Security Ontologies: A Systematic Literature Review

Conference paper
Published in: Enterprise Design, Operations, and Computing (EDOC 2022)

Abstract

Security ontologies have been developed to facilitate the organization and management of security knowledge. A comparison and evaluation of how these ontologies relate to one another is challenging due to their structure, size, complexity, and level of expressiveness. Differences between ontologies can be found on both the ontological and linguistic levels, resulting in errors and inconsistencies (i.e., different concept hierarchies, types of concepts, definitions) when comparing and aligning them. Moreover, many concepts related to security ontologies have not been thoroughly explored and do not fully meet security standards. By using standards, we can ensure that concepts and definitions are unified and coherent. In this study, we address these deficiencies by reviewing existing security ontologies to identify core concepts and relationships. The primary objective of the systematic literature review is to identify core concepts and relationships that are used to describe security issues. We further analyse and map these core concepts and relationships to five security standards (i.e., NIST SP 800-160, NIST SP 800-30 rev.1, NIST SP 800-27 rev.A, ISO/IEC 27001 and NISTIR 8053). As a contribution, this paper provides a set of core concepts and relationships that comply with the standards mentioned above and allow for a new security ontology to be developed.



Acknowledgment

This work is supported by the projects: Serendipity - Secure and dependable platforms for autonomy, grant nr: RIT17-0009, funded by the Swedish Foundation for Strategic Research (SSF) and by the DPAC - Dependable Platform for Autonomous Systems and Control, grant nr: 20150022, funded by the Knowledge foundation (KKS).

Author information

Corresponding author: Malina Adach


Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Cite this paper

Adach, M., Hänninen, K., Lundqvist, K. (2022). Security Ontologies: A Systematic Literature Review. In: Almeida, J.P.A., Karastoyanova, D., Guizzardi, G., Montali, M., Maggi, F.M., Fonseca, C.M. (eds) Enterprise Design, Operations, and Computing. EDOC 2022. Lecture Notes in Computer Science, vol 13585. Springer, Cham. https://doi.org/10.1007/978-3-031-17604-3_3

  • DOI: https://doi.org/10.1007/978-3-031-17604-3_3

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-17603-6

  • Online ISBN: 978-3-031-17604-3
