RiskFlows - Continuous Risk-driven Workflows and Decision Support in Information Security Management Systems

Information Security Management Systems (ISMS) aim at ensuring proper protection of information values and information processing systems (i.e. assets). Information Security Risk Management (ISRM) techniques are incorporated to deal with threats and vulnerabilities that impose risks to information security properties of these assets. Considering the evolution of information systems as well as more demanding security requirements, enterprises have to efficiently deal with changes to their assets, their risk exposure and the impact of these changes to their ISMS and ISRM activities. Current approaches are not well-suited for enterprises facing information security challenges from continuously evolving systems, diverse requirements regarding information security properties and regular changes to their assets and threat landscape. In our PhD thesis we will develop a continuous risk-driven approach to model and enact workflows in ISMS where security risks and derived controls are managed in a collaborative fashion. In this paper we present the problem statement, research goals, the applied methodology and expected contribution of our PhD thesis.