

TITLE OF RESEARCH PROJECT
Security Metrics - Enumeration of QoP for Information Assurance of IT Systems

NAME OF RESEARCHER
Mark Gerschefske, Sr, CISSP, IAM, IEM

UNIVERSITY:
Colorado Technical University
USA

TARGET AUDIENCE
IT Security Practitioners

HOW TO PARTICIPATE
The web survey can be accessed at:
http://www.surveymonkey.com/s.aspx?sm=NZzgbWV2KIXZIWb0d5ze6Q_3d_3d

CLOSING DATE FOR RESPONSE
31 December 2008

DESCRIPTION OF RESEARCH:
The purpose of this research is to develop metrics that enable the measurement of Quality of Protection (QoP) for IA systems. The focus is on using standard measurements to provide metrics that trend the organizational security posture of the IA of IT systems. The research supports a theoretical model that shows a relationship between industry standards and organizational performance goals. The model will be validated and the hypotheses tested by surveying security practitioners:

  • H0—The state of the industry lacks the ability to enumerate QoP metrics to quantify the security posture of an organizational information assurance program.
  • H1—An enumerated QoP metric can be developed that quantifies the security posture.
  • H2—The QoP metric approach can be applied across like industry sectors.

Prior work has been done in this field by the SSE-CMM (Kormaos C., et al) and NIST special publications (SP) 800-53, SP 800-55, and SP 800-80. This work is intended to build on what has already been published and to provide an agreed approach to how metrics can be built from existing policies, procedures, and industry standards. Through the use of a carefully reviewed test instrument, this study will collect data from security practitioners dispersed globally across all lines of business.

Data collection for this research is based on a globally administered test instrument that will gather responses within the scope of the survey. By offering the survey through ISACA, it is hoped that it will reach a cross section of the security industry and provide representation across all industry segments. Through the use of demographic questions it should be possible to determine the industry spread and geographic distribution of the survey participants.

The findings of this research will provide guidelines on how metrics can be structured to provide a security ranking across IT organizations on how well they are meeting corporate and regulatory mandates. This research will complete my dissertation requirements for my Doctorate and will provide the basis for future papers on metrics and QoP in assessing an organization's security posture.

SURVEY RESULTS:
Survey results will be made available to participants who provide an e-mail address at the time of taking the survey. The results will be available when the dissertation and article are published in early 2009.

FOR MORE INFORMATION:
Please contact Mark Gerschefske at Mark.Gerschefske@verizonbusiness.com or phone +1.719.535.6099

© 2008 ISACA All rights reserved.