ICSSE 2012 Keynote

Today, Stefan gave a keynote on “Energy-efficient buildings for a greener future” at the ICSSE 2012 conference in Yogyakarta. Download the slides here.

[Photos: Stefan at ICSSE 2012]

Posted in Uncategorized

Joining ENISA’s Permanent Stakeholder Group

Today I attended my first ENISA PSG meeting. Learn more about the ENISA PSG from the ENISA News Feed:

The Permanent Stakeholders’ Group (PSG), consisting of 30 top IT-security experts, has been appointed following an open Call for Expression of Interest for Membership earlier this year. ENISA held the first meeting of its new Permanent Stakeholders’ Group on Thursday, 13 September 2012.

A new PSG is appointed every 2½ years, and the current group will serve from 2012 to 2015.

The meeting was held at ENISA’s branch office in Athens, giving the new PSG members the opportunity to learn more about the Agency’s work in its effort to empower ‘cyber-security’ in Europe.

Executive Director Professor Udo Helmbrecht said: “We have recruited a highly skilled and experienced group of experts. ENISA’s future is extremely exciting and I am pleased to have them on board to assist me in developing the Agency’s Work Programme and giving advice on Network Information Security (NIS)”.

The full list of the PSG members can be downloaded from here.

[Photo: ENISA PSG]

Posted in Uncategorized

Security Ontology Engineering Challenges

On August 23, 2012, we conducted the first international workshop on security ontologies and taxonomies at the ARES 2012 conference in Prague. In two sessions the latest security ontology research results were presented, and the workshop participants identified the following overall challenges:

– Reaching critical mass of content
– Motivation of partners/contributors
– Quality management
– Usability
– Funding
– Community support
– APIs
– Technology (SemanticWiki, WebProtege, etc.)
– Joining/merging ontologies
– Data representation (OWL, etc.)
– Overview of current activities/ontologies

The list shows the main challenges active security ontology researchers are currently facing and thereby provides guidance for a structured and collaborative effort to advance the security ontology research field. We encourage all interested researchers and practitioners to extend/modify/discuss the posted challenges list and provide us with feedback regarding their progress in the field. Please see the security ontologies group at https://groups.google.com/forum/#!forum/security-ontologies for further details.

Posted in Information Security Risk Management, Security Ontology

The First International Workshop on Security Ontologies and Taxonomies (SecOnT 2012)

The First International Workshop on Security Ontologies and Taxonomies (co-located with the International Conference on Availability, Reliability and Security) will bring together researchers and practitioners in the area of security ontologies and taxonomies. SecOnT aims at establishing a highly specialized annual meeting to conduct in-depth research discussions and to identify collaboration opportunities among the participants. Click here for the full Call for Papers.

Posted in Security Ontology

Creating PDFs on Android – an evaluation

Together with Michael Schöner we evaluated 14 Java PDF libraries regarding their Android compatibility. Three of the 14 evaluated libraries were compatible with Android and allowed us to create PDFs on the Android platform.


Posted in Android

Generation of Bayesian Networks using the Antipattern Ontology

This paper is joint work with Dimitrios Settas and Antonio Cerone from United Nations University (Macau). It will be presented at the 9th ACIS International Conference on Software Engineering Research, Management and Applications (SERA 2011) in Baltimore, Maryland, USA. You can download the full paper from the Publications section in September 2011.

Abstract: Apart from the plethora of antipatterns that are inherently informal and imprecise, the information used in the antipattern ontology itself is often imprecise or vaguely defined; an example is the certainty with which a cause, symptom or consequence of an antipattern exists in a software project. However, ontologies are not capable of representing uncertainty, and the effective detection of antipatterns that takes into account the uncertainty present in software projects still remains an open issue. Bayesian Networks (BNs) have previously been used to measure, illustrate and handle antipattern uncertainty in mathematical terms. In this paper, we explore the ways in which the antipattern ontology can be used to generate Bayesian Networks. This approach allows software developers to quantify the existence or occurrence of an antipattern attribute using Bayesian Networks, based on the probabilistic knowledge about antipattern attributes contained in the antipattern ontology. The approach is exemplified with an ontology-based model generated using BNTab.

Posted in Bayesian Networks

Information security automation: how far can we go?

This paper is joint work with Raydel Montesino from University of Informatics Sciences (Cuba). It will be presented at the Sixth International Conference on Availability, Reliability and Security (ARES) in Vienna, Austria. You can download the full paper from the Publications section in August 2011.

Abstract: Information security management is a very complex task which involves the implementation and monitoring of more than 130 security controls. To achieve greater efficiency in this process it is necessary to automate as many controls as possible. This paper provides an analysis of how many controls can be automated, based on the standards ISO 27001 and NIST SP800-53. Furthermore, we take the automation potential of controls included in the Consensus Audit Guidelines into account. Finally, we provide an overview of security applications that support automation in the operation of information security controls to increase the efficiency of information security management.

Posted in Information Security Risk Management

A Community Knowledge Base for IT Security

This article is joint work with Simon Parkin and Aad van Moorsel from Newcastle University (UK). It will appear in May 2011 in IEEE IT Professional.

Abstract: Corporate IT security managers have a difficult time staying on top of the endless tide of new technologies and security threats sweeping into their organizations and information systems. The effectiveness of security controls must be balanced with a variety of operational issues, including the impact on employee productivity, legal and ethical stipulations, and business and financial concerns. IT security managers in different organizations face many of the same threats and establish similar solutions, and they’re often gathering and applying the same knowledge. However, they’re doing so largely on their own, which is clearly inefficient. We propose a formalized community project for sharing and applying IT security management knowledge. Here, we present our community knowledge-base prototype, designed to benefit IT security managers in a variety of organizations.

Posted in Information Security Risk Management, Security Ontology

Information Security Risk Management: In which security solutions is it worth investing?

The article has been accepted for publication in the Communications of the Association for Information Systems (CAIS). Click here to download the article from the CAIS website.

Abstract: As companies are increasingly exposed to information security threats, decision makers are permanently forced to pay attention to security issues. Information security risk management provides an approach for measuring the security through risk assessment, risk mitigation, and risk evaluation. Although a variety of approaches have been proposed, decision makers lack well-founded techniques that (1) show them what they are getting for their investment, (2) show them if their investment is efficient, and (3) do not demand in-depth knowledge of the IT security domain. This article defines a methodology for management decision makers that effectively addresses these problems. This work involves the conception, design, and implementation of the methodology into a software solution. The results from two qualitative case studies show the advantages of this methodology in comparison to established methodologies.

Posted in Information Security Risk Management, Security Ontology

Information Security Knowledge Management Survey

We kindly ask you to participate in our information security knowledge management survey. The survey is conducted by the publicly funded research institutions SBA Research (AT), Newcastle University (UK), and Vienna University of Technology (AT). We conduct the survey to explore potential ways of enabling companies and professionals to share information security knowledge through the application of collaborative semantic web technologies. The aggregated survey results will be published in publicly accessible research publications.

Survey: http://www.sba-research.org/survey/index.php?sid=73314

Thank you for your support.

Posted in Information Security Risk Management, Security Ontology