An indirect source of security information, usually neglected by the experts, is business decisions made by the organization's stakeholders (e.g. “Company's IT systems should support the Sales process”). This may raise certain IS security considerations (e.g. “the sales application must be accessible by the salesmen with wireless laptops during business hours”).
Furthermore, these sources of security knowledge can be classified according to a number of criteria: the ambiguity of the contained information, the relevance to the specific IS environment, the nature of the information therein (e.g. requirement, “what”, or implementation, “how”), the target of application (e.g. applies to all IS assets or to a subset of them), etc. Figure 2 depicts a classification of certain security knowledge sources against the first two points of view, namely the ambiguity of the contained information and the relevance to the specific IS environment. The depicted sources that span from high to low relevance reflect the existence of information that is specific yet irrelevant to the IS in question, owing to the diversity of technologies covered by some knowledge sources such as mailing lists.
[Figure 2: security knowledge sources plotted by ambiguity of contained information (High to Low) against IS Relevance (Low to High). Sources shown: Stakeholders' Decisions; Security and Risk Management Standards; Organization Policy; Risk Analysis (RA) output; SLA; Vulnerability Catalogues (CVE); Technical Best Practices, Security Mailing Lists, Security Advisories; Infrastructure Information.]
Fig. 2. A classification of IS security knowledge sources
In conclusion, it is evident that the complexity, the different ways of representation and the diverse nature of the abovementioned sources turn the work of security expert(s) into a challenging and time-consuming task. The modeling and extraction of security-related information from different information sources can be addressed with standardization initiatives such as OVAL [15] and CVE [14], with separate information extraction modules for each definition [16] [17], etc. Our knowledge-based system, which will exploit this vast but still unstructured wealth of security information, is a valuable tool in the arsenal of security experts.