Ontology-based security modeling in ArchiMate

Software & Systems Modeling - Trang 1-28 - 2024
Ítalo Oliveira1,2, Tiago Prince Sales2, João Paulo A. Almeida3, Riccardo Baratella4, Mattia Fumagalli1, Giancarlo Guizzardi2
1Conceptual and Cognitive Modeling Research Group (CORE), Free University of Bozen-Bolzano, Bolzano, Italy
2Semantics, Cybersecurity and Services Group, University of Twente, Enschede, The Netherlands
3Ontology and Conceptual Modeling Research Group (NEMO), Federal University of Espírito Santo, Vitória, Brazil
4Dipartimento di Antichità, Filosofia, Storia (DAFIST), University of Genoa, Genoa, Italy

Tóm tắt

Enterprise Risk Management involves the process of identification, evaluation, treatment, and communication regarding risks throughout the enterprise. To support the tasks associated with this process, several frameworks and modeling languages have been proposed, such as the Risk and Security Overlay (RSO) of ArchiMate. An ontological investigation of this artifact would reveal its adequacy, capabilities, and limitations w.r.t. the domain of risk and security. Based on that, a language redesign can be proposed as a refinement. Such analysis and redesign have been executed for the risk elements of the RSO grounded in the Common Ontology of Value and Risk. The next step along this line of research is to address the following research problems: What would be the outcome of an ontological analysis of security-related elements of the RSO? That is, can we identify other semantic deficiencies in the RSO through an ontological analysis? Once such an analysis is provided, can we redesign the security elements of the RSO accordingly, in order to produce an improved artifact? Here, with the aid of the Reference Ontology for Security Engineering (ROSE) and the ontological theory of prevention behind it, we address the remaining gap by proceeding with an ontological analysis of the security-related constructs of the RSO. The outcome of this assessment is an ontology-based redesign of the ArchiMate language regarding security modeling. In a nutshell, we report the following contributions: (1) an ontological analysis of the RSO that identifies six limitations concerning security modeling; (2) because of the key role of the notion of prevention in security modeling, the introduction of the ontological theory of prevention in ArchiMate; (3) a well-founded redesign of security elements of ArchiMate; and (4) ontology-based security modeling patterns that are logical consequences of our proposal of redesign due to its underlying ontology of security. As a form of evaluation, we show that our proposal can describe risk treatment options, according to ISO 31000. Finally, besides presenting multiple examples, we proceed with a real-world illustrative application taken from the cybersecurity domain.

Tài liệu tham khảo

Lankhorst, M.: Enterprise Architecture at Work: Modelling. Springer, Communication and Analysis (2017) ISO.: ISO 31000:2018 - Risk management – Guidelines The Open Group. Integrating Risk and Security within a TOGAF ®Enterprise Architecture. The Open Group Guide white paper. (2019) Band, I., Engelsman, W., Feltus, C., Paredes, S.G., Hietala, J., Jonkers, H., et al.: How to Model Enterprise Risk Management and Security with the ArchiMate Language. The Open Group; (2019). W172 The Open Group.: ArchiMate ® 3.1 Specification. Available from: https://pubs.opengroup.org/architecture/archimate3-doc/ Sales, T.P., Almeida, J.P.A., Santini, S., Baião, F., Guizzardi, G.: Ontological analysis and redesign of risk modeling in ArchiMate. In: 2018 IEEE 22nd International Enterprise Distributed Object Computing Conference (EDOC); (2018). pp. 154–163 Guizzardi, G.: Ontological Foundations for Structural Conceptual Models. Telematica Instituut / CTIT, Enschede, The Netherlands (2005) Sales, T.P., Baião, F., Guizzardi, G., Almeida, J.P.A., Guarino, N., Mylopoulos, J.: The Common Ontology of Value and Risk. In: Modeling, C. (ed.) ER 2018, vol. 11157, pp. 121–135. Springer, Cham (2018) Rosemann, M., Green, P., Indulska, M.: A Reference Methodology for Conducting Ontological Analyses. In: Modeling, C. (ed.) ER 2004, vol. 3288, pp. 110–121. Springer, Berlin, Heidelberg (2004) Oliveira, Í., Sales, T.P., Almeida, J.P.A., Baratella, R., Fumagalli, M., Guizzardi, G.: Ontological Analysis and Redesign of Security Modeling in ArchiMate. In: The Practice of Enterprise Modeling. PoEM 2022. vol. 456. Cham: Springer, p. 82–98 (2022) Oliveira, Í., Sales, T.P., Baratella, R., Fumagalli, M., Guizzardi, G.: An Ontology of Security from a Risk Treatment Perspective. In: Modeling, C. (ed.) ER 2022, vol. 13607, pp. 365–379. Springer, Cham (2022) Dresch, A., Lacerda, D.P., Antunes, J.A.V.: In: Design Science Research. Cham: Springer International Publishing. pp. 67–102. (2015) Available from: https://doi.org/10.1007/978-3-319-07374-3_4 Azevedo, C.L., Iacob, M.E., Almeida, J.P.A., van Sinderen, M., Pires, L.F., Guizzardi, G.: Modeling resources and capabilities in enterprise architecture: a well-founded ontology-based proposal for ArchiMate. Inf. Syst. 54, 235–262 (2015) Baratella, R., Fumagalli, M., Oliveira, Í., Guizzardi, G.: Understanding and modeling prevention. In: International Conference on Research Challenges in Information Science. Springer. pp. 389–405 (2022) Blomqvist, E., Sandkuhl, K.: Patterns in ontology engineering: classification of ontology patterns. In: International Conference on Enterprise Information Systems. vol. 4. SCITEPRESS. pp. 413–416 (2005) Guizzardi, G., Botti Benevides, A., Fonseca, C.M., Porello, D., Almeida, J.P.A.: Prince Sales T, pp. 1–44. Unified foundational ontology. Applied ontology, UFO (2022) Guizzardi, G., de Almeida Falbo, R., Guizzardi, R.: Grounding software domain ontologies in the unified foundational ontology (UFO): The case of the ODE Software Process Ontology. In: Ibero-American Conference on Software Engineering. CIbSE. pp. 127–140 (2008) Mumford, S.: Dispositions. Clarendon Press; (2003) Sales, T.P., Roelens, B., Poels, G., Guizzardi, G., Guarino, N., Mylopoulos, J.: A Pattern Language for Value Modeling in ArchiMate. In: Engineering, A.I.S. (ed.) CAiSE 2019, vol. 11483, pp. 230–245. Springer, Cham (2019) Reason, J.: The contribution of latent human failures to the breakdown of complex systems. Philos. Trans. R. Soc. Lond. B Biol. Sci. 327(1241), 475–484 (1990) Gangemi, A., Presutti, V.: Ontology design patterns. In: Handbook on ontologies. Springer. pp. 221–243 (2009) Fernandes, A.D., Ramalho, D., Mira da Silva M.: Enterprise risk management and information systems: a systematic literature review. In: International Conference on Information Resources Management (CON-FIRM). Association for Information Systems. (2022) Ellerm, A., Morales-Trujillo, M.E.: Modelling security aspects with archimate: a systematic mapping study. In: 2020 46th Euromicro Conference on Software Engineering and Advanced Applications (SEAA). IEEE. pp. 577–584 (2020) Grov, G., Mancini, F., Mestl, E.M.S.: Challenges for risk and security modelling in enterprise architecture. In: The Practice of Enterprise Modeling: 12th IFIP Working Conference, PoEM 2019, Luxembourg, Luxembourg, November 27–29, 2019, Proceedings 12. Springer. pp. 215–225 (2019) Jonkers, H., Quartel, D.A.C.: Enterprise Architecture-Based Risk and Security Modelling and Analysis. In: Kordy, B., Ekstedt, M., Kim, D.S. (eds.) Graphical Models for Security, vol. 9987, pp. 94–101. Springer, Cham (2016) Mayer N, Feltus C. Evaluation of the risk and security overlay of archimate to model information system security risks. In: IEEE 21st International Enterprise Distributed Object Computing Workshop (EDOCW). IEEE 2017, 106–116 (2017) Grandry, E., Feltus, C., Dubois, E., Conceptual integration of enterprise architecture management and security risk management. In: 17th IEEE International Enterprise Distributed Object Computing Conference Workshops. IEEE. pp. 114–123 (2013) van den Bosch, S.F.: Designing secure enterprise architectures. a comprehensive approach: framework, method, and modelling language [Master’s Thesis]. University of Twente. Enschede, The Netherlands. (2014) Almeida, R., Teixeira, J.M., Mira da Silva, M., Faroleiro, P.: A conceptual model for enterprise risk management. J. Enterp. Inform. Manag. 32(5), 843–868 (2019) Bradley, S.: Modelling SABSA® with ArchiMate®. The SABSA Institute. T100 (2021) Hoogenboom, C.: An Enterprise Architecture Approach to Implementing the NIST Cyber Security Framework [Master’s Thesis]. Leiden University. Leiden, The Netherlands (2019) Tovstukha, I.: Management of Security Risks in the Enterprise Architecture using ArchiMate and Mal-activities [Master’s Thesis]. University of Tartu. (2017) Artem, Z.: Comparison of STS and ArchiMate Risk and Security Overlay [Master’s Thesis]. University of Tartu. (2018)
Thông tin
Thông tin xuất bản

Software & Systems Modeling

1-28

Thông tin tác giả