SecAOnto: A Conceptual Model of Security Assessment

Ferrucio de Franco Rosa (CTI, Brazil & UNIFACCAMP, Brazil), Luiz Antonio Lima Teixeira Junior (CTI, Brazil), Rodrigo Bonacin (CTI, Brazil & UNIFACCAMP, Brazil) and Mario Jino (FEEC, University of Campinas, Brazil)
Copyright: © 2020 | Pages: 24
DOI: 10.4018/IJWP.2020070104

Abstract

Security assessment is crucial to the implementation and use of secure web portals. The literature reports studies on knowledge representation models for the systems assessment and information security areas; however, there is a lack of conceptual formalization for the security assessment area. The objective of the Security Assessment Ontology (SecAOnto) is to formalize knowledge on security assessment. It is based on ontologies, taxonomies, vocabularies, glossaries, and market guidelines. This paper presents an application of SecAOnto with the objective of identifying concepts in descriptions of security assessment items; the coverage of security characteristics is determined by using a coverage calculus algorithm. The application of SecAOnto and of the coverage calculus algorithm to the well-known standard ISO/IEC 27001 highlights its expressiveness. The proposal is useful for security experts and researchers in the context of security assessment, as well as for supporting web-based conceptual architectures.
Article Preview

Introduction

Web portals are important components in the context of the Internet; for example, cloud computing is a means of delivering Information Technology business services (Alhawari, Jarrah, & Hadi, 2017). Security, privacy and trust are key aspects of the new Web portals and mobile applications. Various applications (e.g., e-Wallets (Gandon & Sadeh, 2004)) access personal resources, among other critical information, increasing the need for secure and trusted interoperable systems. Trust is a core issue of human interaction with Web portals, since users must act under uncertainty and in risk situations (Artz & Gil, 2007).

Development, maintenance and assessment of secure and trusted interoperable Web systems, and of fault-tolerant web systems (Nascimento, Rubira, Burrows, Castor, & Brito, 2014), demand rigorous conceptual support. The literature presents advances in frameworks for the security assessment process (e.g., (ISO/IEC, 2013)); nevertheless, formally described models, such as ontologies, are still needed (Rosa & Jino, 2017).

Theoretical knowledge regarding information security assessment should be better systematized and organized. Frequently, information systems are evaluated based on experts’ previous experience (Barros, Rosa, & Balcão Filho, 2013; Gartner, Ruhroth, Burger, Schneider, & Jurjens, 2014; MITRE, 2015; NIST, 2015b; OSVDB, 2015; Rosa, Jino, & Bonacin, 2017; Salini & Kanmani, 2012; Tsoumas & Gritzalis, 2006; Wita, Jiamnapanon, & Teng-amnuay, 2010).

In this context, security assessment can be enhanced by a formal conceptualization of the domain (Rosa, Jino, & Bonacin, 2017). Semantic Web ontologies may provide a means to formally represent the security assessment domain in a format interpretable by both machines and humans (Feledi & Fenz, 2012). We propose to use ontologies for representing and structuring the knowledge of the security assessment domain.

Various efforts have investigated alternatives and proposed ontologies with the objective of representing the Information Security domain and its subdomains. Although there are studies relating software development processes, as a whole, to information security ontologies (e.g., (Kang & Liang, 2013; Mouratidis & Giorgini, 2008; Wen & Katt, 2018)), there is still a need for ontologies that represent the relationship between the fields of “Information Security” and “Software Assessment” comprehensively and in depth. The investigation of vulnerabilities, as well as of attacks, is the basis for various security assessment methods. This approach does not consider rigorous assessment coverage criteria (Rosa, Bonacin, Bueno, & Jino, 2018). Establishing relations between concepts of “Information Security” and “Software Assessment” is necessary to determine these criteria. This may make explicit the coverage of the assessed security characteristics, for instance by measuring it; a minimal percentage of assessment coverage could then be required, going beyond defense-attack issues and coverage of known vulnerabilities, and providing a higher level of resilience.

Our objective is to use an ontology to represent the concepts of the Security Assessment area. The Security Assessment Ontology (SecAOnto) aims to formally represent the particularities of this area.

The ontology engineering process starts by analyzing the existing works in the Information Security and Systems Assessment areas. The engineering approach is based on Barbosa, Nakagawa, & Maldonado (2006), Bermejo (2007), and Obrst, Chase, & Markeloff (2012), following Guarino’s ontology classification (Guarino, 1998); we propose that: (1) the Information Security models are reused as the domain ontology; (2) the System Assessment models are reused as the task ontology; and (3) SecAOnto is developed as an application ontology, representing concepts from both contexts.
