{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,7,9]],"date-time":"2026-07-09T05:22:22Z","timestamp":1783574542062,"version":"3.55.0"},"reference-count":25,"publisher":"Emerald","issue":"2","license":[{"start":{"date-parts":[[2008,6,6]],"date-time":"2008-06-06T00:00:00Z","timestamp":1212710400000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2008,6,6]]},"abstract":"<jats:sec><jats:title content-type=\"abstract-heading\">Purpose<\/jats:title><jats:p>This paper aims to show the difficulties involved in dealing with the quantity, diversity and the lack of semantics security information. It seeks to propose the use of ontologies to tackle the problem.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-heading\">Design\/methodology\/approach<\/jats:title><jats:p>The paper describes the general methodology to create security ontologies and illustrates the case with the design and validation of two ontologies: system vulnerabilities and security incidents.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-heading\">Findings<\/jats:title><jats:p>Two examples of ontologies, one related to systems vulnerability and the other related to security incidents (designed to illustrate this proposal) are described. The portability\/reusability propriety is demonstrated, inferring that the information structured at lower levels (by security management tools and people) can be successfully used and understood at higher levels (by security governance tools and people).<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-heading\">Research limitations\/implications<\/jats:title><jats:p>Work in the area of managing privacy policies, risk assessment and mitigation management, as well as CRM, business alignment and business intelligence, could be greatly eased by using an ontology to properly define the concepts involved in the area.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-heading\">Practical implications<\/jats:title><jats:p>Ontologies can facilitate the interoperability among different security tools, creating a unique way to represent security data and allow the security data from any security tool (for instance, Snort) to be mapped into an ontology, such as the security incident one described in the paper. An example showing how the two ontologies could be plugged into a high level decision\u2010making system is described at the end.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-heading\">Originality\/value<\/jats:title><jats:p>Although several previous papers examined the value of using ontologies to represent security information, this one looks at their properties for a possible integrated use of management and governance tools.<\/jats:p><\/jats:sec>","DOI":"10.1108\/09685220810879627","type":"journal-article","created":{"date-parts":[[2008,6,21]],"date-time":"2008-06-21T07:00:26Z","timestamp":1214031626000},"page":"150-165","source":"Crossref","is-referenced-by-count":23,"title":["Ontologies for information security management and governance"],"prefix":"10.1108","volume":"16","author":[{"given":"Edson","family":"dos Santos Moreira","sequence":"first","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Luciana","family":"Andr\u00e9ia Fondazzi Martimiano","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Antonio","family":"Jos\u00e9 dos Santos Brand\u00e3o","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Mauro","family":"C\u00e9sar Bernardes","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"140","reference":[{"key":"key2022020920182895400_b1","unstructured":"Bechhofer, S., Harmelen, F., van Hendler, J., Horrocks, I., McGuinness, D.L., Patel\u2010Schneider, P.F. and Stein, L.A. (2004), \u201cOWL web ontology language reference\u201d, Technical Report, available at: www.w3.org\/TR\/owl\u2010ref."},{"key":"key2022020920182895400_b2","unstructured":"Bernardes, M.C. (2005), \u201cModelling the information security governance with the support of information systems\u201d, PhD thesis, ICMC\u2010USP, S\u00e3o Carlos (in Portuguese)."},{"key":"key2022020920182895400_b3","unstructured":"Brand\u00e3o, A.J.S. (2004), \u201cUsing ontologies to classify vulnerabilities on security systems\u201d, Master thesis, ICMC\u2010USP, S\u00e3o Carlos (in Portuguese)."},{"key":"key2022020920182895400_b4","unstructured":"Brewster, C., Alani, H., Dasmahapatra, S. and Wilks, S.Y. (2004), \u201cData driven ontology evaluation\u201d, Proceedings of the International Conference on Language Resources and Evaluation, Lisboa, Portugal."},{"key":"key2022020920182895400_b5","unstructured":"Gollmann, D. (1999), Computer Security, Wiley, New York, NY."},{"key":"key2022020920182895400_b6","doi-asserted-by":"crossref","unstructured":"Gruber, T.R.A. (1993), \u201cTranslation approach to portable ontology specification\u201d, Knowledge Acquisition, Vol. 5 No. 2, pp. 199\u2010220.","DOI":"10.1006\/knac.1993.1008"},{"key":"key2022020920182895400_b7","unstructured":"Gr\u00fcninger, M. and Fox, M.S. (1995), \u201cMethodology for the design and evaluation of ontologies\u201d, Proceedings of the International Joint Conference on Artificial Intelligence (IJCAI95), Workshop on Basic Ontological Issues in Knowledge Sharing, April."},{"key":"key2022020920182895400_b8","unstructured":"Howard, J.D. (1997), \u201cAn analysis of security incidents on the internet: 1989\u20101995\u201d, PhD thesis, Institute of Technology, Carnegie Mellon University, Pittsburgh, PA."},{"key":"key2022020920182895400_b9","unstructured":"Howard, J.D. and Longstaff, T.A. (1998), A Common Language for Computer Security Incidents, Sandia National Laboratories, Livermore, CA."},{"key":"key2022020920182895400_b11","unstructured":"Klyne, G. and Carroll, J.J. (2004), \u201cResource description framework (RDF): concepts and abstract syntax\u201d, available at: www.w3.org\/TR\/rdf\u2010concepts\/."},{"key":"key2022020920182895400_b10","unstructured":"Kumar, S. (1995), \u201cClassification and detection of computer intrusions\u201d, PhD thesis, Computer Sciences Department, Purdue University, Hammond, IN."},{"key":"key2022020920182895400_b12","unstructured":"Laudon, K.C. and Laudon, J.P. (2002), Management Information Systems \u2013 Managing the Digital Firm, 7th ed., Prentice\u2010Hall, Englewood Cliffs, NJ."},{"key":"key2022020920182895400_b16","unstructured":"Mann, D.E. and Christey, S.M. (1999), Towards a Common Enumeration of Vulnerabilities, The MITRE Corporation, Bedford, MA, available at: http:\/\/cve.mitre.org\/docs\/docs\u20102000\/cerias.html."},{"key":"key2022020920182895400_b14","unstructured":"Martimiano, L.A.F. (2006), \u201cOn the structuring of information in computer security systems: the use of ontologies\u201d, PhD thesis, ICMC\u2010USP, S\u00e3o Carlos (in Portuguese)."},{"key":"key2022020920182895400_b15","unstructured":"Martimiano, L.A.F. and Moreira, E.D. (2006), \u201cThe evaluation process of a computer security incident ontology\u201d, Proceedings of the 2nd Workshop on Ontologies and their Applications (WONTO06), International Joint Conference, October, available on CD\u2010ROM."},{"key":"key2022020920182895400_b18","unstructured":"NCSC (1988), Glossary of Computer Security Terms, National Computer Security Center, Fort Meade, MD, Trusted Network, NCSC\u2010TG\u2010004, October."},{"key":"key2022020920182895400_b17","unstructured":"Noy, N.F. and McGuinness, D.L. (2001), \u201cOntology development 101: a guide to create your first ontology\u201d, Knowledge Systems Laboratory Technical Report KSL\u201001\u201005, Stanford University, Stanford, CA."},{"key":"key2022020920182895400_b19","unstructured":"Prud'hommeaux, E. and Seaborne, A. (2006), \u201cSPARQL \u2013 query language for RDF\u201d, available at: www.w3.org\/TR\/rdf\u2010sparql\u2010query\/."},{"key":"key2022020920182895400_b20","doi-asserted-by":"crossref","unstructured":"Schumacher, M. (2003), \u201cToward a security core ontology\u201d, Security Engineering with Patterns \u2013 Origins, Theoretical Model and New Applications, Lectures Notes in Computer Science (LNCS 2754), Springer, New York, NY, pp. 87\u201096.","DOI":"10.1007\/978-3-540-45180-8_6"},{"key":"key2022020920182895400_b21","unstructured":"Seaborne, A. (2004), \u201cRDQL \u2013 a query language for RDF\u201d, available at: www.w3.org\/Submission\/2004\/SUBM\u2010RDQL\u201020040109\/."},{"key":"key2022020920182895400_b23","doi-asserted-by":"crossref","unstructured":"Shirey, R. (2000), RFC 2828: Internet Security Glossary, GTE\/BBN Technologies, Cambridge, MA.","DOI":"10.17487\/rfc2828"},{"key":"key2022020920182895400_b24","doi-asserted-by":"crossref","unstructured":"Sirin, E., Parsia, B., Cuenca, B.G., Kalyanpur, A. and Katz, Y. (2006), \u201cPellet: a practical OWL\u2010DL reasoner\u201d, available at: www.mindswap.org\/2003\/pellet\/.","DOI":"10.2139\/ssrn.3199351"},{"key":"key2022020920182895400_b25","doi-asserted-by":"crossref","unstructured":"Swartout, W. and Tate, A. (1999), \u201cOntologies\u201d, IEEE Intelligent Systems, Vol. 14 No. 1, pp. 18\u201019.","DOI":"10.1109\/MIS.1999.747901"},{"key":"key2022020920182895400_b22","doi-asserted-by":"crossref","unstructured":"Uschold, M. and Gr\u00fcninger, M. (1996), \u201cOntologies: principles, methods and applications\u201d, Knowledge Engineering Review, Vol. 11 No. 2, pp. 93\u2010155.","DOI":"10.1017\/S0269888900007797"},{"key":"key2022020920182895400_frd1","unstructured":"L\u00f3pez, M.F. (1996), \u201cCHEMICALS: Ontologia de elementos qu\u00edmicos\u201d, Final\u2010year Project, Facultad de Inform\u00e1tica de la Universidad Polit\u00e9cnica de Madrid, Madrid."}],"container-title":["Information Management &amp; Computer Security"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/www.emeraldinsight.com\/doi\/full-xml\/10.1108\/09685220810879627","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/09685220810879627\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/09685220810879627\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,25]],"date-time":"2025-07-25T00:09:05Z","timestamp":1753402145000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/ics\/article\/16\/2\/150-165\/184574"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2008,6,6]]},"references-count":25,"journal-issue":{"issue":"2","published-print":{"date-parts":[[2008,6,6]]}},"alternative-id":["10.1108\/09685220810879627"],"URL":"https:\/\/doi.org\/10.1108\/09685220810879627","relation":{},"ISSN":["0968-5227"],"issn-type":[{"value":"0968-5227","type":"print"}],"subject":[],"published":{"date-parts":[[2008,6,6]]}}}