Security Ontology for Adaptive Mapping of Security Standards

Simona Ramanauskaite, Dmitrij Olifer, Nikolaj Goranin, Antanas Čenys


Adoption of security standards can improve the security level in an organization as well as provide additional benefits and possibilities to the organization. However, when more than one security standard is employed, the standards in use have to be mapped against each other in order to prevent redundant activities, suboptimal resource management and unnecessary outlays. Employing a security ontology to map different standards can reduce the mapping complexity; however, the choice of security ontology is of high importance, and there are no analyses of security ontology suitability for adaptive standards mapping. In this paper we analyze existing security ontologies by comparing their general properties, OntoMetric factors and ability to cover different security standards. As none of the analysed security ontologies was able to cover more than 1/3 of the security standards, we proposed a new security ontology, which increased coverage of security standards compared to the existing ontologies and has better branching and depth properties for ontology visualization purposes. During this research we mapped 4 security standards (ISO 27001, PCI DSS, ISSA 5173 and NISTIR 7621) to the new security ontology; therefore this ontology and mapping data can be used for adaptive mapping of any set of these security standards to optimize the usage of multiple security standards in an organization.


security ontology, security standards, adaptive mapping






Copyright (c) 2017 Simona Ramanauskaite, Dmitrij Olifer, Nikolaj Goranin, Antanas Čenys

This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.

CC-BY-NC License for Website User

Articles published in IJCCC user license are protected by copyright.

Users can access, download, copy and translate the IJCCC articles for non-commercial purposes, but cannot redistribute, display or adapt them, provided that users:

  • Cite the article using an appropriate bibliographic citation: author(s), article title, journal, volume, issue, page numbers, year of publication, DOI, and the link to the definitive published version on the IJCCC website;
  • Maintain the integrity of the IJCCC article;
  • Retain the copyright notices and links to these terms and conditions so it is clear to other users what can and what cannot be done with the article;
  • Ensure that, for any content in the IJCCC article that is identified as belonging to a third party, any re-use complies with the copyright policies of that third party;
  • Any translations must prominently display the statement: "This is an unofficial translation of an article that appeared in IJCCC. Agora University has not endorsed this translation."

This is a non-commercial license where the use of published articles for commercial purposes is forbidden.

Commercial purposes include: 

  • Copying or downloading IJCCC articles, or linking to such postings, for further redistribution, sale or licensing, for a fee;
  • Copying, downloading or posting by a site or service that incorporates advertising with such content;
  • The inclusion or incorporation of article content in other works or services (other than normal quotations with an appropriate citation) that is then available for sale or licensing, for a fee;
  • Use of IJCCC articles or article content (other than normal quotations with appropriate citation) by for-profit organizations for promotional purposes, whether for a fee or otherwise;
  • Use for the purposes of monetary reward by means of sale, resale, license, loan, transfer or other form of commercial exploitation;

The licensor cannot revoke these freedoms as long as you follow the license terms.

[End of CC-BY-NC License for Website User]

INTERNATIONAL JOURNAL OF COMPUTERS COMMUNICATIONS & CONTROL (IJCCC), With Emphasis on the Integration of Three Technologies (C & C & C), ISSN 1841-9836.

IJCCC was founded in 2006, at Agora University, by Ioan DZITAC (Editor-in-Chief), Florin Gheorghe FILIP (Editor-in-Chief), and Misu-Jan MANOLESCU (Managing Editor).

Ethics: This journal is a member of, and subscribes to the principles of, the Committee on Publication Ethics (COPE).


IJCCC is covered/indexed/abstracted in Science Citation Index Expanded (since vol.1(S), 2006); JCR2018: IF=1.585.

IJCCC is indexed in Scopus from 2008 (CiteScore2018 = 1.56).

IJCCC was nominated by Elsevier for Journal Excellence Award - "Scopus Awards Romania 2015" (SNIP2014 = 1.029).

IJCCC is in Top 3 of 157 Romanian journals indexed by Scopus (in all fields) and No.1 in Computer Science field by Elsevier/ Scopus.


Impact Factor in JCR2018 (Clarivate Analytics/SCI Expanded/ISI Web of Science): IF=1.585 (Q3). Scopus: CiteScore2018=1.56 (Q2).


Editors-in-Chief: Ioan DZITAC & Florin Gheorghe FILIP.