One of the most important goals in an organization is to have risks under an acceptance level along the time. All organizations are exposed to real-time security threats that could have an impact on their risk exposure levels harming the entire organization, their customers and their reputation. New emerging techniques, tactics and procedures (TTP) which remain undetected, the complexity and decentralization of organization assets, the great number of vulnerabilities proportional to the number of new type of devices (IoT) or still the high number of false positives, are only some examples of real risks for any organization. Risk management frameworks are not integrated and automated with near real-time (NRT) risk-related cybersecurity threat intelligence (CTI) information. The contribution of this paper is an integrated architecture based on the Web Ontology Language (OWL), a semantic reasoner and the use of Semantic Web Rule Language (SWRL) to approach a Dynamic Risk Assessment and Management (DRA/DRM) framework at all levels (operational, tactic and strategic). To enable such a dynamic, NRT and more realistic risk assessment and management processes, we created a new semantic version of STIX™v2.0 for cyber threat intelligence as it is becoming a de facto standard for structured threat information exchange. We selected an international leading organization in cybersecurity to demonstrate new dynamic ways to support decision making at all levels while being under attack. Semantic reasoners could be our ideal partners to fight against threats having risks under control along the time, for that, they need to understand the data. Our proposal uses an unprecedented mix of standards to cover all levels of a DRM and ensure easier adoption by users.
This is a preview of subscription content, access via your institution.
Buy single article
Instant access to the full article PDF.
Tax calculation will be finalised during checkout.
Subscribe to journal
Immediate online access to all issues from 2019. Subscription will auto renew annually.
Tax calculation will be finalised during checkout.
ISO/IEC 27005:2008, Information technology—security techniques and Information security risk management (2008)
ISO 31000:2018, Risk management—guidelines (2018)
Bianco, D.: “The Pyramid of Pain”. http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html (2014). Accessed 15 July 2018
OASIS: “STIX™ 2.0 specifications”. https://oasisopen.github.io/cti-documentation/resources#stix-20-specification. Accessed 7 Aug 2018
OASIS: “STIX™ White paper”. https://stixproject.github.io/about/STIX_Whitepaper_v1.1.pdf. Accessed 15 June 2018
OASIS: “TTP (Techniques, Tactics and Procedures” by STIX™. https://stixproject.github.io/getting-started/whitepaper/#tactics-techniques-and-procedures-ttp. Accessed 7 Aug 2018
OASIS: “Campaigns by STIX™”. https://stixproject.github.io/getting-started/whitepaper/#campaigns. Accessed 7 Aug 2018
OASIS: “Incidents by STIX™”. https://stixproject.github.io/getting-started/whitepaper/#incidents. Accessed 7 Aug 2018
European Commission and European Parliament: “NIS Directive”. http://data.europa.eu/eli/dir/2016/1148/oj. Accessed 7 Aug 2018
W3C: “OWL”. https://www.w3.org/OWL/. Accessed 1 June 2017
W3C: “SWRL Semantic Web Rule Language”. https://www.w3.org/Submission/SWRL/. Accessed 1 June 2017
W3C: “Ontology”. https://www.w3.org/standards/semanticweb/ontology. Accessed 1 June 2017
W3C: “Inference”. https://www.w3.org/standards/semanticweb/inference. Accessed 1 June 2017
W3C: “Reasoner”. https://www.w3.org/2001/sw/wiki/Category:Reasoner. Accessed 1 June 2017
W3C: “Pellet reasoner”. https://www.w3.org/2001/sw/wiki/Pellet. Accessed 1 June 2017
Herzog, A., Shahmehri, N., Duma, C.: An ontology for information security. Int. J. Inf. Secur. Priv. 1(4), 1–23 (2007)
Ekelhart, A., Fenz, S., Klemen, M., Weippl, E.: Security ontologies: improving quantitative risk analysis. In: Proceedings of the 40th Hawaii International Conference on System Sciences (2007)
Fenz, S.: Ontology-based generation of IT-security metrics. In: Proceedings of the 41st Hawaii International Conference on System Sciences (2008)
Goluch, G., Ekelhart, A., Fenz, S., Jakoubi, S., Tjoa, S., and T. M.: Integration of an ontological information security concept in risk-aware business process management. In: Proceedings of the 41st Hawaii International Conference on System Sciences (2008)
de Vergara, J.E.L., et al.: A semantic web approach to share alerts among security information management systems. Commun. Comput. Inf. Sci. 72, 14–25 (2010)
Mateos, V., Villagrá, V.A., Romero, F.: Ontologies-based automated intrusion response system. Comput. Intell. Secur. Inf. Syst. 2010, 99–106 (2010)
Obrst, L. et al.: MITRE—developing an ontology of the cyber security domain. In: MITRE (2012)
Singapogu, S. et al.: Security ontologies for modeling enterprise level risk assessment. In: 2012 Annual Computer Security Applications Conference, Orlando (2012)
Erbacher, R.F.: Ontology-based adaptive systems of cyber defense. In: Semantic Technology for Intelligence, Defense and Security Conference, Fairfax, VA (2015)
Syed, Z. et al.: UCO—unified cybersecurity ontology. In: The Workshops of the Thirtieth AAAI Conference on Artificial Intelligence. Artificial Intelligence for Cyber Security: Technical Report WS-16-03 (2016)
Gao, P. et al.: AIQL: enabling efficient attack investigation from system monitoring data. In: USENIX Annual Technical Conference (2018)
Gao, P. et al.: SAQL: a stream-based query system for real-time abnormal system behavior detection. In: USENIX Security Symposium (2018)
Meszaros, J., Buchalcevova, A.: Introducing OSSF: a framework for online service cybersecurity risk management. Comput. Secur. 65, 300–313 (2017)
Qamar, S., Anwar, Z., Ashiqur Rahman, M., Al-Shaer, E., Chu, B.-T.: Data-driven analytics for cyber-threat intelligence and information sharing. Comput. Secur. 67, 35–58 (2017)
Poolsappasit, N., Dewri, R., Ray, I.: Dynamic security risk management using Bayesian attack graphs. IEEE Trans. Dependable Secure Comput. 9(1), 61–74 (2012)
Schiffman, M.: Common vulnerability scoring system (CVSS). http://www.first.org/cvss/cvss-guide. html (2011)
Mozzaquatro, B.A. et al.: An Ontology-Based Cybersecurity Framework for the Internet of Things, Sensors (Basel, Switzerland), vol. 18, 9 3053 (2018)
Zhang, J., Yang, J., Li, J.: When rule engine meets big data: design and implementation of a distributed rule engine using spark. In: IEEE Third International Conference on Big Data Computing Service and Applications. BigDataService), San Francisco, CA (2017)
Alrwais, S., Yuan, K., Alowaisheq, E., Liao, X., Oprea, A., Wang, X., Li, Z.: Catching predators at watering holes: finding and understanding strategically compromised websites. In: Proceedings of the 32nd Annual Conference on Computer Security Applications (2016)
Stanford University “Protege”. https://protege.stanford.edu/
Conflict of interest
All authors declare that they have no conflict of interest.
This article does not contain any studies with human participants or animals performed by any of the authors.
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
About this article
Cite this article
Riesco, R., Villagrá, V.A. Leveraging cyber threat intelligence for a dynamic risk framework. Int. J. Inf. Secur. 18, 715–739 (2019). https://doi.org/10.1007/s10207-019-00433-2
- Dynamic risk management (DRM)
- Cyber threat intelligence (CTI)