The paper has been accepted for publication and I will present it in March 2011 at the 6th ACM Symposium on Information, Computer and Communications Security in Hongkong, China.
Abstract: Information security risk management is crucial for ensuring long-term business success and thus numerous approaches to implementing an adequate information security risk management strategy have been proposed. The subjective threat probability determination is one of the main reasons for an inadequate information security strategy endangering the organization in performing its mission. To address the problem we developed an ontology- and Bayesian-based approach to determine threat probabilities taking general information security knowledge and organization-specific knowledge about existing control implementations and attacker profiles into account. The elaborated concepts enable risk managers to comprehensibly quantify by the Bayesian threat probability determination the current security status of their organization.