Ontologies for information security management and governance

PurposeThis paper aims to show the difficulties involved in dealing with the quantity, diversity and the lack of semantics security information. It seeks to propose the use of ontologies to tackle the problem.Design/methodology/approachThe paper describes the general methodology to create security ontologies and illustrates the case with the design and validation of two ontologies: system vulnerabilities and security incidents.FindingsTwo examples of ontologies, one related to systems vulnerability and the other related to security incidents (designed to illustrate this proposal) are described. The portability/reusability propriety is demonstrated, inferring that the information structured at lower levels (by security management tools and people) can be successfully used and understood at higher levels (by security governance tools and people).Research limitations/implicationsWork in the area of managing privacy policies, risk assessment and mitigation management, as well as CRM, business alignment and business intelligence, could be greatly eased by using an ontology to properly define the concepts involved in the area.Practical implicationsOntologies can facilitate the interoperability among different security tools, creating a unique way to represent security data and allow the security data from any security tool (for instance, Snort) to be mapped into an ontology, such as the security incident one described in the paper. An example showing how the two ontologies could be plugged into a high level decision‐making system is described at the end.Originality/valueAlthough several previous papers examined the value of using ontologies to represent security information, this one looks at their properties for a possible integrated use of management and governance tools.