SBA Research is a research center for Information Security funded partly by the national initiative for COMET Competence Centers for Excellent Technologies. Within a network of more than 70 companies, 15 Austrian and international universities and research institutions, and many additional international research partners we jointly work on research challenges ranging from organizational to technical security to strengthen Europe’s Cybersecurity capabilities.
ISIS @ TU Wien IAIK @ TU Graz DKE @ Uni Wien NM @ WU Wien FH St. Pölten AIT


Presentation: Stoned Bootkit

Peter Kleissner presented his Stoned Bootkit and new research directions to circumvent full disk encryption.

Internet Security: the fight for website blockers

SBA managing director Markus Klemen was interviewed and cited in Sundays’ “Die Presse” concerning the technical difficulties behind DNS-based website blockers. Link to the online version:


Today we attend the highly prestigious International Conference on Business Process Management (BPM’2009) and present our paper “Business Process-based Resource Importance Determination” in the main track.

SBA hosts IPICS Summer School

The IPICS academic summer school  is a two weeks course for Master`s students in their final year, PhD students and IT professionals interested in a comprehensive overview and broad coverage of recent developments in “Information and Communication Security”. Speakers include Prof. Preneel, Prof. Lopez, Prof. Samarati and many more.

Guest Lecture: Using security patterns to develop secure systems (Eduardo B. Fernandez)

Using security patterns to develop secure systems

Eduardo B. Fernandez

Florida Atlantic University

Boca Raton, FL, USA

A security pattern is a special type of software architectural pattern that describes solutions to security problems. We describe our recent results in methodologies to apply security patterns, where we are now and where we are going. In particular we are working on:

Secure software development methodology—This is a general methodology to build secure systems. We have worked in the methodology itself and we are developing now specific aspects of it.

Modeling and Classification of security patterns—We have tried to provide a precise characterization of security patterns that can be used as a basis for classification. A good classification makes the application of the pattern much easier along the software lifecycle.

Misuse patterns– A misuse pattern describes, from the point of view of the attacker, how a type of attack is performed (what units it uses and how), analyzes the ways of stopping the attack by enumerating possible security patterns that can be applied for this purpose, and describes how to trace the attack once it has happened by appropriate collection and observation of forensics data. They can be used in the lifecycle to prevent the occurrence of known types of attacks.

Eduardo B. Fernandez (Eduardo Fernandez-Buglioni) is a professor in the Department of Computer Science and Engineering at Florida Atlantic University in Boca Raton, Florida. He has published numerous papers on authorization models, object-oriented analysis and design, and security patterns. He has written four books on these subjects, the most recent being a book on security patterns. He has lectured all over the world at both academic and industrial meetings. He has created and taught several graduate and undergraduate courses and industrial tutorials. His current interests include security patterns and web services security and fault tolerance. He holds a MS degree in Electrical Engineering from Purdue University and a Ph.D. in Computer Science from UCLA. He is a Senior Member of the IEEE, and a Member of ACM. He is an active consultant for industry, including assignments with IBM, Allied Signal, Motorola, Lucent, and others. More details can be found at

Gastvortrag: Schutz Privatsphäre bei der Weitergabe von persönlichen Daten in Geschäftsprozessen



Schutz Privatsphäre bei der Weitergabe von persönlichen Daten in Geschäftsprozessen



Der Schutz der Privatsphäre in Geschäftsprozessen für personalisierte Dienstleistungen basiert momentan auf das Vertrauen der Nutzer in die Diensteanbieter. Diese Geschäftsprozesse erfordern nicht nur eine Erhebung sondern auch eine Weitergabe persönlicher Daten ihrer Nutzer. Allerdings können Nutzer die Verarbeitung und Weitergabe ihrer Daten nicht kontrollieren.

Beispiele sind Kundenkartensysteme und medizinische Dienstleistungen mit der elektronischen Patientenakte.

Derzeit delegieren Nutzer ihre Privatsphäre an die Diensteanbieter, indem sie zu deren Datenschutzrichtlinie pauschal einwilligen und ihre Einhaltung jedoch nicht kontrollieren können. Gegenwärtige Mechanismen zum Schutz der Privatsphäre decken den Zugriff auf persönliche Daten bei ihrer Erhebung ab, jedoch nicht ihre Nutzung und damit deren Weitergabe. Der Vortrag stellt ein System mit einer nicht-verkettbaren Delegation von Rechten für den Datenzugriff und einem modifizierten digitalem Watermarkingschema zur nachvollziehbaren Durchsetzung dieser Rechte zur Datenweitergabe vor, so dass Nutzer den Diensteanbietern nicht mehr vertrauen müssen.



Dr. Sven Wohlgemuth promovierte bei Prof. Dr. Günter Müller am Institut für Informatik und Gesellschaft der Albert-Ludwigs-Universität Freiburg im Breisgau. Neben der Promotion war er Koordinator des Schwerpunktprogramms “Sicherheit in der Informations- und Kommunikationstechnik” der Deutschen Forschungsgemeinschaft (DFG) und der Arbeitsgruppe “Privacy in Business Processes” des europäischen Network of Excellence “Future of Identity in the Information Society (FIDIS)” des 6. Rahmenprogramms der Europäischen Union.

Derzeit ist er Gastwissenschaftler am National Institute of Informatics in Tokyo, Japan. Dort beschäftigt er sich mit der Durchsetzung von Obligationen zum Schutz der Privatsphäre bei der Weitergabe persönlicher Daten.

International Conference on Risks and Security of Internet and Systems 2009

Our paper “A Reference Model for Risk-Aware Business Process Management” has been accepted at the 4th International Conference on Risks and Security of Internet and Systems (CRISIS2009).

International Conference on Privacy, Security, Risk and Trust 2009

Our paper “Towards Automating Social Engineering Using Social Networking Sites” has been accepted at the International Conference on Privacy, Security, Risk and Trust (PASSAT2009).


Two papers are presented at the EDMEDIA conference (“Integrated Approach for the Detection of Learning Styles and Affective States” and “Screen Recording for E-Learning”)

EDMEDIA tutorial and steering committee meeting

Together with Martin Ebner, Edgar Weippl presents a tutorial on e-learning at the ED-MEDIA conference; Edgar is also member of the steering committee.

New Castle University – Secure Business Austria Workshop

From 18th to 19th June 2009 Aad van Moorsel and Simon E. Parkin from Newcastle University will visit our research center. Our goal is to identify and initialize joint research projects between Newcastle University and Secure Business Austria in the field of economically justified security solutions.

On 18th June 2009 9am Aad van Moorsel and Simon E. Parkin will give a public talk on their Trust Economics project. Trust Economics is a research project, which is conducted jointly by Hewlett-Packard, Merrill-Lynch, Newcastle University, University College London and University of Bath. Its objective is to develop a methodology that allows companies to make decisions about security investments based on costs and benefits for the company. Aad van Moorsel and Simon Parkin will present their recent work on knowledge base support for IT security investment decisions. The distinguishing feature of the Trust Economics knowledge base is the inclusion of the human behavioral aspect in its underlying information security ontology. In addition to their recent research results and technology developments, we will discuss the rationale behind the Trust Economics project.

Secure Business Austria at Konkuk University

Stefan Fenz will hold a four week IT security course at the 2009 Konkuk University International Summer Program. Konkuk University, is one of the leading private universities in Korea, generally regarded as one of the top 10 universities in Korea out of over 370 universities and colleges.

ZIT Roundtable – Halwachs

Edgar Weippl takes part in the round-table discussion on innovation and knowledge transfer organized by ZIT.

Business Process Management Conference 2009

Our paper “Business Process-based Resource Importance Determination” has been accepted at the 7th International Conference on Business Process Management (BPM’2009).

Traditionally, the BPM conference attracts the outstanding researchers in the field and abides to the highest academic standards. BPM solicits original research papers that break new ground in or make significant novel contributions to the field. The acceptance rate in previous editions has been around 14%. (cf.

Prof. Maria Damiani visits Secure Business Austria

Prof. Maria Damiani gave a talk on “Spatio-temporal access control: state-of-the-art and open issues”.

In the last few years, a number of spatial and spatio-temporal access control models have been developed in the framework of pervasive computing and location-based services. The distinguishing feature of those models is that the access authorization is subordinated to the satisfaction of contextual conditions, such as spatial proximity or containment in certain spaces. For example, health records can be only accessed by personnel located in the hospital during working hours. In most cases those models extend RBAC to allow for the specification of simple constraints based on location and time which are then enforced upon users’ request. Many issues, however, remain to be investigated, for example the administration of spatio-temporal policies, the specification of usage control in mobile applications, the development of suitable architectures and the protection of privacy. In this talk, I will overview research in spatio-temporal access control and discuss a few open issues.

Prof. Daniel S. Yeung visits Secure Business Austria

Prof. Daniel S. Yeung gave a talk on “Sensitivity Based Generalization Error for Supervised Learning Problem with Applications in Model Selection and Feature Selection”.

Generalization error model provides a theoretical support for a classifier’s performance in terms of prediction accuracy. However, existing models give very loose error bounds. This explains why classification systems generally rely on experimental validation for their claims on prediction accuracy. In this talk we will revisit this problem and explore the idea of developing a new generalization error model based on the assumption that only prediction accuracy on unseen points in a neighborhood of a training point will be considered, since it will be unreasonable to require a classifier to accurately predict unseen points “far away” from training samples. The new error model makes use of the concept of sensitivity measure for an ensemble of multiplayer feedforward neural networks (Multilayer Perceptrons or Radial Basis Function Neural Networks). Two important applications will be demonstrated, model selection and feature reduction for RBFNN classifiers. A number of experimental results using datasets such as the UCI, the 99 KDD Cup, and text categorization, will be presented.

Database Forensic at the Security Forum in Hagenberg

Edgar Weippl gives a talk on Database Forensic at the Security Forum in Hagenberg.

Abstract: Whenever data is being processed, there are many places where parts of the data are temporarily stored; thus forensic analysis can reveal past activities, create a (partial) timeline and restore deleted data. While this fact is well known for computer forensic and multiple tools to forensically analyze data exit, the systematic analysis of database systems has only recently begun.

Clearly, database system are bound to leave more extensive traces since they not only store a file but, in addition, need indexes, rollback segments and log files. In this tutorial we will cover the basics of forensic analysis particularly focusing on database systems.

AARIT and ERCIM Membership

Secure Business Austria is now member of AARIT ( and ERCIM (

Guest Lecture – Günter Müller

Günter Müller gave an excellent talk on compliance and risk management.

Springer Studies in Computational Intelligence

Our paper “An Evaluation of Technologies for the Pseudonymization of Medical Data” was accepted for publication.

International Journal of Business Process Management

Our paper “An Empirical Study about the Status of Business Process Management” was accepted for publication.

IEEE International Conference on Systems

We are attending the IEEE International Conference on Systems and present our latest research results regarding pseudonymization. We received the best paper award for the paper “Technologies for the Pseudonymization of Medical Data: A Legal Evaluation”.

Secure 2.0 – FIT-IT Award

We took the second place with the project Secure 2.0 (FIT-IT) in this year’s FIT-IT awards.

Guest Lecture – Ludwig Fuchs

Ludwig Fuchs ( gave an excellent talk on combining role mining and role engineering.

Guest Lecture – Stefan Sackmann

Stefan Sackmann gave a talk on risk management. We will start a collaboration with his group. Stefan Fenz will manage the joint research efforts.