Mattia Fumagalli

Risk propagation encompasses a plethora of techniques for analyzing how risk “spreads” in a given system. Albeit commonly used in technical literature, the very notion of risk propagation turns out to be a conceptually imprecise and overloaded one. This might also explain the multitude of modeling solutions that have been proposed in the lit- erature. Having a clear understanding of what exactly risk is, how it be quantified, and in what sense it can be propagated is fundamental for devising high-quality risk assessment and decision-making solutions. In this paper, we exploit a previous well-established work about the nature of risk and related notions with the goal of providing a proper interpre- tation of the different notions of risk propagation, as well as revealing and harmonizing the alternative semantics for the links used in common risk propagation graphs. Finally, we discuss how these results can be leveraged in practice to model risk propagation scenarios.

In Risk Management, security issues arise from complex relations among objects and agents, their capabilities and vulnerabilities, the events they are involved in, and the value and risk they ensue to the stakeholders at hand. Further, there are patterns involving these relations that crosscut many domains, ranging from information security to public safety. Understanding and forming a shared conceptualization and vocabulary about these notions and their relations is fundamental for modeling the corresponding scenarios, so that proper security countermeasures can be devised. Ontologies are instruments developed to address these conceptual clarification and terminological systematization issues. Over the years, several ontologies have been proposed in Risk Management and Security Engineering. However, as shown in recent literature, they fall short in many respects, including generality and expressivity - the latter impacting on their interoperability with related models. We propose a Reference Ontology for Security Engineering (ROSE) from a Risk Treatment perspective. Our proposal leverages on two existing Reference Ontologies: the Common Ontology of Value and Risk and a Reference Ontology of Prevention, both of which are grounded on the Unified Foundational Ontology (UFO). ROSE is employed for modeling and analysing some cases, in particular providing clarification to the semantically overloaded notion of Security Mechanism.

Enterprise Risk Management involves the process of identification, evaluation, treatment, and communication regarding risks throughout the enterprise. To support the tasks associated with this process, several frameworks and modeling languages have been proposed, such as the Risk and Security Overlay (RSO) of ArchiMate. An ontological investigation of this artifact would reveal its adequacy, capabilities, and limitations w.r.t. the domain of risk and security. Based on that, a language redesign can be proposed as a refinement. Such analysis and redesign have been executed for the risk elements of the RSO grounded in the Common Ontology of Value and Risk. The next step along this line of research is to address the following research problems: What would be the outcome of an ontological analysis of security-related elements of the RSO? That is, can we identify other semantic deficiencies in the RSO through an ontological analysis? Once such an analysis is provided, can we redesign the security elements of the RSO accordingly, in order to produce an improved artifact? Here, with the aid of the Reference Ontology for Security Engineering (ROSE) and the ontological theory of prevention behind it, we address the remaining gap by proceeding with an ontological analysis of the security-related constructs of the RSO. The outcome of this assessment is an ontology-based redesign of the ArchiMate language regarding security modeling. In a nutshell, we report the following contributions: (1) an ontological analysis of the RSO that identifies six limitations concerning security modeling; (2) because of the key role of the notion of prevention in security modeling, the introduction of the ontological theory of prevention in ArchiMate; (3) a well-founded redesign of security elements of ArchiMate; and (4) ontology-based security modeling patterns that are logical consequences of our proposal of redesign due to its underlying ontology of security. As a form of evaluation, we show that our proposal can describe risk treatment options, according to ISO 31000. Finally, besides presenting multiple examples, we proceed with a real-world illustrative application taken from the cybersecurity domain.

Formal Ontology is a discipline whose business is to develop formal theories about general aspects of reality such as identity, dependence, parthood, truth-making, causality, etc. A foundational ontology is a specific consistent set of these ontological theories that support activities such as domain analysis, conceptual clarification, and meaning negotiation. A (well-founded) core ontology specifies, under a foundational ontology, the central concepts and relations of a given domain. Foundational and core ontologies can be seen as ontology engineering frameworks to systematically address the laborious task of building large (more specific) domain ontologies. However, both in research and industry, it is common that ontologies as computational artifacts are built without the aid of any framework of this kind, often yielding modeling mistakes and representation gaps. In this paper, we analyze a case in the domain of cybersecurity, namely, the case of D3FEND — an OWL knowledge graph of cybersecurity countermeasure techniques proposed by the MITRE Corporation. Based on the Reference Ontology for Security Engineering (ROSE), a core ontology of the security domain founded in the Unified Founda-tional Ontology (UFO), our investigation reveals a number of semantic issues and opportunities for improvement in D3FEND, including missing concepts, semantic overload of terms, and lacking constraints that cause an under-specification of the model. As a result of our ontological analysis, we propose several suggestions for the appropriate redesign of D3FEND to overcome those issues.

Enterprise Risk Management and security have become a fundamental part of Enterprise Architecture, so several frameworks and modeling languages have been designed to support the activities associated with these areas. Archi- Mate’s Risk and Security Overlay is one of such proposals, endorsed by The Open Group. We investigate the capabilities of the proposed security-related con- structs in ArchiMate with regard to the necessities of enterprise security modeling. Our analysis relies on a well-founded reference ontology of security to uncover ambiguity, missing modeling elements, and other deficiencies of the security mod- eling capabilities in ArchiMate. Based on this ontologically-founded analysis, we propose a redesign of security aspects of ArchiMate to overcome its original limitations.

Prevention is a pervasive phenomenon. It is about blocking an effect before it happens or stopping it as it unfolds: vaccines prevent (the unfolding of) diseases; seat belts prevent events causing serious injuries; circuit breaks prevent the manifestation of overcurrents. Many disciplines in the information sciences deal with modeling and reasoning about prevention. Examples include risk and security management as well as medical and legal informatics. Having a proper conceptualization of this phenomenon is crucial for devising proper modeling mechanisms and tools to support these disciplines. Forming such a conceptualization is a matter of Formal Ontology. In fact, prevention and related notions have become a topic of interest in this area. In this paper, with the support of Unified Foundational Ontology (UFO), we conduct an ontological analysis of this and other related notions, namely, the notions of countermeasures and countermeasure mechanisms, including the notion of antidotes. As a result of this conceptual clarification process, we propose an ontology-based reusable module extending UFO and capturing the relations between these elements. Finally, we employ this module to address a few cases in risk management.