Security Management Metrics
Study plans 2016-2017 - IMT4127 - 7.5 ECTS

On the basis of

Security Management Metrics encompass the requirements of IT and Security Governance, its measurement and assessment, as well as supporting Standards and Best Practices.

Calder and Watkins define IT Governance as “the framework for the leadership, organizational structures and business processes, standards and compliance to these standards, which ensures that the organization’s information systems support and enable the achievement of its strategies and objectives”. IT Governance is of crucial importance for any organization's ability to safeguard critical information in the context of growing threats and increasing requirements from national and international regulations. For Information Security Governance, the best-practice outcomes defined by the Information Systems Audit and Control Association (ISACA) include:

  • Strategic alignment of security with business strategy and organizational objectives
  • Reduction of risk and potential business impacts to an acceptable level
  • Value delivery through the optimization of security investments with organizational objectives
  • Efficient utilization of security investments supporting organization objectives
  • Performance measurement and monitoring to ensure that objectives are met

Expected learning outcomes

However, IT Governance does not exist "per se", but is based on IT and operational risk management methods, the definition and measurement of security metrics, and the subsequent design, implementation and operation of an appropriate level of organizational and technical information security.

This course provides an overview of IT and Security Governance, IT Risk Management, Business Continuity Management and Information Security and their dependencies in general, and the information security standards ISO 27001 / ISO 27002 in particular.


After attending the course, candidates should possess the following knowledge:

  • security management as an important input to IT and corporate risk management and as a continuous improvement process as well as investment area
  • the basic concepts of COSO, COBIT and the ISO 27001 / ISO 27002 / ISO 22301 standards
  • a basic understanding of design, implementation and evaluation of maturity models for security


After attending the course, candidates should possess the following skills:

  • master the principles for designing, implementing and auditing an ISO 27001-based information security management system (ISMS), using both organizational and technical building blocks
  • be able to design an appropriate level of IT Risk Management and Information Security for a given organisational context and express this in terms of an appropriate maturity model

General competence:

After attending the course, candidates should possess the following general competence:

  • main principles, functions and dependencies of IT Governance, ROSI calculation, IT Risk Management, Business Continuity Management/IT Disaster Recovery and Information Security


A) Requirements

- Corporate and IT Governance (2 Lectures)

- Internal Control System (2 Lectures)

- Transparency, Ownership and Control in Information and Cybersecurity (1 Lecture)

- Security Governance and Investment Management (2 Lectures)

- Exercise on Requirements (2 Lectures)

B) Measuring and Assessing

- Maturity Models (2 Lectures)

- Audit (2 Lectures)

- Compliance (1 Lecture)

- Risk Management and IT-Risk Management (2 Lectures)

- 2 Exercises on these topics (2 Lectures)

C) Standards and Best Practices

- COSO (1 Lecture)

- COBIT (1 Lecture)

- ISO 27001 (ISMS) / ISO 27002 (Controls) (3 Lectures)

- ISO 270xx / Cloud Security Alliance Guidelines (1 Lecture)

- ISO 22301 (Business Continuity, Disaster Recovery and Crisis Management) (2 Lectures)

- Awareness Measures (1 Lecture)

- 3 Exercises on these topics (2 Lectures)

Teaching Methods

Project work

Teaching Methods (additional text)

The course will be made accessible for both campus and remote students. Every student is free to choose the pedagogic arrangement that best fits her/his own requirements. The lectures in the course will be given on campus and are open to both categories of students. All the lectures will also be available on the Internet through GUC’s learning management system (Fronter) or provided directly via streaming (depending on the availability of classrooms with such facilities). Lectures, exercises and homework in between lecture blocks.

Form(s) of Assessment

Multiple Choice Test(s)
Evaluation of Project(s)

Form(s) of Assessment (additional text)

“Mappeevaluering” (portfolio assessment) based on three multiple choice examinations (each 13.3%, altogether 40%) and paper writing for each of the parts A, B and C (20% each, total 60%). All elements need to be passed. In specific circumstances, the course responsible can slightly adjust the limits in the conversion table to enforce compatibility with the qualitative descriptions on the A-F scale.

Grading Scale

Alphabetical Scale, A (best) – F (fail)

External/internal examiner

The multiple choice examinations are evaluated by an internal examiner. An external examiner will, in addition to the internal examiner, be used every fifth year on the paper writing projects, for the first time in spring 2018.

Re-sit examination

The next time the course is running.

Examination support

None except lexicon to/from any language and English.

Coursework Requirements

The course requires active participation in projects – both in class and outside class.

Teaching Materials

Books/standards, conference/journal papers and web resources, such as:

Alan Calder & Steve Watkins. IT Governance: A Manager's Guide to Data Security and ISO 27001 / ISO 27002. Fourth Edition. Kogan Page. 2008.

Control Objectives for Information and Related Technology (COBIT) 5, Professional Guides: information security (2012) and assurance (2013), ITGI.

Committee of Sponsoring Organizations of the Treadway Commission, Enterprise Risk Management – Integrated Framework, 2015.

Katsikas, Sokratis; Gritzalis, Dimitris, eds. (1996). Information Systems Security: Facing the Information Society of the 21st Century. IFIP Advances in Information and Communication Technology. Springer. p. 358. ISBN 9780412781209.

Peter L. Bernstein, "Against the Gods - the Remarkable Story of Risk", John Wiley & Sons, ISBN 0-471-29563-9, Paperback, 1998.

Replacement course for

IMT 4661 Security Management Dynamics, IMT4651 Security as Continuous Improvement