IMT4127 - Security Management Metrics


Examination arrangement

Examination arrangement: Paper writing and Muliple choice examinations
Grade: Letter grades

Evaluation Weighting Duration Grade deviation Examination aids
Papers 6/10
Two multiple choice examinations 4/10

Course content

  1. Introduction- Corporate and IT Governance - Transparency, Ownership and Control in Information and Cybersecurity - Security Governance and Investment Management
  2. Measuring and Assessing - Maturity Models - Measurement Systems- Compliance - Exercises on these topics
  3. Case Study on Metrics Maturity Assessment (in collaboration with Center for Cyber and Information Security partner)
  4. Standards and Best Practices- COBIT 5 for Information Security- ISO 27001 (ISMS) / ISO 27002 (Controls) / ISO 27004 (Measurement) / ISO 27014 (Governance), NIST 800-55
  5. Simulation models and metrics application

Learning outcome

Security Management Metrics do not exist "per se", but are based on IT and operational risk management methods, definition and measurement of security governance, and the subsequent design, implementation and operation of an appropriate level of organizational and technical measurement system. This course provides an overview of IT and Security Governance, Security Metrics and Measurements, Standards and Measurement System and their dependencies in general, and the information security standards Cobit 5 for Information Security, NIST 800-55 and ISO 27001 / ISO 27002 in particular. After attending the course, candidates should possess the following knowledge: -security management as an important input to IT and corporate governance and as a continuous improvement process as well as investment area -the basic concepts of Cobit 5, NIST 800-55 and the ISO 270xx standards -a basic understanding of design, implementation and evaluation of maturity models for security After attending the course, candidates should possess the following skills: -master the principles for designing, implementing and auditing Information security measurement system (ISMS), using strategic, tactical and technical building blocks -be able to design an appropriate level of Security Governance and Information Security for a given organisational context and express this in terms of an appropriate maturity model After attending the course, candidates should possess the following general competence: -main principles, functions and dependencies of IT governance, metrics on strategic, tactical and operational level, security reporting, measurement techniques, and international standards.

Learning methods and activities

  • Lectures
  • Assignments
  • Project work

Additional information:

  • The course will be made accessible for both campus and remote students. Every student is free to choose the pedagogic arrangement form that is best fitted for her/his own requirement. The lectures in the course will be mostly given on campus (Gjøvik/Trondheim) and are open for both categories of students. All the lectures will also be available on Internet through NTNU's learning management system (Blackboard).
  • Lectures, exercises and homework in between lecture blocks.

Compulsory requirements:

  • The course requires active participation in projects - both in class and outside class.

The course is also available to Master in digital Building processes / "Bygg- og miljøteknikk" track "digitale byggeprosesser", and to students in the Master of Industrial Innovation and Digital Security (MIIDS).

Further on evaluation

Re-sit: The next time the course is running.

Forms of assessment:

  • Portfolio based on 2 multiple choice examinations (total 40 %) and paper writing (total 60%).
  • Both elements (2 MC and paper) need to be passed.
  • In specific circumstances, the course responsible can slightly adjust the limits in the conversion table to enforce compatibility with the qualitative descriptions on the A-F scale.

Required previous knowledge


Course materials

Books/standards, conference/journal papers and web resources, such as: -Alan Calder & Steve Watkins. IT Governance : IT Governance: A Manager's Guide to Data Security and ISO 27001 / ISO 27002. Fourth Edition. Kogan Page. 2008. -Control Objectives for Information and Related Technology (CObIT) 5 for Information Security, Professional Guides: information security (2012) and assurance (2013), ITGI. -Peter L. Bernstein, "Against the Gods - the Remarkable Story of Risk", John Wiley & Sons, ISBN 0-471-29563-9, Paperback, 1998 -Douglas Hubbard (2016): How to Measure Anything in Cybersecurity Risk -Brotby & Hinson (2013): PRAGMATIC Security Metrics, CRC Press, ISBN:978-1-4398-8152-1 -Andrew Jaquith (2007): Security Metrics ( -International Organization of Standardization (2020), ISO 27014 – Information Security Governance -Douglas B. Laney (2018): Infonomics, Garnter.

Credit reductions

Course code Reduction From To
IMT4571 2.5 AUTUMN 2017
IMT4651 2.5 AUTUMN 2017
IMT4661 2.5 AUTUMN 2017
More on the course



Version: 1
Credits:  7.5 SP
Study level: Second degree level


Term no.: 1
Teaching semester:  SPRING 2024

Language of instruction: English

Location: Gjøvik , Trondheim

Subject area(s)
  • Information Security
Contact information
Course coordinator:

Department with academic responsibility
Department of Information Security and Communication Technology


Examination arrangement: Paper writing and Muliple choice examinations

Term Status code Evaluation Weighting Examination aids Date Time Examination system Room *
Spring ORD Papers 6/10



Room Building Number of candidates
Spring ORD Two multiple choice examinations 4/10





Room Building Number of candidates
  • * The location (room) for a written examination is published 3 days before examination date. If more than one room is listed, you will find your room at Studentweb.

For more information regarding registration for examination and examination procedures, see "Innsida - Exams"

More on examinations at NTNU