Markus D. Klemen

Security Ontologies: Improving Quantitative Risk Analysis

IT-security has become a much diversified field and small and medium sized enterprises (SMEs), in particular, do not have the financial ability to implement a holistic IT-security approach. We thus propose a security ontology, to provide a solid base for an applicable and holistic IT-security approach for SMEs, enabling low-cost risk management and threat analysis. Based on the taxonomy of computer security and dependability by Landwehr, a heavy-weight ontology can be used to organize and systematically structure knowledge on threats, safeguards, and assets. Using this ontology, each threat scenario can be simulated with a different protection profile as to evaluate the effectiveness and the cost/benefit ratio of individual safeguards

Business process-based valuation of IT-security

Growing business integration raises the need for secure business processes as security problems can affect the profit and the reputation of a company. However, decisions regarding a reasonable level of security in a business environment are often made in a value-neutral way.This paper presents a framework for the valuation of cost-benefit of various security levels with business processes. The framework can be used for planning security levels in software development and allows further continuous monitoring and improvement of cost-benefit of security measures along with operative business processes.

Secure business process management: a roadmap

The security of corporate business processes is crucial for the business success of companies. Existing business process management methodologies barely consider security and dependability objectives. Business processes and security issues are developed separately and often do not follow the same strategy. Growing business integration and legal requirements raise the need for secure business processes as security problems negatively affect profit and reputation of companies and their stakeholders. In this paper we summarize the state of the art of business process management and security and identify shortcomings of existing approaches. Based on that we identify research challenges and present a roadmap for secure business process management (SBPM) that allows an integrated view on business process management and security. This approach provides top management in process oriented enterprises with a stepwise methodology for the parallel and continuous development and improvement of business processes along with security issues over the whole business process life cycle.

Security ontology: simulating threats to corporate assets

Threat analysis and mitigation, both essential for corporate security, are time consuming, complex and demand expert knowledge. We present an approach for simulating threats to corporate assets, taking the entire infrastructure into account. Using this approach effective countermeasures and their costs can be calculated quickly without expert knowledge and a subsequent security decisions will be based on objective criteria. The ontology used for the simulation is based on Landwehrs [ALRL04] taxonomy of computer security and dependability.

Semantic storage: a report on performance and flexibility

Desktop search tools are becoming more popular. They have to deal with increasing amounts of locally stored data. Another approach is to analyze the semantic relationship between collected data in order to preprocess the data semantically. The goal is to allow searches based on relationships between various objects instead of focusing on the name of objects. We introduce a database architecture based on an existing software prototype, which is capable of meeting the various demands for a semantic information manager. We describe the use of an association table which stores the relationships between events. It enables adding or removing data items easily without the need for schema modifications. Existing optimization techniques of RDBMS can still be used.

Ontology-Based business knowledge for simulating threats to corporate assets

We propose a security ontology, to provide a solid base for an applicable and holistic IT-Security approach for SMEs, enabling low-cost threat analysis. Based on the taxonomy of computer security and dependability by Landwehr [ALRL04] and the threat classification according to Peltier [Pel01], a heavy-weight ontology can be used to organize and systematically structure knowledge on threats, safeguards, and assets. The ontology is used in an organization to capture business knowledge required for and created during a security risk analysis where instances of concepts are added to the ontology to allow the simulation of different attack and disaster scenarios. Each scenario can be replayed with a different protection profile as to evaluate the effectiveness and the cost/benefit ratio of individual safeguards.

Hidden Price of User Authentication: Cost Analysis and Stakeholder Motivation

IT security is a vital task; user authentication a fundamental part. Yet the policies to implement user authentication often have a poor cost/benefit ratio. This paper (i) analyzes the costs of typical user authentication policies based on interviews with large Austrian IT providers. It (ii) then elaborates on how the policies are chosen, focusing on a lack of real cost accounting, and riskaverse principal agents in the security departments.

Architectural approach for handling semi‐structured data in a user‐centred working environment

Purpose – Today the amount of all kinds of digital data (e.g. documents and e‐mails), existing on every users computer, is continuously growing. Users are faced with huge difficulties when it comes to handling the existing data pool and finding specific information, respectively. This paper aims to discover new ways of searching and finding semi‐structured data by integrating semantic metadata.Design/methodology/approach – The proposed architecture allows cross‐border searches spanning various applications and operating system activities (e.g. file access and network traffic) and improves the human working process by offering context‐specific, automatically generated links that are created using ontologies.Findings – The proposed semantic enrichment of automated gathered data is a useful approach to reflect the human way of thinking, which is accomplished by remembering relations rather than keywords or tags. The proposed architecture supports the goals of supporting the human working process by managing...