Review Comment:
Paper Summary:
In this paper, the authors describe the development of an ontology that conceptualizes the requirements of the NIS 2 directive, and provide concrete example on how a company can use it to track which requirements they are already in compliance with and which ones they are still non-compliant.
Evaluation as an ‘Ontology description’ manuscript:
(1) Quality and relevance of the described ontology: The work is appropriate for this journal, however, it is difficult to assess its quality due to a short evaluation (I give pointers on how to improve it further on) and due to a lack of human-readable documentation for the ontology itself (the provided repository only has a .owl file). A proper state of the art is also missing, in particular related to ontology-based regulatory compliance.
(2) Illustration, clarity and readability of the paper: The paper could use a thorough review to have a more formal style of writing. Moreover, as I elaborate in the next sections of this review, it lacks figures and examples that assist with the overall readability of such a contribution.
(3) Long-term stable URL for resources: The organisation of the repository should be improved as the provided URL does not contain a README file to guide readers through the contents of the repository. The provided OWL ontology appears to be complete for the replication of experiments and is stored on GitHub for long-term preservation and discoverability. There is no provenance information related to the contents of the repository. There is no human-readable documentation for the ontology. The versioning strategy to be used by the authors should also be mentioned.
Detailed evaluation:
Title & Abstract. The title is well-drafted and presents the main goal of the manuscript. The abstract describes well enough its purpose, findings and value, however the methodology used to create the ontology is not mentioned. The abstract should also provide an insight on how much coverage of the directive is provided in the ontology, as well as situate it in relation to the state of the art. The authors also mention that “NIS2Onto reduces time and effort required for the verification, both by enabling continuous monitoring of any modification that occurs during the lifespan of the company and by minimising the risk of error by human personnel”, but do not further elaborate on how they ensure this in any section of the paper, e.g., to establish that using their solution is more time-effiecient, I would expect a user-study to be performed and assessed.
1. Introduction. This section introduces the motivation of the paper. Although the ontological contribution of the work is well covered – the development of an ontology to describe the NIS2 directive –, it is not clear if/how the work was validated by legal experts or how the authors will support the claims of having an adaptable and enforceable compliance mechanism that is interoperable across implementers, which should also be a contribution of the manuscript if the ontology is to be used for automated compliance verification. The second paragraph should properly introduce the scope of NIS2 and to which entities it applies, and also compare the differences between NIS2 and its predecessor. Moreover, this section should also be supported by valid references, including citations for the laws and directives, and improved with definitions from the domain, to help readers that are not experts in cybersecurity and its regulatory aspects. Limitations, if any, are absent from the introduction or the overall paper.
2. Related work. DPV [1] is a state of the art resource to represent information related to usage and processing of personal data, which includes an extension to support the NIS2 Directive [2], which is currently missing from this Related Work section. For completeness, contributions related to cybersecurity ontologies [3-6] (non-exhaustive list) can also be considered for integration in this section, as well as to check whether they are good extension points for the developed ontology. There is also an extensive body of work related to ontology-based regulatory compliance, which is completely missing from this contribution, including using SWRL rules as proposed by the authors. This analysis will be helpful to understand why the authors chose SWRL for their work.
3.1 Overview of the NIS 2 Directive. The author’s decision to not consider Chapter I for the ontology is not comprehensible given that it includes information about the scope, involved entities and definitions that support the Directive’s legislative text. Moreover, a diagram would help readers to visualise the involved NIS2 entities and how they are expected to interact due to the obligations of the directive. A proper introduction to each studied Chapter and its requirements will also help the readers to understand the complexity of NIS2.
3.2 SecOnto Methodology. The contribution would benefit from a diagram/figure explaining the followed methodology, as it is an adapted version of Methontology for the security domain. Such a figure would also help connecting the dots between the proposed methodology and the following subsections related to the development of the ontology (subsections 3.3 to 3.10). The provided description is also not very clear regarding the outcomes of each step of the methodology, e.g., the Implementation step has the ontology, ‘associated paperwork’, and ‘conclusions drawn from the ontology’ as outcomes — what paperwork or conclusions are expected here? In what format? The followed methodology also does not mention any step of legal validation. Other ontology engineering methodologies, such as LOT [7], do this by integrating domain experts, e.g., in this case legal experts, in all phases of ontology development. A couple of sentences can also be added to address now NIS2Onto will adapt to the Member States national implementations of the directive.
3.3. Automating the Creation of the Ontology. The full NLP pipeline to automatically extract concepts from the directive should be better detaileed. In particular, the results of the extraction and its accuracy should be further elaborated by the authors, to provide an understanding of the efficiency, correctness and completeness of the chosen methodology. The protocol for manual evaluation of the created concepts is also missing from this section’s description. The authors also mention that “We deliberately avoided using certain tools, particularly in the context of ontological automated development, because they proved to be ineffective or incompatible with the context of security directives.”. Which tools are included here and why are they not eefective or compatible with security directives?
3.4. Competency Questions. The Compliance check CQ should be split in 2: one for checking whether an entity is compliant and a second one for checking if they are compliant with a certain article. The Integration I and Integration and Differential Analysis CQs introduce integration with other regulations, however this aspect has been left out of the manuscript so far. I would recommend to address this interplay of regulations in a previous section, perhaps in the section decribing the directive. Overall, the CQs would benefit from a more formal structuring.
3.5. NIS2Onto Overview. This section would benefit from a schematic diagram to showcase the main classes and properties of NIS2Onto. Moreover, the authors mention that NIS2Onto “associates specific agents with the security measures the agents must fulfil through the equivalence relationship, i.e., EquivalentTo” — I would expect that an equivalence relationship is used between related elements and not between distinct concepts such as entities, e.g., agents, and security measures. Furthermore, the usage of the term ‘agents’ is ambiguous and must be introduced, probably even in an earlier section. Are agents natural persons, legal entities, software agents, others? An example instantiation of a security measure and its associated actions and entities would also increase the understandability of this section. Concretely, the role of reasoning to evaluate generated inferences should be properly introduced and explained — what additional knowledge does it provide over the already extracted knowledge base? Providing an example of an instantiation of a measure into the concrete adoption of a specific standard would also give further readability to the text.
3.6. Classes and individuals. Examples of documents, agents and objects can be provided in this section. Furthermore, objects are very abstract classes that are seemingly trying to cover different concepts within the same class — if possible, dividing them and using separate classes for different concepts with be ideal. The modelling of compliance classes is not clear. Taking the used example, an instance of Article-10-MemberState-Compliant is supposed to be a subclass of all classes related to Article 10 that a Member State has to comply with or is it just a subclass of the ones which it is already compliant? The text seems to imply the former, while the term itself, i.e., Article-10-MemberState-Compliant, by using the word ‘Compliant’, seems to imply the latter. If what the authors which to express is the former, I would suggest changing the naming of the classes to use the word ‘Compliance’ instead and then use terms like ‘Compliant’ or ‘Non-Compliant’ to express the status of compliance of each class that needs to be complied with for a certain article/entity.
3.7. Object-properties (also applies to 3.8. Data-properties). Similar comment in the previous section, as the authors mention ‘The object property name is obtained by the verb, but it includes other additional elements.’. The result are complex terms that will hinder reusage, e.g., for other security-related ontologies.
3.9. SWRL rules. As mentioned in the comments related to Section 2, there is no justification on why the authors decided to use SWRL as their reasoning language, and as such, no state of the art on existing solutions for regulatory compliance, in particular for security, using SWRL or any other languages. Furthermore, considering that rules are used to verify compliance with the regulation, it would be good to understand their coverage of the regulation, e.g., if there is a rule for each measure in NIS 2, and the rules should be provided together with the ontological resource, e.g., in the linked code repository.
3.10. Evaluation. The provided evaluation can be further improved by the usage of tools such as OOPS! [8] and FOOPS! [9] to access if there are critical pitfalls in the ontology development and whether it follows the FAIR principles for ontology publication. It is also not clear how far the ontology goes in terms of answering the defined competency questions, e.g., SPARQL queries for all competency questions can be provided.
5. Conclusions. The authors mention that ‘NIS2Onto […] supports risk assessment,’ — this sentence should be supported in the previous sections. A concrete suggestion would be to improve the case study section with a risk assessment that is concretly supported by the use of NIS2Onto. As future work, I would also invite the authors to look into how to integrate their work with DPV, as it is a state of the art vocabulary for data protection-related requirements, which is also looking to have NIS 2 as one of its extensions. As such, I am at the disposal of the authors in case they want to work on such an integration, as I am an active member of the Community Group [10] that edits and maintains the DPV.
Minor comments:
Capitalise mentions of ‘Chapters’ and ‘Articles’ in the manuscript and use it consistently.
3.2 SecOnto Methodology
Page 4 Line 7: ‘the ontology that describes the measurements’ -> measures ?
Page 4 Line 15-16: ‘composed of the articles from 7 to 37’ -> composed by Articles 7 to 37
3.3. Automating the Creation of the Ontology
Page 4 Line 35: ‘of SpaCy and ClausIE library’ -> of the SpaCy and ClausIE libraries
3.6. Classes and individuals
NIS2Onto is mispelled in page 6, lines 13 an 14
Page 6 Line 28: ‘The class names adopted has been obtained’ -> have been
4. Case study
Page 10 Line 21: ‘these are Article 12, paragraphs 1 and 2’ -> Figure 3 mentions Article 21, not 12
[1] https://arxiv.org/abs/2404.13426
[2] https://w3id.org/dpv/legal/eu/nis2
[3] https://link.springer.com/chapter/10.1007/978-3-030-63479-7_22
[4] https://ieeexplore.ieee.org/abstract/document/8205615
[5] https://www.mdpi.com/1424-8220/18/9/3053
[6] https://link.springer.com/chapter/10.1007/978-3-319-98842-9_1
[7] https://lot.linkeddata.es
[8] https://oops.linkeddata.es
[9] https://foops.linkeddata.es/FAIR_validator.html
[10] https://www.w3.org/community/dpvcg/
|