The First International Workshop on Security Ontologies and Taxonomies (SecOnT 2012)

The First International Workshop on Security Ontologies and Taxonomies (co-located with the International Conference on Availability, Reliability and Security) will bring together researchers and practitioners in the area of security ontologies and taxonomies. SecOnT aims at establishing a highly specialized annual meeting to conduct in-depth research discussions and to identify collaboration opportunities among the participants. Click here for the full Call for Papers.

Posted in Security Ontology

Creating PDFs on Android – an evaluation

Together with Michael Schöner we evaluated 14 Java PDF libraries regarding their Android compatibility. 3 of the 14 evaluated libraries were compatible with Android and allowed us to create PDFs on the Android platform.

Posted in Android

Generation of Bayesian Networks using the Antipattern Ontology

This paper is joint work with Dimitrios Settas and Antonio Cerone from United Nations University (Macau). It will be presented at the 9th ACIS International Conference on Software Engineering Research, Management and Applications (SERA 2011) in Baltimore, Maryland, USA. You can download the full paper from the Publications section in September 2011.

Abstract: Apart from the plethora of antipatterns that are inherently informal and imprecise, the information used in the antipattern ontology itself is often imprecise or vaguely defined, for example the certainty with which a cause, symptom or consequence of an antipattern exists in a software project. However, ontologies are not capable of representing uncertainty, and the effective detection of antipatterns that takes into account the uncertainty existing in software projects still remains an open issue. Bayesian Networks (BNs) have previously been used to measure, illustrate and handle antipattern uncertainty in mathematical terms. In this paper, we explore the ways in which the antipattern ontology can be used to generate Bayesian Networks. This approach allows software developers to quantify the existence or occurrence of an antipattern attribute using Bayesian Networks, based on the probabilistic knowledge about antipattern attributes contained in the antipattern ontology. The approach is exemplified with an ontology-based model generated using BNTab.

Posted in Bayesian Networks

Information security automation: how far can we go?

This paper is joint work with Raydel Montesino from University of Informatics Sciences (Cuba). It will be presented at the Sixth International Conference on Availability, Reliability and Security (ARES) in Vienna, Austria. You can download the full paper from the Publications section in August 2011.

Abstract: Information security management is a very complex task which involves the implementation and monitoring of more than 130 security controls. To achieve greater efficiency in this process it is necessary to automate as many controls as possible. This paper provides an analysis of how many controls can be automated, based on the standards ISO 27001 and NIST SP800-53. Furthermore, we take the automation potential of controls included in the Consensus Audit Guidelines into account. Finally, we provide an overview of security applications that support automation in the operation of information security controls to increase the efficiency of information security management.

Posted in Information Security Risk Management

A Community Knowledge Base for IT Security

This article is joint work with Simon Parkin and Aad van Moorsel from Newcastle University (UK). It will appear in May 2011 in IEEE IT Professional.

Abstract: Corporate IT security managers have a difficult time staying on top of the endless tide of new technologies and security threats sweeping into their organizations and information systems. The effectiveness of security controls must be balanced with a variety of operational issues, including the impact on employee productivity, legal and ethical stipulations, and business and financial concerns. IT security managers in different organizations face many of the same threats and establish similar solutions, and they’re often gathering and applying the same knowledge. However, they’re doing so largely on their own, which is clearly inefficient. We propose a formalized community project for sharing and applying IT security management knowledge. Here, we present our community knowledge-base prototype, designed to benefit IT security managers in a variety of organizations.

Posted in Information Security Risk Management, Security Ontology

Information Security Risk Management: In which security solutions is it worth investing?

The article has been accepted for publication in the Communications of the Association for Information Systems (CAIS). Click here to download the article from the CAIS website.

Abstract: As companies are increasingly exposed to information security threats, decision makers are permanently forced to pay attention to security issues. Information security risk management provides an approach for measuring the security through risk assessment, risk mitigation, and risk evaluation. Although a variety of approaches have been proposed, decision makers lack well-founded techniques that (1) show them what they are getting for their investment, (2) show them if their investment is efficient, and (3) do not demand in-depth knowledge of the IT security domain. This article defines a methodology for management decision makers that effectively addresses these problems. This work involves the conception, design, and implementation of the methodology into a software solution. The results from two qualitative case studies show the advantages of this methodology in comparison to established methodologies.

Posted in Information Security Risk Management, Security Ontology

Information Security Knowledge Management Survey

We kindly ask you to participate in our information security knowledge management survey. The survey is conducted by the publicly funded research institutions SBA Research (AT), Newcastle University (UK), and Vienna University of Technology (AT). We conduct the survey to explore potential ways of enabling companies and professionals to share information security knowledge through the application of collaborative semantic web technologies. The aggregated survey results will be published in publicly accessible research publications.

Survey: http://www.sba-research.org/survey/index.php?sid=73314

Thank you for your support.

Posted in Information Security Risk Management, Security Ontology

An Ontology- and Bayesian-based Approach for Determining Threat Probabilities

The paper has been accepted for publication and I will present it in March 2011 at the 6th ACM Symposium on Information, Computer and Communications Security in Hong Kong, China.

Abstract: Information security risk management is crucial for ensuring long-term business success, and thus numerous approaches to implementing an adequate information security risk management strategy have been proposed. The subjective determination of threat probabilities is one of the main reasons for an inadequate information security strategy that endangers the organization in performing its mission. To address this problem we developed an ontology- and Bayesian-based approach to determine threat probabilities, taking general information security knowledge as well as organization-specific knowledge about existing control implementations and attacker profiles into account. The elaborated concepts enable risk managers to quantify the current security status of their organization in a comprehensible way by means of Bayesian threat probability determination.

Posted in Information Security Risk Management

New BNTab Version (1.1.3)

As of September 3, 2010, Protege uses a new version of the OWL API (3.1.0). Therefore, I had to refactor the BNTab plug-in. If you already have a previous BNTab version installed, Protege will automatically offer you an update. If you are a new user, find install instructions and download links at Stanford’s Protege Wiki.

Posted in Security Ontology

Verification, Validation, and Evaluation in Information Security Risk Management

Our article “Verification, Validation, and Evaluation in Information Security Risk Management” got accepted at IEEE Security & Privacy. Check out the preprint at the IEEE Digital Library.

Abstract: Over the last four decades, various information security risk management (ISRM) approaches have emerged. However, there is a lack of sound verification, validation, and evaluation methods for these approaches. While restrictions, such as the impossibility of measuring exact values for probabilities and follow-up costs, obviously exist, verification, validation, and evaluation of research is essential in any field, and ISRM is no exception. Individual approaches exist, but so far there is no systematic overview of the available methods. In this article we survey verification, validation, and evaluation methods referenced in ISRM literature and discuss in which ISRM phases the methods should be applied. The selection of appropriate methods is demonstrated with a potential real-world example. This systematic analysis draws conclusions on the current status of ISRM verification, validation, and evaluation and can serve as a reference for researchers and users of ISRM approaches who aim to establish trust in their results.

Posted in Information Security Risk Management