
Metrics-driven information security framework as part of information security management

As part of any Information Security Management System, measuring and reporting information security should be a top priority. However, there are no ready-made models or recommended metrics for how this should be done. The status, success, and posture of information security are in many cases measured and developed based on gut instinct, intuition, and the know-how of the information security team. This paper presents an approach to creating an accurate, metrics-based security reporting model that is tied closely to the security management model used at the company. This will provide top management with relevant and factual data on the information security posture of the company, and give the information security leader tools and methods to elevate the importance of information security as part of the top management agenda.

sans-metrics-driven-information-security-framework-as-part-of-information-security-management (PDF, 0.33MB)

22 Mar 2022
By Kirill Filatov
All papers are copyrighted

No re-posting of papers is permitted
