A Survey of Security Assessment Ontologies

  • Ferrucio de Franco Rosa
  • Mario Jino
Conference paper
Part of the Advances in Intelligent Systems and Computing book series (AISC, volume 569)


A literature survey on ontologies concerning the Security Assessment domain has been carried out to uncover initiatives that aim at formalizing concepts from the “Security Assessment” field of research. A preliminary analysis and a discussion on the selected works are presented. Our main contribution is an updated literature review, describing key characteristics, results, research issues, and application domains of the papers. We have also detected gaps in the Security Assessment literature that could be the subject of further studies in the field. This work is meant to be useful for security researchers who wish to adopt a formal approach in their methods.


Keywords

Software assessment, Information security, Security assessment, Ontology, Information, Knowledge management



Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  1. Renato Archer Information Technology Center (CTI), Campinas, Brazil
  2. School of Electrical and Computer Engineering at University of Campinas (UNICAMP), Campinas, Brazil
