Title: Towards ontological approach to eliciting risk-based security requirements

Authors: Oluwasefunmi 'Tale Arogundade; Zhi Jin; Xiaoguang Yang

Addresses: Laboratory of Management Decision and Information Systems, Academy of Mathematics and Systems Science, Chinese Academy of Sciences, Beijing, 100190, China; Department of Computer Science, Federal University of Agriculture, P.M.B 2240, Abeokuta, Ogun State, Nigeria; School of Electronics Engineering and Computer Science, Peking University, Beijing, 100871, China; Laboratory of Management Decision and Information Systems, Academy of Mathematics and Systems Science, Chinese Academy of Sciences, Beijing, 100190, China

Abstract: Security requirements managers aim at eliciting, reusing and maintaining their sets of requirements. They want well-defined, consistent and up-to-date requirements throughout the system lifecycle. This paper presents a security ontology (SO) which can be used as a basis for eliciting risk-based security requirements. The ontology is based on the security relationship model described in the National Institute of Standards and Technology Special Publication 800-12, combined with use-misuse case concepts and some extensions. We extended the use case with additional elements (action and object) to facilitate information system (IS) security policy instantiation after the system has been deployed. We incorporated risk and privilege concepts in order to represent risk knowledge in an unambiguous way and to enable the ontology to control security issues, respectively. This ontology enriches the modelling and management of risk-based safeguard requirements within the requirements engineering discipline by organising the security knowledge into a heavyweight ontology that includes concepts, concept taxonomies, relationships, properties, axioms and constraints. The ontology provides capabilities such as IS security management, traceability and reuse. The Protégé 3.3.1 OWL editor was used to code the ontology. The results of its adoption in capturing safeguard requirements of a healthcare IS are also discussed.

Keywords: security ontology; safety; security requirements; requirements engineering; threats; risks; privileges; use-misuse case; risk-based security; information system security; healthcare information systems; security management traceability; reuse.

DOI: 10.1504/IJICS.2014.065168

International Journal of Information and Computer Security, 2014 Vol.6 No.2, pp.143 - 178

Accepted: 04 Mar 2014
Published online: 15 Oct 2014
