Stefan Fenz and Andreas Ekelhart and Thomas Neubauer, "Information Security Risk Management: In which security solutions is it worth investing?,"
Communications of the Association for Information Systems, vol. 28, iss. 1, pp. 329-356, 2011.
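@article{Fenz2011a,
  author        = {Fenz, Stefan and Ekelhart, Andreas and Neubauer, Thomas},
  title         = {Information Security Risk Management: In which security solutions is it worth investing?},
  journal       = {Communications of the Association for Information Systems},
  year          = {2011},
  month         = may,
  volume        = {28},
  number        = {1},
  pages         = {329--356},
  pdf           = {2011 - Fenz - Information Security Risk Management In Which Security Solutions Is It Worth Investing.pdf},
  sbahotlist    = {true},
  internal-note = {Fenz_Information_Security_Risk_Mana_2011 looks like an earlier (not yet published) record of this same article -- verify and merge},
}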
Stefan Fenz, "Electronic Business Interoperability: Concepts." IGI Global, 2011, pp. 596-614.
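@incollection{Fenz2011c,
  author        = {Fenz, Stefan},
  title         = {E-Business and Information Security Risk Management: Challenges and Potential Solutions},
  booktitle     = {Electronic Business Interoperability: Concepts, Opportunities and Challenges},
  publisher     = {IGI Global},
  year          = {2011},
  month         = mar,
  pages         = {596--614},
  isbn          = {978-1-60960-485-1},
  abstract      = {For almost all private individuals and especially organizations information technology (IT) including hardware},
  pdf           = {2011 - Fenz - E-Business and Information Security Risk Management.pdf},
  internal-note = {assumes a chapter in an edited volume, hence @incollection with the chapter title in title and the book title in booktitle (the record gave the book title as title and the chapter title in chapter) -- confirm; editors not recorded; abstract is truncated in the source; Fenz_Electronic_Business_Interopera_2011 appears to describe the same chapter},
}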
Stefan Fenz, "An Ontology- and Bayesian-based Approach for Determining Threat Probabilities," in
ASIA CCS ’11: 6th ACM Symposium on Information, Computer and Communications Security, 2011.
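@inproceedings{Fenz_An_Ontology_and_Bayesian_based_2011,
  author    = {Fenz, Stefan},
  title     = {An Ontology- and {Bayesian}-based Approach for Determining Threat Probabilities},
  booktitle = {{ASIA CCS} '11: 6th {ACM} Symposium on Information, Computer and Communications Security},
  publisher = {ACM},
  year      = {2011},
  month     = mar,
}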
Stefan Fenz, "E-Business and Information Security Risk Management: Challenges and Potential Solutions." IGI Global, 2011.
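@incollection{Fenz_Electronic_Business_Interopera_2011,
  author        = {Fenz, Stefan},
  title         = {E-Business and Information Security Risk Management: Challenges and Potential Solutions},
  booktitle     = {Electronic Business Interoperability: Concepts, Opportunities and Challenges},
  publisher     = {IGI Global},
  year          = {2011},
  month         = jan,
  internal-note = {chapter in an edited volume: @incollection puts the chapter title in title and the book in booktitle (as @inbook the book title would have been rendered as the chapter title); the former chapter field repeated the title and was dropped; Fenz2011c appears to be a more complete record of the same chapter (pages, ISBN) -- verify and merge},
}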
Stefan Fenz and Simon Parkin and Aad van Moorsel, "Do we have to reinvent the security wheel at every organization?,"
IT Professional, 2011.
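@article{Fenz_Do_we_have_to_reinvent_the_sec_2011,
  author        = {Fenz, Stefan and Parkin, Simon and van Moorsel, Aad},
  title         = {Do we have to reinvent the security wheel at every organization?},
  journal       = {IT Professional},
  year          = {2011},
  note          = {not published yet},
  internal-note = {month was recorded as NA (not a valid month macro) and has been dropped; possibly the pre-publication record of Fenz2011b (same authors, journal and year) -- verify and merge},
}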
Stefan Fenz and Andreas Ekelhart and Thomas Neubauer, "Information Security Risk Management: In which security solutions is it worth investing?,"
Communications of the Association for Information Systems, 2011.
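@article{Fenz_Information_Security_Risk_Mana_2011,
  author        = {Fenz, Stefan and Ekelhart, Andreas and Neubauer, Thomas},
  title         = {Information Security Risk Management: In which security solutions is it worth investing?},
  journal       = {Communications of the Association for Information Systems},
  year          = {2011},
  note          = {not published yet},
  sbahotlist    = {true},
  internal-note = {month was recorded as NA (not a valid month macro) and has been dropped; Fenz2011a is the published record of this article (volume, number, pages) -- verify and merge},
}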
Dimitrios Settas and Antonio Cerone and Stefan Fenz, "Towards Automatic Generation of Ontology-based Antipattern Bayesian Network Models," in
Proceedings of the 9th International Conference on Software Engineering Research Management and Applications, 2011.
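@inproceedings{_Towards_Automatic_Generation_o_2011,
  author    = {Settas, Dimitrios and Cerone, Antonio and Fenz, Stefan},
  title     = {Towards Automatic Generation of Ontology-based Antipattern {Bayesian} Network Models},
  booktitle = {Proceedings of the 9th International Conference on Software Engineering Research Management and Applications},
  year      = {2011},
  month     = aug,
  pdf       = {urkesettas.pdf},
}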
Stefan Fenz and Simon Parkin and Aad van Moorsel, "A Community Knowledge Base for IT Security,"
IT Professional, vol. 13, iss. 3, pp. 24-30, 2011.
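@article{Fenz2011b,
  author   = {Fenz, Stefan and Parkin, Simon and van Moorsel, Aad},
  title    = {A Community Knowledge Base for {IT} Security},
  journal  = {IT Professional},
  year     = {2011},
  month    = may,
  volume   = {13},
  number   = {3},
  pages    = {24--30},
  abstract = {Does every organization need to reinvent the wheel when it comes to IT security? Not if the IT community can develop a formal knowledge base for sharing and applying IT security management knowledge.},
  pdf      = {2011 - Fenz - A Community Knowledge Base for IT Security.pdf},
}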
Stefan Fenz, "Increasing Knowledge Capturing Efficiency by Enterprise Portals,"
VINE Journal, 2011.
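@article{_Increasing_Knowledge_Capturing_2011,
  author  = {Fenz, Stefan},
  title   = {Increasing Knowledge Capturing Efficiency by Enterprise Portals},
  journal = {VINE Journal},
  year    = {2011},
  month   = oct,
  pdf     = {sigproc-KCAPsample.pdf},
}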
Raydel Montesino and Stefan Fenz, "Automation possibilities in information security management," in
Proceedings of the European Conference in Intelligence Security Informatics 2011, 2011.
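@inproceedings{_Automation_possibilities_in_in_2011,
  author    = {Montesino, Raydel and Fenz, Stefan},
  title     = {Automation possibilities in information security management},
  booktitle = {Proceedings of the European Conference in Intelligence Security Informatics 2011},
  year      = {2011},
  month     = sep,
  pdf       = {PID1947709.pdf},
}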
Raydel Montesino and Stefan Fenz, "Information security automation: how far can we go," in
Proceedings of the Sixth International Conference on Availability, 2011, pp. 280-285.
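@inproceedings{_Information_security_automatio_2011,
  author    = {Montesino, Raydel and Fenz, Stefan},
  title     = {Information security automation: how far can we go},
  booktitle = {Proceedings of the Sixth International Conference on Availability},
  publisher = {IEEE Computer Society},
  year      = {2011},
  month     = aug,
  pages     = {280--285},
  abstract  = {Information security management is a very complex task which involves the implementation and monitoring of more than 130 security controls. To achieve greater efficiency in this process it is necessary to automate as many controls as possible. This paper provides an analysis of how many controls can be automated},
  pdf       = {Montesino.pdf},
}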
Stefan Fenz and Andreas Ekelhart, "Verification, Validation, and Evaluation in Information Security Risk Management,"
IEEE Security and Privacy, vol. 8, pp. 18-25, 2010.
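@article{Fenz_Verification_Validation_and_Ev_2010,
  author    = {Fenz, Stefan and Ekelhart, Andreas},
  title     = {Verification, Validation, and Evaluation in Information Security Risk Management},
  journal   = {IEEE Security and Privacy},
  publisher = {IEEE Computer Society},
  year      = {2010},
  month     = nov,
  volume    = {8},
  pages     = {18--25},
}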
Stefan Fenz, "Ontology-based Generation of IT-Security Metrics," in
Proceedings of the 2010 ACM Symposium on Applied Computing, 2010, pp. 1833-1839.
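@inproceedings{Fenz2010,
  author     = {Fenz, Stefan},
  title      = {Ontology-based Generation of {IT}-Security Metrics},
  booktitle  = {Proceedings of the 2010 {ACM} Symposium on Applied Computing},
  publisher  = {ACM},
  year       = {2010},
  month      = jan,
  pages      = {1833--1839},
  abstract   = {Legal regulations and industry standards require organizations to measure and maintain a specified IT-security level. Although several IT-security metrics approaches have been developed, a methodology for automatically generating ISO 27001-based IT-security metrics based on concrete organization-specific control implementation knowledge is missing. Based on the security ontology by Fenz et al., including information security domain knowledge and the necessary structures to incorporate organization-specific facts into the ontology, this paper proposes a methodology for automatically generating ISO 27001-based IT-security metrics. The conducted validation has shown that the research results are a first step towards increasing the degree of automation in the field of IT-security metrics. Using the introduced methodology, organizations are enabled to evaluate their compliance with information security standards, and to evaluate control implementations' effectiveness at the same time.},
  pdf        = {2010FenzOntologybasedGenerationMetrics.pdf},
  sbahotlist = {true},
}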
Stefan Fenz, "From the Resource to the Business Process Risk Level," in
Proceedings of the South African Information Security Multi-Conference (SAISMC’2010), 2010, pp. 100-109.
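@inproceedings{fenz2010resource,
  author    = {Fenz, Stefan},
  title     = {From the Resource to the Business Process Risk Level},
  booktitle = {Proceedings of the South African Information Security Multi-Conference ({SAISMC}'2010)},
  year      = {2010},
  month     = jan,
  pages     = {100--109},
  pdf       = {fenz2010resource.pdf},
}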
Stefan Fenz and Thomas Neubauer, "How to Determine Threat Probabilities Using Ontologies and Bayesian Networks," in
CSIIRW ’09: Proceedings of the 5th Annual Workshop on Cyber Security and Information Intelligence Research, 2009.
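@inproceedings{Fenz_HowtoDetermine_2009,
  author    = {Fenz, Stefan and Neubauer, Thomas},
  title     = {How to Determine Threat Probabilities Using Ontologies and {Bayesian} Networks},
  booktitle = {{CSIIRW} '09: Proceedings of the 5th Annual Workshop on Cyber Security and Information Intelligence Research},
  publisher = {ACM},
  year      = {2009},
  month     = jan,
  abstract  = {The subjective threat probability determination is one of the main reasons for an inadequate information security strategy endangering the organization in performing its mission. To address the problem this research project proposes an ontology- and Bayesian-based approach for determining asset-specific and comprehensible threat probabilities. The elaborated concepts enable risk managers to comprehensibly quantify the current security status of their organization.},
  pdf       = {2009 - Fenz - How to Determine Threat Probabilities Using Ontologies and Bayesian Networks.pdf},
}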
Stefan Fenz and Andreas Ekelhart and Thomas Neubauer, "Business Process-based Resource Importance Determination," in
Proceedings of the 7th International Conference on Business Process Management (BPM 2009), 2009, pp. 113-127.
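@inproceedings{Fenz_BusinessProcessbasedResource_2009,
  author     = {Fenz, Stefan and Ekelhart, Andreas and Neubauer, Thomas},
  title      = {Business Process-based Resource Importance Determination},
  booktitle  = {Proceedings of the 7th International Conference on Business Process Management ({BPM} 2009)},
  publisher  = {Springer},
  year       = {2009},
  month      = jan,
  pages      = {113--127},
  note       = {accepted for publication},
  abstract   = {Information security risk management (ISRM) heavily depends on realistic impact values representing the resources importance in the overall organizational context. Although a variety of ISRM approaches have been proposed, well-founded methods that provide an answer to the following question are still missing: How can business processes be used to determine resources importance in the overall organizational context? We answer this question by measuring the actual importance level of resources based on business processes. Therefore, this paper presents our novel business process-based resource importance determination method which provides ISRM with an efficient and powerful tool for deriving realistic resource importance figures solely from existing business processes. The conducted evaluation has shown that the calculation results of the developed method comply to the results gained in traditional workshop-based assessments.},
  pdf        = {2009 - Fenz - Business Process-based Resource Importance Determination.pdf},
  sbahotlist = {true},
}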
Stefan Fenz and Andreas Ekelhart and Thomas Neubauer, "Automated Risk and Utility Management," in
2009 Sixth International Conference on Information Technology: New Generations, 2009, pp. 393-398.
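@inproceedings{Ekelhart_AutomatedRiskand_2009,
  author    = {Fenz, Stefan and Ekelhart, Andreas and Neubauer, Thomas},
  title     = {Automated Risk and Utility Management},
  booktitle = {2009 Sixth International Conference on Information Technology: New Generations},
  publisher = {IEEE Computer Society},
  year      = {2009},
  month     = jan,
  pages     = {393--398},
  abstract  = {Information security breaches pose major threats to the reliable execution of corporate strategies and may have negative effects on business value. Information security risk management (ISRM) provides an effective approach for assessing, mitigating, and evaluating information security risks. Existing ISRM approaches are highly accepted but demand very detailed knowledge about the IT security domain and the actual company environment. This paper presents the AURUM prototype that supports decision makers in selecting security measures according to organization-specific technical and economical requirements.},
  pdf       = {2009 - Ekelhart - Automated Risk and Utility Management.pdf},
}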
Stefan Fenz and Thomas Pruckner and Arman Manutscheri, "Ontological Mapping of Information Security Best-Practice Guidelines," in
Business Information Systems, 12th International Conference on Business Information Systems, BIS 2009, 2009.
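@inproceedings{Fenz_OntologicalMappingof_2009,
  author    = {Fenz, Stefan and Pruckner, Thomas and Manutscheri, Arman},
  title     = {Ontological Mapping of Information Security Best-Practice Guidelines},
  booktitle = {Business Information Systems, 12th International Conference on Business Information Systems, {BIS} 2009},
  publisher = {Springer Berlin Heidelberg},
  year      = {2009},
  month     = apr,
  pdf       = {2009 - Fenz - Ontological Mapping of Information Security Best-Practice Guidelines.pdf},
}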
Stefan Fenz and Andreas Ekelhart and Thomas Neubauer, "AURUM: A Framework for Supporting Information Security Risk Management," in
Proceedings of the 42nd Hawaii International Conference on System Sciences, HICSS2009, 2009, pp. 1-10.
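@inproceedings{Ekelhart_AURUMFrameworkSupporting_2009,
  author     = {Fenz, Stefan and Ekelhart, Andreas and Neubauer, Thomas},
  title      = {{AURUM}: A Framework for Supporting Information Security Risk Management},
  booktitle  = {Proceedings of the 42nd Hawaii International Conference on System Sciences, {HICSS2009}},
  publisher  = {IEEE Computer Society},
  year       = {2009},
  month      = jan,
  pages      = {1--10},
  isbn       = {978-0-7695-3450-3},
  abstract   = {As companies are increasingly exposed to a variety of information security threats, they are permanently forced to pay attention to security issues. Risk management provides an effective approach for measuring the security through risk assessment, risk mitigation and evaluation. Existing risk management approaches are highly accepted but demand very detailed knowledge about the IT security domain and the actual company environment. This paper presents AURUM - a new methodology for supporting the NIST SP 800-30 risk management standard - and provides a comparison with the GSTool and CRISAM in order to highlight the benefits decision makers may expect when using AURUM.},
  pdf        = {2009 - Ekelhart - AURUM A Framework for Information Security Risk Management.pdf},
  sbahotlist = {true},
}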
Stefan Fenz and Andreas Ekelhart and Thomas Neubauer, "Ontology-based Decision Support for Information Security Risk Management," in
International Conference on Systems, 2009. ICONS 2009., 2009, pp. 80-85.
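@inproceedings{Ekelhart_OntologybasedDecisionSupport_2009,
  author    = {Fenz, Stefan and Ekelhart, Andreas and Neubauer, Thomas},
  title     = {Ontology-based Decision Support for Information Security Risk Management},
  booktitle = {International Conference on Systems, 2009. {ICONS} 2009.},
  publisher = {IEEE Computer Society},
  year      = {2009},
  month     = mar,
  pages     = {80--85},
  abstract  = {As e-Business and e-Commerce applications are increasingly exposed to a variety of information security threats, corporate decision makers are increasingly forced to pay attention to security issues. Risk management provides an effective approach for measuring the security but existing risk management approaches come with major shortcomings such as the demand for very detailed knowledge about the IT security domain and the actual company environment. This paper presents the implementation of the AURUM methodology into a software solution which addresses the identified shortcomings of existing information security risk management software solutions. Thereby, the presented approach supports decision makers in risk assessment, risk mitigation, and safeguard evaluation.},
  pdf       = {2009 - Ekelhart - Ontology-based Decision Support for Information Security Risk Management.pdf},
}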
Stefan Fenz and Andreas Ekelhart, "Formalizing Information Security Knowledge," in
Proceedings of the 4th ACM Symposium on Information, Computer, and Communications Security, 2009, pp. 183-194.
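@inproceedings{Fenz_FormalizingInformationSecurity_2009,
  author    = {Fenz, Stefan and Ekelhart, Andreas},
  title     = {Formalizing Information Security Knowledge},
  booktitle = {Proceedings of the 4th {ACM} Symposium on Information, Computer, and Communications Security},
  publisher = {ACM},
  year      = {2009},
  month     = jan,
  pages     = {183--194},
  isbn      = {978-1-60558-394-5},
  abstract  = {Unified and formal knowledge models of the information security domain are fundamental requirements for supporting and enhancing existing risk management approaches. This paper describes a security ontology which provides an ontological structure for information security domain knowledge. Besides existing best-practice guidelines such as the German IT Grundschutz Manual also concrete knowledge of the considered organization is incorporated. An evaluation conducted by an information security expert team has shown that this knowledge model can be used to support a broad range of information security risk management approaches.},
  pdf       = {2009 - Fenz - Formalizing Information Security Knowledge.pdf},
}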
Stefan Fenz and Andreas Ekelhart and Thomas Neubauer, "Ontologiebasiertes IT Risikomanagement," in
D.A.CH Security 2009, 2009, pp. 14-24.
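@inproceedings{Ekelhart_OntologiebasiertesITRisikomanagement_2009,
  author    = {Fenz, Stefan and Ekelhart, Andreas and Neubauer, Thomas},
  title     = {Ontologiebasiertes {IT} Risikomanagement},
  booktitle = {D.A.CH Security 2009},
  publisher = {Syssec},
  year      = {2009},
  month     = jan,
  pages     = {14--24},
  abstract  = {Informationssicherheitsrisikomanagement (Information Security Risk Management, ISRM) stellt einen effizienten Zugang zur Bewertung, Verringerung und Evaluierung von Informationssicherheitsrisiken dar. Bereits bestehende ISRM-Ans{\"a}tze sind weitgehend akzeptiert, setzen jedoch sehr detailliertes Informationssicherheitswissen und genaue Kenntnisse des tats{\"a}chlichen Unternehmensumfeldes voraus. Die inad{\"a}quate Umsetzung von ISRM gef{\"a}hrdet die planm{\"a}{\ss}ige Umsetzung der Unternehmensstrategie und kann zu einer Minderung des Unternehmenswertes f{\"u}hren. Der vorliegende Beitrag pr{\"a}sentiert das AURUM Tool, welches die Schwachstellen bestehender Ans{\"a}tze adressiert und Entscheidungstr{\"a}ger bei der Auswahl eines effizienten IT-Sicherheitsportfolios unter Ber{\"u}cksichtigung organisationsspezifischer, technischer und wirtschaftlicher Anforderungen unterst{\"u}tzt.},
  pdf       = {2009 - Ekelhart - Ontologiebasiertes IT Risikomanagement.pdf},
}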
A Min Tjoa and Stefan Fenz and Marcus Hudec, "Ontology-based Generation of Bayesian Networks," in
International Conference on Complex, Intelligent and Software Intensive Systems, 2009. CISIS ’09., 2009, pp. 712-717.
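@inproceedings{Fenz_OntologybasedGenerationof_2009,
  author    = {Tjoa, A Min and Fenz, Stefan and Hudec, Marcus},
  title     = {Ontology-based Generation of {Bayesian} Networks},
  booktitle = {International Conference on Complex, Intelligent and Software Intensive Systems, 2009. {CISIS} '09.},
  publisher = {IEEE Computer Society},
  year      = {2009},
  month     = jan,
  pages     = {712--717},
  abstract  = {Bayesian networks are indispensable for determining the probability of events which are influenced by various components. Bayesian probabilities encode degrees of belief about certain events and a dynamic knowledge body is used to strengthen, update, or weaken these assumptions. The creation of Bayesian networks requires at least three challenging tasks: (i) the determination of relevant influence factors, (ii) the determination of relationships between the identified influence factors, and (iii) the calculation of the conditional probability tables for each node in the Bayesian network. Based on existing domain ontologies, we propose a method for the ontology-based generation of Bayesian networks. The ontology is used to provide the necessary knowledge about relevant influence factors, their relationships, their weights, and the scale which represents potential states of the identified influence factors. The developed method enables, based on existing ontologies, the semi-automatic generation and alternation of Bayesian networks.},
  pdf       = {2009 - Fenz - Ontology-based Generation of Bayesian Networks.pdf},
}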
Stefan Fenz and Edgar R. Weippl and Andreas Ekelhart and Gernot Goluch and Markus Steinkellner, "XML Security – A comparative literature review,"
Journal of Systems and Software, vol. 81, pp. 1715-1724, 2008.
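@article{Ekelhart_XMLSecurity_2008,
  author     = {Fenz, Stefan and Weippl, Edgar R. and Ekelhart, Andreas and Goluch, Gernot and Steinkellner, Markus},
  title      = {{XML} Security -- A comparative literature review},
  journal    = {Journal of Systems and Software},
  year       = {2008},
  month      = jan,
  volume     = {81},
  pages      = {1715--1724},
  issn       = {0164-1212},
  abstract   = {Since the turn of the millenium, Working Groups of the W3C have been concentrating on the development of XML based security standards, which are paraphrased as XML Security. XML Security consists of three recommendations: XML (Digital) Signature, XML Encryption and XML Key Management Specification (XKMS), all of them published by the W3C. By means of a review of the available literature the authors draw several conclusions about the status quo of XML Security. Furthermore the current state and focuses of research as well as the existing challenges are derived. Trends to different application areas - e.g. use of XML Security for Mobile Computing - are also outlined. Based on this information the analyzed results are discussed and a future outlook is predicted.},
  pdf        = {2008 - Ekelhart - XML security -- A Comparative Literature Review.pdf},
  sbahotlist = {true},
}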
Stefan Fenz, "Ontology- and Bayesian-based information security risk management." 2008.
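@inproceedings{Fenz_OntologyandBayesianbased_2008,
  author        = {Fenz, Stefan},
  title         = {Ontology- and {Bayesian}-based information security risk management},
  year          = {2008},
  month         = oct,
  internal-note = {the required booktitle field is missing (the source record names no venue); BibTeX will warn and render no venue -- supply it or reclassify the entry (e.g. as a talk) once the venue is known},
}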
Stefan Fenz and Edgar R. Weippl and Andreas Ekelhart, "Fortification of IT security by automatic security advisory processing," in
Proceedings of the 22nd International Conference on Advanced Information Networking and Applications, AINA2008, 2008, pp. 575-582.
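@inproceedings{Fenz_FortificationofIT_2008,
  author    = {Fenz, Stefan and Weippl, Edgar R. and Ekelhart, Andreas},
  title     = {Fortification of {IT} security by automatic security advisory processing},
  booktitle = {Proceedings of the 22nd International Conference on Advanced Information Networking and Applications, {AINA2008}},
  publisher = {IEEE Computer Society},
  year      = {2008},
  month     = mar,
  pages     = {575--582},
  abstract  = {The past years have seen the rapid increase of security related incidents in the field of information technology. IT infrastructures in the commercial as well as in the governmental sector are becoming evermore heterogeneous which increases the complexity of handling and maintaining an adequate security level. Especially organizations which are hosting and processing highly sensitive data are obligated to establish a holistic company-wide security approach. We propose a novel security concept to reduce this complexity by automatic assessment of security advisories. A central entity collects vulnerability information from various sources, converts it into a standardized and machine-readable format and distributes it to its subscribers. The subscribers are then able to automatically map the vulnerability information to the ontological stored infrastructure data to visualize newly-discovered software vulnerabilities. The automatic analysis of vulnerabilities decreases response times and permits precise response to new threats and vulnerabilities, thus decreasing the administration complexity and increasing the IT security level.},
  pdf       = {2008 - Fenz - Fortification of IT Security by Automatic Security Advisory Processing.pdf},
}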
Stefan Fenz and Edgar R. Weippl and Andreas Ekelhart, "Semantic Potential of existing Security Advisory Standards," in
Proceedings of the FIRST2008 Conference, 2008.
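@inproceedings{Fenz_SemanticPotentialof_2008,
  author    = {Fenz, Stefan and Weippl, Edgar R. and Ekelhart, Andreas},
  title     = {Semantic Potential of existing Security Advisory Standards},
  booktitle = {Proceedings of the {FIRST2008} Conference},
  year      = {2008},
  month     = jan,
  abstract  = {New discoveries made on a nearly daily basis and the constantly growing amount of vulnerabilities in software products have led to the distribution of great numbers of vendor dependent vulnerability information over various channels such as mailing lists and RSS (Really Simple Syndication) feeds. However, the format of these messages presents a major problem as it lacks standardized, semantic information, resulting in very time-intensive, expensive, and error-prone processing due to the necessary human involvement. Recent developments in the field of IT security have increased the need for a sound semantic security advisory standard that allows for automatic processing of relevant security advisories in a more precise and timely manner. This would reduce pressure on organizations trying to keep their complex infrastructures secure and up-to-date by complying with standards, such as Basel II and local legislations. This paper conducts an evaluation of existing security advisory standards to identify usable semantic standards, which enable the automated processing of security advisories to ensure faster reaction times and precise response to new threats and vulnerabilities. In this way IT management can concentrate on solutions rather than on filtering messages.},
  pdf       = {2008 - Fenz - Semantic Potential of Existing Security Advisory Standards.pdf},
}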
A Min Tjoa and Stefan Fenz, "Ontology- and Bayesian-based Threat Probability Determination," in
Proceedings of the Junior Scientist Conference 2008, 2008, pp. 69-70.
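@inproceedings{Fenz_OntologyandBayesianbased_2008a,
  author    = {Tjoa, A Min and Fenz, Stefan},
  title     = {Ontology- and {Bayesian}-based Threat Probability Determination},
  booktitle = {Proceedings of the Junior Scientist Conference 2008},
  publisher = {Vienna University of Technology},
  year      = {2008},
  month     = nov,
  pages     = {69--70},
  abstract  = {Information security risk management is crucial for ensuring long-term business success and thus numerous approaches to implementing an adequate information security risk management strategy have been proposed. The subjective threat probability determination is one of the main reasons for an inadequate information security strategy endangering the organization in performing its mission. To address the problem this research project proposes an ontology- and Bayesian-based approach for determining asset-specific and comprehensible threat probabilities. The elaborated concepts enable risk managers to comprehensibly quantify the current security status of their organization.},
}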
Stefan Fenz and Andreas Ekelhart and Thomas Neubauer, "Interactive Selection of ISO 27001 Controls under Multiple Objectives," in
Proceedings of the Ifip Tc 11 23rd International Information Security Conference, IFIPSec 2008, 2008, pp. 477-492.
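@inproceedings{Neubauer_InteractiveSelectionof_2008,
  author        = {Fenz, Stefan and Ekelhart, Andreas and Neubauer, Thomas},
  title         = {Interactive Selection of {ISO} 27001 Controls under Multiple Objectives},
  booktitle     = {Proceedings of the {IFIP} {TC} 11 23rd International Information Security Conference, {IFIPSec} 2008},
  publisher     = {Springer},
  year          = {2008},
  month         = jul,
  volume        = {278\_2008},
  pages         = {477--492},
  pdf           = {2008 - Neubauer - Interactive Selection of ISO 27001 Controls under Multiple Objectives.pdf},
  internal-note = {volume was recorded as 278_2008 with a bare underscore, which breaks LaTeX outside math mode; it is escaped here to keep the value, but the _2008 suffix looks like an export artifact -- check the series volume number and replace},
}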
Stefan Fenz and Thomas Neubauer and Bernhard Riedl and Veronika Grascher, "Pseudonymization for improving the privacy in e-Health applications," in
Proceedings of the 41st Hawaii International Conference on System Sciences, HICSS2008, 2008, pp. 255-264.
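@inproceedings{Riedl_Pseudonymizationimprovingprivacy_2008,
  author     = {Fenz, Stefan and Neubauer, Thomas and Riedl, Bernhard and Grascher, Veronika},
  title      = {Pseudonymization for improving the privacy in {e-Health} applications},
  booktitle  = {Proceedings of the 41st Hawaii International Conference on System Sciences, {HICSS2008}},
  publisher  = {IEEE Computer Society},
  year       = {2008},
  month      = jan,
  pages      = {255--264},
  isbn       = {978-0-7695-3075-8},
  pdf        = {2008 - Riedl - Pseudonymization for Improving the Privacy in e-Health Applications.pdf},
  sbahotlist = {true},
}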
Stefan Fenz and Andreas Ekelhart and Gernot Goluch and Simon Tjoa and Stefan Jakoubi and Thomas Mueck, "Integration of an Ontological Information Security Concept in Risk Aware Business Process Management," in
Proceedings of the 41st Hawaii International Conference on System Sciences, HICSS2008, 2008, pp. 377-385.
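@inproceedings{Goluch_IntegrationofOntological_2008,
  author     = {Fenz, Stefan and Ekelhart, Andreas and Goluch, Gernot and Tjoa, Simon and Jakoubi, Stefan and Mueck, Thomas},
  title      = {Integration of an Ontological Information Security Concept in Risk Aware Business Process Management},
  booktitle  = {Proceedings of the 41st Hawaii International Conference on System Sciences, {HICSS2008}},
  publisher  = {IEEE Computer Society},
  year       = {2008},
  month      = jan,
  pages      = {377--385},
  isbn       = {978-0-7695-3075-8},
  pdf        = {2008 - Goluch - Integration of an Ontological Information Security Concept in Risk-Aware Business Process Management.pdf},
  sbahotlist = {true},
}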
A Min Tjoa and Stefan Fenz and Edgar R. Weippl and Andreas Ekelhart and Witold Abramowicz and Dominik Zyskowski and Monika Kaczmarek, "Security aspects in Semantic Web Services Filtering," in
Proceedings of the 9th @WAS International Conference on Information Integration and Web-based Applications & Services (iiWAS2007), 2007, pp. 21-31.
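@inproceedings{Abramowicz_Securityaspectsin_2007,
  author    = {Tjoa, A Min and Fenz, Stefan and Weippl, Edgar R. and Ekelhart, Andreas and Abramowicz, Witold and Zyskowski, Dominik and Kaczmarek, Monika},
  title     = {Security aspects in {Semantic Web} Services Filtering},
  booktitle = {Proceedings of the 9th @WAS International Conference on Information Integration and Web-based Applications \& Services (iiWAS2007)},
  year      = {2007},
  month     = jan,
  abstract  = {Security and trust aspects, perceived as difficult to quantify, have been neglected in various service interactions. However, factors related to security and trust are in fact crucial in the overall value of service quality. A security ontology that enables a quantification of risks related to the usage of Semantic Web services in enterprise information systems was created to meet users' requirements and enhance Semantic Web services with machine processable security information. This article presents how this security ontology can be integrated into the Web service description and how it enhances the process of Web services filtering.},
  pdf       = {2007 - Abramowicz - Security Aspects in Semantic Web Services Filtering.pdf},
  volume    = {229},
  pages     = {21--31},
  publisher = {Austrian Computer Society},
}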
Stefan Fenz and Edgar R. Weippl and Markus Klemen and Andreas Ekelhart and Gernot Goluch, "Architectural approach for handling semi-structured data in an user-centered working environment,"
International Journal of Web Information Systems, vol. 3, iss. 3, pp. 198-211, 2007.
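@article{Ekelhart_Architecturalapproachhandling_2007,
  author   = {Fenz, Stefan and Weippl, Edgar R. and Klemen, Markus and Ekelhart, Andreas and Goluch, Gernot},
  title    = {Architectural approach for handling semi-structured data in an user-centered working environment},
  journal  = {International Journal of Web Information Systems},
  year     = {2007},
  month    = jan,
  abstract = {Purpose of this paper Today the amount of all kind of digital data (e.g., documents and e-mails), existing on every user's computer, is continuously growing. Users are faced with huge difficulties when it comes to handling the existing data pool and finding specific information respectively. We aim to discover new ways of searching and finding semi-structured data by integrating semantic metadata. Design/methodology/approach The proposed architecture allows cross border searches spanning various applications and operating system activities (e.g., file access and network traffic) and improves the human working process by offering context specific, automatically generated links that are created using ontologies. Findings The proposed semantic enrichment of automated gathered data is a useful approach to reflect the human way of thinking which is accomplished by remembering relations rather than keywords or tags. The proposed architecture supports the goals of supporting the human working process by managing and enriching personal data, e.g. by providing a database model which supports the semantic storage idea through a generic and flexible structure or the modular structure and composition of data collectors. Originality/value Available programs to manage personal data usually offer searches either via keywords or full text search. Each of these existing search methodologies has its shortcomings and apart from that, people tend to forget names of specific objects. It is often easier to remember the context of a situation in which e.g. a file was created or a website was visited. By proposing our architectural approach for handling semi-structured data we are able to offer sophisticated and more applicable search mechanism regarding the way of human thinking.},
  pdf      = {2007 - Ekelhart - Architectural Approach for Handling Semi-Structured Data in a User-Centered Working Environment.pdf},
  volume   = {3},
  number   = {3},
  pages    = {198--211},
  issn     = {1744-0084},
}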
Stefan Fenz and Edgar R. Weippl and Andreas Ekelhart, "Security Ontologies: How to Improve Understanding of Complex Relationships," in
Proceedings of the World Conference on Educational Multimedia, Hypermedia and Telecommunications 2007, 2007, pp. 404-407.
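@inproceedings{Weippl_SecurityOntologiesHow_2007,
  author    = {Fenz, Stefan and Weippl, Edgar R. and Ekelhart, Andreas},
  title     = {Security Ontologies: How to Improve Understanding of Complex Relationships},
  booktitle = {Proceedings of the World Conference on Educational Multimedia, Hypermedia and Telecommunications 2007},
  year      = {2007},
  month     = jun,
  abstract  = {It is commonly accepted that simulation can provide a valuable tool in improving learning. Building on a complex knowledge base of IT security related concepts we offer our students a simulation to experience how different safeguards can influence the outcome of security incidents. The goal is to teach students that countermeasures have to cost-effective, that is, the cost of installing and operating safeguards should not exceed the anticipated benefit.},
  pdf       = {2007 - Weippl - Security Ontologies How to Improve Understanding of Complex Relationships.pdf},
  pages     = {404--407},
  publisher = {AACE},
}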
Stefan Fenz and Edgar R. Weippl and Andreas Ekelhart and Gernot Goluch, "Ontological Mapping of Common Criterias Security Assurance Requirements," in
New Approaches for Security, Privacy and Trust in Complex Environments, Proceedings of the IFIP TC 11 22nd International Information Security Conference, IFIPSEC2007, May 14-16, 2007, pp. 85-95.
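@inproceedings{Ekelhart_OntologicalMappingof_2007,
  author        = {Fenz, Stefan and Weippl, Edgar R. and Ekelhart, Andreas and Goluch, Gernot},
  title         = {Ontological Mapping of {Common Criterias} Security Assurance Requirements},
  booktitle     = {New Approaches for Security, Privacy and Trust in Complex Environments, Proceedings of the IFIP TC 11 22nd International Information Security Conference, IFIPSEC2007, May 14-16},
  year          = {2007},
  month         = may,
  abstract      = {The Common Criteria (CC) for Information Technology Security Evaluation provides comprehensive guidelines for the evaluation and certification of IT security regarding data security and data privacy. Due to the very complex and time-consuming certification process a lot of companies abstain from a CC certification. We created the CC Ontology tool, which is based on an ontological representation of the CC catalog, to support the evaluator at the certification process. Tasks such as the planning of an evaluation process, the review of relevant documents or the creating of reports are supported by the CC Ontology tool. With the development of this tool we reduce the time and costs needed to complete a certification.},
  volume        = {232},
  pages         = {85--95},
  publisher     = {International Federation for Information Processing},
  isbn          = {978-0-387-72366-2},
  internal-note = {volume was exported as 232_2007; the year suffix was dropped because an unescaped underscore breaks LaTeX and the year is already in the year field},
}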
A Min Tjoa and Stefan Fenz and Edgar R. Weippl and Andreas Ekelhart, "Security Issues for the Use of Semantic Web in e-Commerce," in
Business Information Systems, 10th International Conference on Business Information Systems, BIS 2007, 2007, pp. 1-13.
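@inproceedings{Ekelhart_SecurityIssuesUse_2007,
  author        = {Tjoa, A Min and Fenz, Stefan and Weippl, Edgar R. and Ekelhart, Andreas},
  title         = {Security Issues for the Use of {Semantic Web} in {e-Commerce}},
  booktitle     = {Business Information Systems, 10th International Conference on Business Information Systems, BIS 2007},
  year          = {2007},
  month         = apr,
  pdf           = {2007 - Ekelhart - Security Issues for the Use of Semantic Web in e-Commerce.pdf},
  pages         = {1--13},
  publisher     = {Springer Berlin Heidelberg},
  internal-note = {export carried number = 978-3-540- (a truncated ISBN prefix in the wrong field); removed -- add the complete ISBN in an isbn field once verified},
}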
Stefan Fenz and Edgar R. Weippl and Andreas Ekelhart and Gernot Goluch and Bernhard Riedl, "Information Security Fortification by Ontological Mapping of the ISO IEC 27001 Standard," in
Proceedings of the 13th Pacific Rim International Symposium on Dependable Computing, PRDC2007, 2007, pp. 381-388.
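@inproceedings{Fenz_InformationSecurityFortification_2007,
  author    = {Fenz, Stefan and Weippl, Edgar R. and Ekelhart, Andreas and Goluch, Gernot and Riedl, Bernhard},
  title     = {Information Security Fortification by Ontological Mapping of the {ISO} {IEC} 27001 Standard},
  booktitle = {Proceedings of the 13th Pacific Rim International Symposium on Dependable Computing, PRDC2007},
  year      = {2007},
  month     = dec,
  pdf       = {2007 - Fenz - Information Security Fortification by Ontological Mapping of the ISOIEC 27001 Standard.pdf},
  pages     = {381--388},
  publisher = {IEEE Computer Society},
  isbn      = {0-7695-3054-0},
}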
Stefan Fenz and Edgar R. Weippl and Andreas Ekelhart and Thomas Neubauer, "Formal threat descriptions for enhancing governmental risk assessment," in
Proceedings of the First International Conference on Theory and Practice of Electronic Governance, 2007, pp. 40-43.
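@inproceedings{Ekelhart_Formalthreatdescriptions_2007,
  author    = {Fenz, Stefan and Weippl, Edgar R. and Ekelhart, Andreas and Neubauer, Thomas},
  title     = {Formal threat descriptions for enhancing governmental risk assessment},
  booktitle = {Proceedings of the First International Conference on Theory and Practice of Electronic Governance},
  year      = {2007},
  month     = jan,
  abstract  = {Compared to the last decades, we have recently seen more and more governmental applications which are provided via the Internet directly to the citizens. Due to the long history of IT systems in the governmental sector and the connection of these legacy systems to newer technologies, most governmental institutions are faced with a heterogeneous IT environment. More and more governmental duties and responsibilities rely solely on IT systems which have to be highly dependable to ensure the proper operation of these governmental services. An increasing amount of software vulnerabilities and the generally heightened physical threat level due to terror attacks and natural disasters demand for a holistic IT security approach which captures, manages, and secures the entire governmental IT infrastructure. Our contribution is (1) a novel inventory solution, (2) a mechanism to embed the virtual IT infrastructure data into a physical model provided by our security ontology, and (3) a methodology to automatically identify threatened assets and to reason on the current security status based on formal threat definitions taking software configurations and physical locations into account. A prototypical implementation of the aforementioned concepts shows how these concepts help governmental institutions to secure their IT infrastructure in a holistic and systematic way to fortify their IT systems in an appropriate way against current and future threats.},
  pdf       = {2007 - Ekelhart - Formal Threat Descriptions for Enhancing Governmental Risk Assessment.pdf},
  volume    = {232},
  pages     = {40--43},
  publisher = {ACM},
  isbn      = {978-1-59593-822-0},
}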
Stefan Fenz and Andreas Ekelhart and Gernot Goluch and Simon Tjoa and Stefan Jakoubi and Bernhard Riedl, "CASSIS – Computer-based Academy for Security and Safety in Information Systems," in
Proceedings of the 2nd Conference on Availability, Reliability and Security, ARES2007, 2007, pp. 730-740.
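@inproceedings{Goluch_CASSISComputerbased_2007,
  author    = {Fenz, Stefan and Ekelhart, Andreas and Goluch, Gernot and Tjoa, Simon and Jakoubi, Stefan and Riedl, Bernhard},
  title     = {{CASSIS} -- Computer-based Academy for Security and Safety in Information Systems},
  booktitle = {Proceedings of the 2nd Conference on Availability, Reliability and Security, ARES2007},
  year      = {2007},
  month     = apr,
  abstract  = {Information technologies and society are highly interwoven nowadays, but in both, the private and business sector, users are often not aware of security issues or lack proper security skills. The branch of information technology security is growing constantly but attacks against the vocational sector as well as the personal sector still cause great losses each day. Considering that the end-user is the weakest link of the security chain we aim to raise awareness, regarding IT security, and train and educate IT security skills by establishing a European-wide initiative and framework.},
  pdf       = {2007 - Goluch - CASSIS.pdf},
  pages     = {730--740},
  publisher = {IEEE Computer Society},
  isbn      = {978-0-7695-2775-8},
}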
Stefan Fenz and Edgar R. Weippl and Markus Klemen and Andreas Ekelhart, "Security Ontologies: Improving Quantitative Risk Analysis," in
Proceedings of the 40th Hawaii International Conference on System Sciences, HICSS2007, 2007, pp. 156-162.
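@inproceedings{Ekelhart_SecurityOntologiesImproving_2007,
  author     = {Fenz, Stefan and Weippl, Edgar R. and Klemen, Markus and Ekelhart, Andreas},
  sbahotlist = {true},
  title      = {Security Ontologies: Improving Quantitative Risk Analysis},
  booktitle  = {Proceedings of the 40th Hawaii International Conference on System Sciences, HICSS2007},
  year       = {2007},
  month      = jan,
  pdf        = {2007 - Ekelhart - Security Ontologies Improving Quantitative Risk Analysis.pdf},
  pages      = {156--162},
  publisher  = {IEEE Computer Society},
  isbn       = {0-7695-2755-8},
}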
A Min Tjoa and Stefan Fenz and Edgar R. Weippl and Markus Klemen and Andreas Ekelhart, "Ontology-based Business Knowledge for Simulating Threats to Corporate Assets," in
Practical Aspects of Knowledge Management, 6th International Conference, PAKM 2006, 2006, pp. 37-48.
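@inproceedings{Ekelhart_OntologybasedBusinessKnowledge_2006,
  author        = {Tjoa, A Min and Fenz, Stefan and Weippl, Edgar R. and Klemen, Markus and Ekelhart, Andreas},
  title         = {Ontology-based Business Knowledge for Simulating Threats to Corporate Assets},
  booktitle     = {Practical Aspects of Knowledge Management, 6th International Conference, PAKM 2006},
  year          = {2006},
  month         = dec,
  pdf           = {2006 - Ekelhart - Ontology-based Business Knowledge for Simulating Threats to Corporate Assets.pdf},
  volume        = {4333},
  pages         = {37--48},
  publisher     = {Springer Berlin Heidelberg},
  isbn          = {978-3-540-49998-5},
  internal-note = {volume was exported as 4333_2006; the year suffix was dropped because an unescaped underscore breaks LaTeX and the year is already in the year field},
}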
Stefan Fenz and Edgar R. Weippl, "Ontology-based IT-Security Planning," in
Proceedings of the 12th Pacific Rim International Symposium on Dependable Computing, PRDC2006, 2006, pp. 389-390.
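@inproceedings{Fenz_OntologybasedITSecurityPlanning_2006,
  author        = {Fenz, Stefan and Weippl, Edgar R.},
  title         = {Ontology-based {IT-Security} Planning},
  booktitle     = {Proceedings of the 12th Pacific Rim International Symposium on Dependable Computing, PRDC2006},
  year          = {2006},
  month         = dec,
  abstract      = {IT-security has become a much diversified field and small and medium sized enterprises (SMEs), in particular, do not have the financial ability to implement a holistic IT-security approach. We thus propose a security ontology, to provide a solid base for an applicable and holistic IT-security approach for SMEs, enabling low-cost risk management and threat analysis.},
  pdf           = {2006 - Fenz - Ontology-based IT Security Planning.pdf},
  pages         = {389--390},
  publisher     = {IEEE Computer Society},
  internal-note = {export carried note = 9353421; it is not an ISBN and its meaning is unclear (possibly a catalogue or accession number), so it was moved out of the printed note field -- verify and place in the proper field},
}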
Stefan Fenz and Edgar R. Weippl and Markus Klemen and Andreas Ekelhart, "Security Ontology: Simulating Threats to Corporate Assets," in
Information Systems Security, Second International Conference, ICISS 2006, 2006, pp. 249-259.
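@inproceedings{Ekelhart_SecurityOntologySimulating_2006,
  author        = {Fenz, Stefan and Weippl, Edgar R. and Klemen, Markus and Ekelhart, Andreas},
  title         = {Security Ontology: Simulating Threats to Corporate Assets},
  booktitle     = {Information Systems Security, Second International Conference, ICISS 2006},
  year          = {2006},
  month         = dec,
  pdf           = {2006 - Ekelhart - Security Ontology Simulating Threats to Corporate Assets.pdf},
  volume        = {4332},
  pages         = {249--259},
  publisher     = {Springer Berlin Heidelberg},
  isbn          = {978-3-540-68962-1},
  internal-note = {volume was exported as 4332_2006; the year suffix was dropped because an unescaped underscore breaks LaTeX and the year is already in the year field},
}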
A Min Tjoa and Stefan Fenz and Edgar R. Weippl and Markus Klemen and Andreas Ekelhart, "The Semantic Desktop: A Semantic Personal Information Management System based on RDF and Topic Maps," in
Proceedings of the ODBIS Workshop, 31st International Conference on Very Large Data Bases (VLDB) 2005, 2005, pp. 135-151.
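@inproceedings{Weippl_SemanticDesktopSemantic_2005,
  author     = {Tjoa, A Min and Fenz, Stefan and Weippl, Edgar R. and Klemen, Markus and Ekelhart, Andreas},
  sbahotlist = {true},
  title      = {The Semantic Desktop: A Semantic Personal Information Management System based on {RDF} and {Topic Maps}},
  booktitle  = {Proceedings of the ODBIS Workshop, 31st International Conference on Very Large Data Bases (VLDB) 2005},
  year       = {2005},
  month      = oct,
  pdf        = {2005 - Weippl - The Semantic Desktop.pdf},
  number     = {4623},
  pages      = {135--151},
}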
A Min Tjoa and Stefan Fenz and Edgar R. Weippl and Markus Klemen and Gernot Goluch and Manfred Linnert, "Semantic Storage: A Report on Performance and Flexibility," in
Database and Expert Systems Applications, 16th International Conference, DEXA 2005, 2005, pp. 586-595.
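@inproceedings{Weippl_SemanticStorageReport_2005,
  author        = {Tjoa, A Min and Fenz, Stefan and Weippl, Edgar R. and Klemen, Markus and Goluch, Gernot and Linnert, Manfred},
  title         = {Semantic Storage: A Report on Performance and Flexibility},
  booktitle     = {Database and Expert Systems Applications, 16th International Conference, DEXA 2005},
  year          = {2005},
  month         = aug,
  abstract      = {Desktop search tools are becoming more popular. They have to deal with increasing amounts of locally stored data. Another approach is to analyze the semantic relationship between collected data in order to preprocess the data semantically. The goal is to allow searches based on relationships between various objects instead of focusing on the name of objects. We introduce a database architecture based on an existing software prototype, which is capable of meeting the various demands for a semantic information manager. We describe the use of an association table which stores the relationships between events. It enables adding or removing data items easily without the need for schema modifications. Existing optimization techniques of RDBMS can still be used.},
  pdf           = {2005 - Weippl - Semantic Storage A Report on Performance and Flexibility:2005 - Weippl - Semantic Storage A Report on Performance and Flexibility.pdf},
  volume        = {3588},
  pages         = {586--595},
  publisher     = {Springer Berlin Heidelberg},
  internal-note = {volume was exported as 3588_2005; the year suffix was dropped because an unescaped underscore breaks LaTeX. The pdf value looks like a duplicated filename joined by a colon -- verify which file actually exists before relying on it},
}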