Security-by-Ontology: A Knowledge-Centric Approach

Bill Tsoumas, Panagiotis Papagiannakopoulos, Stelios Dritsas, Dimitris Gritzalis
Information Security and Critical Infrastructure Protection Research Group
Dept. of Informatics, Athens University of Economics and Business
76 Patission Ave., Athens GR-10434, Greece
{bts, papajohn, sdritsas, dgrit}@aueb.gr

Abstract. We present a security ontology (SO), which can be used as a basis for the security management of an arbitrary information system. This SO provides capabilities such as modeling of risk assessment knowledge, abstraction of security requirements, and interoperability, aggregation and reasoning over reusable security knowledge. The SO is based on the exploitation of security-related knowledge derived from diverse sources. We demonstrate that the establishment of such a framework is feasible and, furthermore, that a SO can support critical security activities of an expert, e.g. security requirements identification, as well as the selection of appropriate countermeasures. We also present and discuss an implementation of a specific SO. The implementation is accompanied by results regarding how a SO can be built and populated with security information.

1 Introduction

The introduction of new technologies, in conjunction with the dynamic character of Information Systems (IS), draws attention to several categories of information security risks, while at the same time underscoring the importance of sound security management. Traditionally, security control requirements emerge as the result of an IS Risk Assessment (RA) review, which requires extensive intervention by a security expert. This is an effort-consuming intervention which has not yet been properly assisted by automated processes, especially in large and complex organizations that are heavily IS-dependent. In such organizations "a security program in order to be successfully incorporated must be multi-dimensional ... these include physical elements, people as well as computers and software" [1].

Our objective is to provide a management framework that supports IS security management as defined by the PDCA cycle (Plan-Do-Check-Act) introduced in [2]. Our work is not directly concerned with RA approaches per se; nevertheless, it supports the security management process by providing automated support that builds on RA results. The creation of such a framework was based on the research direction described in [3], that is: a) the process of specifying safeguards, b) taking into consideration the nature of the organization's flexibility, and c) the creation of adaptive safeguards. We propose a structured approach to support the process leading from informal, high-level statements found in policy and RA documents to deployable technical countermeasures. The outcome of this process

Please use the following format when citing this chapter: Author(s) [insert Last name, First-name initial(s)], 2006, in IFIP International Federation for Information Processing, Volume 201, Security and Privacy in Dynamic Environments, eds. Fischer-Hubner, S., Rannenberg, K., Yngstrom, L., Lindskog, S., (Boston: Springer), pp. [insert page numbers].