This paper presents a novel quantitative equation for assessing the information security level of enterprises, establishments and corporations in general, and of financial institutions in the public and private sectors in Syria in particular. The method is the result of a statistical study applied to a sample of financial institutions in Syria to assess the gap between their existing information security level and the ISO 27K directives for Information and Communication Technology (ICT) security, drawing on other international approaches and models designed for this purpose. The study aims to highlight the special requirements and the modified framework needed to develop ICT security in financial institutions, taking into consideration the culture and the special conditions in Syria.