Leveraging cyber threat intelligence for a dynamic risk framework

Automation by using a semantic reasoner and a new combination of standards (STIX™, SWRL and OWL)


One of the most important goals in an organization is to have risks under an acceptance level along the time. All organizations are exposed to real-time security threats that could have an impact on their risk exposure levels harming the entire organization, their customers and their reputation. New emerging techniques, tactics and procedures (TTP) which remain undetected, the complexity and decentralization of organization assets, the great number of vulnerabilities proportional to the number of new type of devices (IoT) or still the high number of false positives, are only some examples of real risks for any organization. Risk management frameworks are not integrated and automated with near real-time (NRT) risk-related cybersecurity threat intelligence (CTI) information. The contribution of this paper is an integrated architecture based on the Web Ontology Language (OWL), a semantic reasoner and the use of Semantic Web Rule Language (SWRL) to approach a Dynamic Risk Assessment and Management (DRA/DRM) framework at all levels (operational, tactic and strategic). To enable such a dynamic, NRT and more realistic risk assessment and management processes, we created a new semantic version of STIX™v2.0 for cyber threat intelligence as it is becoming a de facto standard for structured threat information exchange. We selected an international leading organization in cybersecurity to demonstrate new dynamic ways to support decision making at all levels while being under attack. Semantic reasoners could be our ideal partners to fight against threats having risks under control along the time, for that, they need to understand the data. Our proposal uses an unprecedented mix of standards to cover all levels of a DRM and ensure easier adoption by users.

This is a preview of subscription content, access via your institution.

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7
Fig. 8
Fig. 9
Fig. 10
Fig. 11
Fig. 12
Fig. 13
Fig. 14
Fig. 15
Fig. 16
Fig. 17


  1. 1.

    ISO/IEC 27005:2008, Information technology—security techniques and Information security risk management (2008)

  2. 2.

    ISO 31000:2018, Risk management—guidelines (2018)

  3. 3.

    Bianco, D.: “The Pyramid of Pain”. http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html (2014). Accessed 15 July 2018

  4. 4.

    OASIS: “STIX™ 2.0 specifications”. https://oasisopen.github.io/cti-documentation/resources#stix-20-specification. Accessed 7 Aug 2018

  5. 5.

    OASIS: “STIX™ White paper”. https://stixproject.github.io/about/STIX_Whitepaper_v1.1.pdf. Accessed 15 June 2018

  6. 6.

    OASIS: “TTP (Techniques, Tactics and Procedures” by STIX™. https://stixproject.github.io/getting-started/whitepaper/#tactics-techniques-and-procedures-ttp. Accessed 7 Aug 2018

  7. 7.

    OASIS: “Campaigns by STIX™”. https://stixproject.github.io/getting-started/whitepaper/#campaigns. Accessed 7 Aug 2018

  8. 8.

    OASIS: “Incidents by STIX™”. https://stixproject.github.io/getting-started/whitepaper/#incidents. Accessed 7 Aug 2018

  9. 9.

    European Commission and European Parliament: “NIS Directive”. http://data.europa.eu/eli/dir/2016/1148/oj. Accessed 7 Aug 2018

  10. 10.

    W3C: “OWL”. https://www.w3.org/OWL/. Accessed 1 June 2017

  11. 11.

    W3C: “SWRL Semantic Web Rule Language”. https://www.w3.org/Submission/SWRL/. Accessed 1 June 2017

  12. 12.

    W3C: “Ontology”. https://www.w3.org/standards/semanticweb/ontology. Accessed 1 June 2017

  13. 13.

    W3C: “Inference”. https://www.w3.org/standards/semanticweb/inference. Accessed 1 June 2017

  14. 14.

    W3C: “Reasoner”. https://www.w3.org/2001/sw/wiki/Category:Reasoner. Accessed 1 June 2017

  15. 15.

    W3C: “Pellet reasoner”. https://www.w3.org/2001/sw/wiki/Pellet. Accessed 1 June 2017

  16. 16.

    Herzog, A., Shahmehri, N., Duma, C.: An ontology for information security. Int. J. Inf. Secur. Priv. 1(4), 1–23 (2007)

    Article  Google Scholar 

  17. 17.

    Ekelhart, A., Fenz, S., Klemen, M., Weippl, E.: Security ontologies: improving quantitative risk analysis. In: Proceedings of the 40th Hawaii International Conference on System Sciences (2007)

  18. 18.

    Fenz, S.: Ontology-based generation of IT-security metrics. In: Proceedings of the 41st Hawaii International Conference on System Sciences (2008)

  19. 19.

    Goluch, G., Ekelhart, A., Fenz, S., Jakoubi, S., Tjoa, S., and T. M.: Integration of an ontological information security concept in risk-aware business process management. In: Proceedings of the 41st Hawaii International Conference on System Sciences (2008)

  20. 20.

    de Vergara, J.E.L., et al.: A semantic web approach to share alerts among security information management systems. Commun. Comput. Inf. Sci. 72, 14–25 (2010)

    Google Scholar 

  21. 21.

    Mateos, V., Villagrá, V.A., Romero, F.: Ontologies-based automated intrusion response system. Comput. Intell. Secur. Inf. Syst. 2010, 99–106 (2010)

    Google Scholar 

  22. 22.

    Obrst, L. et al.: MITRE—developing an ontology of the cyber security domain. In: MITRE (2012)

  23. 23.

    Singapogu, S. et al.: Security ontologies for modeling enterprise level risk assessment. In: 2012 Annual Computer Security Applications Conference, Orlando (2012)

  24. 24.

    Erbacher, R.F.: Ontology-based adaptive systems of cyber defense. In: Semantic Technology for Intelligence, Defense and Security Conference, Fairfax, VA (2015)

  25. 25.

    Syed, Z. et al.: UCO—unified cybersecurity ontology. In: The Workshops of the Thirtieth AAAI Conference on Artificial Intelligence. Artificial Intelligence for Cyber Security: Technical Report WS-16-03 (2016)

  26. 26.

    Gao, P. et al.: AIQL: enabling efficient attack investigation from system monitoring data. In: USENIX Annual Technical Conference (2018)

  27. 27.

    Gao, P. et al.: SAQL: a stream-based query system for real-time abnormal system behavior detection. In: USENIX Security Symposium (2018)

  28. 28.

    Meszaros, J., Buchalcevova, A.: Introducing OSSF: a framework for online service cybersecurity risk management. Comput. Secur. 65, 300–313 (2017)

    Article  Google Scholar 

  29. 29.

    Qamar, S., Anwar, Z., Ashiqur Rahman, M., Al-Shaer, E., Chu, B.-T.: Data-driven analytics for cyber-threat intelligence and information sharing. Comput. Secur. 67, 35–58 (2017)

    Article  Google Scholar 

  30. 30.

    Poolsappasit, N., Dewri, R., Ray, I.: Dynamic security risk management using Bayesian attack graphs. IEEE Trans. Dependable Secure Comput. 9(1), 61–74 (2012)

    Article  Google Scholar 

  31. 31.

    Schiffman, M.: Common vulnerability scoring system (CVSS). http://www.first.org/cvss/cvss-guide. html (2011)

  32. 32.

    Mozzaquatro, B.A. et al.: An Ontology-Based Cybersecurity Framework for the Internet of Things, Sensors (Basel, Switzerland), vol. 18, 9 3053 (2018)

  33. 33.

    Zhang, J., Yang, J., Li, J.: When rule engine meets big data: design and implementation of a distributed rule engine using spark. In: IEEE Third International Conference on Big Data Computing Service and Applications. BigDataService), San Francisco, CA (2017)

  34. 34.

    Alrwais, S., Yuan, K., Alowaisheq, E., Liao, X., Oprea, A., Wang, X., Li, Z.: Catching predators at watering holes: finding and understanding strategically compromised websites. In: Proceedings of the 32nd Annual Conference on Computer Security Applications (2016)

  35. 35.

    Stanford University “Protege”. https://protege.stanford.edu/

Download references

Author information



Corresponding author

Correspondence to R. Riesco.

Ethics declarations

Conflict of interest

All authors declare that they have no conflict of interest.

Ethical approval

This article does not contain any studies with human participants or animals performed by any of the authors.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Reprints and Permissions

About this article

Verify currency and authenticity via CrossMark

Cite this article

Riesco, R., Villagrá, V.A. Leveraging cyber threat intelligence for a dynamic risk framework. Int. J. Inf. Secur. 18, 715–739 (2019). https://doi.org/10.1007/s10207-019-00433-2

Download citation


  • STIX™
  • SWRL
  • OWL
  • Cybersecurity
  • Dynamic risk management (DRM)
  • Cyber threat intelligence (CTI)