{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,13]],"date-time":"2026-04-13T09:59:27Z","timestamp":1776074367285,"version":"3.50.1"},"reference-count":55,"publisher":"Springer Science and Business Media LLC","issue":"2","license":[{"start":{"date-parts":[[2026,2,10]],"date-time":"2026-02-10T00:00:00Z","timestamp":1770681600000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2026,2,10]],"date-time":"2026-02-10T00:00:00Z","timestamp":1770681600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"funder":[{"name":"European Union\u2019s Horizon Europe Programme, CyberSecDome","award":["101120779"],"award-info":[{"award-number":["101120779"]}]},{"name":"European Union\u2019s Digital Europe Programme, CURIUM","award":["101190372"],"award-info":[{"award-number":["101190372"]}]},{"name":"European Union\u2019s Horizon Europe Programme,CUSTODES","award":["101120684"],"award-info":[{"award-number":["101120684"]}]},{"name":"European Union\u2019s Digital Europe Programme, EuDoros","award":["101158605"],"award-info":[{"award-number":["101158605"]}]}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Int. J. Inf. Secur."],"abstract":"Abstract<\/jats:title>\n Cybersecurity certification generally relies on risk assessment results to identify suitable controls and assess the completeness of these controls for security requirement satisfaction and overall security assurance. Prioritization of relevant vulnerabilities is essential to support the risk assessment and overall conformity assessment. However, the security context has continuously evolved with variations in attack surfaces, vulnerability exploitation, and the regulatory landscape\u2013factors that significantly impact the conformity assessment process. This research proposes a hybrid AI framework integrating ensemble learning with GPT-3.5 for effective risk management within composite product cybersecurity conformity assessment under the European Cybersecurity Certification Scheme. It operationalizes Explainable AI (XAI) practices using SHAP and LIME methods to identify the most influential features affecting vulnerability predictions, and applies marginal analysis to measure the quantifiable gap closure between required and actual security postures to validate security control adequacy and requirement satisfaction based on calculated risk levels. This facilitates the adoption of XAI in the context of cybersecurity certification, extending its utility beyond general AI-enabled application scenarios. An industrial pilot scenario based on the P-NET 5G\/6G Testing and Integration Service infrastructure, along with a dataset-based experiment, was conducted to evaluate the proposed framework. The results indicate that the hybrid model achieved 89% accuracy for vulnerability exploitation score prediction, enabling accurate risk calculation for conformity assessment. Furthermore, the XAI analysis revealed that the identified security controls demonstrate adequate performance in satisfying mapped security functional requirements. Ultimately, the framework provides quantifiable validation of security control effectiveness, enabling auditors to trace the logical connections between vulnerability predictions, risk calculations, and security requirement satisfaction for an informed certification decision.<\/jats:p>","DOI":"10.1007\/s10207-026-01218-0","type":"journal-article","created":{"date-parts":[[2026,2,10]],"date-time":"2026-02-10T12:38:35Z","timestamp":1770727115000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":1,"title":["Hybrid AI-Based dynamic risk assessment framework with explainable AI practices for composite product cybersecurity certification"],"prefix":"10.1007","volume":"25","author":[{"given":"Shareeful","family":"Islam","sequence":"first","affiliation":[]},{"given":"Bilal","family":"Sardar","sequence":"additional","affiliation":[]},{"given":"Eleni Maria","family":"Kalogeraki","sequence":"additional","affiliation":[]},{"given":"Kostas","family":"Lampropoulos","sequence":"additional","affiliation":[]},{"given":"Spyridon","family":"Papastergiou","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2026,2,10]]},"reference":[{"key":"1218_CR1","doi-asserted-by":"crossref","unstructured":"Papastergiou, S., Islam, S., Kalogeraki, E.M., Chatzopoulou, A., Bountakas, P., Pournaras, K., Beena, S., Polemi, N.: Composite Inspection and Certification (CIC) System for Cybersecuity Assessment of ICT Products, Services, and Processes. In: 2024 IEEE International Conference on Cyber Security and Resilience (CSR). IEEE (2024)","DOI":"10.1109\/CSR61664.2024.10679467"},{"key":"1218_CR2","unstructured":"ENISA: Industry 4.0 Cybersecurity Challenges and Recommendations. European Union Agency for Cybersecurity (2020)"},{"key":"1218_CR3","volume-title":"Regulation (EU) 2019\/881 of the European Parliament and of the Council on ENISA","author":"E Union","year":"2019","unstructured":"Union, E.: Regulation (EU) 2019\/881 of the European Parliament and of the Council on ENISA. Off. J. Eur, Union (2019)"},{"key":"1218_CR4","unstructured":"Common Criteria Portal: Common Criteria for Information Technology Security Evaluation, Part 1, ISO\/IEC 15408 (2024)"},{"key":"1218_CR5","doi-asserted-by":"crossref","unstructured":"Basheer, N., Islam, S., Papastergiou, S., Kalogeraki, E.M.: Composite Product Cybersecurity Certification Using Explainable AI Based Dynamic Risk Assessment. In: IEEE International Conference on Cyber Security and Resilience (CSR) (2025)","DOI":"10.1109\/CSR64739.2025.11130134"},{"key":"1218_CR6","doi-asserted-by":"publisher","DOI":"10.1016\/j.inffus.2024.102303","volume":"107","author":"H Baniecki","year":"2024","unstructured":"Baniecki, H., Biecek, P.: Adversarial attacks and defenses in explainable artificial intelligence: A survey. Information Fusion 107, 102303 (2024)","journal-title":"Information Fusion"},{"key":"1218_CR7","doi-asserted-by":"crossref","unstructured":"Mia, M., Pritom, M.M.A.: Explainable but Vulnerable: Adversarial Attacks on XAI Explanation in Cybersecurity Applications. arXiv preprint arXiv:2510.03623 (2025)","DOI":"10.1109\/TPS-ISA67132.2025.00020"},{"key":"1218_CR8","doi-asserted-by":"crossref","unstructured":"Yeboah-Ofori, A., Ismail, U.M., Swidurski, T., Opoku-Boateng, F.: Cyber threat ontology and adversarial machine learning attacks: Analysis and prediction perturbance. In: IEEE International Conference on Cyber Security and Resilience (CSR), pp. 71\u201377 (2021)","DOI":"10.1109\/ICCMA53594.2021.00020"},{"key":"1218_CR9","doi-asserted-by":"crossref","unstructured":"Srinivas, J., Das, A.K., Kumar, N.: Government regulations in cyber security: Framework, standards and recommendations. Future Gener. Comput. Syst. 92, 178\u2013188 (2019). https:\/\/doi.org\/10.1016\/j.future.2018.09.063","DOI":"10.1016\/j.future.2018.09.063"},{"key":"1218_CR10","doi-asserted-by":"crossref","unstructured":"Marotta, A., Madnick, S.: Analyzing and Categorizing Emerging Cybersecurity Regulations. ACM Comput. Surv. 58(2), Article 51 (2025). https:\/\/doi.org\/10.1145\/3757318","DOI":"10.1145\/3757318"},{"key":"1218_CR11","doi-asserted-by":"crossref","unstructured":"Basheer, N., Islam, S., Alwaheidi, M.K.S., Mouratidis, H., Papastergiou, S.: Large language model based hybrid framework for automatic vulnerability detection with explainable AI for cybersecurity enhancement. Integr. Comput.-Aided Eng. (2025). https:\/\/doi.org\/10.1177\/10692509251368663","DOI":"10.1177\/10692509251368663"},{"key":"1218_CR12","unstructured":"da Ponte, F.R.P., Rodrigues, E.B., Mattos, C.L.C.: CVEjoin: An Information Security Vulnerability and Threat Intelligence Dataset. https:\/\/figshare.com\/articles\/dataset\/CVEjoin_A_Security_Dataset_of_Vulnerability_and_Threat_Intelligence_Information\/21586923 (2025). Accessed 2025"},{"key":"1218_CR13","doi-asserted-by":"crossref","unstructured":"Mohale, V.Z., Obagbuwa, I.C.: A systematic review on the integration of explainable artificial intelligence in intrusion detection systems to enhancing transparency and interpretability in cybersecurity. Front. Artif. Intell. 8 (2025)","DOI":"10.3389\/frai.2025.1526221"},{"key":"1218_CR14","volume-title":"Regulation (EU) 2019\/881 of the European Parliament and of the Council on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification","author":"E Union","year":"2019","unstructured":"Union, E.: Regulation (EU) 2019\/881 of the European Parliament and of the Council on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification. Off. J. Eur, Union (2019)"},{"key":"1218_CR15","unstructured":"European Commission: European Common Criteria-based cybersecurity certification scheme (EUCC), Commission Implementing Regulation (EU) 2024\/482 (2024)"},{"key":"1218_CR16","unstructured":"ENISA: EUCC Cybersecurity Certification Scheme - Assurance Levels and Evaluation Methodology. European Union Agency for Cybersecurity (2024)"},{"key":"1218_CR17","unstructured":"Common Criteria Portal: Common Criteria for Information Technology Security Evaluation (2024)"},{"key":"1218_CR18","unstructured":"ENISA: Security Profiles for ICT Products. European Union Agency for Cybersecurity (2023)"},{"key":"1218_CR19","doi-asserted-by":"crossref","unstructured":"Tillu, R., Muthusubramanian, M., Periyasamy, V.: From data to compliance: The role of AI\/ML in optimizing regulatory reporting processes. J. Knowl. Learn. Sci. Technol. 2 (2023)","DOI":"10.60087\/jklst.vol2.n3.p391"},{"key":"1218_CR20","doi-asserted-by":"crossref","unstructured":"Folorunso, A., Adewumi, T., Adewa, A., Okonkwo, R., Olawumi, T.N.: Impact of AI on cybersecurity and security compliance. Glob. J. Eng. Technol. Adv. 21 (2024)","DOI":"10.30574\/gjeta.2024.21.1.0193"},{"key":"1218_CR21","volume-title":"Regulatory implications of explainable AI in cybersecurity frameworks","author":"C James","year":"2022","unstructured":"James, C.: Regulatory implications of explainable AI in cybersecurity frameworks. Research Publication, Stanford University (2022)"},{"key":"1218_CR22","doi-asserted-by":"crossref","unstructured":"Gaspar, D., Silva, P., Silva, C.: Explainable AI for intrusion detection systems: LIME and SHAP applicability on multi-layer perceptron. IEEE Access 12 (2024)","DOI":"10.1109\/ACCESS.2024.3368377"},{"issue":"1","key":"1218_CR23","doi-asserted-by":"publisher","first-page":"5","DOI":"10.1023\/A:1010933404324","volume":"45","author":"L Breiman","year":"2001","unstructured":"Breiman, L.: Random Forests. Mach. Learn. 45(1), 5\u201332 (2001)","journal-title":"Mach. Learn."},{"issue":"10","key":"1218_CR24","doi-asserted-by":"publisher","first-page":"1340","DOI":"10.1093\/bioinformatics\/btq134","volume":"26","author":"A Altmann","year":"2010","unstructured":"Altmann, A., Tolo\u015fi, L., Sander, O., Lengauer, T.: Permutation importance: a corrected feature importance measure. Bioinformatics 26(10), 1340\u20131347 (2010)","journal-title":"Bioinformatics"},{"key":"1218_CR25","doi-asserted-by":"publisher","first-page":"307","DOI":"10.1186\/1471-2105-9-307","volume":"9","author":"C Strobl","year":"2008","unstructured":"Strobl, C., Boulesteix, A.L., Kneib, T., Augustin, T., Zeileis, A.: Conditional variable importance for random forests. BMC Bioinformatics 9, 307 (2008)","journal-title":"BMC Bioinformatics"},{"key":"1218_CR26","doi-asserted-by":"crossref","unstructured":"Ahmed, S., Al-Shareeda, M., Alturjman, F.: Explainable AI-based innovative hybrid ensemble model for intrusion detection. J. Cloud Comput. 13 (2024)","DOI":"10.1186\/s13677-024-00712-x"},{"key":"1218_CR27","doi-asserted-by":"crossref","unstructured":"Zhang, J., Bu, H., Wen, H., Chen, Y., Li, L., Zhu, H.: When LLMs meet cybersecurity: A systematic literature review. Cybersecurity 8 (2025)","DOI":"10.1186\/s42400-025-00361-w"},{"key":"1218_CR28","unstructured":"Li, M., Wang, S., Zhang, Q.: Large language model for vulnerability detection and repair: Literature review and the road ahead. arXiv preprint arXiv:2404.02525 (2024)"},{"key":"1218_CR29","doi-asserted-by":"crossref","unstructured":"Elkhawaga, G., Elzeki, O., Abuelkheir, M., Reichert, M.: Evaluating Explainable Artificial Intelligence Methods. Electronics 12 (2023)","DOI":"10.3390\/electronics12071670"},{"key":"1218_CR30","doi-asserted-by":"crossref","unstructured":"Yan, F., Wen, S., Nepal, S., Paris, C., Xiang, Y.: Explainable machine learning in cybersecurity: A survey. Int. J. Intell. Syst. 37 (2022)","DOI":"10.1002\/int.23088"},{"key":"1218_CR31","unstructured":"European Commission: Proposal for a Regulation Laying Down Harmonised Rules on Artificial Intelligence (Artificial Intelligence Act). Brussels (2021)"},{"key":"1218_CR32","unstructured":"ISO: ISO\/IEC 42001: Artificial Intelligence \u2013 Management System. Geneva (2023)"},{"key":"1218_CR33","unstructured":"National Institute of Standards and Technology: Artificial Intelligence Risk Management Framework (AI RMF 1.0). Gaithersburg, MD (2023)"},{"key":"1218_CR34","doi-asserted-by":"crossref","unstructured":"Razzak, I., Imran, M., Xu, G.: An optimized ensemble model with advanced feature selection for network intrusion detection. PeerJ Comput. Sci. 10 (2024)","DOI":"10.7717\/peerj-cs.2472"},{"key":"1218_CR35","unstructured":"Wang, W., Zhao, Y., Liu, Q.: How Robust is GPT-3.5 to Predecessors? A Comprehensive Study on Language Understanding Tasks. arXiv preprint arXiv:2303.00293 (2023)"},{"key":"1218_CR36","volume-title":"A feature selection-driven machine learning framework for anomaly-based intrusion detection systems","author":"MS Anwer","year":"2025","unstructured":"Anwer, M.S., Imran, M.: A feature selection-driven machine learning framework for anomaly-based intrusion detection systems. Peer Netw, Appl (2025)"},{"key":"1218_CR37","doi-asserted-by":"crossref","unstructured":"Simon, S.M., Glaum, P., Valdovinos, F.S.: Interpreting random forest analysis of ecological models to move from prediction to explanation. Sci. Rep. 13 (2023)","DOI":"10.1038\/s41598-023-30313-8"},{"key":"1218_CR38","doi-asserted-by":"crossref","unstructured":"Liu, M., Cen, L., Ruta, D.: Gradient boosting models for cybersecurity threat detection with aggregated time series features. In: 2023 18th Conference on Computer Science and Intelligence Systems (FedCSIS). IEEE (2023)","DOI":"10.15439\/2023F4457"},{"key":"1218_CR39","doi-asserted-by":"crossref","unstructured":"Zou, H., Hastie, T.: Regularization and variable selection via the elastic net. J. R. Stat. Soc. Series B Stat. Methodol. 67 (2005)","DOI":"10.1111\/j.1467-9868.2005.00503.x"},{"key":"1218_CR40","unstructured":"Brown, T., Mann, B., Ryder, N., Subbiah, M., Kaplan, J., Dhariwal, P., Neelakantan, A., Shyam, P., Sastry, G., Askell, A., Agarwal, S., Herbert-Voss, A., Krueger, G., Henighan, T., Child, R., Ramesh, A., Ziegler, D.M., Wu, J., Winter, C., Hesse, C., Chen, M., Sigler, E., Litwin, M., Gray, S., Chess, B., Clark, J., Berner, C., McCandlish, S., Radford, A., Sutskever, I., Amodei, D.: Language models are few-shot learners. Adv. Neural Inf. Process. Syst. 33 (2020)"},{"key":"1218_CR41","unstructured":"NIST MITRE CPE: Common Platform Enumeration (2025)"},{"key":"1218_CR42","unstructured":"Software Bill of Materials (SBOM): NTIA Software Bill of Materials (2025)"},{"issue":"4","key":"1218_CR43","first-page":"279","volume":"39","author":"TO Kv\u00e5lseth","year":"1985","unstructured":"Kv\u00e5lseth, T.O.: Cautionary note about R$$^2$$. Am. Stat. 39(4), 279\u2013285 (1985)","journal-title":"Am. Stat."},{"key":"1218_CR44","doi-asserted-by":"crossref","unstructured":"Chai, T., Draxler, R.R.: Root mean square error (RMSE) or mean absolute error (MAE)?\u2013Arguments against avoiding RMSE in the literature. Geosci. Model Dev. 7 (2014)","DOI":"10.5194\/gmdd-7-1525-2014"},{"issue":"1","key":"1218_CR45","doi-asserted-by":"publisher","first-page":"79","DOI":"10.3354\/cr030079","volume":"30","author":"CJ Willmott","year":"2005","unstructured":"Willmott, C.J., Matsuura, K.: Advantages of the mean absolute error (MAE) over the root mean square error (RMSE) in assessing average model performance. Clim. Res. 30(1), 79\u201382 (2005)","journal-title":"Clim. Res."},{"key":"1218_CR46","unstructured":"National Institute of Standards and Technology: Security and privacy controls for information systems and organizations, NIST SP 800-53r5 (2020)"},{"key":"1218_CR47","unstructured":"OpenAI: GPT-3.5 Turbo fine-tuning and API updates (2025)"},{"key":"1218_CR48","unstructured":"P-Net: P-Net Testing Infrastructure (2025)"},{"key":"1218_CR49","doi-asserted-by":"crossref","unstructured":"Kosenkov, O., Elahidoost, P., Gorschek, T., Fischbach, J., Mendez, D., Unterkalmsteiner, M., Fucci, D., Mohanani, R.: Systematic mapping study on requirements engineering for regulatory compliance of software systems. Inf. Softw. Technol. 178 (2025)","DOI":"10.1016\/j.infsof.2024.107622"},{"key":"1218_CR50","doi-asserted-by":"crossref","unstructured":"Abualhaija, S., Ceci, M., Briand, L.: Legal Requirements Analysis: A Regulatory Compliance Perspective. In: Handbook on Natural Language Processing for Requirements Engineering (2025)","DOI":"10.1007\/978-3-031-73143-3_8"},{"key":"1218_CR51","doi-asserted-by":"crossref","unstructured":"Alecci, M., Sannier, N., Ceci, M., Abualhaija, S., Samhi, J., Bianculli, D.: Toward LLM-Driven GDPR Compliance Checking for Android Apps. In: Proceedings of the 33rd ACM International Conference on the Foundations of Software Engineering (2025)","DOI":"10.1145\/3696630.3728508"},{"key":"1218_CR52","doi-asserted-by":"crossref","unstructured":"Etezadi, R., Abualhaija, S., Arora, C., Briand, L.: Classification or Prompting: A Case Study on Legal Requirements Traceability. arXiv preprint arXiv:2502.04916 (2025)","DOI":"10.1007\/s10664-026-10827-1"},{"key":"1218_CR53","doi-asserted-by":"crossref","unstructured":"Abdeen, W., Wnuk, K., Unterkalmsteiner, M., Chirtoglou, A.: Challenges of Requirements Communication and Digital Assets Verification in Infrastructure Projects. arXiv preprint arXiv:2504.20511 (2025)","DOI":"10.37190\/e-Inf250107"},{"key":"1218_CR54","unstructured":"Abdeen, W., Unterkalmsteiner, M., Wnuk, K.: Auxiliary Artifacts in Requirements Traceability: A Systematic Mapping Study. arXiv preprint arXiv:2504.19658 (2025)"},{"key":"1218_CR55","volume-title":"NLP4RE Tools: Classification","author":"J Frattini","year":"2025","unstructured":"Frattini, J., Unterkalmsteiner, M., Fucci, D., Mendez, D.: NLP4RE Tools: Classification. Handbook on Natural Language Processing for Requirements Engineering, Overview and Management. In (2025)"}],"container-title":["International Journal of Information Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10207-026-01218-0.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s10207-026-01218-0","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10207-026-01218-0.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,4,13]],"date-time":"2026-04-13T09:18:35Z","timestamp":1776071915000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s10207-026-01218-0"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,2,10]]},"references-count":55,"journal-issue":{"issue":"2","published-online":{"date-parts":[[2026,4]]}},"alternative-id":["1218"],"URL":"https:\/\/doi.org\/10.1007\/s10207-026-01218-0","relation":{},"ISSN":["1615-5270"],"issn-type":[{"value":"1615-5270","type":"electronic"}],"subject":[],"published":{"date-parts":[[2026,2,10]]},"assertion":[{"value":"24 November 2025","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"15 January 2026","order":2,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"10 February 2026","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"The authors would like to announce no conflict of interest.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Conflict of interest"}},{"value":"This article does not contain any examinations with human members or animals performed by any of the authors.","order":3,"name":"Ethics","group":{"name":"EthicsHeading","label":"Ethical approval"}},{"value":"The authors declare no competing interests.","order":4,"name":"Ethics","group":{"name":"EthicsHeading","label":"Competing interests"}},{"value":"The complete source code generated during this work, implementing the hybrid AI-based dynamic risk assessment framework and the associated Explainable AI (XAI) operationalization techniques, is publicly available to support reproducibility. The repository, which includes the ensemble learning modules, GPT-3.5 integration logic, and automated audit evidence generation scripts, can be accessed at:\n \n .","order":5,"name":"Ethics","group":{"name":"EthicsHeading","label":"Source code availability"}}],"article-number":"51"}}