Cybersecurity Ontology - The relationship between vulnerabilities, standards, legal and regulatory requirements,

University essay from Stockholms universitet/Institutionen för data- och systemvetenskap

Abstract: Since information technology has become a central part of businesses and organizations, the move to the cyber domain has benefited them but also exposed them to new threats through vulnerabilities. To minimize risk and to prevent and alleviate cyber-attacks, standards are commonly used to ensure an organization's cybersecurity. With this increased focus on cybersecurity, new legal and regulatory requirements are created and published, and organizations are obliged to comply with them. However, even if an organization is certified against a cybersecurity standard and complies with the necessary legal and regulatory requirements, security breaches still occur, and mitigating vulnerabilities cannot be fully accomplished. Against this background, ontologies have grown in popularity as a way to visualize and simplify how multiple entities within the domain are interconnected. However, no existing ontology has interconnected vulnerabilities, standards, and legal and regulatory requirements in one model, and studies propose that new, unifying ontologies be created to help the domain build new knowledge. Thus, this study aims to develop a security ontology for understanding the relationship between vulnerabilities, standards, and legal and regulatory requirements. The research question is: What is the relationship between vulnerabilities, standards, legal and regulatory requirements? Design science methodology is applied, with data collected through a document study and interviews and analyzed using document and content analysis. Based on the data collected, a security ontology that presents and visualizes the relationships between the implemented subjects has been created. The artefact can be useful for security practitioners and newcomers in gaining a more in-depth understanding of how vulnerabilities are connected to controls and of which controls can aid compliance with legal and regulatory requirements.
