First I am going to reference some work i found on the internet which offers some interesting insights into the various different views and approaches to developing ontologies for security and cyber security.
The first is a project form 2007 which provides a Cyber Security Ontology developed in OWL – Reference: A. Herzog, N. Shahmehri, C. Duma, ‘An Ontology of Information Security’, International Journal of Information Security and Privacy, 1(4):1-23, 2007. The paper is available here.
It is interesting reading through the material produced by these projects as it shows the variety of different approaches taken to define and apply the domain of cyber security. It also highlights just how varied this domain is and how much needs to be formalised. The PoSecCo projects also describes a Security Decision Support System (SDSS) which would suggest that the models and data are being used to infer some outcome to support a decision criteria.
Whilst each of the projects above have covered different areas of security it may well be that from an ontological perspective that some consolidation of ideas and classifications are required to standardise the domain. So, and it is just my opinion, there may be two or three key ontology models required – two if cyber defence is considered a subset of cyber security. The first being the enterprise architecture ontology to provide the context for all the entities that comprise the enterprise. The second is the security ontology covering what constitutes security through policy, compliance, threat, risk and vulnerability. The third is the defence ontology which covers the technologies, methods and capabilities to protect the enterprise. Each works in conjunction to provide a range of views to understand the challenges and also to provide sufficient situational awareness to combat the increasing threat. For more information on Situational Awareness there is an excellent website called Military Ontology which whilst specific to military defence has some very thought provoking material and resources. Finally there is a paper on the subject of Situational Awareness Ontology which is well worth reading and i hope to come back to this topic in the future.
Having not had the opportunity to continue this blog and the theme of using semantics to develop the evidence based enterprise these last few years i am going to begin again with a new area of focus. The focus will be a series of posts and models covering Cyber Defence and Enterprise Architecture, an area i have been working in these last four years. I am going to start with some basic principles to cover what i will exploring:
Enterprise Architecture patterns (including conceptual models, building blocks etc) represent the basis for evidence based EA
A pattern should have a specification and qualification, at a minimum a metamodel or an ontology to provide that specification and qualification
Evidence, broadly construed, is anything presented in support of an assertion. This support may be strong or weak. The strongest type of evidence is that which provides direct proof of the truth of an assertion. (Wikipedia Definition)
Evidence should be derived from domains within the organisation through recorded instances and lessons and classified through domain ontologies.
EA patterns qualified by ontological models creates an evidential design process
So i am going to use an Enterprise Architecture Ontology, a Cyber Defence Ontology, a Security Ontology and an ITIL Service Management Ontology to provide the qualification and the guidelines for evidence within architectural patterns. So an ontology in the context of an architectural guideline or pattern representation is a specification of conceptualizations (from enterprise architecture and security domains) that constitutes evidence-based architectural practice. The evidence would be drawn from security frameworks or security operations demonstrating where weak or vulnerable architectural solutions have failed to prevent a cyber attack. For example, an architectural guideline or pattern would define a set of key concepts, decisions and actions (also concepts), as well as a set of rules (relationships) that relate the evaluation of a security decision criterion to further reasoning steps or to its associated actions. Thus enabling security restrictions or policies to enhance an architectural pattern (through Architectural and Solution Building Blocks) and improve the security aspects of a physical deployment of the future solution.
I have attached to this post a series of high level images of the Ontologies and SKOS models i will be using. The service technology model is an example the integration between the Cyber Defence Ontology, the Enterprise Architecture Ontology and the ITIL Ontology. At a high level it shows the relationships between the controls of the enterprise technology architecture, which defines the product, supplier management with a supporting actor of Security Operations, SOC supplier management and the deployed product used by Security Operations. At a further level of detail the three ontologies are able to show the interfaces between the three distinct business units (Service Management, Security Operations and Enterprise Architecture) thus providing an operating pattern for their interaction, collaboration and in particular the incident and change management processes necessary for in-life support.