Abstract

Security assurance is a critical aspect in determining the trustworthiness of information and communication technology systems. Security assurance evaluation (SAE) is the process responsible for gathering assurance evidence to check whether the defined security requirements are fulfilled. SAE methods can be broadly categorized as qualitative or quantitative. As there is still a dearth of studies on quantitative SAE, this paper intends to fill this gap by proposing an ontological quantitative security assurance evaluation metamodel (SAEOn). This ontology allows us to define the entities of the SAE and the assurance metrics separately and relate them to each other in a modular way. With a formal definition of the SAE metamodel, the constructed knowledge content can be reused, shared, and exchanged over time. Moreover, the proposed metamodel is structured in a hierarchical fashion, which we believe makes the ontology sufficiently generic and highly customizable to be applied in various application domains. In this paper, we present the proposed SAEOn ontology in detail, covering the aspects of design, implementation, and evaluation.

Keywords: Security assurance; Quantitative approach; Security metrics; Ontology
