Abstract

Purpose

The purpose of this paper is to provide a method to formalize information security control descriptions and a decision support system increasing the automation level and, therefore, the cost efficiency of the information security compliance checking process. The authors advanced the state-of-the-art by developing and applying the method to ISO 27002 information security controls and by developing a semantic decision support system.

Design/methodology/approach

The research has been conducted under design science principles. The formalized information security controls were used in a compliance/risk management decision support system which has been evaluated with experts and end-users in real-world environments.

Findings

There are different ways of obtaining compliance to information security standards, for example, by implementing countermeasures of different quality depending on the protection needs of the organization. The authors developed decision support mechanisms which use the formal control descriptions as input to support the decision-maker at identifying the most appropriate countermeasure strategy based on cost and risk reduction potential.

Originality/value

Formalizing and mapping the ISO 27002 controls to the security ontology enabled the authors to automatically determine the compliance status and organization-wide risk level based on the formal control descriptions and the modelled environment, including organizational structures, IT infrastructure, available countermeasures, etc. Furthermore, it allowed them to automatically determine which countermeasures are missing to ensure compliance and to decrease the risk to an acceptable level.
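The decision-support logic the abstract describes (compliance status per control, missing countermeasures, and choosing a countermeasure strategy by cost and risk reduction) can be sketched as follows. This is an added illustration, not the paper's ontology or code; the representation of a control as alternative countermeasure sets, the control labels, and all cost and risk values are constructed assumptions.

```python
from dataclasses import dataclass
from itertools import product

@dataclass(frozen=True)
class Countermeasure:
    name: str
    cost: float
    risk_reduction: float  # assumed: fraction of residual risk removed

@dataclass
class Control:
    control_id: str    # constructed label, not a real ISO 27002 clause
    alternatives: list # frozensets of countermeasure names; any one satisfies the control

# Constructed catalogue and controls (hypothetical values).
CATALOGUE = {c.name: c for c in [
    Countermeasure("disk-encryption", 40.0, 0.30),
    Countermeasure("key-management", 25.0, 0.10),
    Countermeasure("remote-wipe", 15.0, 0.15),
    Countermeasure("badge-access", 30.0, 0.20),
    Countermeasure("guard", 90.0, 0.35),
]}
CONTROLS = [
    Control("CTRL-A", [frozenset({"disk-encryption", "key-management"}), frozenset({"remote-wipe"})]),
    Control("CTRL-B", [frozenset({"badge-access"}), frozenset({"guard"})]),
]

def compliance_status(implemented, controls=CONTROLS):
    """Map control_id -> (compliant?, cheapest set of missing countermeasures)."""
    status = {}
    for c in controls:
        compliant = any(alt <= implemented for alt in c.alternatives)
        gaps = [alt - implemented for alt in c.alternatives]
        cheapest = min(gaps, key=lambda g: sum(CATALOGUE[n].cost for n in g))
        status[c.control_id] = (compliant, cheapest)
    return status

def risk_level(implemented, baseline=1.0):
    """Residual risk after applying each implemented measure's reduction multiplicatively."""
    r = baseline
    for n in implemented:
        r *= 1.0 - CATALOGUE[n].risk_reduction
    return r

def cheapest_compliant_strategy(implemented, max_risk, controls=CONTROLS):
    """Cheapest addition that satisfies every control and keeps residual risk <= max_risk."""
    best = None
    for choice in product(*(c.alternatives for c in controls)):
        target = implemented | frozenset().union(*choice)
        if risk_level(target) > max_risk:
            continue  # this alternative set does not meet the protection need
        cost = sum(CATALOGUE[n].cost for n in target - implemented)
        if best is None or cost < best[0]:
            best = (cost, target - implemented)
    return best
```

Tightening max_risk changes which alternative is selected, which is the "different quality depending on the protection needs" trade-off the abstract refers to.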

Highlights

  • Cyber incidents are one of the top emerging risks in companies for the long-term future

  • The overall purpose of our work was to enrich the security ontology with formal rules derived from the ISO 27002 standard (ISO/IEC 27002, 2013) to ease the compliance checking by enabling organizations to query, visualize and analyze the knowledge base

  • To validate the developed method and the resulting security ontology including the formal ISO 27002 control descriptions, we developed a compliance and risk management decision support system which is capable of using the security ontology as the underlying knowledge base

Introduction

Cyber incidents are one of the top emerging risks in companies for the long-term future. Accenture and Ponemon Institute (2017) state that the annualized cost of cyber security in 2017 amounted to US$11.7mn on average per company (basis: 254 companies analyzed in the study). The costs for cyber security increase by 22.7 per cent per year.

The full terms of this licence may be seen at http://creativecommons.org/licences/by/4.0/legalcode
