Talks and Poster Presentations (with Proceedings-Entry):
T. Neubauer, A. Ekelhart, S. Fenz:
"Interactive Selection of ISO 27001 Controls under Multiple Objectives";
Talk: 23rd International Information Security Conference (IFIP SEC 2008),
- 2008-09-10; in: "Proceedings of the 23rd International Information Security Conference (SEC 2008)",
IT security incidents pose a major threat to the efficient execution of corporate strategies. Although, information security standards provide a holistic approach to mitigate these threats and legal acts demand their implementation, companies often refrain from the implementation of information security standards, especially due to high costs and the lack of evidence for a positive cost/benefit ratio. This paper presents a new approach that supports decision makers in interactively defining the optimal set of security controls according to ISO 27001. Therefore, it uses input data from a security ontology that allows the standardized integration of rules which are necessary to model potential countermeasure combinations based on the ISO 27001 standard controls. The approach was implemented into a tool and tested by means of a case study. It not only supports decision makers in defining the controls needed for certification but also provides them with information regarding the efficiency of the chosen controls with regard to multiple definable objectives.
"Official" electronic version of the publication (accessed through its Digital Object Identifier - DOI)
Project Head A Min Tjoa:
Created from the Publication Database of the Vienna University of Technology.