Skip to main content
SpringerLink
Log in

SAEOn: An Ontological Metamodel for Quantitative Security Assurance Evaluation

  • Conference paper
  • First Online:
Computer Security. ESORICS 2022 International Workshops (ESORICS 2022)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 13785))

Included in the following conference series:

  • 1007 Accesses

Abstract

Security assurance is a critical aspect in determining the trustworthiness of information and communication technology systems. Security assurance evaluation (SAE) is the process responsible for gathering assurance shreds of evidence to check if the defined security requirements are fulfilled. SAE can be generally categorized into qualitative and quantitative methods. As there is still a dearth of studies on the quantitative SAE, this paper intends to fill this gap by proposing an ontological quantitative security assurance evaluation metamodel (SAEOn). This ontology allows us to define the entities of the SAE and the assurance metrics separately and relate them to each other in a modular way. With the formal definition of SAE metamodel, the constructed knowledge content can be reused, shared, and exchanged over time. Moreover, the proposed metamodel is structured in a hierarchical fashion, by which we believe the ontology is sufficiently generic and highly customizable that can be applied in various application domains. In this paper, we present the proposed SAEOn ontology in detail, covering the aspects of design, implementation, and evaluation.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 79.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 99.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

  1. Atkinson, C., Kuhne, T.: Model-driven development: a metamodeling foundation. IEEE Softw. 20(5), 36–41 (2003)

    Article  Google Scholar 

  2. Berners-Lee, T., Hendler, J., Lassila, O.: The semantic web. Sci. Am. 284(5), 28–37 (2001)

    Article  Google Scholar 

  3. Ekclhart, A., Fenz, S., Goluch, G., Weippl, E.: Ontological mapping of common criteria’s security assurance requirements. In: Venter, H., Eloff, M., Labuschagne, L., Eloff, J., von Solms, R. (eds.) SEC 2007. IIFIP, vol. 232, pp. 85–95. Springer, Boston, MA (2007). https://doi.org/10.1007/978-0-387-72367-9_8

    Chapter  Google Scholar 

  4. Fenz, S., Ekelhart, A.: Formalizing information security knowledge. In: Proceedings of the 4th International Symposium on Information, Computer, and Communications Security. ACM (2009)

    Google Scholar 

  5. de Franco Rosa, F., Jino, M., Bonacin, R.: Towards an ontology of security assessment: a core model proposal. In: Latifi, S. (ed.) Information Technology – New Generations. AISC, vol. 738, pp. 75–80. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-77028-4_12

    Chapter  Google Scholar 

  6. Gao, J.-B., et al.: Ontology-based model of network and computer attacks for security assessment. J. Shanghai Jiaotong Univ. (Sci.) 18(5), 554–562 (2013)

    Article  Google Scholar 

  7. Gonzalez-Gil, P., Skarmeta, A.F., Martinez, J.A.: Towards an ontology for IoT context-based security evaluation. In: 2019 Global IoT Summit (GIoTS). IEEE (2019)

    Google Scholar 

  8. Gruber, T.R.: A translation approach to portable ontology specifications. Knowl. Acquisition 5(2), 199–220 (1993)

    Article  Google Scholar 

  9. Heitlager, I., Kuipers, T., Visser, J.: A practical model for measuring maintainability. In: 6th International Conference on the Quality of Information and Communications Technology (QUATIC 2007). IEEE (2007)

    Google Scholar 

  10. Herrmann, D.S.: Using the Common Criteria for IT Security Evaluation. Auerbach Publications, Boca Raton (2002)

    Book  Google Scholar 

  11. Hlomani, H., Stacey, D.J.S.W.J.: Approaches, methods, metrics, measures, and subjectivity in ontology evaluation: a survey. Semant. Web J. 1(5), 1–11 (2014)

    Google Scholar 

  12. Horrocks, I., et al.: SWRL: a semantic web rule language combining OWL and RuleML. W3C Member Submission 21(79), 1–31 (2004)

    Google Scholar 

  13. Jayalakshmi, T., Santhakumaran, A.: Statistical normalization and back propagation for classification. Int. J. Comput. Theory Eng. 3(1), 1793–8201 (2011)

    Google Scholar 

  14. Katt, B., Prasher, N.: Quantitative security assurance metrics: REST API case studies. In: Proceedings of the 12th European Conference on Software Architecture: Companion Proceedings (2018)

    Google Scholar 

  15. Katt, B., Prasher, N.: Quantitative security assurance. In: Exploring Security in Software Architecture and Design, pp. 15–46. IGI Global (2019)

    Google Scholar 

  16. Koinig, U., Tjoa, S., Ryoo, J.: Contrology-an ontology-based cloud assurance approach. In: 2015 IEEE 24th International Conference on Enabling Technologies: Infrastructure for Collaborative Enterprises. IEEE (2015)

    Google Scholar 

  17. O’Connor, M., et al.: Supporting rule system interoperability on the semantic web with SWRL. In: Gil, Y., Motta, E., Benjamins, V.R., Musen, M.A. (eds.) ISWC 2005. LNCS, vol. 3729, pp. 974–986. Springer, Heidelberg (2005). https://doi.org/10.1007/11574620_69

    Chapter  Google Scholar 

  18. Ouedraogo, M., et al.: Appraisal and reporting of security assurance at operational systems level. J. Syst. Softw. 85(1), 193–208 (2012)

    Article  Google Scholar 

  19. OWASP: OWASP Web Security Testing Guide. https://owasp.org/www-project-web-security-testing-guide/. Accessed 26 Jan 2022

  20. Powley, S., et al.: An evaluation ontology applied to connected vehicle security assurance. In: INCOSE International Symposium. Wiley Online Library (2019)

    Google Scholar 

  21. Raad, J., Cruz, C.: A survey on ontology evaluation methods. In: Proceedings of the International Conference on Knowledge Engineering and Ontology Development, part of the 7th International Joint Conference on Knowledge Discovery, Knowledge Engineering and Knowledge Management (2015)

    Google Scholar 

  22. Raskin, V., et al.: Ontology in information security: a useful theoretical foundation and methodological tool. In: Proceedings of the 2001 Workshop on New Security Paradigms (2001)

    Google Scholar 

  23. Ross, R.S.: Managing information security risk: organization, mission, and information system view (2011)

    Google Scholar 

  24. Saaty, T.L.: Decision making with the analytic hierarchy process. Int. J. Serv. Sci. 1(1), 83–98 (2008)

    Google Scholar 

  25. Shukla, A., et al.: System security assurance: a systematic literature review. arXiv preprint arXiv:2110.01904 (2021)

  26. Tudorache, T., et al.: WebProtégé: a collaborative ontology editor and knowledge acquisition tool for the web. Semant. Web 4(1), 89–99 (2013)

    Article  Google Scholar 

  27. W3C: RDF 1.1 XML Syntax. https://www.w3.org/TR/rdf-syntax-grammar/. Accessed 26 Jan 2022

  28. W3C: SPARQL 1.1 Query Language. https://www.w3.org/TR/sparql11-query/. Accessed 27 Jan 2022

  29. Wand, Y., Storey, V.C., Weber, R.: An ontological analysis of the relationship construct in conceptual modeling. ACM Trans. Database Syst. (TODS) 24(4), 494–528 (1999)

    Article  Google Scholar 

  30. Wang, J.A., Guo, M.: OVM: an ontology for vulnerability management. In: Proceedings of the 5th Annual Workshop on Cyber Security and Information Intelligence Research: Cyber Security and Information Intelligence Challenges and Strategies (2009)

    Google Scholar 

  31. Wang, J.A., et al.: Ontology-based security assessment for software products. In: Proceedings of the 5th Annual Workshop on Cyber Security and Information Intelligence Research: Cyber Security and Information Intelligence Challenges and Strategies (2009)

    Google Scholar 

  32. Wen, S.-F., Shukla, A., Katt, B.: Developing security assurance metrics to support quantitative security assurance evaluation. J. Cybersecur. Priv. 2(3), 587–605 (2022)

    Article  Google Scholar 

  33. Yavagal, D.S., et al.: Common criteria requirements modeling and its uses for quality of information assurance (QoIA). In: Proceedings of the 43rd Annual Southeast Regional Conference, vol. 2 (2005)

    Google Scholar 

Download references

Acknowledgment

This research work is financially supported by the SFI Norwegian Centre for Cybersecurity in Critical Sectors (NORCICS, NFR project number: 310105).

Author information

Authors and Affiliations

  1. Department of Information Security and Communication Technology, Norwegian University of Science and Technology, Gjøvik, Norway

    Shao-Fang Wen & Basel Katt

Authors
  1. Shao-Fang Wen
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Basel Katt
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Shao-Fang Wen .

Editor information

Editors and Affiliations

  1. Norwegian University of Science and Technology, Gjøvik, Norway

    Sokratis Katsikas

  2. Polytechnique Montréal, Montreal, Canada

    Frédéric Cuppens

  3. University of the Aegean, Mytilene, Greece

    Christos Kalloniatis

  4. University of Toronto, Toronto, ON, Canada

    John Mylopoulos

  5. Technical University of Berlin, Berlin, Germany

    Frank Pallas

  6. Alexander von Humboldt Institute for Internet and Society, Berlin, Germany

    Jörg Pohle

  7. Ruhr University Bochum, Bochum, Germany

    M. Angela Sasse

  8. Norwegian Computing Center, Oslo, Norway

    Habtamu Abie

  9. University of Trento, Trento, Italy

    Silvio Ranise

  10. University of Genoa, Genoa, Italy

    Luca Verderame

  11. Consiglio Nazionale delle Ricerche (CNR), Genoa, Italy

    Enrico Cambiaso

  12. Indra, Alcobendas, Spain

    Jorge Maestre Vidal

  13. Indra, Alcobendas, Spain

    Marco Antonio Sotelo Monge

  14. George Mason University, Fairfax, VA, USA

    Massimiliano Albanese

  15. Norwegian University of Science and Technology, Gjøvik, Norway

    Basel Katt

  16. Norwegian Computing Center, Oslo, Norway

    Sandeep Pirbhulal

  17. Institute for Energy Technology, Halden, Norway

    Ankur Shukla

Rights and permissions

Reprints and permissions

Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Wen, SF., Katt, B. (2023). SAEOn: An Ontological Metamodel for Quantitative Security Assurance Evaluation. In: Katsikas, S., et al. Computer Security. ESORICS 2022 International Workshops. ESORICS 2022. Lecture Notes in Computer Science, vol 13785. Springer, Cham. https://doi.org/10.1007/978-3-031-25460-4_35

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-25460-4_35

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-25459-8

  • Online ISBN: 978-3-031-25460-4

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation