Professional Documents
Culture Documents
Abstract—The growing demand for cyber security profes- All the training operations carried out in a CSE revolve
sionals with practical knowledge is boosting the development around the concept of scenario. Scenarios describe the
and conduct of cyber security exercises around the world. situation that the exercise is trying to simulate and the
Scenarios stand a central position of the exercise, which sets logical flow of events that will be happening [18]. A
the stage for later action by providing contextual informa- scenario could include the digital infrastructure where
tion that the participants will need during the exercise. To all the activities are staged in as well as all the game-
manage the increasing numbers of scenario creation in the like aspects such as targets, vulnerabilities, and rules of
different contexts, we propose an ontology to model scenarios engagement [16], [26]. Due to the large creation of CSE
for cyber security exercises. This ontology identifies aspects nowadays and the increasing complexity of scenarios,
of scenario modeling relevant to cyber security that can be how to efficiently deal with scenario information, such as
used as a means to achieve a defined taxonomy of knowledge information sharing and scenario inference, is a non-trivial
items and a standard vocabulary for cyber scenarios. With problem. Additionally, because cyber scenarios fundamen-
the semantic framework based on RDF/OWL, this ontology tally involve various contexts, containing distributed IT
provides a common structure at a semantic level that allows systems, complex operational tasks and security concepts
scenarios to be shared and reused across applications and (e.g., vulnerabilities), knowledge management of all these
community boundaries. In this paper, we present the design, aspects is necessary to the retrieval and reuse of scenarios.
implementation, and evaluation of the proposed ontology. As interoperability and computability of scenario informa-
tion in CSE promise a great deal in the global effort for
Index Terms—cyber security exercise, scenario modeling, better quality and more efficient cyber security training,
ontology yet remain largely unachieved.
To address the aforementioned issues, we use on-
1. Introduction tologies as a means to achieve a defined taxonomy of
knowledge items and a standard (conceptual) vocabulary
Cyber Security Exercise (CSE) is increasingly seen for defining cyber scenarios to achieve knowledge stan-
as an important part of cybersecurity training in both dardization and sharing. The ontology provides a com-
the private and public sector [26]. CSE has been iden- mon structure at a semantic level that allows data to be
tified as an effective technique to stimulate cyber se- shared and reused across applications, enterprises, and
curity awareness [16], which provides opportunities and community boundaries [23]. Semantic Web technologies
an ultimate learning experience [3] for the students or provide rich constructs to represent information that is not
cyber professionals to improve their skills in protecting only machine-readable but also machine-understandable,
and defending information systems in the context of a thus facilitating semantic integration and sharing of in-
realistic, true-to-life situation [6]. It helps uncover gaps in formation from heterogeneous sources. The main bene-
organizational security policies, procedures, and resources fit of the ontology-based model is the availability of a
[12], [21], from which employees of an organization can formal, encoded description of the security knowledge:
be provided necessary training and/or tools and policies that is, all the entities, their attributes, and their inter-
can be rectified too [34]. The growing demand for cyber relationships will be defined and represented, described in
security professionals with practical knowledge [38] is detail within [23], [30]. To the best of our knowledge, the
boosting the development and conduct of different types of cyber-scenario ontology presented in this paper is the first
CSE around the world. These include technical exercises, ontology work based on the CSE context, which unifies
such as Locked Shields, which is conducted under the cyber security knowledge with general cyber scenarios
aegis of the NATO Cooperative Cyber Defence Centre about entities and relations. By adopting the ontology,
of Excellence (CCDCOE) in Tallinn. In such exercises, CSE teams can manage scenarios efficiently, share and
participants use digital tools to mitigate and counter cyber reuse knowledge and employ the reasoning capability of
incidents. There are also non-technical exercises such the semantic web to draw inferences among different
as the annual Cyber 9/12 Challenge, an annual desk- scenarios. In addition, users can extend the core level
based activity, in which students from across the globe scenario ontology to satisfy the specific requirements of
compete in developing policy solutions tackling a fictional different specific domains in cyber security. The remainder
cyber catastrophe. There are also small-scale exercises of this paper is organized as follows. In Section 2, we
conducted inside corporate or government contexts [12]. introduce the scientific background of the research. The
250
responses that help participants achieve exercise objectives semantics of an entity as a set of things or concepts rather
[43]. Simply put, the CSE scenario is a story that sets than strings of words. Ontologies are now central to many
out the fictive conditions and events of the exercise. It is applications such as scientific knowledge portals, infor-
typically based on a cyber security problem and its back- mation management, and integration systems, electronic
ground. Cyber scenario integration into exercises focuses commerce, and web services. The main areas, in which
on the inclusion of the cyberspace domain as an integral ontological modeling is applied, include communication
element of the operational environment, not as a separate and knowledge sharing, logic inference and reasoning, and
event or scenario. A narrative scenario is documented and knowledge base. By analyzing and extending several types
typically distributed to participants via handouts or an of research [29], [41], we can identify and summarize
oral presentation before the exercise or at the beginning the reasons for and benefits of developing and using
of the exercise event. Scenario documentation usually ontologies in knowledge modeling.
includes a brief scenario background, summaries, orders,
and a storyline designed to provide participants a sense • Ontologies share a common understanding of
of the world/local situation, ensuring the representative structured information among people or software
operational context supports training objectives [37]. The agents.
scenario itself portrays the events that will occur during • Ontologies make domain knowledge reusable.
the conduct of the event. These events will also become a • Ontologies enable the interoperability among
part of the Master Scenario Events List (MSEL) (typically models or specific domain vocabularies.
used in operations-based exercises), which serves as the • Ontologies allow and simplify the communication
script for the execution of the exercise; it includes the among humans, computational systems, and be-
ordering of injects, time of execution, and the expected tween humans and systems.
reactions from the training audience [18]. • Ontologies have the expressive power for ac-
In summary, the scenario has two important functions: quiring context from diverse and heterogeneous
sources.
• It sets the mood for the exercise, captures the
participant’s attention, and motivates them to con-
tinue. 3. An Ontology-Based Scenario Model for
• It also sets the stage for later action by providing Cyber Security Exercise
information that the participants will need during
the exercise. In this section, we present the modeling of the scenario
ontology for the cyber security exercises. We aim to
2.3. Ontologies structure cyber scenario elements and the corresponding
security knowledge. To develop this ontology, we first
One of the most accepted definitions of ontologies reviewed the literature in the domains of cyber security ex-
in the field of computer science is the one given by ercises and cyber security knowledge modeling to identify
Gruber [20], who defines an ontology as “an explicit an inventory of the elements and relationships of a cyber
formal specification of a conceptualization”. This can be scenario model. Subsequently we sliced the ontology into
further elaborated that an ontology is a formal description three submodels: Scenario Information Model, Scenario
of the relevant concepts and relationships in an area of Operation Model, and Security Knowledge Model. Figure
interest, simplifying and abstracting the view of the world 1 illustrates the interrelation between the three models
for some purpose [42]. An ontology is a technology that at the semantic level. The scenario information model
provides a way to exchange semantic information between describes basic information about the exercise scenario,
people and systems. It provides a common vocabulary and which implies security knowledge in the security knowl-
depicts all the concepts and inter-concept relations in a edge model. The scenario operation model describes the
formal logic representation. An ontology is a graph whose concepts of injects, representative systems, and teams that
nodes represent the concepts or objects of a domain, are critical for the operationalization of the scenario as
and the edges indicate relationships between concepts. well as of the implied security knowledge. Sections 3.1 –
Usually, this graph is structured around a hierarchical 3.3 below describe the detailed design of the three models
“backbone” similar to the class/subclass relationship in in the ontology.
object-oriented programming. Due to the formalization,
it can be represented and to some degree interpreted by
machines and enables the formal analysis of the domain.
This allows an automated or computer-aided extraction
and aggregation of knowledge from different sources and
possibly in different formats [20].
Ontologies play an important role in achieving inter-
operability across organizations and on the Semantic Web
[15] because they aim to capture domain knowledge and
their role is to create semantics explicitly in a generic
way, providing the basis for agreement within a domain
Semantic Web technologies provide representation lan-
guages, such as Resource Description Framework (RDF) Figure 1. A semantic view of the ontology design
and Web Ontology Language (OWL), to represent the
251
3.1. Scenario Information Model • Actor: An actor in a scenario is a participant en-
gaging in an action or process directly or indirectly
Most stakeholders of the exercise, from exercise di- (e.g., attackers, hackers, threat actors, security per-
rectors, controllers, and simulators, to the players are sonnel, users, etc.)
involved in one way or another with the scenario itself. • Social environment: A social environment refers
The scenario repositories, therefore, are always focused to the social and cultural setting in which actors
on storing the information perspective first. The informa- live or in which something happens or develops in
tion model describes the context and main attributes of a scenario. Examples of social environments are
scenarios (see Figure 2). The key concepts in the scenario organizations, teams, social events, etc.
information model are described in the following. A Cyber Harm is the damaging consequence demonstrated
in the cyber scenario. It corresponds to the consequences
of an attack or a threat. Unlike the abstract descriptions of
security knowledge in the Security Knowledge Model, the
cyber harm is contextualized, that is, described concretely
to the context of the scenario. By modeling this concept
specifically in the ontology, users can easily search for
the failure points in the real world and draw on relevant
security knowledge.
252
while in discussion-based exercises, a formal MSEL is not • Network: The term network in this model refers
necessary. An Inject is also known as an implementer or to a group of elements used to represent the net-
injector, that will be demonstrated to participants during work information of cyber-system components in
an exercise. In practice, an inject is usually associated a network topology. The sub-classes include IP
with an attack event or a threat that exploits vulnerabilities address, router, subnet, and port
presented in the scenario context. Injects are designed • Installed Software: Software can be installed in
to elicit a specific response from participants, such as equipment or nodes and is classified into two sub-
triggering action and a responsible decision that is in line classes: application software and system software.
with security countermeasures or organizational incident • Service: It refers to a software functionality or a set
response plan. There are two types of injects: Message of software functionalities (such as the retrieval of
Inject and Technical Inject. specified information or the execution of a set of
• Message Inject: A message inject is a pre-scripted operations). Examples are email services, printing
message that can be delivered in different means, services, etc.
for example, email, letters, radio, and telephone • Credential: Credentials refer to the verification of
calls. Each message inject contains information identity or tools for authentication. They may be
designed to supplement the scenario, prompt ad- part of a (digital) certificate or other authentica-
ditional actions, or trigger discussions toward pre- tion processes that help confirm a user’s identity
defined questions. They expand on the outline of concerning a network address or other systems.
the scenario storyline or the key events portrayed • Content: Content is any content that exists in
in the MSEL. The attributes of an inject include the form of digital data. Forms of digital content
description, target, inject time, delivery means, include information that is digitally transmitted or
message content, expected action, and measures of contained in computer files (e.g., images, videos,
performance. An Expected Action represents the webpages, data, etc.). Cryptocurrencies are also a
management/administration’s desired responses or type of digital content.
actions to the questions or messages proposed • Configuration: A configuration refers to how com-
during the delivery of injects. The Measure of ponents of representative systems are arranged,
Performance describes the criteria for assessing and how their options are set. System configura-
participants’ response to the message inject. It is tions are usually deployed with configured scripts.
important to be aware that, in discussion-based A Module represents a specific training topic in the overall
exercises, especially in the detailed-type scenario, scenario. Events and injects are typically included within
message injects are directly linked with the sce- modules, i.e.,
nario itself, while in operation-based exercises,
injects are commonly contained in MSEL. Scenarios > M odules > Events/Injects
• Technical Inject: A technical inject is a goal-
The scenario section is usually divided up into distinct,
oriented action in the operation-based exercise,
sequenced modules, which are always based on exercise
which is used to emulate attacker behavior or
objectives and scenario requirements. More advanced ex-
network traffic according to the context of the
ercises can contain this level of depth while designing the
scenario. In association with message injects, tech-
scenario. Examples of modules are phishing emails, data
nical injects are often carried out with various de-
recovery, social media takeover, etc.
grees of automation with less (or without) human
A Team is a placeholder for the roles of exercise
involvement, such as attack vectors, vulnerability
participants. The concept of Team is usually applied in the
injectors, or real-use traffic simulators (gray traf-
operation-based exercises, in which different colors are as-
fic), and can be delivered to the representative sys-
signed to participants to identify their roles. For example,
tem by employing scripts or system configuration
the red team represents the ‘attackers’ (or ‘offenders’),
deployment. A typical technical inject involves
while the blue team acts as the defender.
the following attributes: description, inject time,
A Discussion Question is designed to address spe-
script, and configuration.
cific problems or issues that link back to the scenario
A Representative System is defined as a group of objectives. Dependent on the scenario format, discussion
information systems that can represent (or simulate) the questions can be incorporated into scenario itself or an
affected cyber objects in the scenario. When practicing inject. Responses to the discussion questions are the focus
scenarios, it is preferable to work with representations of of the scenario/inject, and reviewing them provides the
cyber systems (also known as a testbed or infrastructure basis for performance evaluation.
orchestrators), since it is neither safe nor legitimate to
execute a scenario on an operational cyber system. The 3.3. Security Knowledge Model
class of representation system contains the following sub-
classes: To train the trainees in learning attack techniques and
• Equipment: An equipment is a set of physical knowledge of various types of vulnerabilities, and train
resources serving to equip the scenario operation, on the identification of damage situation and response
e.g., personal computers, mobile devices, servers, actions, it is necessary to associate the scenario with se-
etc. curity domain knowledge. The security knowledge model
• Node: A node is used to define a virtual machine describes the security-concept modeling and relationships
(VM) in the virtual environment. with other entities in the ontology (see Figure 4). The
253
security knowledge model is developed to serve as a core regard, we mainly apply the taxonomy scheme provided
knowledge base for security-knowledge management and by the Software Engineering Institution (SEI) [6], which
better knowledge reuse. We have surveyed and reviewed categorizes cyber security risks as those due to the fail-
existing cybersecurity standards and ontologies to incorpo- ures from four perspectives: (1) actions of people, (2)
rate the most commonly used taxonomies in the ontology internal processes, (3) external events and (4) systems
and to provide a common understanding of the cyber- and technologies. We keep the detailed classification (i.e.,
security domain. The modeled security concepts and the the subclasses) of the first three perspectives, which con-
corresponding taxonomy are described in the following. tain human and organizational factors. However, for the
system and technologies perspective, Common Weakness
Enumeration (CWE) [28] provides a more comprehensive
classification of weaknesses in hardware and software that
can either be a faulty configuration in the hardware or
vulnerabilities present in the software. We then model
the CWE security weakness taxonomy under the class of
System and Technologies.
A Countermeasure is an action, device, procedure, or
technique that reduces a threat, a vulnerability, or an attack
by preventing or mitigating it, by minimizing the harm
it can cause, or by discovering and reporting it so that
corrective action can be taken. To properly classify cyber
security countermeasures, we adopt NIST Cyber Security
Framework [36]. It provides a common organizing struc-
ture for multiple approaches to cybersecurity by assem-
Figure 4. Security knowledge model bling standards, guidelines, and practices that are working
effectively today. The taxonomy is structured with five
An Attack Pattern is a description of the common high-level functions: identify, protect, detect,respond, and
attributes and approaches employed by adversaries to recover.
exploit known weaknesses in cyber-enabled capabilities A Consequence is a result or effect, typically one
[5]. While attack trees [33] provide a holistic view of that is unwelcome or unpleasant. In the context of cyber
the potential attacks facing a particular piece of software, security, the consequence is the harm caused to an ex-
attack patterns provide actionable detail on specific types ploited organization by a cyber-attack. Agrafiotis et al. [1]
of common attacks potentially affecting entire classes of present a taxonomy of organizational cyber-harm which
information systems. To model attack patterns, we utilize should help researchers and practitioners to consider the
Common Attack Pattern Enumeration and Classification full range of harms that might result from cyber-attacks.
(CAPEC) [8], which organizes attack patterns hierarchi- The main cyber-harm they include are (1) physical or
cally based on mechanisms that are frequently employed digital harm, (2) economic harm, (3) psychological harm,
when exploiting a vulnerability. According to the analysis (4) reputational harm, and (5) social and societal harm.
of cyber security attack taxonomy [11], CAPEC was Figure 5 shows the complete ontology model including
identified as outperforming all the other taxonomies. the interrelationships of the models.
A Threat is a potential negative action/event/condition/
circumstance facilitated by a vulnerability that results in 4. Implementation of the Ontology
an unwanted impact on a computer system or application.
Many threat taxonomies already exist in the literature, To implement the designed ontology, we used Protégé
defined by different security organisms. In our ontology, [39], a free, open-source platform that provides a suite of
we adopt the European Union Agency for Cybersecurity tools to construct domain models and knowledge-based
(ENISA) Threat Taxonomy [13], which summarizes cyber applications with ontologies. A part of the class structure
threats that have been accessed by collecting publicly is depicted in Figure 6. Some of the subclasses are omit-
available information. The most important aspect of the ted in this figure to simplify the presentation. We have
threat taxonomy is that it is open to the addition of implemented the full scope of the security taxonomies
new threats to the hierarchical tree without modifying in Protégé described in Section 3.3 (see Figure 6 (c)).
its inherent structure. The layout conceived by ENISA is The relationships between the classes are maintained with
presented as a table with three levels of classification. object properties. Some of these object properties are
A Weakness is a type of mistake that, in proper shown in Figure 7.
conditions, could contribute to the introduction of vul- Figure 8 demonstrates the individual creation
nerabilities within that product [9], regardless of whether in Protégé with modeling object properties
it occurs in implementation, design, or other phases of and data properties of a scenario, named
a product lifecycle. Instead of modeling Vulnerability, ‘S004: Ransomware infection’. This scenario
we take Weakness in the ontology to categorize similar was constructed in a detailed scenario format with five
types of vulnerabilities that aim to efficiently facilitate message injects. This scenario describes a phishing attack
the identification, mitigation, and prevention effort. Se- that employs ransomware via email, encountered in an
curity weaknesses, from a broad view, cover social (e.g., institutional financial department. Figure 9 depicts one of
organizations and processes), human (e.g., behavior), and the injects ‘S004-Inject1’ in the scenario ‘S004’.
technical aspects (e.g., systems and technologies). In this This inject was maintained with critical data properties
254
Figure 5. The proposed scenario ontology for cyber security exercises
255
Figure 8. Defining individuals in Protégé: A scenario
Figure 10. Snippet of OWL RDF/XML showing an individual in the scenario class
256
competency questions (CQs). This method of evaluation
is considered a very effective evaluation technique to test
the adaptability and consistency of an ontology [32]. If
the SPARQL queries can extract individuals as a response,
it signifies that the CQs have succeeded in covering the
defined objectives of the ontology. Therefore, three exem-
plary CQs were developed considering the interoperability
among different models.
CQ 1. What is the context of a given scenario ‘S004’?
CQ 2. List the inject information (including title, mod-
ule, message content, and discussion questions) related to
scenario ‘S004’.
CQ 3. What are the implied attack patterns in the sce-
nario ‘S004’ and what are the corresponding weakness?
The corresponding SPARQL statement for each eval- Figure 13. The SPARQL statement and the execution result of CQ 3
uated CQ and the execution result in the Protégé editor
are depicted in Figure 11 - 13.
257
References [23] Hendler, J., O. Lassila, and T. Berners-Lee. 2001. ”The semantic
web”. Scientific American, volume 284, issue 5, pages 34-43.
[1] Agrafiotis, I., et al. 2018. ”A taxonomy of cyber-harms: Defining [24] Hoffman, L.J., et al. 2005. ”Exploring a national cybersecurity
the impacts of cyber-attacks and understanding how they propa- exercise for universities”. IEEE Security Privacy, volume 3, issue
gate”. Journal of Cybersecurity, volume 4, issue 1, pages tyy006. 5, pages 27-33.
[2] Alcamo, J. and T. Ribeiro. 2001. ”Scenarios as tools for interna- [25] ISO. 2013. ”ISO 22398:2013 Societal security — Guidelines for
tional environmental assessment”. volume 5. European Environ- exercises”. pages.
ment Agency. [26] Karjalainen, M., T. Kokkonen, and S. Puuska. 2019. ”Pedagogical
[3] Augustine, T. and R.C. Dodge. 2006. ”Cyber defense exercise: aspects of cyber security exercises”. in 2019 IEEE European Sym-
meeting learning objectives thru competition”. posium on Security and Privacy Workshops (EuroSPW). IEEE.
[4] Avery, A. 2020. ”Cybersecurity Scenario Modeling: Imagining the [27] Kim, Y.G. and S. Cha. 2012. ”Threat scenario-based security risk
Black Swans for Digital Infrastructures Risk Management”. analysis using use case modeling in information systems”. Security
and Communication Networks, volume 5, issue 3, pages 293-300.
[5] CAPEC, ”CAPEC Glossary-Attack Pattern”; Available
from: https://capec.mitre.org/about/glossary.htmlAttackPattern. [28] MITRE, ”Common Weakness Enumeration (CWE) ”; Available
(Accessed on Feb 3, 2021) from: https://cwe.mitre.org/index.html. (Accessed on Feb. 02,
2021)
[6] Cebula, J.L. and L.R. Young. 2010. ”A taxonomy of operational
cyber security risks”, Carnegie-Mellon Univ Pittsburgh Pa Software [29] Noy, N.F. and D.L. McGuinness. 2001. ”Ontology development
Engineering Inst. pages. 101: A guide to creating your first ontology”.
[7] Center for Internet Security, ”Tabletop Exercises: Six Scenar- [30] Obrst, L., P. Chase, and R. Markeloff. 2012. ”Developing an
ios to Help Prepare Your Cybersecurity Team ”; Available Ontology of the Cyber Security Domain”. in STIDS. Citeseer.
from: https://www.cisecurity.org/wp-content/uploads/2018/10/Six- [31] Planning, Mass Evacuation. 2008. ”Directors’s Guideline for Civil
tabletop-exercises-FINAL.pdf. (Accessed on Feb. 02, 2021) Defence Emergency Management Groups, Wyd”. Ministry of Civil
[8] Common Attack Pattern Enumeration and Classification (CAPEC), Defence Emergency Management, Wellington.
”CAPEC VIEW: Mechanisms of Attack”; Available from: [32] Raad, J. and C. Cruz. 2015. ”A survey on ontology evalua-
https://capec.mitre.org/data/definitions/1000.html. (Accessed on tion methods”. in Proceedings of the International Conference
Feb 2, 2021) on Knowledge Engineering and Ontology Development, part of
[9] CWE, ”CWE Glossary-Weakness”; Available from: the 7th International Joint Conference on Knowledge Discovery,
https://cwe.mitre.org/documents/glossary/index.htmlWeakness. Knowledge Engineering and Knowledge Management.
(Accessed on June 3, 2019) [33] Saini, V., Q. Duan, and V. Paruchuri. 2008. ”Threat modeling using
[10] Department of Homeland Security. 2006. ”Cyber Storm Exercise attack trees”. Journal of Computing Sciences in Colleges, volume
Report”. 23, issue 4, pages 124-131.
[11] Derbyshire, R., et al. 2018. ”An analysis of cyber security attack [34] Samejima, M. and H. Yajima. 2012. ”IT risk management frame-
taxonomies”. in 2018 IEEE European Symposium on Security and work for business continuity by change analysis of information
Privacy Workshops (EuroSPW). IEEE. system”. in 2012 IEEE International Conference on Systems, Man,
and Cybernetics (SMC). IEEE.
[12] Dewar, R.S. 2018. ”Cybersecurity and cyberdefense exercises”,
ETH Zurich. [35] Scarfone, K.A., T. Grance, and K. Masone. 2008. ”Sp 800-61 rev.
1. computer security incident handling guide”, National Institute
[13] ENISA, ”Threat Taxonomy”; Available from: of Standards Technology.
https://www.enisa.europa.eu/topics/threat-risk-
management/threats-and-trends/enisa-threat-landscape/threat- [36] Sedgewick, A. 2014. ”Framework for improving critical infrastruc-
taxonomy/view. (Accessed on Feb. 2, 2021) ture cybersecurity, version 1.0”.
[14] European Cyber Security Organisation (ECSO), ”Understanding [37] Staff, U.J. 2012. ”Joint Training Manual for the Armed Forces of
Cyber Ranges: From Hype to Reality”; Available from: the United States (CJCSM 3500.03 D)”. Washington, DC: Joint
https://www.ecs-org.eu/documents/uploads/understanding-cyber- Chiefs of Staff, volume, issue, pages.
ranges-from-hype-to-reality.pdf. (Accessed on Jan. 23, 2021) [38] Topham, L., et al. 2016. ”Cyber security teaching and learning
[15] Fensel, D., et al. 2001. ”Ontologies and electronic commerce”. laboratories: A survey”. Information Security, volume 35, issue 1,
IEEE Intelligent Systems, volume 16, issue 1, pages 8-14. pages 51.
[39] Tudorache, T., et al. 2013. ”WebProtégé: A collaborative ontology
[16] Furtună, A., V.-V. Patriciu, and I. Bica. 2010. ”A structured ap-
editor and knowledge acquisition tool for the web”. Semantic web,
proach for implementing cyber security exercises”. in 2010 8th
volume 4, issue 1, pages 89-99.
International Conference on Communications. IEEE.
[40] U.S. Department of Homeland Security, ”Cyber Tabletop
[17] Garb, Y., S. Pulver, and S.D. VanDeveer. 2008. ”Scenarios in
Exercise for the Healthcare Industry ”; Available from:
society, society in scenarios: toward a social scientific analysis
https://www.hsdl.org/?abstractdid=789781. (Accessed on Jan. 30,
of storyline-driven environmental modeling”. Environmental Re-
2021)
search Letters, volume 3, issue 4, pages 045015.
[41] Uschold, M. and M. Gruninger. 1996. ”Ontologies: Principles,
[18] Grance, T., et al. 2006. ”Guide to test, training, and exercise
methods and applications”. The knowledge engineering review,
programs for IT plans and capabilities”. volume, issue, pages.
volume 11, issue 2, pages 93-136.
[19] Gray, P. and A. Hovav. 1999. ”Using scenarios to understand the
[42] Wand, Y., V.C. Storey, and R. Weber. 1999. ”An ontological
frontiers of IS”. Information Systems Frontiers, volume 1, issue 1,
analysis of the relationship construct in conceptual modeling”.
pages 15-24.
ACM Transactions on Database Systems (TODS), volume 24, issue
[20] Gruber, T.R. 1993. ”A translation approach to portable ontology 4, pages 494-528.
specifications”. Knowledge acquisition, volume 5, issue 2, pages
[43] Yamin, M.M., B. Katt, and V. Gkioulos. 2020. ”Cyber ranges
199-220.
and security testbeds: Scenarios, functions, tools and architecture”.
[21] Gurnani, R., K. Pandey, and S.K. Rai. 2014. ”A scalable model Computers Security, volume 88, pages 101636.
for implementing Cyber Security Exercises”. in 2014 International
Conference on Computing for Sustainable Global Development
(INDIACom). IEEE.
[22] Harris, S., A. Seaborne, and E.J.W.C.r. Prud’hommeaux. 2013.
”SPARQL 1.1 query language”. volume 21, issue 10, pages 778.
258