CSFs and KPIs constituting the model.

Critical success factors (numbered) with their key performance indicators (lettered)

1. Physical information security controls
   1.a Fire, voltage and flood protection of buildings and premises
   1.b Adequate installation and management of communication and power networks
   1.c Support systems for critical services—power supply, cooling, communication
   1.d Control of third-party access to buildings and premises
   1.e Control of employee access to buildings and premises
   1.f Adequate installation and physical protection of hardware
   1.g Regular maintenance of hardware
   1.h Protection of ICT located outside the organization's premises (MDM systems)
   1.i Adequate building architecture and security plans in place—defined security areas
   1.j Protection of buildings and premises against break-ins and wiretapping

2. Technical and logical security controls
   2.a Malware protection
   2.b Logical security of programs, systems and databases—identification/authorization
   2.c Technical protection of local networks (LAN) and network devices
   2.d Technical measures aimed at protecting information during storage
   2.e Technical measures aimed at protecting communications and information during transfer
   2.f Access control—log management, activity monitoring
   2.g Adequate system capabilities and capacities for information processing—system reliability
   2.h Standardization of workstations
   2.i Change management—analysis of the impact that technology changes have on existing systems
   2.j Regular (automated) security updates of software and systems

3. Information resources management
   3.a Security categorization of information
   3.b Defined administrative and other responsibilities related to information management
   3.c User guidelines for handling information
   3.d Implementation of the "need-to-know" principle
   3.e Control over the exercise of administrator and system rights
   3.f Definition and protection of the organization's intellectual property
   3.g Definition and protection of personal data
   3.h Provision of data processing traceability—audit trails
   3.i Adequate deletion of data and destruction of equipment and physical documentation
   3.j Information archiving and back-ups

4. Employee management
   4.a Raising employees' awareness of information risks and policies
   4.b Defined responsibilities related to the use of confidential systems and data
   4.c Defined disciplinary proceedings, sanctions and infringement proceedings
   4.d User rights management throughout employment—before, during and after employment
   4.e Security vetting of employees
   4.f Employee agreements and declarations concerning the protection of confidentiality
   4.g Provision of technical and consultative support to employees
   4.h Defined remote access and teleworking procedures
   4.i Protection of employee rights during information security control procedures—protection of privacy
   4.j Professional training of security and technical personnel

5. Information risk management and incident handling
   5.a Business continuity plan and policy
   5.b Automated early warning systems—IDS, IPS, SIEM
   5.c Defined procedures for reporting and handling detected irregularities
   5.d Crisis management—plans for responding to critical security risks
   5.e An alternative location (i.e. a hot site) for the most important parts of the information systems
   5.f Incident monitoring, recording and analysis—experiential learning
   5.g Forensic procedures and evidence gathering for incident investigations
   5.h Information risk management—analysis and evaluation
   5.i Analysis of the impact of former information incidents on business operations—damage assessment
   5.j Assessment of the efficiency of existing security controls—performance measurement

6. Organizational culture and top management support
   6.a Ethical, socially responsible and transparent security management
   6.b Pursuing the principle of efficiency in information security—economy/cost optimization
   6.c Good relations and constructive debate on security controls between organizational departments
   6.d Inclusion of information security in the planning of organizational projects and changes
   6.e Leadership familiarity with security needs—open communication channels
   6.f Users' general satisfaction and confidence with respect to information security
   6.g The organization's innovativeness, excellence and continuous development in the field of IT
   6.h Adequate staffing and financial support for information security
   6.i Clearly defined organizational hierarchy and job classification
   6.j Leadership's involvement in information security planning

7. Information security policy and compliance
   7.a Adoption of a formal information security policy
   7.b Breakdown of the policy into sub-areas and orderly documentation
   7.c Monitoring users' adherence to policies during their everyday work
   7.d Compliance with international standards and recommendations
   7.e Continuous development and upgrading of information security—control of risks and conformity
   7.f Regular management reviews and internal audits
   7.g Compliance with relevant legislation
   7.h Fulfilment of contractual security obligations
   7.i Use of licensed products and services
   7.j Analysis of examples of information security best practice—benchmarking

8. Security management maturity
   8.a Strategic and long-term planning of information security—proactive approach
   8.b Development of information security as a business function or a dedicated department/service
   8.c Adequate personnel structure—recruitment of qualified staff
   8.d Formal authority of security personnel—decision-making ability
   8.e Division between system-related and security tasks—separation of the IT and security functions
   8.f Cooperation with other organizational authorities in information security planning
   8.g Regular vertical and horizontal security meetings
   8.h Team decision-making on the management of critical security risks
   8.i Management of employees' security culture and motivational activities
   8.j Legitimacy of information security—compliance with user requirements

9. Third-party relationships
   9.a Formalized contractual relationships with partners and suppliers regarding information security
   9.b Defined security responsibilities with respect to customers
   9.c Involvement of third parties in the implementation of information security measures
   9.d Good customer relations—building trust and reputation / the organization's goodwill
   9.e Testing ICT before acquisition—defined acceptance criteria and quality
   9.f Security vetting of business partners and suppliers
   9.g Defined and regulated security of e-business
   9.h Adequate technical protection of inter-organizational information systems
   9.i Formalized contractual relationships for the processing and exchange of personal data
   9.j Liability insurance covering information security events and incidents

10. External environment connections
   10.a Flexibility of the organization—adapting to changes in the sector and the environment
   10.b Successful management of competitive and external pressures
   10.c Cooperation with other sectoral organizations—inter-organizational strategic ties
   10.d Participation in economic and business associations, societies and groups
   10.e Cooperation with competent authorities when dealing with information incidents
   10.f Cooperation with security consultancy groups and external audits of information security
   10.g Active participation in foreign environments—international cooperation for knowledge sharing
   10.h Defined rules governing communication with the public and competing organizations
   10.i Monitoring technological developments and implementing innovations regularly
   10.j Monitoring and analyzing security trends—development of threats and vulnerabilities