A Security Ontology for Security Requirements Elicitation

  • Amina Souag
  • Camille Salinesi
  • Raúl Mazo
  • Isabelle Comyn-Wattiau
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8978)


Security is an important issue that needs to be taken into account at all stages of information system development, including early requirements elicitation. Early analysis of security makes it possible to predict threats and their impacts and define adequate security requirements before the system is in place. Security requirements are difficult to elicit, analyze, and manage. The fact that analysts’ knowledge about security is often tacit makes the task of security requirements elicitation even harder. Ontologies are known for being a good way to formalize knowledge. Ontologies, in particular, have been proved useful to support reusability. Requirements engineering based on predefined ontologies can make the job of requirement engineering much easier and faster. However, this very much depends on the quality of the ontology that is used. Some security ontologies for security requirements have been proposed in the literature. None of them stands out as complete. This paper presents a core and generic security ontology for security requirements engineering. Its core and generic status is attained thanks to its coverage of wide and high-level security concepts and relationships. We implemented the ontology and developed an interactive environment to facilitate the use of the ontology during the security requirements engineering process. The proposed security ontology was evaluated by checking its validity and completeness compared to other ontologies. Moreover, a controlled experiment with end-users was performed to evaluate its usability.


Security ontology concepts security requirements elicitation 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Denker, G., Kagal, L., Finin, T.: Security in the Semantic Web using OWL. Information Security Technical Report 10(1), 51–58 (2005)CrossRefGoogle Scholar
  2. 2.
    Norton, 2012 Norton Cybercrime report (July 2012)Google Scholar
  3. 3.
    Kauppinen, M., Kujala, S., Aaltio, T., Lehtola, L.: Introducing requirements engineering: how to make a cultural change happen in practice. In: Proceedings IEEE Joint International Conference on Requirements Engineering (RE 2002), pp. 43–51 (2002)Google Scholar
  4. 4.
    Elahi, G., Yu, E., Li, T., Liu, L.: Security Requirements Engineering in the Wild: A Survey of Common Practices. In: Proceedings of COMPSAC 2011, pp. 314–319 (2011)Google Scholar
  5. 5.
    Donner, M.: Toward a Security Ontology. IEEE Security and Privacy 1(3), 6–7 (2003),
  6. 6.
    Souag, A.: Towards a new generation of security requirements definition methodology using ontologies. In: Proceedings of 24th International Conference on Advanced Information Systems Engineering (CAiSE 2012), Gdańsk, Poland, June 25-29, pp. 1–8 (2012)Google Scholar
  7. 7.
    Souag, A., Salinesi, C., Comyn-Wattiau, I.: Ontologies for Security Requirements: A Literature Survey and Classification. In: Bajec, M., Eder, J. (eds.) CAiSE Workshops 2012. LNBIP, vol. 112, pp. 61–69. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  8. 8.
    Blanco, C., Lasheras, J., Valencia-Garcia, R., Fernandez-Medina, E., Toval, A., Piattini, M.: A Systematic Review and Comparison of Security Ontologies. In: The Third International Conference on Availability, Reliability and Security, ARES 2008, pp. 813–820 (2008)Google Scholar
  9. 9.
    Souag, A., Salinesi, C., Wattiau, I., Mouratidis, H.: Using Security and Domain Ontologies for Security Requirements Analysis. In: IEEE 37th Annual Computer Software and Applications Conference Workshops (COMPSACW), pp. 101–107 (2013)Google Scholar
  10. 10.
    Salinesi, C., Ivankina, E., Angole, W.: Using the RITA Threats Ontology to Guide Requirements Elicitation: an Empirical Experiment in the Banking Sector. In: First International Workshop on Managing Requirements Knowledge, MARK 2008, pp. 11–15 (2008)Google Scholar
  11. 11.
    Daramola, O., Sindre, G., Moser, T.: Ontology-Based Support for Security Requirements Specification Process. In: Herrero, P., Panetto, H., Meersman, R., Dillon, T. (eds.) OTM-WS 2012. LNCS, vol. 7567, pp. 194–206. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  12. 12.
    Velasco, J.L., Valencia-Garcia, R., Fernandez-Breis, J.T., T.: Modelling Reusable Security Requirements Based on an Ontology Framework. Journal of Research and Practice in Information Technology 41(2), 119 (2009)Google Scholar
  13. 13.
    Salini, P., Kanmani, S.: A Knowledge-oriented Approach to Security Requirements for an E-Voting System. International Journal of Computer Applications 49(11), 21–25 (2012)CrossRefGoogle Scholar
  14. 14.
    Dritsas, S., Gymnopoulos, L., Karyda, M., Balopoulos, T., Kokolakis, S., Lambrinoudakis, C., Katsikas, S.: A knowledge-based approach to security requirements for e-health applications. Electronic Journal for E-Commerce Tools and Applications (2006)Google Scholar
  15. 15.
    Massacci, F., Mylopoulos, J., Zannone, N.: An ontology for secure socio-technical systems. Handbook of Ontologies for Business Interactions. IDEA Group (2007)Google Scholar
  16. 16.
    Blanco, C., Lasheras, J., Fernández-Medina, E., Valencia-García, R., T.: Basis for an integrated security ontology according to a systematic review of existing proposals. Computer Standards and Interfaces 33(4), 372–388 (2011)CrossRefGoogle Scholar
  17. 17.
    Undercoffer, J., Joshi, A., Pinkston, J.: Modeling Computer Attacks: An Ontology for Intrusion Detection. In: The 6th International Symposium on Recent Advances in Intrusion Detection, pp. 113–135 (2003)Google Scholar
  18. 18.
    Geneiatakis, D., Lambrinoudakis, C.: An ontology description for SIP security flaws. Computer Communications 30(6), 1367–1374 (2007)CrossRefGoogle Scholar
  19. 19.
    Denker, G., Kagal, L., Finin, T.W., Paolucci, M., Sycara, K.: Security for DAML Web Services: Annotation and Matchmaking. In: Fensel, D., Sycara, K., Mylopoulos, J. (eds.) ISWC 2003. LNCS, vol. 2870, pp. 335–350. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  20. 20.
    Denker, G., Nguyen, S., Ton, A.: OWL-S Semantics of Security Web Services: a Case Study. In: Bussler, C.J., Davies, J., Fensel, D., Studer, R. (eds.) ESWS 2004. LNCS, vol. 3053, pp. 240–253. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  21. 21.
    Karyda, M., Balopoulos, T., Dritsas, S., Gymnopoulos, L., Kokolakis, S., Lambrinoudakis, C., Gritzalis, S.: An ontology for secure e-government applications. In: The First International Conference on Availability, Reliability and Security, ARES 2006, p. 5 (2006)Google Scholar
  22. 22.
    Tsoumas, B., Gritzalis, D.: Towards an Ontology-based Security Management. In: 20th International Conference on Advanced Information Networking and Applications, AINA 2006, vol. 1, pp. 985–992 (2006)Google Scholar
  23. 23.
    Herzog, A., Shahmehri, N., Duma, C.: An Ontology of Information Security. International Journal of Information Security and Privacy 1(4), 1–23 (2007)CrossRefGoogle Scholar
  24. 24.
    Fenz, S., Ekelhart, A.: Formalizing information security knowledge. In: Proceedings of the 4th International Symposium on Information, Computer, and Communications Security, New York, NY, USA, pp. 183–194 (2009)Google Scholar
  25. 25.
    Fernández-López, M., Gómez-Pérez, A., Juristo, N.: METHONTOLOGY: From Ontological Art Towards Ontological Engineering. In: Proceedings of the Ontological Engineering AAAI-97 Spring Symposium Series, Stanford University, EEUU (1997)Google Scholar
  26. 26.
    Jones, D., Bench-capon, T., Visser, P.: Methodologies For Ontology Development. In: Proceedings IT&KNOWS Conference of the 15th IFIP World Computer Congress, pp. 62–75 (1998)Google Scholar
  27. 27.
    Mayer, N.: Model-based Management of Information System Security Risk. Presses universitaires de Namur (2012)Google Scholar
  28. 28.
  29. 29.
    ISO/IEC 13335-1:2004 Information technology – Security techniques – Management of information and communications technology security – Part 1: Concepts and models for information and communications technology security management (2004)Google Scholar
  30. 30.
    Staab, S., Maedche, A.: Axioms are Objects, too – Ontology Engineering beyond the Modeling of Concepts and Relations. In: Workshop on Applications of Ontologies and Problem-Solving Methods, ECAI 2000, Berlin (2000)Google Scholar
  31. 31.
    Lekhchine, R.: Construction d’une ontologie pour le domaine de la sécurité: application aux agents mobiles (2009)Google Scholar
  32. 32.
    Sure, Y., Angele, J., Staab, S.: OntoEdit: Guiding Ontology Development by Methodology and Inferencing. In: Meersman, R., Tari, Z. (eds.) CoopIS 2002, DOA 2002, and ODBASE 2002. LNCS, vol. 2519, pp. 1205–2011. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  33. 33.
    Farquhar, A., Fikes, R., Rice, J.: The Ontolingua Server: a tool for collaborative ontology construction. International Journal of Human Computer Studies 46(6), 707–727 (1997)CrossRefGoogle Scholar
  34. 34.
    Horridge, M., Knublauch, H., Rector, A., Stevens, R., Wroe, C.: A Practical Guide To Building OWL Ontologies Using The Protégé-OWL Plugin and CO-ODE Tools Edition 1.0. University of Manchester (2004)Google Scholar
  35. 35.
    O’Connor, M.J., Das, A.K.: SQWRL: A Query Language for OWL. In: OWLED, vol. 529 (2009)Google Scholar
  36. 36.
    Uschold, M., Gruninger, M., Uschold, M., Gruninger, M.: Ontologies: Principles, methods and applications. Knowledge Engineering Review 11, 93–136 (1996)CrossRefGoogle Scholar
  37. 37.
    Kitchenham, B.A., Pfleeger, S.L., Pickard, L.M., Jones, P.W., Hoaglin, D.C., El Emam, K., Rosenberg, J.: Preliminary guidelines for empirical research in software engineering. IEEE Transactions Software Engineering 28(8), 721–734 (2002)CrossRefGoogle Scholar
  38. 38.
    de la Défense Nationale, S.G.: EBIOS-Expression des Besoins et Identification des Objectifs de Sécurité (2004)Google Scholar
  39. 39.
    Mouratidis, H., Giorgini, P.: Secure Tropos: A Security-Oriented Extension of the Tropos Methodology. International Journal of Software Engineering and Knowledge Engineering 17(02), 285–309 (2007)CrossRefGoogle Scholar
  40. 40.
    Kim, A., Luo, J., Kang, M.: Security Ontology for Annotating Resources. In Research Lab, NRL Memorandum Report, p. 51 (2005)Google Scholar
  41. 41.
    Martimiano, A.F.M., Moreira, E.S.: An owl-based security incident ontology. In: Proceedings of the Eighth International Protege Conference, pp. 43–44 (2005)Google Scholar
  42. 42.
    Lawrence, P.S.: Experimental design and analysis in software engineering. Annals of Software Engineering 1(1), 219–253 (1995)CrossRefGoogle Scholar
  43. 43.
    Davis, F.D.: Perceived Usefulness, Perceived Ease of Use, and User Acceptance of Information Technology. MIS Quarterly, 319–340 (1989)Google Scholar
  44. 44.
    Norton, 2013 Norton Cybercrime report (July 2013)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Amina Souag
    • 1
  • Camille Salinesi
    • 1
  • Raúl Mazo
    • 1
  • Isabelle Comyn-Wattiau
    • 2
  1. 1.CRI -Paris 1 Sorbonne UniversityParisFrance
  2. 2.CEDRIC-CNAM & ESSEC Business SchoolParisFrance

Personalised recommendations