Open access peer-reviewed chapter - ONLINE FIRST

Establishing Information Security Policy as an Organizational Risk Management

Written By

Kiyoshi Nagata

Submitted: 23 January 2024 Reviewed: 23 January 2024 Published: 14 March 2024

DOI: 10.5772/intechopen.1004563


From the Edited Volume

The Future of Risk Management [Working Title]

Dr. Larisa Ivascu, Dr. Marius Pislaru and Dr. Lidia Alexa


Abstract

In the advanced information and communication network society, every organization faces information-related risks such as information leaks, system and service malfunctions, unauthorized intrusions, business email compromise, ransom attacks, etc. In order to deal with these various types of risks, it is necessary to take measures that emphasize the balance of the entire organization rather than individual technical measures. In this chapter, we provide an overview of various information-related risks and consider the establishment of information security policies as a means of overall risk management. With SMEs with limited financial and human resources especially in mind, we discuss an automatic generation system for information security policies that utilizes ontology.

Keywords

  • information related risks
  • information security policy
  • SMEs
  • automatic generation system
  • ontology

1. Introduction

The World Economic Forum analyzes the risks to the global economy and the world as a whole and publishes the results every year in “The Global Risks Report”, underpinned by the Global Risks Perception Survey (GRPS). Responses for the GRPS 2022–2023 were collected from September 7 to October 5, 2022, and bring together leading insights on the evolving global risks landscape from over 1200 experts across academia, business, government, international communities, and civil society.

Global risk is defined as the possibility of the occurrence of an event or condition which, if it occurs, would negatively impact a significant proportion of global GDP, population, or natural resources. The risk of “Widespread cyber-crime and cyber insecurity”, described as increasingly sophisticated cyberespionage or cybercrimes including loss of privacy, data fraud or theft, and cyber espionage, is ranked 8th in the 18th edition of the report ([1], p. 8).

It also reported that there were some notable differences between the responses of government and business respondents, with “Debt crises”, “Failure to stabilize price trajectories”, “Failure to mitigate climate change”, and “Failure of climate change adaptation” featuring more prominently for governments, and “Widespread cybercrime and cyber insecurity”, and “Large-scale environmental damage incidents” featuring higher for business.

In response to the question “Please rank the top 5 currently manifesting risks in order of how severe you believe their impact will be on a global level in 2023”, “Cyberattacks on critical infrastructure” is the 5th currently manifesting risk, following the “Energy supply crisis (1st)”, “Cost-of-living crisis (2nd)”, “Rising inflation (3rd)”, and “Food supply crisis (4th)”. As highlighted in the chapter ‘Digital Dependencies and Cyber Vulnerabilities’ in the Global Risks Report 2022, malicious activity in cyberspace is growing, with more aggressive and sophisticated attacks taking advantage of more widespread exposure ([2], pp. 45–56). It was seen by GRPS respondents as a persistent threat as well as a strong driver of other risks. Accordingly, “Widespread cybercrime and cyber insecurity” is a new entrant into the top 10 rankings of the most severe risks over the next decade.

In the reports, three related risks are cited with the following descriptions ([1], p. 76):

  • Breakdown of critical information infrastructure: Deterioration, overload, or shutdown of critical physical and digital infrastructure or services leading to the breakdown of internet, cellular devices, public utilities, or satellites. These stem from, but are not limited to, cyberattacks, intentional or unintentional physical damage, or solar storms.

  • Digital inequality and lack of access to digital services: Fractured or unequal access to digital networks and technologies stemming from underinvestment, low digital skills, insufficient purchasing power, or government restrictions on technologies.

  • Digital power concentration: Concentration of critical digital assets, capabilities, or knowledge among a small number of individuals, businesses, or states that can control access to digital technologies and demand discretionary pricing. These stem from, but are not limited to, the failure of anti-trust regulation, inadequate investment in the innovation ecosystem, or state control over key technologies.

These digital risks are considered critical risks, especially in developing countries and oil-producing countries. Digital inequality is the first-ranked risk in the executive opinion survey in India and the fourth-ranked risk in Indonesia. The digital power concentration is the fifth among those in China. Executives in European countries such as Austria, Denmark, Hungary, Poland, and Switzerland recognize the breakdown of critical infrastructure through cyber attacks as one of the five critical risks.

Statista, a global data and business intelligence platform, gives the following as examples of cybercrime: identity fraud, data theft, ransomware attacks, copyright infringement, and phishing campaigns. According to their research, the most common type of cyber attack that organizations worldwide experienced in 2022 was bulk phishing; SMS phishing (smishing) and ransomware were also quite common. Statista also estimates the cost of cybercrime worldwide at $8.44 trillion in 2022 and $11.5 trillion in 2023, and predicts that it will rise to $23.82 trillion in 2027 [3]. eSentire, globally recognized as the Authority in Managed Detection and Response (MDR), also predicted, citing Cybersecurity Ventures, that the global annual cost of cybercrime would reach $8 trillion in 2023 and is expected to reach $10.5 trillion by 2025 [4].

A Statista report states that organizations worldwide don’t only pay to get the lost data back but also suffer downtime and disruption in operations caused by cybercrime. The average cost of a data breach worldwide is around $4.35 million, but financial repercussions differ greatly depending on the region, organization size, and industry. The average cost of a data breach in the healthcare sector is $10.1 million.

The FBI’s (Federal Bureau of Investigation) Internet Crime Complaint Center (IC3) collects reports on cyberattacks and incidents from U.S. residents and publishes the results of its analysis, identifying trends and pursuing the threat at hand, in the “FBI Internet Crime Report”. In 2022, the IC3 received 800,944 complaints with a potential total loss of more than $10.3 billion, up from $6.9 billion in 2021 ([5], p. 7). Here let us list some characteristic risks from the 2022 report ([5], pp. 11–16).

  • BUSINESS EMAIL COMPROMISE (BEC): The 21,832 BEC complaints received by the IC3 carried adjusted losses of over $2.7 billion. BEC is a sophisticated scam that is frequently carried out when a subject compromises legitimate business email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds. BEC targets not only businesses but also individuals performing transfers of funds.

  • INVESTMENT (Fraud Losses): Investment scams reported to the IC3 were the costliest scheme. The fraud losses increased from $1.45 billion in 2021 to $3.31 billion in 2022, within which cryptocurrency investment fraud rose from $907 million to $2.57 billion. Victims often assume massive debt to cover the losses from these fraudulent investments, and the most targeted age group is 30 to 49.

  • RANSOMWARE: The 2385 complaints identified as ransomware received by the IC3 had adjusted losses of more than $34.3 million. Ransomware is a type of malicious software that encrypts data on a computer, making it unusable. In addition to encrypting the data, the cyber-criminal will often steal data off the system and hold it hostage until the ransom is paid. If the ransom is not paid, the victim’s data remains unavailable.

  • CALL CENTER FRAUD: TECH AND CUSTOMER SUPPORT/GOVERNMENT IMPERSONATION: Illegal call center fraud is classified into two categories, Tech/Customer Support and Government Impersonation. Together they are responsible for over $1 billion in losses to victims.

As we see above, in an advanced information and communication network society, ensuring the security of information is the basis of organizational activities, and any act that damages it poses a great risk to the sustainable operation of the organization. Prior to the beginning of commercial use of the Internet in the early 1990s, information security in organizations was largely handled by core information processing departments and was a technical and tactical approach by experts. Currently, it is an organizational and strategic approach involving all stakeholders, including employees, and must take into account the three elements of information security, Confidentiality, Integrity, and Availability (CIA), in a well-balanced manner.

The International Institute for Management Development (IMD), one of the world’s leading business schools, based in Switzerland, publishes the IMD World Digital Competitiveness Ranking every year [6]. In a recent report, they state that cybersecurity capabilities, both at the company and governmental level, have become a very important factor, and the result reflects those factors facilitating the strengthening of capabilities to protect digital infrastructure from cyber-attacks [7]. The ranking evaluation is based on three main digital competitiveness factors, “Knowledge”, “Technology”, and “Future Readiness”, each of which has three subfactor categories to which all the evaluation items belong.

Among the 40 countries or regions with GDP per capita greater than $20,000, those ranked in the top 20 for the evaluation item “Cyber security” are listed in Table 1, along with their rankings for some other evaluation items.

Country or region    Cyber security    Government cyber security capability / Digital/Technology skills / Opportunity and threats / Agility of companies (four ranks, as extracted)
Qatar                1                 13111123
Saudi Arabia         2                 2172020
Finland              3                 3431515
Austria              4                 26402214
UAE                  5                 716238
Singapore            6                 1091510
Hong Kong SAR        7                 481524
Israel               8                 1192424
Taiwan               9                 93353
China                10                3121322
Canada               12                4141818
Sweden               13                17477
Denmark              14                8511
Switzerland          15                271889
Estonia              16                2442811
Iceland              17                52132
Norway               18                4481013
Lithuania            19                32245
Netherlands          20                406912
USA                  27                15101921

Table 1.

Top 20 countries or regions with GDP per capita greater than $20,000 in the item “Cyber security”, with some of the other items.

The ranking value is among 64 countries or regions.

Source: IMD World Digital Competitiveness Ranking 2023.


From the Appendices and Sources in ([6], pp. 182–184), short descriptions of each item are as follows:

  • Cyber security: Cyber security is being adequately addressed by corporations.

  • Government cyber security capacity: The government’s capability to mitigate harm from cyber security threats.

  • Digital/technology skills: Digital/technological skills are readily available.

  • Opportunities and threats: Companies are very good at responding quickly to opportunities and threats.

  • The agility of companies: Companies are agile.

When focusing only on the evaluation item “Cyber Security”, the so-called five-eyes countries rank 12th (Canada), 22nd (UK), 27th (USA), 31st (Australia), and 52nd (New Zealand). Among other high-GDP countries, China is 10th, Japan 43rd, Germany 21st, India 33rd, France 34th, and so on. This result suggests the difficulty of cybersecurity measures taken by individual organizations in large countries. Moreover, a strong “Government cyber security capability” does not always translate into general security measures; for example, the Japanese government’s cyber security capability ranks 24th.

As we see above, information security, including cybersecurity, is critically needed for any type of organization, and here we insist that establishing an information security policy plays an important role in an ISMS (Information Security Management System). However, its full establishment requires a lot of work and resources, both financial and human. In this chapter, after discussing some issues on the information security policy, we introduce an automatic generation system that might benefit SMEs in particular.

The rest of the chapter is organized as follows: a review of information security policy is given in the next section. Some general issues on security management and policy are described, along with a review of some papers on cybersecurity applying ontology, in the following section. The outline of the proposed system, including a brief note on ontology, is explained as the methodology in the section after that. The last section is on the conclusion and future work.


2. Information security policy

In this section, a basic concept of the information security policy is described, the recent situation of its establishment, especially in Japan, is presented, and some literature on the topic is reviewed.

2.1 What is the information security policy

The information security policy is sometimes considered the comprehensive and integrated system for implementing an ISMS, in which various types of controls and measures are incorporated. In an issue titled “Information security policy sample” published in 2016 by the Japan Network Security Association (JNSA), a layered document model is adopted, as shown in Figure 1 with the following content descriptions [8].

  • Basic policy: A document that broadly declares to the public the stance on information security.

  • Information security policy: A document that describes the policy for information security management. Clarify the structure, roles, and responsibilities for addressing information security.

  • Information security measures regulations: Clarify the information security measures that should be introduced and followed, including daily operations.

  • Information security measures procedure manual: Clarify the specific actions that should be taken on a daily basis using products that implement information security measures.

  • Record: Records created in conjunction with compliance with information security measures and operational processes.

Figure 1.

5 Layer Model for Information Security Policy related Documents (Source: Information security policy sample, JNSA).

Leron Zinatullin shows a four-layer model consisting of “Policy”, “Standard”, “Guideline”, and “Procedure”, where “(Basic) Policy” is defined as a document providing a high-level overview of how organizational processes should operate in a secure manner [9]. He also describes “Standard” as a document that regulates the approach to security within a designated scope, preventing teams from implementing conflicting or redundant solutions, and “Procedure” as a set of basic steps aiding the implementation of policies and standards.

In general, an information security policy describes the basic concept of what kind of information assets are to be protected and how to protect them from what threats. In other words, it is a systematization of the ideas and policies applied within the organization when building information security measures.

Here is a simpler model of three layers, with “Basic Policy”, “Standard”, and “Procedure” shown in Figure 2.

Figure 2.

3 Layer Model for Information Security Policy.

The short descriptions of the three-layer model are as follows:

  • Basic Policy: The document expresses the basic concept of information security measures, including declarations by representatives of organizations such as “Why information security is necessary?”, “What kind of policy is used for information security?”, and “What kind of policy will be used to handle customer information?”.

  • Standard: Specific measures and standards that are common to the entire organization are clarified. In many cases, the standard provides general provisions for what kind of measures are to be taken, but in order to do so, it is necessary to analyze the information security risks in the organization.

  • Procedure: The document (regulations, manuals, procedures, etc.) describes how to implement specific information security measures in each field and describes the details of the information security measures to be implemented for each countermeasure standard as a specific procedure.

2.1.1 Work flow for policy establishment

Following the three-layer model in Figure 2 above, the flow for establishing the information security policy is described here along with Figure 3.

  1. Establish the organization and the system: The involvement and responsibilities of the executives of the organization. A committee consisting of the heads of relevant departments, information system administrators, and a group of people with specialized knowledge of information security (e.g., the “Information Security Committee”) shall be established, and its purpose, authority, and name shall be clarified. Almost all departments are listed, including information systems (LAN management sections, etc.), technical departments (experts with internal and external technical knowledge, etc.), auditing, human resources, accounting, public relations, and administration sections.

  2. Formulation of the basic policy document: Declare that “the basic policy shall take measures to ensure the information security required for information systems”, and set out the purpose, scope, and basic approach to information security measures. The basic policy defines the terms necessary to understand the policy, and since it determines the basic direction of information security, it should be noted that it will not be updated frequently.

  3. Risk analysis: The risk analysis identifies the information assets to be protected and assesses the risks to them. First, evaluate the importance of each asset from the CIA point of view. Next, for every information asset, estimate the frequency of occurrence of threats: physical threats such as intrusion, destruction, failure, power outage, and disaster; technical threats such as unauthorized access, eavesdropping, computer viruses, falsification/erasure, DoS attacks, and spoofing; and human threats such as mismanagement, negligence, fraudulent acts, and improper management of passwords. The magnitude of the damage when each threat materializes is also examined, and together these give the risk assessment of the information asset. Finally, countermeasures against the risk are considered as a means of reducing the magnitude of the damage.

  4. Establishment of countermeasure standards: Individual countermeasures for each information asset are clarified through risk analysis, and their standards are determined by organizing and relocating them according to the following:

    • Organization and structure

    • Responsibilities and privileges for information, and classification and management of information

    • Physical security

    • Personal security: Roles, responsibilities and disclaimers, education and training, reporting of incidents and defects, password management, employment and contracting of part-time and temporary employees

    • Technical security: computer and network management, access control, system development, installation, maintenance, etc., computer antivirus, collection of security information

    • Operational security: Monitoring of information systems and confirmation of compliance with policies (operation management), points to note in operation management, countermeasures in the event of a breach, operation contracts by outsourcing

    • Compliance with laws and regulations

    • Response to information security violations

    • Evaluation and review

  5. Policy decision: Now that the basic policy and countermeasure standards have been established, consider it as an information security policy and make a decision on it. However, at the time of the draft policy, ask for evaluations by experts in the field of information security and opinions from related departments, etc. Based on the results, it is also necessary to establish procedures for accepting and reflecting opinions on the policy from the relevant departments at the operational stage.

  6. Develop the implementation procedures: Now that the countermeasure standards in accordance with the basic policy have been decided, compile them into a document, formulate regulations, guidelines, and implementation manuals that can be referred to by each department, and distribute them.

  7. Operation management: In order to ensure the operational management of the information security policy, it is necessary to take appropriate measures such as establishing an organization and system, monitoring, and responding to breaches. If a policy violation that may cause serious problems is reported, it is handled according to the contingency plan; drills are conducted, the precautions to be taken in communication, investigation, and response in the event of a breach are reviewed, and a plan to prevent recurrence is developed.

  8. Evaluation and review: Evaluate and review the countermeasure standards on a regular basis based on changes in the information system and the emergence of new threats. An audit by an external organization is also necessary, but in that case the weaknesses of the information system become known to that organization, so its reliability should be carefully considered when selecting an audit organization. When updating the policy, it may be necessary to fully consider the differences between the policy and the actual situation, to grasp the actual situation by listening to the opinions of the relevant departments, etc., and to conduct a new risk analysis.
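
As an added example of steps 3 and 4 (not code from the chapter), the following Python sketch scores each asset/threat pair from the importance of the CIA properties the threat harms, its frequency and its damage, and then groups the threats that reach a threshold under the countermeasure standard categories; the scoring rule, the threat-kind-to-category mapping and the sample inventory are assumptions.

```python
"""Worked risk analysis for steps 3 and 4 of the workflow above.

Added example, not code from the chapter. The scoring rule is an assumption:
for each asset/threat pair,
    risk = importance of the CIA properties the threat harms (1-3)
           x frequency of occurrence (1-3) x magnitude of damage (1-3),
and the threat kinds of step 3 (physical / technical / human) are mapped to
the countermeasure standard categories of step 4. Assets and threats below
are constructed sample data for a small organization.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    confidentiality: int  # 1 = low importance .. 3 = high importance
    integrity: int
    availability: int

    def importance_of(self, properties: tuple) -> int:
        """Importance of the asset with respect to the given CIA properties."""
        score = {"C": self.confidentiality, "I": self.integrity, "A": self.availability}
        return max(score[p] for p in properties)


@dataclass(frozen=True)
class Threat:
    name: str
    kind: str        # "physical", "technical" or "human" (step 3)
    frequency: int   # 1 = rare .. 3 = frequent
    damage: int      # 1 = minor .. 3 = severe
    affects: tuple   # CIA properties harmed, subset of ("C", "I", "A")


# Assumed mapping from threat kind to the countermeasure standard of step 4.
STANDARD_CATEGORY = {
    "physical": "Physical security",
    "technical": "Technical security",
    "human": "Personal security",
}

# Constructed sample inventory (step 3: identify assets and rate them by CIA).
SAMPLE_ASSETS = [
    Asset("Customer database", confidentiality=3, integrity=3, availability=2),
    Asset("Public website", confidentiality=1, integrity=2, availability=3),
    Asset("Office file server", confidentiality=2, integrity=2, availability=2),
]

# Constructed sample threats (step 3: frequency, damage, and which property is hit).
SAMPLE_THREATS = [
    Threat("Unauthorized access", "technical", frequency=3, damage=3, affects=("C", "I")),
    Threat("DoS attack", "technical", frequency=2, damage=2, affects=("A",)),
    Threat("Power outage", "physical", frequency=2, damage=2, affects=("A",)),
    Threat("Improper password management", "human", frequency=3, damage=2, affects=("C", "I")),
    Threat("Fire", "physical", frequency=1, damage=3, affects=("A",)),
]


def risk_score(asset: Asset, threat: Threat) -> int:
    """Assumed scoring rule: affected-property importance x frequency x damage."""
    return asset.importance_of(threat.affects) * threat.frequency * threat.damage


def analyze(assets, threats):
    """Risk register: (score, asset, threat) for every pair, highest risk first."""
    rows = [(risk_score(a, t), a.name, t.name) for a in assets for t in threats]
    rows.sort(key=lambda r: (-r[0], r[1], r[2]))
    return rows


def countermeasure_standards(assets, threats, threshold: int):
    """Step 4: threats whose risk on any asset reaches the threshold, grouped by
    the countermeasure standard category that has to address them."""
    grouped = {}
    for asset in assets:
        for threat in threats:
            if risk_score(asset, threat) >= threshold:
                grouped.setdefault(STANDARD_CATEGORY[threat.kind], set()).add(threat.name)
    return {category: sorted(names) for category, names in sorted(grouped.items())}


if __name__ == "__main__":
    for score, asset, threat in analyze(SAMPLE_ASSETS, SAMPLE_THREATS)[:5]:
        print(f"{score:3d}  {asset:20s}  {threat}")
    for category, names in countermeasure_standards(SAMPLE_ASSETS, SAMPLE_THREATS, 12).items():
        print(f"{category}: {', '.join(names)}")
```

Note that the same threat scores differently per asset: a DoS attack on the public website (availability 3) outranks the same attack on the customer database, which is why importance is taken only over the properties the threat actually harms.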

Figure 3.

Work Flow for Information Security Policy Establishment.

2.1.2 Basic policy document

As an example of the items in a basic policy document, first have a look at those in “The Importance of Information Security in Financial Institutions and Countermeasures” [10]. Though this report is very old, the items it lists are still universally applicable to a basic policy document, for example:

  • Purpose and Scope of Information Security Measures: Basic concept of information security measures, scope (basically the whole organization) and reasons why information and systems are to be protected, identification of the information assets to be protected and the people who handle them, and a priority standard for evaluating the information assets and systems to be protected.

  • Promotion of Information Security Measures: Involvement and responsibilities of management officers, the appointment of an officer in charge of information security and establishment of a security department, checks by the legal department regarding laws and regulations, compliance, use of external consulting, etc.

  • Operation of Information Security Measures: Expected information security risks and their management, the decision-making process for the implementation of information security measures, procedures for reviewing information security measures, and outline of specific information security measures.

  • User management and information security education: Responsibilities of each officer and employee and arrangements in the event of a violation (penalties, etc.), checking the status of compliance with information security measures, and promoting awareness of information security policy.

  • Response to failures in the crisis management system.

  • Other: procedures for periodic review of the information security policy.

In the “Guidelines for Information Security Policies in Local Governments” formulated by the Ministry of Internal Affairs and Communications on March 30, 2001, and revised on September 25, 2018 [11], the following example sentences are given for the basic policy items.

  1. Purpose: The purpose of this basic policy is to establish basic matters regarding the information security measures implemented in order to maintain the CIA of information assets held by our organization.

  2. Definitions of words, terminologies, etc.

  3. The following threats are assumed as threats to the target information assets, and proper information security measures should be implemented.

    • Leakage, destruction, falsification, or deletion of information assets due to intentional factors such as unauthorized access, virus attacks, denial of service attacks, cyber-attacks, intrusion by outsiders, theft of important information, internal fraud, etc.

    • Unauthorized removal of information assets, violation of regulations such as the use of unauthorized software, inadequacies in design and development, program defects, operation and configuration errors, maintenance deficiencies, inadequacies in internal and external audit functions, leakage, destruction, deletion, etc. of information assets due to unintentional factors such as inadequate outsourcing management, management defects, equipment failures, etc.

    • Earthquakes, lightning strikes, suspension of services and operations due to disasters such as fires, etc.

    • Dysfunction of system operation due to shortage of personnel due to large-scale and widespread diseases.

    • Spillover effects from infrastructure failures such as interruptions in power supply, communication interruptions, and interruptions in water supply.

  4. Scope of application

    • Scope of administrative agencies: The administrative agencies to which this basic policy applies are internal departments, administrative committees, parliamentary secretariats, fire departments, and local public enterprises.

    • Scope of information assets: The information assets covered by this information security policy are as follows; networks, information systems and related equipment, electromagnetic recording media, information handled by networks and information systems (including printed documents), and system-related documents such as information system specifications and network diagrams.

  5. Employees, part-time employees, and temporary employees must have a common understanding of the importance of information security, and must comply with the information security policy and information security implementation procedures in the performance of their duties.

  6. Information Security Measures: The following information security measures are taken to protect information assets from the threats described above in 3.

    • Organizational structure: Establish an agency-wide organizational structure to promote information security measures for the information assets.

    • Classification and management of information assets: The information assets held by the organization shall be classified according to the CIA, and information security measures shall be implemented based on the classification.

    • Improvement of the resilience of the information system as a whole: The following three measures will be taken for the information system as a whole. (1) Prevent leakage of stakeholders’ information in the system, (2) implement detoxified communication in intranet or extranet connection systems, and (3) implement information security measures in Internet connection systems, cloud computing systems, etc.

    • Physical security: Take physical measures for the management of communication lines and personal computers of employees.

    • Human security: Establish matters to be complied with by employees, etc., regarding information security, and take personnel measures such as providing sufficient education and enlightenment.

    • Technical security: Take technical measures such as computer management, access control, anti-malware measures, and countermeasures against unauthorized access.

    • Operation: Take measures for the operation of the information security policy, such as monitoring the information system, checking the status of compliance with the information security policy, and ensuring security when outsourcing.

    • Use of external services: In the case of outsourcing, select a contractor, conclude a contract that specifies information security requirements, and confirm that the necessary security measures are ensured by the contractor. In the case of using external services under their terms and conditions, establish regulations and take measures for the use of external services. When using social media services, establish operating procedures for them, stipulate the information that may be transmitted on them, and determine the person responsible for each social media service to be used.

    • Evaluation and review: In order to verify the status of compliance with the information security policy, conduct information security audits and self-inspections, and improve operations to enhance information security.

  7. Implementation of information security audits and self-inspections: Information security audits and self-inspections are carried out periodically or as necessary to verify the status of compliance with the information security policy.

  8. Review of the information security policy: If it becomes necessary to review the information security policy as a result of the information security audit and self-inspection, or if new measures are required to respond to changes in the information security situation, the information security policy will be reviewed.

  9. Formulation of information security standards: In order to implement the measures stipulated in 6, 7, and 8 above, formulate information security measures standards that stipulate specific compliance matters and judgment criteria.

  10. Formulation of information security implementation procedures: Information Security Implementation Procedures shall be formulated based on the Information Security Measures Standards, which stipulate specific procedures for implementing information security measures.

For universities and other educational and research institutions, the Ministry of Education, Culture, Sports, Science and Technology of Japan (MEXT) obliges national universities to prepare an information security policy. According to the “Summary of the Academic Information Infrastructure Fact-finding Survey” conducted by MEXT in 2019 [12], security policies had been formulated by all 86 national universities and by 86 (92.5%) of the 93 public universities. Among private universities, 73.4% of 613 had formulated some kind of security policy statement at that time.

Although information security policies are required for universities and other educational institutions, their basic policy documents published on their websites are much simpler than those described above.


3. Some issues on information security management and policy

The ISO/IEC 27000 family [13], parts of which are based on BS 7799, is one of the well-known ISMS frameworks. In 3.1.24 of the latest version, ISO/IEC 27002:2022, quoting ISO/IEC 27000:2018, 3.53, a policy is defined as “intentions and direction of an organization, as formally expressed by its top management”. Since ISO/IEC 27002 is the guideline for organizational information security standards and management, giving a code of practice for information security controls, policy is handled there as one of the controls, in parallel with others such as asset classification, personal security, physical and environmental security, etc.

Based on the model in Figure 2, a supporting system for generating the security policy was proposed, and an initial program was created as a prototype [14]. The flow of the system is depicted in Figure 4.

  • Explain the information security policy itself in several media (text, audio, video, etc.), and then explain its necessity to those responsible for the organization.

  • Input the organizational characteristics.

  • Generate the basic policy from a template consisting of several items, referring to the organizational data file and displaying comments on the requirements that apply when a given expression or word is adopted.

  • When proceeding to the standards stage, choose one of the risk analysis methods, OCTAVE [15] or ENISA’s system [16]; both output a set of mitigation controls. A precise method for selecting effective risk mitigation measures is proposed in [17], and one for identifying information-related assets in [18].

  • Summarize and document the procedures for each department; the document is completed after hearing the opinions of each department.

  • The upward arrows represent the PDCA cycle of the overall security policy.

Figure 4.

Overall Flow of Information Security Policy Establishment (Source: Nagata [14]).

In order to reflect an organization’s characteristics, systems with ontology-based processes would be more effective.

3.1 Review of some ontology-based information security management systems

Gruber [19] noted that:

“Ontology is an explicit specification of a conceptualization. The term is borrowed from philosophy, where an ontology is a systematic account of existence. For knowledge-based systems, what ‘exists’ is exactly that which can be represented.”

He also claimed that sharing a common understanding of the structure of information among people or software agents is one of the more common goals in developing ontologies.

In the guide to ontology development published by Noy and McGuinness [20], an ontology is described as a formal explicit description of concepts in a domain of discourse, of the properties of each concept describing its various features and attributes, and of restrictions on slots.

Herzog et al. [21] gave a security ontology built upon classical components of risk analysis and their relations to each other.

Since information assets play a central role in establishing an organization’s information security policy, creating a detailed information asset ontology becomes important. Zeb et al. [22] proposed an ontology-supported Asset Information Integrator System (AIIS) to help industry experts exchange their tangible capital asset information and to transform the way such information was exchanged at that time between municipal and Canadian provincial governments. They presented an ontology development methodology in ten steps as a hybrid of several earlier works.

Aiming to assist in determining the inherent attributes of IT assets that support IT asset risk value assessment, Adesemowo et al. [23] published a paper on an IT asset ontology in which assets are divided into “Personnel”, “Network”, “Services”, “Data”, “Hardware”, “Software”, and “Information”.

Fenz et al. proposed ontological mappings of ISO/IEC 27001 [24] and ISO/IEC 27002 [25] as an ontology-based ISMS policy implementation. An overview of creating a security ontology based on ISO/IEC 27002 is shown in Figure 5.

Figure 5.

Overview of Mapping ISO 27002 in the Ontological Structure and Applying the Results (Source: Fenz et al. [25]).

Pereira and Santos [26] presented a somewhat different conceptual framework for an information security ontology from that of Fenz et al. [25]. Although both have “Asset”, “Threat”, “Vulnerability”, and “Control” as common classes, the relations between these classes differ. For instance, “Control protects Asset” in Pereira and Santos, whereas “Control (is) implemented (in) Asset” in Fenz et al. Thus, the configuration of an ontology varies depending on the adopted criteria, organizational characteristics, purpose, way of thinking, and so on.

Almost all policy-based ontologies aim to present mitigation measures against risks and threats and means of compensating for vulnerabilities. For that purpose, it is necessary to create a detailed ontology that copes with the characteristics of the organization. The Unified Process for Ontology (UPON) was proposed by Nicola et al. [27] for building large-scale ontologies in four workflows, “Requirements”, “Analysis”, “Design”, “Implementation”, and “Test”, carried out by a domain expert and a knowledge expert. Methods such as UPON may be helpful for creating a precise ontology.

A pioneering policy management framework, KAoS, by Uszok et al. [28] uses a semantically rich ontological representation and reasoning, composed of three layers: the “Human Interface Layer”, the “Policy Management Layer”, and the “Policy Monitoring and Enforcement Layer”. The basic form of a KAoS policy is as follows:

[Actor] is [constrained] to perform [controlled action] which has [any attributes].

Tonti et al. [29] discussed the implementation of an enforcement system for OWL policies, using the KAoS policy framework, in multi-agent systems built on top of JDK 1.4.


4. Generation system of information security policy with ontology

As seen in Section 3, the automated basic information security policy statement generation system described in Figure 4 is proposed for embedding into the existing Java application program.

Although several systems incorporating ontology for information security enforcement have been proposed, and several of the methodologies mentioned in the previous section are useful and effective for establishing organizational information security, those works are concerned with creating ontologies that reflect policies and with automatically configuring the means of ensuring information security using ontologies.

Here we describe the additional proposed phase of the system, in the upper part of Figure 4, for creating a general basic statement by applying an organization-related ontology [30]. Figure 6 depicts the outline of this phase: in its upper part, the system queries the corresponding ontology using the input organizational essential data and then constructs a set of candidate phrases for the basic policy. In the lower part, policymakers adjust or modify the presented policy, again with the help of the ontology.

Figure 6.

Improved Version of the First Stage of Former System (Source: Nagata [30]).

The key point is the application of ontology; a method of deriving competency questions from sample sentences and configuring an ontology that can answer them is also proposed.

Organizational ontology also plays an important role in this phase, but what is needed here is the creation of basic policy phrases, not the detailed ontology treated in many studies. To implement the phase, ontologies for the different types of organizations must be created in advance.

The method for ontology creation is as follows.

Step 1 Gather sample phrases of basic policy, then classify them under each of the typical items of the previously implemented system, such as “Concept and Purpose”, “Scope of Application”, “Definition of terms”, “Composition/Positioning”, “Management system”, “Role/Responsibility”, and “Basic requirements”.

Step 2 Analyze the sample policies to obtain competency questions (CQ) for the ontology. For example, if there is a sample phrase reading “The CEO serves as chairman of the information protection committee and is responsible for information security within the organization”, then the CQs will be as follows:

CQ1: “Is there a body for ensuring information security?”

CQ2: “Who serves as chairman of the ISMS committee?”

CQ3: “Is the chairman ultimately responsible for ISMS?”

Step 3 Configure each ontology according to the type of organization. These types are pre-determined relatively broadly according to business conditions, such as universities, high schools, research institutes, manufacturing industries, distribution industries, etc., as well as management style and scale. Then create an ontology common to each of these types.

In step 3, existing ontologies can be applied for general matters, such as the FOAF ontology for academic organizations [31].
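The following is an added illustration of Steps 1 to 3, not code from the chapter’s Java system: a toy organizational ontology (a plain triple store with subclass inference) answers CQ1 to CQ3 and turns the answers into candidate phrases for the “Management system” and “Role/Responsibility” items. All entity names, predicates and facts (ExampleCorp, InfoProtectionCommittee, etc.) are constructed for the example.

```python
# Added example (not the chapter's Java system): a toy organizational
# ontology answering CQ1-CQ3 and emitting candidate basic-policy phrases.
# All entity names, predicates and facts are constructed for illustration.

class Ontology:
    """Minimal triple store with transitive subClassOf lookup."""
    def __init__(self, triples=()):
        self.triples = set(triples)
    def objects(self, s, p):
        return {o for (s2, p2, o) in self.triples if (s2, p2) == (s, p)}
    def subjects(self, p, o):
        return {s for (s, p2, o2) in self.triples if (p2, o2) == (p, o)}
    def subclass_of(self, sub, sup):
        seen, todo = set(), [sub]
        while todo:
            c = todo.pop()
            if c == sup:
                return True
            if c not in seen:
                seen.add(c)
                todo.extend(self.objects(c, "subClassOf"))
        return False
    def is_a(self, entity, cls):
        # An 'ISMSCommittee' is found when asked for the general 'SecurityBody'.
        return any(self.subclass_of(t, cls) for t in self.objects(entity, "type"))

def cq1_security_bodies(onto, org):
    """CQ1: Is there a body for ensuring information security?"""
    return {b for b in onto.subjects("belongsTo", org) if onto.is_a(b, "SecurityBody")}
def cq2_chairman(onto, body):
    """CQ2: Who serves as chairman of the ISMS committee?"""
    return onto.objects(body, "chairedBy")
def cq3_ultimately_responsible(onto, org, role):
    """CQ3: Is the chairman ultimately responsible for ISMS?"""
    return (role, "ultimatelyResponsibleFor", org) in onto.triples

def generate_basic_policy(onto, org):
    """Candidate phrases keyed by policy item; an unanswered CQ yields a
    requirement comment instead of a phrase, flagging the gap for review."""
    phrases = {}
    bodies = sorted(cq1_security_bodies(onto, org))
    if not bodies:
        phrases["Management system"] = "REQUIREMENT: define a body for information security."
        return phrases
    body = bodies[0]
    phrases["Management system"] = f"{org} establishes the {body} to ensure information security."
    for chair in sorted(cq2_chairman(onto, body)):
        tail = (" and is responsible for information security within the organization"
                if cq3_ultimately_responsible(onto, org, chair) else "")
        phrases["Role/Responsibility"] = f"The {chair} serves as chairman of the {body}{tail}."
    return phrases

def sample_ontology():
    """Constructed facts for a fictitious manufacturer, ExampleCorp."""
    return Ontology([
        ("InfoProtectionCommittee", "type", "ISMSCommittee"),
        ("ISMSCommittee", "subClassOf", "SecurityBody"),
        ("InfoProtectionCommittee", "belongsTo", "ExampleCorp"),
        ("InfoProtectionCommittee", "chairedBy", "CEO"),
        ("CEO", "ultimatelyResponsibleFor", "ExampleCorp"),
    ])
```

Running `generate_basic_policy(sample_ontology(), "ExampleCorp")` reproduces the sample phrase of Step 2, while an organization with no security body in its ontology receives a requirement comment for the policymaker to resolve in the lower part of Figure 6.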


5. Conclusions and future works

This chapter has dealt with information security as a risk to organizations. First, the current state of information risks such as cyber crimes and their effects was described, together with an overview of information security policies as a means of ensuring information security for organizations.

In the second half, we looked at specific information security policy contents and an automatic generation system using ontology.

Some of the proposed automated basic information security policy statement generation systems are embedded into existing Java application programs. However, ontology configuration is a time-consuming and skill-intensive process, and a validity assessment of the generated statement will be necessary.

Although the Java application is still under development, we think the direction for proceeding to the countermeasure standard creation stage, following this basic policy stage, has been indicated.


Abbreviations

AIIS

Asset Information Integrator System

BEC

business email compromise

BS

British Standard

CEO

Chief Executive Officer

CIA

Confidentiality, Integrity, and Availability

CQ

competency questions

$

U.S. dollar

DoS

denial of service

ENISA

European Network and Information Security Agency

FBI

Federal Bureau of Investigation

FOAF

friend of a friend

GDP

gross domestic product

GRPS

Global Risks Perception Survey

IC3

Internet Crime Complaint Center

IMD

International Institute for Management Development

ISMS

information security management system

ISO/IEC

International Organization for Standardization/International Electrotechnical Commission

JDK

Java development kit

JNSA

Japan network security association

KAoS

knowledge acquisition in automated specification

LAN

local area network

MDR

Managed detection and response

MEXT

The Ministry of Education, Culture, Sports, Science and Technology of Japan

OCTAVE

operationally critical threat, asset, and vulnerability evaluation system

OWL

web ontology language

PDCA

Plan, Do, Check, and Action

SMEs

Small or medium-sized enterprises

UPON

Unified process for ontology

References

  1. The Global Risks Report 2023, 18th Edition, World Economic Forum. Available from: https://www.weforum.org/reports/globalrisks-report-2023/ [Accessed: January 24, 2024]
  2. The Global Risks Report 2022, 17th Edition, World Economic Forum. Available from: https://www3.weforum.org/docs/WEF_The_Global_Risks_Report_2022.pdf [Accessed: January 24, 2024]
  3. Cybercrime Expected To Skyrocket in Coming Years, Anna Fleck. Available from: https://www.statista.com/chart/28878/expected-cost-of-cybercrime-until-2027/ [Accessed: January 24, 2024]
  4. 2022 Official Cybercrime Report. Available from: https://www.esentire.com/resources/library/2022-official-cybercrime-report [Accessed: January 24, 2024]
  5. FBI Internet Crime Report 2022 by Internet Crime Complaint Center. Available from: https://www.ic3.gov/Media/PDF/AnnualReport/2022_IC3Report.pdf [Accessed: January 24, 2024]
  6. IMD World Digital Competitiveness Ranking 2023. IMD World Competitiveness Center. Available from: https://www.imd.org/centers/world-competitiveness-center/rankings/world-digital-competitiveness/ [Accessed: January 24, 2024]
  7. IMD World Digital Competitiveness Ranking 2022, IMD World Competitiveness Center. Available from: https://www.imd.org/wp-content/uploads/2023/03/digital-ranking-2022.pdf [Accessed: January 24, 2024]
  8. Information security policy sample, Japan Network Security Association. Available from: https://www.jnsa.org/result/2016/policy/data/policy_gaiyou.pdf [Accessed: January 2024]
  9. Zinatullin L. The Psychology of Information Security. IT Governance Publishing; 2016. ISBN-13: 978-1849287890
  10. Japan Bank Survey Monthly Report, Bank of Japan, April 18, 2000. Available from: https://www3.boj.or.jp/josa/past_release/chosa200005c.pdf [Accessed: January 24, 2024]
  11. Guidelines for Information Security Policies in Local Governments. Available from: https://www.soumu.go.jp/main_content/000575052.pdf [Accessed: January 24, 2024]
  12. Summary of the Academic Information Infrastructure Fact-finding Survey, Ministry of Education, Culture, Sports, Science and Technology of Japan. Available from: https://www.mext.go.jp/content/20200721-mxtjyohoka01-000005760_2.pdf [Accessed: January 24, 2024]
  13. ISO/IEC 27000 family - Information security management, ISO. Available from: https://www.iso.org/standard/iso-iec-27000-family [Accessed: January 24, 2024]
  14. Nagata K, Kigawa Y. Construction of support system for information security policy. In: Proceedings of the 20th Asia Pacific Industrial Engineering and Management Systems Conference 2019, Kanazawa, Japan, December 02-05, APIEMS. 2019. pp. 942-947
  15. Alberts C, Dorofee S, Stevens J, Woody C. OCTAVE-S Implementation Guide, Version 1.0, CMU/SEI-2003-HB-003. Carnegie Mellon Software Engineering Institute; 2005. Available from: https://apps.dtic.mil/sti/pdfs/ADA430801.pdf [Accessed: January 24, 2024]
  16. Information Package for SMEs - With examples of Risk Assessment/Risk Management for two SMEs, George Patsis. Available from: https://www.enisa.europa.eu/publications/information-package-for-smes/ [Accessed: January 24, 2024]
  17. Nagata K, Kigawa Y, Cui D, Amagasa M. Method to select effective risk mitigation controls using fuzzy outranking. In: Proceedings of the 9th International Conference on Intelligent Systems Design and Applications, Pisa, Italy, November 30–December 02, 2009. IEEE Computer Society; 2009. pp. 479-484. ISBN: 978-0-7695-3872-3. Available from: https://dl.acm.org/doi/10.1109/ISDA.2009.186 [Accessed: January 24, 2024]
  18. Nagata K. Chapter 6, Construction of effective database system for information risk mitigation. In: Security Enhanced Applications for Information Systems. London, UK: INTECH Open Access Publisher; 2012. pp. 111-130. ISBN: 978-953-51-0643-2. Available from: https://www.intechopen.com/chapters/37311 [Accessed: January 24, 2024]
  19. Gruber TR. A translation approach to portable ontology specifications. Knowledge Acquisition. 1993;5(2):199-220. DOI: 10.1006/knac.1993.1008
  20. Noy NF, McGuinness DL. Ontology Development 101: A Guide to Creating Your First Ontology. Stanford Knowledge Systems Laboratory Technical Report KSL-01-05; 2001. Available from: https://protege.stanford.edu/publications/ontology_development/ontology101.pdf [Accessed: January 24, 2024]
  21. Herzog A, Shahmehri N, Duma C. An ontology of information security. International Journal of Information Security and Privacy. 2007;1(4):1-23
  22. Zeb J, Froese T, Vanier D. An ontology-supported asset information integrator system in infrastructure management. Built Environment Project and Asset Management. 2015;5(4):380-397
  23. Adesemowo AK, Solms R, Botha RA. ITAOFIR: IT asset ontology for information risk in knowledge economy and beyond. In: Proceedings of 11th International Conference, Global Security, Safety and Sustainability: The Security Challenges of the Connected World 2017, January 18-20. London, UK: Springer; 2017. pp. 173-187
  24. Fenz S, Goluch G, Ekelhart A, Riedl B, Weippl E. Information security fortification by ontological mapping of the ISO/IEC 27001 standard. In: 13th Pacific Rim International Symposium on Dependable Computing (PRDC 2007). Melbourne, VIC, Australia: IEEE; 2007. pp. 381-388. DOI: 10.1109/PRDC.2007.29
  25. Fenz S, Plieschnegger S, Hobel H. Mapping information security standard ISO/IEC 27002 to an ontology structure. Information & Computer Security. 2015;24(5):452-473
  26. Pereira T, Santos H. An ontology approach to information security management. In: Sartori F, Sicilia MÁ, Manouselis N, editors. Metadata and Semantic Research. MTSR 2009. Communications in Computer and Information Science. Vol. 46. Berlin, Heidelberg: Springer; 2012. pp. 368-375. DOI: 10.1007/978-3-642-04590-5_17
  27. Nicola AD, Missikoff M, Navigli R. A software engineering approach to ontology building. Information Systems. 2009;34:258-275
  28. Uszok A, Bradshaw JM, Jeffers R. KAoS: A Policy and Domain Services Framework for Grid Computing and Semantic Web Services. In: Trust Management. iTrust 2004. Lecture Notes in Computer Science. Vol. 2995. Berlin, Heidelberg: Springer; 2004. pp. 16-26
  29. Tonti G, Montanari R, Bradshaw JM, Bunch L, Jeffers R, Suri N, et al. Automated generation of enforcement mechanisms for semantically-rich security policies in java-based multi-agent systems. In: IEEE First Symposium on Multi-Agent Security and Survivability, 2004. Drexel, PA, USA: IEEE; 2004. pp. 11-20. DOI: 10.1109/MASSUR.2004.1368413
  30. Nagata K. Automatic generating system of information security policy. Athens Journal of Technology and Engineering. 2023;10(4):227-236
  31. Kalem E, Martiri E. FOAF-academic ontology: A vocabulary for the academic community. In: Proceedings 2011 Third International Conference on Intelligent Networking and Collaborative Systems. Fukuoka, Japan: IEEE; 2011. pp. 440-445. DOI: 10.1109/INCoS.2011.94
