Fenz, S., & Neubauer, T. (2018). Ontology-based information security compliance determination and control selection on the example of ISO 27002. Information and Computer Security, 26(5), 551–567. https://doi.org/10.1108/ICS-02-2018-0020
E194 - Institut für Information Systems Engineering
-
Journal:
Information and Computer Security
-
ISSN:
2056-4961
-
Date (published):
2018
-
Number of Pages:
17
-
Publisher:
Emerald Publishing Limited
-
Peer reviewed:
Yes
-
Keywords:
Decision support systems; Compliance; Organizations; Risk management; security; Ontology
en
Abstract:
Purpose
The purpose of this paper is to provide a method to formalize information security control descriptions and a decision support system increasing the automation level and, therefore, the cost efficiency of the information security compliance checking process. The authors advanced the state-of-the-art by developing and applying the method to ISO 27002 information security controls and by developing a semantic decision support system.
Design/methodology/approach
The research has been conducted under design science principles. The formalized information security controls were used in a compliance/risk management decision support system which has been evaluated with experts and end-users in real-world environments.
Findings
There are different ways of obtaining compliance to information security standards. For example, by implementing countermeasures of different quality depending on the protection needs of the organization. The authors developed decision support mechanisms which use the formal control descriptions as input to support the decision-maker at identifying the most appropriate countermeasure strategy based on cost and risk reduction potential.
Originality/value
Formalizing and mapping the ISO 27002 controls to the security ontology enabled the authors to automatically determine the compliance status and organization-wide risk-level based on the formal control descriptions and the modelled environment, including organizational structures, IT infrastructure, available countermeasures, etc. Furthermore, it allowed them to automatically determine which countermeasures are missing to ensure compliance and to decrease the risk to an acceptable level.