Developing a Unified Cyber Risk Management Framework Using Semantic Technologies and Structured Modeling Approaches
Received: 6 August 2025 | Revised: 11 September 2025, 5 October 2025, 14 October 2025, and 19 October 2025 | Accepted: 21 October 2025 | Online: 9 February 2026
Corresponding author: Youssef El Marzak
Abstract
Cybersecurity knowledge is often fragmented across heterogeneous ontologies and standards, limiting consistent and interoperable risk management. This study proposes a unified hybrid ontology by integrating ISO/IEC 27005 and the National Institute of Standards and Technology Special Publication 800-30 (NIST SP 800-30), selected for their complementary approaches to risk identification, assessment, and treatment. A Unified Modeling Language (UML) metamodel was designed, translated into the Resource Description Framework (RDF), enriched with Web Ontology Language (OWL) rules, and validated using the World Wide Web Consortium (W3C) RDF Validator. The resulting ontology (~200 RDF triples) achieved full syntactic conformity after resolving seven detected inconsistencies. Unlike previous static models, the framework reacts dynamically to real-time security events: when a vulnerability is reported, it is linked to affected assets and threats, triggering automatic risk recalculation and activation of treatment plans (avoidance, transfer, mitigation, or acceptance). Monitored by Key Performance Indicators (KPIs), the system ensures proactive, adaptive, and continuously aligned risk management, while remaining extensible to additional frameworks such as the Center for Internet Security (CIS) Controls and Control Objectives for Information and Related Technologies (COBIT).
Keywords:
W3C RDF, cyber risk management, ISO/IEC 27005, NIST SP 800-30
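The abstract describes an event-driven loop: a reported vulnerability is linked to the assets it affects and the threats that exploit it, the risk for those assets is recalculated, and one of the four treatment options is activated, with KPIs watching the result. The following is an added illustration of that loop, not code from the paper or the authors' ontology: it uses a pure-Python stand-in for an RDF graph (a set of subject/predicate/object triples) instead of a real RDF library. The `http://example.org/cyberrisk#` namespace, the class and property names (`Asset`, `Threat`, `Vulnerability`, `Risk`, `affects`, `exploits`, `impact`, `likelihood`, `score`, `treatment`, `concerns`), the 1..5 likelihood x impact scale, the treatment thresholds and the sample data are all constructed assumptions; the page does not specify them.

```python
# Added example, not code from the paper: a pure-Python stand-in for an RDF graph
# showing the event-driven flow the abstract describes. The namespace, class and
# property names, the 1..5 likelihood x impact scale, the treatment thresholds and
# the sample data are all constructed assumptions, not the authors' ontology.
from typing import Iterator

EX = "http://example.org/cyberrisk#"  # constructed namespace, not the paper's IRIs
RDF_TYPE = "http://www.w3.org/1999/02/22-rdf-syntax-ns#type"


def ex(local: str) -> str:
    return EX + local


class TripleStore:
    """Set of (subject, predicate, object) triples; None in match() acts as a wildcard."""

    def __init__(self) -> None:
        self.triples: set[tuple[str, str, str]] = set()

    def add(self, s: str, p: str, o: str) -> None:
        self.triples.add((s, p, o))

    def match(self, s=None, p=None, o=None) -> Iterator[tuple[str, str, str]]:
        for t in self.triples:
            if (s is None or t[0] == s) and (p is None or t[1] == p) and (o is None or t[2] == o):
                yield t

    def set_value(self, s: str, p: str, o: str) -> None:
        """Overwrite the object of (s, p, *) so a recalculation replaces the old score."""
        self.triples -= set(self.match(s, p))
        self.add(s, p, o)

    def to_ntriples(self) -> list[str]:
        """Serialise as N-Triples lines (IRIs in <>, everything else as a plain literal)."""
        fmt = lambda v: f"<{v}>" if v.startswith("http") else f'"{v}"'
        return sorted(f"{fmt(s)} {fmt(p)} {fmt(o)} ." for s, p, o in self.triples)


def choose_treatment(score: int) -> str:
    """Assumed mapping from score (1..25) to the four treatment options named in the abstract."""
    if score >= 20:
        return "Avoidance"
    if score >= 12:
        return "Mitigation"
    if score >= 6:
        return "Transfer"
    return "Acceptance"


def recalculate_risks(store: TripleStore) -> dict[str, tuple[int, str]]:
    """Recompute one Risk node per asset from the vulnerabilities that affect it.
    A vulnerability only contributes when at least one Threat exploits it."""
    results: dict[str, tuple[int, str]] = {}
    for asset, _, _ in list(store.match(None, RDF_TYPE, ex("Asset"))):
        impact = int(next(store.match(asset, ex("impact")))[2])
        worst = 0
        for vuln, _, _ in list(store.match(None, ex("affects"), asset)):
            if not any(store.match(None, ex("exploits"), vuln)):
                continue  # known weakness, but no threat linked to it yet
            likelihood = int(next(store.match(vuln, ex("likelihood")))[2])
            worst = max(worst, likelihood * impact)
        if worst == 0:
            continue
        risk = ex("Risk_" + asset.rsplit("#", 1)[1])
        plan = choose_treatment(worst)
        store.add(risk, RDF_TYPE, ex("Risk"))
        store.add(risk, ex("concerns"), asset)
        store.set_value(risk, ex("score"), str(worst))
        store.set_value(risk, ex("treatment"), ex(plan))
        results[asset] = (worst, plan)
    return results


def report_vulnerability(store, vuln, affected_assets, threats, likelihood):
    """Event handler: link the new vulnerability to assets and threats, then recalculate."""
    store.add(vuln, RDF_TYPE, ex("Vulnerability"))
    store.set_value(vuln, ex("likelihood"), str(likelihood))
    for asset in affected_assets:
        store.add(vuln, ex("affects"), asset)
    for threat in threats:
        store.add(threat, ex("exploits"), vuln)
    return recalculate_risks(store)


def kpi_open_high_risks(store: TripleStore, threshold: int = 12) -> int:
    # Example KPI (constructed): number of Risk nodes scoring at or above the threshold.
    return sum(1 for risk, _, _ in store.match(None, RDF_TYPE, ex("Risk"))
               if int(next(store.match(risk, ex("score")))[2]) >= threshold)


def demo() -> tuple[TripleStore, dict[str, tuple[int, str]]]:
    """Constructed scenario: three assets, one threat, one vulnerability report."""
    g = TripleStore()
    for name, impact in (("WebServer", 4), ("HRDatabase", 5), ("Printer", 1)):
        g.add(ex(name), RDF_TYPE, ex("Asset"))
        g.add(ex(name), ex("impact"), str(impact))
    g.add(ex("ExternalAttacker"), RDF_TYPE, ex("Threat"))
    # A weakness on the printer with no threat linked to it: produces no Risk node.
    g.add(ex("VULN-EXAMPLE-0002"), RDF_TYPE, ex("Vulnerability"))
    g.add(ex("VULN-EXAMPLE-0002"), ex("affects"), ex("Printer"))
    g.add(ex("VULN-EXAMPLE-0002"), ex("likelihood"), "5")
    # The incoming event: a vulnerability report covering both servers.
    results = report_vulnerability(g, ex("VULN-EXAMPLE-0001"),
                                   [ex("WebServer"), ex("HRDatabase")],
                                   [ex("ExternalAttacker")], likelihood=4)
    return g, results


if __name__ == "__main__":
    graph, risks = demo()
    for asset, (score, plan) in sorted(risks.items()):
        print(f"{asset.rsplit('#', 1)[1]}: score={score} treatment={plan}")
    print("open high risks:", kpi_open_high_risks(graph), "\n" + "\n".join(graph.to_ntriples()))
```

Two design points carry over to a real RDF implementation: the score and treatment are written with `set_value`, so a second recalculation overwrites the previous value instead of leaving two conflicting `score` triples on the same Risk node; and a vulnerability that no Threat node exploits yields no Risk, so the graph only recomputes where the vulnerability-asset-threat linkage the abstract describes is actually present. In a production graph, the `to_ntriples()` output is the kind of serialisation one would feed to a validator such as the W3C RDF Validator mentioned in the abstract.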
Copyright (c) 2025 Youssef El Marzak, Abdelilah Chahid, Sophia Faris, Khalifa Mansouri

This work is licensed under a Creative Commons Attribution 4.0 International License.