WWTF Project: Formalizing Information Security Risk and Compliance Management


Our proposal entitled "Formalizing Information Security Risk and Compliance Management" is accepted in context of Information and Communication Technology Call 2012. Here is a short abstract:

Abstract : Since the vast majority of business decisions is based on data, reliable information technology is a prerequisite for business continuity and, therefore, crucial for the entire economy. Legal and regulative frameworks demand decision makers to define mitigation strategies for their operational IT risks, but existing approaches fall short of meeting their needs. Recent studies have shown that the lack of IS knowledge at the management level is one reason for inadequate or nonexistent IS risk management strategies. This project pursues to close this essential research gap by providing a new approach to support decision makers in interactively defining the optimal set of security controls according to common regulations and standards. The proposed project addresses three essential yet unsolved research problems, namely (i) the formal representation of IS standards and domain knowledge, (ii) the reliable determination of the risk, (iii) and the (semi-) automatic countermeasure definition.

For further information please contact Dr. Stefan Fenz