Abstract
In Risk Management, security issues arise from complex relations among objects and agents, their capabilities and vulnerabilities, the events they are involved in, and the value and risk they entail for the stakeholders at hand. Further, there are patterns involving these relations that cut across many domains, ranging from information security to public safety. Understanding and forming a shared conceptualization and vocabulary for these notions and their relations is fundamental to modeling the corresponding scenarios, so that proper security countermeasures can be devised. Ontologies are instruments developed to address such conceptual clarification and terminological systematization issues. Over the years, several ontologies have been proposed in Risk Management and Security Engineering. However, as shown in recent literature, they fall short in many respects, including generality and expressivity, the latter affecting their interoperability with related models. We propose a Reference Ontology for Security Engineering (ROSE) from a Risk Treatment perspective. Our proposal builds on two existing reference ontologies: the Common Ontology of Value and Risk and a Reference Ontology of Prevention, both of which are grounded in the Unified Foundational Ontology (UFO). ROSE is employed for modeling and analysing some cases, in particular clarifying the semantically overloaded notion of Security Mechanism.
Work supported by Accenture Israel Cybersecurity Labs.
References
Adach, M., et al.: A combined security ontology based on the unified foundational ontology. In: International Conference on Semantic Computing, pp. 187–194 (2022)
Amaral, G., Sales, T.P., Guizzardi, G., Porello, D.: Towards a reference ontology of trust. In: Panetto, H., et al. (eds.) OTM 2019. LNCS, vol. 11877, pp. 3–21. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-33246-4_1
Band, I., Engelsman, W., Feltus, C., Paredes, S.G., Diligens, D.: Modeling enterprise risk management and security with the ArchiMate language (2015)
Baratella, R., Fumagalli, M., Oliveira, Í., Guizzardi, G.: Understanding and modeling prevention. In: Guizzardi, R., Ralyte, J., Franch, X. (eds.) Research Challenges in Information Science. RCIS 2022. LNBIP, vol. 446, pp. 389–405. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-05760-1_23
van den Berg, B., Hutten, P., Prins, R.: Security and safety: an integrative perspective. In: Jacobs, G., Suojanen, I., Horton, K.E., Bayerl, P.S. (eds.) International Security Management. ASTSA, pp. 13–27. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-42523-4_2
Casola, V., et al.: A first step towards an ISO-based information security domain ontology. In: International Conference on Enabling Technologies, pp. 334–339 (2019)
Chen, B., et al.: Research on ontology-based network security knowledge map. In: International Conference on Cloud Computing, Big Data and Blockchain, pp. 1–7 (2018)
Debbech, S., et al.: An ontological approach to support dysfunctional analysis for railway systems design. J. Univers. Comput. Sci. 26(5), 549–582 (2020)
Donner, M.: Toward a security ontology. IEEE Secur. Priv. 1(3), 6–7 (2003)
Duarte, B.B., de Almeida Falbo, R., Guizzardi, G., Guizzardi, R., Souza, V.E.S.: An ontological analysis of software system anomalies and their associated risks. Data Knowl. Eng. 134, 101892 (2021)
Ekelhart, A., Fenz, S., Klemen, M.D., Weippl, E.R.: Security ontology: simulating threats to corporate assets. In: Bagchi, A., Atluri, V. (eds.) ICISS 2006. LNCS, vol. 4332, pp. 249–259. Springer, Heidelberg (2006). https://doi.org/10.1007/11961635_17
Guizzardi, G.: Ontological foundations for structural conceptual models (2005)
Guizzardi, G., et al.: Grounding software domain ontologies in the unified foundational ontology (UFO): the case of the ODE software process ontology. In: Ibero-American Conference on Software Engineering, pp. 127–140 (2008)
Guizzardi, G., Wagner, G., de Almeida Falbo, R., Guizzardi, R.S.S., Almeida, J.P.A.: Towards ontological foundations for the conceptual modeling of events. In: Ng, W., Storey, V.C., Trujillo, J.C. (eds.) ER 2013. LNCS, vol. 8217, pp. 327–341. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-41924-9_27
Guizzardi, G., Bernasconi, A., Pastor, O., Storey, V.C.: Ontological unpacking as explanation: the case of the viral conceptual model. In: Ghose, A., Horkoff, J., Silva Souza, V.E., Parsons, J., Evermann, J. (eds.) ER 2021. LNCS, vol. 13011, pp. 356–366. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-89022-3_28
ISO: ISO 31000:2018 - Risk management - Guidelines (2018)
Jacobsen, A., et al.: FAIR principles: interpretations and implementation considerations. Data Intell. 2(1–2), 10–29 (2020)
Katsikas, S.K.: Risk management. In: Vacca, J.R. (ed.) Computer and Information Security Handbook, 3rd edn., pp. 507–527. Morgan Kaufmann (2013)
Kjellén, U.: Prevention of Accidents Through Experience Feedback. CRC Press, Boca Raton (2000)
Lund, M.S., Solhaug, B., Stølen, K.: Model-Driven Risk Analysis: The Coras Approach. Springer, Heidelberg (2010)
Massacci, F., Mylopoulos, J., Paci, F., Tun, T.T., Yu, Y.: An extended ontology for security requirements. In: Salinesi, C., Pastor, O. (eds.) CAiSE 2011. LNBIP, vol. 83, pp. 622–636. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22056-2_64
Oliveira, Í., et al.: How FAIR are security core ontologies? A systematic mapping study. In: Research Challenges in Information Science, pp. 107–123 (2021)
Oltramari, A., et al.: Towards a human factors ontology for cyber security. Semant. Technol. Intell. Def. Secur. 2015, 26–33 (2015)
Sales, T.P., Baião, F., Guizzardi, G., Almeida, J.P.A., Guarino, N., Mylopoulos, J.: The common ontology of value and risk. In: Trujillo, J.C., et al. (eds.) ER 2018. LNCS, vol. 11157, pp. 121–135. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-00847-5_11
Sales, T.P., et al.: Ontological analysis and redesign of risk modeling in ArchiMate. In: International Enterprise Distributed Object Computing Conference, pp. 154–163 (2018)
Sales, T.P., Roelens, B., Poels, G., Guizzardi, G., Guarino, N., Mylopoulos, J.: A pattern language for value modeling in ArchiMate. In: Giorgini, P., Weber, B. (eds.) CAiSE 2019. LNCS, vol. 11483, pp. 230–245. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-21290-2_15
Saud, Y.E., Israni, K., Goddard, J.: Bow-tie diagrams in downstream hazard identification and risk assessment. Process Saf. Prog. 33(1), 26–35 (2014)
Verdonck, M., et al.: Ontology-driven conceptual modeling: a systematic literature mapping and review. Appl. Ontol. 10(3–4), 197–227 (2015)
Zhou, J., et al.: An ontological approach to identify the causes of hazards for safety-critical systems. In: System Reliability and Safety, pp. 405–413 (2017)
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
Cite this paper
Oliveira, Í., Sales, T.P., Baratella, R., Fumagalli, M., Guizzardi, G. (2022). An Ontology of Security from a Risk Treatment Perspective. In: Ralyté, J., Chakravarthy, S., Mohania, M., Jeusfeld, M.A., Karlapalem, K. (eds.) Conceptual Modeling. ER 2022. Lecture Notes in Computer Science, vol. 13607. Springer, Cham. https://doi.org/10.1007/978-3-031-17995-2_26
DOI: https://doi.org/10.1007/978-3-031-17995-2_26
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-17994-5
Online ISBN: 978-3-031-17995-2