Three Models to Measure Information Security Compliance

Abstract

This work introduces three models to measure information security compliance. These are the cardinality model, the second’s model, which is based on vector space, and the last model is based on the priority principle. Each of these models will be presented with definitions, basic operations, and examples. All three models are based on a new theory to understand information security called the Information Security Sets Theory (ISST). The ISST is based on four basic sets: external sets, local strategy sets, local standard sets, and local implementation sets. It should be noted that two sets are used to create local standard sets—local expansion and local creation. The major differences between the Zermelo Fraenkel set theory and the ISST are the elimination of using empty element and empty set. This assumption is based on “there is not empty security” measure and the is substituted to be and is defined as “minimum security (or system default security)”. The main objective of this article is to achieve new modeling system for information security compliance. The compliance measurement is defined in the first model as the cardinality between local strategy sets and the actual local implementation. The second model is looking at the security compliance as the angle between two sets, local implementation and local standard. The third model is based on the priority philosophy for local security standard.