Interactive Selection of ISO 27001 Controls under Multiple Objectives

  • Thomas Neubauer
  • Andreas Ekelhart
  • Stefan Fenz
Part of the IFIP – The International Federation for Information Processing book series (IFIPAICT, volume 278)


IT security incidents pose a major threat to the efficient execution of corporate strategies. Although information security standards provide a holistic approach to mitigating these threats, and legal acts demand their implementation, companies often refrain from implementing information security standards, especially because of high costs and the lack of evidence for a positive cost/benefit ratio. This paper presents a new approach that supports decision makers in interactively defining the optimal set of security controls according to ISO 27001. To do so, it uses input data from a security ontology that allows the standardized integration of the rules needed to model potential countermeasure combinations based on the ISO 27001 standard controls. The approach was implemented in a tool and tested by means of a case study. It not only supports decision makers in defining the controls needed for certification but also provides them with information on the efficiency of the chosen controls with regard to multiple definable objectives.





Copyright information

© IFIP International Federation for Information Processing 2008

Authors and Affiliations

  • Thomas Neubauer (Secure Business Austria, Vienna, Austria)
  • Andreas Ekelhart (Secure Business Austria, Vienna, Austria)
  • Stefan Fenz (Secure Business Austria, Vienna, Austria)
