Towards a General Information Security Management Assessment Framework to Compare Cyber-Security of Critical Infrastructure Organizations

Publication: Chapter in book/Conference proceedingContribution to conference proceedings


This paper describes the development of an information security framework that aims to comparatively assess the quality of management processes in the context of cyber-security of organizations operating within critical infrastructure sectors. A design science approach was applied to establish a framework artifact that consists of the four dimensions “Security Ambition”, “Security Process”, “Resilience” and “Business Value”. These dimensions were related to the balanced scorecard concept and information security literature. The framework includes metrics, measurement approaches and aggregation methods. In its adapted form, our framework enables a systematic compilation of information security, and seeks to display the security situation of a focal firm against the desired future states, industry benchmarks, and allows for an investigation of interdependencies. The design science research process included workshops, cyclic refinements of the instrument, pretests and the framework evaluation within 30 critical infrastructure organizations. The framework was found to be particularly useful as learning and benchmarking tool capable of highlighting weaknesses, strengths, and gaps in relation to standards.
Original languageEnglish
Title of host publicationResearch and Practical Issues of Enterprise Information Systems - CONFENIS 2016
Editors A Min Tjoa, Li Da Xu, Maria Raffai, Niina Maarit Novak
Place of PublicationVienna
PublisherSpringer Lecture Notes in Business Information Processing (LNBIP)
Pages127 - 141
ISBN (Print)978-3-319-49943-7
Publication statusPublished - 2016

Austrian Classification of Fields of Science and Technology (ÖFOS)

  • 502050 Business informatics

Cite this