
Ontologies for information security management and governance

Edson dos Santos Moreira (Institute of Mathematics and Computer Sciences, University of São Paulo, São Paulo, Brazil)
Luciana Andréia Fondazzi Martimiano (Institute of Mathematics and Computer Sciences, University of São Paulo, São Paulo, Brazil)
Antonio José dos Santos Brandão (Institute of Mathematics and Computer Sciences, University of São Paulo, São Paulo, Brazil)
Mauro César Bernardes (Institute of Mathematics and Computer Sciences, University of São Paulo, São Paulo, Brazil)

Information Management & Computer Security

ISSN: 0968-5227

Article publication date: 6 June 2008

Abstract

Purpose

This paper aims to show the difficulties involved in dealing with the quantity and diversity of security information and with its lack of semantics. It proposes the use of ontologies to tackle the problem.

Design/methodology/approach

The paper describes the general methodology to create security ontologies and illustrates the case with the design and validation of two ontologies: system vulnerabilities and security incidents.

Findings

Two example ontologies, one related to system vulnerabilities and the other to security incidents (designed to illustrate this proposal), are described. The portability/reusability property is demonstrated, showing that information structured at lower levels (by security management tools and people) can be successfully used and understood at higher levels (by security governance tools and people).

Research limitations/implications

Work in the area of managing privacy policies, risk assessment and mitigation management, as well as CRM, business alignment and business intelligence, could be greatly eased by using an ontology to properly define the concepts involved in the area.

Practical implications

Ontologies can facilitate interoperability among different security tools by creating a single way to represent security data, allowing the data produced by any security tool (for instance, Snort) to be mapped into an ontology such as the security incident ontology described in the paper. An example showing how the two ontologies could be plugged into a high-level decision-making system is described at the end.
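As an added illustration of the mapping described above (this is example code, not code from the paper, and the paper's own ontology classes are not reproduced here), the following Python parses constructed Snort fast-format alert lines and emits each as an instance of a hypothetical `ex:SecurityIncident` class in Turtle, then answers a simple governance-level question (incidents per target host) over the parsed instances. The `ex:` namespace, the class and property names, and the Snort-priority-to-severity mapping are assumptions made for this example.

```python
"""Map Snort fast-format alert lines into instances of a (hypothetical)
security incident ontology, serialised as Turtle."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample alert lines in Snort's "fast" output format.
# SIDs are in the local-rule range and the messages are invented.
SAMPLE_ALERTS = [
    "01/15-10:23:45.123456  [**] [1:1000001:1] LOCAL example policy violation [**] "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.10:44321 -> 198.51.100.5:22",
    "01/15-10:24:01.000001  [**] [1:1000002:3] LOCAL ICMP sweep observed [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.0.2.11 -> 198.51.100.0",
]

# One fast-format alert: timestamp, [gid:sid:rev], message, optional
# classification and priority, protocol, source -> destination (ports optional,
# IPv4 only in this example).
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s+(?P<cls>[^\]]+)\])?"
    r"(?:\s+\[Priority:\s+(?P<prio>\d+)\])?"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>[^\s:]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[^\s:]+)(?::(?P<dport>\d+))?$"
)

# Assumed mapping from Snort priority to an ontology severity individual.
SEVERITY = {1: "High", 2: "Medium", 3: "Low"}


@dataclass
class Incident:
    timestamp: str
    gid: int
    sid: int
    rev: int
    message: str
    classification: Optional[str]
    priority: Optional[int]
    protocol: str
    src_ip: str
    src_port: Optional[int]
    dst_ip: str
    dst_port: Optional[int]


def parse_alert(line: str) -> Optional[Incident]:
    """Parse one fast-format line; return None if it does not match."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return Incident(
        timestamp=g["ts"], gid=int(g["gid"]), sid=int(g["sid"]), rev=int(g["rev"]),
        message=g["msg"], classification=g["cls"],
        priority=int(g["prio"]) if g["prio"] else None,
        protocol=g["proto"], src_ip=g["src"],
        src_port=int(g["sport"]) if g["sport"] else None,
        dst_ip=g["dst"], dst_port=int(g["dport"]) if g["dport"] else None,
    )


def severity_for(priority: Optional[int]) -> str:
    if priority is None:
        return "Unknown"
    return SEVERITY.get(priority, "Informational")


def host_iri(ip: str) -> str:
    # Dots are replaced so the local name stays a plain Turtle prefixed name.
    return "ex:host-" + ip.replace(".", "-")


def to_turtle(inc: Incident, idx: int) -> str:
    """Serialise one incident (and the hosts it links) as Turtle triples."""
    iri = f"ex:incident-{idx}"
    msg = inc.message.replace('"', '\\"')
    lines = [f"{iri} a ex:SecurityIncident ;",
             f'    ex:detectedAt "{inc.timestamp}" ;',
             f'    ex:description "{msg}" ;',
             f'    ex:ruleId "{inc.gid}:{inc.sid}:{inc.rev}" ;']
    if inc.classification:
        lines.append(f'    ex:classifiedAs "{inc.classification}" ;')
    lines += [f"    ex:hasSeverity ex:{severity_for(inc.priority)} ;",
              f"    ex:usesProtocol ex:{inc.protocol} ;",
              f"    ex:originatesFromHost {host_iri(inc.src_ip)} ;",
              f"    ex:targetsHost {host_iri(inc.dst_ip)} ;",
              "    ex:reportedBy ex:Snort ."]
    for ip in (inc.src_ip, inc.dst_ip):
        lines.append(f'{host_iri(ip)} a ex:Host ; ex:ipAddress "{ip}" .')
    return "\n".join(lines)


def to_turtle_document(incidents: List[Incident]) -> str:
    header = "@prefix ex: <http://example.org/secinc#> .\n"
    return header + "\n\n".join(to_turtle(inc, i + 1) for i, inc in enumerate(incidents))


def incidents_per_target(incidents: List[Incident]) -> Dict[str, int]:
    """A governance-level view over the instances: how many incidents hit each host."""
    counts: Dict[str, int] = {}
    for inc in incidents:
        counts[inc.dst_ip] = counts.get(inc.dst_ip, 0) + 1
    return counts


if __name__ == "__main__":
    parsed = [inc for inc in map(parse_alert, SAMPLE_ALERTS) if inc is not None]
    print(to_turtle_document(parsed))
    print(incidents_per_target(parsed))
```

The point of the structure is that the low-level tool output (Snort's text line) disappears behind ontology individuals and properties; a governance tool never has to know Snort's format, only `ex:SecurityIncident`, `ex:targetsHost` and `ex:hasSeverity`. Lines the parser does not recognise return `None` rather than producing a malformed instance.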

Originality/value

Although several previous papers examined the value of using ontologies to represent security information, this one looks at their properties for a possible integrated use of management and governance tools.


Citation

dos Santos Moreira, E., Andréia Fondazzi Martimiano, L., José dos Santos Brandão, A. and César Bernardes, M. (2008), "Ontologies for information security management and governance", Information Management & Computer Security, Vol. 16 No. 2, pp. 150-165. https://doi.org/10.1108/09685220810879627

Publisher: Emerald Group Publishing Limited

Copyright © 2008, Emerald Group Publishing Limited