Lightweight evaluation and comparison of information security
Information security has recently attracted considerable attention, including in the media. In most organizations, awareness of security threats has increased, and many have initiated information security programs to improve their cyber resilience. But a difficult challenge remains, especially in smaller organizations: how to prioritize improvement actions and how to deploy scarce resources most effectively.
In a joint study, Radboud University Nijmegen and the Software Improvement Group are creating and validating a lightweight evaluation framework that shows, within a very short period, how secure an organization's processes are in comparison with those of other organizations. The evaluation framework is based on existing information security standards such as ISO 27001 and ISO 27002, and its output provides a baseline for deciding which organizational processes to improve first.
Organizations that participate in the validation of the framework will go through the following three steps:
- Data collection: about 4 employees from different departments fill out a 20-minute questionnaire.
- Interviews: each of these 4 employees gives feedback on the questionnaire and the evaluation framework in a 30-minute interview.
- Feedback: the evaluation results are shared with the participating organization in a 1-hour interactive session or in a written report.
Are you interested in lightweight instruments for improving information security? Would you like to compare the cyber resilience of your organization with that of other organizations? Please express your interest in participating in the validation of our evaluation framework to Karin Huijben (firstname.lastname@example.org). We will then contact you with further details on how to participate. We look forward to your participation!
Dr. ir. E. Poll (Radboud University Nijmegen)
Prof. dr. ir. J. Visser (Radboud University Nijmegen & Software Improvement Group)