{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,8,2]],"date-time":"2025-08-02T17:27:15Z","timestamp":1754155635560,"version":"3.41.2"},"reference-count":32,"publisher":"Emerald","issue":"5","license":[{"start":{"date-parts":[[2013,11,25]],"date-time":"2013-11-25T00:00:00Z","timestamp":1385337600000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2013,11,25]]},"abstract":"<jats:sec>\n               <jats:title content-type=\"abstract-heading\">Purpose<\/jats:title>\n               <jats:p> \u2013 Measurement of information security assurance (ISA) is an important but difficult task. This paper aims to propose a framework, which helps in refining information security requirements into controls whose effectiveness can be measured. This work also provides aggregation techniques to combine these measurements so as to obtain an indicator for ISA at the organizational level. <\/jats:p>\n            <\/jats:sec>\n            <jats:sec>\n               <jats:title content-type=\"abstract-heading\">Design\/methodology\/approach<\/jats:title>\n               <jats:p> \u2013 A top-down approach of refining security objectives to measurable independent tasks is carried out using assign graph as the model. This captures the various objectives and their interrelationships whose initial values and relative impacts are obtained from experts. Using fuzzy cognitive model (FCM), these initial values are combined together to obtain an indicator for ISA at the firm's level. 
<\/jats:p>\n            <\/jats:sec>\n            <jats:sec>\n               <jats:title content-type=\"abstract-heading\">Findings<\/jats:title>\n               <jats:p> \u2013 The two applications of the framework revealed that interrelationships do exist between the different controls employed in actual security implementations and that these dependencies are seldom accounted for. When those few controls that are to be measured are clearly identified, the security experts can focus their attention on them and ensure their correct implementation and appropriate measurement. The extent of impact of a single control on the overall security picture of the firm can also be found using this approach. <\/jats:p>\n            <\/jats:sec>\n            <jats:sec>\n               <jats:title content-type=\"abstract-heading\">Research limitations\/implications<\/jats:title>\n               <jats:p> \u2013 While the framework is generic, the assurance values obtained are context-sensitive. This is primarily because of the subjectivity involved in assigning impact measures and initial values. <\/jats:p>\n            <\/jats:sec>\n            <jats:sec>\n               <jats:title content-type=\"abstract-heading\">Practical implications<\/jats:title>\n               <jats:p> \u2013 This work helps in answering two difficult questions in information security management: \u201cwhat to measure?\u201d and \u201chow to quantify the overall security assurance of the organization?\u201d This assists the information security team in identifying and refining those controls that needs to be appropriately emphasized. The proposed framework helps the top management in doing \u201cwhat-if\u201d analysis, thereby aiding their decision-making for information security investments. 
<\/jats:p>\n            <\/jats:sec>\n            <jats:sec>\n               <jats:title content-type=\"abstract-heading\">Originality\/value<\/jats:title>\n               <jats:p> \u2013 The novel framework proposes a top-down approach for security control refinement and a bottom-up approach for combining the confidence values to obtain an indicator for ISA. This work identifies and accommodates the possibilities of having interdependencies between security controls. The proposed aggregation method using FCM is being applied for the first time in information security context and provides convergence even in the presence of cyclic dependencies amongst the controls.<\/jats:p>\n            <\/jats:sec>","DOI":"10.1108\/imcs-02-2013-0011","type":"journal-article","created":{"date-parts":[[2013,10,24]],"date-time":"2013-10-24T05:03:11Z","timestamp":1382590991000},"page":"401-419","source":"Crossref","is-referenced-by-count":0,"title":["Deriving an information security assurance indicator at the organizational level"],"prefix":"10.1108","volume":"21","author":[{"given":"Vinod","family":"Pathari","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Rajendra","family":"M. Sonar","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"140","reference":[{"key":"key2022012419561452700_b1","doi-asserted-by":"crossref","unstructured":"Anderson, R.\n                (2001), \u201cWhy information security is hard-an economic perspective\u201d, Proceedings 17th Annual Computer Security Applications Conference, ACSAC 2001, pp. 358-365.","DOI":"10.1109\/ACSAC.2001.991552"},{"key":"key2022012419561452700_b2","doi-asserted-by":"crossref","unstructured":"Atzeni, A.\n                and \n                  Lioy, A.\n                (2006), \u201cWhy to adopt a security metric? A brief survey\u201d, Quality of Protection, Advances in Information Security, Vol. 23, pp. 
1-12.","DOI":"10.1007\/978-0-387-36584-8_1"},{"key":"key2022012419561452700_b4","unstructured":"Bartol, N.\n               , \n                  Bates, B.\n               , \n                  Goertzel, K.M.\n                and \n                  Winograd, T.\n                (2009), Measuring Cyber Security and Information Assurance (State-of-the-Art Report (SOAR)), Information Assurance Technology Analysis Center (IATAC), Herndon, VA."},{"key":"key2022012419561452700_b5","unstructured":"Bashir, M.\n                and \n                  Christin, N.\n                (2008), \u201cThree case studies in quantitative information risk analysis\u201d, Proceedings of the CERT\/SEI Making the Business Case for Software Assurance Workshop, Pittsburgh, PA, pp. 77-86."},{"key":"key2022012419561452700_b6","doi-asserted-by":"crossref","unstructured":"Basile, C.\n               , \n                  Lioy, A.\n               , \n                  Perez, G.M.\n               , \n                  Clemente, F.J.\n                and \n                  Skarmeta, A.F.\n                (2007), \u201cPOSITIF: a policy-based security management system\u201d, Eighth IEEE International Workshop on Policies for Distributed Systems and Networks, POLICY '07, p. -.","DOI":"10.1109\/POLICY.2007.37"},{"key":"key2022012419561452700_b7","doi-asserted-by":"crossref","unstructured":"Bellovin, S.M.\n                (2006), \u201cOn the brittleness of software and the infeasibility of security metrics\u201d, IEEE Security & Privacy, Vol. 4 No. 4, p. 
-.","DOI":"10.1109\/MSP.2006.101"},{"key":"key2022012419561452700_b8","unstructured":"Blakley, B.\n                (2002), \u201cThe measure of information security is dollars\u201d, Proceedings of the Workshop on Economics and Information Security, University of California, Berkeley, CA."},{"key":"key2022012419561452700_b9","doi-asserted-by":"crossref","unstructured":"Blakley, B.\n               , \n                  McDermott, E.\n                and \n                  Geer, D.\n                (2001), \u201cInformation security is information risk management\u201d, Proceedings of the 2001 Workshop on New Security Paradigms, pp. 97-104.","DOI":"10.1145\/508171.508187"},{"key":"key2022012419561452700_b10","doi-asserted-by":"crossref","unstructured":"Chakraborty, A.\n               , \n                  Sengupta, A.\n                and \n                  Mazumdar, C.\n                (2012), \u201cA formal approach to information security metrics\u201d, Third International Conference on Emerging Applications of Information Technology (EAIT), pp. 439-442.","DOI":"10.1109\/EAIT.2012.6408003"},{"key":"key2022012419561452700_b11","unstructured":"Cormen, T.H.\n               , \n                  Leiserson, C.E.\n               , \n                  Rivest, R.L.\n                and \n                  Stein, C.\n                (2001), Introduction to Algorithms, MIT press, Cambridge, MA."},{"key":"key2022012419561452700_b3","unstructured":"de Aspuru, G.O.\n                (2012), \u201cFuzzy cognitive maps software\u201d, available at: www.ochoadeaspuru.com\/fuzcogmap\/software.php (accessed 5 October 2012)."},{"key":"key2022012419561452700_b12","doi-asserted-by":"crossref","unstructured":"Eloff, M.M.\n                and \n                  von Solms, S.H.\n                (2000), \u201cInformation security management: a hierarchical framework for various approaches\u201d, Computers & Security, Vol. 19 No. 3, pp. 
243-256.","DOI":"10.1016\/S0167-4048(00)88613-7"},{"key":"key2022012419561452700_b13","doi-asserted-by":"crossref","unstructured":"Falcone, R.\n               , \n                  Pezzulo, G.\n                and \n                  Castelfranchi, C.\n                (2002), \u201cA fuzzy approach to a belief-based trust computation\u201d, Trust, Reputation, and Security, Lecture Notes in Artificial Intelligence, AAMS 2002 International Workshop, Vol. LNAI 2631, Springer, Berlin, pp. 73-86.","DOI":"10.1007\/3-540-36609-1_7"},{"key":"key2022012419561452700_b14","doi-asserted-by":"crossref","unstructured":"Fowler, K.\n                (2001), \u201cGiving meaning to measurement\u201d, IEEE Instrumentation & Measurement Magazine, Vol. 4 No. 3, pp. 41-45.","DOI":"10.1109\/5289.953458"},{"key":"key2022012419561452700_b15","doi-asserted-by":"crossref","unstructured":"Geer, D.\n               , \n                  Hoo, K.S.\n                and \n                  Jaquith, A.\n                (2003), \u201cInformation security: why the future belongs to the quants\u201d, IEEE Security & Privacy, Vol. 1 No. 4, pp. 24-32.","DOI":"10.1109\/MSECP.2003.1219053"},{"key":"key2022012419561452700_b16","doi-asserted-by":"crossref","unstructured":"Harrison, M.A.\n               , \n                  Ruzzo, W.L.\n                and \n                  Ullman, J.D.\n                (1976), \u201cProtection in operating systems\u201d, Communications of the ACM, Vol. 19 No. 8, pp. 
461-471.","DOI":"10.1145\/360303.360333"},{"key":"key2022012419561452700_b17","unstructured":"Hinson, G.\n                (2006), \u201cSeven myths about information security metrics\u201d, Information System Security Association (ISSA) Journal, July."},{"key":"key2022012419561452700_b18","doi-asserted-by":"crossref","unstructured":"Hwang, C.\n                and \n                  Lin, M.\n                (1987), \u201cGroup decision making under multiple criteria\u201d, Lecture Notes in Economics and Mathematical Systems, Vol. 281, Springer, New York, NY.","DOI":"10.1007\/978-3-642-61580-1"},{"key":"key2022012419561452700_b20","doi-asserted-by":"crossref","unstructured":"Kosko, B.\n                (1986), \u201cFuzzy cognitive maps\u201d, International Journal of Man-Machine Studies, Vol. 24 No. 1, pp. 65-75.","DOI":"10.1016\/S0020-7373(86)80040-2"},{"key":"key2022012419561452700_b21","doi-asserted-by":"crossref","unstructured":"Krautsevich, L.\n               , \n                  Martinelli, F.\n                and \n                  Yautsiukhin, A.\n                (2010), \u201cFormal approach to security metrics: what does more secure mean for you?\u201d, Proceedings of the Fourth European Conference on Software Architecture: Companion Volume, pp. 162-169.","DOI":"10.1145\/1842752.1842787"},{"key":"key2022012419561452700_b22","unstructured":"Leon, P.G.\n                and \n                  Saxena, A.\n                (2010), \u201cAn approach to quantitatively measure information security\u201d, Proceedings of the 3rd India Software Engineering Conference, ISEC 2010."},{"key":"key2022012419561452700_b23","doi-asserted-by":"crossref","unstructured":"Nicol, D.M.\n               , \n                  Sanders, W.H.\n                and \n                  Trivedi, K.S.\n                (2004), \u201cModel-based evaluation: from dependability to security\u201d, IEEE Transactions on Dependable and Secure Computing, Vol. 1 No. 1, pp. 
48-65.","DOI":"10.1109\/TDSC.2004.11"},{"key":"key2022012419561452700_b24","doi-asserted-by":"crossref","unstructured":"Pathari, V.\n                and \n                  Sonar, R.\n                (2012), \u201cIdentifying linkages between statements in information security policy, procedures and controls\u201d, Information Management & Computer Security, Vol. 20 No. 4, pp. 264-280.","DOI":"10.1108\/09685221211267648"},{"key":"key2022012419561452700_b25","unstructured":"Patriciu, V.V.\n               , \n                  Priescu, I.\n                and \n                  Nicolaescu, S.\n                (2006), \u201cSecurity metrics for enterprise information systems\u201d, Journal of Applied Quantitative Methods, Vol. 1 No. 2, pp. 151-159."},{"key":"key2022012419561452700_b26","doi-asserted-by":"crossref","unstructured":"Sandhu, R.S.\n                (1993), \u201cLattice-based access control models\u201d, IEEE Computer, Vol. 26 No. 11, pp. 9-19.","DOI":"10.1109\/2.241422"},{"key":"key2022012419561452700_b27","doi-asserted-by":"crossref","unstructured":"Savola, R.M.\n                and \n                  Heinonen, P.\n                (2011), \u201cA visualization and modeling tool for security metrics and measurements management\u201d, Information Security South Africa (ISSA), pp. 1-8.","DOI":"10.1109\/ISSA.2011.6027518"},{"key":"key2022012419561452700_b28","doi-asserted-by":"crossref","unstructured":"Siponen, M.\n                (2006), \u201cInformation security standards focus on the existence of process, not its content\u201d, Communications of the ACM, Vol. 49 No. 8, pp. 
97-100.","DOI":"10.1145\/1145287.1145316"},{"key":"key2022012419561452700_b29","doi-asserted-by":"crossref","unstructured":"Tashi, I.\n                and \n                  Ghernaouti-H\u00e9lie, S.\n                (2008), \u201cEfficient security measurements and metrics for risk assessment\u201d, ICIMP '08: Proceedings of the 2008 The Third International Conference on Internet Monitoring and Protection, IEEE Computer Society, Washington, DC, pp. 131-138.","DOI":"10.1109\/ICIMP.2008.34"},{"key":"key2022012419561452700_b19","doi-asserted-by":"crossref","unstructured":"Torres, J.M.\n               , \n                  Sarriegi, J.M.\n               , \n                  Santos, J.\n                and \n                  Serrano, N.\n                (2006), \u201cManaging information systems security: critical success factors and indicators to measure effectiveness\u201d, Information Security, Lecture Notes in Computer Science, Vol. 4176\/2006, Springer, Berlin, pp. 530-545.","DOI":"10.1007\/11836810_38"},{"key":"key2022012419561452700_b30","doi-asserted-by":"crossref","unstructured":"Trvcek, D.\n                (2010), \u201cSecurity metrics foundations for computer security\u201d, The Computer Journal, Vol. 53 No. 7, pp. 1106-1112.","DOI":"10.1093\/comjnl\/bxp094"},{"key":"key2022012419561452700_b31","doi-asserted-by":"crossref","unstructured":"Vaish, A.\n                and \n                  Varma, S.\n                (2010), \u201cParameter extraction for measurement of the effective information security management \u2013 statistical analysis\u201d, International Journal of Computer and Electrical Engineering, Vol. 2 No. 4, pp. 654-659.","DOI":"10.7763\/IJCEE.2010.V2.207"},{"key":"key2022012419561452700_b32","doi-asserted-by":"crossref","unstructured":"Wang, A.J.A.\n                (2005), \u201cInformation security models and metrics\u201d, Proceedings of the 43rd Annual Southeast Regional Conference \u2013 Volume 2, Georgia, pp. 
178-184.","DOI":"10.1145\/1167253.1167295"}],"container-title":["Information Management &amp; Computer Security"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/www.emeraldinsight.com\/doi\/full-xml\/10.1108\/IMCS-02-2013-0011","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/IMCS-02-2013-0011\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/IMCS-02-2013-0011\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,24]],"date-time":"2025-07-24T21:50:44Z","timestamp":1753393844000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/ics\/article\/21\/5\/401-419\/186046"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2013,11,25]]},"references-count":32,"journal-issue":{"issue":"5","published-print":{"date-parts":[[2013,11,25]]}},"alternative-id":["10.1108\/IMCS-02-2013-0011"],"URL":"https:\/\/doi.org\/10.1108\/imcs-02-2013-0011","relation":{},"ISSN":["0968-5227"],"issn-type":[{"type":"print","value":"0968-5227"}],"subject":[],"published":{"date-parts":[[2013,11,25]]}}}