International Journal of Information Security

, Volume 18, Issue 6, pp 715–739 | Cite as

Leveraging cyber threat intelligence for a dynamic risk framework

Automation by using a semantic reasoner and a new combination of standards (STIX™, SWRL and OWL)
  • R. RiescoEmail author
  • V. A. Villagrá
Regular contribution


One of the most important goals in an organization is to have risks under an acceptance level along the time. All organizations are exposed to real-time security threats that could have an impact on their risk exposure levels harming the entire organization, their customers and their reputation. New emerging techniques, tactics and procedures (TTP) which remain undetected, the complexity and decentralization of organization assets, the great number of vulnerabilities proportional to the number of new type of devices (IoT) or still the high number of false positives, are only some examples of real risks for any organization. Risk management frameworks are not integrated and automated with near real-time (NRT) risk-related cybersecurity threat intelligence (CTI) information. The contribution of this paper is an integrated architecture based on the Web Ontology Language (OWL), a semantic reasoner and the use of Semantic Web Rule Language (SWRL) to approach a Dynamic Risk Assessment and Management (DRA/DRM) framework at all levels (operational, tactic and strategic). To enable such a dynamic, NRT and more realistic risk assessment and management processes, we created a new semantic version of STIX™v2.0 for cyber threat intelligence as it is becoming a de facto standard for structured threat information exchange. We selected an international leading organization in cybersecurity to demonstrate new dynamic ways to support decision making at all levels while being under attack. Semantic reasoners could be our ideal partners to fight against threats having risks under control along the time, for that, they need to understand the data. Our proposal uses an unprecedented mix of standards to cover all levels of a DRM and ensure easier adoption by users.


STIX™ SWRL OWL Cybersecurity Dynamic risk management (DRM) Cyber threat intelligence (CTI) 


Compliance with ethical standards

Conflict of interest

All authors declare that they have no conflict of interest.

Ethical approval

This article does not contain any studies with human participants or animals performed by any of the authors.


  1. 1.
    ISO/IEC 27005:2008, Information technology—security techniques and Information security risk management (2008)Google Scholar
  2. 2.
    ISO 31000:2018, Risk management—guidelines (2018)Google Scholar
  3. 3.
    Bianco, D.: “The Pyramid of Pain”. (2014). Accessed 15 July 2018
  4. 4.
    OASIS: “STIX™ 2.0 specifications”. Accessed 7 Aug 2018
  5. 5.
    OASIS: “STIX™ White paper”. Accessed 15 June 2018
  6. 6.
    OASIS: “TTP (Techniques, Tactics and Procedures” by STIX™. Accessed 7 Aug 2018
  7. 7.
    OASIS: “Campaigns by STIX™”. Accessed 7 Aug 2018
  8. 8.
    OASIS: “Incidents by STIX™”. Accessed 7 Aug 2018
  9. 9.
    European Commission and European Parliament: “NIS Directive”. Accessed 7 Aug 2018
  10. 10.
    W3C: “OWL”. Accessed 1 June 2017
  11. 11.
    W3C: “SWRL Semantic Web Rule Language”. Accessed 1 June 2017
  12. 12.
    W3C: “Ontology”. Accessed 1 June 2017
  13. 13.
    W3C: “Inference”. Accessed 1 June 2017
  14. 14.
    W3C: “Reasoner”. Accessed 1 June 2017
  15. 15.
    W3C: “Pellet reasoner”. Accessed 1 June 2017
  16. 16.
    Herzog, A., Shahmehri, N., Duma, C.: An ontology for information security. Int. J. Inf. Secur. Priv. 1(4), 1–23 (2007)CrossRefGoogle Scholar
  17. 17.
    Ekelhart, A., Fenz, S., Klemen, M., Weippl, E.: Security ontologies: improving quantitative risk analysis. In: Proceedings of the 40th Hawaii International Conference on System Sciences (2007)Google Scholar
  18. 18.
    Fenz, S.: Ontology-based generation of IT-security metrics. In: Proceedings of the 41st Hawaii International Conference on System Sciences (2008)Google Scholar
  19. 19.
    Goluch, G., Ekelhart, A., Fenz, S., Jakoubi, S., Tjoa, S., and T. M.: Integration of an ontological information security concept in risk-aware business process management. In: Proceedings of the 41st Hawaii International Conference on System Sciences (2008)Google Scholar
  20. 20.
    de Vergara, J.E.L., et al.: A semantic web approach to share alerts among security information management systems. Commun. Comput. Inf. Sci. 72, 14–25 (2010)Google Scholar
  21. 21.
    Mateos, V., Villagrá, V.A., Romero, F.: Ontologies-based automated intrusion response system. Comput. Intell. Secur. Inf. Syst. 2010, 99–106 (2010)Google Scholar
  22. 22.
    Obrst, L. et al.: MITRE—developing an ontology of the cyber security domain. In: MITRE (2012)Google Scholar
  23. 23.
    Singapogu, S. et al.: Security ontologies for modeling enterprise level risk assessment. In: 2012 Annual Computer Security Applications Conference, Orlando (2012)Google Scholar
  24. 24.
    Erbacher, R.F.: Ontology-based adaptive systems of cyber defense. In: Semantic Technology for Intelligence, Defense and Security Conference, Fairfax, VA (2015)Google Scholar
  25. 25.
    Syed, Z. et al.: UCO—unified cybersecurity ontology. In: The Workshops of the Thirtieth AAAI Conference on Artificial Intelligence. Artificial Intelligence for Cyber Security: Technical Report WS-16-03 (2016)Google Scholar
  26. 26.
    Gao, P. et al.: AIQL: enabling efficient attack investigation from system monitoring data. In: USENIX Annual Technical Conference (2018)Google Scholar
  27. 27.
    Gao, P. et al.: SAQL: a stream-based query system for real-time abnormal system behavior detection. In: USENIX Security Symposium (2018)Google Scholar
  28. 28.
    Meszaros, J., Buchalcevova, A.: Introducing OSSF: a framework for online service cybersecurity risk management. Comput. Secur. 65, 300–313 (2017)CrossRefGoogle Scholar
  29. 29.
    Qamar, S., Anwar, Z., Ashiqur Rahman, M., Al-Shaer, E., Chu, B.-T.: Data-driven analytics for cyber-threat intelligence and information sharing. Comput. Secur. 67, 35–58 (2017)CrossRefGoogle Scholar
  30. 30.
    Poolsappasit, N., Dewri, R., Ray, I.: Dynamic security risk management using Bayesian attack graphs. IEEE Trans. Dependable Secure Comput. 9(1), 61–74 (2012)CrossRefGoogle Scholar
  31. 31.
    Schiffman, M.: Common vulnerability scoring system (CVSS). html (2011)
  32. 32.
    Mozzaquatro, B.A. et al.: An Ontology-Based Cybersecurity Framework for the Internet of Things, Sensors (Basel, Switzerland), vol. 18, 9 3053 (2018)Google Scholar
  33. 33.
    Zhang, J., Yang, J., Li, J.: When rule engine meets big data: design and implementation of a distributed rule engine using spark. In: IEEE Third International Conference on Big Data Computing Service and Applications. BigDataService), San Francisco, CA (2017)Google Scholar
  34. 34.
    Alrwais, S., Yuan, K., Alowaisheq, E., Liao, X., Oprea, A., Wang, X., Li, Z.: Catching predators at watering holes: finding and understanding strategically compromised websites. In: Proceedings of the 32nd Annual Conference on Computer Security Applications (2016)Google Scholar
  35. 35.
    Stanford University “Protege”.

Copyright information

© Springer-Verlag GmbH Germany, part of Springer Nature 2019

Authors and Affiliations

  1. 1.Spanish National Cybersecurity Institute (INCIBE)LeónSpain
  2. 2.Universidad Politécnica de MadridMadridSpain

Personalised recommendations