Security Ontologies: Improving Quantitative Risk Analysis

IT security has become a highly diversified field, and small and medium-sized enterprises (SMEs) in particular lack the financial means to implement a holistic IT-security approach. We therefore propose a security ontology that provides a solid base for an applicable and holistic IT-security approach for SMEs, enabling low-cost risk management and threat analysis. Based on the taxonomy of computer security and dependability by Landwehr, a heavyweight ontology can be used to organize and systematically structure knowledge on threats, safeguards, and assets. Using this ontology, each threat scenario can be simulated with a different protection profile so as to evaluate the effectiveness and the cost/benefit ratio of individual safeguards.
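The simulation the abstract describes, as an added example that is not the paper's own code: a constructed mini-ontology of assets, threats and safeguards, where every subset of safeguards is a protection profile and each profile is scored by annual loss expectancy (ALE), safeguard cost and net benefit. The class layout, the ALE formula (asset value times exposure factor times annual rate of occurrence) and all figures are assumptions made for the example.

```python
from dataclasses import dataclass
from itertools import combinations

# Constructed mini-ontology (an assumption, not the paper's model): an asset has
# a value, a threat hits one asset with an annual rate (ARO) and an exposure
# factor (EF), and a safeguard scales the ARO of the threats it counters.
@dataclass
class Asset:
    name: str
    value: float
@dataclass
class Threat:
    name: str
    asset: str       # name of the threatened asset
    rate: float      # annual rate of occurrence (ARO)
    exposure: float  # fraction of the asset value lost per occurrence (EF)
@dataclass
class Safeguard:
    name: str
    cost: float            # annual cost of the safeguard
    rate_multiplier: dict  # threat name -> remaining fraction of ARO

def annual_loss_expectancy(assets, threats, profile):
    """ALE = sum of value * EF * ARO over all threats, ARO scaled by the profile's safeguards."""
    value = {a.name: a.value for a in assets}
    total = 0.0
    for t in threats:
        aro = t.rate
        for s in profile:
            aro *= s.rate_multiplier.get(t.name, 1.0)
        total += value[t.asset] * t.exposure * aro
    return total

def evaluate_profiles(assets, threats, safeguards):
    """Simulate every subset of safeguards (a protection profile), ranked by net benefit."""
    baseline = annual_loss_expectancy(assets, threats, ())
    results = []
    for k in range(len(safeguards) + 1):
        for profile in combinations(safeguards, k):
            ale = annual_loss_expectancy(assets, threats, profile)
            cost = sum(s.cost for s in profile)
            results.append({"profile": tuple(s.name for s in profile), "ale": round(ale, 2),
                            "cost": cost, "net_benefit": round(baseline - ale - cost, 2)})
    return sorted(results, key=lambda r: r["net_benefit"], reverse=True)

# Constructed sample data (illustrative figures, not from the paper).
ASSETS = [Asset("customer_db", 200_000.0), Asset("file_server", 50_000.0)]
THREATS = [Threat("ransomware", "file_server", 0.3, 0.8), Threat("data_theft", "customer_db", 0.1, 0.5)]
SAFEGUARDS = [Safeguard("offline_backup", 2_000.0, {"ransomware": 0.2}),
              Safeguard("db_encryption", 5_000.0, {"data_theft": 0.3})]
```

With the sample data the unprotected ALE is 22000; `evaluate_profiles(ASSETS, THREATS, SAFEGUARDS)` ranks the combined profile first (net benefit 9600), followed by the backup alone (7600), encryption alone (2000) and no safeguards (0).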

[1] Michael M. May et al., How much is enough? A risk management approach to computer security, 2000.

[2] Marc Donner et al., Toward a Security Ontology, IEEE Security & Privacy, 2003.

[3] Mariano Fernández-López et al., Ontological Engineering, Encyclopedia of Database Systems, 2003.

[4] Howard Raiffa et al., Applied Statistical Decision Theory, 1961.

[5] Hiromitsu Kumamoto et al., Probabilistic Risk Assessment and Management for Engineers and Scientists, 1996.

[6] Carl E. Landwehr et al., A taxonomy of computer program security flaws, ACM Computing Surveys, 1993.

[7] J. van Leeuwen et al., Information Security, Lecture Notes in Computer Science, 2003.

[8] Sean Bechhofer et al., OWL: Web Ontology Language, Encyclopedia of Database Systems, 2009.

[9] Carl E. Landwehr et al., Basic concepts and taxonomy of dependable and secure computing, IEEE Transactions on Dependable and Secure Computing, 2004.

[10] Frank Swiderski et al., Threat Modeling, Hacking Connected Cars, 2018.