Author Archives: Stefan

IT-Security Check launched

Our web-based IT-security check is now available at

The tool enables small- and medium-sized enterprises to efficiently assess their IT security risks and to identify appropriate countermeasures to reduce the risks to an acceptable level.

The screencast on provides an in-depth preview of the functionality and work flow of our novel IT security check.

Austrian IT-security and awareness study – press coverage

Together with the University of Vienna, the Bundeskanzleramt Österreich and the Wirtschaftskammer Österreich we conducted a national study regarding implemented IT-security countermeasures and awareness at citizens, companies, and public authorities. Please find the core results in the following Austrian and German press reports:

Joining ENISA’s Permanent Stakeholder Group

Today I attended my first ENISA PSG meeting. Learn more about the ENISA PSG from the ENISA News Feed:

The Permanent Stakeholders’ Group (PSG) consisting of 30 top IT-security experts, has been appointed following an open Call for Expression of Interest for Membership earlier this year. ENISA has held the first meeting of its new Permanent Stakeholders’ Group on Thursday, 13 September 2012

A new PSG is appointed every 2 ½ years, and the current group will serve from 2012-2015.

The meeting was held at ENISA’s branch office in Athens, giving the new PSG members the opportunity to learn more about the Agency’s work in its effort to empower ‘cyber-security’ in Europe.

Executive Director Professor Udo Helmbrecht said: “We have recruited a highly skilled and experienced group of experts. ENISA’s future is extremely exciting and I am pleased to have them on board to assist me in developing the Agency’s Work Programme and giving advice on Network Information Security (NIS)”.

The full list of the PSG members can be downloaded from here.



Security Ontology Engineering Challenges

On August 23, 2012 we conducted the first international workshop on security ontologies and taxonomies at the ARES 2012 conference in Prague. In two sessions the latest security ontology research results were presented and the following overall challenges were identified by the workshop participants:

– Reaching critical mass of content
– Motivation of partners/contributors
– Quality management
– Usability
– Funding
– Community support
– APIs
– Technology (SemanticWiki, WebProtege, etc.)
– Joining/merging ontologies
– Data representation (OWL, etc.)
– Overview of current activities/ontologies

The list shows the main challenges active security ontology researchers are currently facing and thereby provides guidance for a structured and collaborative effort to advance the security ontology research field. We encourage all interested researchers and practitioners to extend/modify/discuss the posted challenges list and provide us with feedback regarding their progress in the field. Please see the security ontologies group at!forum/security-ontologies for further details.

The First International Workshop on Security Ontologies and Taxonomies (SecOnT 2012)

The First International Workshop on Security Ontologies and Taxonomies (co-located with the International Conference on Availability, Reliability and Security) will bring together researchers and practitioners in the area of security ontologies and taxonomies. SecOnT aims at establishing a highly specialized annual meeting to conduct in-depth research discussions and to identify collaboration opportunities among the participants. Click here for the full Call for Papers.

Generation of Bayesian Networks using the Antipatten Ontology

This paper is joint work with Dimitrios Settas and Antonio Cerone from United Nations University (Macau). It will be presented at the 9th ACIS International Conference on Software Engineering Research, Management and Applications (SERA 2011) in Baltimore, Maryland, USA. You can download the full paper from the Publications section in September 2011.

Abstract: Apart from the plethora of antipatterns that are inherently informal and imprecise, the information used in the antipattern ontology itself is many times imprecise or vaguely defined. For example, the certainty in which a cause, symptom or consequence of an antipattern exists in a software project. However, ontologies are not capable of representing uncertainty and the effective detection of antipatterns taking into account the uncertainty that exists in software projects, stills remain an open issue. Bayesian Networks (BNs) have been previously used in order to measure, illustrate and handle antipattern uncertainty in mathematical terms. In this paper, we explore the ways in which the antipattern ontology can be used to generate Bayesian Networks. This approach allows software developers to quantify the existence or occurrence of an antipattern attribute using Bayesian Networks, based on probabilistic knowledge contained in the antipattern ontology regarding antipatterns attributes. The approach is exemplified with an ontology-based model generated using BNTab.

Information security automation: how far can we go?

This paper is joint work with Raydel Montesino from University of Informatics Sciences (Cuba). It will be presented at the Sixth International Conference on Availability, Reliability and Security (ARES) in Vienna, Austria. You can download the full paper from the Publications section in August 2011.

Abstract: Information security management is a very complex task which involves the implementation and monitoring of more than 130 security controls. To achieve greater efficiency in this process it is necessary to automate as many controls as possible. This paper provides an analysis of how many controls can be automated, based on the standards ISO 27001 and NIST SP800-53. Furthermore, we take the automation potential of controls included in the Consensus Audit Guidelines into account. Finally, we provide an overview of security applications that support automation in the operation of information security controls to increase the efficiency of information security management.

A Community Knowledge Base for IT Security

This article is joint work with Simon Parkin and Aad van Moorsel from Newcastle University (UK). It will appear in May 2011 in IEEE IT Professional.

Abstract: Corporate IT security managers have a difficult time staying on top of the endless tide of new technologies and security threats sweeping into their organizations and information systems. The effectiveness of security controls must be balanced with a variety of operational issues, including the impact on employee productivity, legal and ethical stipulations, and business and financial concerns. IT security managers in different organizations face many of the same threats and establish similar solutions, and they’re often gathering and applying the same knowledge. However, they’re doing so largely on their own, which is clearly inefficient. We propose a formalized community project for sharing and applying IT security management knowledge. Here, we present our community knowledge-base prototype, designed to benefit IT security managers in a variety of organizations.