Developing key Performance Indicators for Financial IT Security

Sung Ok Jang, Jong In Lim


As a reinforcing strategic-alignment of IT business, Financial Service becomes more rely on IT systems. It needs to continuous information security activities to provide a secure and reliable finance service. Performance measurement of information security activities can be useful for decision and management support. The purpose of this study is to derive CSF(Critical Success Factor) and KPI(Key Performance Indicator) based on K-ISMS, Financial IT Information Security Standards. Providing a rationale can be used to determine key performance indicators, which are utilized as basic data for establishing security policies for financial IT security competency.

Full Text:



Barua, A., Kriebel, C. H., and Mukhopadhyay, T., "Information Technology and Business Value: An Analytic and Empirical Investigation," Information Systems Research, Vol. 6, No. 1, pp. 3-23, 1995.

Financial Services Commission, "Comprehensive Security Countermeasures for Financial IT Security," 2013.

Grembergen, W. V. and Steven, D. H., "Measuring and Improving IT Governance Through the Balanced Scorecard," Information Systems Control Journal, Vol. 2, No. 1, pp. 35-49, 2005.

Gurbaxani, V. and Lee, S. A., "Integrating Positivist and Interpretive Approaches to Organizational Research," Organization Science, Vol. 2, No. 4, pp. 342-365, 1991.

Haley, T. J., "Software process improvement at Raytheon," IEEE Software, Vol. 13, No. 6, pp. 33-41, 1996.

Humphreys, E., "Information security management standards:Compliance, governance and risk management," Information Security Technical Report, Vol. 13, No. 4, pp. 247-255, 2008.

ISACA, COBIT 5:A Business Framework for the Governance and Management of Enterprise IT, 2013, http://

ISO/IEC 27014, ITU-T Recommendation X.1054 and ISO/IEC 27014:2013 Information technology - Security techniques - Governance of information security, html/27014.html.

Jang, I. J. and Yoo, H. S., "Dynamic Sensitivity Level Measurement for Privacy Protection," The Journal of Society for e-Business Studies, Vol. 17, No. 1, pp. 137-150, 2012.

Kaplan, R. and Norton, D., "The strategy focused organization," Harvard Business Press, 2001.

Kaplan, R. and Norton D., "Using the balanced scorecard as a strategic management system," Harvard Business Review, Jan-Feb, 1996.

Kaplan, R. and Norton, P., "Transforming the Balanced Scorecard from Performance Measurement to Strategic Management: Part I," Accounting Horizons, Vol. 15, No. 1, pp. 87-104, 2001.

Kim, A. C., Lee, S. M., and Lee, D. H., "Compliance Risk Assessment Measures of Financial Information Security using System Dynamics," International Journal of Security and Its Applications(IJSIA), Vol. 6, No. 4, pp. 191-200, 2012.

Kim, H. J. and Ahn, J. H., "An Empirical Study of Employee's Deviant Behavior for Improving Efficiency of Information Security Governance," The Journal of Society for e-Business Studies, Vol. 18, No. 1, pp. 147-164, 2013.

KISA(Korea Internet and Security Agency), 2013 National Information Security White Paper, 2013.

Kraut, R. E. and Streeter, L. A., "Coordination in software development," Communications of the ACM, Vol. 38, No. 3, pp. 69-81, 1995.

Lee, H. M. and Lim, J. I., "A Study on the Development of Corporate Information Security Level Assessment Models," Journal of the Korea Institute of Information Security and Cryptology, Vol. 18, No. 5, pp. 161-170. 2008.

Lee, U. K., Kim, K. K., Ryoo, S. Y., and Yoo, Y. S., "An Evaluation Method for R&D Projects in Telecommunication and Broadcasting," The Journal of Society for e-Business Studies, Vol. 17, No. 2, pp. 165-187, 2012.

Maconachy, W. V., Schou, C. D., Ragsdale, D., and Welch, D., "A model for information assurance:An integrated approach," Proceedings of the 2001 IEEE Workshop on Information Assurance and Security, pp. 301-310, 2001.

Martin, C. and Refai, M., "A Policy- Based Metrics Framework for Information Security Performance Measurement," 2007 2nd IEEE/IFIP International Workshop on Business-Driven IT Management, Munich, pp. 94-101, May, 2007.

NIST, Performance Measurement Guide for Information Security, NIST SP800- 55 Rev.1, Jul 2008.

NIST, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP800-53 Rev. 4, Aprl 2013.

Niven, P. R., Balanced scorecard stepby- step: maximizing performance and maintaining results, John Wiley and Sons, Hoboken, NJ. 2002.

Park, S. H., Research on the impact on the outcome of the software project : Change management and improvement of processes, Korea University of Foreign Studies, Graduate School of Management Information Systems, Master Thesis, 2004.

Posthumus, S. and Von Solms, R., "A framework for the governance of information security," Computers and Security, Vol. 23, No. 8, pp. 638-646, Dec 2004.

Steven, D. H. and Grembergen, W. V., "An Exploratory Study into IT Governance Implementations and its Impact on Business/IT Alignment," Information Systems Management, Vol. 26, No. 2, pp. 123-137, 2009.

Tayler, B., "The Balanced Scorecard As A Strategy-Evaluation Tool:The Effects of Responsibility and CausalChain Focus," Working Paper, Cornell University, 2009.

The Bank of Korea, "The usage of Internet banking services in Korea," 2013.

Von Solms, S. H., "Information security governance-compliance management vs operational management," Computers and Security, Vol. 24, No. 6, pp. 443-447, 2005.

Wikipedia, "factor analysis," 2013, http://


  • There are currently no refbacks.