Analysing Information Security Risk Ontologies


Ines Meriah (Université de Tunis, Institut Supérieur de Gestion, SMART Lab, Le Bardo, Tunisia) and Latifa Ben Arfa Rabai (SMART Lab, Université de Tunis, Institut Supérieur de Gestion, Tunis, Tunisie & College of Business, University of Buraimi, Al Buraimi, Oman)
DOI: 10.4018/IJSSSP.2020010101


This research work presents existing security ontologies and identifies relevant security ontology requirements in information systems. Moreover, it proposes a new classification of security ontologies in which two main families, namely ontologies based on security standards and ontologies based on security risk assessment, are defined. For each family, a set of related research works is selected and a thorough description of their security ontologies is presented. The purpose of this analysis is to identify security ontology requirements as well as ontological characteristics for each study, in order to help a security decision maker select an ontology based on their security risks and requirements as well as their needed security models and standards. By selecting the appropriate ontology, security stakeholders support security compliance and risk assessment in an enterprise.
Article Preview


The spread of the internet and the evolution of computing paradigms such as cloud computing expose organizations to cyber security issues. This is due to new vulnerabilities and potential threats that suddenly penetrate the system and disrupt its functionalities (Abercrombie et al., 2009). Thus, organizations devote an important part of their financial benefits to buying advanced security controls and implementing security mechanisms in order to avoid security problems and preserve the security properties of integrity, availability and confidentiality. According to recent estimates of a Gartner survey, spending on information security services and products is expected to grow from 86.4 billion in 2017 to 98 billion in 2018 (Gartner, 2019). According to the EY Global Information Security Survey (GISS), more than three-quarters (87%) of organizations do not yet have a sufficient budget to provide the levels of cyber security and resilience they want (Kessel, 2019). Hence, implementing expensive security products alone is not the right solution to reduce the rise in attacks and protect the enterprise. Security management and international security standards such as the ISO 27000 series should be applied in enterprises to assess security risks and reduce business investments (Humphreys, 2008). In the security field, these two requirements help security decision makers to better understand security concepts and their relationships, as well as security risk assessment models and their benefits.

The National Institute of Standards and Technology (NIST) introduces risk management as “the process of identifying risk, assessing risk, and reducing risk to an acceptable level” (Stoneburner et al., 2002). This process makes it possible to analyze security threats and mitigate the security losses of information systems. In fact, security risk assessment, as a major part of an Information Security Management System (ISMS) (Shameli-Sendi et al., 2016), estimates the risk caused by security issues in order to evaluate the security of organizational information systems (Meriah & Rabai, 2018). The risk concept represents the security harm, damage, injury or loss that is provoked by external or internal vulnerabilities (Garzia & Lambardi, 2018). According to Jouini et al. (2018), risk assessment models focus on identifying potential threats and vulnerabilities, analyze inherent business risks and provide measures, processes and controls to decrease the impact of these risks on business operations. These assessments help managers to develop mitigation plans, balance the economic and operational costs of security countermeasures, and protect the assets and systems that support their organizations’ mission (Fenz & Neubauer, 2009).

Managing security risks properly represents one of the relevant challenges in every organization. The major problem is the lack of complete information about the security issues, as well as about the controls required to address them (Straub, 1998; Meriah & Rabai, 2019). In this context, security management standards such as the ISO 27000 series are introduced as guidelines that provide several security policies, rules and controls, and that make it possible to assess business security and improve the security management process in information systems (Humphreys, 2008). According to Fenz et al. (2016), these standards are widely incorporated in enterprises to identify potential threats, adopt the appropriate controls and ensure security compliance in general.

As examples of international security standards:
