
Author: 卓佩玟 (Pei-Wen Juo)
Thesis title: 階層式資安指標之設計與實作研究 (On the Design and Implementation of a Hierarchical Information Security Metric)
Advisor: 查士朝 (Shi-Cho Cha)
Committee members: 黃世禎 (Shih Chen Huang), 周子銓 (Tzu-Chuan Chou)
Degree: Master
Department: College of Management, Department of Information Management
Year of publication: 2009
Academic year of graduation: 97 (ROC calendar)
Language: Chinese
Pages: 76
Keywords (Chinese): 資訊安全指標, 階層式指標, 燈號機制 (information security metrics, hierarchical metrics, traffic-light mechanism)
Keywords (English): Information security metrics, Hierarchical metrics
Abstract (Chinese, translated):

To raise its internal information security level, an organization's managers must have an accurate grasp of the current state of security within the enterprise, such as the implementation status of security controls or the return on security investment, so that improvement measures can be taken at the first opportunity. Information security metrics can convey this important information to managers concretely, whether qualitatively or quantitatively, and serve as an important basis for decision making and performance improvement. When an organization uses a large number of security metrics, however, how to manage and present the important metric information becomes a significant issue.

To address the problem of managers facing many metrics, this study takes a hierarchical metric structure as its basis and uses a traffic-light (signal) method to present the enterprise's security status. To remedy the unsystematic nature of earlier hierarchical metric traffic-light schemes and their failure to present a light at every level of the hierarchy, this study adds the consideration of weights and, through a metric scale conversion method, transforms measurement values expressed in different scale units into normalized scores; these scores are then used as the basis for determining the light of every node. The method presents the security status in a user-friendly and systematic way, helping organizations use it as a reference for security improvement.


Abstract (English):

Managers of an organization usually need to establish metrics systems to understand the state of information security, so that they can adopt appropriate approaches to improve the effectiveness and efficiency of information security in the organization. However, the state-of-the-art literature has proposed several kinds of security metrics, with the result that managers are usually flooded by security metrics. Consequently, managers may have trouble making decisions based on hundreds of security metrics.

To address this, this thesis proposes a method to represent the relationships among metrics as hierarchical trees. Moreover, it proposes a well-defined metric system and a transition scheme so that an organization can represent measures from heterogeneous metric systems in the same format and integrate the measures into a hierarchy tree. Because managers of an organization can explore such a hierarchical tree systematically, this thesis can hopefully contribute to improving the information security of an organization.

Table of contents:

Abstract (Chinese) ... I
Abstract (English) ... II
Acknowledgements ... III
Contents ... IV
List of Tables ... VI
List of Figures ... VII
Chapter 1 Introduction ... 1
1.1 Research Background ... 1
1.2 Research Motivation ... 2
1.3 Research Objectives and Contributions ... 3
1.4 Chapter Overview ... 4
Chapter 2 Literature Review ... 5
2.1 Information Security Metrics ... 5
2.1.1 What Is a Metric ... 5
2.1.2 Evaluation Criteria for Performance Metrics ... 6
2.1.3 Classification of Scales ... 7
2.1.4 Definition of Information Security Metrics ... 9
2.1.5 Importance of Information Security Performance Metrics ... 11
2.2 Information Security Performance Metrics ... 12
2.2.1 Security Metric Methods ... 12
2.2.2 Units Commonly Used by Security Metrics ... 19
2.3 Metric Visualization ... 21
2.3.1 Introduction to Metric Visualization ... 21
2.3.2 Metric Visualization Tools ... 22
2.3.3 Problems of Traditional Hierarchical Metric Traffic-Light Mechanisms ... 29
Chapter 3 An Integrable Hierarchical Information Security Metric Traffic-Light Mechanism ... 31
Chapter 4 The Traffic-Light Mechanism ... 33
4.1 Definition of Lights ... 33
4.2 Conversion between Security Performance Metrics and Lights ... 34
4.2.1 Setting Units for Security Metrics ... 34
4.2.2 Metric Scale Conversion Method ... 37
4.2.3 Metric Lights ... 42
4.3 Linking and Integrating Lights ... 43
4.4 Example ... 45
Chapter 5 Design of the Mechanism and Visual Presentation of Lights ... 50
5.1 System Model ... 50
5.1.1 System Description ... 51
5.1.2 Operational Workflow ... 53
5.2 Visual Presentation ... 54
Chapter 6 Conclusions and Future Work ... 59
References ... 61
Appendix A Summary of Quantitative Security Metrics ... 64
Appendix B Summary of Qualitative Security Metrics ... 76

