Please use this identifier to cite or link to this item: https://www.um.edu.mt/library/oar/handle/123456789/107609
Full metadata record
DC Field | Value | Language
dc.contributor.author | Schiavone, Stephen | -
dc.contributor.author | Garg, Lalit | -
dc.contributor.author | Summers, Kelly | -
dc.date.accessioned | 2023-03-23T10:36:16Z | -
dc.date.available | 2023-03-23T10:36:16Z | -
dc.date.issued | 2014 | -
dc.identifier.citation | Schiavone, S., Garg, L., & Summers, K. (2014). Ontology of information security in enterprises. Electronic Journal of Information Systems Evaluation, 17(1), 71-87. | en_GB
dc.identifier.issn | 15666379 | -
dc.identifier.uri | https://www.um.edu.mt/library/oar/handle/123456789/107609 | -
dc.description.abstract | Today’s global free-market enterprise is reliant on the interconnectedness of social, economic and political ecosystems. Enterprises no longer maintain a simple unary relationship between their customers and consumers. Enterprises have become an integral part of a complex relationship within the new socio- and techno- economic paradigm. The cornerstone of this new model is the Internet formed from a collection of eclectic commodity-based and inconsistently constructed technologies that, at an aggregate level, do not lend themselves to provide a secure and trustworthy channel to conduct or transact business. Enterprises have struggled to implement an appropriate and continuous level of protection in part by underestimating the effect of organizational complexity and not adopting a holistic (systems thinking) approach to the problem of enterprise security. This research paper examines key issues that undermine the ability of enterprises to formulate effective and viable security models and proposes an alternative framework that forms the basis and foundation to engineering more reliable fail-safe and fail-secure models. The proposed solution considers the creation of an enterprise-specific ontology that describes the enterprise as a complex system. A security framework is developed that recognizes the organization as a set of business capabilities that have measurable strategic outcomes against which business decisions regarding security are made. The proposed model advocates symmetry between security prevention, prediction and fail-safe concepts. To ensure the appropriate use of security, a business value model is defined that is a function of financial, operational and security-based quality assurance measures. The concept of value chain is used to describe the relationship between an organization’s strategy and its resources responsible for the execution of its operating plan.
Validation of the ‘Enterprise Ontology’ and ‘Information Security Capability-Driven Framework’ is obtained from the creation of a business strategy to ‘business capability value map’ and quantification of key business and security metrics. A set of ontology-based competency questions allows the business to understand and make informed and prudent decisions regarding how and where security should be applied to ensure a favourable outcome for the enterprise. Analysis of the results of this study demonstrates the usefulness of the model in guiding the organization to assess current security risks and make informed and business-directed security decisions. The result is a deployment strategy that balances the scarce resources of the enterprise whilst maintaining strategic alignment. Further opportunities exist to improve the creation and quality of enterprise ontology including development of a more rigorous and systematic approach to modelling the enterprise’s current state and future state scenarios using the business capability framework. Semantically driven conceptual models of the enterprise may also be expressed within key security technologies and systems that support the organization by forming a collection of ontology-aware technologies that respond and react collectively to attacks in a fail-secure configuration. | en_GB
dc.language.iso | en | en_GB
dc.publisher | Academic Publishing International Ltd | en_GB
dc.rights | info:eu-repo/semantics/openAccess | en_GB
dc.subject | Business enterprises -- Security measures | en_GB
dc.subject | Computer networks -- Security measures | en_GB
dc.subject | Management information systems | en_GB
dc.subject | Information technology -- Management | en_GB
dc.subject | Ontologies (Information retrieval) | en_GB
dc.title | Ontology of information security in enterprises | en_GB
dc.type | article | en_GB
dc.rights.holder | The copyright of this work belongs to the author(s)/publisher. The rights of this work are as defined by the appropriate Copyright Legislation or as modified by any successive legislation. Users may access this work and can make use of the information contained in accordance with the Copyright Legislation provided that the author must be properly acknowledged. Further distribution or reproduction in any format is prohibited without the prior permission of the copyright holder. | en_GB
dc.description.reviewed | peer-reviewed | en_GB
dc.publication.title | Electronic Journal of Information Systems Evaluation | en_GB
Appears in Collections: Scholarly Works - FacICTCIS

Files in This Item:
File | Description | Size | Format
Ontology of information security in enterprises 2014.pdf | | 1.44 MB | Adobe PDF

Items in OAR@UM are protected by copyright, with all rights reserved, unless otherwise indicated.