<div class="csl-bib-body">
<div class="csl-entry">Fenz, S., & Neubauer, T. (2018). Ontology-based information security compliance determination and control selection on the example of ISO 27002. <i>Information and Computer Security</i>, <i>26</i>(5), 551–567. https://doi.org/10.1108/ICS-02-2018-0020</div>
</div>
Purpose
The purpose of this paper is to provide a method to formalize information security control descriptions and a decision support system that increases the automation level and, therefore, the cost efficiency of the information security compliance checking process. The authors advanced the state of the art by developing and applying the method to the ISO 27002 information security controls and by developing a semantic decision support system.
Design/methodology/approach
The research was conducted under design science principles. The formalized information security controls were used in a compliance/risk management decision support system that was evaluated with experts and end-users in real-world environments.
Findings
There are different ways of obtaining compliance with information security standards, for example by implementing countermeasures of different quality depending on the protection needs of the organization. The authors developed decision support mechanisms that use the formal control descriptions as input to support the decision-maker in identifying the most appropriate countermeasure strategy based on cost and risk reduction potential.
Originality/value
Formalizing the ISO 27002 controls and mapping them to the security ontology enabled the authors to automatically determine the compliance status and the organization-wide risk level from the formal control descriptions and the modelled environment, including organizational structures, IT infrastructure, available countermeasures, etc. Furthermore, it allowed them to automatically determine which countermeasures are missing to ensure compliance and to decrease the risk to an acceptable level.
dc.description.sponsorship: Wiener Wissenschafts-, Forschungs- und Technologiefonds (WWTF)
dc.description.sponsorship: Österreichische Forschungsförderungsgesellschaft
dc.language: English
dc.language.iso: en
dc.publisher: Emerald Publishing Limited
dc.relation.ispartof: Information and Computer Security
dc.rights.uri: http://creativecommons.org/licenses/by/4.0/
dc.subject: Decision support systems [en]
dc.subject: Compliance [en]
dc.subject: Organizations [en]
dc.subject: Risk management [en]
dc.subject: security [en]
dc.subject: Ontology [en]
dc.title: Ontology-based information security compliance determination and control selection on the example of ISO 27002 [en]
dc.type: Article [en]
dc.type: Artikel [de]
dc.rights.license: Creative Commons Namensnennung 4.0 International [de]
dc.rights.license: Creative Commons Attribution 4.0 International [en]
dc.description.startpage: 551
dc.description.endpage: 567
dc.relation.grantno: FORISK
dc.relation.grantno: COMET K1 center SBA Research
dcterms.dateSubmitted: 2018-02-13
dc.rights.holder: The Author(s) 2018
dc.type.category: Original Research Article
tuw.container.volume: 26
tuw.container.issue: 5
tuw.journal.peerreviewed: true
tuw.peerreviewed: true
tuw.version: vor
dcterms.isPartOf.title: Information and Computer Security
tuw.publication.orgunit: E194 - Institut für Information Systems Engineering
tuw.publisher.doi: 10.1108/ICS-02-2018-0020
dc.date.onlinefirst: 2018-05-28
dc.identifier.eissn: 2056-497X
dc.identifier.libraryid: AC15559180
dc.description.numberOfPages: 17
dc.identifier.urn: urn:nbn:at:at-ubtuw:3-8303
tuw.author.orcid: 0000-0002-2880-1526
tuw.author.orcid: 0000-0002-9814-6045
dc.rights.identifier: CC BY 4.0 [de]
dc.rights.identifier: CC BY 4.0 [en]
wb.sci: true
item.openairetype: research article
item.openaccessfulltext: Open Access
item.grantfulltext: open
item.openairecristype: http://purl.org/coar/resource_type/c_2df8fbb1
item.fulltext: with Fulltext
item.cerifentitytype: Publications
item.languageiso639-1: en
crisitem.author.dept: E194-04 - Forschungsbereich Data Science
crisitem.author.dept: E194-04 - Forschungsbereich Data Science
crisitem.author.orcid: 0000-0002-2880-1526
crisitem.author.orcid: 0000-0002-9814-6045
crisitem.author.parentorg: E194 - Institut für Information Systems Engineering
crisitem.author.parentorg: E194 - Institut für Information Systems Engineering