Author Archives: Stefan

Information Security Risk Management: In which security solutions is it worth investing?

The article has been accepted for publication in the Communications of the Association for Information Systems (CAIS) and can be downloaded from the CAIS website.

Abstract: As companies are increasingly exposed to information security threats, decision makers are permanently forced to pay attention to security issues. Information security risk management provides an approach for measuring the security through risk assessment, risk mitigation, and risk evaluation. Although a variety of approaches have been proposed, decision makers lack well-founded techniques that (1) show them what they are getting for their investment, (2) show them if their investment is efficient, and (3) do not demand in-depth knowledge of the IT security domain. This article defines a methodology for management decision makers that effectively addresses these problems. This work involves the conception, design, and implementation of the methodology into a software solution. The results from two qualitative case studies show the advantages of this methodology in comparison to established methodologies.

Information Security Knowledge Management Survey

We kindly ask you to participate in our information security knowledge management survey. The survey is conducted by the publicly funded research institutions SBA Research (AT), Newcastle University (UK), and Vienna University of Technology (AT). We conduct the survey to explore potential ways of enabling companies and professionals to share information security knowledge through the application of collaborative semantic web technologies. The aggregated survey results will be published in publicly accessible research publications.


Thank you for your support.

An Ontology- and Bayesian-based Approach for Determining Threat Probabilities

The paper has been accepted for publication and I will present it in March 2011 at the 6th ACM Symposium on Information, Computer and Communications Security in Hong Kong, China.

Abstract: Information security risk management is crucial for ensuring long-term business success, and thus numerous approaches to implementing an adequate information security risk management strategy have been proposed. Subjective threat probability determination is one of the main reasons for an inadequate information security strategy, which endangers the organization's ability to perform its mission. To address this problem we developed an ontology- and Bayesian-based approach that determines threat probabilities by taking general information security knowledge as well as organization-specific knowledge about existing control implementations and attacker profiles into account. The elaborated concepts enable risk managers to quantify the current security status of their organization comprehensibly through Bayesian threat probability determination.

Verification, Validation, and Evaluation in Information Security Risk Management

Our article “Verification, Validation, and Evaluation in Information Security Risk Management” was accepted at IEEE Security & Privacy. Check out the preprint at the IEEE Digital Library.

Over the last four decades, various information security risk management (ISRM) approaches have emerged. However, there is a lack of sound verification, validation, and evaluation methods for these approaches. While restrictions, such as the impossibility of measuring exact values for probabilities and follow-up costs, obviously exist, verification, validation, and evaluation of research is essential in any field, and ISRM is no exception. Individual approaches exist, but so far there is no systematic overview of the available methods. In this article we survey the verification, validation, and evaluation methods referenced in the ISRM literature and discuss in which ISRM phases the methods should be applied. The selection of appropriate methods is demonstrated with a potential real-world example. This systematic analysis draws conclusions on the current status of ISRM verification, validation, and evaluation and can serve as a reference for researchers and users of ISRM approaches who aim to establish trust in their results.

Business Process-Based Resource Importance Determination

Find details about our novel resource importance determination method in our latest BPM paper.

Information security risk management (ISRM) heavily depends on realistic impact values representing the resources’ importance in the overall organizational context. Although a variety of ISRM approaches have been proposed, well-founded methods that provide an answer to the following question are still missing: How can business processes be used to determine resources’ importance in the overall organizational context? We answer this question by measuring the actual importance level of resources based on business processes. Therefore, this paper presents our novel business process-based resource importance determination method, which provides ISRM with an efficient and powerful tool for deriving realistic resource importance figures solely from existing business processes. The conducted evaluation has shown that the calculation results of the developed method comply with the results gained in traditional workshop-based assessments.

AURUM: Automated Risk and Utility Management

Our AURUM prototype supports decision makers in selecting security measures according to technical and economic requirements. It is designed to minimize the interaction necessary between user and system and to provide decision makers with an intuitive solution that can be used without extensive knowledge of the information security domain. However, the solution is also capable of providing expert users with detailed information on different levels of granularity. Find out more at

Online Voting Tools – Answer Profile Analysis in the Context of Wahlkabine and the European Parliament Election 2009

Online voting tools enable us to compare our own political position with those of electable political parties in the context of a specific election. The Austrian online voting tool Wahlkabine uses a questionnaire of 25 to 26 questions together with the users’ and the parties’ answer profiles to determine the political position of its users. In Austria we are still faced with a situation where the typical Internet user is more likely to be educated and young than formally uneducated and old. Anthony Downs’s Economic Theory of Democracy understands politics as a market: political parties offer manifestos that are requested by the voters, and parties act rationally with maintenance of power and vote maximization as their ultimate goals.

The specific concept of Wahlkabine, the social inhomogeneity of Austrian Internet users, and the assumption of rationally acting, vote-maximizing parties lead to the following thesis: “Political parties optimize their Wahlkabine answer profiles, deviating from the political positions they communicate in the general election campaign, in order to maximize their votes among Wahlkabine users.” The corresponding research question is: “How do the Wahlkabine answer profiles of the Austrian political parties differ from their political positions communicated in the general election campaign in the context of the European Parliament election (4th to 7th June 2009)?”

The analysis has shown that only 9% of the analyzed positions differ from the Wahlkabine answer profiles. In total the analysis covers 84 sources consisting of manifestos (8), print media (50), online media (18), and TV shows (8). The detailed political position deviations are: ÖVP 11%, SPÖ 9%, Liste Martin 11%, FPÖ 6%, Grüne 0%, BZÖ 24%, JuLis 0%, KPÖ 0%. Based on these results we have to reject the thesis of this work: in the context of the European Parliament elections 2009, Austrian political parties argued consistently in the general election campaign and in their Wahlkabine answer profiles.

In the microscopic context of this work it was not possible to confirm the Economic Theory of Democracy. Online voting tools such as Wahlkabine enable their users to compare their political positions with those of the political parties. Furthermore, voters can easily compare even those political positions which are not in the focus of the mass media and subsequently incorporate the gained knowledge into their voting decision. Future related research will show how political parties deal with the increasing popularity of online voting tools.