Building problem domain ontology from security requirements in regulatory documents

Seok Won Lee, Robin Gandhi, Divya Muthurajan, Deepak Yavagal, Gail-Joon Ahn

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

23 Citations (Scopus)

Abstract

Establishing secure systems assurance based on Certification and Accreditation (C&A) activities requires effective ways to understand the enforced security requirements, gather relevant evidence, perceive related risks in the operational environment, and reveal their causal relationships with other domain concepts. However, C&A security requirements are expressed in multiple regulatory documents with complex interdependencies at different levels of abstraction, which often results in subjective interpretations and non-standard implementations. Their non-functional nature imposes complex constraints on the emergent behavior of software-intensive systems, making them hard to understand, predict, and control. To address these issues, we present novel techniques from software requirements engineering and knowledge engineering for systematically extracting, modeling, and analyzing security requirements and related concepts from multiple C&A-enforced regulatory documents. We employ advanced ontological engineering processes as our primary modeling technique to represent the complex and diverse characteristics of C&A security requirements and related domain knowledge. We apply our methodology to build a problem domain ontology from regulatory documents enforced by the Department of Defense Information Technology Security Certification and Accreditation Process (DITSCAP).

Original language: English (US)
Title of host publication: Proceedings - International Conference on Software Engineering
Publisher: IEEE Computer Society
Pages: 43-49
Number of pages: 7
Volume: 2006-May
ISBN (Print): 1595934030, 1595934111, 9781595934031, 9781595934116
DOIs: https://doi.org/10.1145/1137627.1137635
State: Published - May 21 2006
Externally published: Yes
Event: International Workshop on Software Engineering for Secure Systems, SESS 2006 - Shanghai, China
Duration: May 20 2006 to May 21 2006

Other

Other: International Workshop on Software Engineering for Secure Systems, SESS 2006
Country: China
City: Shanghai
Period: 5/20/06 to 5/21/06

Fingerprint

Accreditation
Ontology
Knowledge engineering
Requirements engineering
Information technology

Keywords

  • Information Security Requirements Engineering
  • Information Systems Certification and Accreditation
  • Ontological Engineering
  • Secure Software Assurance

ASJC Scopus subject areas

  • Software

Cite this

Lee, S. W., Gandhi, R., Muthurajan, D., Yavagal, D., & Ahn, G-J. (2006). Building problem domain ontology from security requirements in regulatory documents. In Proceedings - International Conference on Software Engineering (Vol. 2006-May, pp. 43-49). [1137635] IEEE Computer Society. https://doi.org/10.1145/1137627.1137635

@inproceedings{be8937d3af764d458d1269097cd0b3af,
title = "Building problem domain ontology from security requirements in regulatory documents",
abstract = "Establishing secure systems assurance based on Certification and Accreditation (C&A) activities, requires effective ways to understand the enforced security requirements, gather relevant evidences, perceive related risks in the operational environment, and reveal their causal relationships with other domain concepts. However, C&A security requirements are expressed in multiple regulatory documents with complex interdependencies at different levels of abstractions that often result in subjective interpretations and non-standard implementations. Their non-functional nature imposes complex constraints on the emergent behavior of software-intensive systems, making them hard to understand, predict, and control. To address these issues, we present novel techniques from software requirements engineering and knowledge engineering for systematically extracting, modeling, and analyzing security requirements and related concepts from multiple C&A-enforced regulatory documents. We employ advanced ontological engineering processes as our primary modeling technique to represent complex and diverse characteristics of C&A security requirements and related domain knowledge. We apply our methodology to build problem domain ontology from regulatory documents enforced by the Department of Defense Information Technology Security Certification and Accreditation Process (DITSCAP).",
keywords = "Information Security Requirements Engineering, Information Systems Certification and Accreditation, Ontological Engineering, Secure Software Assurance",
author = "Lee, {Seok Won} and Robin Gandhi and Divya Muthurajan and Deepak Yavagal and Gail-Joon Ahn",
year = "2006",
month = "5",
day = "21",
doi = "10.1145/1137627.1137635",
language = "English (US)",
isbn = "1595934030",
volume = "2006-May",
pages = "43--49",
booktitle = "Proceedings - International Conference on Software Engineering",
publisher = "IEEE Computer Society",

}
