Keywords: IT security metrics, IT security elements, metrics models, metrics dashboard, merics algorithms, goal question metrics, security mesaurement scaling


It is a common management principle that one can only manage and improve what one can measure. Studies indicate that information technology security management could be improved if appropriate security metrics which are based on elements of information technology security are used. The objectives of this study were: to identify the major elements of information technology security, and to develop suitable information technology security metric’s model based on major elements for universities in Kenya. Methodology  involved  a review of secondary publications to ascertain the major information technology security.  Ten percent of universities in Kenya were sampled for data collection. Purposive sampling was conducted for data collection using questionnaire and an interview schedule. In each sampled university, 13 operation areas related to information systems were considered, giving a total of 91 resepondents. Data was collected from the team leader of each operation area, then  analysed using SPSS, where regression model in Tobin's Q equation was adopted. The regression analysis helped to generate coefficients that constituted security metrics' model and prototype. In conclusion, while the level of implementation of IT security elements was found to contribute to the metrics, information security policy was found to contributes as twice. Therefore, it is recommended that the developed IT security metrics model  should be used together with the security policy for better information systems security management.


Download data is not yet available.


Angelini, M., & Santucci, G. (2015). Visual cyber situational awareness for critical infrastructures. In Proceedings of the 8th International Symposium on Visual Information Communication and Interaction (pp. 83-92). ACM.
Bichanga, O. W., & Obara, O. B. (2014). Challenges Facing Information Systems Security Management in Higher Learning Institutions: A Case Study of the Catholic University of Eastern Africa-Kenya. International Journal of Management Excellence, 3(1), 336-349.
Beas, M. I., & Salanova, M. (2006). Self-efficacy beliefs, computer training and psychological Bevans, B. (2016). Categorizing Blog Spam.
Casey, E. (2011). Digital evidence and computer crime: Forensic science, computers, and the internet. Academic press.
Furnell, S. M., Bryant, P., & Phippen, A. D. (2007). Assessing the security perceptions of personal Internet users. Computers & Security, 26(5), 410-417.
Gesmann, M., & de Castillo, D. (2011). Using the Google visualisation API with R. The R Journal, 3(2), 40-44.
Gritzalis, D., Kandias, M., Stavrou, V., & Mitrou, L. (2014). History of information: the case of privacy and security in social media. In Proc. of the History of Information Conference (pp. 283-310).
Haubner, G., Petermann, H., & Zobl, H. (1986). U.S. Patent No. 4,630,043. Washington, DC: U.S. Patent and Trademark Office.
Howe, E. D. (2015). Mormonism unvailed (p. 252). Utah Lighthouse Ministry.
Ismail, R., & Zainab, A. N. (2013). Information systems security in special and public libraries: an assessment of status. arXiv preprint arXiv:1301.5386.
Jaffer, S., Ng'ambi, D., & Czerniewicz, L. (2007). The role of ICTs in higher education in South Africa: One strategy for addressing teaching and learning challenges. International journal of Education and Development using ICT, 3(4).
Jonsson, E., & Pirzadeh, L. (2011). A framework for security metrics based on operational system attributes. In 2011 Third International Workshop on Security Measurements and Metrics (pp. 58-65). IEEE.
Kitheka, P. M. (2013). Information Security Management Systems In Public Universities In Kenya: A Gap Analysis between Common Practices and Industry Best Practices (Doctoral dissertation, University of Nairobi).
Kothari, C. R. (2003). Research Methodology–Methods & Techniques, Wishawa Prakashan, New Delhi. Ali SS, Models in Consumer Buying Behaviour, Deep & Deep Publications.
Lebel, P. (2007). U.S. Patent Application No. 11/212,790.
Lenders, V., Tanner, A., & Blarer, A. (2015). Gaining an edge in cyberspace with advanced situational awareness. IEEE Security & Privacy, 13(2), 65-74.
Lie, H. W., & Bos, B. (2005). Cascading style sheets: designing for the Web. Addison-Wesley Professional.
MacLean, R. (2012). Dangerous environments. Environmental Quality Management, 21(3), 109-116.
Makori, E. (2013). Adoption of radio frequency identification technology in university libraries: A Kenyan perspective. The Electronic Library, 31(2), 208-216.
Mang'ira, R., & Andrew, K. (2014). Towards establishment of a full-fledged disaster management department for Moi University libraries.
Martins, A., Eloff, J. H. P., & Park, A. (2001). Measuring information security. In Proceedings of Workshop on Information Security–System Rating and Ranking.
Mitnick, K. D., & Simon, W. L. (2011). The art of deception: Controlling the human element of security. John Wiley & Sons.
Mugenda, O. &Mugenda A.(2003). Research methods: quantitative and qualitative approaches.
Mukhwana, E. J., Kande, A., & Too, J. (2017). Transforming University Education in Africa: Lessons from Kenya. African Journal of Rural Development, 2(3), 341-352.
Ndung'u, P. W., & Kyalo, J. K. (2015). An evaluation of enterprise resource planning systems implementation experiences for selected Public Universities in Kenya.
Nixon, K. C. (2012). Winclada (BETA) ver. 0.9. 9. Published by the author.
Nweze, C. M. (2010). The use of ICT in Nigerian universities: A case study of Obafemi Awolowo University, Ile-Ife.
Okibo, B. W., & Ochiche, O. B. (2014). Challenges Facing Information Systems Security Management in Higher Learning Institutions: A Case Study of the Catholic University of Eastern Africa-Kenya. International Journal of Management Excellence, 3(1), 336-349.
Peláez, M. H. S. (2010). Measuring effectiveness in Information Security Controls. SANS Institute InfoSec Reading Room, http://www. sans. org/reading_room/whitepa pers/basics/measuring-effectivenessinformation-security-controls_33398.
Rubin, A., & Babbie, E. R. (2012). Brooks/Cole Empowerment Series: Essential research methods for social work. Cengage Learning.
Sekeres, M. A., & Bolwell, B. J. (2016). Will cancer patients be the next victims of the data privacy debate. FoxNews. com. Accessed April, 19.
Stojmenovic, I., & Wen, S. (2014). The fog computing paradigm: Scenarios and security issues. In Computer Science and Information Systems (FedCSIS), 2014 Federated Conference on (pp. 1-8). IEEE.
Tibenderana, P. K., & Ogao, P. J. (2008). Acceptance and use of electronic library services in Ugandan universities. In Proceedings of the 8th ACM/IEEE-CS joint conference on Digital l ibraries (pp. 323-332). ACM.
Thomas, T., Chu, B., Lipford, H., Smith, J., & Murphy-Hill, E. (2015). A study of interactive code annotation for access control vulnerabilities. In Visual Languages and Human-Centric Computing (VL/HCC), 2015 IEEE Symposium on (pp. 73-77). IEEE.
Trethowen, L., Anslow, C., Marshall, S., & Welch, I. (2015). VisRAID: Visualizing Remote Access for Intrusion Detection. In Australasian Conference on Information Security and Privacy (pp. 289-306). Springer International Publishing.
Veseli, I. (2011). Measuring the Effectiveness of Information Security Awareness Program (Master's thesis).
Villalonga (2004). Intangible resources, Tobin’s q, and sustainability of performance differences. Journal of Economic Behavior & Organization, 54(2), 205-2