Article Preview
TopIntroduction
Web portals are important components in the context of the Internet; for example, cloud computing is a means of delivering Information Technology business services (Alhawari, Jarrah, & Hadi, 2017). Security, privacy and trust are key aspects of the new Web portals and mobile applications. Various applications (e.g., e-Wallets (Gandon & Sadeh, 2004)) access personal resources, among other critical information, increasing the need for secure and trusted interoperable systems. Trust is core issue of human interaction with Web portals, once it is necessary for users to act under uncertainty and in risk situations (Artz & Gil, 2007).
Development, maintenance and assessment of secure and trusted interoperable Web systems, and fault tolerant web systems (Nascimento, Rubira, Burrows, Castor, & Brito, 2014), demand a rigorous conceptual support. Literature presents advances in frameworks for the security assessment process (e.g., (ISO/IEC, 2013)), nevertheless formally described models, such as ontologies are still needed (Rosa & Jino, 2017).
Theoretical knowledge regarding information security assessment should be better systematized and organized. Frequently information systems are evaluated based on experts’ previous experience (Barros, Rosa, & Balcão Filho, 2013; Gartner, Ruhroth, Burger, Schneider, & Jurjens, 2014; MITRE, 2015; NIST, 2015b; OSVDB, 2015; Rosa, Jino, & Bonacin, 2017; Salini & Kanmani, 2012; Tsoumas & Gritzalis, 2006; Wita, Jiamnapanon, & Teng-amnuay, 2010).
In this context, the security assessment can be enhanced by the formal conceptualization of the domain (Rosa, Jino, & Bonacin, 2017). The semantic web ontologies may provide means to formally represent the security assessment domain in a machine and human interpretable format (Feledi & Fenz, 2012). We propose to use ontologies for representing and structuring the knowledge of the security assessment domain.
Various efforts have investigated alternatives and proposed ontologies with the objective of representing the Information Security domain and subdomains. Although there are studies relating software development processes, as a whole, with information security ontologies (e.g., (Kang & Liang, 2013; Mouratidis & Giorgini, 2008; Wen & Katt, 2018)), there is still a need for ontologies representing the relationship between the fields of “Information Security” and “Software Assessment” in a comprehensive and deeply way. The investigation of vulnerability as well as attacks is the basis for various of security assessment methods. This approach does not consider rigorous assessment coverage criteria (Rosa, Bonacin, Bueno, & Jino, 2018). The establishment of relations between concepts of “Information Security” and “Software Assessment” are necessary to determine these criteria. This may make explicit the coverage of assessed security characteristics, for instance, by its measurement; a minimal percentage of assessment coverage could be required, going beyond defense-attack issues and coverage of known vulnerabilities, providing a higher level of resilience.
Our objective is to use an ontology to represent the concepts of the Security Assessment area. The Security Assessment Ontology (SecAOnto) aims to formally represent the particularities of this area.
The ontology engineering process starts by analyzing the existing works on Information Security and Systems Assessment areas. The engineering approach is based on Barbosa, Nakagawa, & Maldonado (2006), Bermejo (2007), and Obrst, Chase, & Markeloff (2012), following the Guarino’s ontology classification (Guarino, 1998); we propose: (1) the Information Security models is reused as domain ontology; (2) the System Assessment models is reused as task ontology; and (3) the SecAOnto is developed an application ontology, representing concepts from both contexts.