In order to manage and improve something, it is normally necessary to be able to assess the current state of affairs. A problem with assessment, however, is that in order to assess, it is normally necessary to be able to define the assessment topic. These general statements are also true within the area of Enterprise Information Security. Although much has been written on the topic, there is little consensus on what Enterprise Information Security really is. The lack of consensus lessens the credibility of existing assessment approaches.
This paper presents a well-defined, transparent, and quantified method for the assessment of Enterprise Information Security. The method is based on the consolidation of the most prominent sources on the topic and results in a single quantitative estimate of the level of Enterprise Information Security in a company.
The usefulness of the presented method has been verified by a case study at a large European electric utility.
The present paper is a part of an ongoing research project on a credible and cost-effective method for Enterprise Information Security assessment.
2005. 136-146 p.