The Security Assessment Domain: A Survey of Taxonomies and Ontologies

The use of ontologies and taxonomies contributes by providing means to define concepts, minimize the ambiguity, improve the interoperability and manage knowledge of the security domain. Thus, this paper presents a literature survey on ontologies and taxonomies concerning the Security Assessment domain. We carried out it to uncover initiatives that aim at formalizing concepts from the Information Security and Test and Assessment fields of research. We applied a systematic review approach in seven scientific databases. 138 papers were identified and divided into categories according to their main contributions, namely: Ontology, Taxonomy and Survey. Based on their contents, we selected 47 papers on ontologies, 22 papers on taxonomies, and 11 papers on surveys. A taxonomy has been devised to be used in the evaluation of the papers. Summaries, tables, and a preliminary analysis of the selected works are presented. Our main contributions are: 1) an updated literature review, describing key characteristics, results, research issues, and application domains of the papers; and 2) the taxonomy for the evaluation process. We have also detected gaps in the Security Assessment literature that could be the subject of further studies in the field. This work is meant to be useful for security researchers who wish to adopt a formal approach in their methods and techniques.