Information security policies and standards have been present for decades in the operations of various organizational entities in the government sectors of countries and in international organizations, and over that period they have also become regular practice in business sectors. The development of information security policies and standards to date has mostly been directed toward different, narrowly profiled sectoral approaches, which has resulted in weak interconnection of knowledge at the broader domain level. Unlike related research that analyses individual information security policies and standards or some narrower domain segments, this thesis analyses the broader domain area. The analysis was carried out with the aim of broader domain systematization and integration of the different approaches and requirements of the global and local environment and of the dominant contemporary information security policies and standards. A modelling method is proposed that comprises a system view of the information security policy lifecycle in the global environment, transformed into a hierarchical domain taxonomy, by means of which the content of the model is realized in the form of a domain vocabulary, the categorization and hierarchical relationships of concepts, and the mutual relations and attributes of concepts. The conceptual metamodel is realized as a framework for managing and communicating knowledge that links the existing heterogeneous and weakly connected domain knowledge from the dominant information security policies and standards. The formal specification of the conceptual metamodel (vocabulary, syntax and semantics) is the basis for realizing a software ontology metamodel, which is used to validate the conceptual metamodel and to verify the properties achieved by its application. Case studies realized as software ontology models confirmed the required properties of simplicity, consistency, comprehensiveness and efficiency of lifecycle management for information security policies modelled with the proposed method.
Information security policies and standards have been present for decades within the business operations of different organizational entities in government sectors and international organizations. During that period, different security policies and standards also became best practice in various business sectors. Past experience in the development of security policies and standards is that they were mostly oriented towards the narrowly specialized approach of each sector. The result of such an approach is a very weak correlation of knowledge at the wider level of the information security domain. Unlike related research that analyses certain standards or policies within certain business sectors, or some narrow functional domain segments, this research is aimed at the wider level of the information security domain. The goal of this research is to correlate the mutually different approaches of different sectors at the wider level of the information security domain. The research comprises the chosen security policies and standards in the contemporary practices of different government and business sectors that are dominant in the global environment. The key research questions are: can a conceptualisation of the information security domain correlate the existing heterogeneous and weakly related domain knowledge, and will the lifecycle management of security policies based on such a conceptualisation be simpler, more consistent, more comprehensive, and more efficient. The first chapter, “Introduction”, describes the research field, the motivation and the research goals, as well as the research questions. Chapter 2, “Modelling of Information Security Policies”, explains the various methods and techniques used within the proposed method for modelling security policies, such as conceptualisation, ontology methods, the system approach, and domain taxonomy. 
Chapter 3, “Overview of Related Researches”, analyses the state of the art in the research field of information security and the related research. Chapter 4, “Analysis of Information Security Policies and Standards”, analyses the wider level of the information security domain in order to systematize and integrate the approaches of different sectors, the different requirements from the global and local environments, and the different characteristics of the dominant information security policies and standards. Based on this analysis, and on the abstraction and generalization of related concepts typical of the dominant security policies and standards, common domain concepts are proposed as the general domain vocabulary shown in annex A. Chapter 5, “Knowledge Management Based Method for Modelling of Information Security Policies”, proposes the method for modelling security policies. The method comprises the system scheme of the security policy lifecycle shown in the global environment. Using an appropriate transformation, the scheme is realized in a form that is more suitable for elaborating the hierarchical domain taxonomy and for creating the subsystems of the conceptual metamodel. The proposed structure of the conceptual metamodel comprises four organizational levels of this complex system with 18 subsystems. The metamodel structure is verified against the chosen dominant security policies and standards. The metamodel content is elaborated further using ontology methods for shaping the concepts and subconcepts. The elaborated hierarchical domain taxonomy is shown in annex B. Chapter 6, “The Realization of the Conceptual Metamodel of Information Security Policies”, describes, based on the hierarchical domain taxonomy and the further elaboration of attributes and mutual relations of domain concepts, the realization of the conceptual metamodel using UML (Unified Modelling Language). 
This conceptual metamodel correlates the existing heterogeneous and weakly related domain knowledge. It also realizes the framework for the management and communication of the domain knowledge that comprises the different approaches of different sectors, based on the chosen dominant security policies and standards. The conceptual model developed in UML has a high level of clarity, comprehensibility, and visualization of the domain concepts, which makes it very appropriate for communication among security officers and other responsible persons within different organizations. The conceptual model developed in UML also offers a formal specification consisting of a vocabulary (domain taxonomy), syntax (categories and hierarchies of the classes representing concepts), and semantics (attributes and mutual relations of the classes). Besides the UML notation, annex C contains the table describing all the relations defined among the classes of the metamodel. The formal specification is intended for the software-based development of the conceptual metamodel. Chapter 7, “The Realization of the Software Based Ontology Model”, describes the realization of the software-based ontology model developed using Protégé Frames. The ontology model is used to verify the research results obtained by the proposed method and the conceptual metamodel realized in UML. The verification is based on case studies that comprise the security policy modelling of organizational entities from the government sector and from the business sector. The third case study presents the solution for adapting the modelled security policies of these two organizations from different sectors for mutual business cooperation and sensitive information sharing (a classified contract). Using the developed software-based ontology metamodel, the necessary policies were modelled as ontology models elaborated from the same metamodel. 
These case studies verify that the lifecycle management of security policies modelled using the proposed method becomes simpler, more consistent, more comprehensive, and more efficient. The case studies also verify that the proposed modelling method and the realised conceptual metamodel represent a comprehensive solution for the wider domain level. Chapter 8, “Conclusion”, gives the conclusion and guidelines for future research. The thesis describes the analysis carried out with the aim of wider domain systematization and integration of the different approaches and requirements of the global and local environment and of the dominant information security policies and standards. The proposed method of policy modelling comprises the system scheme of the security policy lifecycle shown in the global environment and transformed into a hierarchical domain taxonomy. The hierarchical domain taxonomy is used to realize the content of the model, which comprises vocabulary, syntax, and semantics. The conceptual metamodel is realised as the framework for the management and communication of the wider domain knowledge, correlating the existing heterogeneous and weakly related domain knowledge from the dominant information security policies and standards. The formal specification of the conceptual metamodel (vocabulary, syntax, and semantics) is the basis for the realization of the software-based ontology metamodel. The ontology metamodel is used to verify the research results, the proposed policy modelling method and the realised conceptual metamodel. The case studies realised using the ontology metamodel verify the required characteristics of the lifecycle management of security policies modelled using the proposed method. It is verified that the lifecycle management becomes simpler, more consistent, more comprehensive, and more efficient.