Security Ontology for Adaptive Mapping of Security Standards
AbstractAdoption of security standards has the capability of improving the security level in an organization as well as to provide additional benefits and possibilities to the organization. However mapping of used standards has to be done when more than one security standard is employed in order to prevent redundant activities, not optimal resource management and unnecessary outlays. Employment of security ontology to map different standards can reduce the mapping complexity however the choice of security ontology is of high importance and there are no analyses on security ontology suitability for adaptive standards mapping. In this paper we analyze existing security ontologies by comparing their general properties, OntoMetric factors and ability to cover different security standards. As none of the analysed security ontologies were able to cover more than 1/3 of security standards, we proposed a new security ontology, which increased coverage of security standards compared to the existing ontologies and has a better branching and depth properties for ontology visualization purposes. During this research we mapped 4 security standards (ISO 27001, PCI DSS, ISSA 5173 and NISTIR 7621) to the new security ontology, therefore this ontology and mapping data can be used for adaptive mapping of any set of these security standards to optimize usage of multiple securitystandards in an organization.
 Dobson, G.; Sawyer P. (2006). Revisiting Ontology- Based Requirements Engineering in the age of the SemanticWeb, In: Dependable Requirements Engineering of Computerised Systems at NPPs, Institute for Energy Technology (IFE), Halden, 2006.
 Fernandez-Breis, J. T.; Martiinez-Bejar R (2002). A cooperative framework for integrating ontologies, International Journal of Human-Computer Studies, ISSN 1071-5819, 56(6): 665- 720.
 Gruninger, M.; Lee J. (2002). Ontology Applications and Design, Communications of the ACM, ISSN 0001-0782, 45(2): 39- 41.
 Mouratidis, H.; Giorgini P. (2006). Integrating Security and Software Engineering: Advances and Future Visions, IGI Global.
 Dhillon, G.; Backhouse J. (2000). Information system security management in the new millennium, Communications of the ACM, ISSN 0001-078, 43(7): 125-128.
 Donner, M. (2003). Toward a Security Ontology, IEEE Security and Privacy, ISSN 1540-7993, 1(3): 6-7.
 Tsoumas, B.; Gritzalis D. (2006). Towards an Ontology-based Security Management, Advanced Information Networking and Applications, ISSN 1550-445X, 1: 985 - 992.
 Gomez-Perez A.; Fernandez-Lopez M.; Corcho O. (2004). Ontological Engineering, Springer.
 Ramanauskaite, S.; Goranin, N.; Cenys, A.; Olifer, D. (2013) Ontology-based security standards mapping pptimization by the means of Graph theory, Proceesings of International congress on engineering and technology ICET 2013, ISBN 978-80-87670-08-8: 74-83.
 Fenz S. (2010). Ontology-based Generation of IT-Security Metrics, Proceedings of the 2010 ACM Symposium on Applied Computing, ISBN 978-1-60558-639-7: 1833-1839.
 Mylopoulos J.; Borgida A.; Jarke M.; Koubarakis M. (1990). Telos: Representing Knowledge About Information Systems, ACM Transactions on Information Systems, ISSN 1046-8188: 325-362.
 Landwehr C. E.; Bull A. R.; McDermott J. P.; Choi W. S. (1994). A taxonomy of computer program security flaws, ACM Computing Surveys, ISSN 0360-0300, 26(3): 211-254.
 Avizienis A.; Laprie J. C.; Randell B.; Landwehr C. (2004). Basic concepts and taxonomy of dependable and secure computing,emphIEEE Transactions on Dependable and Secure Computing, ISSN 1545-5971, 1(1): 11-33.
 Denker G.; Kagalb L.; Finin T. (2005). Security in the Semantic Web using OWL, Information Security Technical Report, ISSN 2214-2126, 10(1): 51-58.
 Mouratidis H.; Giorgini P.; Manson G. (2003). An Ontology for Modelling Security: The Tropos Approach, Proceedings of the KES 2003 Invited Session Ontology and Multiagent Systems Desing.
 Giorgini P.; Manson G.; Mouratidis H. (2004). Towards the Development of Secure Information Systems: Security Reference Diagrams and Security Attack Scenarios, Proceeding of 16th Conference On Advanced Information Systems Engineering.
 Massacci F.; Mylopoulos J.; Paci F.; Tun T. T.; Yu Y. (2011). An Extended Ontology for Security Requirements, Advanced Information Systems Engineering Workshops, ISSN 1865- 1348, 83: 622-636.
 Geneiatakis D.; Lambrinoudakis C. (2007). An ontology description for SIP security flaw, Computer Communications, ISSN 0140-3664, 30(6): 1367-1374.
 Karyda M.; Balopoulos T.; Gymnopoulos L.; Kokolakis S.; Lambrinoudakis C.; Gritzalis S.; Dritsas S. (2006). An ontology for secure e-government applications, Proceedings of the The First International Conference on Availability, Reliability and Security, ARES 2006.
 Undercoffer J.; Joshi A.; Pinkston J. (2003). Modeling Computer Attacks: An Ontology for Intrusion Detection, The Sixth International Symposium on Recent Advances in Intrusion Detection.
 Souag A. (2012). Towards a new generation of security requirements definition methodology using ontologies, Proceedings of 24th International Conference on Advanced Information Systems Engineering: 1-8.
 Kim A.; Lou J.; Kang M. H. (2005). Security Ontology for Annotating Resources, On the Move to Meaningful Internet Systems 2005: CoopIS, DOA, and ODBASE ISSN 0302-9743, 3761: 1483-1499.
 Herzog A.; Shahmehri N.; Duma C. (2007). An Ontology of Information Securit, International Journl of nformation Security and Privacy, ISSN 1930-1650, 1(4): 1-23.
 Fenz S.; Ekelhart A. (2009). Formalizing information security knowledge, Proceedings of the 4th International Symposium on Information, Computer, and Communications Security, ISBN 978-1-60558-394-5: 183-194.
 Lozano-Tello A; Gomez-Perez A. (2004). ONTOMETRIC: A method to choose the appropriate ontology, Journal of database management, ISSN 1063-8016, 15(2): 1-18.
 ISACA (2013). COBIT 5: A Business Framework for the Governance and Management of Enterprise IT.
 Hofherr M. (2011). Mapping ISO27001 <>PCI DSS 2.0, ForInSecT, http://www.forinsect.com/downloads/Mapping-ISO27001-PCI_public.pdf.
This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.
ONLINE OPEN ACCES: Acces to full text of each article and each issue are allowed for free in respect of Attribution-NonCommercial 4.0 International (CC BY-NC 4.0.
You are free to:
-Share: copy and redistribute the material in any medium or format;
-Adapt: remix, transform, and build upon the material.
The licensor cannot revoke these freedoms as long as you follow the license terms.
DISCLAIMER: The author(s) of each article appearing in International Journal of Computers Communications & Control is/are solely responsible for the content thereof; the publication of an article shall not constitute or be deemed to constitute any representation by the Editors or Agora University Press that the data presented therein are original, correct or sufficient to support the conclusions reached or that the experiment design or methodology is adequate.