Abstract

The Access Risk Knowledge (ARK) Platform is a socio-technical risk management system for organisations vulnerable to operational failure. ARK is based on Semantic Web standards to support data management activities such as data sharing, integration, classification, and retrieval, supporting the development of a data governance approach. Operationally, the ARK platform provides capabilities for performing socio-technical risk analyses and sharing, analysing, and visualising that information between institutions through an intuitive user interface, combining machine learning approaches to classify and suggest concepts. In this work, we explore the security module of the ARK Platform, where access control and sensitive data processing are integrated into the platform, and it explores the extent to which Semantic Web standards could cope with the requirements for cybersecurity risk management systems. The ARK Platform provides mechanisms to extend its functionality, such as integrating new ontologies or taxonomies for a particular domain, organisation or problem. In this sense, the ARK Platform was extended with incident response (IR) capabilities for socio-technical systems analysis by defining a new ontology for cybersecurity control and a taxonomy of cybersecurity concepts based on the ISO 27000 series standard, DPV controls, NIOSH Controls, and Enterprise Risk Management concepts to model IR artefacts, processes, and roles. Additionally, the security module of the ARK Platform was extended with personal data processing and access control mechanisms restricting access to evidence according to user roles where information related to users and projects are securely persisted in a Semantic Web format. As a result, two ontologies for risk management and two taxonomies of risk and cybersecurity concepts that consider ISO and NIST standards have been published as open sources.

Statistics