Information security management is a challenging topic, due to the difficulty of exhaustively modeling attackers for an entire system and the threats they cause to it. The idea of security standards and their respective certification schemes is an excellent one. Companies can use a security analysis process in a standard and establish a security product, e.g., a secure software or a p…