An Ontology-Based Approach to Information Systems Security Management

  • Bill Tsoumas
  • Stelios Dritsas
  • Dimitris Gritzalis
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3685)


The complexity of modern information systems (IS) imposes novel security requirements. At the same time, the ontology paradigm aims to support knowledge sharing and reuse in an explicit and mutually agreed manner. In this paper we therefore set the foundations for a knowledge-based, ontology-centric framework for the security management of an arbitrary IS. We demonstrate that linking high-level policy statements to deployable security controls is possible and that the implementation is achievable. This framework may support critical security expert activities, namely the identification of security requirements and the selection of specific controls and countermeasures. In addition, we present a structured approach for establishing a security management framework and identify its critical parts. Our security ontology is represented in a neutral manner, is based on well-known security standards, and extends widely used information systems modeling approaches.


Keywords: Security Management, Security Policy, IS Security, Security Ontology





Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Bill Tsoumas, Dept. of Informatics, Athens University of Economics and Business, Athens, Greece
  • Stelios Dritsas, Dept. of Informatics, Athens University of Economics and Business, Athens, Greece
  • Dimitris Gritzalis, Dept. of Informatics, Athens University of Economics and Business, Athens, Greece
