Metrics, a fundamental element in the construction of informatics security maturity models

In organizations, information security is required to guarantee institutional information environment, through human resources and technological management, to do so, it is necessary to use regulatory devices for functions and activities developed by institution personnel. The purpose of this paper was to construct security metrics that allow measuring, making decisions and improving information security systems performance in Capital District universities. In order to carry out this research, a literature review was done which supported conceptual references about security metrics, their types and indicators, and information security levels were established. From these levels, a questionnaire was designed and validated; it was applied to information security administrators or managers at selected Capital District universities. Then, the data was analyzed and a set of indicators which permitted metrics construction for each level. Resulting metrics made possible to measure institutional performance against challenges for preservation and protection of information, as well as identifying the origin of not satisfactory performance and informatics areas which require being improved. Likewise, metrics facilitate the establishment of new information security policies, where goals and objectives redefinition is carried out at the same time with technological changes to face threats and vulnerabilities that would arise in the future.