A framework for information security evaluation