The Balanced Scorecard as a Tool for Security Management Measurement

Entrepreneurial activity has always been connected to covered and uncovered risks. However, no risk can be completely compensated. Every company faces a variety of uncertainties which, depending on its business profile in combination with its reactivity, can bear many risks but also chances (Weber, Weißenberger, & Liekweg, 1999, p. 12). The uncertainties each company faces have increased during the last decades due to rapid globalization.

Furthermore, the surge in mergers and acquisitions, rapid technological development, intense worldwide competition, shorter product life cycles and access to new and modern media information channels have created new challenges for companies and their managers (Wurl & Mayer, 2001, p. 180). These factors, which already influence entrepreneurial activity, represent an infinite risk potential, and in addition uncalculated risk potentials arise in our globalized and system-connected world. As a consequence, any entrepreneurial action is hindered.

Hence, every success-oriented company needs to screen and evaluate all existing influences that have an impact on its business (Preis, 1995, p. 20). This procedure is necessary to arrive at reasonable and well-founded decisions which guarantee the consistency of every company, also in uncertain times (Form & Reichmann, 2000, pp. 189-191).

1.1 Objective of the Study

The goal of this paper is to point out the possibilities of using the Balanced Scorecard (BSC) as a measurement tool for security management.

The paper answers the question of whether the balanced scorecard is an appropriate tool and how the young field of security management can profit from the nature of the BSC.

1.2 Course of the Investigation

On a theoretical basis, the BSC system will be examined as a tool to measure the performance of security management. To this end, the BSC will be presented in its main features and examined as a performance measurement system. Furthermore, the BSC will be evaluated as an adaptable and integrative management system to investigate whether it has the potential to serve as a measurement tool for other management concepts. These findings will then be linked to the field of security management. In order to evaluate the usability of the BSC, the field of security management will be defined and previous approaches to measuring the performance of security management will be evaluated. Finally, an excursus on the application of security management in the field of Information Technology (IT) will be given. The content and structure of this paper are based on findings in primary and secondary literature, as well as on experience from practical use.

2. Balanced Scorecard

2.1 Background Information and Nature of the Balanced Scorecard

The BSC system is probably one of the most discussed economic concepts of the last 20 years. As more and more critics found the conventional key-data-based management systems faulty, more precisely because of their one-dimensionality and the strong focus of US companies on financial key data, Robert S. Kaplan and David P. Norton initiated a research project together with 12 US companies (Weber & Schäffer, 1999, p. 3).

Their aim was to adapt the existing key-data-based management systems to the increased requirements of companies. Companies could no longer base their decision-making on the financial key data, since financial measures reflect what happened in the past and financial accounting models are not seen as a system which guides the company on its way to future value creation (Kaplan & Norton, 1996, p. 7). The outcome of this research project was the BSC (see Figure 1, p. 14). Basically, the scorecard is a means of making strategies concrete, presenting them and tracking them.

Hence, it is an information and controlling system which, on the one hand, is a tool for the implementation of a strategy and, on the other hand, helps to align all entrepreneurial activity with the stated strategy (Neumann-Szyszka, 2003, p. 6). Furthermore, it can be seen as an organizing framework for a strategic management system that makes it possible to link the long-term strategy with short-term actions (Kaplan & Norton, 1996, pp. 75-85). The main goal is to raise the likelihood that intended strategies are implemented, as well as to assess the added value, that is, to measure performance (Gaiser & Greiner, 2002, p. 199).

2.2 Implementation of the Balanced Scorecard

In order to implement the BSC in a company, the most important prerequisite is the existence of a vision and a company strategy. Both elements form the basis from which the BSC then derives key data, certain measures and also the goals of the company, which are allocated to the so-called standard four main perspectives (Wolf & Runzheimer, 2001, p. 22).

The perspectives have the task of building a thought pattern which guarantees that all important key aspects of activity are considered, even before the strategy adjustment process begins. Taking all perspectives into account when developing the strategy is one of the constitutive elements of the BSC approach. Thus, working through all perspectives assists the implementation of strategic goals, indicators and strategic actions by deriving and pursuing a goal from several sides (Horváth & Partners, 2007, p. 0). Consequently, the BSC prevents an isolated view of the perspectives by regarding them as balanced and interdependent. Besides the financial perspective, which is also used in traditional management systems, the BSC is extended by non-financial perspectives, namely the customer perspective, the internal process perspective and the learning and innovation perspective (Herath, Herath, & Bremser, 2010, p. 73). The perspectives are connected by so-called cause-and-effect chains (see Figure 2, p. 14).

They explain the relationships between the perspectives as well as between the command variables and indicators (Jöhnk & Zimmermann, 2001, p. 33). This is the reason why the BSC system is also called a multilateral performance measurement system. For the further implementation process, besides the consideration of cause-and-effect chains, essential advice from Kaplan and Norton should be followed: outcome and performance-driving key data must be used during the implementation process, and the overall key data and goals shall be connected with the financial perspective.

This leads to the classical BSC (see Figure 1, p. 14), originally invented by Robert S. Kaplan and David P. Norton (Jöhnk & Zimmermann, 2001, p. 17). With regard to these three rules, four main steps are taken to implement the BSC in an organization, namely translating the vision, communicating & linking, business planning, and feedback & learning. As already mentioned, the vision and the company's strategy are the basis on which the BSC builds.

The vision is translated and, as a positive side effect, the translation establishes a broad consensus on the vision and strategy of the company (Müller, 2000, p. 117). Through the process of communication and linking, all layers of management are affected by the implementation. Thus information asymmetry can be avoided, and a better understanding of the company's strategy and a stronger commitment to achieving the stated goals are guaranteed.

On this basis, goal-setting programs are developed, and from the overall strategic objective, target goals for each department, team and individual are derived and, for motivation, linked to an incentive and reimbursement system to foster the consistent strategic orientation of the company (Weber & Schäffer, 2000, p. 19). The business planning process links strategic planning to financial and personnel budgets, as well as to tangible assets, to examine which resources can be applied to achieve the stated goals (Georg, 2000, p. 37).

On account of the dynamic economic setting, each strategy demands constant feedback, evaluation, adaptation and further development. The fourth and last process, the feedback and learning process, therefore involves the monitoring of the strategy and its implementation in the organization (Kaplan & Norton, 1996, pp. 272-292).

2.3 The Balanced Scorecard as a Performance Management System

The BSC meets the claim of a performance management system since it contributes to securing the long-term success and continuance of a company.

It measures performance on a multidimensional level, with financial and non-financial as well as historic and future key data. Besides, it translates the company's strategy into key data and objectives, and links operating key figures with performance drivers to display mission-critical influencing factors so that early intervention is possible (Horváth, 2000, p. 140). Furthermore, it gives guidance for action that matches the strategy on all levels of the company by deriving objectives and key figures for every department, team and individual.

As an integrative concept, the BSC supports the interplay of a variety of management approaches by using four perspectives, adjusting their goals and measures to each other and finally linking them in the long run with the company's strategy. Thereby, success factors are not regarded individually, but are controlled side by side in a goal-oriented way, and thus the success of the company can be secured from various directions (Zimmermann & Jöhnk, 2000, p. 88).

The BSC is a strategic management system for executives, which represents an adequate instrument for the implementation of strategies and especially for managing strategic success factors (Gleißner, 2000, p. 1628).

3. Security Management

3.1 Definition

Security management is the management that guides, conducts and coordinates an organization with regard to all security activities and thus represents the sensible handling of disadvantageous and negative developments that pose a potential threat to achieving the company's objectives (Kremers, 2002, p. 8; Baetge & Jerschenksy, 1999, p. 171). Nowadays, security management is an essential component of management and is continuously being developed further.

3.2 Reasons for Security Management

Aspiring to long-term entrepreneurial success bears many risks. Since so-called action-dependent or speculative risks are very closely related to the operating target system, they have a strategic and an operative character. Strategic risks are based on long-term strategic goals which are set throughout the whole company. A very high risk potential therefore arises from these risks, since they have many influencing factors.

An example would be a bank which voluntarily accepts credit risk by lending money to non-creditworthy individuals or companies in order to generate higher returns (Mugler, 1998, p. 194). Operational risks, however, occur in the production process and merely affect the short-term accounting income (Hermann, 1996, p. 35). Besides these action-dependent risks, a company also faces a variety of additional risks which can be described as exogenous and endogenous risks. Exogenous risks are not predictable and are highly threatening to a company's existence and success.

These are, for instance, economic development, the behavior of competitors, and legislation. As the last example makes clear, exogenous risks can also bear chances, such as tax allowances. Endogenous risks, also defined as influenceable risks, result from in-house company decisions. For instance, risks such as theft and concealment have an exclusively negative impact. Yet endogenous risks can be limited, for instance by access codes in an IT environment (Form & Reichmann, 2000, p. 191). Regardless of this classification, companies face these risks and therefore must secure their environment.

The answer to this need is security management.

3.3 Previous Approaches – Security Metrics

So far, there have been several approaches to implementing proper security management, namely security metrics (see Figure 3, p. 15). Chapin and Akridge describe security metrics as the measurement of the effectiveness of the organization's security efforts over time (2005, p. 1). However, a measurement itself is not a metric. Whereas measurements are generated by counting, metrics result from analysis.

Metrics are built on the information from the measurement, which is supplemented by certain information or by comparison of two or more measurements taken over time (Nichols & Sudbury, 2006, p. 31). The aim is to develop metrics which can be linked to overall objectives and therefore deliver useful management information. They should elucidate structures in the company and show some kind of progress (Chapin & Akridge, 2005, p. 1). A security metrics program should be able to answer whether the company's security is getting better or worse and to what extent the processes can be improved.

Furthermore, it should state the value of making a security investment and also what the optimal level of investment can be (Nichols & Sudbury, 2006, p. 31). Every security metrics program should consist of three fundamental components: collection, analysis and reporting. In the collection phase, all necessary information that gives an insight into critical success factors and also supports the mission is assembled. Within the analysis process, weaknesses are detected and remedied, or successful performance is recognized.

The final step of reporting gives the management an insight into how successful the metric was and which measures ought to be continued in the future. Moreover, it displays not only the size and costs to the employees, but also the benefits in relation to security management (Treece & Freadman, 2010, p. 91). Management should be able to measure the effectiveness of controls, target areas for improvement and also communicate the effectiveness of risk management programs (Nichols & Sudbury, 2006, p. 31). Security metrics are designed for measuring the security of a company.

Since even metrics cannot exactly evaluate the security of a company, only the stress test of a crisis finds every breach in the company's structure that poses a threat to the company's existence. This phenomenon was experienced by several banks and companies during the financial crisis which started with the collapse of Lehman Brothers in September 2008. This may seem contradictory, since security metrics should not only measure the level of the company's security, but also prevent a company from being at least partly exposed to threats which can affect the company's existence (Chapin & Akridge, 2005, p. 1). Security metrics are applicable to a wide range of environments, including production and automated environments, and can even be used in governments. Measurements are not only taken at start and end points, but also at different intervals and points to measure progress. Therefore, the metrics that are used are administered at different periodic intervals depending on the objectives of the specific environment (Payne, 2006, p. 1).

4. The Balanced Scorecard and its Usage in Security Management

4.1 Amplification of the BSC – Security Perspective

Kaplan and Norton state that the BSC is a flexible management tool which facilitates the interplay of several management approaches in a company (Zimmermann & Jöhnk, 2000, p. 88). Therefore, since companies using the BSC have their own scorecard, essential adjustments consistent with their requirement profile are made in order to implement the BSC individually. This process also includes identifying the correct weights for each indicator to achieve specific goals.

The flexibility of the BSC system is an important premise for evaluating the BSC as a tool to measure the performance of security management. Consequently, besides the four perspectives of financial, customer, business processes and learning & innovation, the BSC can be extended with further perspectives, for example a security perspective (see Figure 3, p. 15). This new focus area is chosen because of the origin of security management, which can be traced back to the risks every company faces.

Risk is seen as the consequence of an unpredicted result, action or event, or one that is not consistent with the goal (Eckert, Lamparter, & Möller, 2004, p. 27). Thus, risk is the trigger for the necessity of implementing security management. Risk is unpredictable and can have many major implications for companies. However, without risk there is no chance. Chance consequently results from the causes and effects of the goal-oriented influence of strategic success factors. Hence, a positive deviation from a stated command variable can be recognized (Mugler, 1998, p. 194).

With this new perspective the BSC is extended, and security management will be examined as a component in its own right of the BSC system.

4.2 Requirements to and Response From the Balanced Scorecard

Firstly, a security management system, and therefore its measurements, must be able to measure organizationally important facts. Secondly, the measurements must be reproducible. Thirdly, the measurements must be objective and unbiased. Fourthly, they should serve the evaluation process of measuring progress towards an objective (Chapin & Akridge, 2005, p. ). To be able to collect relevant data for the security management process, an overall risk strategy should be implemented. This strategy should help to secure the company's overall strategy and, furthermore, its long-term success.

An existing BSC system can help with the implementation process by strengthening communication within the company (Wurl & Mayer, 2001, p. 198). Through this process the risk strategy can be translated into daily action, and consequently it becomes clear to every employee which contribution to optimal security management is possible (Weber & Schäffer, 2000, p. 9). As a next step, all relevant data is gathered, that is, data which offers valuable information on fields of risk in the company. The BSC can improve this search by separating essential from dispensable search fields. This benefit is based on the nature of the BSC, which allows us to identify risk fields faster since the strategic goals, which are derived from the overall strategy and placed into perspectives, are connected by cause-and-effect chains. Nevertheless, to identify and capture all relevant risks, the four perspectives of the BSC are not sufficient (Jöhnk & Zimmermann, 2001, p. 02). The BSC system only regards endogenous and not exogenous risk potentials. Since these premises are not included in any of the original four perspectives, the total system lacks the ability to screen all potential risk fields. At this point, an additional perspective can help, as mentioned earlier. Measured against the requirements of security management, the BSC system can so far support security management in the process of implementing a security strategy as well as in collecting relevant data on risk potentials in order to measure the performance of security management.

In the next step, these fields of risk must be evaluated. To do so, their probability of occurrence and their extent are assessed. Then their influence on strategic goals is measured, and finally all risks are aggregated into an overall risk in order to account for relationships and cumulative interdependencies between all risks. The BSC does not contribute to measuring the acuteness of a risk. Therefore, a company should additionally use scenario analyses, which go beyond the scope of this paper. In fact, the BSC can be used as a measurement tool for all risks which arise on the cause-and-effect chains. Accordingly, since the BSC only describes the reason why specific strategic objectives must be reached in order to achieve success and continuance, not all correlations can be captured, and thus single risk potentials as well as risk interdependencies are not included (Homburg, Stephan, & Haupt, 2005, p. 1074). In order to be aware of risk potentials and deviations from set values, a reporting system is obligatory.

As the BSC system already contains a key-data-based reporting system, this system can easily be extended to measure measurable risks (Homburg, Stephan, & Haupt, 2005, p. 1075). Furthermore, the BSC can support the monitoring and controlling of risk by comparing the desired and actual values. In this way, a company realizes whether a risk can be influenced and to what extent the current measures could contribute to meeting a given goal. This finding in turn gives an insight, on the one hand, into whether the current measure can control the risk and, on the other hand, into whether additional measures are necessary (Homburg, Stephan, & Haupt, 2005, p. 075). From the previous explanations, the BSC system has proven to be a tool that supports all processes of risk management and thus contributes important information and actions to the field of security management. However, the BSC cannot replace an explicit control system for monitoring risks at an early stage. Not all risks can be screened by the original four perspectives, and the cause-and-effect chains do not fully display all interactions between risk factors.

Furthermore, the BSC serves as an early warning system but not as an early detection system and, as a last point, risks in the financial perspective are indeed displayed by key data, but this does not serve to evaluate the source of risk.

5. Excursus: Information Technology

5.1 Importance of Information Technology

Information Technology (IT) has become an increasingly important component of our business world today. Taking into account the development in the last ten years, the role of IT, especially in companies, will increase even more (von Solms, 1999, p. 50). New technologies create a system-connected world in which, in the near future, cars will have access to all internet services and, for instance, the spraying equipment in the garden can be controlled from another city via a mobile device. Nowadays, companies are already dependent on a reliable IT system. Meanwhile, the number of companies that could keep their work up without IT systems is decreasing continually (Rainer, Snyder, & Carr, 1991, p. 129). Therefore, a reliable IT system has achieved high significance in all management activities the executive level of a company undertakes.

Realizing what effect a breakdown of the IT system can have on the success or failure of a company, managers pay great regard to the security of the company's IT system. Consequently, great effort goes into securing the company's own IT environment. Often, the more important area to cover is the external linkages of the company to other IT systems, which can bear essential risks through their particular exposure. These linkages are an even greater threat to the host environment and can be a lasting detrimental factor (von Solms, 1999, p. 50).

5.2 Information Technology as a Basis for Management Systems

Taking a further step, it becomes clear that IT systems are not only exposed to external threats which can paralyze the complete entrepreneurial action of a company; IT systems are also the basis on which systems such as the BSC are built. Today's business environment has become so complex that only IT systems have the potential to capture and process all important information that is produced by a company and also in its environment. Managers must rely on the accuracy and authenticity of the key data and information the IT system delivers.

This data is the basis for the short-term and long-term decisions managers take and should be correct at any rate (Stroie & Rusu, 2011, p. 228). Accordingly, IT systems form the basis for security management. They help to implement management systems such as the BSC and are the sustaining driver which makes these systems work. Thus, in order to implement a security management system, it is necessary to have a functioning IT system. Security initiatives are therefore essential and include technological and process considerations. For many organizations, implementing best practices is often only possible at high cost.

Sometimes even specialized companies are contracted. The impact of a security gap can obviously be of a financial nature, such as insurance costs, as well as a loss in productivity and revenue and also in the financial performance of a company. Nevertheless, managers face many demands for justification and must answer several questions when introducing or continuing security investments: What level of investment? Do the implemented security metrics contribute to the company's security? Are the security functions effective and efficient? (Herath, Herath, & Bremser, 2010, p. 72). These questions call for a measurement that gives answers. The outcome of investments in a security system, or the loss without security investments, is hard to quantify because of the difficulty of defining and measuring the wide domain of benefits and costs. Like many other investments with intangible benefits, security systems raise a company's value in a way that cannot be captured by traditional input-output accounting models (Herath, Herath, & Bremser, 2010, p. 3).

6. Conclusion

The BSC makes a contribution to the control of strategic execution, since the system measures the performance of a company by comparing the results of strategic measures with previously set milestones. In line with the setting of strategically consistent measures, existing projects and activities are reviewed and, if necessary, adapted or cancelled (Müller, 2000, p. 119). Furthermore, the BSC merely considers endogenous influencing factors and manages these mission-critical factors, whereas exogenous influencing factors are simply set as a premise.

Hence, the question of how these exogenous factors can be integrated into the strategy and cause-and-effect chains cannot be answered (Jöhnk & Zimmermann, 2001, p. 63). With its inward-looking view, set solely on configurable factors, the BSC can secure business fields but can hardly contribute to the overall strategic security. For this purpose, additional management concepts are necessary (Weber & Schäffer, 2000, p. 21). The BSC system cannot be used as a tool for security management measurement on a standalone basis, but can surely support security management as a whole.

Reference List

Baetge, J., Jerschenksy, A. (1999). Frühwarnsysteme als Instrumente eines effizienten Risikomanagement und -controlling. Controlling Heft 4/5, pp. 171-176.
Chapin, D. A., Akridge, S. (2005). How can security be measured? Information Systems Control Journal Volume 2.
Eckert, S., Lamparter, G., Müller, K. (2004). Konzept und Umsetzung eines Risikomanagementsystems bei der Dürr AG. Controlling & Management Sonderheft 3, pp. 24-36.
Form, S., Reichmann, T. (2000). Balanced Chance- and Riskmanagement. Controlling Heft 4/5, pp. 189-198.
Gaiser, B., Greiner, O. (2002). Strategische Steuerung: Von der Balanced Scorecard zur strategiefokussierten Organisation.
Georg, S. (2000). Die Balanced Scorecard als Controlling- bzw. Managementsystem. Aachen: Shaker Verlag.
Gleißner, W. (2000). Risikopolitik und strategische Unternehmensführung. Der Betrieb Heft 33, pp. 1625-1629.
Herath, T., Herath, H., Bremser, W. G. (2010). Balanced Scorecard Implementation of Security Strategies: A Framework for IT Security Performance. Information Systems Management, pp. 72-81.
Hermann, D. C. (1996). Strategisches Risikomanagement kleiner und mittlerer Unternehmen. Stuttgart.
Homburg, C., Stephan, J., Haupt, M. (2005). Risikomanagement unter Nutzung der Balanced Scorecard. Der Betrieb Heft 20, pp. 1069-1075.
Horváth & Partners. (2007). Balanced Scorecard umsetzen. Stuttgart: Schaeffer-Poeschel Verlag.
Horváth, P. (2000). Balanced Scorecard umsetzen. Stuttgart: Schaeffer-Poeschel Verlag.
Jöhnk, T., Zimmermann, Z. (2001). Balanced Scorecard in öffentlichen Kreditinstituten. Stuttgart: Deutscher Sparkassen Verlag.
Kaplan, R. S., Norton, D. P. (1996). The Balanced Scorecard: Translating strategy into action. Harvard: Harvard Business School Press.
Kaplan, R. S., Norton, D. P. (1996). Using the balanced scorecard as a strategic management system. Harvard Business Review, pp. 75-85.
Kremers, M. (2002). Risikoübernahme in Industrieunternehmen. Sternenfels: Verlag für Wissenschaft und Praxis.
Mayer, J., Wurl, H. (2001). Balanced Scorecards und industrielles Risikomanagement Möglichkeiten der Integration. In Klingebeil, Performance Measurement und Balanced Scorecard (pp. 179-213). München: Franz Vahlen Verlag.
Mugler, J. (1998, 3rd ed.). Betriebswirtschaft der Klein- und Mittelbetriebe. Wien/New York: Springer Verlag.
Müller, A. (2000). Strategisches Management mit der Balanced Scorecard. Stuttgart/Berlin/Köln: Kohlhammer Verlag.
Neumann-Szyszka, J. (2003). Einsatzmöglichkeiten der Balanced Scorecard in mittelständischen (Fertigungs-)Unternehmen. Wismar: Hochschule Wismar.
Nichols, E. A., Sudbury, A. (2006). Implementing Security Metrics Initiatives. Information Security and Risk Management, pp. 30-38.
Payne, S. (19 June 2006). A Guide to security metrics. SANS Security Essentials GSEC Practical Assignment Version 1.2e, pp. 1-9.
Preis, A. (1995). Strategisches Controlling: Mit System Chancen und Risiken frühzeitig erkennen. Wiesbaden: Gabler Verlag.
Rainer Jr., R. K., Snyder, C. A., Carr, H. H. (1991). Risk Analysis for Information Technology. Journal of Management and Information Systems Volume 8, pp. 129-147.
Runzheimer, B., Wolf, K. (2001). Risikomanagement und KonTraG. Wiesbaden: Gabler Verlag.
Schäffer, U., Weber, J. (1999). Balanced Scorecard und Controlling. Vallendar: Gabler Verlag.
Schäffer, U., Weber, J.
