle = {Privacy and Identity Management. Data for Better Living: {AI} and Privacy - 14th {IFIP} {WG} 9.2, 9.6/11.7, 11.6/SIG 9.2.2 International Summer School, Windisch, Switzerland, August 19-23, 2019, Revised Selected Papers},
  publisher = {Springer Boston},
  year      = {2019},
  editor    = {Michael Friedewald and Melek {\"{O}}nen and Eva Lievens and Stephan Krenn and Samuel Fricker},
  number    = {576},
  series    = {IFIP Advances in Information and Communication Technology},
  pages     = {376--392},
  month     = {08},
  doi       = {10.1007/978-3-030-42504-3_24},
  keywords  = {privacy, security, security management},
  url       = {https://link.springer.com/chapter/10.1007/978-3-030-42504-3_24},
}
