
Available online at www.sciencedirect.com
ScienceDirect
Procedia Computer Science 160 (2019) 85–92
www.elsevier.com/locate/procedia

The 10th International Conference on Emerging Ubiquitous Systems and Pervasive Networks (EUSPN 2019)
November 4-7, 2019, Coimbra, Portugal

Comparative Study of Ontologies Based ISO 27000 Series Security Standards

Ines Meriah a,*, Latifa Ben Arfa Rabai a,b

a Strategies for Modelling and ARtificial inTelligence research Laboratory (SMART Lab), Institut Supérieur de Gestion de Tunis, Université de Tunis, Le Bardo, Tunis, Tunisia
b College of Business, University of Buraimi, Al Buraimi, P.C. 512, Sultanate of Oman

Abstract

Security management standards such as the ISO/IEC 27000 series provide guidelines that enable the security of a company to be evaluated on a continuous basis. Security ontology technology is the most recommended way to make links between security concepts and related standards. This paper presents a review of ontologies based on ISO/IEC 27000 series security standards and provides recommendations for professionals and researchers who need to understand or incorporate the features of one of the ISO/IEC 27000 standards to cover their business security needs. We select and examine in detail six main ontologies focusing on the usage of ISO/IEC 27000 series security standards. For each security ontology, we review and then describe it in terms of aim, security concepts and ISO 27000 features. Based on this analysis, we propose a comparison between these ontologies considering several factors to pick out their benefits and limits, in order to give a set of recommendations to security decision makers helping them to select an ontology regarding their security requirements.

© 2019 The Authors. Published by Elsevier B.V.
This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/)
Peer-review under responsibility of the Conference Program Chairs.

Keywords: ISO/IEC 27000 series, Security ontology, Ontology-based security standards, Security risk management, Security decision makers.

1. Introduction

Security management is a primordial requirement, which should be considered seriously by organizations [1]. It identifies suitable countermeasures to mitigate security risks in order to offer safety for computer resources.

* Corresponding author. Tel.: +216-53-287-995; fax: +0-000-000-0000.
E-mail address: meriahines@hotmail.fr

1877-0509 © 2019 The Authors. Published by Elsevier B.V.
10.1016/j.procs.2019.09.447

According to Straub [2], one of the relevant challenges in information security management is the incomplete information about the security risks in the company as well as the available controls to address them. To fill this gap, international security management standards and guidelines such as the ISO 27000 series standards are widely employed in enterprises [3, 4]. They incorporate several informal rules that help to reduce the rising number of threats, resolve existing security issues and improve the security targets in general [5, 6].
One of the best ways of modeling information in security management is ‘ontology’. It creates a conceptual relationship among security entities like asset, threat, vulnerability and control [6]. We introduce ‘ontology-based security standards’ to understand the ISO 27000 series standards adopted in enterprises and to ensure further security compliance with a given set of requirements for driving security [7, 8]. Such an ontology also enables a representation of security guidelines and best practices in terms of concepts and their relationships, for effective exploitation, reuse and comprehension of security standards in the company.
Many security ontologies based on ISO 27000 series standards already exist in the literature [9, 10]. However, a lack of explicit readability is reported for both researchers and practitioners [11], as these standards include varied security policies, practices, procedures and controls. Moreover, a comparative study between these ontologies, which shows their strengths and limits based on main characteristics such as missing security concepts, the ontology methodology used, integration of other security standards and best practices, and validation and evaluation, is needed by organizations. The result of this comparison intends to provide a set of recommendations to help involved users understand the way of using such standards in their ontological frameworks, or to enable them to develop new ontologies using ISO 27000 series standards in order to ensure good security compliance in information systems.
In Section 2, we provide a brief overview of ISO/IEC 27000 series security standards. In Section 3, we introduce security ontologies. In Section 4, we present an overview of security ontologies based on ISO/IEC 27000 series standards for information systems. In Section 5, we give a detailed analysis and comparison of the presented security ontologies. In Section 6, we propose a set of recommendations after discussing the significant findings of the comparative study. The paper ends with a conclusion and future work.

2. ISO/IEC 27000 series security standards

ISO 27000 series security standards, designated as the ‘ISO 27000 family of standards’ or ‘ISO 27k’, are the most prominent international standards adopted by enterprises [12]. The series provides guidelines for information security and presents both physical and security practices and procedures [13]. It includes in particular the ISO 27001, ISO 27002 and ISO 27005 standards, which vary in scope and purpose as well as in depth, level of detail and granularity [14].
In fact, ISO 27001 [15] is the first standard of the ISO/IEC 27000 family. It provides a model for establishing, implementing, operating, monitoring, reviewing and improving an Information Security Management System (ISMS). This standard groups the requirements of information security into eleven categories. Each of these categories is further divided into many subcategories. These subcategories and the corresponding high-level compliance requirements are the most detailed definitions provided by ISO 27001 [16].
ISO 27002 [17] presents a code of practice for information security management. It is introduced as subordinate to the guidance provided within ISO 27001, since it describes hundreds of controls that can be implemented [13].
ISO 27005 [18] is the ISMS standard that provides guidelines for Information Security Risk Management (ISRM) in an organization. It builds on the knowledge concepts, models, processes and terminologies defined by ISO 27001 and assists implementation by taking a risk management approach [11, 13].

3. Security ontology

An ontology is a representation model of concepts and their relationships within a domain of interest. According to Herzog et al. [19], an ontology can be used as a vocabulary, a dictionary or a roadmap in order to provide inferences about relationships between entities.
Domain ontologies are defined as a particular type of ontology that describes specific concepts in a particular domain, as well as their properties and constraints [20]. Ontologies in information security present a way to define security terminologies. These ontologies formalize knowledge related to security concepts and their interdependencies. Referring to Singh and Pandey [21], the major benefit of implementing a security ontology in an information system is that it removes the conflict among several security stakeholders (like security decision-makers, domain experts and customers) by modeling classes in the form of a hierarchy or taxonomy and the relationships among them.

4. Overview of security ontologies based on ISO/IEC 27000 series standards

4.1 Fenz et al. ontology

Fenz et al. introduce an ontology-based framework that maps the entire ISO/IEC 27001 standard [22]. They combine the ISO/IEC 27001 ontology with a security ontology in order to improve the preparation of ISO/IEC 27001 audits and to enhance the security level of the organization, respectively.
Their ontology provides a knowledge base of the IT infrastructure relevant to the company’s physical environment, in addition to threats and corresponding countermeasures. The concepts of the security ontology are Threat, Threat-Prevention, Infrastructure and Attribute. In this ontology, the authors map the entire ISO/IEC 27001 standard into three classes, which are Category, Control Objective and Control [22].

4.2 Parkin et al. ontology

Parkin et al. [9] developed a security ontology that uses the ISO/IEC 27002 security standard and incorporates human behavioural factors with information security. Their ontology relates the ISO 27002 standard to human behaviour in order to maintain the security compliance of employees, taking into account the outcomes of security infrastructure upon working practices.
This ontology models the concepts Chapter, Section, Guideline and Guideline Step, which represent the content of the ISO 27002 standard. Moreover, it includes the Asset, Role, Vulnerability, Threat and Behavior Control concepts, representing both information security and human behavioural aspects [9].

4.3 Fenz and Ekelhart ontology

The ontology proposed by Fenz and Ekelhart [23] is one of the well-known knowledge bases for the security domain. Its structure is based on the security relationship model defined in NIST 800-12 [24], and its content incorporates organization-specific knowledge, security standards and best practice guidelines.
The main concepts of the Fenz and Ekelhart ontology are Asset, Threat, Threat Origin, Threat Source, Vulnerability, Severity Scale, Control, Standard Control, Control Type, Organization and Security Attribute. Controls in the Fenz and Ekelhart ontology are derived from ISO 27001 and ISO 27002 [5, 23].

4.4 Milicevic and Goeken metamodel

Milicevic and Goeken [14] presented an ISO 27001 metamodel in order to understand the source document of this prominent security standard. The main goal of their research work is to present the structure of ISO 27001 in terms of relevant concepts and their relationships.
The ISO 27001 metamodel is composed of the following security concepts: Asset, Threat, Control, Requirement, Role, Control Objective and Security Breach [14].

4.5 Ramanauskaite et al. ontology

This security ontology was developed to map varied security standards (ISO 27001, PCI DSS, ISSA 5173 and NISTIR 7621). The purpose of adaptive mapping of these standards is to reduce the mapping complexity and optimize the use of multiple security standards in an organization [25].
The Ramanauskaite et al. ontology has five top-level classes: Asset, Countermeasure, Organization, Threat and Vulnerability. Referring to Ramanauskaite et al. [25], movable assets in the security ontology allow the creation of more links to security standards by defining what kind of assets are involved in certain controls (who is at risk, who has a vulnerability, etc.).

4.6 Agrawal ontology

Agrawal [11] proposed a new ontology that defines the concepts of the ISO 27005 risk management standard and their relationships. The development of this ontology helps users to better understand and identify the core concepts related to the risk assessment phase of the ISO 27005 standard.
The ISO 27005 ontology presents 11 classes: Asset, Threat, Vulnerability, Control, CIA, Event, Likelihood, Consequence, Risk, Organization and Objective [11].
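The ontologies surveyed in this section share an asset, threat, vulnerability and control backbone; Fenz et al. (Section 4.1) add the ISO/IEC 27001 structure of Category, Control Objective and Control so that compliance can be derived by reasoning over the knowledge base, and Agrawal (Section 4.6) adds the ISO 27005 concepts Likelihood, Consequence and Risk. The following Python script is an added example and is not code from this paper or from any of the cited ontologies. It encodes a small constructed knowledge base as triples and shows both kinds of inference: which control objectives an organization leaves uncovered, and which residual risks remain on assets whose threats have no implemented mitigating control. All identifiers (assets, controls, the CO-* and Cat-* objective and category names, the organization ACME) and the 3x3 qualitative risk scale are assumptions made for the example; they do not quote the standards.

```python
"""Added example: ontology-backed compliance and risk reasoning over a
constructed ISO 27k-style knowledge base (not the paper's own code)."""

# Knowledge base as (subject, predicate, object) triples. Every identifier is
# constructed; CO-* and Cat-* names only imitate the ISO/IEC 27001
# Category / Control Objective / Control structure and are placeholders.
TRIPLES = {
    ("CustomerDB", "isA", "Asset"),
    ("CustomerDB", "requires", "Confidentiality"),      # security attribute
    ("WebServer", "isA", "Asset"),
    ("WebServer", "requires", "Availability"),
    ("CustomerDB", "hasVulnerability", "WeakPasswordPolicy"),
    ("WebServer", "hasVulnerability", "UnpatchedService"),
    ("CredentialGuessing", "isA", "Threat"),
    ("CredentialGuessing", "exploits", "WeakPasswordPolicy"),
    ("ServiceExploit", "isA", "Threat"),
    ("ServiceExploit", "exploits", "UnpatchedService"),
    ("PasswordManagementSystem", "isA", "Control"),
    ("PasswordManagementSystem", "mitigates", "WeakPasswordPolicy"),
    ("PasswordManagementSystem", "implementsObjective", "CO-AccessControl"),
    ("PatchManagement", "isA", "Control"),
    ("PatchManagement", "mitigates", "UnpatchedService"),
    ("PatchManagement", "implementsObjective", "CO-TechnicalVulnMgmt"),
    ("CO-AccessControl", "belongsTo", "Cat-AccessControl"),
    ("CO-TechnicalVulnMgmt", "belongsTo", "Cat-Operations"),
    ("CO-BackupPolicy", "belongsTo", "Cat-Operations"),
    ("ACME", "isA", "Organization"),
    # "established knowledge": what the organization actually runs today
    ("ACME", "implements", "PasswordManagementSystem"),
}

# Constructed ISO 27005-style qualitative scales, 1 (low) .. 3 (high).
LIKELIHOOD = {"CredentialGuessing": 3, "ServiceExploit": 2}
CONSEQUENCE = {"CustomerDB": 3, "WebServer": 2}


def objects(subject, predicate):
    """All o such that (subject, predicate, o) is in the knowledge base."""
    return {o for s, p, o in TRIPLES if s == subject and p == predicate}


def subjects(predicate, obj):
    """All s such that (s, predicate, obj) is in the knowledge base."""
    return {s for s, p, o in TRIPLES if p == predicate and o == obj}


def instances(cls):
    return subjects("isA", cls)


def threats_for_asset(asset):
    """Threats that exploit some vulnerability present on the asset."""
    return {t for v in objects(asset, "hasVulnerability")
            for t in subjects("exploits", v)}


def controls_for_threat(threat):
    """Controls that mitigate a vulnerability the threat exploits."""
    return {c for v in objects(threat, "exploits")
            for c in subjects("mitigates", v)}


def implemented_objectives(org):
    """Control objectives reached through the controls the org implements."""
    return {o for c in objects(org, "implements")
            for o in objects(c, "implementsObjective")}


def compliance_gaps(org):
    """Control objectives in the ISO 27001 mapping not covered by the org."""
    all_objectives = {s for s, p, o in TRIPLES if p == "belongsTo"}
    return all_objectives - implemented_objectives(org)


def gaps_by_category(org):
    """Group uncovered control objectives under their ISO 27001 category."""
    grouped = {}
    for objective in compliance_gaps(org):
        for category in objects(objective, "belongsTo"):
            grouped.setdefault(category, set()).add(objective)
    return grouped


def unmitigated_threats(org, asset):
    """Threats on the asset for which no implemented control mitigates them."""
    implemented = objects(org, "implements")
    return {t for t in threats_for_asset(asset)
            if not (controls_for_threat(t) & implemented)}


def risk_level(likelihood, consequence):
    """Qualitative risk from a constructed 3x3 likelihood/consequence matrix."""
    score = likelihood * consequence
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


def risk_register(org, residual=True):
    """(asset, threat, level) rows, sorted; residual=True keeps only threats
    that no implemented control mitigates, residual=False gives inherent risk."""
    rows = []
    for asset in sorted(instances("Asset")):
        threats = unmitigated_threats(org, asset) if residual else threats_for_asset(asset)
        for threat in sorted(threats):
            rows.append((asset, threat, risk_level(LIKELIHOOD[threat], CONSEQUENCE[asset])))
    return rows


if __name__ == "__main__":
    print("Uncovered ISO 27001 objectives by category:", gaps_by_category("ACME"))
    print("Inherent risk register:", risk_register("ACME", residual=False))
    print("Residual risk register:", risk_register("ACME"))
```

The same triple store serves both questions the surveyed ontologies are built for: the compliance query walks Control to Control Objective to Category, while the risk query walks Asset to Vulnerability to Threat and back to Control, so adding a control or a vulnerability updates both answers without changing the reasoning code.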

5. Comparative Study

Different studies have focused on comparing security ontologies based on methodologies, selecting main criteria such as used concepts, ontology type, methodology, language and software development [10, 26]. For ontologies based on ISO/IEC 27000 security standards, we selected five comparison criteria based on a literature review [10, 14, 26]:
• ISO 27k standard and integration of other security standards and best practices [10]
• Methodology used and the evaluation and validation of the ontology [26]
• Missing security concepts [14]
As shown in Table 1, we propose a new comparison between the above security ontologies based on the cited criteria, in order to pick out their benefits and limits.

Table 1. Comparison criteria between ontologies based on ISO/IEC 27000 series security standards

| Ontology reference | ISO/IEC 27000 series security standard | Missing security concepts | Integration of other security standards and best practices | Methodology of ontology design and development | Validation and/or evaluation |
|---|---|---|---|---|---|
| Fenz et al. [22] | ISO/IEC 27001 | Vulnerability, Risk | - | - | ✓ |
| Parkin et al. [9] | ISO/IEC 27002 | Security Attribute, Risk | - | ✓ | ✓ |
| Fenz and Ekelhart [23] | ISO/IEC 27001, ISO/IEC 27002 | Risk | ✓ | - | ✓ |
| Milicevic and Goeken [14] | ISO/IEC 27001 | Vulnerability, Risk | - | ✓ | ✓ |
| Ramanauskaite et al. [25] | ISO/IEC 27001 | Security Attribute, Risk | ✓ | - | ✓ |
| Agrawal [11] | ISO/IEC 27005 | - | - | ✓ | ✓ |

Fenz et al. [22] present an ontological mapping of the ISO 27001 standard. The validation of their ontology takes into account ISO 27001 concepts in combination with physical and security aspects in the organization. In addition, compliance with ISO/IEC 27001 controls is determined based on the established knowledge on the one hand and by reasoning on the other hand. However, the Fenz et al. ontology presents some shortcomings, as we noticed the following:
• Vulnerability and Risk concepts are missing from the ontology.
• Lack of a methodology for ontology design and development.
• The ontological mapping is limited to ISO 27001 requirements only.
The ontology based on human-behavioural implications in [9] considers the ISO 27002 standard for improving standard readability and maintaining security compliance in the organization. It follows the guidance defined in [27] for modelling ontology concepts and corresponding relationships. Indeed, the authors assess the efficacy of their ontology by deriving ontology content from an individual ISO 27002 guideline related to password policy. However, the Parkin et al. ontology does not consider that Security Attribute and Risk concepts can influence the security behaviours of employees within the company. In addition, this ontology does not represent requirements from other security standards and best practices.
The Fenz and Ekelhart ontology [23] is the prominent ontology in the information security field. It has been updated in several research works [5] to incorporate requirements and controls from ISO 27001 and ISO 27002. It is also based on best practice guidelines for deriving ontology concepts, like the German IT-Grundschutz Manual [28]. However, it does not include Risk as a relevant concept in the security ontology and does not follow a particular methodology.
The Milicevic and Goeken metamodel presents security concepts derived from the ISO 27001 standard. The research methodology of this metamodeling is based mainly on UML class diagrams for modeling the standard structure and on Qualitative Data Analysis (QDA) [29] for building the standard metamodel. According to Milicevic and Goeken in [30], two types of evaluation are considered in the overall research methodology: semantic evaluation and pragmatic evaluation. The semantic evaluation focuses on missing concepts in the ISO 27001 metamodel, like Vulnerability and Risk. The pragmatic evaluation describes the applicability of the ISO 27001 metamodel in a generalized information security risk management process.
The Ramanauskaite et al. ontology [25] is used as a base for adaptive mapping of several security standards including ISO 27001. The assessment of adaptive mapping of these standards proves that the Ramanauskaite et al. ontology covers a large part of the concepts in the four security standards presented. However, this security ontology presents the following shortcomings:
• Security Attribute and Risk concepts are missing from the ontology.
• Lack of a methodology for ontology design and development.
• There is no application of the security ontology.
The security ontology of Agrawal [11] presents concepts of the ISO 27005 security risk management standard. It incorporates the most relevant security concepts, including Asset, Vulnerability, Threat, Control, Security Attribute and Risk. Furthermore, Agrawal uses a domain application based on a case scenario of a healthcare system in order to evaluate his proposed ontology. As in [9], Noy and McGuinness [27] provide the methodology used for ontology construction.
6. Discussion and recommendations

Ontologies based on ISO/IEC 27000 series security standards address two different goals:
• The conceptualization of a given ISO standard in order to identify as well as understand its relevant concepts (Milicevic and Goeken metamodel and Agrawal ontology).
• The standard mapping or adaptive mapping [4] of a given ISO standard in order to ensure security compliance in the organization (Fenz et al. ontology, Parkin et al. ontology, Fenz and Ekelhart ontology, and Ramanauskaite et al. ontology).
The comparative study of the presented ontologies allows us to propose recommendations for different security stakeholders in organizations, in order to help them understand a given standard of the ISO 27000 series and incorporate a set of ISO 27000 requirements and detailed security concepts in their security management frameworks. Furthermore, these recommendations may represent for security decision makers a reference and guideline that enable them to select suitable security concepts and their details according to their business security needs.
Specifically, our recommendations focus on the needs of users to achieve their appropriate security goals using ontologies based on ISO 27000 series security standards. These recommendations are based on five main criteria required by the involved security stakeholders:
• ISO/IEC 27000 standard: Which standard of the ISO/IEC 27000 series is needed?
• ISO/IEC 27000 series concepts: Which concepts related to the ISO/IEC 27000 series are useful?
• Security concepts: Which security concepts are covered?
• Methodology: Which methodology is used?
• Validation and assessment: For each ontology considered in this study, we are interested in knowing whether it was subject to validation and/or assessment.

Fig. 1. Summary of recommendations of ontologies based on ISO 27k

Figure 1 shows a summary of our recommendations on using security ontologies based on ISO 27k standards, related to the five mentioned criteria required by the involved security stakeholders.

• ISO/IEC 27000 standard

If the user needs a particular ISO/IEC 27000 standard, we recommend using the Fenz et al., Fenz and Ekelhart, Milicevic and Goeken or Ramanauskaite et al. ontologies for ISO 27001, the Parkin et al. or Fenz and Ekelhart ontologies for ISO 27002, or the Agrawal ontology for ISO 27005.

• ISO/IEC 27000 concepts

If the user needs concepts or objects related to ISO 27000 series standards, it is necessary to identify the appropriate standard (ISO 27001, ISO 27002 or ISO 27005) and its related concepts. In this case, we recommend using the Fenz et al., Parkin et al., Fenz and Ekelhart or Ramanauskaite et al. ontologies.
If the user needs all relevant concepts of a particular standard, we recommend using Milicevic and Goeken for ISO 27001 or Agrawal for ISO 27005.

• Security concepts

For modelling a security ontology, we take into account the most relevant security concepts, which are Asset, Threat, Vulnerability, Control, Security Attribute and Risk.
If the user needs information about assets, security threats or controls, we recommend using any of the ontologies presented.
If the user needs information about vulnerabilities, we recommend using the Parkin et al., Fenz and Ekelhart, Ramanauskaite et al. or Agrawal ontologies.
If the user needs information about security attributes, we recommend using the Fenz et al., Fenz and Ekelhart, Milicevic and Goeken or Agrawal ontologies.
If the user needs information about risks, we recommend using only the Agrawal ontology.

• Methodology

If the use of a methodology to build the security ontology is mandatory, we recommend using the Milicevic and Goeken, Parkin et al. or Agrawal ontologies.

• Assessment and validation

Due to the limited knowledge related to information security, ISO/IEC 27000 concepts and controls, the evaluation of a security ontology represents a crucial requirement for decision makers. If the user needs information from an assessed ontology, we recommend using the Fenz et al., Parkin et al., Fenz and Ekelhart, Milicevic and Goeken or Ramanauskaite et al. ontologies.
The application of an ontology based on ISO 27k in security management frameworks in general, and in risk scenarios in particular, confirms its effectiveness and consistency in an organization. Thus, if the user needs information from a validated ontology, we recommend using the Fenz et al., Parkin et al., Fenz and Ekelhart, Milicevic and Goeken or Agrawal ontologies.

7. Conclusion

Ontology-based security standards allow security stakeholders to model and integrate the features of such security standards. A security ontology is an advanced technique for storing information and gathering relevant knowledge to enhance the security brand in enterprises. In this paper, a description and analysis of ontologies based on ISO 27000 series security standards is detailed. We pick out the benefits and limits of each security ontology considering a set of factors like the ISO/IEC 27k standard used, missing concepts, integration of other standards and best practices, the methodology used, and validation and evaluation of the security ontology. This paper provides a set of recommendations to security decision makers who need to choose an ontology regarding their security requirements, and to researchers and practitioners who need to use security concepts and ISO 27000 features in their security frameworks. It is evident that there is still a need to develop a unified security ontology covering all relevant security concepts, incorporating several requirements from the ISO 27000 series, following a well-defined methodology and ensuring the assessment and validation of the security ontology.
Future work may be initiated towards addressing our recommendations, covering aspects from security risk management and ontologies based on ISO 27000 series security standards. Moreover, a new ontology may also be proposed to model a particular security risk analysis model for information systems.

References

[1] Blanco, Carlos, et al. (2008) "A systematic review and comparison of security ontologies." Third International Conference on Availability, Reliability and Security. IEEE.
[2] Straub, Detmar W., and Richard J. Welke. (1998) "Coping with systems risk: security planning models for management decision making." MIS Quarterly: 441-469.
[3] Chiang, Tung Ju, Jen Shiang Kouh, and Ray-I Chang. (2009) "Ontology-based risk control for the incident management." International Journal of Computer Science and Network Security 9.11: 181-189.
[4] Olifer, Dmitrij. (2015) "Evaluation metrics for ontology-based security standards mapping." 2015 Open Conference of Electrical, Electronic and Information Sciences (eStream). IEEE.
[5] Fenz, Stefan, Stefanie Plieschnegger, and Heidi Hobel. (2016) "Mapping information security standard ISO 27002 to an ontological structure." Information & Computer Security 24.5: 452-473.
[6] Kovalenko, Oleksii, and Taras Kovalenko. (2018) "Knowledge Model and Ontology for Security Services." 2018 IEEE First International Conference on System Analysis & Intelligent Computing (SAIC). IEEE.
[7] Ullah, Kazi Wali. (2012) Automated security compliance tool for the cloud. MS thesis. Institutt for telematikk.
[8] Al-Hassan, Mustafa Nouman Murad. (2014) "A Semantic Ontology based Concept for Measuring Security Compliance of Cloud Service Providers".
[9] Parkin, Simon E., Aad van Moorsel, and Robert Coles. (2009) "An information security ontology incorporating human-behavioural implications." Proceedings of the 2nd International Conference on Security of Information and Networks. ACM.
[10] Blanco, C., Lasheras, J., Fernández-Medina, E., Valencia-García, R., and Toval, A. (2011) "Basis for an integrated security ontology according to a systematic review of existing proposals." Computer Standards & Interfaces 33.4: 372-388.
[11] Agrawal, Vivek. (2016) "Towards the Ontology of ISO/IEC 27005:2011 Risk Management Standard." HAISA.
[12] Disterer, Georg. (2013) "ISO/IEC 27000, 27001 and 27002 for information security management".
[13] Gikas, Constantine. (2010) "A general comparison of FISMA, HIPAA, ISO 27000 and PCI-DSS standards." Information Security Journal: A Global Perspective 19.3: 132-141.
[14] Milicevic, D., and Goeken, M. (2010) "Ontology-based evaluation of ISO 27001." Conference on e-Business, e-Services and e-Society (pp. 93-102). Springer, Berlin, Heidelberg.
[15] ISO/IEC 27001:2005 Information Technology, Security Techniques, Information Security Management Systems, Requirements. http://www.iso.org/iso/catalogue_detail?csnumber=42103
[16] Fenz, Stefan. (2010) "Ontology-based generation of IT-security metrics." Proceedings of the 2010 ACM Symposium on Applied Computing. ACM.
[17] ISO/IEC 27002 (2013) "Information technology – security techniques – code of practice for information security controls".
[18] ISO/IEC. (2005) ISO/IEC 27001:2005, Information technology - Security techniques - Information security management systems - Requirements.
[19] Herzog, Almut, Nahid Shahmehri, and Claudiu Duma. (2007) "An ontology of information security." International Journal of Information Security and Privacy (IJISP) 1.4: 1-23.
[20] Guarino, Nicola, ed. (1998) Formal ontology in information systems: Proceedings of the first international conference (FOIS'98), June 6-8, Trento, Italy. Vol. 46. IOS Press.
[21] Singh, Vaishali, and S. K. Pandey. (2014) "Revisiting security ontologies." International Journal of Computer Science Issues (IJCSI) 11.6: 150.
[22] Fenz, Stefan, et al. (2007) "Information security fortification by ontological mapping of the ISO/IEC 27001 standard." 13th Pacific Rim International Symposium on Dependable Computing (PRDC 2007). IEEE.
[23] Fenz, Stefan, and Andreas Ekelhart. (2009) "Formalizing information security knowledge." Proceedings of the 4th International Symposium on Information, Computer, and Communications Security. ACM.
[24] Stoneburner, Gary, Alice Y. Goguen, and Alexis Feringa. (2002) "SP 800-30. Risk management guide for information technology systems".
[25] Ramanauskaitė, Simona, et al. (2013) "Security ontology for adaptive mapping of security standards." International Journal of Computers, Communications & Control (IJCCC) 8.6: 813-825.
[26] Singh, V., and Pandey, S. K. (2014) "A comparative study of cloud security ontologies." Proceedings of 3rd International Conference on Reliability, Infocom Technologies and Optimization (pp. 1-6). IEEE.
[27] Noy, Natalya F., and Deborah L. McGuinness. (2001) "Ontology development 101: A guide to creating your first ontology".
[28] BSI. (2004) IT-Grundschutz-Manual.
[29] Corbin, Juliet M., and Anselm Strauss. (1990) "Grounded theory research: Procedures, canons, and evaluative criteria." Qualitative Sociology 13.1: 3-21.
[30] Milicevic, Danijel, and Matthias Goeken. (2011) "Application of models in information security management." 2011 Fifth International Conference on Research Challenges in Information Science. IEEE.
