In the last couples of years, the complexity and interconnectedness of Information Systems (IS), and security related incidents increased signi cantly. In order to guarantee con dentiality, integrity, and availability of these IS an appropriate information security risk management (ISRM) must be in place. Reliable ISRM represents a challenge for organizations, since they take security related decisions based on outdated data, overlook vulnerabilities, threats or common incidents. To overcome these issues the acquisition of shared cyber security information at the right time supports ISRM to reduce risks, identify attacks, and enhance resilience of an IS. However, the exchange and acquisition of shared cyber security information represents a major challenge in ISRM. In the proposed PhD thesis we focus on this challenge by developing a framework that automatically combines and integrates shared cyber security information into ISRM processes. In doing so, we develop quality criteria, measures, and metrics to evaluate and lter shared cyber security information.
The increasing complexity and heterogeneity of Information Systems (IS)
combined with more sophisticated cyber-attacks manifest serious threats harming an
IS's security. Recent prominent information security incidents have shown that
attacks can lead to business-critical loss of intellectual property, productivity,
money, and reputation [1{3]. In order to counteract these threats, and to
guarantee con dentiality, integrity, and availability, an organisation needs to put an
information security risk management (ISRM) in place [
Reliable ISRM represents a major challenge for organizations, since they fail to
predict risks [
In the PhD thesis we want to answer the following overarching research question: How can shared cyber security information be integrated into information security risk management? The main objective of the PhD thesis is the development of a framework to combine and integrate shared cyber security information into ISRM, thereby we want to focus primarily on security information shared between organisations. In this context, the development of criteria (e.g. timeliness, completeness, reliability, provenance of information) and methods to evaluate data quality, and lter relevant information for ISRM plays an important role.
Our contribution is threefold: At rst we characterize the landscape of relevant and valuable shared cyber security information for ISRM. Secondly, we develop a taxonomy to evaluate the quality of shared cyber security information and provide rules to lter it. Finally, we implement a framework which bases upon the developed taxonomy, provides methods to automatically evaluate the data quality and lter relevant shared cyber security information, and combines and integrates the collected information into ISRM. 2
Cyber Security information sharing is a contemporary topic in information
security communities. In recent years several standardization e orts have
addressed the challenge of representing cyber security information in a
standardized manner [
works have been introduced, e.g. Common Vulnerability Exposure (CVE),
Structured Threat Information Expression (STIXX), Trusted Automated eXchange
of Indicator Information (TAXII), Common Con guration Enumeration (CCE),
Common Attack Pattern Enumeration and Classi cation (CAPEC), and the
Open Vulnerability and Assessment Language (OVAL), among others [
While there are a number of ad-hoc solutions for cyber security information
sharing, like email exchange, phone calls, shared databases or data feeds, there is a
tendency to establish systems for automated data exchange, and form
communities for cyber security information sharing [
To bene t from information, a persistent theme in research is the assessment
of information quality. Therefore, several data quality metrics, measures and
frameworks focusing on information quality exist [18{21]. In ISRM only a few
researches dealt with the aspect of information quality, e.g. investigations
regarding quality de ciencies in the documentation of business security
requirements [
To the best of our knowledge no prior research has been conducted that examines how shared cyber security information with respect to quality criteria can be integrated into ISRM. In doing so, research and practice lacks metrics, measures and methods for quality assessment of shared cyber security information. 3
In Section 1 we introduced our overarching research questions which we divide in the following three research questions: (a) What are potential shared cyber security information sources for ISRM?, (b) What are quality requirements for shared cyber security information for ISRM?, and (c) How can ISRM processes be supplied with shared cyber security information? In the following we explain these research questions and outline the expected contributions. 3.1
RQ1: What are potential shared cyber security information sources for ISRM? As described in Section 2, several standards for describing and exchanging of shared cyber security information exist. At rst we provide a comprehensive overview of the state of the art of standards in the eld. Based on these investigations we conduct a study with the goal of identifying potential shared cyber security information sources applied in practice. In this context, our primary focus is on security information which is shared between organisation. In addition to them, we analyse information which is available from public security databases. Finally, the contribution of this research step includes a classi cation of the landscape of valuable shared cyber security information sources, underlying standards, and their relevance for practice. 3.2
RQ2: What are quality requirements for shared cyber security
information for ISRM?
Based on the identi ed landscape of shared cyber security information for ISRM
we develop criteria, metrics and measures to evaluate the data quality. For
example, they take in account criteria, like timeliness, provenance, reliability, or
completeness of shared information. For this purpose, we analyze the adoption
possibilities of existing quality models from information science [18{20, 24, 25],
and other elds of ISRM, e.g. [
RQ3: How can ISRM processes be supplied with shared cyber security information? As depicted in Figure 1, based on the identi ed landscape of shared cyber security information and the taxonomy for quality assurance we develop a framework that automatically collects, combines, and integrates shared cyber security information to ISRM processes. Thereby, we are following three goals: (a) To integrate a multitude of shared cyber security information into ISRM processes, (b) assure the quality of integrated information, and (c) reduce the implicated overhead of useless information. The developed framework should be capable of being integrated into information security management systems implementing ISRM processes. 4
As depicted in Figure 2 our research plan can be divided into the following three
steps considering the design science principles [
At rst, we conduct empirical studies with the goal of identifying the landscape of shared cyber security information. Therefore, we carry out qualitative expert interviews with experts in the eld. The interviewees include security experts from our industry and academic partners. Based on the results of the interviews we carry out a quantitative survey addressing the same issue. In doing so, our main goal is the validation of the results of the expert interviews, and subsequently provide of a comprehensive picture of relevant shared cyber security information for ISRM in practice. Secondly, we identify and develop quality criteria with corresponding quality metrics to assess the quality for shared cyber security information. Therefore, we conduct a systematic literature study on existing data quality criteria and metrics in di erent applications areas of information science. Based on qualitative expert interviews we evaluate the applicability of the identi ed quality criteria and metrics to shared cyber security information. Thereby, it might be necessary to adopt or add one or another quality metric. The main result of
the the systematic literature study and the expert interviews is a comprehensive taxonomy to evaluate the quality of shared cyber security information.
Development and evaluation of the framework
Thirdly, we develop a framework to supply shared cyber security information for
ISRM processes. As mentioned in Section 3 the framework should be capable of
being integrated into information security management systems (ISMS)
implementing ISRM processes. In order to demonstrate the integration capabilities we
integrate it into the tool-supported ISMS framework ADAMANT [
The main goal of our research, and the proposed PhD thesis is the development of a framework that integrates shared cyber security information into ISRM processes. In doing so, the framework combines information originating from di erent sources, ensures a certain degree of information quality, and lters information in order to counteract useless information over ow. Thereby our research contributions are threefold: (a) Identifying the landscape of shared cyber security information, (b) providing a taxonomy to evaluate the quality of shared cyber security information, and (c) developing the described framework. This paper provides an overview of the addressed research questions, expected contributions and applied research methodology. At the time of writing this paper we were analysing the results of the survey and expert study for identifying valuable shared cyber security information for ISRM, described in section 4.1.