The Second International Workshop on Security Ontologies and Taxonomies (SecOnt 2013) will be held in conjunction with the 8th International Conference on Availability, Reliability and Security (ARES 2013) on September 3 in Regensburg, Germany. With SecOnT we aim at establishing a highly specialized annual meeting to conduct in-depth research discussions and to identify collaboration opportunities among the participants. The preliminary program for the 2013 workshop:

1. Introductory talk by Stefan Fenz: (i) security ontology applications (risk and compliance management, awareness, incident handling, etc.), (ii) recent developments on the European and international level, (iii) emerging domains which could be supported by security ontologies (e.g., smart grid area), (iv) current challenges of the domain, (v) current limitations of security ontologies, and (vi) potential strategies to enable ontology-based knowledge sharing (incentives and barriers).
2. Yulia Cherdantseva, Jeremy Hilton (Cardiff University, UK): A Reference Model of Information Assurance & Security
3. David Mundie (CERT, US): An Ontology for Malware Analysis
4. Arwa Wali, Soon Chun, James Geller (New Jersey Institute of Technology, US): A Bootstrapping Approach for Developing a Cyber-Security Ontology Using Textbook Index Terms
5. Kristian Beckers, Maritta Heisel (University Duisburg-Essen, DE): A Usability Evaluation of the NESSoS Common Body of Knowledge
6. Karin Bernsmed, Per Håkon Meland, Martin Gilje Jaatun, Astrid Undheim, Humberto Castejon (SINTEF ICT, NO): Towards an Ontology for Cloud Security Obligations
7. Jakub Breier, Ladislav Hudec (Slovak University of Technology, SK): On Selecting Critical Security Controls
8. Tove Gustavi, Pontus Svenson (Swedish Defence Research Agency, SE): Taxonomy for Port Security Systems

Today, Stefan gave a keynote on Information Security Knowledge Sharing at the ENISA PSG Meeting in Athens. Download the slides here.

On August 23, 2012 we conducted the first international workshop on security ontologies and taxonomies at the ARES 2012 conference in Prague. In two sessions the latest security ontology research results were presented and the following overall challenges were identified by the workshop participants:

– Reaching critical mass of content
– Motivation of partners/contributors
– Quality management
– Usability
– Funding
– Community support
– APIs
– Technology (SemanticWiki, WebProtege, etc.)
– Joining/merging ontologies
– Data representation (OWL, etc.)
– Overview of current activities/ontologies

The list shows the main challenges active security ontology researchers are currently facing and thereby provides guidance for a structured and collaborative effort to advance the security ontology research field. We encourage all interested researchers and practitioners to extend/modify/discuss the posted challenges list and provide us with feedback regarding their progress in the field. Please see the security ontologies group at https://groups.google.com/forum/#!forum/security-ontologies for further details.

This article is joint work with Simon Parkin and Aad van Moorsel from Newcastle University (UK). It will appear in May 2011 in IEEE IT Professional.

Abstract: Corporate IT security managers have a difficult time staying on top of the endless tide of new technologies and security threats sweeping into their organizations and information systems. The effectiveness of security controls must be balanced with a variety of operational issues, including the impact on employee productivity, legal and ethical stipulations, and business and financial concerns. IT security managers in different organizations face many of the same threats and establish similar solutions, and they’re often gathering and applying the same knowledge. However, they’re doing so largely on their own, which is clearly inefficient. We propose a formalized community project for sharing and applying IT security management knowledge. Here, we present our community knowledge-base prototype, designed to benefit IT security managers in a variety of organizations.

The article has been accepted for publication in the Communications of the Association for Information Systems (CAIS). Click here to download the article from the CAIS website.

Abstract: As companies are increasingly exposed to information security threats, decision makers are permanently forced to pay attention to security issues. Information security risk management provides an approach for measuring the security through risk assessment, risk mitigation, and risk evaluation. Although a variety of approaches have been proposed, decision makers lack well-founded techniques that (1) show them what they are getting for their investment, (2) show them if their investment is efficient, and (3) do not demand in-depth knowledge of the IT security domain. This article defines a methodology for management decision makers that effectively addresses these problems. This work involves the conception, design, and implementation of the methodology into a software solution. The results from two qualitative case studies show the advantages of this methodology in comparison to established methodologies.

We kindly ask you to participate in our information security knowledge management survey. The survey is conducted by publicly-funded research institutions SBA Research (AT), Newcastle University (UK), and Vienna University of Technology (AT). We conduct the survey to explore potential ways of enabling companies and professionals to share information security knowledge through the application of collaborative semantic web technologies. The aggregated survey results will be published within publically-accessible research publications.

Survey: http://www.sba-research.org/survey/index.php?sid=73314

Thank you for your support.