An Ontology-based Framework for Modelling Security Requirements

Joaquín Lasheras, Rafael Valencia-García, Jesualdo Tomás Fernández-Breis, Ambrosio Toval



In recent years, security in Information Systems (IS) has become an important issue, and it must be taken into account in all stages of IS development, including the early phase of Requirements Engineering (RE). One of the most helpful RE strategies for improving the productivity and quality of the software process and its products is the reuse of requirements, and this can be facilitated by Semantic Web technologies. In this work, we describe a novel ontology-based framework for representing and reusing security requirements based on risk analysis. A risk analysis ontology and a requirement ontology have been developed and combined to formally represent reusable security requirements and improve security in IS, detecting incompleteness and inconsistency in requirements and enabling semantic processing in requirements analysis. These ontologies have been developed according to a formal method for building and comparing ontologies, and in a standard language, OWL. This framework will be the basis for elaborating a “lightweight” method to elicit security requirements.
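As an added illustration, not code from the paper (whose OWL ontologies are not reproduced here), the following Python sketch shows the kind of semantic processing the abstract refers to. A small constructed vocabulary stands in for the combined risk-analysis and requirement ontologies; a transitive subClassOf closure plays the role of the reasoner, and three checks flag a threat with no mitigating requirement (incompleteness), two requirements that require and forbid the same control on one asset (inconsistency), and a link to an individual the model never declares. Every class, property and individual name below is an assumption made for the illustration.

```python
"""Checking security requirements against a risk-analysis model held as
(subject, predicate, object) triples. Constructed illustration; the class and
property names are assumptions, not the paper's OWL ontologies."""
from collections import defaultdict

# Constructed schema: the risk-analysis side (Asset, Threat) and the
# requirement side (SecurityRequirement) of the combined model.
SCHEMA = [
    ("InjectionAttack", "subClassOf", "Threat"),
    ("DataDisclosure", "subClassOf", "Threat"),
    ("DatabaseServer", "subClassOf", "Asset"),
    ("WebApplication", "subClassOf", "Asset"),
    ("ConfidentialityReq", "subClassOf", "SecurityRequirement"),
    ("IntegrityReq", "subClassOf", "SecurityRequirement"),
]

# Constructed instance data: two assets, two threats, four requirements.
FACTS = [
    ("CustomerDB", "type", "DatabaseServer"),
    ("Portal", "type", "WebApplication"),
    ("T1", "type", "InjectionAttack"), ("T1", "threatens", "Portal"),
    ("T2", "type", "DataDisclosure"), ("T2", "threatens", "CustomerDB"),
    ("R1", "type", "IntegrityReq"), ("R1", "mitigates", "T1"),
    ("R1", "constrains", "Portal"),
    ("R2", "type", "ConfidentialityReq"), ("R2", "constrains", "CustomerDB"),
    ("R2", "requiresControl", "EncryptionAtRest"),
    ("R3", "type", "ConfidentialityReq"), ("R3", "constrains", "CustomerDB"),
    ("R3", "forbidsControl", "EncryptionAtRest"),   # contradicts R2
    ("R4", "type", "IntegrityReq"), ("R4", "mitigates", "T9"),  # T9 is never declared
]


def index_by_predicate(triples):
    """Group triples by predicate so each check is a plain lookup."""
    idx = defaultdict(list)
    for s, p, o in triples:
        idx[p].append((s, o))
    return idx


def superclasses(cls, idx):
    """Transitive closure of subClassOf: the inference step a reasoner performs."""
    result, frontier = set(), [cls]
    while frontier:
        c = frontier.pop()
        for sub, sup in idx["subClassOf"]:
            if sub == c and sup not in result:
                result.add(sup)
                frontier.append(sup)
    return result


def instances_of(cls, triples):
    """Individuals typed as cls or as any subclass of it, sorted for determinism."""
    idx = index_by_predicate(triples)
    return sorted(s for s, t in idx["type"] if t == cls or cls in superclasses(t, idx))


def find_unmitigated_threats(triples):
    """Incompleteness: a threat in the risk model that no requirement mitigates."""
    idx = index_by_predicate(triples)
    mitigated = {threat for _, threat in idx["mitigates"]}
    return [t for t in instances_of("Threat", triples) if t not in mitigated]


def find_conflicts(triples):
    """Inconsistency: requirements on the same asset that require and forbid one control."""
    idx = index_by_predicate(triples)
    assets_of, requires = defaultdict(set), defaultdict(set)
    for req, asset in idx["constrains"]:
        assets_of[req].add(asset)
    for req, ctrl in idx["requiresControl"]:
        requires[req].add(ctrl)
    conflicts = []
    for r_forbid, ctrl in idx["forbidsControl"]:
        for r_req, ctrls in requires.items():
            if ctrl in ctrls:
                for asset in sorted(assets_of[r_req] & assets_of[r_forbid]):
                    conflicts.append((r_req, r_forbid, asset, ctrl))
    return conflicts


def find_dangling_references(triples):
    """Inconsistency: a relation that points at an individual the model never declares."""
    idx = index_by_predicate(triples)
    known = {s for s, _ in idx["type"]}
    dangling = set()
    for pred in ("mitigates", "threatens", "constrains"):
        for s, o in idx[pred]:
            dangling.update(x for x in (s, o) if x not in known)
    return sorted(dangling)


def analyse(triples):
    """Run all three checks over the combined model and report the findings."""
    return {
        "unmitigated_threats": find_unmitigated_threats(triples),
        "conflicts": find_conflicts(triples),
        "dangling_references": find_dangling_references(triples),
    }


if __name__ == "__main__":
    for finding, items in analyse(SCHEMA + FACTS).items():
        print(finding, items)
```

Run as a script it reports T2 as unmitigated, R2/R3 as conflicting on CustomerDB over EncryptionAtRest, and T9 as an undeclared individual. The point of the subclass closure is that T1 and T2 are recognised as threats although they are typed only with the more specific classes, which is exactly what a shared ontology buys over a flat requirements list: the same checks keep working when a reused requirement is written against a subclass introduced later.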



Paper Citation

in Harvard Style

Lasheras J., Valencia-García R., Tomás Fernández-Breis J. and Toval A. (2008). An Ontology-based Framework for Modelling Security Requirements. In Proceedings of the 6th International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2008) ISBN 978-989-8111-44-9, pages 78-88. DOI: 10.5220/0001743400780088
