Michael Matthias Naumann, Stelian Mircea Olaru, Georg Sven Lampe, Fabian Pitz


In times of increasing digitalization of business processes, information security has become relevant for every industry. In response, normative standards such as ISO/IEC 27001:2022 have been established to define requirements and to assess the conformity of management systems at regular intervals. However, practice shows that companies often fulfil these requirements only at a minimum level and lack a real overview of their security level and of the impact of existing risks. This paper evaluates how decision makers in companies currently interpret their security level using metrics. In this context, the relationship between those metrics and the effectiveness and conformity of their information security measures is shown and analyzed. Furthermore, a selection of the most commonly used practices and frameworks for measuring and certifying information security management systems is analyzed. The results of this research show that there is a need for an overall security perspective and include a proposal for how a structured approach should be defined.


information security risks; key performance indicators; maturity level; metrics; security management systems



This work is licensed under a Creative Commons Attribution 3.0 License.