The paper has been accepted for publication and I will present it in March 2011 at the 6th ACM Symposium on Information, Computer and Communications Security in Hong Kong, China.
Abstract: Information security risk management is crucial for ensuring long-term business success, and thus numerous approaches to implementing an adequate information security risk management strategy have been proposed. The subjective determination of threat probabilities is one of the main reasons for an inadequate information security strategy, which endangers the organization in performing its mission. To address this problem we developed an ontology- and Bayesian-based approach to determine threat probabilities that takes general information security knowledge as well as organization-specific knowledge about existing control implementations and attacker profiles into account. The elaborated concepts enable risk managers to quantify the current security status of their organization comprehensibly by means of Bayesian threat probability determination.
Our article “Verification, Validation, and Evaluation in Information Security Risk Management” got accepted at IEEE Security & Privacy. Check out the preprint at the IEEE Digital Library.
Over the last four decades, various information security risk management (ISRM) approaches have emerged. However, there is a lack of sound verification, validation, and evaluation methods for these approaches. While restrictions, such as the impossibility of measuring exact values for probabilities and follow-up costs, obviously exist, verification, validation, and evaluation of research is essential in any field, and ISRM is no exception. Individual approaches exist, but so far there is no systematic overview of the available methods. In this article we survey verification, validation and evaluation methods referenced in ISRM literature and discuss in which ISRM phases the methods should be applied. The selection of appropriate methods is demonstrated with a potential real-world example. This systematic analysis draws conclusions on the current status of ISRM verification, validation and evaluation and can serve as a reference for researchers and users of ISRM approaches who aim to establish trust in their results.
Find details about our novel resource importance determination method in our latest BPM paper.
Information security risk management (ISRM) heavily depends on realistic impact values representing the resources’ importance in the overall organizational context. Although a variety of ISRM approaches have been proposed, well-founded methods that provide an answer to the following question are still missing: How can business processes be used to determine resources’ importance in the overall organizational context? We answer this question by measuring the actual importance level of resources based on business processes. To this end, this paper presents our novel business process-based resource importance determination method, which provides ISRM with an efficient and powerful tool for deriving realistic resource importance figures solely from existing business processes. The conducted evaluation has shown that the calculation results of the developed method agree with the results gained in traditional workshop-based assessments.
Our AURUM prototype supports decision makers in selecting security measures according to technical and economic requirements. It is designed to minimize the interaction necessary between user and system and to provide decision makers with an intuitive solution that can be used without extensive knowledge of the information security domain. However, the solution is also capable of providing expert users with detailed information at different levels of granularity. Find out more at http://securityontology.sba-research.org/aurum/.