Ontology Guided Risk Analysis: From Informal Specifications to Formal Metrics

  • Chapter in: Advances in Information and Intelligent Systems

Part of the book series: Studies in Computational Intelligence (SCI, volume 251)

Abstract

The level of compliance with security certification requirements is the primary driver of the decision to accredit a software system into operation with an acceptable level of risk. However, given the complexity of current software systems, the large number of natural-language Certification and Accreditation (C&A) requirements, and the ad hoc processes used to assess compliance, this decision is often based on the subjective judgment of the designated officials rather than on well-designed metrics and measures. This chapter presents our ongoing research on an ontology-guided process for building “formal metrics” that support understanding risk from the informal specification of security requirements and the related evidence collected during the C&A process. The transformation of informal sources (in the problem space) into a representation that supports well-defined metrics (in the solution space) is realized through a combination of knowledge engineering and requirements engineering techniques. Our research outlines a methodological approach to developing and understanding metrics using the structured representation of regulatory security requirements in a problem domain ontology. The metrics derived from the domain ontology create a traceable chain of analytical reasoning that links to software artifacts (e.g. requirements, design, and code). We provide concrete examples of the feasibility of our research findings through its application to a security C&A process and the resulting tool suite.



Copyright information

© 2009 Springer-Verlag Berlin Heidelberg

Cite this chapter

Gandhi, R., Lee, SW. (2009). Ontology Guided Risk Analysis: From Informal Specifications to Formal Metrics. In: Ras, Z.W., Ribarsky, W. (eds) Advances in Information and Intelligent Systems. Studies in Computational Intelligence, vol 251. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-04141-9_11

  • DOI: https://doi.org/10.1007/978-3-642-04141-9_11

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-04140-2

  • Online ISBN: 978-3-642-04141-9