Formalizing information security knowledge
Source
Proceedings of the 4th International Symposium on Information, Computer, and Communications Security (ASIAN ACM Symposium on Information, Computer and Communications Security), Sydney, Australia
Session: Theory of security
Pages: 183-194
Year of Publication: 2009
ISBN: 978-1-60558-394-5
Authors
Stefan Fenz, Vienna University of Technology, Vienna, Austria
Andreas Ekelhart, Secure Business Austria, Vienna, Austria
Sponsor
SIGSAC: ACM Special Interest Group on Security, Audit, and Control
Publisher
ACM, New York, NY, USA
DOI: http://doi.acm.org/10.1145/1533057.1533084
ABSTRACT

Unified and formal knowledge models of the information security domain are a fundamental requirement for supporting and enhancing existing risk management approaches. This paper describes a security ontology that provides an ontological structure for information security domain knowledge. Besides existing best-practice guidelines such as the German IT Grundschutz Manual, it also incorporates concrete knowledge about the organization under consideration. An evaluation conducted by a team of information security experts has shown that this knowledge model can be used to support a broad range of information security risk management approaches.
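The combination the abstract describes, generic best-practice knowledge and organization-specific facts held in one formal model that a risk-management question can be put to, as an added example that is not the paper's ontology and not the authors' code. In place of OWL and a reasoner it uses a minimal RDF-style triple store with two RDFS-like inference rules. The class names (Asset, Threat, Vulnerability, Control and their subclasses), the relations (exploits, mitigatedBy, affects, implements) and every fact are constructed for this illustration; none of them is taken from the paper or from the IT Grundschutz catalogues.

```python
"""Added illustration of a formal information-security knowledge model.

Not the paper's ontology: a tiny RDF-style triple store with two RDFS-like
inference rules stands in for OWL and a reasoner. All class names,
relations and facts below are constructed for this example.
"""
from collections import namedtuple

Exposure = namedtuple("Exposure", "asset threat vulnerability")


class TripleStore:
    """In-memory set of (subject, predicate, object) statements."""

    def __init__(self):
        self.triples = set()

    def add(self, s, p, o):
        self.triples.add((s, p, o))

    def objects(self, s, p):
        return {o for (s2, p2, o) in self.triples if s2 == s and p2 == p}

    def subjects(self, p, o):
        return {s for (s, p2, o2) in self.triples if p2 == p and o2 == o}

    def instances_of(self, cls):
        return self.subjects("type", cls)

    def saturate(self):
        """Fixpoint of two RDFS-style rules: subClassOf is transitive, and an
        instance of a class is an instance of each superclass. Without this,
        knowledge attached to a general class (e.g. ITAsset) never reaches
        assets that the organization typed more specifically (e.g. Server)."""
        changed = True
        while changed:
            changed = False
            for s, p, o in list(self.triples):
                if p != "subClassOf":
                    continue
                for o2 in self.objects(o, "subClassOf"):
                    if (s, "subClassOf", o2) not in self.triples:
                        self.add(s, "subClassOf", o2)
                        changed = True
                for inst in self.subjects("type", s):
                    if (inst, "type", o) not in self.triples:
                        self.add(inst, "type", o)
                        changed = True


def build_model():
    """Constructed sample: a taxonomy, generic best-practice knowledge and
    organization-specific facts in one store (hypothetical names throughout)."""
    g = TripleStore()
    # Taxonomy: the ontological structure the domain knowledge hangs on.
    for sub, sup in [("PhysicalThreat", "Threat"), ("TechnicalThreat", "Threat"),
                     ("ITAsset", "Asset"), ("Facility", "Asset"), ("Server", "ITAsset")]:
        g.add(sub, "subClassOf", sup)
    # Generic knowledge, in the spirit of a baseline catalogue (constructed).
    for v in ("MissingFireSuppression", "MissingAntivirus", "WeakPasswords"):
        g.add(v, "type", "Vulnerability")
    for c in ("FireExtinguisher", "AntivirusSoftware", "PasswordPolicy"):
        g.add(c, "type", "Control")
    g.add("Fire", "type", "PhysicalThreat")
    g.add("Malware", "type", "TechnicalThreat")
    g.add("PasswordGuessing", "type", "TechnicalThreat")
    g.add("Fire", "exploits", "MissingFireSuppression")
    g.add("Malware", "exploits", "MissingAntivirus")
    g.add("PasswordGuessing", "exploits", "WeakPasswords")
    g.add("MissingFireSuppression", "mitigatedBy", "FireExtinguisher")
    g.add("MissingAntivirus", "mitigatedBy", "AntivirusSoftware")
    g.add("WeakPasswords", "mitigatedBy", "PasswordPolicy")
    g.add("MissingFireSuppression", "affects", "Facility")
    g.add("MissingAntivirus", "affects", "Server")
    g.add("WeakPasswords", "affects", "ITAsset")
    # Organization-specific knowledge (constructed): inventory and controls.
    g.add("ServerRoom", "type", "Facility")
    g.add("WebServer01", "type", "Server")
    g.add("ExampleOrg", "implements", "AntivirusSoftware")
    return g


def unmitigated_exposures(store, organization):
    """Risk-management question over the combined model: which assets can a
    threat reach through a vulnerability for which the organization has
    implemented none of the mitigating controls? (Simplification: one
    implemented mitigating control counts as mitigating the vulnerability.)"""
    store.saturate()
    implemented = store.objects(organization, "implements")
    found = set()
    for vuln in store.instances_of("Vulnerability"):
        if store.objects(vuln, "mitigatedBy") & implemented:
            continue
        for cls in store.objects(vuln, "affects"):
            for asset in store.instances_of(cls):
                for threat in store.subjects("exploits", vuln):
                    found.add(Exposure(asset, threat, vuln))
    return sorted(found)


if __name__ == "__main__":
    for e in unmitigated_exposures(build_model(), "ExampleOrg"):
        print(f"{e.asset}: {e.threat} can exploit {e.vulnerability} "
              f"(no mitigating control implemented)")
```

The inference step is the point of formalizing the knowledge rather than keeping it in a spreadsheet: WeakPasswords is attached to the general class ITAsset, while the organization typed WebServer01 only as a Server, so the second exposure is only found because subclass membership is inferred. A real OWL ontology with a reasoner and SPARQL queries plays the same role at a much richer level of expressiveness.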

