Formalizing Information Security Risk and Compliance Management

01.01.2013 - 31.03.2016

Since the vast majority of business decisions are based on data, reliable information technology (IT) is a prerequisite for business continuity and, therefore, crucial for the entire economy. The UK Turnbull report, the US Sarbanes-Oxley act, Basel II and many similar frameworks require decision makers to define mitigation strategies for their operational IT risks. Because data protection and privacy regulations and security standards form a complex range of requirements to which decision makers have to respond, there is an increasing need for an overarching information security (IS) framework that can provide context and coherence to risk and compliance activities. However, practice shows that existing approaches fall short of meeting these requirements. Most organizations are lost in the flood of security- and privacy-related regulations. While in-depth knowledge of the organization in question and of the IS domain as a whole is fundamental to existing approaches, little research has been conducted on the formal knowledge representation of the domains that are relevant to IS risk management. Recent studies have shown that the lack of IS knowledge at the management level is one reason for inadequate or nonexistent IS risk management strategies. The research community has identified IS risk management as one of the top ten grand challenges in information technology security and has called for sound theories and methods to improve existing IS risk management approaches. In 2006 and 2011, the European Network and Information Security Agency (ENISA) addressed these issues and rated the establishment of unified information bases for IS risk management and the development of risk measurement methods as high-priority issues.

This project aims to close this research gap by providing a new approach that supports decision makers in interactively defining the optimal set of security controls according to common regulations and standards. The proposed project involves three essential yet unsolved research problems, namely (1) the formal (XML, OWL) representation of IS standards and domain knowledge, (2) the reliable determination of risk, and (3) the (semi-)automatic definition of countermeasures. The project advances the state of the art for all three research problems and develops methods (i) for formally representing the ISO 27002 standard (Security Ontology), (ii) for automatically determining the IS status of an organization, (iii) for calculating the global business process risk level based on the involved assets and their risk levels, (iv) for automatically determining the importance of assets, and (v) for providing decision makers with an interactive overview of solution scenarios. The developed methodologies will be validated by prototypes and tested by means of case studies. The resulting data will allow us to quantitatively and objectively measure the success of our methodologies in comparison to competing methods.
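The following Python model is an added illustration of how the components listed above fit together; it is not code from the FORISK project, and the project's own ontology, risk formulas and selection algorithm are not on this page. Everything in it is an assumption chosen for demonstration: controls carry an ISO 27002 clause identifier and a constructed effectiveness and cost; an asset's risk is the sum over its threats of residual likelihood times impact; a process's risk is its criticality times the risk of its weakest asset; asset importance is derived from the criticality of the processes that depend on it; and countermeasures are chosen greedily by risk reduction per unit of cost within a budget. The sample threats, assets and processes are constructed.

```python
"""Toy model of ontology-backed IS risk aggregation and control selection.

Added illustration only. Clause ids, effectiveness values, costs, threat
likelihoods, impacts and the aggregation rules are assumptions, not the
FORISK project's own data or formulas.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: float   # assumed annual probability estimate, 0..1
    impact: int         # assumed damage score 1..5


@dataclass(frozen=True)
class Control:
    clause: str             # ISO 27002 clause id the control is mapped to (sample values)
    name: str
    mitigates: frozenset    # names of threats whose likelihood it reduces
    effectiveness: float    # assumed fraction of likelihood removed, 0..1
    cost: int               # assumed implementation cost in abstract units


@dataclass(frozen=True)
class Asset:
    name: str
    threats: tuple          # Threat objects the asset is exposed to


@dataclass(frozen=True)
class Process:
    name: str
    criticality: int        # assumed business criticality 1..5
    assets: tuple           # Asset objects the process depends on


def asset_risk(asset, controls, implemented):
    """Risk of one asset: sum over its threats of residual likelihood x impact.
    Each implemented control that mitigates a threat multiplies that threat's
    likelihood by (1 - effectiveness)."""
    total = 0.0
    for t in asset.threats:
        residual = t.likelihood
        for c in controls:
            if c.clause in implemented and t.name in c.mitigates:
                residual *= 1 - c.effectiveness
        total += residual * t.impact
    return total


def process_risk(proc, controls, implemented):
    """Global process risk level: criticality x risk of the riskiest asset
    (weakest-link assumption)."""
    return proc.criticality * max(asset_risk(a, controls, implemented) for a in proc.assets)


def total_risk(processes, controls, implemented):
    """Organization-wide risk: sum of all process risk levels."""
    return sum(process_risk(p, controls, implemented) for p in processes)


def asset_importance(processes):
    """Importance of an asset = sum of the criticality of the processes using it."""
    importance = {}
    for p in processes:
        for a in p.assets:
            importance[a.name] = importance.get(a.name, 0) + p.criticality
    return importance


def select_controls(processes, controls, budget, implemented=frozenset()):
    """Greedy countermeasure definition: repeatedly pick the not-yet-implemented
    control with the largest total risk reduction per unit of cost that still
    fits the remaining budget. Returns the chosen controls in selection order."""
    implemented = set(implemented)
    chosen, remaining = [], budget
    while True:
        base = total_risk(processes, controls, implemented)
        best, best_gain = None, 0.0
        for c in controls:
            if c.clause in implemented or c.cost > remaining:
                continue
            gain = (base - total_risk(processes, controls, implemented | {c.clause})) / c.cost
            if gain > best_gain:
                best, best_gain = c, gain
        if best is None:
            return chosen
        chosen.append(best)
        implemented.add(best.clause)
        remaining -= best.cost


# Constructed sample data (not from the project).
PHISHING = Threat("phishing", 0.5, 4)
DISK_FAILURE = Threat("disk_failure", 0.2, 5)
UNAUTH_ACCESS = Threat("unauthorized_access", 0.3, 3)

CONTROLS = (
    Control("7.2.2", "awareness training", frozenset({"phishing"}), 0.6, 3),
    Control("12.3.1", "information backup", frozenset({"disk_failure"}), 0.9, 2),
    Control("9.2.3", "privileged access management", frozenset({"unauthorized_access"}), 0.5, 4),
)

MAIL_SERVER = Asset("mail_server", (PHISHING, UNAUTH_ACCESS))
DB_SERVER = Asset("db_server", (DISK_FAILURE, UNAUTH_ACCESS))

ORDER_PROCESSING = Process("order_processing", 5, (DB_SERVER, MAIL_SERVER))
MARKETING = Process("marketing", 2, (MAIL_SERVER,))
PROCESSES = (ORDER_PROCESSING, MARKETING)

if __name__ == "__main__":
    print("asset importance:", asset_importance(PROCESSES))
    print("total risk before:", round(total_risk(PROCESSES, CONTROLS, set()), 3))
    chosen = select_controls(PROCESSES, CONTROLS, budget=5)
    print("chosen:", [(c.clause, c.name) for c in chosen])
    done = {c.clause for c in chosen}
    print("total risk after:", round(total_risk(PROCESSES, CONTROLS, done), 3))
```

With the constructed data the greedy step first picks awareness training (largest reduction per cost, because the mail server is the weakest link of both processes) and then backup, which exhausts the budget of 5; privileged access management is never affordable. The weakest-link rule for process risk is one of several plausible aggregation choices, and a decision maker using the interactive overview described above would want to compare scenarios under different aggregation rules and budgets rather than trust a single run.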

Fenz, S., Neubauer, T., Accorsi, R., Koslowski, T. G. (2013). FORISK: Formalizing Information Security Risk and Compliance Management. In 43rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks, Budapest, 24-27 June 2013.

Syring, A. (2013). Ansätze und Rahmenwerke zur Überführung natürlichsprachlicher Compliance-Anforderungen in automatisiert überwachbare Compliance-Regeln. Eine Analyse des State of the Art. Universität Freiburg, Institut für Informatik und Gesellschaft, Abteilung Telematik, IIG-Bericht 1/2013.

Koslowski, T., Zimmermann, C. (2013). Towards a Detective Approach to Process-Centered Resilience. In R. Accorsi & S. Ranise (Eds.), Security and Trust Management, (LNCS 8203): 176-190. Springer (Berlin Heidelberg).

Müller, G., Koslowski, T. G., Accorsi, R. (2013). Resilience - A New Research Field in Business Information Systems? In W. Abramowicz (Ed.), Business Information Systems 2013 Workshops, (LNBIP 160): 3-21. Springer (New York).

Beckers, K., Côté, I., Fenz, S., Hatebur, D., Heisel, M. (2014). A Structured Comparison of Security Standards. In M. Heisel, W. Joosen, J. Lopez, F. Martinelli (Eds.), Advances in Engineering Secure Future Internet Services and Systems: 1-34. Springer.

Cervantes, G. V., Fenz, S. (2014). How to assess confidentiality requirements of corporate assets? In N. Cuppens-Boulahia et al. (Eds.), 29th IFIP TC 11 International Conference, SEC 2014, Marrakech, Morocco, June 2-4, 2014, Proceedings: 234-241. IFIP International Federation for Information Processing.

Fenz, S., Heurix, J., Neubauer, T., Pechstein, F. (2014). Current challenges in information security risk management. Information Management and Computer Security, 22: 410-430.

Müller, G., Syring, A., Holderer, J. (2015). Automation on Security Operation – Business Process Compliance Requirements: Stepwise Refinements from Natural Language Requirements Structures to Mechanisms. IEEE Conference on Privacy and Security Tokyo, March 2015. Submitted.

Syring, A. (2014). MErCoR – Semiformale Compliance-Regeln zur Überwachung automatisierter Geschäftsprozesse. Schriftenreihe innovative betriebswirtschaftliche Forschung und Praxis, Band 420, Kovač (Hamburg).

Holderer, J., Accorsi, R., Müller, G. (2014). When Four-Eyes Become Too Much – On the Interplay of Authorization Constraints and Workflow Resilience. In Proceedings of the 29th Annual ACM Symposium on Applied Computing. ACM, to appear.

Zahoransky, R. M., Brenig, C., Koslowski, T. (2015). Process-Centered Resilience Measurement Framework. Twenty-Third European Conference on Information Systems (ECIS), Münster, Germany, 2015, to appear.

Fenz, S., Plieschnegger, S., Hobel, H. Mapping Information Security Standard ISO 27002 to an Ontological Structure. Information and Computer Security, in press.

Fenz, S., Heurix, J., Neubauer, T. (2015). How to increase the inventory efficiency in information security risk and compliance management. Proceedings of the European Conference on Information Systems (ECIS) 2015, 12.

  • Wiener Wissenschafts-, Forschungs- und Technologiefonds (WWTF), national funding, call identifier ICT12


  • Information and Communication Technology

External partners

  • Xylem Technologies
  • Albert-Ludwigs-Universität Freiburg