Ontology-based information security compliance determination and control selection on the example of ISO 27002. (12th November 2018)
- Record Type:
- Journal Article
- Title:
- Ontology-based information security compliance determination and control selection on the example of ISO 27002. (12th November 2018)
- Main Title:
- Ontology-based information security compliance determination and control selection on the example of ISO 27002
- Authors:
- Fenz, Stefan
Neubauer, Thomas
- Abstract:
- Purpose: The purpose of this paper is to provide a method to formalize information security control descriptions and a decision support system increasing the automation level and, therefore, the cost efficiency of the information security compliance checking process. The authors advanced the state-of-the-art by developing and applying the method to ISO 27002 information security controls and by developing a semantic decision support system. Design/methodology/approach: The research has been conducted under design science principles. The formalized information security controls were used in a compliance/risk management decision support system which has been evaluated with experts and end-users in real-world environments. Findings: There are different ways of obtaining compliance to information security standards, for example by implementing countermeasures of different quality depending on the protection needs of the organization. The authors developed decision support mechanisms which use the formal control descriptions as input to support the decision-maker at identifying the most appropriate countermeasure strategy based on cost and risk reduction potential. Originality/value: Formalizing and mapping the ISO 27002 controls to the security ontology enabled the authors to automatically determine the compliance status and organization-wide risk-level based on the formal control descriptions and the modelled environment, including organizational structures, IT infrastructure, available countermeasures, etc. Furthermore, it allowed them to automatically determine which countermeasures are missing to ensure compliance and to decrease the risk to an acceptable level.
- Is Part Of:
- Information and computer security. Volume 26:Number 5(2018)
- Journal:
- Information and computer security
- Issue:
- Volume 26:Number 5(2018)
- Issue Display:
- Volume 26, Issue 5 (2018)
- Year:
- 2018
- Volume:
- 26
- Issue:
- 5
- Issue Sort Value:
- 2018-0026-0005-0000
- Page Start:
- 551
- Page End:
- 567
- Publication Date:
- 2018-11-12
- Subjects:
- Decision support systems -- Compliance -- Organizations -- Risk management -- security -- Ontology
Computer security -- Management -- Periodicals
Computer networks -- Security measures -- Periodicals
Data protection -- Management -- Periodicals
658.47
- Journal URLs:
- http://www.emeraldinsight.com/loi/ics
http://www.emeraldinsight.com/
- DOI:
- 10.1108/ICS-02-2018-0020
- Languages:
- English
- ISSNs:
- 2056-4961
- Deposit Type:
- Legaldeposit
- View Content:
- Available online (eLD content is only available in our Reading Rooms)
- Physical Locations:
- British Library DSC - 4481.796000
British Library DSC - BLDSS-3PM
British Library HMNTS - ELD Digital store
- Ingest File:
- 8776.xml