A KNOWLEDGE BASE FOR JUSTIFIED INFORMATION SECURITY DECISION-MAKING

Daria Stepanova, Simon E. Parkin, Aad van Moorsel

2009

Abstract

The majority of modern-day companies store commercially sensitive and valuable information assets in digital form. It is essential for the Chief Information Security Officer (CISO) within an organisation to ensure that such information is adequately protected. External standards exist to advise CISOs on how to secure information, but these are essentially "one-size-fits-all". Furthermore, they do not consider the human-behavioural aspects that determine the impact of security controls upon employees, or how security controls can best be deployed to manage insecure employee behaviour. CISOs require more information than they are currently provided with to justify their information security management decisions. Here we present a knowledge base and an accompanying user interface. The knowledge base represents key structural components of the ISO27002 security standard, formally relating them to one another. This empowers CISOs to understand how different security measures impact upon each other. It also considers how human-behavioural factors can be associated with these concepts. The accompanying user interface provides a means to present formalised information security concepts to CISOs. This paper describes the development of the knowledge base and user interface, highlighting and discussing key challenges and how they were resolved.

Paper Citation
in Harvard Style

Stepanova D., Parkin S. and Moorsel A. (2009). A KNOWLEDGE BASE FOR JUSTIFIED INFORMATION SECURITY DECISION-MAKING. In Proceedings of the 4th International Conference on Software and Data Technologies - Volume 2: ICSOFT, ISBN 978-989-674-010-8, pages 326-331. DOI: 10.5220/0002256703260331
in Bibtex Style

@conference{icsoft09,
author={Daria Stepanova and Simon E. Parkin and Aad van Moorsel},
title={A KNOWLEDGE BASE FOR JUSTIFIED INFORMATION SECURITY DECISION-MAKING},
booktitle={Proceedings of the 4th International Conference on Software and Data Technologies - Volume 2: ICSOFT},
year={2009},
pages={326-331},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0002256703260331},
isbn={978-989-674-010-8},
}
in EndNote Style

TY - CONF
JO - Proceedings of the 4th International Conference on Software and Data Technologies - Volume 2: ICSOFT
TI - A KNOWLEDGE BASE FOR JUSTIFIED INFORMATION SECURITY DECISION-MAKING
SN - 978-989-674-010-8
AU - Stepanova D.
AU - Parkin S.
AU - Moorsel A.
PY - 2009
SP - 326
EP - 331
DO - 10.5220/0002256703260331