Ontology-based Generation of IT-Security Metrics

S. Fenz:
"Ontology-based Generation of IT-Security Metrics";
Talk: 25th ACM Symposium on Applied Computing (SAC 2010), Sierre, Switzerland; 22.03.2010 - 26.03.2010; in: "Proceedings of the 25th ACM Symposium on Applied Computing (SAC 2010)", ACM, (2010), ISBN: 978-1-60558-638-0; pp. 1833-1839.


Abstract:

Legal regulations and industry standards require organizations to measure and maintain a specified IT-security level. Although several IT-security metrics approaches have been developed, a methodology for automatically generating ISO 27001-based IT-security metrics from concrete, organization-specific knowledge about control implementations is still missing. Building on the security ontology by Fenz et al., which captures information security domain knowledge together with the structures needed to incorporate organization-specific facts into the ontology, this paper proposes a methodology for automatically generating ISO 27001-based IT-security metrics. The conducted validation shows that the research results are a first step towards increasing the degree of automation in the field of IT-security metrics. Using the introduced methodology, organizations are able to evaluate both their compliance with information security standards and the effectiveness of their control implementations at the same time.