Ontological Mapping of Common Criteria’s Security Assurance Requirements

  • Andreas Ekelhart
  • Stefan Fenz
  • Gernot Goluch
  • Edgar Weippl
Part of the IFIP International Federation for Information Processing book series (IFIPAICT, volume 232)


The Common Criteria (CC) for Information Technology Security Evaluation provide comprehensive guidelines for the evaluation and certification of IT security with regard to data security and data privacy. Because the certification process is very complex and time-consuming, many companies abstain from CC certification. We created the CC Ontology tool, which is based on an ontological representation of the CC catalog, to support the evaluator during the certification process. Tasks such as planning an evaluation process, reviewing the relevant documents, and creating reports are supported by the CC Ontology tool. With the development of this tool we reduce the time and costs needed to complete a certification.


Keywords: Resource Description Framework, Common Criteria, Certification Process, Configuration Management, Ontological Mapping



Copyright information

© International Federation for Information Processing 2007

Authors and Affiliations

  • Andreas Ekelhart (1)
  • Stefan Fenz (1)
  • Gernot Goluch (1)
  • Edgar Weippl (1)

  1. Secure Business Austria, Vienna
