Information security indicators

In information technology, benchmarking of computer security requires measurements for comparing both different IT systems and single IT systems in dedicated situations. The technical approach is a pre-defined catalog of security events (security incident and vulnerability) together with corresponding formula for the calculation of security indicators that are accepted and comprehensive.

Information security indicators have been standardized by the ETSI Industrial Specification Group (ISG) ISI. These indicators provide the basis to switch from a qualitative to a quantitative culture in IT Security Scope of measurements: External and internal threats (attempt and success), user's deviant behaviours, nonconformities and/or vulnerabilities (software, configuration, behavioural, general security framework). In 2019 the ISG ISI terminated and related standards will be maintained via the ETSI TC CYBER.

The list of Information Security Indicators belongs to the ISI framework that consists of the following eight closely linked Work Items:


 * 1) ISI Indicators (ISI-001-1 and Guide ISI-001-2 ): A powerful way to assess security controls level of enforcement and effectiveness (+ benchmarking)
 * 2) ISI Event Model (ISI-002 ): A comprehensive security event classification model (taxonomy + representation)
 * 3) ISI Maturity (ISI-003 ): Necessary to assess the maturity level regarding overall SIEM capabilities (technology/people/process) and to weigh event detection results. Methodology complemented by ISI-005 (which is a more detailed and case-by-case approach)
 * 4) ISI Guidelines for event detection implementation (ISI-004 ): Demonstrate through examples how to produce indicators and how to detect the related events with various means and methods (with classification of use cases/symptoms)
 * 5) ISI Event Stimulation (ISI-005 ): Propose a way to produce security events and to test the effectiveness of existing detection means (for major types of events)
 * 6) An ISI-compliant Measurement and Event Management Architecture for Cyber Security and Safety (ISI-006 ): This work item focuses on designing a cybersecurity language to model threat intelligence information and enable detection tools interoperability.
 * 7) ISI Guidelines for building and operating a secured SOC (ISI-007 ): A set of requirements to build and operate a secured SOC (Security Operations Center) addressing technical, human and process aspects.
 * 8) ISI Description of a whole organization-wide SIEM approach (ISI-008 ): A whole SIEM (CERT/SOC based) approach positioning all ISI aspects and specifications.

Preliminary work on information security indicators have been done by the French Club R2GS. The first public set of the ISI standards (security indicators list and event model) have been released in April 2013.