Abstract
In recent years, many companies have had problems with information security. These include data leaks, phishing email etc. which may cause financial loss, reputational damage, productivity decline, safety/health damage and so on. Even though organizational leaders are more aware of these problems now, many still don’t fully understand the current information security status of their organization. The visualization of metrics resulting from security assessments process will help them to identify issues accurately. We believe that KRIs based analysis is necessary to create metrics that appear to be effective, and the importance of each KRI varies depending on the characteristics of the organization. In this paper we propose a method for extracting KRIs that reflects the characteristics of an organization type and provide examples.
