{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,10]],"date-time":"2026-04-10T00:17:06Z","timestamp":1775780226222,"version":"3.50.1"},"reference-count":67,"publisher":"Springer Science and Business Media LLC","issue":"1","license":[{"start":{"date-parts":[[2026,1,22]],"date-time":"2026-01-22T00:00:00Z","timestamp":1769040000000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2026,1,22]],"date-time":"2026-01-22T00:00:00Z","timestamp":1769040000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"funder":[{"name":"European Union\u2019s Horizon Europe Project","award":["01120684"],"award-info":[{"award-number":["01120684"]}]},{"name":"European Union\u2019s Horizon Europe Project","award":["101120779"],"award-info":[{"award-number":["101120779"]}]},{"name":"European Union\u2019s Digital Europe","award":["01190372"],"award-info":[{"award-number":["01190372"]}]}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Int. J. Inf. Secur."],"published-print":{"date-parts":[[2026,2]]},"abstract":"<jats:title>Abstract<\/jats:title>\n                  <jats:p>Cybersecurity risk is one of the primary and growing concerns for ensuring security and resilience of organizations, regardless of their size and type. While proactive risk management is effective, it is challenging due to the evolving and sophisticated threat landscape, exploitation of known and unknown vulnerabilities, and a dynamic security context. The dynamic security context further complicates calculating the accurate risk level, leading to risk perception that can vary between different stakeholders. However, the demand for adopting cyber insurance is increasing as an effective risk mitigation strategy to avoid any potential loss. 
In this context, this paper proposes an Explainable AI (XAI) based dynamic cybersecurity risk management approach for informed cyber insurability decision making. The approach utilizes a Large Language Model (LLM) based framework for real-time, contextualized risk level assessment and adopts XAI techniques such as feature contribution and correlation, to justify the decision making. A comprehensive evaluation using an industrial use case and experiment demonstrates the applicability of the proposed approach. The experiment part uses a widely used vulnerability dataset to predict highly exploitable vulnerabilities and links them with the identified assets of the use case scenario. The result shows 96.9% accuracy for the exploitable vulnerability identification and XAI operationalisation justifies the selection of the right security control and the cyber insurability decision based on the residual risk.<\/jats:p>","DOI":"10.1007\/s10207-025-01189-8","type":"journal-article","created":{"date-parts":[[2026,1,22]],"date-time":"2026-01-22T14:14:37Z","timestamp":1769091277000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":2,"title":["Explainable AI based dynamic cybersecurity risk management for cyber insurability"],"prefix":"10.1007","volume":"25","author":[{"given":"Spyridon","family":"Papastergiou","sequence":"first","affiliation":[]},{"given":"Nihala","family":"Basheer","sequence":"additional","affiliation":[]},{"given":"Kostas","family":"Lampropoulos","sequence":"additional","affiliation":[]},{"given":"Panayiotis","family":"Verrios","sequence":"additional","affiliation":[]},{"given":"Shareeful","family":"Islam","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2026,1,22]]},"reference":[{"key":"1189_CR1","unstructured":"Jennings-Trace, E.: Three massive UK retailers have been hit by cyber attacks this week \u2013 so what\u2019s going on? TechRadar (2025). 
https:\/\/www.techradar.com\/pro\/security\/three-massive-uk-retailers-have-been-hit-by-cyber-attacks-this-week-so-whats-going-on"},{"key":"1189_CR2","doi-asserted-by":"publisher","unstructured":"Kumar, R., Singh, S.: Cyber insurance in India: An overview. Int. J. Res. Finance Manag. 6, 373\u2013378 (2023). https:\/\/doi.org\/10.33545\/26175754.2023.v6.i1d.230","DOI":"10.33545\/26175754.2023.v6.i1d.230"},{"key":"1189_CR3","doi-asserted-by":"publisher","unstructured":"Islam, S., Basheer, N., Papastergiou, S., Ciampi, M., Silvestri, S.: Intelligent dynamic cybersecurity risk management framework with explainability and interpretability of AI models for enhancing security and resilience of digital infrastructure. Journal of Reliable Intelligent Environments 11, Article 12 (2025). https:\/\/doi.org\/10.1007\/s40860-025-00253-3","DOI":"10.1007\/s40860-025-00253-3"},{"key":"1189_CR4","doi-asserted-by":"publisher","first-page":"474","DOI":"10.1108\/JRF-09-2016-0122","volume":"17","author":"M Eling","year":"2016","unstructured":"Eling, M., Schnell, W.: What do we know about cyber risk and cyber risk insurance? The Journal of Risk Finance 17, 474\u2013491 (2016). https:\/\/doi.org\/10.1108\/JRF-09-2016-0122","journal-title":"The Journal of Risk Finance"},{"key":"1189_CR5","doi-asserted-by":"publisher","first-page":"502","DOI":"10.1057\/s41288-023-00289-7","volume":"48","author":"G Zeller","year":"2023","unstructured":"Zeller, G., Scherer, M.: Risk mitigation services in cyber insurance: optimal contract design and price structure. The Geneva Papers on Risk and Insurance - Issues and Practice 48, 502\u2013547 (2023). 
https:\/\/doi.org\/10.1057\/s41288-023-00289-7","journal-title":"The Geneva Papers on Risk and Insurance - Issues and Practice"},{"key":"1189_CR6","doi-asserted-by":"publisher","first-page":"698","DOI":"10.1057\/s41288-022-00266-6","volume":"47","author":"F Cremer","year":"2022","unstructured":"Cremer, F., Sheehan, B., Fortmann, M., Kia, A.N., Mullins, M., Murphy, F., Materne, S.: Cyber risk and cybersecurity: a systematic review of data availability. The Geneva Papers on Risk and Insurance - Issues and Practice 47, 698\u2013736 (2022). https:\/\/doi.org\/10.1057\/s41288-022-00266-6","journal-title":"The Geneva Papers on Risk and Insurance - Issues and Practice"},{"key":"1189_CR7","doi-asserted-by":"publisher","first-page":"395","DOI":"10.1017\/asb.2025.9","volume":"55","author":"WF Chong","year":"2025","unstructured":"Chong, W.F., Linders, D., Quan, Z., Zhang, L.: Incident-specific cyber insurance. ASTIN. Bulletin 55, 395\u2013425 (2025). https:\/\/doi.org\/10.1017\/asb.2025.9","journal-title":"Bulletin"},{"key":"1189_CR8","doi-asserted-by":"publisher","first-page":"535","DOI":"10.1016\/j.future.2017.05.043","volume":"83","author":"G Gonzalez-Granadillo","year":"2018","unstructured":"Gonzalez-Granadillo, G., Dubus, S., Motzek, A., Garcia-Alfaro, J., Alvarez, E., Merialdo, M., Papillon, S., Debar, H.: Dynamic risk management response system to handle cyber threats. Future Gener. Comput. Syst. 83, 535\u2013552 (2018). https:\/\/doi.org\/10.1016\/j.future.2017.05.043","journal-title":"Future Gener. Comput. Syst."},{"key":"1189_CR9","unstructured":"Schneider, D., Reich, J., Adler, R., Liggesmeyer, P.: Dynamic risk management in cyber physical systems. arXiv:2401.13539 (2024). arXiv:2401.13539"},{"key":"1189_CR10","doi-asserted-by":"publisher","unstructured":"Cheimonidis, P., Rantos, K.: Dynamic risk assessment in cybersecurity: A systematic literature review. Future Internet 15 (2023). 
https:\/\/doi.org\/10.3390\/fi15100324","DOI":"10.3390\/fi15100324"},{"key":"1189_CR11","doi-asserted-by":"publisher","unstructured":"Naumov, S., Kabanov, I.: Dynamic framework for assessing cyber security risks in a changing environment. In: 2016 International Conference on Information Science and Communications Technologies (ICISCT), pp. 1\u20134 (2016). https:\/\/doi.org\/10.1109\/ICISCT.2016.7777406","DOI":"10.1109\/ICISCT.2016.7777406"},{"key":"1189_CR12","doi-asserted-by":"publisher","unstructured":"Panou, A., Ntantogian, C., Xenakis, C.: RiSKi. In: 21st Pan-Hellenic Conference on Informatics, pp. 1\u20136 (2017). https:\/\/doi.org\/10.1145\/3139367.3139426","DOI":"10.1145\/3139367.3139426"},{"key":"1189_CR13","doi-asserted-by":"publisher","unstructured":"Wang, S.S.: Integrated framework for information security investment and cyber insurance. Pac.-Basin Finance J. 57, 101173 (2019). https:\/\/doi.org\/10.1016\/j.pacfin.2019.101173","DOI":"10.1016\/j.pacfin.2019.101173"},{"key":"1189_CR14","doi-asserted-by":"publisher","first-page":"1087","DOI":"10.1109\/tcss.2021.3117905","volume":"9","author":"R Zhang","year":"2021","unstructured":"Zhang, R., Zhu, Q.: Optimal Cyber-Insurance contract design for dynamic risk management and mitigation. IEEE Trans. Comput. Soc. Syst. 9, 1087\u20131100 (2021). https:\/\/doi.org\/10.1109\/tcss.2021.3117905","journal-title":"IEEE Trans. Comput. Soc. Syst."},{"key":"1189_CR15","doi-asserted-by":"publisher","unstructured":"Thlon, M., Strupczewski, G.: Assessing the impact of cyber risk perception on cyber insurance purchase decisions. Sci. Pap. Silesian Univ. Technol. Organ. Manag. Ser. 179 (2023). https:\/\/doi.org\/10.29119\/1641-3466.2023.179.32","DOI":"10.29119\/1641-3466.2023.179.32"},{"key":"1189_CR16","doi-asserted-by":"publisher","unstructured":"Jawhar, S., Kimble, C.E., Miller, J.R., Bitar, Z.: Enhancing Cyber Resilience with AI-Powered Cyber Insurance Risk Assessment. 
In: 2022 IEEE 12th Annual Computing and Communication Workshop and Conference (CCWC), pp. 0435\u20130438 (2024). https:\/\/doi.org\/10.1109\/ccwc60891.2024.10427965","DOI":"10.1109\/ccwc60891.2024.10427965"},{"key":"1189_CR17","doi-asserted-by":"publisher","unstructured":"Shaikh, M.U.R., Ullah, R., Akbar, R., Savita, K.S., Mandala, S.: Fortifying Against Ransomware: Navigating Cybersecurity Risk Management with a Focus on Ransomware Insurance Strategies. Int. J. Acad. Res. Bus. Soc. Sci. 14 (2024). https:\/\/doi.org\/10.6007\/ijarbss\/v14-i1\/20566","DOI":"10.6007\/ijarbss\/v14-i1\/20566"},{"key":"1189_CR18","doi-asserted-by":"publisher","DOI":"10.1016\/j.dss.2023.114102","volume":"177","author":"B Biswas","year":"2024","unstructured":"Biswas, B., Mukhopadhyay, A., Kumar, A., Delen, D.: A hybrid framework using explainable AI (XAI) in cyber-risk management for defence and recovery against phishing attacks. Decis. Support Syst. 177, 114102 (2024). https:\/\/doi.org\/10.1016\/j.dss.2023.114102","journal-title":"Decis. Support Syst."},{"key":"1189_CR19","doi-asserted-by":"publisher","DOI":"10.1016\/j.ijinfomgt.2023.102724","volume":"74","author":"A Mukhopadhyay","year":"2024","unstructured":"Mukhopadhyay, A., Jain, S.: A framework for cyber-risk insurance against ransomware: A mixed-method approach. Int. J. Inf. Manage. 74, 102724 (2024). https:\/\/doi.org\/10.1016\/j.ijinfomgt.2023.102724","journal-title":"Int. J. Inf. Manage."},{"issue":"12","key":"1189_CR20","doi-asserted-by":"publisher","first-page":"222","DOI":"10.3390\/risks10120222","volume":"10","author":"L Pavl\u00edk","year":"2022","unstructured":"Pavl\u00edk, L., Ficek, M., Rak, J.: Dynamic assessment of cyber threats in the field of insurance. Risks 10(12), 222 (2022). 
https:\/\/doi.org\/10.3390\/risks10120222","journal-title":"Risks"},{"key":"1189_CR21","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2020.102121","volume":"101","author":"G Uuganbayar","year":"2021","unstructured":"Uuganbayar, G., Yautsiukhin, A., Martinelli, F., Massacci, F.: Optimisation of cyber insurance coverage with selection of cost effective security controls. Computers & Security 101, 102121 (2021). https:\/\/doi.org\/10.1016\/j.cose.2020.102121","journal-title":"Computers & Security"},{"issue":"2","key":"1189_CR22","doi-asserted-by":"publisher","first-page":"426","DOI":"10.1017\/asb.2024.31","volume":"55","author":"TJ Boonen","year":"2025","unstructured":"Boonen, T.J., Feng, Y., Tong, Z.: Cybersecurity investments and cyber insurance purchases in a non-cooperative game. ASTIN Bulletin: The Journal of the IAA 55(2), 426\u2013448 (2025). https:\/\/doi.org\/10.1017\/asb.2024.31","journal-title":"ASTIN Bulletin: The Journal of the IAA"},{"issue":"1","key":"1189_CR23","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1007\/s13385-023-00342-9","volume":"13","author":"K Awiszus","year":"2023","unstructured":"Awiszus, K., Knispel, T., Penner, I., Svindland, G., Vo\u00df, A., Weber, S.: Modeling and pricing cyber insurance: Idiosyncratic, systematic, and systemic risks. Eur. Actuar. J. 13(1), 1\u201353 (2023). https:\/\/doi.org\/10.1007\/s13385-023-00342-9","journal-title":"Eur. Actuar. J."},{"key":"1189_CR24","first-page":"103","volume":"81","author":"CC French","year":"2021","unstructured":"French, C.C.: Five approaches to insuring cyber risks. Maryland Law Review 81, 103 (2021)","journal-title":"Maryland Law Review"},{"issue":"3","key":"1189_CR25","doi-asserted-by":"publisher","first-page":"81","DOI":"10.1145\/636772.636774","volume":"46","author":"LA Gordon","year":"2003","unstructured":"Gordon, L.A., Loeb, M.P., Sohail, T.: A framework for using insurance for cyber-risk management. Commun. ACM 46(3), 81\u201385 (2003). 
https:\/\/doi.org\/10.1145\/636772.636774","journal-title":"Commun. ACM"},{"issue":"1","key":"1189_CR26","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1108\/JRF-03-2019-0045","volume":"21","author":"M Eling","year":"2020","unstructured":"Eling, M., Schnell, W.: What do we know about cyber risk and cyber risk insurance? The Journal of Risk Finance 21(1), 1\u201314 (2020). https:\/\/doi.org\/10.1108\/JRF-03-2019-0045","journal-title":"The Journal of Risk Finance"},{"key":"1189_CR27","doi-asserted-by":"publisher","unstructured":"Romanosky, S., Ablon, L., Kuehn, A., Jones, T.: Content analysis of cyber insurance policies: How do carriers price cyber risk? Journal of Cybersecurity 5(1), tyz002 (2019). https:\/\/doi.org\/10.1093\/cybsec\/tyz002","DOI":"10.1093\/cybsec\/tyz002"},{"issue":"3","key":"1189_CR28","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1145\/3436242","volume":"2","author":"J Jacobs","year":"2021","unstructured":"Jacobs, J., Romanosky, S., Edwards, B., Roytman, M., Adjerid, I.: Exploit prediction scoring system (EPSS). Digital Threats: Research and Practice 2(3), 1\u201317 (2021). https:\/\/doi.org\/10.1145\/3436242","journal-title":"Digital Threats: Research and Practice"},{"key":"1189_CR29","doi-asserted-by":"publisher","unstructured":"Mohitkar, C., Lakshmi, D.: Explainable AI for transparent Cyber-Risk assessment and Decision-Making. In: Advances in computational intelligence and robotics book series, pp. 219\u2013246 (2024). https:\/\/doi.org\/10.4018\/979-8-3693-7540-2.ch010","DOI":"10.4018\/979-8-3693-7540-2.ch010"},{"key":"1189_CR30","doi-asserted-by":"publisher","unstructured":"Mishra, S., Pradhan, R.K.: Analyzing the Impact of Feature Correlation on Classification Accuracy of Machine Learning Model. In: 2023 International Conference on Artificial Intelligence and Smart Communication (AISC), pp. 879\u2013883. IEEE, Greater Noida (2023). 
https:\/\/doi.org\/10.1109\/AISC56616.2023.10085542","DOI":"10.1109\/AISC56616.2023.10085542"},{"key":"1189_CR31","doi-asserted-by":"publisher","DOI":"10.1002\/9781118445112.stat06481","author":"RR Macdonald","year":"2014","unstructured":"Macdonald, R.R.: Correlation and covariance matrices. Wiley StatsRef: Statistics Reference Online (2014). https:\/\/doi.org\/10.1002\/9781118445112.stat06481","journal-title":"Wiley StatsRef: Statistics Reference Online"},{"key":"1189_CR32","doi-asserted-by":"publisher","unstructured":"Weisburd, D., Britt, C., Wilson, D.B., Wooditch, A.: Measuring Association for Scaled Data: Pearson\u2019s correlation coefficient. In: Springer eBooks, pp. 479\u2013530 (2020). https:\/\/doi.org\/10.1007\/978-3-030-47967-1_14","DOI":"10.1007\/978-3-030-47967-1_14"},{"key":"1189_CR33","doi-asserted-by":"publisher","unstructured":"Zhong, J., Negre, E.: Context-aware feature attribution through argumentation. arXiv (Cornell University) (2023)https:\/\/doi.org\/10.48550\/arxiv.2310.16157","DOI":"10.48550\/arxiv.2310.16157"},{"key":"1189_CR34","doi-asserted-by":"publisher","unstructured":"Zhang, Y., Tan, X., Xi, H., Zhao, X.: Real-time risk management based on time series analysis. In: 2008 7th World Congress on Intelligent Control and Automation, pp. 2518\u20132523. IEEE, Chongqing (2008). https:\/\/doi.org\/10.1109\/WCICA.2008.4593320","DOI":"10.1109\/WCICA.2008.4593320"},{"key":"1189_CR35","doi-asserted-by":"publisher","unstructured":"Cheng, X., Che, C.: Interpretable Machine Learning: Explainability in Algorithm Design. J. Ind. Eng. Appl. Sci. 2, 65\u201370 (2024). 
https:\/\/doi.org\/10.70393\/6a69656173.323337","DOI":"10.70393\/6a69656173.323337"},{"key":"1189_CR36","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2023.103139","volume":"128","author":"H Mouratidis","year":"2023","unstructured":"Mouratidis, H., Islam, S., Santos-Olmo, A., Sanchez, L.E., Ismail, U.M.: Modelling language for cyber security incident handling for critical infrastructures. Computers & Security 128, 103139 (2023). https:\/\/doi.org\/10.1016\/j.cose.2023.103139","journal-title":"Computers & Security"},{"issue":"18","key":"1189_CR37","doi-asserted-by":"publisher","first-page":"15241","DOI":"10.1007\/s00521-022-07059-6","volume":"34","author":"HI Kure","year":"2022","unstructured":"Kure, H.I., Islam, S., Mouratidis, H.: An integrated cyber security risk management framework and risk predication for the critical infrastructure protection. Neural Comput. Appl. 34(18), 15241\u201315271 (2022). https:\/\/doi.org\/10.1007\/s00521-022-07059-6","journal-title":"Neural Comput. Appl."},{"key":"1189_CR38","doi-asserted-by":"publisher","unstructured":"Basheer, N., Islam, S., Alwaheidi, M.K.S., Mouratidis, H., Papastergiou, S.: Large language model based hybrid framework for automatic vulnerability detection with explainable AI for cybersecurity enhancement. Integrated Computer-Aided Engineering 10692509251368663 (2025). https:\/\/doi.org\/10.3233\/ICA-251368663","DOI":"10.3233\/ICA-251368663"},{"key":"1189_CR39","doi-asserted-by":"publisher","unstructured":"Van Aartsengel, A., Kurtoglu, S.: Analyze process steps and tasks. In: Springer eBooks, pp. 483\u2013517 (2013). https:\/\/doi.org\/10.1007\/978-3-642-35901-9_27","DOI":"10.1007\/978-3-642-35901-9_27"},{"key":"1189_CR40","unstructured":"NVD - Common Platform Enumeration (CPE). 
https:\/\/nvd.nist.gov\/products\/cpe"},{"key":"1189_CR41","doi-asserted-by":"publisher","first-page":"9","DOI":"10.3978\/j.issn.2305-5839.2015.12.38","volume":"4","author":"Z Zhang","year":"2016","unstructured":"Zhang, Z.: Missing data imputation: focusing on single imputation. PubMed 4, 9 (2016). https:\/\/doi.org\/10.3978\/j.issn.2305-5839.2015.12.38","journal-title":"PubMed"},{"key":"1189_CR42","doi-asserted-by":"publisher","unstructured":"Azar, D., Harmanani, H.: Heuristic approaches for optimizing the performance of rule-based classifiers. In: 2011 IEEE International Conference on Information Reuse & Integration, pp. 25\u201331. IEEE, Las Vegas (2011). https:\/\/doi.org\/10.1109\/IRI.2011.6009515","DOI":"10.1109\/IRI.2011.6009515"},{"key":"1189_CR43","doi-asserted-by":"publisher","unstructured":"Feng, Z., Guo, D., Tang, D., Duan, N., Feng, X., Gong, M., Shou, L., Qin, B., Liu, T., Jiang, D., Zhou, M.: CodeBERT: A Pre-Trained Model for Programming and Natural Languages. In: Findings of the Association for Computational Linguistics: EMNLP 2020 (2020). https:\/\/doi.org\/10.18653\/v1\/2020.findings-emnlp.139","DOI":"10.18653\/v1\/2020.findings-emnlp.139"},{"key":"1189_CR44","doi-asserted-by":"publisher","unstructured":"Khanfir, A., Jimenez, M., Papadakis, M., Traon, Y.L.: CodeBERT-nt: Code Naturalness via CodeBERT. In: 2022 IEEE 22nd International Conference on Software Quality, Reliability and Security (QRS), pp. 936\u2013947. IEEE, Guangzhou (2022). https:\/\/doi.org\/10.1109\/QRS57517.2022.00098","DOI":"10.1109\/QRS57517.2022.00098"},{"key":"1189_CR45","doi-asserted-by":"publisher","first-page":"723","DOI":"10.1016\/j.surg.2023.05.023","volume":"174","author":"JH Cabot","year":"2023","unstructured":"Cabot, J.H., Ross, E.G.: Evaluating prediction model performance. Surgery 174, 723\u2013726 (2023). https:\/\/doi.org\/10.1016\/j.surg.2023.05.023","journal-title":"Evaluating prediction model performance. 
Surgery"},{"key":"1189_CR46","doi-asserted-by":"publisher","unstructured":"Naidu, G., Zuva, T., Sibanda, E.M.: A review of evaluation metrics in Machine learning Algorithms. In: Lecture Notes in Networks and Systems, pp. 15\u201325 (2023). https:\/\/doi.org\/10.1007\/978-3-031-35314-7_2","DOI":"10.1007\/978-3-031-35314-7_2"},{"key":"1189_CR47","doi-asserted-by":"publisher","unstructured":"Rainio, O., Teuho, J., Kl\u00e9n, R.: Evaluation metrics and statistical tests for machine learning. Sci. Rep. 14 (2024)https:\/\/doi.org\/10.1038\/s41598-024-56706-x","DOI":"10.1038\/s41598-024-56706-x"},{"key":"1189_CR48","doi-asserted-by":"publisher","unstructured":"Fourure, D., Javaid, M.U., Posocco, N., Tihon, S.: Anomaly Detection: How to Artificially Increase Your F1-Score with a Biased Evaluation Protocol. In: Lecture notes in computer science, pp. 3\u201318 (2021). https:\/\/doi.org\/10.1007\/978-3-030-86514-6_1","DOI":"10.1007\/978-3-030-86514-6_1"},{"key":"1189_CR49","unstructured":"FIRST - Common Vulnerability Scoring System Specification Document. https:\/\/www.first.org\/cvss\/specification-document"},{"key":"1189_CR50","unstructured":"Applied Sciences: Special Issue on Cybersecurity Risk Assessment and Management. https:\/\/www.mdpi.com\/2076-3417\/12\/9\/4443"},{"key":"1189_CR51","doi-asserted-by":"publisher","unstructured":"Li, M., Sun, H., Huang, Y., Chen, H.: Shapley value: from cooperative game to explainable artificial intelligence. Auton. Intell. Syst. 4 (2024)https:\/\/doi.org\/10.1007\/s43684-023-00060-8","DOI":"10.1007\/s43684-023-00060-8"},{"key":"1189_CR52","doi-asserted-by":"publisher","unstructured":"Khan, M.M.: Cyber Security Risk Management. Int. J. Multidiscip. Res. 6 (2024). https:\/\/doi.org\/10.36948\/ijfmr.2024.v06i04.23754","DOI":"10.36948\/ijfmr.2024.v06i04.23754"},{"key":"1189_CR53","doi-asserted-by":"publisher","unstructured":"NIST: Security and privacy controls for information systems and organizations (2020). 
https:\/\/doi.org\/10.6028\/nist.sp.800-53r5","DOI":"10.6028\/nist.sp.800-53r5"},{"key":"1189_CR54","doi-asserted-by":"publisher","unstructured":"Tsegaye, T., Flowerday, S.: Controls for protecting critical information infrastructure from cyberattacks. In: World Congress on Internet Security (WorldCIS-2014), pp. 24\u201329. IEEE, London (2014). https:\/\/doi.org\/10.1109\/worldcis.2014.7028160","DOI":"10.1109\/worldcis.2014.7028160"},{"key":"1189_CR55","doi-asserted-by":"publisher","unstructured":"Cremer, F., Sheehan, B., Fortmann, M., Mullins, M., Murphy, F.: Cyber exclusions: An investigation into the cyber insurance coverage gap. In: 2022 Cyber Research Conference - Ireland (Cyber-RCI), pp. 1\u201310. IEEE, Galway (2022). https:\/\/doi.org\/10.1109\/cyber-rci55324.2022.10032678","DOI":"10.1109\/cyber-rci55324.2022.10032678"},{"key":"1189_CR56","unstructured":"P-NET: Cybersecurity Research Network. https:\/\/p-net.gr\/"},{"key":"1189_CR57","doi-asserted-by":"publisher","unstructured":"CVEjoin: An Information Security Vulnerability and Threat Intelligence Dataset. Figshare (2022). https:\/\/doi.org\/10.6084\/m9.figshare.21586923","DOI":"10.6084\/m9.figshare.21586923"},{"key":"1189_CR58","unstructured":"Microsoft CodeBERT-base Model. https:\/\/huggingface.co\/microsoft\/codebert-base"},{"key":"1189_CR59","doi-asserted-by":"publisher","unstructured":"Kholiev, V., Barkovska, O.: Analysis of the of training and test data distribution for audio series classification. I\u043d\u0444\u043e\u0440\u043c\u0430\u0446i\u0439\u043d\u043e\u2013\u043a\u0435\u0440\u0443\u044e\u0447i \u0421\u0438\u0441\u0442\u0435\u043c\u0438 \u041d\u0430 \u0417\u0430\u043bi\u0437\u043d\u0438\u0447\u043d\u043e\u043c\u0443 \u0422\u0440\u0430\u043d\u0441\u043f\u043e\u0440\u0442i 28, 38\u201343 (2023). 
https:\/\/doi.org\/10.18664\/ikszt.v28i1.27634","DOI":"10.18664\/ikszt.v28i1.27634"},{"key":"1189_CR60","unstructured":"Tiwari, H.: Advancing Vulnerability Classification with BERT: A Multi-Objective Learning Model. arXiv preprint arXiv:2503.20831 (2025). https:\/\/arxiv.org\/abs\/2503.20831"},{"key":"1189_CR61","unstructured":"Li, Y., Li, X., Wu, H., Xu, M., Zhang, Y., Cheng, X., Zhong, S.: Everything You Wanted to Know About LLM-based Vulnerability Detection But Were Afraid to Ask. arXiv preprint arXiv:2504.13474 (2025)"},{"key":"1189_CR62","doi-asserted-by":"publisher","unstructured":"Li, Y., Luo, Q., Wu, P., Zheng, H.: VDMAF: Cross-language source code vulnerability detection using multi-head attention fusion. Inf. Softw. Technol. 107739 (2025). https:\/\/doi.org\/10.1016\/j.infsof.2025.107739","DOI":"10.1016\/j.infsof.2025.107739"},{"key":"1189_CR63","doi-asserted-by":"publisher","unstructured":"Aghaei, E., Al-Shaer, E., Shadid, W., Niu, X.: Automated CVE analysis for threat prioritization and impact prediction. arXiv (Cornell University) (2023). https:\/\/doi.org\/10.48550\/arxiv.2309.03040","DOI":"10.48550\/arxiv.2309.03040"},{"key":"1189_CR64","doi-asserted-by":"publisher","unstructured":"Rahman, M.M., Kshetri, N., Sayeed, S.A., Rana, M.M.: AssessITS: Integrating procedural guidelines and practical evaluation metrics for organizational IT and Cybersecurity risk assessment. arXiv (Cornell University) (2024). https:\/\/doi.org\/10.48550\/arxiv.2410.01750","DOI":"10.48550\/arxiv.2410.01750"},{"key":"1189_CR65","doi-asserted-by":"publisher","unstructured":"Umm-E-Habiba, N., Habibullah, K.M.: Explainable AI: A Diverse Stakeholder Perspective. In: 2024 IEEE 32nd International Requirements Engineering Conference (RE), pp. 494\u2013495. IEEE, Reykjavik (2024). 
https:\/\/doi.org\/10.1109\/re59067.2024.00060","DOI":"10.1109\/re59067.2024.00060"},{"key":"1189_CR66","unstructured":"Mosbach, M., Andriushchenko, M., Klakow, D.: On the stability of fine-tuning BERT: Misconceptions, explanations, and strong baselines. arXiv:2006.04884 (2020)"},{"key":"1189_CR67","unstructured":"European Commission, European Common Criteria-based cybersecurity certification scheme (EUCC), Commission Implementing Regulation (EU) 2024\/482, 2024. https:\/\/eur-lex.europa.eu\/eli\/reg_impl\/2024\/482\/oj"}],"container-title":["International Journal of Information Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10207-025-01189-8.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s10207-025-01189-8","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10207-025-01189-8.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,1,31]],"date-time":"2026-01-31T16:07:48Z","timestamp":1769875668000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s10207-025-01189-8"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,1,22]]},"references-count":67,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2026,2]]}},"alternative-id":["1189"],"URL":"https:\/\/doi.org\/10.1007\/s10207-025-01189-8","relation":{},"ISSN":["1615-5262","1615-5270"],"issn-type":[{"value":"1615-5262","type":"print"},{"value":"1615-5270","type":"electronic"}],"subject":[],"published":{"date-parts":[[2026,1,22]]},"assertion":[{"value":"2 October 2025","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"8 December 
2025","order":2,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"22 January 2026","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"The authors would like to announce no conflict of interest.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Conflict of interest"}},{"value":"This article does not contain any examinations with human members or creatures performed by any of the others.","order":3,"name":"Ethics","group":{"name":"EthicsHeading","label":"Ethical approval"}},{"value":"The authors declare no competing interests.","order":4,"name":"Ethics","group":{"name":"EthicsHeading","label":"Competing interests"}}],"article-number":"36"}}