Abstract
Security is an important issue that needs to be taken into account at all stages of information system development, including early requirements elicitation. Early analysis of security makes it possible to predict threats and their impacts and to define adequate security requirements before the system is in place. Security requirements are difficult to elicit, analyze, and manage, and the fact that analysts' knowledge about security is often tacit makes the task of security requirements elicitation even harder. Ontologies are known to be a good way to formalize knowledge and, in particular, have proved useful in supporting reusability. Requirements engineering based on predefined ontologies can make the requirements engineer's job much easier and faster; however, this depends very much on the quality of the ontology that is used. Some security ontologies for security requirements have been proposed in the literature, but none of them stands out as complete. This paper presents a core and generic security ontology for security requirements engineering. Its core and generic status is attained thanks to its coverage of wide and high-level security concepts and relationships. We implemented the ontology and developed an interactive environment to facilitate its use during the security requirements engineering process. The proposed security ontology was evaluated by checking its validity and completeness compared to other ontologies. Moreover, a controlled experiment with end-users was performed to evaluate its usability.
© 2015 Springer International Publishing Switzerland
About this paper
Cite this paper
Souag, A., Salinesi, C., Mazo, R., Comyn-Wattiau, I. (2015). A Security Ontology for Security Requirements Elicitation. In: Piessens, F., Caballero, J., Bielova, N. (eds) Engineering Secure Software and Systems. ESSoS 2015. Lecture Notes in Computer Science, vol 8978. Springer, Cham. https://doi.org/10.1007/978-3-319-15618-7_13
DOI: https://doi.org/10.1007/978-3-319-15618-7_13
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-15617-0
Online ISBN: 978-3-319-15618-7