Abstract
IT security incidents pose a major threat to the efficient execution of corporate strategies. Although information security standards provide a holistic approach to mitigating these threats, and legal acts demand their implementation, companies often refrain from implementing information security standards, mainly because of the high costs and the lack of evidence for a positive cost/benefit ratio. This paper presents a new approach that supports decision makers in interactively defining the optimal set of security controls according to ISO 27001. To this end, it uses input data from a security ontology, which allows the standardized integration of the rules needed to model potential countermeasure combinations based on the ISO 27001 standard controls. The approach was implemented in a tool and tested by means of a case study. It not only supports decision makers in defining the controls needed for certification but also provides them with information on the efficiency of the chosen controls with regard to multiple definable objectives.
© 2008 IFIP International Federation for Information Processing
Cite this paper
Neubauer, T., Ekelhart, A., Fenz, S. (2008). Interactive Selection of ISO 27001 Controls under Multiple Objectives. In: Jajodia, S., Samarati, P., Cimato, S. (eds) Proceedings of the IFIP TC 11 23rd International Information Security Conference. SEC 2008. IFIP – The International Federation for Information Processing, vol 278. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-09699-5_31
DOI: https://doi.org/10.1007/978-0-387-09699-5_31
Publisher Name: Springer, Boston, MA
Print ISBN: 978-0-387-09698-8
Online ISBN: 978-0-387-09699-5