Search results

1 – 9 of 9
Article
Publication date: 14 November 2016

Stefan Fenz, Stefanie Plieschnegger and Heidi Hobel

Downloads
1251

Abstract

Purpose

The purpose of this paper is to increase the degree of automation within information security compliance projects by introducing a formal representation of the ISO 27002 standard. As information is becoming more valuable and the current businesses face frequent attacks on their infrastructure, enterprises need support at protecting their information-based assets.

Design/methodology/approach

Information security standards and guidelines provide baseline knowledge for protecting corporate assets. However, the effort required to check whether an organization's implemented measures adhere to those standards and guidelines is still considerable.

Findings

This paper shows how the process of compliance checking can be supported by using machine-readable ISO 27002 control descriptions in combination with a formal representation of the organization’s assets.

Originality/value

The authors created a formal representation of the ISO 27002 standard and showed how a security ontology can be used to increase the efficiency of the compliance checking process.

Details

Information & Computer Security, vol. 24 no. 5
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 12 November 2018

Stefan Fenz and Thomas Neubauer

Downloads
2202

Abstract

Purpose

The purpose of this paper is to provide a method to formalize information security control descriptions and a decision support system increasing the automation level and, therefore, the cost efficiency of the information security compliance checking process. The authors advanced the state-of-the-art by developing and applying the method to ISO 27002 information security controls and by developing a semantic decision support system.

Design/methodology/approach

The research has been conducted under design science principles. The formalized information security controls were used in a compliance/risk management decision support system which has been evaluated with experts and end-users in real-world environments.

Findings

There are different ways of achieving compliance with information security standards, for example by implementing countermeasures of differing quality depending on the protection needs of the organization. The authors developed decision support mechanisms which use the formal control descriptions as input to support the decision-maker in identifying the most appropriate countermeasure strategy based on cost and risk reduction potential.

Originality/value

Formalizing and mapping the ISO 27002 controls to the security ontology enabled the authors to automatically determine the compliance status and organization-wide risk-level based on the formal control descriptions and the modelled environment, including organizational structures, IT infrastructure, available countermeasures, etc. Furthermore, it allowed them to automatically determine which countermeasures are missing to ensure compliance and to decrease the risk to an acceptable level.

Details

Information & Computer Security, vol. 26 no. 5
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 10 November 2014

Stefan Fenz, Johannes Heurix, Thomas Neubauer and Fabian Pechstein

Downloads
10144

Abstract

Purpose

The purpose of this paper is fourfold: to give an overview of current risk management approaches and outline their commonalities and differences; to evaluate current risk management approaches regarding their capability of supporting cost-efficient decisions without unnecessary security trade-offs; to outline current fundamental problems in risk management based on industrial feedback and academic literature; and to provide potential solutions and research directions to address the identified problems. Despite decades of research, the information security risk management domain still faces numerous challenges which hinder risk managers from arriving at sound risk management results.

Design/methodology/approach

To identify the challenges in information security risk management, existing approaches are compared against each other, and as a result, an abstracted methodology is derived to align the problem and solution identification to its generic phases. The challenges have been identified based on literature surveys and industry feedback.

Findings

As common problems in implementing information security risk management approaches, we identified the fields of asset and countermeasure inventory, asset value assignment, risk prediction, the overconfidence effect, knowledge sharing and risk vs. cost trade-offs. The reviewed risk management approaches do not explicitly provide mechanisms to support decision makers in making appropriate risk versus cost trade-offs, but we identified academic approaches which fulfill this need.

Originality/value

The paper provides a reference point for professionals and researchers by summing up the current challenges in the field of information security risk management. Therefore, the findings enable researchers to focus their work on the identified real-world challenges and thereby contribute to advance the information security risk management domain in a structured way. Practitioners can use the research results to identify common weaknesses and potential solutions in information security risk management programs.

Details

Information Management & Computer Security, vol. 22 no. 5
Type: Research Article
ISSN: 0968-5227

Article
Publication date: 5 October 2012

Raydel Montesino, Stefan Fenz and Walter Baluja

Downloads
2673

Abstract

Purpose

The purpose of this paper is to propose a framework for security controls automation, in order to achieve greater efficiency and reduce the complexity of information security management.

Design/methodology/approach

This research reviewed the controls recommended by well-known standards such as ISO/IEC 27001 and NIST SP 800-53, and identified security controls that can be automated by existing hardware and software tools. The research also analyzed Security Information and Event Management (SIEM) technology and proposed a SIEM-based framework for security controls automation, taking into account the automation potential of SIEM systems and their integration possibilities with several security tools.

Findings

About 30 per cent of information security controls can be automated; they were grouped in a list of ten automatable security controls. A SIEM-based framework can be used for centralized and integrated management of the ten automatable security controls.

Practical implications

By implementing the proposed framework, and therefore automating as many security controls as possible, organizations will achieve greater efficiency in information security management and also reduce the complexity of this process. This research may also be useful to SIEM vendors wishing to include more functionality in their products and provide maximum security controls automation within SIEM platforms.

Originality/value

This paper delimits the boundaries of information security automation and defines what automation means for each security control. A novel framework for security controls automation is proposed. This research provides an automation concept that goes beyond what is normally described in previous works and SIEM solutions.

Details

Information Management & Computer Security, vol. 20 no. 4
Type: Research Article
ISSN: 0968-5227

Article
Publication date: 11 May 2012

Stefan Fenz

Downloads
1080

Abstract

Purpose

Collaborative ontology editing tools enable distributed user groups to build and maintain ontologies. Enterprises that use these tools simply to capture knowledge for a given ontological structure face the following problems: an isolated software solution requiring its own user management; a user interface that often does not provide a look-and-feel familiar to users; additional security issues; difficulty integrating into existing electronic workflows; and additional deployment and training costs. This paper aims to investigate these issues.

Design/methodology/approach

To address these problems, the author designed, developed, and validated a plug-in concept for widely used enterprise content and collaboration portals. The prototype is implemented as a Microsoft SharePoint web part and was validated in the risk and compliance management domain.

Findings

The research results enable enterprises to capture knowledge efficiently within given organizational and ontological structures. Considerable cost and time savings were realized in the conducted case study.

Originality/value

According to the results of the literature survey, this work represents the first research effort that provides a generic approach to supporting and increasing the efficiency of ontological knowledge capturing processes by enterprise portals.

Details

VINE, vol. 42 no. 2
Type: Research Article
ISSN: 0305-5728

Article
Publication date: 28 September 2007

Andreas Ekelhart, Stefan Fenz, Gernot Goluch, Markus D. Klemen and Edgar R. Weippl

Abstract

Purpose

Today the amount of digital data of all kinds (e.g. documents and e-mails) on every user's computer is continuously growing. Users face huge difficulties when it comes to handling the existing data pool and finding specific information within it. This paper aims to discover new ways of searching and finding semi-structured data by integrating semantic metadata.

Design/methodology/approach

The proposed architecture allows cross-border searches spanning various applications and operating system activities (e.g. file access and network traffic) and improves the human working process by offering context-specific, automatically generated links that are created using ontologies.

Findings

The proposed semantic enrichment of automatically gathered data is a useful approach to reflecting the human way of thinking, which relies on remembering relations rather than keywords or tags. The proposed architecture supports the human working process by managing and enriching personal data, e.g. through a database model that supports the semantic storage idea with a generic and flexible structure, and through the modular structure and composition of data collectors.

Originality/value

Available programs to manage personal data usually offer searches either via keywords or via full text search. Each of these existing search methodologies has its shortcomings and, apart from that, people tend to forget the names of specific objects. It is often easier to remember the context of a situation in which, for example, a file was created or a web site was visited. By proposing this architectural approach for handling semi-structured data, it is possible to offer a more sophisticated search mechanism that is better aligned with the way humans think.

Details

International Journal of Web Information Systems, vol. 3 no. 3
Type: Research Article
ISSN: 1744-0084

Article
Publication date: 28 September 2007

Ismail Khalil Ibrahim, David Tanier and Eric Pardede

Downloads
370

Details

International Journal of Web Information Systems, vol. 3 no. 3
Type: Research Article
ISSN: 1744-0084

Article
Publication date: 12 July 2013

Stefan Taubenberger, Jan Jürjens, Yijun Yu and Bashar Nuseibeh

Abstract

Purpose

In any information security risk assessment, vulnerabilities are usually identified by information-gathering techniques. However, vulnerability identification errors (wrongly identified or unidentified vulnerabilities) can occur because uncertain data are used. Furthermore, businesses' security needs are not considered sufficiently. Hence, security functions may not protect business assets sufficiently and cost-effectively. This paper aims to resolve vulnerability errors by analysing the security requirements of information assets in business process models.

Design/methodology/approach

Business process models have been selected for use because there is a close relationship between business process objectives and risks. Security functions are evaluated in terms of the information flow of business processes with regard to their security requirements. The claim that vulnerability errors can be resolved was validated by comparing the results of a current risk assessment approach with those of the proposed approach. The comparison is conducted at three entities of an insurance company as well as through a controlled experiment within a survey among security professionals.

Findings

Vulnerability identification errors can be resolved by explicitly evaluating security requirements in the course of business; this is not considered in current assessment methods.

Originality/value

It is shown that vulnerability identification errors occur in practice. With the explicit evaluation of security requirements, identification errors can be resolved. Risk assessment methods should consider the explicit evaluation of security requirements.

Details

Information Management & Computer Security, vol. 21 no. 3
Type: Research Article
ISSN: 0968-5227

Article
Publication date: 8 February 2013

Stefan Dietze, Salvador Sanchez-Alonso, Hannes Ebner, Hong Qing Yu, Daniela Giordano, Ivana Marenzi and Bernardo Pereira Nunes

Downloads
1372

Abstract

Purpose

Research in the area of technology-enhanced learning (TEL) throughout the last decade has largely focused on sharing and reusing educational resources and data. This effort has led to a fragmented landscape of competing metadata schemas and interface mechanisms. More recently, semantic technologies have been taken into account to improve interoperability, and the linked data approach has emerged as the de facto standard for sharing data on the web. Applying linked data principles therefore offers large potential for solving interoperability issues in the field of TEL. This paper aims to address this issue.

Design/methodology/approach

In this paper, approaches are surveyed that are aimed towards a vision of linked education, i.e. education which exploits educational web data. It particularly considers the exploitation of the wealth of already existing TEL data on the web by allowing its exposure as linked data and by taking into account automated enrichment and interlinking techniques to provide rich and well-interlinked data for the educational domain.

Findings

So far, web-scale integration of educational resources is not facilitated, mainly due to the lack of take-up of shared principles, datasets and schemas. However, linked data principles are increasingly recognized by the TEL community. The paper provides a structured assessment and classification of existing challenges and approaches, serving as a potential guideline for researchers and practitioners in the field.

Originality/value

Being one of the first comprehensive surveys on the topic of linked data for education, the paper has the potential to become a widely recognized reference publication in the area.