{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,11,2]],"date-time":"2025-11-02T06:51:59Z","timestamp":1762066319909,"version":"build-2065373602"},"reference-count":37,"publisher":"MDPI AG","issue":"9","license":[{"start":{"date-parts":[[2022,9,2]],"date-time":"2022-09-02T00:00:00Z","timestamp":1662076800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Algorithms"],"abstract":"<jats:p>The cyber threat landscape is highly dynamic, posing a significant risk to the operations of systems and organisations. An organisation should, therefore, continuously monitor for new threats and properly contextualise them to identify and manage the resulting risks. Risk identification is typically performed manually, relying on the integration of information from various systems as well as subject matter expert knowledge. This manual risk identification hinders the systematic consideration of new, emerging threats. This paper describes a novel method to promote automated cyber risk identification: OnToRisk. This artificial intelligence method integrates information from various sources using formal ontology definitions, and then relies on these definitions to robustly frame cybersecurity threats and provide risk-related insights. We describe a successful case study implementation of the method to frame the threat from a newly disclosed vulnerability and identify its induced organisational risk. The case study is representative of common and widespread real-life challenges, and, therefore, showcases the feasibility of using OnToRisk to sustainably identify new risks. Further applications may contribute to establishing OnToRisk as a comprehensive, disciplined mechanism for risk identification.<\/jats:p>","DOI":"10.3390\/a15090316","type":"journal-article","created":{"date-parts":[[2022,9,5]],"date-time":"2022-09-05T20:48:25Z","timestamp":1662410905000},"page":"316","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":8,"title":["Sustainable Risk Identification Using Formal Ontologies"],"prefix":"10.3390","volume":"15","author":[{"ORCID":"https:\/\/orcid.org\/0000-0001-7976-1942","authenticated-orcid":false,"given":"Avi","family":"Shaked","sequence":"first","affiliation":[{"name":"Department of Computer Science, University of Oxford, Oxford OX1 3QD, UK"}]},{"given":"Oded","family":"Margalit","sequence":"additional","affiliation":[{"name":"Department of Computer Science, Ben Gurion University of the Negev, Be\u2019er Sheva 84105, Israel"}]}],"member":"1968","published-online":{"date-parts":[[2022,9,2]]},"reference":[{"key":"ref_1","unstructured":"(2022). Risk Management\u2014Vocabulary (Standard No. ISO 31073:2022)."},{"key":"ref_2","doi-asserted-by":"crossref","unstructured":"Atkinson, C., Cuske, C., and Dickopp, T. (2006, January 16\u201320). Concepts for an Ontology-Centric Technology Risk Management Architecture in the Banking Industry. Proceedings of the 2006 10th IEEE International Enterprise Distributed Object Computing Conference Workshops (EDOCW\u201906), Hong Kong, China.","DOI":"10.1109\/EDOCW.2006.28"},{"key":"ref_3","doi-asserted-by":"crossref","unstructured":"Refsdal, A., Solhaug, B., and St\u00f8len, K. (2015). Cyber-Risk Management, Springer International Publishing. SpringerBriefs in Computer Science.","DOI":"10.1007\/978-3-319-23570-7"},{"key":"ref_4","doi-asserted-by":"crossref","first-page":"105143","DOI":"10.1016\/j.ssci.2020.105143","article-title":"Defining Cyber Risk","volume":"135","author":"Strupczewski","year":"2021","journal-title":"Saf. Sci."},{"key":"ref_5","unstructured":"(2018). Risk Management\u2014Guidelines (Standard No. ISO 31000:2018)."},{"key":"ref_6","doi-asserted-by":"crossref","first-page":"474","DOI":"10.1108\/JRF-09-2016-0122","article-title":"What Do We Know about Cyber Risk and Cyber Risk Insurance?","volume":"17","author":"Eling","year":"2016","journal-title":"J. Risk Financ."},{"key":"ref_7","first-page":"615","article-title":"Components and Challenges of Integrated Cyber Risk Management","volume":"104","author":"Kosub","year":"2015","journal-title":"Z. F\u00fcr Die Gesamte Versicher."},{"key":"ref_8","first-page":"1","article-title":"Contingency for Cost Control in Project Management: A Case Study","volume":"3","author":"Jackson","year":"2003","journal-title":"Constr. Econ. Build."},{"key":"ref_9","doi-asserted-by":"crossref","first-page":"14","DOI":"10.1016\/j.compind.2018.08.002","article-title":"Computers in Industry Future Developments in Cyber Risk Assessment for the Internet of Things","volume":"102","author":"Radanliev","year":"2018","journal-title":"Comput. Ind."},{"key":"ref_10","doi-asserted-by":"crossref","first-page":"101761","DOI":"10.1016\/j.cose.2020.101761","article-title":"A Review and Theoretical Explanation of the \u2018Cyberthreat-Intelligence (CTI) Capability\u2019 That Needs to Be Fostered in Information Security Practitioners and How This Can Be Accomplished","volume":"92","author":"Shin","year":"2020","journal-title":"Comput. Secur."},{"key":"ref_11","doi-asserted-by":"crossref","unstructured":"Kotsias, J., Ahmad, A., and Scheepers, R. (2022). Adopting and Integrating Cyber-Threat Intelligence in a Commercial Organisation. Eur. J. Inf. Syst., 1\u201317.","DOI":"10.1080\/0960085X.2022.2088414"},{"key":"ref_12","unstructured":"(2022, August 24). Risk Registers (ENISA). Available online: https:\/\/www.enisa.europa.eu\/topics\/threat-risk-management\/risk-management\/current-risk\/bcm-resilience\/bc-plan\/supporting-documents\/risk-registers."},{"key":"ref_13","doi-asserted-by":"crossref","unstructured":"Chen, Y., Boehm, B., and Sheppard, L. (2007, January 3\u20136). Value Driven Security Threat Modeling Based on Attack Path Analysis. Proceedings of the Annual Hawaii International Conference on System Sciences, Waikoloa, HI, USA.","DOI":"10.1109\/HICSS.2007.601"},{"key":"ref_14","doi-asserted-by":"crossref","first-page":"101867","DOI":"10.1016\/j.cose.2020.101867","article-title":"TIMiner: Automatically Extracting and Analyzing Categorized Cyber Threat Intelligence from Social Data","volume":"95","author":"Zhao","year":"2020","journal-title":"Comput. Secur."},{"key":"ref_15","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1007\/s12198-018-0195-z","article-title":"MITIGATE: A Dynamic Supply Chain Cyber Risk Assessment Methodology","volume":"12","author":"Schauer","year":"2019","journal-title":"J. Transp. Secur."},{"key":"ref_16","doi-asserted-by":"crossref","unstructured":"Shaked, A., and Margalit, O. (2022, January 7\u201311). OnToRisk\u2013A Formal Ontology Approach to Automate Cyber Security Risk Identification. Proceedings of the 2022 17th Annual System of Systems Engineering Conference (SOSE), Rochester, NY, USA.","DOI":"10.1109\/SOSE55472.2022.9812653"},{"key":"ref_17","doi-asserted-by":"crossref","first-page":"907","DOI":"10.1006\/ijhc.1995.1081","article-title":"Towards Principles for Design of Ontologies Used for Knowledge Sharing","volume":"43","author":"Gruber","year":"1995","journal-title":"Int. J. Hum.-Comput. Stud."},{"key":"ref_18","doi-asserted-by":"crossref","first-page":"76","DOI":"10.1109\/MIS.2008.10","article-title":"Near-Term Prospects for Semantic Technologies","volume":"23","author":"Benjamins","year":"2008","journal-title":"IEEE Intell. Syst."},{"key":"ref_19","doi-asserted-by":"crossref","first-page":"20","DOI":"10.1109\/5254.747902","article-title":"What Aro Ontologies, and Why Do We Need Them?","volume":"14","author":"Chandrasekaran","year":"1999","journal-title":"IEEE Intell. Syst. Appl."},{"key":"ref_20","doi-asserted-by":"crossref","unstructured":"Poole, D.L., and Mackworth, A.K. (2017). Artificial Intelligence, Cambridge University Press.","DOI":"10.1017\/9781108164085"},{"key":"ref_21","doi-asserted-by":"crossref","unstructured":"Wang, J.A., and Guo, M. (2009, January 3\u20135). Security Data Mining in an Ontology for Vulnerability Management. Proceedings of the 2009 International Joint Conference on Bioinformatics, Systems Biology and Intelligent Computing (IJCBS 2009), Shanghai, China.","DOI":"10.1109\/IJCBS.2009.13"},{"key":"ref_22","doi-asserted-by":"crossref","first-page":"235","DOI":"10.1007\/s12599-017-0488-y","article-title":"Recommendation-Based Conceptual Modeling and Ontology Evolution Framework (CMOE+)","volume":"59","author":"Gailly","year":"2017","journal-title":"Bus. Inf. Syst. Eng."},{"key":"ref_23","doi-asserted-by":"crossref","first-page":"438","DOI":"10.1007\/s12599-009-0078-8","article-title":"Semantic Process Modeling\u2014Design and Implementation of an Ontology-Based Representation of Business Processes","volume":"1","author":"Thomas","year":"2009","journal-title":"Bus. Inf. Syst. Eng."},{"key":"ref_24","doi-asserted-by":"crossref","unstructured":"Meng, X., Wang, F., Xie, Y., Song, G., Ma, S., Hu, S., Bai, J., and Yang, Y. (2018). An Ontology-Driven Approach for Integrating Intelligence to Manage Human and Ecological Health Risks in the Geospatial Sensor Web. Sensors, 18.","DOI":"10.3390\/s18113619"},{"key":"ref_25","doi-asserted-by":"crossref","unstructured":"Shen, Y., Xu, M., Lin, Y., Cui, C., Shi, X., and Liu, Y. (2022). Safety Risk Management of Prefabricated Building Construction Based on Ontology Technology in the BIM Environment. Buildings, 12.","DOI":"10.3390\/buildings12060765"},{"key":"ref_26","doi-asserted-by":"crossref","first-page":"19","DOI":"10.1186\/s42400-020-00060-8","article-title":"Automating Threat Modeling Using an Ontology Framework: Validated with Data from Critical Infrastructures","volume":"3","author":"Heiding","year":"2020","journal-title":"Cybersecurity"},{"key":"ref_27","doi-asserted-by":"crossref","unstructured":"Aranovich, R., Wu, M., Yu, D., Katsy, K., Ahmadnia, B., Bishop, M., Filkov, V., and Sagae, K. (2021). Beyond NVD: Cybersecurity Meets the Semantic Web. ACM International Conference Proceeding Series, Association for Computing Machinery.","DOI":"10.1145\/3498891.3501259"},{"key":"ref_28","doi-asserted-by":"crossref","unstructured":"Mozzaquatro, B., Agostinho, C., Goncalves, D., Martins, J., and Jardim-Goncalves, R. (2018). An Ontology-Based Cybersecurity Framework for the Internet of Things. Sensors, 18.","DOI":"10.3390\/s18093053"},{"key":"ref_29","doi-asserted-by":"crossref","unstructured":"Vega-Barbas, M., Villagr\u00e1, V.A., Monje, F., Riesco, R., Larriva-Novo, X., and Berrocal, J. (2019). Ontology-Based System for Dynamic Risk Management in Administrative Domains. Appl. Sci., 9.","DOI":"10.3390\/app9214547"},{"key":"ref_30","doi-asserted-by":"crossref","first-page":"1655","DOI":"10.1109\/TDSC.2020.3033150","article-title":"Automated Security Risk Identification Using AutomationML-Based Engineering Data","volume":"19","author":"Eckhart","year":"2022","journal-title":"IEEE Trans. Dependable Secur. Comput."},{"key":"ref_31","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1145\/3092566","article-title":"Software Vulnerability Analysis and Discovery Using Machine-Learning and Data-Mining Techniques: A Survey","volume":"50","author":"Ghaffarian","year":"2017","journal-title":"ACM Comput. Surv."},{"key":"ref_32","unstructured":"Yin, R.K. (2009). Case Study Research: Design and Methods, SAGE."},{"key":"ref_33","unstructured":"Adkins, H. (2022). Review of the December 2021 Log4j Event, Cybersecurity and Infrastructure Security Agency."},{"key":"ref_34","first-page":"18","article-title":"2022 Cyber Landscape","volume":"69","author":"Tuttle","year":"2022","journal-title":"Risk Manag."},{"key":"ref_35","unstructured":"(2022, March 14). Prot\u00e9g\u00e9. Available online: http:\/\/protege.stanford.edu."},{"key":"ref_36","unstructured":"(2022, March 21). The CoModIDE Plugin for Prot\u00e9g\u00e9 Repository. Available online: https:\/\/github.com\/comodide\/CoModIDE."},{"key":"ref_37","unstructured":"(2022, August 17). MITRE CVE Website. Available online: https:\/\/cve.mitre.org\/."}],"container-title":["Algorithms"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/1999-4893\/15\/9\/316\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,11]],"date-time":"2025-10-11T00:22:27Z","timestamp":1760142147000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/1999-4893\/15\/9\/316"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,9,2]]},"references-count":37,"journal-issue":{"issue":"9","published-online":{"date-parts":[[2022,9]]}},"alternative-id":["a15090316"],"URL":"https:\/\/doi.org\/10.3390\/a15090316","relation":{},"ISSN":["1999-4893"],"issn-type":[{"type":"electronic","value":"1999-4893"}],"subject":[],"published":{"date-parts":[[2022,9,2]]}}}