Andreas Ekelhart

Andreas Ekelhart

  • Phone: +43 (1) 505 36 88
  • Fax: +43 (1) 505 88 88

Bio

Andreas Ekelhart is a researcher and project manager at Secure Business Austria. His research focuses mainly on applied concepts of IT security and semantic applications, in which he specialized during his studies.

He received a Master in Business Informatics and a Master in Software Engineering & Internet Computing, both from the Vienna University of Technology, and completed his PhD thesis at the Institute of Software Technology and Interactive Systems in cooperation with Secure Business Austria.

Publications

  • Stefan Fenz and Andreas Ekelhart and Thomas Neubauer, "Information Security Risk Management: In which security solutions is it worth investing?," Communications of the Association for Information Systems, vol. 28, iss. 1, pp. 329-356, 2011. BibTeX | PDF
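    @article{Fenz2011a,
      author     = {Fenz, Stefan and Ekelhart, Andreas and Neubauer, Thomas},
      title      = {Information Security Risk Management: In which security solutions is it worth investing?},
      journal    = {Communications of the Association for Information Systems},
      year       = {2011},
      month      = may,
      volume     = {28},
      number     = {1},
      pages      = {329--356},
      pdf        = {2011 - Fenz - Information Security Risk Management In Which Security Solutions Is It Worth Investing.pdf},
      sbahotlist = {true},
    }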
  • Stefan Fenz and Andreas Ekelhart, "Verification, Validation, and Evaluation in Information Security Risk Management," IEEE Security and Privacy, vol. 8, pp. 18-25, 2010. BibTeX
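    @article{Fenz_Verification_Validation_and_Ev_2010,
      author     = {Fenz, Stefan and Ekelhart, Andreas},
      title      = {Verification, Validation, and Evaluation in Information Security Risk Management},
      journal    = {IEEE Security and Privacy},
      year       = {2010},
      month      = nov,
      volume     = {8},
      pages      = {18--25},
      publisher  = {IEEE Computer Society},
    }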
  • Stefan Fenz and Andreas Ekelhart and Thomas Neubauer, "AURUM: A Framework for Supporting Information Security Risk Management," in Proceedings of the 42nd Hawaii International Conference on System Sciences, HICSS2009, 2009, pp. 1-10. BibTeX | PDF
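    @inproceedings{Ekelhart_AURUMFrameworkSupporting_2009,
      author     = {Fenz, Stefan and Ekelhart, Andreas and Neubauer, Thomas},
      title      = {{AURUM}: A Framework for Supporting Information Security Risk Management},
      booktitle  = {Proceedings of the 42nd Hawaii International Conference on System Sciences, HICSS2009},
      year       = {2009},
      month      = jan,
      pages      = {1--10},
      publisher  = {IEEE Computer Society},
      isbn       = {978-0-7695-3450-3},
      abstract   = {As companies are increasingly exposed to a variety of information security threats, they are permanently forced to pay attention to security issues. Risk management provides an effective approach for measuring the security through risk assessment, risk mitigation and evaluation. Existing risk management approaches are highly accepted but demand very detailed knowledge about the IT security domain and the actual company environment. This paper presents AURUM - a new methodology for supporting the NIST SP 800-30 risk management standard - and provides a comparison with the GSTool and CRISAM in order to highlight the benefits decision makers may expect when using AURUM.},
      pdf        = {2009 - Ekelhart - AURUM A Framework for Information Security Risk Management.pdf},
      sbahotlist = {true},
    }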
  • Stefan Fenz and Andreas Ekelhart, "Formalizing Information Security Knowledge," in Proceedings of the 4th ACM Symposium on Information, Computer, and Communications Security, 2009, pp. 183-194. BibTeX | PDF
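    @inproceedings{Fenz_FormalizingInformationSecurity_2009,
      author     = {Fenz, Stefan and Ekelhart, Andreas},
      title      = {Formalizing Information Security Knowledge},
      booktitle  = {Proceedings of the 4th ACM Symposium on Information, Computer, and Communications Security},
      year       = {2009},
      month      = jan,
      pages      = {183--194},
      publisher  = {ACM},
      isbn       = {978-1-60558-394-5},
      abstract   = {Unified and formal knowledge models of the information security domain are fundamental requirements for supporting and enhancing existing risk management approaches. This paper describes a security ontology which provides an ontological structure for information security domain knowledge. Besides existing best-practice guidelines such as the German IT Grundschutz Manual also concrete knowledge of the considered organization is incorporated. An evaluation conducted by an information security expert team has shown that this knowledge model can be used to support a broad range of information security risk management approaches.},
      pdf        = {2009 - Fenz - Formalizing Information Security Knowledge.pdf},
    }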
  • Stefan Fenz and Andreas Ekelhart and Thomas Neubauer, "Business Process-based Resource Importance Determination," in Proceedings of the 7th International Conference on Business Process Management (BPM 2009), 2009, pp. 113-127. BibTeX | PDF
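    @inproceedings{Fenz_BusinessProcessbasedResource_2009,
      author     = {Fenz, Stefan and Ekelhart, Andreas and Neubauer, Thomas},
      title      = {Business Process-based Resource Importance Determination},
      booktitle  = {Proceedings of the 7th International Conference on Business Process Management (BPM 2009)},
      year       = {2009},
      month      = jan,
      pages      = {113--127},
      publisher  = {Springer},
      note       = {accepted for publication},
      abstract   = {Information security risk management (ISRM) heavily depends on realistic impact values representing the resources importance in the overall organizational context. Although a variety of ISRM approaches have been proposed, well-founded methods that provide an answer to the following question are still missing: How can business processes be used to determine resources importance in the overall organizational context? We answer this question by measuring the actual importance level of resources based on business processes. Therefore, this paper presents our novel business process-based resource importance determination method which provides ISRM with an efficient and powerful tool for deriving realistic resource importance figures solely from existing business processes. The conducted evaluation has shown that the calculation results of the developed method comply to the results gained in traditional workshop-based assessments.},
      pdf        = {2009 - Fenz - Business Process-based Resource Importance Determination.pdf},
      sbahotlist = {true},
    }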
  • Stefan Fenz and Andreas Ekelhart and Thomas Neubauer, "Automated Risk and Utility Management," in 2009 Sixth International Conference on Information Technology: New Generations, 2009, pp. 393-398. BibTeX | PDF
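    @inproceedings{Ekelhart_AutomatedRiskand_2009,
      author     = {Fenz, Stefan and Ekelhart, Andreas and Neubauer, Thomas},
      title      = {Automated Risk and Utility Management},
      booktitle  = {2009 Sixth International Conference on Information Technology: New Generations},
      year       = {2009},
      month      = jan,
      pages      = {393--398},
      publisher  = {IEEE Computer Society},
      abstract   = {Information security breaches pose major threats to the reliable execution of corporate strategies and may have negative effects on business value. Information security risk management (ISRM) provides an effective approach for assessing, mitigating, and evaluating information security risks. Existing ISRM approaches are highly accepted but demand very detailed knowledge about the IT security domain and the actual company environment. This paper presents the AURUM prototype that supports decision makers in selecting security measures according to organization-specific technical and economical requirements.},
      pdf        = {2009 - Ekelhart - Automated Risk and Utility Management.pdf},
    }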
  • Stefan Fenz and Andreas Ekelhart and Thomas Neubauer, "Ontologiebasiertes IT Risikomanagement," in D.A.CH Security 2009, 2009, pp. 14-24. BibTeX | PDF
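    @inproceedings{Ekelhart_OntologiebasiertesITRisikomanagement_2009,
      author     = {Fenz, Stefan and Ekelhart, Andreas and Neubauer, Thomas},
      title      = {Ontologiebasiertes {IT} {Risikomanagement}},
      booktitle  = {D.A.CH Security 2009},
      year       = {2009},
      month      = jan,
      pages      = {14--24},
      publisher  = {Syssec},
      abstract   = {Informationssicherheitsrisikomanagement (Information Security Risk Management, ISRM) stellt einen effizienten Zugang zur Bewertung, Verringerung und Evaluierung von Informationssicherheitsrisiken dar. Bereits bestehende ISRM-Ans{\"a}tze sind weitgehend akzeptiert, setzen jedoch sehr detailliertes Informationssicherheitswissen und genaue Kenntnisse des tats{\"a}chlichen Unternehmensumfeldes voraus. Die inad{\"a}quate Umsetzung von ISRM gef{\"a}hrdet die planm{\"a}{\ss}ige Umsetzung der Unternehmensstrategie und kann zu einer Minderung des Unternehmenswertes f{\"u}hren. Der vorliegende Beitrag pr{\"a}sentiert das AURUM Tool, welches die Schwachstellen bestehender Ans{\"a}tze adressiert und Entscheidungstr{\"a}ger bei der Auswahl eines effizienten IT-Sicherheitsportfolios unter Ber{\"u}cksichtigung organisationsspezifischer, technischer und wirtschaftlicher Anforderungen unterst{\"u}tzt.},
      pdf        = {2009 - Ekelhart - Ontologiebasiertes IT Risikomanagement.pdf},
    }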
  • Stefan Fenz and Andreas Ekelhart and Thomas Neubauer, "Ontology-based Decision Support for Information Security Risk Management," in International Conference on Systems, 2009. ICONS 2009., 2009, pp. 80-85. BibTeX | PDF
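    @inproceedings{Ekelhart_OntologybasedDecisionSupport_2009,
      author     = {Fenz, Stefan and Ekelhart, Andreas and Neubauer, Thomas},
      title      = {Ontology-based Decision Support for Information Security Risk Management},
      booktitle  = {International Conference on Systems, 2009. ICONS 2009.},
      year       = {2009},
      month      = mar,
      pages      = {80--85},
      publisher  = {IEEE Computer Society},
      abstract   = {As e-Business and e-Commerce applications are increasingly exposed to a variety of information security threats, corporate decision makers are increasingly forced to pay attention to security issues. Risk management provides an effective approach for measuring the security but existing risk management approaches come with major shortcomings such as the demand for very detailed knowledge about the IT security domain and the actual company environment. This paper presents the implementation of the AURUM methodology into a software solution which addresses the identified shortcomings of existing information security risk management software solutions. Thereby, the presented approach supports decision makers in risk assessment, risk mitigation, and safeguard evaluation.},
      pdf        = {2009 - Ekelhart - Ontology-based Decision Support for Information Security Risk Management.pdf},
    }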
  • Andreas Ekelhart and Mathias Kolb, "An Evaluation of Technologies for the Pseudonymization of Medical Data," in Proceedings of the ACM Symposium on Applied Computing, 2009. BibTeX
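    % NOTE(review): the citation key names Neubauer, but the author list holds only Ekelhart and Kolb; confirm the author list against the published paper. Key left unchanged so existing citations still resolve.
    @inproceedings{Neubauer_EvaluationofTechnologies_2009a,
      author     = {Ekelhart, Andreas and Kolb, Mathias},
      title      = {An Evaluation of Technologies for the Pseudonymization of Medical Data},
      booktitle  = {Proceedings of the ACM Symposium on Applied Computing},
      year       = {2009},
      month      = jan,
    }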
  • Stefan Fenz and Edgar R. Weippl and Andreas Ekelhart, "Fortification of IT security by automatic security advisory processing," in Proceedings of the 22nd International Conference on Advanced Information Networking and Applications, AINA2008, 2008, pp. 575-582. BibTeX | PDF
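    @inproceedings{Fenz_FortificationofIT_2008,
      author     = {Fenz, Stefan and Weippl, {Edgar R.} and Ekelhart, Andreas},
      title      = {Fortification of {IT} security by automatic security advisory processing},
      booktitle  = {Proceedings of the 22nd International Conference on Advanced Information Networking and Applications, AINA2008},
      year       = {2008},
      month      = mar,
      pages      = {575--582},
      publisher  = {IEEE Computer Society},
      abstract   = {The past years have seen the rapid increase of security related incidents in the field of information technology. IT infrastructures in the commercial as well as in the governmental sector are becoming evermore heterogeneous which increases the complexity of handling and maintaining an adequate security level. Especially organizations which are hosting and processing highly sensitive data are obligated to establish a holistic company-wide security approach. We propose a novel security concept to reduce this complexity by automatic assessment of security advisories. A central entity collects vulnerability information from various sources, converts it into a standardized and machine-readable format and distributes it to its subscribers. The subscribers are then able to automatically map the vulnerability information to the ontological stored infrastructure data to visualize newly-discovered software vulnerabilities. The automatic analysis of vulnerabilities decreases response times and permits precise response to new threats and vulnerabilities, thus decreasing the administration complexity and increasing the IT security level.},
      pdf        = {2008 - Fenz - Fortification of IT Security by Automatic Security Advisory Processing.pdf},
    }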
  • Stefan Fenz and Edgar R. Weippl and Andreas Ekelhart, "Semantic Potential of existing Security Advisory Standards," in Proceedings of the FIRST2008 Conference, 2008. BibTeX | PDF
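    @inproceedings{Fenz_SemanticPotentialof_2008,
      author     = {Fenz, Stefan and Weippl, {Edgar R.} and Ekelhart, Andreas},
      title      = {Semantic Potential of existing Security Advisory Standards},
      booktitle  = {Proceedings of the FIRST2008 Conference},
      year       = {2008},
      month      = jan,
      abstract   = {New discoveries made on a nearly daily basis and the constantly growing amount of vulnerabilities in software products have led to the distribution of great numbers of vendor dependent vulnerability information over various channels such as mailing lists and RSS (Really Simple Syndication) feeds. However, the format of these messages presents a major problem as it lacks standardized, semantic information, resulting in very time-intensive, expensive, and error-prone processing due to the necessary human involvement. Recent developments in the field of IT security have increased the need for a sound semantic security advisory standard that allows for automatic processing of relevant security advisories in a more precise and timely manner. This would reduce pressure on organizations trying to keep their complex infrastructures secure and up-to-date by complying with standards, such as Basel II and local legislations. This paper conducts an evaluation of existing security advisory standards to identify usable semantic standards, which enable the automated processing of security advisories to ensure faster reaction times and precise response to new threats and vulnerabilities. In this way IT management can concentrate on solutions rather than on filtering messages.},
      pdf        = {2008 - Fenz - Semantic Potential of Existing Security Advisory Standards.pdf},
    }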
  • Stefan Fenz and Andreas Ekelhart and Thomas Neubauer, "Interactive Selection of ISO 27001 Controls under Multiple Objectives," in Proceedings of the Ifip Tc 11 23rd International Information Security Conference, IFIPSec 2008, 2008, pp. 477-492. BibTeX | PDF
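    % NOTE(review): volume 278_2008 looks like a volume/year pair; confirm against the proceedings and keep only the volume number.
    @inproceedings{Neubauer_InteractiveSelectionof_2008,
      author     = {Fenz, Stefan and Ekelhart, Andreas and Neubauer, Thomas},
      title      = {Interactive Selection of {ISO} 27001 Controls under Multiple Objectives},
      booktitle  = {Proceedings of the IFIP TC 11 23rd International Information Security Conference, IFIPSec 2008},
      year       = {2008},
      month      = jul,
      volume     = {278_2008},
      pages      = {477--492},
      publisher  = {Springer},
      pdf        = {2008 - Neubauer - Interactive Selection of ISO 27001 Controls under Multiple Objectives.pdf},
    }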
  • Stefan Fenz and Andreas Ekelhart and Gernot Goluch and Simon Tjoa and Stefan Jakoubi and Thomas Mueck, "Integration of an Ontological Information Security Concept in Risk Aware Business Process Management," in Proceedings of the 41st Hawaii International Conference on System Sciences, HICSS2008, 2008, pp. 377-385. BibTeX | PDF
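    @inproceedings{Goluch_IntegrationofOntological_2008,
      author     = {Fenz, Stefan and Ekelhart, Andreas and Goluch, Gernot and Tjoa, Simon and Jakoubi, Stefan and Mueck, Thomas},
      title      = {Integration of an Ontological Information Security Concept in Risk Aware Business Process Management},
      booktitle  = {Proceedings of the 41st Hawaii International Conference on System Sciences, HICSS2008},
      year       = {2008},
      month      = jan,
      pages      = {377--385},
      publisher  = {IEEE Computer Society},
      isbn       = {978-0-7695-3075-8},
      pdf        = {2008 - Goluch - Integration of an Ontological Information Security Concept in Risk-Aware Business Process Management.pdf},
      sbahotlist = {true},
    }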
  • Stefan Fenz and Edgar R. Weippl and Andreas Ekelhart and Gernot Goluch and Markus Steinkellner, "XML Security – A comparative literature review," Journal of Systems and Software, vol. 81, pp. 1715-1724, 2008. BibTeX | PDF
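    @article{Ekelhart_XMLSecurity_2008,
      author     = {Fenz, Stefan and Weippl, {Edgar R.} and Ekelhart, Andreas and Goluch, Gernot and Steinkellner, Markus},
      title      = {{XML} Security - A comparative literature review},
      journal    = {Journal of Systems and Software},
      year       = {2008},
      month      = jan,
      volume     = {81},
      pages      = {1715--1724},
      issn       = {0164-1212},
      abstract   = {Since the turn of the millenium, Working Groups of the W3C have been concentrating on the development of XML based security standards, which are paraphrased as XML Security. XML Security consists of three recommendations: XML (Digital) Signature, XML Encryption and XML Key Management Specification (XKMS), all of them published by the W3C. By means of a review of the available literature the authors draw several conclusions about the status quo of XML Security. Furthermore the current state and focuses of research as well as the existing challenges are derived. Trends to different application areas - e.g. use of XML Security for Mobile Computing - are also outlined. Based on this information the analyzed results are discussed and a future outlook is predicted.},
      pdf        = {2008 - Ekelhart - XML security -- A Comparative Literature Review.pdf},
      sbahotlist = {true},
    }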
  • A Min Tjoa and Stefan Fenz and Edgar R. Weippl and Andreas Ekelhart and Witold Abramowicz and Dominik Zyskowski and Monika Kaczmarek, "Security aspects in Semantic Web Services Filtering," in Proceedings of the 9th @WAS International Conference on Information Integration and Web-based Applications & Services (iiWAS2007), 2007, pp. 21-31. BibTeX | PDF
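    @inproceedings{Abramowicz_Securityaspectsin_2007,
      author     = {Tjoa, {A Min} and Fenz, Stefan and Weippl, {Edgar R.} and Ekelhart, Andreas and Abramowicz, Witold and Zyskowski, Dominik and Kaczmarek, Monika},
      title      = {Security aspects in {Semantic Web} Services Filtering},
      booktitle  = {Proceedings of the 9th @WAS International Conference on Information Integration and Web-based Applications \& Services (iiWAS2007)},
      year       = {2007},
      month      = jan,
      volume     = {229},
      pages      = {21--31},
      publisher  = {Austrian Computer Society},
      abstract   = {Security and trust aspects, perceived as difficult to quantify, have been neglected in various service interactions. However, factors related to security and trust are in fact crucial in the overall value of service quality. A security ontology that enables a quantification of risks related to the usage of Semantic Web services in enterprise information systems was created to meet users' requirements and enhance Semantic Web services with machine processable security information. This article presents how this security ontology can be integrated into the Web service description and how it enhances the process of Web services filtering.},
      pdf        = {2007 - Abramowicz - Security Aspects in Semantic Web Services Filtering.pdf},
    }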
  • Stefan Fenz and Edgar R. Weippl and Markus Klemen and Andreas Ekelhart, "Security Ontologies: Improving Quantitative Risk Analysis," in Proceedings of the 40th Hawaii International Conference on System Sciences, HICSS2007, 2007, pp. 156-162. BibTeX | PDF
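    @inproceedings{Ekelhart_SecurityOntologiesImproving_2007,
      author     = {Fenz, Stefan and Weippl, {Edgar R.} and Klemen, Markus and Ekelhart, Andreas},
      title      = {Security Ontologies: Improving Quantitative Risk Analysis},
      booktitle  = {Proceedings of the 40th Hawaii International Conference on System Sciences, HICSS2007},
      year       = {2007},
      month      = jan,
      pages      = {156--162},
      publisher  = {IEEE Computer Society},
      isbn       = {0-7695-2755-8},
      pdf        = {2007 - Ekelhart - Security Ontologies Improving Quantitative Risk Analysis.pdf},
      sbahotlist = {true},
    }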
  • Stefan Fenz and Edgar R. Weippl and Markus Klemen and Andreas Ekelhart and Gernot Goluch, "Architectural approach for handling semi-structured data in an user-centered working environment," International Journal of Web Information Systems, vol. 3, iss. 3, pp. 198-211, 2007. BibTeX | PDF
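    @article{Ekelhart_Architecturalapproachhandling_2007,
      author     = {Fenz, Stefan and Weippl, {Edgar R.} and Klemen, Markus and Ekelhart, Andreas and Goluch, Gernot},
      title      = {Architectural approach for handling semi-structured data in an user-centered working environment},
      journal    = {International Journal of Web Information Systems},
      year       = {2007},
      month      = jan,
      volume     = {3},
      number     = {3},
      pages      = {198--211},
      issn       = {1744-0084},
      abstract   = {Purpose of this paper Today the amount of all kind of digital data (e.g., documents and e-mails), existing on every user's computer, is continuously growing. Users are faced with huge difficulties when it comes to handling the existing data pool and finding specific information respectively. We aim to discover new ways of searching and finding semi-structured data by integrating semantic metadata. Design/methodology/approach The proposed architecture allows cross border searches spanning various applications and operating system activities (e.g., file access and network traffic) and improves the human working process by offering context specific, automatically generated links that are created using ontologies. Findings The proposed semantic enrichment of automated gathered data is a useful approach to reflect the human way of thinking which is accomplished by remembering relations rather than keywords or tags. The proposed architecture supports the goals of supporting the human working process by managing and enriching personal data, e.g. by providing a database model which supports the semantic storage idea through a generic and flexible structure or the modular structure and composition of data collectors. Originality/value Available programs to manage personal data usually offer searches either via keywords or full text search. Each of these existing search methodologies has its shortcomings and apart from that, people tend to forget names of specific objects. It is often easier to remember the context of a situation in which e.g. a file was created or a website was visited. By proposing our architectural approach for handling semi-structured data we are able to offer sophisticated and more applicable search mechanism regarding the way of human thinking.},
      pdf        = {2007 - Ekelhart - Architectural Approach for Handling Semi-Structured Data in a User-Centered Working Environment.pdf},
    }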
  • Stefan Fenz and Edgar R. Weippl and Andreas Ekelhart and Gernot Goluch, "Ontological Mapping of Common Criterias Security Assurance Requirements," in New Approaches for Security, Privacy and Trust in Complex Environments, Proceedings of the IFIP TC 11 22nd International Information Security Conference, IFIPSEC2007, May 14-16, 2007, pp. 85-95. BibTeX
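    % NOTE(review): volume 232_2007 looks like a volume/year pair; confirm against the proceedings and keep only the volume number.
    @inproceedings{Ekelhart_OntologicalMappingof_2007,
      author     = {Fenz, Stefan and Weippl, {Edgar R.} and Ekelhart, Andreas and Goluch, Gernot},
      title      = {Ontological Mapping of {Common Criterias} Security Assurance Requirements},
      booktitle  = {New Approaches for Security, Privacy and Trust in Complex Environments, Proceedings of the IFIP TC 11 22nd International Information Security Conference, IFIPSEC2007, May 14-16},
      year       = {2007},
      month      = may,
      volume     = {232_2007},
      pages      = {85--95},
      publisher  = {International Federation for Information Processing},
      isbn       = {978-0-387-72366-2},
      abstract   = {The Common Criteria (CC) for Information Technology Security Evaluation provides comprehensive guidelines for the evaluation and certification of IT security regarding data security and data privacy. Due to the very complex and time-consuming certification process a lot of companies abstain from a CC certification. We created the CC Ontology tool, which is based on an ontological representation of the CC catalog, to support the evaluator at the certification process. Tasks such as the planning of an evaluation process, the review of relevant documents or the creating of reports are supported by the CC Ontology tool. With the development of this tool we reduce the time and costs needed to complete a certification.},
    }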
  • A Min Tjoa and Stefan Fenz and Edgar R. Weippl and Andreas Ekelhart, "Security Issues for the Use of Semantic Web in e-Commerce," in Business Information Systems, 10th International Conference on Business Information Systems, BIS 2007, 2007, pp. 1-13. BibTeX | PDF
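    % NOTE(review): number holds what looks like a truncated ISBN prefix (978-3-540-) rather than an issue number; confirm against the publisher record and move the full value to an isbn field.
    @inproceedings{Ekelhart_SecurityIssuesUse_2007,
      author     = {Tjoa, {A Min} and Fenz, Stefan and Weippl, {Edgar R.} and Ekelhart, Andreas},
      title      = {Security Issues for the Use of {Semantic Web} in e-Commerce},
      booktitle  = {Business Information Systems, 10th International Conference on Business Information Systems, BIS 2007},
      year       = {2007},
      month      = apr,
      number     = {978-3-540-},
      pages      = {1--13},
      publisher  = {Springer Berlin Heidelberg},
      pdf        = {2007 - Ekelhart - Security Issues for the Use of Semantic Web in e-Commerce.pdf},
    }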
  • Stefan Fenz and Edgar R. Weippl and Andreas Ekelhart and Gernot Goluch and Bernhard Riedl, "Information Security Fortification by Ontological Mapping of the ISO IEC 27001 Standard," in Proceedings of the 13th Pacific Rim International Symposium on Dependable Computing, PRDC2007, 2007, pp. 381-388. BibTeX | PDF
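    @inproceedings{Fenz_InformationSecurityFortification_2007,
      author     = {Fenz, Stefan and Weippl, {Edgar R.} and Ekelhart, Andreas and Goluch, Gernot and Riedl, Bernhard},
      title      = {Information Security Fortification by Ontological Mapping of the {ISO} {IEC} 27001 Standard},
      booktitle  = {Proceedings of the 13th Pacific Rim International Symposium on Dependable Computing, PRDC2007},
      year       = {2007},
      month      = dec,
      pages      = {381--388},
      publisher  = {IEEE Computer Society},
      isbn       = {0-7695-3054-0},
      pdf        = {2007 - Fenz - Information Security Fortification by Ontological Mapping of the ISOIEC 27001 Standard.pdf},
    }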
  • Stefan Fenz and Edgar R. Weippl and Andreas Ekelhart, "Security Ontologies: How to Improve Understanding of Complex Relationships," in Proceedings of the World Conference on Educational Multimedia, Hypermedia and Telecommunications 2007, 2007, pp. 404-407. BibTeX | PDF
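    @inproceedings{Weippl_SecurityOntologiesHow_2007,
      author     = {Fenz, Stefan and Weippl, {Edgar R.} and Ekelhart, Andreas},
      title      = {Security Ontologies: How to Improve Understanding of Complex Relationships},
      booktitle  = {Proceedings of the World Conference on Educational Multimedia, Hypermedia and Telecommunications 2007},
      year       = {2007},
      month      = jun,
      pages      = {404--407},
      publisher  = {AACE},
      abstract   = {It is commonly accepted that simulation can provide a valuable tool in improving learning. Building on a complex knowledge base of IT security related concepts we offer our students a simulation to experience how different safeguards can influence the outcome of security incidents. The goal is to teach students that countermeasures have to cost-effective, that is, the cost of installing and operating safeguards should not exceed the anticipated benefit.},
      pdf        = {2007 - Weippl - Security Ontologies How to Improve Understanding of Complex Relationships.pdf},
    }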
  • Stefan Fenz and Andreas Ekelhart and Gernot Goluch and Simon Tjoa and Stefan Jakoubi and Bernhard Riedl, "CASSIS – Computer-based Academy for Security and Safety in Information Systems," in Proceedings of the 2nd Conference on Availability, Reliability and Security, ARES2007, 2007, pp. 730-740. BibTeX | PDF
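    @inproceedings{Goluch_CASSISComputerbased_2007,
      author     = {Fenz, Stefan and Ekelhart, Andreas and Goluch, Gernot and Tjoa, Simon and Jakoubi, Stefan and Riedl, Bernhard},
      title      = {{CASSIS} - Computer-based Academy for Security and Safety in Information Systems},
      booktitle  = {Proceedings of the 2nd Conference on Availability, Reliability and Security, ARES2007},
      year       = {2007},
      month      = apr,
      pages      = {730--740},
      publisher  = {IEEE Computer Society},
      isbn       = {978-0-7695-2775-8},
      abstract   = {Information technologies and society are highly interwoven nowadays, but in both, the private and business sector, users are often not aware of security issues or lack proper security skills. The branch of information technology security is growing constantly but attacks against the vocational sector as well as the personal sector still cause great losses each day. Considering that the end-user is the weakest link of the security chain we aim to raise awareness, regarding IT security, and train and educate IT security skills by establishing a European-wide initiative and framework.},
      pdf        = {2007 - Goluch - CASSIS.pdf},
    }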
  • Stefan Fenz and Edgar R. Weippl and Andreas Ekelhart and Thomas Neubauer, "Formal threat descriptions for enhancing governmental risk assessment," in Proceedings of the First International Conference on Theory and Practice of Electronic Governance, 2007, pp. 40-43. BibTeX | PDF
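    @inproceedings{Ekelhart_Formalthreatdescriptions_2007,
      author     = {Fenz, Stefan and Weippl, {Edgar R.} and Ekelhart, Andreas and Neubauer, Thomas},
      title      = {Formal threat descriptions for enhancing governmental risk assessment},
      booktitle  = {Proceedings of the First International Conference on Theory and Practice of Electronic Governance},
      year       = {2007},
      month      = jan,
      volume     = {232},
      pages      = {40--43},
      publisher  = {ACM},
      isbn       = {978-1-59593-822-0},
      abstract   = {Compared to the last decades, we have recently seen more and more governmental applications which are provided via the Internet directly to the citizens. Due to the long history of IT systems in the governmental sector and the connection of these legacy systems to newer technologies, most governmental institutions are faced with a heterogeneous IT environment. More and more governmental duties and responsibilities rely solely on IT systems which have to be highly dependable to ensure the proper operation of these governmental services. An increasing amount of software vulnerabilities and the generally heightened physical threat level due to terror attacks and natural disasters demand for a holistic IT security approach which captures, manages, and secures the entire governmental IT infrastructure. Our contribution is (1) a novel inventory solution, (2) a mechanism to embed the virtual IT infrastructure data into a physical model provided by our security ontology, and (3) a methodology to automatically identify threatened assets and to reason on the current security status based on formal threat definitions taking software configurations and physical locations into account. A prototypical implementation of the aforementioned concepts shows how these concepts help governmental institutions to secure their IT infrastructure in a holistic and systematic way to fortify their IT systems in an appropriate way against current and future threats.},
      pdf        = {2007 - Ekelhart - Formal Threat Descriptions for Enhancing Governmental Risk Assessment.pdf},
    }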
  • A Min Tjoa and Stefan Fenz and Edgar R. Weippl and Markus Klemen and Andreas Ekelhart, "Ontology-based Business Knowledge for Simulating Threats to Corporate Assets," in Practical Aspects of Knowledge Management, 6th International Conference, PAKM 2006, 2006, pp. 37-48. BibTeX | PDF
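    % NOTE(review): volume 4333_2006 looks like a volume/year pair; confirm against the proceedings and keep only the volume number.
    @inproceedings{Ekelhart_OntologybasedBusinessKnowledge_2006,
      author     = {Tjoa, {A Min} and Fenz, Stefan and Weippl, {Edgar R.} and Klemen, Markus and Ekelhart, Andreas},
      title      = {Ontology-based Business Knowledge for Simulating Threats to Corporate Assets},
      booktitle  = {Practical Aspects of Knowledge Management, 6th International Conference, PAKM 2006},
      year       = {2006},
      month      = dec,
      volume     = {4333_2006},
      pages      = {37--48},
      publisher  = {Springer Berlin Heidelberg},
      isbn       = {978-3-540-49998-5},
      pdf        = {2006 - Ekelhart - Ontology-based Business Knowledge for Simulating Threats to Corporate Assets.pdf},
    }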
  • Stefan Fenz and Edgar R. Weippl and Markus Klemen and Andreas Ekelhart, "Security Ontology: Simulating Threats to Corporate Assets," in Information Systems Security, Second International Conference, ICISS 2006, 2006, pp. 249-259. BibTeX | PDF
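    % NOTE(review): volume 4332_2006 looks like a volume/year pair; confirm against the proceedings and keep only the volume number.
    @inproceedings{Ekelhart_SecurityOntologySimulating_2006,
      author     = {Fenz, Stefan and Weippl, {Edgar R.} and Klemen, Markus and Ekelhart, Andreas},
      title      = {Security Ontology: Simulating Threats to Corporate Assets},
      booktitle  = {Information Systems Security, Second International Conference, ICISS 2006},
      year       = {2006},
      month      = dec,
      volume     = {4332_2006},
      pages      = {249--259},
      publisher  = {Springer Berlin Heidelberg},
      isbn       = {978-3-540-68962-1},
      pdf        = {2006 - Ekelhart - Security Ontology Simulating Threats to Corporate Assets.pdf},
    }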
  • A Min Tjoa and Stefan Fenz and Edgar R. Weippl and Markus Klemen and Andreas Ekelhart, "The Semantic Desktop: A Semantic Personal Information Management System based on RDF and Topic Maps," in Proceedings of the ODBIS Workshop, 31st International Conference on Very Large Data Bases (VLDB) 2005, 2005, pp. 135-151. BibTeX | PDF
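    @inproceedings{Weippl_SemanticDesktopSemantic_2005,
      author     = {Tjoa, {A Min} and Fenz, Stefan and Weippl, {Edgar R.} and Klemen, Markus and Ekelhart, Andreas},
      title      = {The Semantic Desktop: A Semantic Personal Information Management System based on {RDF} and {Topic Maps}},
      booktitle  = {Proceedings of the ODBIS Workshop, 31st International Conference on Very Large Data Bases (VLDB) 2005},
      year       = {2005},
      month      = oct,
      number     = {4623},
      pages      = {135--151},
      pdf        = {2005 - Weippl - The Semantic Desktop.pdf},
      sbahotlist = {true},
    }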
