Search results
Stefan Fenz, Stefanie Plieschnegger and Heidi Hobel
Abstract
Purpose
The purpose of this paper is to increase the degree of automation within information security compliance projects by introducing a formal representation of the ISO 27002 standard. As information becomes more valuable and businesses face frequent attacks on their infrastructure, enterprises need support in protecting their information-based assets.
Design/methodology/approach
Information security standards and guidelines provide baseline knowledge for protecting corporate assets. However, the effort required to check whether the measures an organization has implemented adhere to the proposed standards and guidelines is still significant.
Findings
This paper shows how the process of compliance checking can be supported by using machine-readable ISO 27002 control descriptions in combination with a formal representation of the organization’s assets.
Originality/value
The authors created a formal representation of the ISO 27002 standard and showed how a security ontology can be used to increase the efficiency of the compliance checking process.
Stefan Fenz and Thomas Neubauer
Abstract
Purpose
The purpose of this paper is to provide a method to formalize information security control descriptions and a decision support system that increases the automation level and, therefore, the cost efficiency of the information security compliance checking process. The authors advanced the state of the art by developing and applying the method to ISO 27002 information security controls and by developing a semantic decision support system.
Design/methodology/approach
The research has been conducted under design science principles. The formalized information security controls were used in a compliance/risk management decision support system which has been evaluated with experts and end-users in real-world environments.
Findings
There are different ways of achieving compliance with information security standards, for example by implementing countermeasures of different quality depending on the protection needs of the organization. The authors developed decision support mechanisms which use the formal control descriptions as input to support the decision-maker in identifying the most appropriate countermeasure strategy based on cost and risk reduction potential.
Originality/value
Formalizing and mapping the ISO 27002 controls to the security ontology enabled the authors to automatically determine the compliance status and organization-wide risk-level based on the formal control descriptions and the modelled environment, including organizational structures, IT infrastructure, available countermeasures, etc. Furthermore, it allowed them to automatically determine which countermeasures are missing to ensure compliance and to decrease the risk to an acceptable level.
Stefan Fenz, Johannes Heurix, Thomas Neubauer and Fabian Pechstein
Abstract
Purpose
The purpose of this paper is to give an overview of current risk management approaches and outline their commonalities and differences, evaluate current risk management approaches regarding their capability of supporting cost-efficient decisions without unnecessary security trade-offs, outline current fundamental problems in risk management based on industrial feedback and academic literature, and provide potential solutions and research directions to address the identified problems. Despite decades of research, the information security risk management domain still faces numerous challenges which prevent risk managers from coming up with sound risk management results.
Design/methodology/approach
To identify the challenges in information security risk management, existing approaches are compared against each other, and as a result, an abstracted methodology is derived to align the problem and solution identification to its generic phases. The challenges have been identified based on literature surveys and industry feedback.
Findings
As common problems in implementing information security risk management approaches, we identified the fields of asset and countermeasure inventory, asset value assignment, risk prediction, the overconfidence effect, knowledge sharing and risk vs. cost trade-offs. The reviewed risk management approaches do not explicitly provide mechanisms to support decision makers in making appropriate risk versus cost trade-offs, but we identified academic approaches which fulfill this need.
Originality/value
The paper provides a reference point for professionals and researchers by summing up the current challenges in the field of information security risk management. The findings therefore enable researchers to focus their work on the identified real-world challenges and thereby contribute to advancing the information security risk management domain in a structured way. Practitioners can use the research results to identify common weaknesses and potential solutions in information security risk management programs.
Raydel Montesino, Stefan Fenz and Walter Baluja
Abstract
Purpose
The purpose of this paper is to propose a framework for security controls automation, in order to achieve greater efficiency and reduce the complexity of information security management.
Design/methodology/approach
This research reviewed the controls recommended by well-known standards such as ISO/IEC 27001 and NIST SP 800-53 and identified security controls that can be automated by existing hardware and software tools. The research also analyzed Security Information and Event Management (SIEM) technology and proposed a SIEM-based framework for security controls automation, taking into account the automation potential of SIEM systems and their integration possibilities with several security tools.
Findings
About 30 per cent of information security controls can be automated, and they were grouped in a list of ten automatable security controls. A SIEM-based framework can be used for centralized and integrated management of the ten automatable security controls.
Practical implications
By implementing the proposed framework and therefore automating as many security controls as possible, organizations will achieve more efficiency in information security management and also reduce the complexity of this process. This research may also be useful for SIEM vendors, in order to include more functionality in their products and provide a maximum of security controls automation within SIEM platforms.
Originality/value
This paper delimits the boundaries of information security automation and defines what automation means for each security control. A novel framework for security controls automation is proposed. This research provides an automation concept that goes beyond what is normally described in previous works and SIEM solutions.
Abstract
Purpose
Collaborative ontology editing tools enable distributed user groups to build and maintain ontologies. Enterprises that use these tools simply to capture knowledge for a given ontological structure face the following problems: an isolated software solution requiring its own user management; a user interface that often does not provide a look-and-feel familiar to users; additional security issues; difficult integration into existing electronic workflows; and additional deployment and training costs. This paper aims to investigate these issues.
Design/methodology/approach
To address these problems, the author designed, developed, and validated a plug-in concept for widely used enterprise content and collaboration portals. The prototype is implemented as a Microsoft SharePoint web part and was validated in the risk and compliance management domain.
Findings
The research results enable enterprises to capture knowledge efficiently within given organizational and ontological structures. Considerable cost and time savings were realized in the conducted case study.
Originality/value
According to the results of the literature survey, this work represents the first research effort that provides a generic approach to supporting and increasing the efficiency of ontological knowledge capturing processes by enterprise portals.
Andreas Ekelhart, Stefan Fenz, Gernot Goluch, Markus D. Klemen and Edgar R. Weippl
Abstract
Purpose
Today the amount of digital data of all kinds (e.g. documents and e-mails) on every user's computer is continuously growing. Users face great difficulty in handling the existing data pool and in finding specific information within it. This paper aims to discover new ways of searching and finding semi-structured data by integrating semantic metadata.
Design/methodology/approach
The proposed architecture allows cross-border searches spanning various applications and operating system activities (e.g. file access and network traffic) and improves the human working process by offering context-specific, automatically generated links that are created using ontologies.
Findings
The proposed semantic enrichment of automatically gathered data is a useful approach to reflect the human way of thinking, which relies on remembering relations rather than keywords or tags. The proposed architecture supports the human working process by managing and enriching personal data, e.g. by providing a database model which supports the semantic storage idea through a generic and flexible structure, and through the modular structure and composition of data collectors.
Originality/value
Available programs for managing personal data usually offer searches either via keywords or via full-text search. Each of these existing search methodologies has its shortcomings and, apart from that, people tend to forget the names of specific objects. It is often easier to remember the context of a situation in which, for example, a file was created or a web site was visited. By proposing this architectural approach for handling semi-structured data, it is possible to offer a sophisticated search mechanism that is better suited to the way humans think.
Stefan Taubenberger, Jan Jürjens, Yijun Yu and Bashar Nuseibeh
Abstract
Purpose
In any information security risk assessment, vulnerabilities are usually identified by information-gathering techniques. However, vulnerability identification errors (wrongly identified or unidentified vulnerabilities) can occur as uncertain data are used. Furthermore, businesses' security needs are not considered sufficiently. Hence, security functions may not protect business assets sufficiently and cost-effectively. This paper aims to resolve vulnerability errors by analysing the security requirements of information assets in business process models.
Design/methodology/approach
Business process models have been selected for use because there is a close relationship between business process objectives and risks. Security functions are evaluated in terms of the information flow of business processes with regard to their security requirements. The claim that vulnerability errors can be resolved was validated by comparing the results of a current risk assessment approach with the proposed approach. The comparison is conducted both at three entities of an insurance company and through a controlled experiment within a survey among security professionals.
Findings
Vulnerability identification errors can be resolved by explicitly evaluating security requirements in the course of business; this is not considered in current assessment methods.
Originality/value
It is shown that vulnerability identification errors occur in practice. With the explicit evaluation of security requirements, identification errors can be resolved. Risk assessment methods should consider the explicit evaluation of security requirements.
Stefan Dietze, Salvador Sanchez‐Alonso, Hannes Ebner, Hong Qing Yu, Daniela Giordano, Ivana Marenzi and Bernardo Pereira Nunes
Abstract
Purpose
Research in the area of technology-enhanced learning (TEL) throughout the last decade has largely focused on sharing and reusing educational resources and data. This effort has led to a fragmented landscape of competing metadata schemas and interface mechanisms. More recently, semantic technologies have been taken into account to improve interoperability. The linked data approach has emerged as the de facto standard for sharing data on the web, so applying linked data principles offers a large potential to solve interoperability issues in the field of TEL. This paper aims to address this issue.
Design/methodology/approach
In this paper, approaches are surveyed that are aimed towards a vision of linked education, i.e. education which exploits educational web data. It particularly considers the exploitation of the wealth of already existing TEL data on the web by allowing its exposure as linked data and by taking into account automated enrichment and interlinking techniques to provide rich and well-interlinked data for the educational domain.
Findings
So far, web-scale integration of educational resources is not facilitated, mainly due to the lack of take-up of shared principles, datasets and schemas. However, linked data principles are increasingly recognized by the TEL community. The paper provides a structured assessment and classification of existing challenges and approaches, serving as a potential guideline for researchers and practitioners in the field.
Originality/value
Being one of the first comprehensive surveys on the topic of linked data for education, the paper has the potential to become a widely recognized reference publication in the area.
Abstract
Purpose
The increased capital requirements and the implementation of new liquidity standards under Basel III sparked various concerns among researchers, academics and other stakeholders. The question is whether Basel III regulation is ideal, that is, adequate to deal with a crisis such as the 2007–2009 global financial crisis. The purpose of this paper is threefold: first, to perform a stress testing exercise on the US banking sector while examining liquidity and solvency risk indicators jointly under the Basel III regulatory framework; second, to cover the post-crisis period while referring to key Basel III regulatory requirements; and third, to focus on the resilience of domestic systemically important banks (D-SIBs), which are supposed to support the US financial system in times of stress and whose failure therefore causes the entire financial system to fail.
Design/methodology/approach
The authors used a sample of the 24 largest US banks observed over the period Q1-2015 to Q1-2021 and a scenario-based vector autoregressive conditional forecasting approach.
Findings
The authors found that the model successfully produces accurate forecasts and simulates the responses of the solvency and liquidity indicators to different real and historical macroeconomic shocks. The authors also found that the US banking sector is resilient and can withstand both historical and hypothetical macroeconomic shocks because of its compliance with the Basel III capital and liquidity regulations, which consist of encouraging banks to hold high-quality liquid assets and stable funding resources and to strengthen their capital, which absorbs the losses incurred in a crisis.
Originality/value
The authors developed a framework for testing the resilience of the US banking sector under macroeconomic shocks while examining liquidity and solvency risk indicators jointly under the Basel III regulatory framework, a point not yet well studied elsewhere, since most studies on this subject are based on pre-crisis data. The authors also focused on the resilience of D-SIBs, whose failure causes the failure of the entire financial system, which previous studies have failed to examine.