Category Archives: Information Security Risk Management

Workshop on Security Ontologies and Taxonomies (SecOnT 2013)

The Second International Workshop on Security Ontologies and Taxonomies (SecOnT 2013) will be held in conjunction with the 8th International Conference on Availability, Reliability and Security (ARES 2013) on September 3 in Regensburg, Germany. With SecOnT we aim to establish a highly specialized annual meeting for in-depth research discussions and for identifying collaboration opportunities among the participants. The preliminary program for the 2013 workshop:

  1. Introductory talk by Stefan Fenz: (i) security ontology applications (risk and compliance management, awareness, incident handling, etc.), (ii) recent developments on the European and international level, (iii) emerging domains which could be supported by security ontologies (e.g., smart grid area), (iv) current challenges of the domain, (v) current limitations of security ontologies, and (vi) potential strategies to enable ontology-based knowledge sharing (incentives and barriers).
  2. Yulia Cherdantseva, Jeremy Hilton (Cardiff University, UK): A Reference Model of Information Assurance & Security
  3. David Mundie (CERT, US): An Ontology for Malware Analysis
  4. Arwa Wali, Soon Chun, James Geller (New Jersey Institute of Technology, US): A Bootstrapping Approach for Developing a Cyber-Security Ontology Using Textbook Index Terms
  5. Kristian Beckers, Maritta Heisel (University Duisburg-Essen, DE): A Usability Evaluation of the NESSoS Common Body of Knowledge
  6. Karin Bernsmed, Per Håkon Meland, Martin Gilje Jaatun, Astrid Undheim, Humberto Castejon (SINTEF ICT, NO): Towards an Ontology for Cloud Security Obligations
  7. Jakub Breier, Ladislav Hudec (Slovak University of Technology, SK): On Selecting Critical Security Controls
  8. Tove Gustavi, Pontus Svenson (Swedish Defence Research Agency, SE): Taxonomy for Port Security Systems

IT-Security Check launched

Our web-based IT-security check is now available at

The tool enables small- and medium-sized enterprises to efficiently assess their IT security risks and to identify appropriate countermeasures to reduce the risks to an acceptable level.

The screencast on provides an in-depth preview of the functionality and workflow of our new IT security check.

Austrian IT-security and awareness study – press coverage

Together with the University of Vienna, the Bundeskanzleramt Österreich and the Wirtschaftskammer Österreich we conducted a national study on the IT-security countermeasures implemented by, and the security awareness of, citizens, companies, and public authorities. The core results are summarized in the following Austrian and German press reports:

Security Ontology Engineering Challenges

On August 23, 2012 we conducted the first international workshop on security ontologies and taxonomies at the ARES 2012 conference in Prague. The latest security ontology research results were presented in two sessions, and the workshop participants identified the following overall challenges:

– Reaching critical mass of content
– Motivation of partners/contributors
– Quality management
– Usability
– Funding
– Community support
– APIs
– Technology (SemanticWiki, WebProtege, etc.)
– Joining/merging ontologies
– Data representation (OWL, etc.)
– Overview of current activities/ontologies

The list shows the main challenges that active security ontology researchers currently face and thereby provides guidance for a structured, collaborative effort to advance the field. We encourage all interested researchers and practitioners to extend, modify and discuss the posted list of challenges and to give us feedback on their progress in the field. Please see the security ontologies group at!forum/security-ontologies for further details.

Information security automation: how far can we go?

This paper is joint work with Raydel Montesino from the University of Informatics Sciences (Cuba). It will be presented at the Sixth International Conference on Availability, Reliability and Security (ARES) in Vienna, Austria. The full paper will be available for download from the Publications section in August 2011.

Abstract: Information security management is a very complex task which involves the implementation and monitoring of more than 130 security controls. To achieve greater efficiency in this process it is necessary to automate as many controls as possible. This paper analyzes how many controls can be automated, based on the standards ISO 27001 and NIST SP 800-53. Furthermore, we take into account the automation potential of the controls included in the Consensus Audit Guidelines. Finally, we provide an overview of security applications that support automation in the operation of information security controls, in order to increase the efficiency of information security management.

A Community Knowledge Base for IT Security

This article is joint work with Simon Parkin and Aad van Moorsel from Newcastle University (UK). It will appear in May 2011 in IEEE IT Professional.

Abstract: Corporate IT security managers have a difficult time staying on top of the endless tide of new technologies and security threats sweeping into their organizations and information systems. The effectiveness of security controls must be balanced with a variety of operational issues, including the impact on employee productivity, legal and ethical stipulations, and business and financial concerns. IT security managers in different organizations face many of the same threats and establish similar solutions, and they’re often gathering and applying the same knowledge. However, they’re doing so largely on their own, which is clearly inefficient. We propose a formalized community project for sharing and applying IT security management knowledge. Here, we present our community knowledge-base prototype, designed to benefit IT security managers in a variety of organizations.

Information Security Risk Management: In which security solutions is it worth investing?

The article has been accepted for publication in the Communications of the Association for Information Systems (CAIS). Click here to download the article from the CAIS website.

Abstract: As companies are increasingly exposed to information security threats, decision makers are constantly forced to pay attention to security issues. Information security risk management provides an approach for measuring security through risk assessment, risk mitigation, and risk evaluation. Although a variety of approaches have been proposed, decision makers lack well-founded techniques that (1) show them what they are getting for their investment, (2) show them whether their investment is efficient, and (3) do not demand in-depth knowledge of the IT security domain. This article defines a methodology for management decision makers that effectively addresses these problems. The work covers the conception, design, and implementation of the methodology in a software solution. The results of two qualitative case studies show the advantages of this methodology over established methodologies.

Information Security Knowledge Management Survey

We kindly ask you to participate in our information security knowledge management survey. The survey is conducted by the publicly funded research institutions SBA Research (AT), Newcastle University (UK), and Vienna University of Technology (AT). Its purpose is to explore potential ways of enabling companies and professionals to share information security knowledge through the application of collaborative semantic web technologies. The aggregated survey results will be published in publicly accessible research publications.


Thank you for your support.