Interactive Selection of ISO 27001 Controls under Multiple Objectives

IT security incidents pose a major threat to the efficient execution of corporate strategies. Although information security standards provide a holistic approach to mitigating these threats, and legal acts demand their implementation, companies often refrain from implementing information security standards, especially because of high costs and the lack of evidence for a positive cost/benefit ratio. This paper presents a new approach that supports decision makers in interactively defining the optimal set of security controls according to ISO 27001. To this end, it uses input data from a security ontology that allows the standardized integration of the rules needed to model potential countermeasure combinations based on the ISO 27001 standard controls. The approach was implemented in a tool and tested by means of a case study. It not only supports decision makers in defining the controls needed for certification but also provides them with information on the efficiency of the chosen controls with regard to multiple definable objectives.
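To make the selection problem concrete, the following is an added illustration (it is not the paper's tool, data or algorithm): a small catalogue of five controls with constructed cost and risk-reduction figures, two combination rules of the kind an ontology would supply (a prerequisite and a mutual exclusion), a set of decision-maker-defined objectives, and an exhaustive search for the efficient (Pareto-optimal) control portfolios. The optional `mandatory` set and `max_cost` bound stand in for the interactive step in which the decision maker narrows the candidate portfolios. All control names, numbers and rule encodings are assumptions chosen for this example.

```python
from itertools import combinations

# Constructed, hypothetical control catalogue: the names are illustrative and the
# cost / risk-reduction figures are made up for this example (not the paper's data).
CONTROLS = {
    "c1": {"name": "perimeter firewall", "cost": 20, "risk_reduction": 30,
           "requires": set(), "excludes": set()},
    "c2": {"name": "network IDS", "cost": 25, "risk_reduction": 20,
           "requires": {"c1"}, "excludes": set()},        # rule: IDS sits behind the firewall
    "c3": {"name": "awareness training", "cost": 10, "risk_reduction": 15,
           "requires": set(), "excludes": set()},
    "c4": {"name": "full-disk encryption", "cost": 15, "risk_reduction": 20,
           "requires": set(), "excludes": {"c5"}},
    "c5": {"name": "file-level encryption", "cost": 8, "risk_reduction": 12,
           "requires": set(), "excludes": {"c4"}},        # rule: alternative to c4, not combined
}

# Objectives defined by the decision maker: (attribute, direction).
OBJECTIVES = [("cost", "min"), ("risk_reduction", "max")]


def is_feasible(subset, controls=CONTROLS, mandatory=frozenset()):
    """Apply the combination rules: mandatory controls present, prerequisites
    satisfied, mutually exclusive controls not combined."""
    chosen = set(subset)
    if not mandatory <= chosen:
        return False
    for cid in chosen:
        if not controls[cid]["requires"] <= chosen:
            return False
        if controls[cid]["excludes"] & chosen:
            return False
    return True


def evaluate(subset, controls=CONTROLS, objectives=OBJECTIVES):
    """Aggregate each objective additively over the chosen controls."""
    return tuple(sum(controls[c][attr] for c in subset) for attr, _ in objectives)


def dominates(a, b, objectives=OBJECTIVES):
    """a dominates b if it is no worse in every objective and strictly better in one."""
    pairs = list(zip(a, b, objectives))
    no_worse = all((x <= y) if d == "min" else (x >= y) for x, y, (_, d) in pairs)
    strictly = any((x < y) if d == "min" else (x > y) for x, y, (_, d) in pairs)
    return no_worse and strictly


def feasible_sets(controls=CONTROLS, mandatory=frozenset(), max_cost=None):
    """Enumerate every control subset that satisfies the rules and the budget bound."""
    ids = sorted(controls)
    result = []
    for k in range(len(ids) + 1):
        for combo in combinations(ids, k):
            if not is_feasible(combo, controls, mandatory):
                continue
            if max_cost is not None and sum(controls[c]["cost"] for c in combo) > max_cost:
                continue
            result.append(frozenset(combo))
    return result


def pareto_efficient(controls=CONTROLS, objectives=OBJECTIVES,
                     mandatory=frozenset(), max_cost=None):
    """Return the efficient portfolios: feasible sets not dominated by any other
    feasible set, sorted by objective values."""
    candidates = [(s, evaluate(s, controls, objectives))
                  for s in feasible_sets(controls, mandatory, max_cost)]
    efficient = [(s, v) for s, v in candidates
                 if not any(dominates(w, v, objectives) for _, w in candidates)]
    return sorted(efficient, key=lambda sv: sv[1])


if __name__ == "__main__":
    # Decision maker insists on awareness training and caps the budget at 50.
    for portfolio, values in pareto_efficient(mandatory=frozenset({"c3"}), max_cost=50):
        print(sorted(portfolio), dict(zip([a for a, _ in OBJECTIVES], values)))
```

With the constructed figures, the portfolio {firewall, IDS} costs 45 and reduces risk by 50, while {firewall, training, file-level encryption} costs 38 and reduces risk by 57, so the former is dominated and never shown to the decision maker. Exhaustive enumeration is used here only because the catalogue has five controls; the number of subsets grows exponentially, so a real ISO 27001 catalogue needs a proper multiobjective combinatorial optimization method, which is what an interactive tool like the one the paper describes provides.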
