Security Ontology for Adaptive Mapping of Security Standards

Authors

  • Simona Ramanauskaite Vilnius Gediminas Technical University
  • Dmitrij Olifer Vilnius Gediminas Technical University
  • Nikolaj Goranin Vilnius Gediminas Technical University
  • Antanas Čenys Vilnius Gediminas Technical University

Keywords:

security ontology, security standards, adaptive mapping

Abstract

Adoption of security standards can improve the security level of an organization and provide it with additional benefits and possibilities. However, when more than one security standard is employed, the standards in use have to be mapped to each other in order to prevent redundant activities, suboptimal resource management and unnecessary outlays. Employing a security ontology to map different standards can reduce the mapping complexity; however, the choice of security ontology is of high importance, and no analyses exist of security ontology suitability for adaptive standards mapping. In this paper we analyze existing security ontologies by comparing their general properties, their OntoMetric factors and their ability to cover different security standards. As none of the analysed security ontologies was able to cover more than 1/3 of the security standards, we propose a new security ontology, which increases the coverage of security standards compared to the existing ontologies and has better branching and depth properties for ontology visualization purposes. During this research we mapped 4 security standards (ISO 27001, PCI DSS, ISSA 5173 and NISTIR 7621) to the new security ontology; therefore this ontology and its mapping data can be used for adaptive mapping of any subset of these security standards, optimizing the use of multiple security standards in an organization.

Author Biography

Simona Ramanauskaite, Vilnius Gediminas Technical University

Department of Mathematics and Computer Science


Published

2013-11-11
