Title: Ontology-based information security compliance determination and control selection on the example of ISO 27002
Language: English
Authors: Fenz, Stefan 
Neubauer, Thomas  
Category: Original Research Article
Keywords: Decision support systems; Compliance; Organizations; Risk management; security; Ontology
Issue Date: 2018
Journal: Information and Computer Security
Abstract: 
Purpose

The purpose of this paper is to provide a method to formalize information security control descriptions and a decision support system increasing the automation level and, therefore, the cost efficiency of the information security compliance checking process. The authors advanced the state-of-the-art by developing and applying the method to ISO 27002 information security controls and by developing a semantic decision support system.
Design/methodology/approach

The research has been conducted under design science principles. The formalized information security controls were used in a compliance/risk management decision support system which has been evaluated with experts and end-users in real-world environments.
Findings

There are different ways of obtaining compliance to information security standards. For example, by implementing countermeasures of different quality depending on the protection needs of the organization. The authors developed decision support mechanisms which use the formal control descriptions as input to support the decision-maker at identifying the most appropriate countermeasure strategy based on cost and risk reduction potential.
Originality/value

Formalizing and mapping the ISO 27002 controls to the security ontology enabled the authors to automatically determine the compliance status and organization-wide risk-level based on the formal control descriptions and the modelled environment, including organizational structures, IT infrastructure, available countermeasures, etc. Furthermore, it allowed them to automatically determine which countermeasures are missing to ensure compliance and to decrease the risk to an acceptable level.
DOI: 10.1108/ICS-02-2018-0020
Library ID: AC15559180
URN: urn:nbn:at:at-ubtuw:3-8303
ISSN: 2056-4961
Organisation: E194 - Institut für Information Systems Engineering 
Publication Type: Article
Artikel
Appears in Collections:Article

Show full item record

Page view(s)

85
checked on Feb 26, 2021

Download(s)

14
checked on Feb 26, 2021

Google ScholarTM

Check


This item is licensed under a Creative Commons License Creative Commons