{"id":"https://openalex.org/W2780375555","doi":"https://doi.org/10.1007/s00766-017-0287-5","title":"Semantic hierarchies for extracting, modeling, and connecting compliance requirements in information security control standards","display_name":"Semantic hierarchies for extracting, modeling, and connecting compliance requirements in information security control standards","publication_year":2017,"publication_date":"2017-12-30","ids":{"openalex":"https://openalex.org/W2780375555","doi":"https://doi.org/10.1007/s00766-017-0287-5","mag":"2780375555"},"language":"en","primary_location":{"id":"doi:10.1007/s00766-017-0287-5","is_oa":true,"landing_page_url":"https://doi.org/10.1007/s00766-017-0287-5","pdf_url":"https://link.springer.com/content/pdf/10.1007%2Fs00766-017-0287-5.pdf","source":{"id":"https://openalex.org/S207090427","display_name":"Requirements Engineering","issn_l":"0947-3602","issn":["0947-3602","1432-010X"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319900","host_organization_name":"Springer Science+Business Media","host_organization_lineage":["https://openalex.org/P4310319900","https://openalex.org/P4310319965"],"host_organization_lineage_names":["Springer Science+Business Media","Springer Nature"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Requirements Engineering","raw_type":"journal-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":true,"oa_status":"hybrid","oa_url":"https://link.springer.com/content/pdf/10.1007%2Fs00766-017-0287-5.pdf","any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5078846285","display_name":"Matthew L. Hale","orcid":"https://orcid.org/0000-0002-8433-2744"},"institutions":[{"id":"https://openalex.org/I122266389","display_name":"University of Nebraska at Omaha","ror":"https://ror.org/04yrkc140","country_code":"US","type":"education","lineage":["https://openalex.org/I122266389"]}],"countries":["US"],"is_corresponding":true,"raw_author_name":"Matthew L. Hale","raw_affiliation_strings":["Nebraska University Center for Information Assurance, University of Nebraska at Omaha, Omaha, NE, USA"],"affiliations":[{"raw_affiliation_string":"Nebraska University Center for Information Assurance, University of Nebraska at Omaha, Omaha, NE, USA","institution_ids":["https://openalex.org/I122266389"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5088977884","display_name":"Rose Gamble","orcid":null},"institutions":[{"id":"https://openalex.org/I4210106868","display_name":"Fundaci\u00f3n para el Desarrollo de la Ecolog\u00eda","ror":"https://ror.org/01tadt133","country_code":"BO","type":"nonprofit","lineage":["https://openalex.org/I4210106868"]},{"id":"https://openalex.org/I87208437","display_name":"University of Tulsa","ror":"https://ror.org/04wn28048","country_code":"US","type":"education","lineage":["https://openalex.org/I87208437"]}],"countries":["BO","US"],"is_corresponding":false,"raw_author_name":"Rose F. Gamble","raw_affiliation_strings":["ECAR","Tandy School of Computer Science, University of Tulsa, Tulsa, OK, USA"],"affiliations":[{"raw_affiliation_string":"ECAR","institution_ids":["https://openalex.org/I4210106868"]},{"raw_affiliation_string":"Tandy School of Computer Science, University of Tulsa, Tulsa, OK, USA","institution_ids":["https://openalex.org/I87208437"]}]}],"institutions":[],"countries_distinct_count":2,"institutions_distinct_count":2,"corresponding_author_ids":["https://openalex.org/A5078846285"],"corresponding_institution_ids":["https://openalex.org/I122266389"],"apc_list":{"value":2190,"currency":"EUR","value_usd":2780},"apc_paid":{"value":2190,"currency":"EUR","value_usd":2780},"fwci":2.0143,"has_fulltext":true,"cited_by_count":23,"citation_normalized_percentile":{"value":0.90534735,"is_in_top_1_percent":false,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":89,"max":100},"biblio":{"volume":"24","issue":"3","first_page":"365","last_page":"402"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10734","display_name":"Information and Cyber Security","score":0.9959999918937683,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T10734","display_name":"Information and Cyber Security","score":0.9959999918937683,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T13295","display_name":"Safety Systems Engineering in Autonomy","score":0.9921000003814697,"subfield":{"id":"https://openalex.org/subfields/2213","display_name":"Safety, Risk, Reliability and Quality"},"field":{"id":"https://openalex.org/fields/22","display_name":"Engineering"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10260","display_name":"Software Engineering Research","score":0.9864000082015991,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/certified-information-systems-security-professional","display_name":"Certified Information Systems Security Professional","score":0.5945995450019836},{"id":"https://openalex.org/keywords/accreditation","display_name":"Accreditation","score":0.5395969152450562},{"id":"https://openalex.org/keywords/certification","display_name":"Certification","score":0.5128765106201172},{"id":"https://openalex.org/keywords/information-security","display_name":"Information security","score":0.5107333660125732},{"id":"https://openalex.org/keywords/information-system","display_name":"Information system","score":0.4804822504520416},{"id":"https://openalex.org/keywords/security-controls","display_name":"Security controls","score":0.47645023465156555},{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.4749612510204315},{"id":"https://openalex.org/keywords/information-technology-audit","display_name":"Information technology audit","score":0.4733709692955017},{"id":"https://openalex.org/keywords/information-security-standards","display_name":"Information security standards","score":0.4725327789783478},{"id":"https://openalex.org/keywords/audit","display_name":"Audit","score":0.46209871768951416},{"id":"https://openalex.org/keywords/information-security-audit","display_name":"Information security audit","score":0.45511630177497864},{"id":"https://openalex.org/keywords/consistency","display_name":"Consistency (knowledge bases)","score":0.45202115178108215},{"id":"https://openalex.org/keywords/information-security-management","display_name":"Information security management","score":0.45034146308898926},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.4483790993690491},{"id":"https://openalex.org/keywords/accounting","display_name":"Accounting","score":0.38850611448287964},{"id":"https://openalex.org/keywords/control","display_name":"Control (management)","score":0.33399587869644165},{"id":"https://openalex.org/keywords/business","display_name":"Business","score":0.3308471441268921},{"id":"https://openalex.org/keywords/cloud-computing","display_name":"Cloud computing","score":0.25377196073532104},{"id":"https://openalex.org/keywords/security-service","display_name":"Security service","score":0.22929611802101135},{"id":"https://openalex.org/keywords/internal-audit","display_name":"Internal audit","score":0.2021835744380951},{"id":"https://openalex.org/keywords/security-information-and-event-management","display_name":"Security information and event management","score":0.19562005996704102},{"id":"https://openalex.org/keywords/cloud-computing-security","display_name":"Cloud computing security","score":0.16958686709403992},{"id":"https://openalex.org/keywords/engineering","display_name":"Engineering","score":0.1029883325099945}],"concepts":[{"id":"https://openalex.org/C169537543","wikidata":"https://www.wikidata.org/wiki/Q1056312","display_name":"Certified Information Systems Security Professional","level":5,"score":0.5945995450019836},{"id":"https://openalex.org/C61521584","wikidata":"https://www.wikidata.org/wiki/Q705899","display_name":"Accreditation","level":2,"score":0.5395969152450562},{"id":"https://openalex.org/C46304622","wikidata":"https://www.wikidata.org/wiki/Q374814","display_name":"Certification","level":2,"score":0.5128765106201172},{"id":"https://openalex.org/C527648132","wikidata":"https://www.wikidata.org/wiki/Q189900","display_name":"Information security","level":2,"score":0.5107333660125732},{"id":"https://openalex.org/C180198813","wikidata":"https://www.wikidata.org/wiki/Q121182","display_name":"Information system","level":2,"score":0.4804822504520416},{"id":"https://openalex.org/C178148461","wikidata":"https://www.wikidata.org/wiki/Q1632136","display_name":"Security controls","level":3,"score":0.47645023465156555},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.4749612510204315},{"id":"https://openalex.org/C177309310","wikidata":"https://www.wikidata.org/wiki/Q758917","display_name":"Information technology audit","level":5,"score":0.4733709692955017},{"id":"https://openalex.org/C139547956","wikidata":"https://www.wikidata.org/wiki/Q6031202","display_name":"Information security standards","level":5,"score":0.4725327789783478},{"id":"https://openalex.org/C199521495","wikidata":"https://www.wikidata.org/wiki/Q181487","display_name":"Audit","level":2,"score":0.46209871768951416},{"id":"https://openalex.org/C39358052","wikidata":"https://www.wikidata.org/wiki/Q2578632","display_name":"Information security audit","level":5,"score":0.45511630177497864},{"id":"https://openalex.org/C2776436953","wikidata":"https://www.wikidata.org/wiki/Q5163215","display_name":"Consistency (knowledge bases)","level":2,"score":0.45202115178108215},{"id":"https://openalex.org/C148976360","wikidata":"https://www.wikidata.org/wiki/Q1662500","display_name":"Information security management","level":5,"score":0.45034146308898926},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.4483790993690491},{"id":"https://openalex.org/C121955636","wikidata":"https://www.wikidata.org/wiki/Q4116214","display_name":"Accounting","level":1,"score":0.38850611448287964},{"id":"https://openalex.org/C2775924081","wikidata":"https://www.wikidata.org/wiki/Q55608371","display_name":"Control (management)","level":2,"score":0.33399587869644165},{"id":"https://openalex.org/C144133560","wikidata":"https://www.wikidata.org/wiki/Q4830453","display_name":"Business","level":0,"score":0.3308471441268921},{"id":"https://openalex.org/C79974875","wikidata":"https://www.wikidata.org/wiki/Q483639","display_name":"Cloud computing","level":2,"score":0.25377196073532104},{"id":"https://openalex.org/C29983905","wikidata":"https://www.wikidata.org/wiki/Q7445066","display_name":"Security service","level":3,"score":0.22929611802101135},{"id":"https://openalex.org/C170856484","wikidata":"https://www.wikidata.org/wiki/Q6452684","display_name":"Internal audit","level":3,"score":0.2021835744380951},{"id":"https://openalex.org/C103377522","wikidata":"https://www.wikidata.org/wiki/Q3493999","display_name":"Security information and event management","level":4,"score":0.19562005996704102},{"id":"https://openalex.org/C184842701","wikidata":"https://www.wikidata.org/wiki/Q370563","display_name":"Cloud computing security","level":3,"score":0.16958686709403992},{"id":"https://openalex.org/C127413603","wikidata":"https://www.wikidata.org/wiki/Q11023","display_name":"Engineering","level":0,"score":0.1029883325099945},{"id":"https://openalex.org/C50522688","wikidata":"https://www.wikidata.org/wiki/Q189833","display_name":"Economic growth","level":1,"score":0.0},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.0},{"id":"https://openalex.org/C199539241","wikidata":"https://www.wikidata.org/wiki/Q7748","display_name":"Law","level":1,"score":0.0},{"id":"https://openalex.org/C17744445","wikidata":"https://www.wikidata.org/wiki/Q36442","display_name":"Political science","level":0,"score":0.0},{"id":"https://openalex.org/C162324750","wikidata":"https://www.wikidata.org/wiki/Q8134","display_name":"Economics","level":0,"score":0.0},{"id":"https://openalex.org/C117110713","wikidata":"https://www.wikidata.org/wiki/Q3394676","display_name":"Network security policy","level":4,"score":0.0},{"id":"https://openalex.org/C191602146","wikidata":"https://www.wikidata.org/wiki/Q6269489","display_name":"Joint audit","level":4,"score":0.0},{"id":"https://openalex.org/C119599485","wikidata":"https://www.wikidata.org/wiki/Q43035","display_name":"Electrical engineering","level":1,"score":0.0},{"id":"https://openalex.org/C111919701","wikidata":"https://www.wikidata.org/wiki/Q9135","display_name":"Operating system","level":1,"score":0.0}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1007/s00766-017-0287-5","is_oa":true,"landing_page_url":"https://doi.org/10.1007/s00766-017-0287-5","pdf_url":"https://link.springer.com/content/pdf/10.1007%2Fs00766-017-0287-5.pdf","source":{"id":"https://openalex.org/S207090427","display_name":"Requirements Engineering","issn_l":"0947-3602","issn":["0947-3602","1432-010X"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319900","host_organization_name":"Springer Science+Business Media","host_organization_lineage":["https://openalex.org/P4310319900","https://openalex.org/P4310319965"],"host_organization_lineage_names":["Springer Science+Business Media","Springer Nature"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Requirements Engineering","raw_type":"journal-article"}],"best_oa_location":{"id":"doi:10.1007/s00766-017-0287-5","is_oa":true,"landing_page_url":"https://doi.org/10.1007/s00766-017-0287-5","pdf_url":"https://link.springer.com/content/pdf/10.1007%2Fs00766-017-0287-5.pdf","source":{"id":"https://openalex.org/S207090427","display_name":"Requirements Engineering","issn_l":"0947-3602","issn":["0947-3602","1432-010X"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319900","host_organization_name":"Springer Science+Business Media","host_organization_lineage":["https://openalex.org/P4310319900","https://openalex.org/P4310319965"],"host_organization_lineage_names":["Springer Science+Business Media","Springer Nature"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Requirements Engineering","raw_type":"journal-article"},"sustainable_development_goals":[{"display_name":"Peace, Justice and strong institutions","score":0.5600000023841858,"id":"https://metadata.un.org/sdg/16"}],"awards":[{"id":"https://openalex.org/G3630431747","display_name":null,"funder_award_id":"FA-9550-09-1-0409","funder_id":"https://openalex.org/F4320338279","funder_display_name":"Air Force Office of Scientific Research"}],"funders":[{"id":"https://openalex.org/F4320338279","display_name":"Air Force Office of Scientific Research","ror":"https://ror.org/011e9bt93"}],"has_content":{"pdf":true,"grobid_xml":true},"content_urls":{"pdf":"https://content.openalex.org/works/W2780375555.pdf","grobid_xml":"https://content.openalex.org/works/W2780375555.grobid-xml"},"referenced_works_count":54,"referenced_works":["https://openalex.org/W326353637","https://openalex.org/W1494920333","https://openalex.org/W1588335385","https://openalex.org/W1606773397","https://openalex.org/W1734912584","https://openalex.org/W1857327297","https://openalex.org/W1964579175","https://openalex.org/W1975217647","https://openalex.org/W1986186023","https://openalex.org/W2004056039","https://openalex.org/W2010713091","https://openalex.org/W2018089182","https://openalex.org/W2019333479","https://openalex.org/W2023413379","https://openalex.org/W2039568215","https://openalex.org/W2040197128","https://openalex.org/W2042990479","https://openalex.org/W2045600954","https://openalex.org/W2076969540","https://openalex.org/W2079008781","https://openalex.org/W2088955355","https://openalex.org/W2092477317","https://openalex.org/W2098439610","https://openalex.org/W2098634112","https://openalex.org/W2110814332","https://openalex.org/W2119404561","https://openalex.org/W2120765605","https://openalex.org/W2127686907","https://openalex.org/W2129169847","https://openalex.org/W2130790002","https://openalex.org/W2131730994","https://openalex.org/W2132585448","https://openalex.org/W2133686175","https://openalex.org/W2135035343","https://openalex.org/W2139521508","https://openalex.org/W2145777421","https://openalex.org/W2147150814","https://openalex.org/W2148244839","https://openalex.org/W2148399451","https://openalex.org/W2152352067","https://openalex.org/W2153047972","https://openalex.org/W2154946633","https://openalex.org/W2156452334","https://openalex.org/W2156566210","https://openalex.org/W2160443281","https://openalex.org/W2161353020","https://openalex.org/W2163022780","https://openalex.org/W2165055650","https://openalex.org/W2168578953","https://openalex.org/W2169187055","https://openalex.org/W4231124227","https://openalex.org/W4233628010","https://openalex.org/W4238326355","https://openalex.org/W4250728693"],"related_works":["https://openalex.org/W2584162156","https://openalex.org/W2497647994","https://openalex.org/W2232533402","https://openalex.org/W2608021191","https://openalex.org/W4285782133","https://openalex.org/W3048038405","https://openalex.org/W2483557577","https://openalex.org/W3157375785","https://openalex.org/W815057058","https://openalex.org/W1596533783"],"abstract_inverted_index":{"Companies":[0],"and":[1,23,70,94,129,141,204,226,232,242],"government":[2],"organizations":[3,49,103,196],"are":[4],"increasingly":[5],"compelled,":[6],"if":[7,74],"not":[8],"required":[9],"by":[10],"law,":[11],"to":[12,66,107,190,197],"ensure":[13,95,143],"that":[14,96,115,131,144,181],"their":[15,97,122,127],"information":[16,79,98,154],"systems":[17,55,99,128],"will":[18],"comply":[19],"with":[20,168,201],"various":[21],"federal":[22],"industry":[24],"regulatory":[25,101,110],"standards,":[26,102],"such":[27],"as":[28,157],"the":[29,43,117,134,153,222,235],"NIST":[30],"Special":[31],"Publication":[32],"on":[33,178],"Security":[34],"Controls":[35],"for":[36,121,195,207],"Federal":[37],"Information":[38],"Systems":[39],"(NIST":[40],"SP-800-53),":[41],"or":[42,52,60,159],"Common":[44],"Criteria":[45],"(ISO":[46],"15408-2).":[47],"Such":[48],"operate":[50],"business":[51],"mission":[53],"critical":[54],"where":[56],"a":[57,113,174,192,214],"lack":[58],"of":[59,82,88,152,217,234],"lapse":[61],"in":[62,78,112,199,221,245],"security":[63,165,185],"protections":[64],"translates":[65],"serious":[67],"confidentiality,":[68],"integrity,":[69],"availability":[71],"risks":[72,93],"that,":[73],"exploited,":[75],"could":[76],"result":[77],"disclosure,":[80],"loss":[81,87],"money,":[83],"or,":[84],"at":[85],"worst,":[86],"life.":[89],"To":[90],"mitigate":[91],"these":[92],"meet":[100,133],"must":[104],"be":[105],"able":[106],"(a)":[108],"contextualize":[109],"documents":[111],"way":[114],"extracts":[116,183],"relevant":[118,184],"technical":[119],"implications":[120],"systems,":[123,147],"(b)":[124],"formally":[125],"represent":[126],"demonstrate":[130],"they":[132],"extracted":[135],"requirements":[136,186],"following":[137,213],"an":[138],"accreditation":[139],"process,":[140,176],"(c)":[142],"all":[145,218],"third-party":[146],"which":[148],"may":[149],"exist":[150],"outside":[151],"system":[155],"enclave":[156],"web":[158],"cloud":[160],"services":[161],"also":[162],"implement":[163],"appropriate":[164],"measures":[166],"consistent":[167],"organizational":[169],"expectations.":[170],"This":[171],"paper":[172],"introduces":[173],"step-wise":[175],"based":[177],"semantic":[179],"hierarchies,":[180],"systematically":[182],"from":[187],"control":[188],"standards":[189],"build":[191],"certification":[193],"baseline":[194],"use":[198],"conjunction":[200],"formal":[202],"methods":[203,244],"service":[205],"agreements":[206],"accreditation.":[208],"The":[209],"approach":[210,236],"is":[211],"demonstrated":[212],"case":[215],"study":[216],"audit-related":[219],"controls":[220],"SP-800-53,":[223],"ISO":[224],"15408-2,":[225],"related":[227],"documents.":[228],"Accuracy,":[229],"applicability,":[230],"consistency,":[231],"efficacy":[233],"were":[237],"evaluated":[238],"using":[239],"controlled":[240],"qualitative":[241],"quantitative":[243],"two":[246],"separate":[247],"studies.":[248]},"counts_by_year":[{"year":2026,"cited_by_count":2},{"year":2025,"cited_by_count":4},{"year":2024,"cited_by_count":3},{"year":2023,"cited_by_count":4},{"year":2022,"cited_by_count":4},{"year":2021,"cited_by_count":2},{"year":2020,"cited_by_count":1},{"year":2019,"cited_by_count":1},{"year":2018,"cited_by_count":2}],"updated_date":"2026-03-09T08:58:05.943551","created_date":"2025-10-10T00:00:00"}