Abstract:
Metrics are a set of numbers used to obtain information about the operation of a process or
system. In our case, metrics are used to assess the level of information security of information
and communication infrastructure facilities. Metrics in the field of information security quantify
the possibility of damage resulting from unauthorized access to or compromise of an information
system, which makes it possible to assess the cyber sustainability of the system. The purpose of
the paper is to improve information security metrics using multicriteria decision-making (MCDM)
methods. This is achieved by proposing aggregated information security metrics and evaluating
the effectiveness of their application. Classical information security metrics consist of a single
quantity or variable. We obtain an aggregated value by combining at least two different classical
metrics and estimating the weighting factors that determine their relative importance. This is what
we call aggregated, or multicriteria, information security metrics. MCDM methods are therefore
applied to compile the aggregated metrics. The weights are derived from expert judgement, and
the aggregated metrics are proposed for three management domains of the ISO/IEC 27001
information security standard. The proposed approach applies equally to cyber sustainability
metrics and to information security metrics. Using the AHP, WASPAS and Fuzzy TOPSIS methods,
the weights of the classical metrics are calculated and three aggregated metrics are proposed. To
confirm that the task of improving information security metrics has been fulfilled, a verification
experiment is conducted in which aggregated and classical information security metrics are
compared. The experiment shows that aggregated metrics are more convenient and faster to apply,
and that they are easier to interpret.
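The abstract describes aggregated metrics as weighted combinations of classical metrics, with the weights obtained from expert pairwise judgements through MCDM methods. The following Python example, added here and not taken from the paper, shows the mechanics of that construction: AHP weights are computed from a reciprocal pairwise comparison matrix (using the row geometric-mean approximation of the principal eigenvector, together with Saaty's consistency ratio as the check a practitioner would want before trusting the weights), and the weighted metrics are then aggregated with WASPAS into a single score per facility. The three classical metrics, the pairwise matrix and the facility values are constructed for illustration; the paper's actual metrics, judgements and the Fuzzy TOPSIS step are not reproduced.

```python
"""Aggregated information security metric: AHP weights for classical metrics,
then WASPAS aggregation across facilities.

Added illustration; this is not code from the paper. The metric names, the
expert pairwise comparison matrix and the facility values are constructed.
"""
import math
from typing import Dict, List, Sequence, Tuple

# Saaty's random consistency index by matrix order n (n = 1..10).
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12,
                6: 1.24, 7: 1.32, 8: 1.41, 9: 1.45, 10: 1.49}

# Constructed classical metrics (hypothetical) with their direction:
# "benefit" = larger is better, "cost" = smaller is better.
METRICS = [
    ("mean_time_to_patch_days", "cost"),
    ("staff_awareness_training_pct", "benefit"),
    ("incidents_per_quarter", "cost"),
]

# Constructed expert judgement on Saaty's 1-9 scale: PAIRWISE[i][j] states how
# much more important metric i is than metric j; the matrix is reciprocal.
PAIRWISE = [
    [1.0, 3.0, 5.0],
    [1 / 3, 1.0, 3.0],
    [1 / 5, 1 / 3, 1.0],
]

# Constructed raw values of the three metrics for three hypothetical facilities.
FACILITIES = {
    "facility_A": [10.0, 90.0, 2.0],
    "facility_B": [30.0, 60.0, 5.0],
    "facility_C": [5.0, 70.0, 8.0],
}


def ahp_weights(a: Sequence[Sequence[float]]) -> Tuple[List[float], float]:
    """Return (weights, consistency_ratio) for a reciprocal pairwise matrix.

    Weights are the row geometric-mean approximation of the principal
    eigenvector; lambda_max is estimated as the mean of (A w)_i / w_i.
    A consistency ratio above 0.10 means the expert judgements should be revised.
    """
    n = len(a)
    gm = [math.prod(row) ** (1.0 / n) for row in a]
    w = [g / sum(gm) for g in gm]
    aw = [sum(a[i][j] * w[j] for j in range(n)) for i in range(n)]
    lam_max = sum(aw[i] / w[i] for i in range(n)) / n
    ci = (lam_max - n) / (n - 1) if n > 1 else 0.0
    cr = ci / RANDOM_INDEX[n] if RANDOM_INDEX[n] else 0.0
    return w, cr


def normalise(raw: Dict[str, List[float]],
              metrics: Sequence[Tuple[str, str]]) -> Dict[str, List[float]]:
    """Linear normalisation to (0, 1]: x/max for benefit metrics, min/x for cost metrics."""
    cols = list(zip(*raw.values()))
    out = {}
    for name, values in raw.items():
        row = []
        for j, (metric, kind) in enumerate(metrics):
            if kind == "benefit":
                row.append(values[j] / max(cols[j]))
            else:
                if values[j] <= 0:
                    raise ValueError(f"cost metric {metric} must be positive for {name}")
                row.append(min(cols[j]) / values[j])
        out[name] = row
    return out


def waspas_scores(raw: Dict[str, List[float]], metrics: Sequence[Tuple[str, str]],
                  weights: Sequence[float], lam: float = 0.5) -> Dict[str, float]:
    """Aggregated metric Q_i = lam*WSM_i + (1-lam)*WPM_i for each alternative.

    WSM is the weighted sum of normalised metrics, WPM the weighted product;
    lam = 0.5 is the conventional WASPAS balance between the two.
    """
    norm = normalise(raw, metrics)
    scores = {}
    for name, r in norm.items():
        wsm = sum(w * x for w, x in zip(weights, r))
        wpm = math.prod(x ** w for w, x in zip(weights, r))
        scores[name] = lam * wsm + (1 - lam) * wpm
    return scores


def ranked(scores: Dict[str, float]) -> List[str]:
    """Alternatives ordered from best (highest aggregated metric) to worst."""
    return sorted(scores, key=scores.__getitem__, reverse=True)


if __name__ == "__main__":
    weights, cr = ahp_weights(PAIRWISE)
    for (name, _), w in zip(METRICS, weights):
        print(f"{name:32s} weight={w:.3f}")
    verdict = "acceptable" if cr < 0.10 else "revise judgements"
    print(f"consistency ratio={cr:.3f} ({verdict})")
    scores = waspas_scores(FACILITIES, METRICS, weights)
    for name in ranked(scores):
        print(f"{name}: aggregated metric Q={scores[name]:.3f}")
```

With the constructed judgements, mean time to patch receives by far the largest weight, so facility_C ranks first despite having the most incidents; this is exactly the sensitivity to expert weighting that the paper's verification experiment has to account for when comparing aggregated metrics with classical single-variable ones. The consistency ratio printed before the ranking is the check that should gate any use of the weights.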