Tampere University of Technology

TUTCRIS Research Portal

Model for efficient development of security audit criteria

Research output: Chapter in Book/Report/Conference proceeding; Conference contribution; Scientific; peer-review


Original language: English
Title of host publication: Proceedings of the 17th European Conference on Cyber Warfare and Security, ECCWS 2018
Publisher: Curran Associates
Number of pages: 9
ISBN (Electronic): 9781911218852
Publication status: Published - 2018
Publication type: A4 Article in a conference publication
Event: European Conference on Cyber Warfare and Security - Oslo, Norway
Duration: 28 Jun 2018 - 29 Jun 2018


Conference: European Conference on Cyber Warfare and Security


Cyber-attacks have grown in importance to become a matter of national security. A growing number of states and organisations around the world have been developing defensive and offensive capabilities for cyber warfare. Security criteria are important tools for defensive capabilities of critical communications and information systems (CIS). Various criteria have been developed for designing, implementing and auditing CIS. However, the development of criteria is inadequately supported by currently available guidance. The relevant guidance is mostly related to criteria selection. The abstraction level of the guidance is high. This may lead to inefficient criteria development work. In addition, the resulting criteria may not fully meet their goals. To ensure efficient criteria development, the guidance should be supported with concrete level implementation guidelines. This paper proposes a model for efficient development of security audit criteria. The model consists of criteria design goals and concrete implementation guidelines to achieve these goals. The model is based on the guidance given by ISACA and on the criteria development work by FICORA, the Finnish Communications Regulatory Authority. During the years 2008-2017, FICORA has actively participated in development and usage of three versions of Katakri, the Finnish national security audit criteria. The paper includes a case study that applies the model to existing security criteria. The case study covers a review of the criteria composed of the Finnish VAHTI-instructions. During the review, all supported design goals and implementation guidelines of the model were scrutinised. The results of the case study indicate that the model is useful for reviewing existing criteria. The rationale is twofold. First, several remarkable shortcomings were identified. Second, the identification process was time-efficient. The results also suggest that the model would be useful for criteria under development. 
Addressing the identified shortcomings during the development phase would have made the criteria more efficient, usable and understandable.


Keywords: Audit, Criteria, Katakri, Security, VAHTI
