An Ontology-Based Approach to Information Systems Security Management
Bill Tsoumas, Stelios Dritsas, and Dimitris Gritzalis *
Dept. of Informatics, Athens University of Economics and Business,
76 Patission Ave., Athens GR-10434, Greece
{bts, sdritsas, dgrit}@aueb.gr
Abstract. The complexity of modern information systems (IS) imposes novel
security requirements. On the other hand, the ontology paradigm aims to support
knowledge sharing and reuse in an explicit and mutually agreed manner.
Therefore, in this paper we set the foundations for establishing a knowledge-based,
ontology-centric framework with respect to the security management of an
arbitrary IS. We demonstrate that the linking between high-level policy statements
and deployable security controls is possible and the implementation is
achievable. This framework may support critical security expert activities with respect
to security requirements identification and selection of certain controls and
countermeasures. In addition, we present a structured approach for establishing
a security management framework and identify its critical parts. Our security
ontology is represented in a neutral manner, based on well-known
security standards, extending widely used information systems modeling
approaches.
Keywords: Security Management, Security Policy, IS Security, Security
Ontology.
1 Introduction
Modern information systems offer organizations and individuals many benefits. The
advances in information and communication technologies (ICT) offer dramatic cost
savings and can introduce new capabilities to support new and diverse
services to organizations and/or end users. A combination of conventional networks and
wireless- and sensor-aware devices with traditional installations, such as mainframes,
is becoming more and more popular. The dynamic character of IS exacerbates the
security risks innate in any IS; the lack of effective inclusion of security requirements
during system development is the most important reason, which is further stressed by the
rush of commercial competition. In addition, new technologies face several categories
of risks; a number of these risks are similar to those of a conventional IS, while others
are introduced by the new technologies' immaturity and the lack of efficient
integration with conventional ones. As an example, we might consider the vulnerabilities
introduced by wireless, where the airwave, used as the underlying communication
medium, might be an easy target for malicious users.
* Corresponding author.
 