Measuring Efficacy of Information Security Policies : A Case Study of UAE based company

Abstract: Nowadays information security policies are operative in many organizations. Currently few organizations take the pain of verifying the efficacy of these policies. Different standards and procedures exist about methods of measuring efficacy of information security policies. Choosing and implementing them depends mainly on the key performance indicators (KPIs) and key risk indicators (KRIs) of any particular organization. This thesis is a case study of an organization in United Arab Emirates (UAE). The basic aim of the research is to inquire and analyze how the efficacy of the implemented security policies is being measured in this particular organization and to propose a method which is more suitable to the needs of organization. The research is based on theoretical study, an interview and a questionnaire. The results of this thesis indicate that there are no formal mechanisms for measuring the efficacy of information security policies in the organization under consideration. Moreover the employees of the organization are also not much satisfied with information security awareness in the company, which can be another reason for ensuring that the efficacy is measured on regular basis. Therefore, a technique from ISO27004 has been used to demonstrate how this efficacy can be measured. It is a step by step procedure for which the information has been extracted from the interview and survey questionnaire responses.