Course - Security Management Metrics - IMT4127
Security Management Metrics
Assessments and mandatory activities may be changed until September 20th.
About the course
Course content
- Introduction: corporate and IT governance; transparency, ownership and control in information and cybersecurity; security governance and investment management
- Measuring and assessing: maturity models; measurement systems; compliance; exercises on these topics
- Case study on metrics maturity assessment (in collaboration with a Center for Cyber and Information Security partner)
- Standards and best practices: COBIT 5 for Information Security; ISO 27001 (ISMS) / ISO 27002 (controls) / ISO 27004 (measurement) / ISO 27014 (governance); NIST SP 800-55
- Simulation models and metrics application
Learning outcome
Security Management Metrics do not exist "per se": they build on IT and operational risk management methods, on the definition and measurement of security governance, and on the subsequent design, implementation and operation of an organizational and technical measurement system at a level appropriate to the organization. This course provides an overview of IT and security governance, security metrics and measurements, standards and measurement systems and their dependencies in general, and of the information security standards COBIT 5 for Information Security, NIST SP 800-55 and ISO 27001 / ISO 27002 in particular.
After attending the course, candidates should possess the following:
Knowledge
- Understanding of security management as a critical component of IT and corporate governance, including its role as a continuous improvement process and investment area.
- Knowledge of the basic concepts of COBIT 5, NIST 800-55, and the ISO/IEC 270xx standards.
- A basic understanding of the design, implementation, and evaluation of maturity models for security.
Skills
- Ability to apply principles for designing, implementing, and auditing an Information Security Management System (ISMS) using strategic, tactical, and technical building blocks.
- Ability to design an appropriate level of Security Governance and Information Security for a given organizational context, and to express this using a suitable maturity model.
General Competence
- Understanding of the main principles, functions, and interdependencies of IT governance.
- Ability to interpret and apply metrics at strategic, tactical, and operational levels.
- Knowledge of security reporting, measurement techniques, and relevant international standards.
Learning methods and activities
- Lectures
- Assignments
- Project work
Additional information:
- The course is accessible to campus, remote and part-time students. Every student is free to choose the pedagogic arrangement that best fits their own requirements. The lectures are mostly given on campus (Gjøvik) and are open to both categories of students. All lectures are also made available online through NTNU's learning management system.
- Lectures, exercises and homework in between lecture blocks.
Compulsory requirements:
- The course requires active participation in projects - both in class and outside class.
The course is also available to students in the Master in Civil and Environmental Engineering ("Bygg- og miljøteknikk"), track Digital Building Processes ("digitale byggeprosesser"), and to students in the Master of Industrial Innovation and Digital Security (MIIDS) (campus Gjøvik Master's only).
Further on evaluation
(the information may be changed until June 15th)
Re-sit: The next time the course is running.
Forms of assessment: online written home examinations and a paper
- 2 multiple-choice home examinations (40% in total).
- The dates of the 2 multiple-choice examinations will be announced in the first lecture and through NTNU resources.
- A written paper (60%).
- Both elements (the 2 multiple-choice examinations and the paper) must be passed.
- In specific circumstances, the course responsible may slightly adjust the limits in the conversion table to keep them consistent with the qualitative descriptions of the A-F scale.
Retake can be carried out for partial assessments without all partial assessments having to be taken up again.
Specific conditions
Admission to a programme of study is required:
- Civil Engineering (MIBYGG)
- Design of Services, Technology and Interaction (MDTS)
- Information Security (MIS)
- Information Security (MISD)
- Information Security (MISEB)
- Management of Innovation and Digital Security (MIIDS)
Recommended previous knowledge
In today’s complex and interconnected digital environment, Security Management Metrics are essential for ensuring that IT and Security Governance frameworks effectively support organizational strategy, resilience, and compliance. This course offers a comprehensive examination of how security performance can be systematically measured, assessed, and improved across operational, tactical, and strategic levels.
Participants will explore established frameworks and standards such as COBIT 5, NIST SP 800-55 and the ISO/IEC 270xx series, and will also work with system dynamics modelling as a methodological approach to developing, simulating and refining security metrics. This approach supports a holistic understanding of the interdependencies between governance processes, security controls, organizational behaviour and risk outcomes, which in turn supports data-driven decision-making and continuous improvement.
By integrating recognized best practices with dynamic modelling techniques, the course equips participants with the competencies to design, implement, and evaluate adaptive security measurement systems. Graduates will be able to align information security governance with organizational objectives, assess maturity models effectively, and apply systems-thinking principles to enhance governance performance in evolving threat and regulatory landscapes.
Like other information security management courses, this course also aims to contribute to "cost-effective information security". In particular, it addresses the following UN Sustainable Development Goals:
Goal 8, target 8.2: Achieve higher levels of economic productivity through diversification, technological upgrading and innovation, including through a focus on high-value added and labour-intensive sectors.
Goal 12: Sustainable consumption and production is about doing more and better with less. It is also about decoupling economic growth from environmental degradation, increasing resource efficiency and promoting sustainable lifestyles.
Thus, having completed this course, the student will be able to contribute to employer performance with respect to both goal 8, target 8.2 and goal 12.
Required previous knowledge
None
Course materials
Books/standards, conference/journal papers and web resources, such as:
- Alan Calder & Steve Watkins. IT Governance: A Manager's Guide to Data Security and ISO 27001 / ISO 27002. Fourth edition. Kogan Page, 2008.
- Control Objectives for Information and Related Technology (COBIT) 5 for Information Security, Professional Guides: information security (2012) and assurance (2013). ITGI.
- Peter L. Bernstein. Against the Gods: The Remarkable Story of Risk. John Wiley & Sons, paperback, 1998. ISBN 0-471-29563-9.
- Douglas Hubbard (2016). How to Measure Anything in Cybersecurity Risk. http://www.howtomeasureanything.com/
- Brotby & Hinson (2013). PRAGMATIC Security Metrics. CRC Press. ISBN 978-1-4398-8152-1.
- Andrew Jaquith (2007). Security Metrics. http://www.securitymetrics.org/
- International Organization for Standardization (2020). ISO 27014 Information Security Governance.
- Douglas B. Laney (2017). Infonomics. Gartner.
Credit reductions
| Course code | Reduction | From |
|---|---|---|
| IMT4571 | 2.5 sp | Autumn 2017 |
| IMT4651 | 2.5 sp | Autumn 2017 |
| IMT4661 | 2.5 sp | Autumn 2017 |
Subject areas
- Information Security
Contact information
Course coordinator
Department with academic responsibility
Department of Information Security and Communication Technology