Teodor Sommestad

Learn More
To facilitate rational decision making regarding cyber security investments, decision makers need to be able to assess expected losses before and after potential investments. This paper presents a model based assessment framework for analyzing the cyber security provided by different architectural scenarios. The framework uses the Bayesian statistics based(More)
Enterprise architecture is an approach which aim to provide decision support based on organization-wide models. The creation of these models is however cumbersome as multiple aspects of an organization need to be considered. The Enterprise Architecture approach would be signi cantly less demanding if data used to create the models could be collected(More)
Security is dependent on a mixture of interrelated concepts such as technical countermeasures, organizational policies, security procedures, and more. To facilitate rational decision making, these concepts need to be combined into an overall judgment on the current security posture, as well as potential future ones. Decision makers are, however, faced with(More)
The discipline of enterprise architecture advocates the use of models to support decision-making on enterprise-wide information system issues. In order to provide such support, enterprise architecture models should be amenable to analyses of various properties, as e.g. the availability, performance, interoperability, modifiability, and information security(More)
Information system security risk, defined as the product of the monetary losses associated with security incidents and the probability that they occur, is a suitable decision criterion when considering different information system architectures. This paper describes how probabilistic relational models can be used to specify architecture metamodels so that(More)
Purpose: To identify variables that influence compliance with information security policies of organizations and to identify how important these variables are. Design/methodology/approach: A systematic review of empirical studies described in extant literature is performed. This review found 29 studies meeting its inclusion criterion. The investigated(More)
This paper presents a modeling language specifically developed for assessing the cyber security of SCADA systems. The modeling language uses the formalism Probabilistic Relational Models to integrate a mathematical inference engine with the modeling notation. If a SCADA system is modeled using this cyber security modeling language the cyber security of this(More)
When system administrators monitor the security of computer network(s) they often use an intrusion detection system (IDS). The IDS examines events (in network traffic, operating systems, etc.) and raises an alarm if the events are believed to be symptoms of an intrusion. A number of studies investigate IDSs from a technical perspective. These studies(More)