Abstract
According to ISO 31000, the risk management process comprises communication, risk assessment, risk treatment, monitoring, and reporting. Numerous techniques address these aspects, particularly risk assessment and treatment, such as attack trees, fault trees, risk matrices, etc. These approaches implicitly or explicitly require a conceptualization of the risk management domain, that is, a reference domain ontology as a background theory. However, because these techniques are not grounded in ontological analyses and well-founded reference ontologies, they suffer from several limitations and semantic confusion, such as ambiguity, little to no modeling guidance, and lack of semantic integration. Existing well-founded reference ontologies of value, risk, security, and related topics can support a full-fledged, ontologically sound risk management framework capable of solving those semantic issues. Nevertheless, such a comprehensive approach to risk management is yet to be seen. To cover this gap, we present a research proposal integrating these ontologies and associated services into a domain-specific modeling language for risk management. First, we establish a risk management ontology network, including value, risk, incident, security, monitoring, trust, and resilience concepts. We will employ them to ground ontological analyses of those important risk management techniques to identify their shortcomings. This analysis will support redesigns of these techniques to overcome the limitations. We will design a domain-specific modeling language interpreted by the ontology network and served by the redesigned versions of those techniques. By doing so, we expect to address semantic interoperability problems among risk management approaches and data sources.