TY - GEN
T1 - Building problem domain ontology from security requirements in regulatory documents
AU - Lee, Seok Won
AU - Gandhi, Robin
AU - Muthurajan, Divya
AU - Yavagal, Deepak
AU - Ahn, Gail Joon
PY - 2006/5/21
Y1 - 2006/5/21
N2 - Establishing secure systems assurance based on Certification and Accreditation (C&A) activities, requires effective ways to understand the enforced security requirements, gather relevant evidences, perceive related risks in the operational environment, and reveal their causal relationships with other domain concepts. However, C&A security requirements are expressed in multiple regulatory documents with complex interdependencies at different levels of abstractions that often result in subjective interpretations and non-standard implementations. Their non-functional nature imposes complex constraints on the emergent behavior of software-intensive systems, making them hard to understand, predict, and control. To address these issues, we present novel techniques from software requirements engineering and knowledge engineering for systematically extracting, modeling, and analyzing security requirements and related concepts from multiple C&A-enforced regulatory documents. We employ advanced ontological engineering processes as our primary modeling technique to represent complex and diverse characteristics of C&A security requirements and related domain knowledge. We apply our methodology to build problem domain ontology from regulatory documents enforced by the Department of Defense Information Technology Security Certification and Accreditation Process (DITSCAP).
AB - Establishing secure systems assurance based on Certification and Accreditation (C&A) activities, requires effective ways to understand the enforced security requirements, gather relevant evidences, perceive related risks in the operational environment, and reveal their causal relationships with other domain concepts. However, C&A security requirements are expressed in multiple regulatory documents with complex interdependencies at different levels of abstractions that often result in subjective interpretations and non-standard implementations. Their non-functional nature imposes complex constraints on the emergent behavior of software-intensive systems, making them hard to understand, predict, and control. To address these issues, we present novel techniques from software requirements engineering and knowledge engineering for systematically extracting, modeling, and analyzing security requirements and related concepts from multiple C&A-enforced regulatory documents. We employ advanced ontological engineering processes as our primary modeling technique to represent complex and diverse characteristics of C&A security requirements and related domain knowledge. We apply our methodology to build problem domain ontology from regulatory documents enforced by the Department of Defense Information Technology Security Certification and Accreditation Process (DITSCAP).
KW - Information Security Requirements Engineering
KW - Information Systems Certification and Accreditation
KW - Ontological Engineering
KW - Secure Software Assurance
UR - http://www.scopus.com/inward/record.url?scp=84953384559&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84953384559&partnerID=8YFLogxK
U2 - 10.1145/1137627.1137635
DO - 10.1145/1137627.1137635
M3 - Conference contribution
AN - SCOPUS:84953384559
T3 - Proceedings - International Conference on Software Engineering
SP - 43
EP - 49
BT - Proceedings of the 2006 International Workshop on Self-Adaptation and Self-Managing Systems, SEAMS 2006, Co-located with the 28th International Conference on Software Engineering, ICSE 2006
PB - IEEE Computer Society
T2 - International Workshop on Software Engineering for Secure Systems, SESS 2006
Y2 - 20 May 2006 through 21 May 2006
ER -