How to Assess Confidentiality Requirements of Corporate Assets?

Cervantes, Gabriela Varona; Fenz, Stefan

doi:10.1007/978-3-642-55415-5_19

Cited by 2 publications

(1 citation statement)

References 8 publications

(5 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…For the integrity of the server room, it is 74 × 0,66 = 48.84, for the availability of the server room it is 21 × 0.43 = 9.03. The integrity and availability impact values are derived from the inventory phase, in which the user has to answer a set of questions regarding the importance of each asset for the company (Cervantes et al , 2014) for further details on the questionnaire approach). The threat probabilities are assessed by checking how much already implemented countermeasures decrease the occurrence probability of relevant threats (residual probability).…”

Section: Inventory and Decision Supportmentioning

confidence: 99%

Ontology-based information security compliance determination and control selection on the example of ISO 27002

Fenz

Neubauer

2018

ICS

Self Cite

View full text Add to dashboard Cite

Purpose-The purpose of this paper is to provide a method to formalize information security control descriptions and a decision support system increasing the automation level and, therefore, the cost efficiency of the information security compliance checking process. The authors advanced the state-of-the-art by developing and applying the method to ISO 27002 information security controls and by developing a semantic decision support system. Design/methodology/approach-The research has been conducted under design science principles. The formalized information security controls were used in a compliance/risk management decision support system which has been evaluated with experts and end-users in real-world environments. Findings-There are different ways of obtaining compliance to information security standards. For example, by implementing countermeasures of different quality depending on the protection needs of the organization. The authors developed decision support mechanisms which use the formal control descriptions as input to support the decision-maker at identifying the most appropriate countermeasure strategy based on cost and risk reduction potential. Originality/value-Formalizing and mapping the ISO 27002 controls to the security ontology enabled the authors to automatically determine the compliance status and organization-wide risk-level based on the formal control descriptions and the modelled environment, including organizational structures, IT infrastructure, available countermeasures, etc. Furthermore, it allowed them to automatically determine which countermeasures are missing to ensure compliance and to decrease the risk to an acceptable level.

show abstract

Section: Inventory and Decision Supportmentioning

confidence: 99%