Information Security Ontology
In a nutshell

The AURUM Information Security Ontology provides unified and machine-readable information security knowledge sharing, enabling users to collaboratively understand and extend the knowledge body. Its application within the risk management framework AURUM provides its users with the basis for automated risk and compliance management..


Your Benefits
  • Formalized IT Security Knowledge
  • Efficient Knowledge Sharing
  • Better Decision Making
  • Increased Awareness
  • Companies
  • Cities
Learn more about the
As companies are increasingly exposed to a variety of information security threats, they are permanently forced to pay attention to security issues.

Information security knowledge is fragmented, not machine-readable, difficult to share, and mostly static, i.e., security professionals have to compile security programs based on isolated and often outdated resources. Automated tools for knowledge capturing and processing cannot be used due to the missing machine-readability of existing knowledge sources.

The development of an effective and efficient information security program requires the involvement of stakeholders such as end-users and senior management. However, most stakeholders lack the required knowledge of information security issues that would allow them to play an important role in information security management.

Deeper knowledge about the final information security program is usually kept by a few individuals per organization with little overlap and few networks utilizing the fragmented knowledge.

Organizations that were involved in our recent field studies typically verify and check their approaches to security problems against what other organizations are doing (Benchmarking). Existing methods and tools do not support this functionality.

Semantic risk management

Risk management provides an effective approach for measuring the security through risk assessment, risk mitigation and evaluation.

Traditional risk management approaches demand very detailed knowledge about the IT security domain and the actual company environment.

Have a look at the unique
Share your corporate knowledge
Create, modify, discuss knowledge regarding threats, vulnerabilities, controls, and control implementations with regard to ITSEC standards such as ISO 27001 (based on the Security Ontology).
Multi-level Architecture
Multi-level architecture differentiating between the generic knowledge base, the domain-specific knowledge base and the organization-specific knowledge base.
Formalize your corporate knowledge
The security ontology formalizes information security knowledge with regard to threats, vulnerabilities, controls, and their interdependencies.
Collaborative and web-based
The web-based knowledge repository UI allows you to browse, extend, and edit the knowledge base in a collaborative way.
Efficient decision making
FORISK is designed to minimize the interaction between user and system and to provide decision makers with an intuitive solution that can be used without extensive domain knowledge.
Basis for risk management
The knowledge base can be used to support compatible risk and compliance management tools with information security background knowledge.
Automated Reasoning
The entire knowledge is stored in a machine-readable way (W3C OWL standard) and allows you to use the knowledge base for automated risk- and compliance management activities. FORISK automatically considers interdependencies and compatibility between different measures.
Legal compliance
FORISK supports corporate decision makers in identifying the optimal information security concept in terms of costs, effectiveness, and compliance to common ITSEC standards.
Get your personal demo
Find out
How it works
The security ontology was proposed based on the security relationship model described in the National Institute of Standards and Technology (NIST) Special Publication 800-12. The figure below shows the high-level concepts and corresponding relations of the ontology. A threat gives rise to follow-up threats, represents a potential danger to the organization’s assets and affects specific security attributes (e.g. confidentiality, integrity, and/or availability) as soon as it exploits a vulnerability in the form of a physical, technical, or administrative weakness. Additionally each threat is described by potential threat origins (human or natural origin) and threat sources (accidental or deliberate source). For each vulnerability a severity value and the asset on which the vulnerability could be exploited is assigned. Controls have to be implemented to mitigate an identified vulnerability and to protect the respective assets by preventive, corrective, deterrent, recovery, or detective measures (control type).
Each control is implemented as asset concept, or as combinations thereof. Controls are derived from and correspond to best-practice and information security standard controls (e.g., the German IT Grundschutz Manual and ISO/IEC 27001) to ensure the incorporation of widely accepted knowledge. The controls are modeled on a highly granular level and are thus reusable for different standards. When implementing the controls, a compliance with various information security standards is implicit. To enrich the knowledge model with concrete information security knowledge the German IT Grundschutz Manual (Grundschutzhandbuch) has been superimposed on the security ontology and more than 500 information security concepts and 600 corresponding formal axioms are integrated into the ontological knowledge base. The coded ontology follows the OWL-DL (W3C Web Ontology Language) standard and ensures that the knowledge is represented in a standardized form.
The threat subontology build upon Peltier’s threat classification, comprises natural, accidental and intentional threats at the highest level, followed by a detailed subclassification. An in-depth threat description for clarity, as well as endangered security objectives, following the security- and dependability taxonomy referring to Avizienis et al. (confidentiality, integrity, availability, accountability, authenticity, reliability and safety), are provided for each threat. This is useful if a company wants to prioritize their IT security strategy regarding specific attributes. Often the occurrence of a threat gives rise to or intensifies other threats, therefore these relationships are reflected in the ontology.

The annual rate of occurrence of each threat is stored within the probability concept which is linked to the threat and location subontology to map location-dependent threat occurrence rates. For natural threats such as flood and earthquake national weather and research centers provide proper data-sets to determine annual occurrence rates. Local law enforcement agencies are able to provide data for intentional threats such as theft, active wiretapping and vandalism and for accidental threats such as power-outage the local energy supply company is able to provide reliable data about former power-outages. Insurance companies can be also used to get reliable data regarding specific threat occurrence rates.

Furthermore, each threat exploits one or more vulnerabilities which can be found in the vulnerability subontology. Understanding the relationships between threats and endangered assets is vital for a comprehensive security planning and thus these connections have been integrated. Assets are reflected by classes in the infrastructure subontology.

In the following an example is given to clarify the threat ontology: Unauthorized access to the office building is a subclass of the class unauthorized access. If this threat would be given rise by a threat agent, availability would be affected the most. While simple unauthorized access could have damaged windows or doors as consequence, the possible subsequent threats, e.g. theft of hardware or vandalism, could have severe impact on the company’s availability, confidentiality and integrity. Defined vulnerabilities which could be exploited by the unauthorized access threat to the office building are doors or windows with a low level of security or the unauthorized dissemination of access credentials by employees.

A vulnerability is the absence of a proper safeguard that could be exploited by a threat. We subclassified the subontology vulnerability into three distinct classes: (1) administrative vulnerability, (2) physical vulnerability, and (3) technical vulnerability. Each vulnerability can be exploited by predefined threats of the threat subontology and mitigation is achieved by selection of one or more controls which are implemented by elements from either the infrastructure, control or software subontology.

The infrastructure section of the Security Ontology contains a wide range of physical elements which are utilized within an organization. Parts of the categorization such as the IT and telecommunication branch follow established standards like the United Nations Standard Products and Services Code to ensure a standardized structure. To guarantee that the entire organization can be mapped to the ontology, the infrastructure subontology also provides structural elements which enable the mapping of the physical environment elements, such as buildings, floors, rooms, windows or doors. Vulnerability severity ratings (critical, important, moderate and low) enable an additional classification. In the case of physical vulnerabilities we added an extra relation that indicates the corresponding infrastructure element that causes a certain vulnerability, e.g. a door with a low security rating.

Compared to the infrastructure part of the Security Ontology the control subontology provides administrative elements which are atomic elements coming from best-practice standards, guidelines, baselines, procedures and security frameworks such as ISO27001, ISO17799, Cobit, ITIL, and BSI.

The following example should clarify the idea of the described vulnerability subontology: A physical vulnerability would be windows with a low security rating used within the organization’s building. This circumstance can be exploited by the threat unauthorized access, which was described in the previous section. The ontology indicates that this vulnerability is caused by the usage of standard windows and thus appropriate safeguards to reduce the vulnerability would be the implementation of more secure window types such as wired windows or acrylic windows.

Vulnerabilities can be reduced by installing infrastructure resources, implementing organizational controls, and/or deploying specific software products, depending on the vulnerability’s nature. Certain infrastructure resources demand other resources to be effective, e.g. a fire extinguishing system depends on fire detectors. By adding links between infrastructure elements this requirement can be modeled.

The approach and the corresponding knowledge base are not restricted to a certain organization. Instead knowledge is shared on a global level to mitigate the inefficient ‘reinventing the security wheel’ practice. With a collaboratively editable and machine-readable information security knowledge base, organizations should be able to reduce their costs at knowledge capturing and processing for information security compliance and risk management tasks.

Browse the SecurityOntology online