Systematic Review

Toward a Unified View of Cybersecurity Ontologies: A Systematic Review and Conceptual Consolidation

by Ricardo Gacitua * and Mauricio Diéguez-Rebolledo
Computer Science and Informatics Department, Universidad de La Frontera, Temuco 4780000, Chile
* Author to whom correspondence should be addressed.
Appl. Sci. 2026, 16(12), 6185; https://doi.org/10.3390/app16126185 (registering DOI)
Submission received: 10 November 2025 / Revised: 14 December 2025 / Accepted: 19 December 2025 / Published: 18 June 2026
(This article belongs to the Special Issue New Advances in Cybersecurity Technology and Cybersecurity Management)

Abstract

(1) Background: Cybersecurity has grown in scale and complexity, increasing the need for shared conceptual frameworks that enable consistent, interoperable, and machine-readable representations of security knowledge. Ontologies address this need by structuring core cybersecurity concepts, yet existing efforts vary widely in purpose and methodological rigour. Prior developments tend to follow either an instrumental path—prioritizing usability and rapid adoption—or a formal path, emphasising logical precision and reasoning capabilities. This divergence has resulted in a fragmented landscape lacking analytical synthesis. (2) Methods: To clarify current practices and uncover research opportunities, we conducted a systematic literature review of 93 cybersecurity ontologies published over the past decade. Following PRISMA guidelines, we analysed their conceptual coverage, development methods, validation strategies, and alignment with the NIST Cybersecurity Framework (CSF) 2.0. (3) Results: Despite heterogeneity in scope, the ontologies consistently model core entities such as Asset, Threat, Vulnerability, Attack, and Countermeasure. However, conceptual coverage remains uneven: most contributions focus on the Identify and Detect functions of the NIST CSF, while Respond and Recover are largely underrepresented. This reveals a prevailing emphasis on preventive security rather than resilience and highlights gaps in empirical validation and industrial deployment. (4) Conclusions: The field shows strong conceptual maturation but limited methodological consistency and operational impact. Advancing cybersecurity ontologies will require integrating pragmatic and formal modelling traditions, incorporating emerging techniques such as knowledge graphs and LLM-assisted ontology learning, and expanding coverage toward post-incident response and recovery. These steps are essential for developing a unified, explainable, and adaptive cybersecurity knowledge base capable of supporting real-world security operations.

1. Introduction

The rapid evolution of cyber threats and the increasing complexity of digital ecosystems have transformed cybersecurity into a critical scientific and industrial priority. Organisations must protect diverse assets—ranging from enterprise networks to cyber–physical systems—against sophisticated dynamic attacks [1]. To address this challenge, the cybersecurity community has turned toward formal knowledge representation approaches that enable structured understanding, interoperability, and reasoning across systems. In this context, security ontologies have emerged as a central mechanism to define and interrelate the core concepts of cybersecurity. They provide a semantic foundation for knowledge sharing and automation in activities such as risk management, threat intelligence, incident response, and compliance verification [2,3,4]. In recent years, this role has become even more relevant with the growth of intelligent and data-driven security systems, where ontologies support explainability, semantic integration, and trustworthy automation.
Despite considerable progress, the current landscape of cybersecurity ontologies remains fragmented. Most ontologies are designed independently to address specific objectives—such as vulnerability analysis, access control, or industrial control systems—without coordination or reuse [5,6]. As a result, redundancy, inconsistent terminology, and poor interoperability persist in all models. Core entities such as incident, vulnerability, or control are often defined differently, compromising semantic consistency and hindering the integration of security tools and datasets [7]. Although modularity and ontology alignment have been proposed as solutions, few ontologies implement them systematically. Consequently, there is still no consolidated framework that unifies existing models and promotes shared understanding across cybersecurity domains. Furthermore, emerging developments in areas such as image security, neuromorphic computing, and intelligent threat analysis highlight the growing need for semantically aligned knowledge models capable of integrating heterogeneous sources and supporting advanced reasoning.
This fragmentation has scientific and practical implications. It restricts cross-domain reasoning, hampers automation, and limits the scalability of ontology-based solutions. In addition, the growing adoption of artificial intelligence and explainable reasoning in cybersecurity heightens the need for structured, interoperable, and reusable knowledge representations. Addressing this gap requires first understanding the conceptual and methodological diversity that characterises the field—an understanding that can only be achieved through systematic review and consolidation. By synthesising how cybersecurity ontologies have been designed, applied, and validated, this study aims to lay the foundation for a unified conceptual model that supports semantic alignment and practical reuse. To the best of our knowledge, no prior review has consolidated methodological gaps, conceptual overlaps, and maturity patterns into a structured research agenda for cybersecurity ontology development.
This paper does not introduce a new ontology. Instead, it presents a systematic review and conceptual consolidation of existing cybersecurity ontologies. By analysing ninety-three academic and industrial ontologies, the study identifies recurring core concepts, relationships, and methodological trends that define the current state of the field.
Three research questions guide this work:
  • RQ1: What core concepts and relationships are essential for a complete understanding of security issues?
  • RQ2: What is the predominant focus of existing security ontologies in the literature?
  • RQ3: What is the current stage of development and application of security ontologies, ranging from theoretical constructs to real-world implementations?
This paper makes three main contributions to cybersecurity ontology research:
  • Comprehensive Mapping: It provides the most extensive systematic review to date, analysing 93 cybersecurity ontologies from academic and industrial sources published over the last decade.
  • Conceptual Consolidation: It identifies and harmonises the recurring core concepts and relationships that form the conceptual backbone of cybersecurity knowledge.
  • Methodological Insights: It classifies existing ontologies by thematic focus, methodological orientation, and maturity, revealing both the field’s conceptual strengths and its empirical limitations.
In addition, the study highlights conceptual gaps, limited coverage of the Respond and Recover functions in the NIST CSF 2.0, and the scarcity of real-world validations—thereby providing concrete directions for future ontology development. Together, these contributions establish the analytical foundation for developing a unified and interoperable Integrated Security Ontology, which will be formalised and validated in future work.
By consolidating fragmented research, this study contributes to both academic and practical domains. For researchers, it offers a synthesised map of ontology development, exposing conceptual overlaps, research trends, and gaps. For practitioners, it clarifies how ontologies can be reused or integrated across security contexts to improve decision-making and knowledge sharing. Most importantly, it sets the groundwork for future efforts toward semantic interoperability and standardised cybersecurity knowledge models. The insights derived from this review also connect cybersecurity ontology research with broader security engineering efforts, including resilience-oriented architectures, SOAR platforms, and zero-trust strategies, thereby strengthening both scientific relevance and practical applicability.
In general, this study advances cybersecurity ontology research by offering the most extensive synthesis to date of 93 academic and industrial ontologies, providing a unified classification aligned with the NIST 2.0 Cybersecurity Framework and integrating conceptual, methodological and maturity-orientated perspectives that have not been jointly analysed in previous reviews.
Although several post-2022 studies explore ontology learning through knowledge graphs or large language models (LLMs), these works focus primarily on the process of generating or evolving ontologies rather than on the ontology artefacts themselves. Because the objective of this systematic review is to analyse existing cybersecurity ontologies—their conceptual structures, intended applications, and maturity—techniques for automatic ontology construction fall outside the defined scope. This distinction is important: an ontology represents the abstract schema (concepts, rules, relationships), whereas a knowledge graph is a concrete instantiation of such a schema populated with data. Knowledge graphs and LLM-based extraction methods may assist in producing future ontologies, but they do not constitute ontology artefacts suitable for inclusion in this review.
Recent developments in ontology-learning pipelines, including KG-based representations [8] and LLM-supported ontology induction [9,10], are therefore acknowledged as complementary but methodologically distinct research strands. By focussing strictly on curated ontology artefacts, this review offers a foundational map of what cybersecurity knowledge is currently formalised, identifies conceptual and functional gaps, and provides a baseline against which future automatically generated ontologies may be assessed.
This perspective is reinforced by recent work in the AI community. Falconer [11] argues that the rise of AI agents and LLM-based applications has renewed the importance of ontologies as machine-interpretable semantic structures capable of constraining reasoning, reducing hallucinations, and supporting explainable decision-making. This broader shift suggests that high-quality cybersecurity ontologies will be essential components of trustworthy autonomous security systems, SOAR pipelines, and hybrid symbolic–neural architectures. Our review therefore clarifies not only what current cybersecurity ontologies capture, but also where significant conceptual and operational gaps remain—providing a critical foundation for integrating future ontology-learning techniques into the cybersecurity domain.
The remainder of this paper is structured as follows. Section 2 reviews related work on security ontologies and highlights the gaps that motivate this study. Section 3 presents a systematic classification of security ontologies that frames our analysis. Section 4 presents the systematic review process, including the search strategy, the selection criteria, and the data analysis. Section 5 reports findings organised by research question. Section 6 interprets the results, discussing implications for ontology integration. Section 7 addresses validity considerations, and Section 8 outlines future research directions, including the implementation and evaluation of the ontology. Finally, Section 9 summarises the main insights of the study and outlines the next steps toward a unified ontology framework.

2. Related Work: Ontology Security Surveys

This section reviews the existing literature covering cybersecurity ontologies and identifies gaps in the domain.
Previous work related to the evaluation of domain ontologies in the cybersecurity context is relatively limited. Although numerous studies have surveyed ontologies within the cybersecurity domain [12,13,14,15,16,17], only a handful have undertaken the classification, analysis, or comprehensive evaluation of these ontologies. This scarcity is largely due to the nascent nature of the field, where both academic inquiries and practical implementations are relatively recent developments. As the field matures, there is an increasing demand for systematic methodologies that do more than just propose ontologies; they must also critically examine and refine these frameworks to enhance their practical utility and relevance in cybersecurity.
  • Foundational Ontologies in Cybersecurity: De Colle et al. [18] emphasise the fragmentation in cybersecurity ontology efforts and propose the development of a foundational ontology rooted in top-level architectures like the Basic Formal Ontology (BFO) and the Common Core Ontologies (CCO). It is argued that such foundational ontologies can enhance interoperability across different domains and improve data analysis and security operations within cybersecurity practices.
  • Guizzardi et al. [19] describe the Unified Foundational Ontology (UFO), which brings together theories from areas such as formal ontology in philosophy, cognitive science, linguistics, and philosophical logics.
  • Syed et al. [20] propose UCO (Unified Cybersecurity Ontology). It was designed to integrate heterogeneous data sources and cybersecurity standards—such as STIX, CVE, CAPEC, and CYBOX—within a common semantic framework using OWL and RDF. By enabling reasoning across these standards and linking cybersecurity data to the Linked Open Data cloud, UCO demonstrated the potential of semantic technologies for cyber situational awareness. However, UCO focusses primarily on the technical integration of data and standards rather than on the conceptual consolidation of cybersecurity knowledge. It provides neither a systematic synthesis of the numerous ontologies proposed in academia nor an analysis of their conceptual overlaps, maturity, or thematic scope. Consequently, while UCO remains an important operational reference, it also underscores the need for a more comprehensive, empirically grounded ontology—one that unifies existing conceptual models across domains, as pursued in this systematic review.
  • Security Assessment Ontologies: Rosa et al. [21] conducted a survey on security assessment ontologies, analysing works that formalise concepts within the Security Assessment domain. They highlight the lack of structured knowledge in the field and advocate for ontologies that support systematic security assessment.
  • Evaluations of Cybersecurity Ontologies: Several studies have focused on evaluating the practical implications of cybersecurity ontologies in various subdomains. For example, Martins et al. [17] provided a conceptual characterisation of ontologies, discussing how these frameworks can be applied specifically within the cybersecurity domain to improve the clarity and utility of cybersecurity data.
  • Survey on Ontological Approaches in Security: Several comprehensive surveys [12,14,15,17] emphasise the scattered efforts in formalising security assessment and point out the necessity for ontologies that not only detail theoretical concepts, but are also applicable in practical security settings.
  • Unified Cybersecurity Ontology: Among the most notable efforts to unify cybersecurity knowledge, the Unified Cybersecurity Ontology (UCO) proposed by Syed et al. [20] represents a significant milestone.
Despite the rich landscape of ontology development, there remains a significant gap in the integration of these ontologies across different cybersecurity areas. Most ontology projects focus narrowly on specific aspects like risk management or threat detection without a unified approach to interlink these efforts. This gap highlights the need for a more comprehensive and integrated framework that could better support the broader objectives of cybersecurity, including improved data interoperability and enhanced analytical capabilities.

3. Systematic Classification of Security Ontologies

The rapidly evolving and complex nature of cybersecurity requires robust tools and frameworks to effectively manage and mitigate security risks. Security ontologies, which serve as structured artefacts, play a pivotal role in standardising domain concepts and relationships, enabling the development of advanced tools for addressing security issues. Despite the proliferation of various security ontologies, there is a lack of clarity on their differences and specific applications, complicating the task of selecting and using the most appropriate ontology for specific security tasks.
Our proposal aims to systematically classify existing security ontologies and extract their main concepts and relationships to provide a structured analysis. The classification will serve as a foundational step towards developing a unified security ontology that integrates essential elements of reviewed ontologies into a comprehensive framework that addresses the broader needs of cybersecurity. Through a meticulous review of the literature, we examine existing security ontologies, highlighting their scope, focus, and level of detail that they provide. Our research diverges from traditional reviews as we not only catalogue these ontologies but also aim to harmonise them into a cohesive framework.
The main contributions of this study are:
  • Systematic Classification of Security Ontologies: The study provides a detailed classification of existing security ontologies, identifying their main concepts and relationships. This classification serves as a foundation for understanding the landscape of security ontologies and their respective scopes, enhancing clarity in their application.
  • Development of a Unified Security Ontology Framework: Building on classification, the study proposes a unified security ontology framework that integrates the essential elements of the reviewed ontologies. This framework aims to provide a comprehensive and standardised approach to address the diverse needs of cybersecurity, facilitating better interoperability among tools and systems.
  • Foundation for Future Research and Development: By offering a clear and structured analysis of existing security ontologies and proposing a unified framework, the study lays the foundation for future research and development in cybersecurity. This contribution is expected to improve the effectiveness of security measures and support the development of advanced tools and methodologies to manage cybersecurity risks.
The primary objective of this study is to address the fragmented landscape of security ontologies by proposing a systematic classification and detailed analysis of existing ontologies within the cybersecurity domain. The methodology involves a comprehensive literature review to identify and collect a wide range of existing security ontologies, followed by a rigorous analysis of each ontology’s structure, concepts, relationships, and level of detail. This analysis will highlight unique attributes, identify overlaps, and expose gaps in conceptual coverage across the reviewed ontologies.
The proposed unified ontology aims to facilitate better interoperability among cybersecurity tools and systems, enable clearer communication and collaboration among security teams, and enhance the effectiveness of security measures by providing a more comprehensive understanding of cyber threats and defences. In addition, it will support the standardisation of security practices and help in compliance with various regulatory frameworks. The structured approach to classifying and integrating security ontologies in the study is expected to contribute significantly to the cybersecurity field by reducing complexity and enhancing the practical utility of security ontologies.
To provide clarity on the scope and intent of this paper, Table 1 outlines the main contributions in three dimensions: review, proposal, and vision.
Throughout the manuscript, terminology is used consistently: the term ontology artefact refers to the formal knowledge model itself, while distinctions between representation formalism, modelling paradigm, and reasoning support are maintained to improve clarity for both researchers and practitioners.

4. Literature Review Method

There is an increasing array of proposed models that aim to conceptualise various aspects of cybersecurity through ontologies. Consequently, it is becoming imperative to synthesise and offer comprehensive overviews of these proposals.
To address this need, we perform an analysis of the existing literature using a systematic review approach [22]. This method ensures a systematic and objective exploration of available empirical study data, enabling us to address specific research questions effectively. The review process comprises three key stages: (1) planning the review, (2) conducting the review, and (3) reporting the review. The following subsections describe the study phases.

4.1. First Phase: Planning the Review

A systematic review of the literature (SLR) on a specific topic is particularly valuable when there is increasing interest and a growing body of research on that topic [23]. Conducting a comprehensive review involves considering both the quantity and quality of the relevant literature, which is organised through a coherent conceptual framework. Such a detailed review not only aids in theory development, but also helps to consolidate areas with extensive research and identify gaps where further investigation is needed. In the context of cybersecurity ontologies, the planning phase defines the scope, research objectives, and methodological boundaries required to ensure a rigorous and reproducible review.

4.1.1. Research Questions

The research questions (RQs) specify the analytical goals of the review and guide the subsequent phases of study identification, extraction, and synthesis. Consequently, this review seeks to answer the following research questions (RQs), summarised in Table 2.

4.1.2. Scope Definition Using the PICO–C Framework

To ensure methodological transparency and reproducibility, the review adopts the PICO–C framework (Population–Intervention–Comparison–Outcome–Context) as recommended by Kitchenham and Charters [24] and aligned with PRISMA 2020 guidelines [25]. PICO–C helps operationalise the scope defined by the RQs and ensures a structured and consistent selection of studies.
Table 3 illustrates how PICO–C is applied in this review.
Separating the RQs (analytical objectives) from the PICO–C elements (methodological scope) ensures conceptual clarity and avoids conflating research goals with selection criteria.

4.1.3. Protocol Definition

Before formal review, a review of the protocol and pilot testing were conducted to ensure precision and efficacy.
The review protocol describes the search strategy, sources, screening procedures, inclusion and exclusion criteria, and mechanisms for resolving disagreements. It provides the operational foundation for the PRISMA identification, screening, and eligibility steps later reported in Section 4.2.
The review protocol was registered a priori in the Open Science Framework (OSF) and is publicly available at https://doi.org/10.17605/OSF.IO/V7PB9. The PRISMA 2020 checklist used to guide the reporting of this systematic review is provided in Appendix E (Table A3, PRISMA Checklist).

4.1.4. Pilot Testing

To avoid introducing bias by the accumulation of data, a pilot test was conducted with an initial screening process to ensure that the extracted information is both standardised and relevant. Pilot testing must address three main questions:
  • Are the eligibility criteria clearly expressed enough?
  • Do the screeners interpret the criteria consistently?
  • Are any relevant papers not identified as such?
It is common practice to run a pilot test with a small sample of included papers (e.g., [26,27]) to assess data extraction and quality evaluation.
The pilot testing protocol used is the following:
  • Discuss the initial set of eligibility requirements with subject matter experts.
  • Select reviewers to carry out the screening procedure.
  • Describe the procedure for settling disputes over screening decisions; in this case, arbitration by a previously designated third party.
  • Choose a representative sample from the entire collection of studies at random to serve as a training set.
  • Define the criteria that must be met for the training process to be considered successful.
  • Examine the papers in the training set; each reviewer involved in the screening process should evaluate each study.
  • Describe any disagreements or difficult decisions that occur among the reviewers during the screening process.
  • Use the previously described disagreement resolution approach to come to a consensus on each decision.
  • When appropriate, provide additional detail and clarification regarding the eligibility criteria.
  • Find out if the requirements for finishing the training procedure have been met.
The pilot tests yielded several reassuring conclusions. Reviewers quickly became familiar with the eligibility requirements, and only one classification disagreement arose across the entire set of test items. This dispute was resolved efficiently through the established arbitration procedure. A shared Google Drive template facilitated the online and distributed review process, allowing reviewers to identify and discuss potential inconsistencies in real time. In general, the review and consensus phases proceeded smoothly, requiring minimal additional discussion and confirming that the classification criteria were clear and easy to apply.
The pilot testing revealed that the choices were made consistently during the screening procedure. The insights gained from the pilot informed minor refinements to the wording of the inclusion and exclusion criteria and to the structure of the data-extraction form, thereby improving the robustness of the subsequent conducting phase.
The pilot testing process ensured that eligibility criteria were interpreted consistently and that the review protocol could be applied reliably during the conducting phase.

4.1.5. Inclusion and Exclusion Criteria

Explicit inclusion and exclusion criteria were defined during the planning phase to ensure transparency and to reduce the risk of selection bias. These criteria guided the PRISMA 2020 identification and screening stages and were applied consistently by all reviewers.
These criteria establish a transparent boundary around the evidence base and ensure a consistent and reproducible selection process during the conducting phase.

4.2. Second Phase: Conducting the Review

The search and screening of publications published in indexed scientific presses is a necessary step in gathering data from the research literature (to address research objectives). This phase operationalises the review protocol defined in the planning stage by specifying how studies were identified, screened, selected, and appraised in accordance with PRISMA 2020 and established SLR guidelines in software engineering [24].

4.2.1. Search Strategy

Following the recommendations of PRISMA 2020, the search strategy was designed to ensure a comprehensive and reproducible coverage of the cybersecurity ontology literature. The process was informed by the PICO–C framework (Section 3) and refined through several pilot iterations.
The search aimed to identify primary studies that explicitly propose, extend, or evaluate ontologies applied to any cybersecurity domain. The period of analysis spans from 2012 to 2025, capturing over a decade of research activity. The resulting strategy defines the identification stage in the PRISMA 2020 flow, ensuring that all relevant records are systematically captured before screening.

4.2.2. Databases

Five major scientific sources were queried: IEEE Xplore, ACM Digital Library, Elsevier Scopus, Springer Link, and DBLP. To detect early-stage or workshop publications, a complementary search was conducted in CEUR–WS.org and arXiv (grey literature). These sources were selected to balance coverage of high-impact venues with sensitivity to emerging work, as recommended by PRISMA for comprehensive identification.

4.2.3. Search String

Initial exploratory searches revealed that many relevant articles use terminology beyond the word “ontology”. Accordingly, we constructed a composite Boolean query consisting of four concept blocks: (ontology terms) AND (security domain) AND (knowledge representation synonyms) AND (application subdomains). The terms within each block were joined with OR, and the blocks were combined with AND. The general form of the query is:
(ontology OR ontologies OR "knowledge graph" OR taxonomy OR "semantic model")
AND ("cybersecurity" OR "information security" OR "network security" OR "data protection")
AND ("risk management" OR "threat intelligence" OR "vulnerability" OR "incident response" OR compliance OR "security assessment" OR "access control" OR "critical infrastructure" OR IoT OR ICS)
Each digital library required syntax adjustments and field delimiters. Full search strings and filters for each database are documented in the Appendix C to enable independent replication of the search process. Examples are shown below:
  • IEEE Xplore:
    ("Document Title":"ontology" OR "knowledge graph") AND ("cybersecurity" OR "information security") AND (risk OR threat OR vulnerability)
    Filters: Year = 2012–2025; Language = English; Document Type = Journal or Conference Paper.
  • Scopus:
    TITLE-ABS-KEY(("ontology" OR "knowledge graph" OR taxonomy) AND ("cybersecurity" OR "information security") AND ("risk management" OR "threat intelligence" OR "critical infrastructure"))
  • ACM Digital Library:
    +(ontology OR "knowledge graph") +(cybersecurity OR "information security") +(risk OR vulnerability OR attack)
  • Springer Link/DBLP:
    Keyword search restricted to the subjects Computer Science and Information Systems.

4.2.4. Identification and Selection of Studies (PRISMA 2020)

Only peer-reviewed papers written in English were included. Duplicates were removed across databases by title and DOI matching. Technical reports, theses, and non-refereed preprints were excluded unless their final peer-reviewed versions were unavailable. The inclusion and exclusion criteria applied at this stage are summarised in Table 4, covering publication type, language, time frame, and explicit use of a cybersecurity ontology.
To ensure recall adequacy, a benchmark list of ten well-known cybersecurity ontologies (e.g., UCO, OntoCARMEN, OnToRisk, SecOnto, CoCoa) was used. All were retrieved by the final query set, confirming sufficient sensitivity. This validation step complements the PRISMA identification phase by providing an additional check that key studies were not missed.
After screening and deduplication, 93 primary studies met all inclusion criteria. A description of each study is provided in Table A1. Figure 1 presents the PRISMA 2020 flow diagram, detailing the number of records at each phase (identification, screening, eligibility, and inclusion) and the main reasons for exclusion at full-text review.
The goal of this stage was to identify and retain the most relevant primary studies addressing the research questions defined through the PICO–C framework. The study selection followed the PRISMA 2020 flow model, consisting of three filtering levels: (i) identification, (ii) screening, and (iii) confirmation of eligibility. The process ensured that inclusion and exclusion criteria (Section 4.2.2) were consistently applied by multiple reviewers.
Search results from all databases were exported to a unified spreadsheet and deduplicated by DOI, title, and author fields. Each record was independently assessed by three reviewers in two stages: (a) title–abstract review and (b) full-text review. Disagreements were discussed during weekly calibration meetings. When consensus could not be achieved, a fourth senior reviewer served as an arbitrator. All decisions and reasons for exclusion (e.g., not an ontology, non-cybersecurity scope, insufficient detail) were logged to ensure traceability.
To quantify consistency between reviewers, the level of agreement was measured using Cohen’s κ coefficient for pairwise comparisons and the average multi-rater κ̄ following Fleiss’ formulation. κ values were interpreted using the thresholds proposed by Landis and Koch (1977) [28]: <0.20 poor, 0.21–0.40 fair, 0.41–0.60 moderate, 0.61–0.80 substantial, and >0.80 almost perfect agreement. A target threshold of 0.70 for κ̄ was considered acceptable before proceeding to the data-extraction phase.
All inclusion/exclusion decisions and reviewer votes were automatically recorded in a shared online form (Google Sheets template) to maintain traceability. The conflicts were resolved through joint discussions and majority voting. The final consensus list contained 93 primary studies, which were then imported into the data-extraction sheet for coding. The reasons for exclusion at the full-text stage are detailed in Figure 1, together with the PRISMA 2020 flow diagram that summarises the number of records in each phase.
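The agreement check described above, as an added example that is not the review’s own script: it computes Cohen’s κ for each reviewer pair, the mean pairwise κ, and Fleiss’ multi-rater κ over a constructed set of title–abstract votes, labels the result with the Landis and Koch bands quoted in the text, and applies the 0.70 target. Reviewer names and votes are constructed placeholders.

```python
"""Inter-rater agreement for screening decisions (added example, constructed data)."""
from collections import Counter
from itertools import combinations
from typing import Dict, List, Sequence

# Constructed sample: 10 records screened by three reviewers.
# "I" = include, "E" = exclude. Reviewer names are placeholders.
VOTES: Dict[str, List[str]] = {
    "reviewer_A": ["I", "I", "E", "E", "I", "E", "I", "E", "I", "E"],
    "reviewer_B": ["I", "I", "E", "E", "I", "E", "I", "I", "I", "E"],
    "reviewer_C": ["I", "I", "E", "E", "E", "E", "I", "E", "I", "E"],
}
KAPPA_TARGET = 0.70  # acceptance threshold stated in the review


def cohen_kappa(a: Sequence[str], b: Sequence[str]) -> float:
    """Cohen's kappa for two raters judging the same items."""
    if len(a) != len(b) or not a:
        raise ValueError("rater vectors must be non-empty and of equal length")
    n = len(a)
    observed = sum(x == y for x, y in zip(a, b)) / n
    ca, cb = Counter(a), Counter(b)
    expected = sum((ca[c] / n) * (cb[c] / n) for c in set(a) | set(b))
    if expected == 1.0:  # both raters used one category only: no chance correction possible
        return 1.0 if observed == 1.0 else 0.0
    return (observed - expected) / (1.0 - expected)


def fleiss_kappa(votes: Dict[str, List[str]]) -> float:
    """Fleiss' kappa: every item rated by the same fixed number of raters."""
    raters = list(votes.values())
    n_raters, n_items = len(raters), len(raters[0])
    if n_raters < 2 or any(len(r) != n_items for r in raters):
        raise ValueError("need >= 2 raters with equal-length vote vectors")
    cats = sorted({c for r in raters for c in r})
    # table[i][c] = number of raters assigning item i to category c
    table = [Counter(r[i] for r in raters) for i in range(n_items)]
    p_i = [sum(t[c] * (t[c] - 1) for c in cats) / (n_raters * (n_raters - 1)) for t in table]
    p_bar = sum(p_i) / n_items                      # mean per-item agreement
    p_j = [sum(t[c] for t in table) / (n_items * n_raters) for c in cats]
    p_e = sum(p * p for p in p_j)                   # chance agreement
    if p_e == 1.0:
        return 1.0 if p_bar == 1.0 else 0.0
    return (p_bar - p_e) / (1.0 - p_e)


def landis_koch_label(k: float) -> str:
    """Bands as quoted in the review (Landis and Koch, 1977)."""
    if k < 0.20:
        return "poor"
    if k <= 0.40:
        return "fair"
    if k <= 0.60:
        return "moderate"
    if k <= 0.80:
        return "substantial"
    return "almost perfect"


def agreement_report(votes: Dict[str, List[str]]) -> Dict[str, object]:
    """Pairwise and multi-rater agreement plus the go/no-go decision."""
    pairwise = {f"{x}|{y}": cohen_kappa(votes[x], votes[y])
                for x, y in combinations(votes, 2)}
    fleiss = fleiss_kappa(votes)
    return {
        "pairwise": pairwise,
        "mean_pairwise_kappa": sum(pairwise.values()) / len(pairwise),
        "fleiss_kappa": fleiss,
        "label": landis_koch_label(fleiss),
        "proceed_to_extraction": fleiss >= KAPPA_TARGET,
    }


if __name__ == "__main__":
    for key, value in agreement_report(VOTES).items():
        print(f"{key}: {value}")
```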

4.2.5. Data Extraction

Data extraction was conducted systematically to collect all information required to answer the research questions defined through the PICO–C framework (Section 3). A predefined extraction form was designed, iteratively refined, and pilot-tested on five randomly selected studies to ensure consistency among reviewers and alignment with the objectives of the review.
The goal of this phase was to obtain structured and comparable data from each primary study, allowing multi-perspective analyses reported in Section 5. In particular, the extracted information supported three complementary classification approaches, each aligned with one of the research questions:
  • Thematic Classification (RQ1–RQ2). To identify recurring conceptual structures and major areas of emphasis, each study was analysed according to a thematic taxonomy derived inductively from the corpus (e.g., foundational concepts, risk and vulnerability modelling, threat and attack representation, governance and compliance, detection and monitoring, domain-specific ontologies). This classification enabled the synthesis of core concepts (RQ1) and the examination of thematic focus across the field (RQ2).
  • NIST CSF 2.0 Mapping (RQ2). To assess how cybersecurity ontologies support operational functions, we mapped ontology content to the NIST Cybersecurity Framework 2.0 (Identify, Protect, Detect, Respond, Recover, and Govern). This mapping provided an application-oriented perspective on ontology coverage and allowed us to assess imbalances or gaps in support for different cybersecurity functions.
  • Methodological Classification Using Wieringa’s Framework (RQ3). To evaluate the methodological maturity of the field, we categorised each study according to the well-established classification proposed by Wieringa et al. [29]. This framework distinguishes between six types of research contributions: solution proposals, validation research, evaluation research, experience papers, philosophical papers, and opinion papers. Incorporating this classification enabled a structured assessment of research maturity and complemented the conceptual and thematic analyses conducted for RQ1 and RQ2.
In Wieringa’s terminology, validation research refers to analytical investigations or controlled laboratory studies performed to examine the properties of a proposed artefact. Crucially, this category does not imply empirical validation in operational or industrial environments. Several articles in the literature on cybersecurity ontology labelled “validation” belong to this analytical category rather than providing real-world evidence. Therefore, in this review, we apply Wieringa’s terminology strictly within its original methodological meaning and treat empirical validation as a distinct form of evidence. This distinction is essential for addressing RQ3, which evaluates the degree to which cybersecurity ontologies have undergone substantive empirical evaluation.
Two reviewers independently extracted data from every included study using a shared spreadsheet template. A third reviewer verified the completeness and resolved the discrepancies. Each record received a unique identifier (P01–P93) corresponding to its citation key and the digital-object identifier (DOI). The extraction focused on observable artefacts, methodological descriptors, and validation evidence. In particular, we distinguished between studies that only reported logical or expert-based validation of the ontology and those that also provided empirical evaluation through case studies, prototypes, or industrial deployments.
Table 5 lists the main variables extracted and indicates their correspondence with the PICO–C elements. Each item was selected to support later comparison across ontologies and to ensure alignment between the conceptual and empirical dimensions of the review.
Data were managed using a cloud-based spreadsheet (Google Sheets) and periodically exported to .csv format for analysis in Python/Pandas scripts. Version control was maintained through GitHub to ensure transparency.
The resulting extraction matrix comprises 93 records × 12 fields and serves as the empirical basis for the thematic and NIST-based synthesis. This matrix enables quantitative mapping of ontology coverage, maturity, and validation depth, supporting the comparative analyses reported in Section 5.

4.2.6. Study Quality Appraisal

Quality appraisal was conducted to assess the methodological validity and practical completeness of each primary study. This step ensures that the synthesis presented in Section 5 is based on robust and traceable evidence.
The assessment pursued two complementary goals: (i) determine the internal validity of the review process itself, and (ii) assess the intrinsic quality of each ontology paper in terms of transparency, reusability, and methodological rigour.
Two instruments were used in combination:
(a) DARE macro-criteria. Following the Database of Abstracts of Reviews of Effects (DARE) [30], three global questions were applied to the review as a whole: (1) Were all relevant studies identified? (2) Was the information clearly presented and traceable? (3) Was the quality and validity of the included studies evaluated? These elements were rated as Yes = 1, Partial = 0.5, No = 0. The DARE score serves as a transparency indicator but is not used to weight the results.
(b) Ontology-specific checklist. Each of the ninety-three primary studies was evaluated using a fine-grained checklist derived from previous ontology evaluation frameworks (OntoQA, OQuaRE and Guarino’s meta-properties) and adapted for cybersecurity domains. Table 6 summarises the eight criteria used.
Each study was independently scored by two reviewers on the 0–2 scale described above. The scores were summed to produce a composite index in the range 0–16, classified as Low (0–6), Medium (7–11) or High (12–16) quality. Discrepancies greater than one point per item were discussed until consensus was reached; unresolved cases were reviewed by a third assessor. Although these scores were not used to exclude studies, they inform the interpretation of maturity trends and support a basic assessment of risk of bias in the body of evidence.
In general, approximately one-third of the ontologies achieved a high-quality rating (≥12 points), typically those that published complete OWL artefacts and validation tests. Another third scored medium, while the remainder lacked public artefacts or empirical evaluation, confirming the reproducibility limitations discussed in Section 7.
Quality evaluation and bias considerations. The quality assessment criteria applied in this review were designed to mitigate common sources of bias in secondary studies on ontology engineering. Specifically, criteria related to the clarity of the scope, explicit definition of concepts, and the completeness of the description of the ontology help reduce reporting bias, while criteria assessing the validation strategy and the application context address evaluation bias. Requirements for transparency in methodology and artefact availability contribute to limiting selection bias during data extraction and synthesis.
It is important to note that, unlike clinical studies, ontology engineering research rarely follows standardised experimental protocols. As a result, the risk-of-bias assessment in this domain focusses on methodological transparency, conceptual completeness, and evidence of evaluation rather than on statistical validity. Our appraisal therefore reflects established practices in software engineering and knowledge representation systematic reviews.

4.3. Third Phase: Reporting the Review

Writing up the review results and disseminating them to interested parties is the last stage of this systematic review.

4.3.1. Key Concepts

We explore the thematic landscape of our systematic literature review through a word cloud illustration (see Figure 2), showcasing key concepts and recurring themes. The list of 150 concepts provided is a compilation of terms frequently appearing in the set of abstracts related to security ontologies.
  • Security (268): The highest frequency term, reflecting the primary focus of the abstracts on various aspects of security.
  • Ontology (218): Refers to the formal representation of knowledge within a domain, crucial for defining and structuring security-related concepts.
  • Information (153): Central to security ontologies, as it deals with the management, protection, and integrity of data.
  • System (135): Highlights the emphasis on securing various types of systems, including computer systems, networks, and information systems.
  • Cybersecurity (130): A key area within security that focusses on protecting systems connected to the Internet from cyber attacks.
  • Knowledge (125): Indicates the importance of knowledge representation, sharing, and management in security ontologies.
  • Model (120): Models are used to simulate, analyse, and improve security measures.
  • Attack (115): Reflects the frequent discussion of various types of attacks and threat vectors in the abstracts.
  • Management (110): Refers to the strategies and processes involved in managing security risks and vulnerabilities.
  • Risk (105): A fundamental concept in security that involves the assessment and mitigation of potential threats.
  • Analysis (100): Refers to the methods and tools used to analyse security systems, vulnerabilities, and incidents.
  • Vulnerability (95): Indicates the focus on identifying and addressing security weaknesses.
  • Approach (90): Different approaches and methodologies used in the development and implementation of security measures.
  • Threat (85): Discusses various security threats and how to counteract them.
  • Data (80): Central to security, focused on data protection, privacy, and integrity.
  • Method (75): Different methods used in security research and practice.
  • Network (70): Network security is a major component of cybersecurity, involving the protection of data during transmission.
  • Systematic (68): Indicates a structured and systematic approach to security.
  • Framework (66): Security frameworks provide structured guidelines for implementing security measures.
  • Detection (64): Techniques and technologies used to detect security breaches and threats.
The list continues with other terms related to various aspects of security, such as evaluation, control, requirements, technology, processes, and specific security measures like encryption and authentication. The inclusion of these terms shows a comprehensive view of the elements that are considered crucial in the field of security ontologies. The frequencies give an indication of the relative importance and focus areas within the abstracts, providing information on current research trends and priorities in this domain.
Figure 3 indicates a significant increase in publications in 2023, with a notable peak at 19 articles. This surge may suggest increased interest or advancements in the field of cybersecurity ontology during that year. Before 2023, the publication numbers were relatively stable with occasional fluctuations, reflecting ongoing research activity but without dramatic changes. The years 2021 and 2017 also saw a relatively high number of publications, highlighting these periods as active in terms of scholarly contributions to the field.
The increasing number of publications on security ontologies, particularly the significant increase observed in recent years (2024–2025), suggests a persistent lack of standardised ontologies in the field, as researchers continue to develop and propose different ontological frameworks each year.

4.3.2. Ontology Representation and Modelling Characteristics

In the literature on cybersecurity ontologies, the methodology used to construct an ontology is often not reported or is described only at a very high level. As a consequence, attempting to classify ontologies according to their development methodology (e.g., METHONTOLOGY, NeOn, ontology learning, or hybrid approaches) would require speculative inference and would not yield a reliable or reproducible analysis. This limitation has been widely acknowledged in previous ontology surveys and meta-analyses [31,32].
Consistent with best practices in ontology engineering research, this study therefore characterises cybersecurity ontologies based on observable artefact-level properties rather than on undocumented or inconsistently reported development processes. This choice enables a systematic, transparent, and replicable classification in a heterogeneous body of primary studies.
Classification Framework
Following established ontology-engineering literature, each reviewed ontology was analysed along three complementary and orthogonal dimensions that can be objectively extracted from the primary study or its accompanying artefact:
  • Representation formalism, referring to the knowledge-representation language or logical formalism used to encode the ontology (e.g., OWL/OWL-DL, RDF(S), rule-based extensions such as SWRL or SPARQL-based rules, or conceptual modelling languages without formal semantics). This dimension captures the level of formal expressiveness and the semantic foundations available for machine interpretation.
  • Modelling paradigm, referring to the conceptual structure adopted to organise cybersecurity knowledge, such as taxonomic or hierarchical models, graph-based representations, event- or process-centric models, modular or layered ontologies, or hybrid combinations. This dimension reflects how the domain is conceptualised independently of the underlying representation language.
  • Reasoning support, referring to the type of automated reasoning that is supported in principle by the ontology artefact, including Description Logic reasoning, rule-based reasoning, SPARQL or graph-query reasoning, combined approaches, or the absence of explicitly supported automated reasoning mechanisms. This dimension reflects the computational capabilities enabled by the ontology, rather than its actual runtime deployment.
Coding Scheme and Classification Procedure
To ensure consistency and replicability, each of the three dimensions was coded using a fixed and closed set of categories defined a priori. For each ontology, the most appropriate category was selected based on explicit statements in the primary study or on clearly identifiable properties of the published artefact (e.g., ontology language, use of rule extensions or query mechanisms). No new categories were introduced during the classification process. When a primary study did not specify a particular characteristic, the corresponding entry was conservatively marked as Not specified. The complete coding scheme and the detailed classification per study are reported in Table A2.
Descriptive Characterisation of Reviewed Ontologies
Applying this framework, all 93 cybersecurity ontologies included in the review were characterised along the three dimensions of representation formalism, modelling paradigm, and reasoning support. The resulting classification provides a structured overview of how cybersecurity knowledge is represented, organised, and intended to support automated processing in the literature.
At a high level, the reviewed ontologies exhibit a strong emphasis on formally defined representations—most commonly OWL-based formalisms—combined with predominantly taxonomic or hierarchical modelling paradigms. Graph-based and hybrid modelling approaches appear primarily in studies that address integration of heterogeneous security knowledge or situational awareness scenarios. In terms of reasoning support, many ontologies enable Description Logic–based inference or query-driven reasoning in principle, while explicit rule-based reasoning is reported less frequently and is often confined to specialised use cases such as policy enforcement or risk propagation.
Given the size and descriptive nature of the classification, the full table is provided in Table A2 (Characterisation of the Reviewed Cybersecurity Ontologies). This table is intended as a reference artefact to support transparency and cross-study comparison. It is not used directly to derive or support answers to the research questions but rather to contextualise the broader trends discussed in subsequent sections.
Quantitative Snapshot (Derived from Table A2)
Across the 93 reviewed ontology artefacts, OWL-based representations dominate (73.1%), while explicit extensions are less common (OWL+SWRL: 9.7%; OWL+SPARQL/SPIN: 5.4%). Pure RDF(S) formalisms appear rarely (2.2%), and a small fraction of studies rely on conceptual (ontology-based) modelling languages (5.4%) or do not specify the formalism (4.3%). Regarding the modelling paradigm, taxonomic/hierarchy structures are most prevalent (33.3%), followed by event-/process-centric models (18.3%) and graph-based representations (14.0%); hybrid designs are also frequent (taxonomy+rules: 11.8%; taxonomy+graph: 7.5%). In terms of reasoning support, nearly half of the artefacts enable Description Logic reasoning in principle (48.4%), while query-driven reasoning via SPARQL/graph queries is also common (23.7%). Combined DL and rule-based reasoning is reported in 11.8% of cases, whereas purely rule-centric reasoning without DL support is rare (3.3% in SWRL/SPIN/custom categories).
Figure 4 summarises the distribution of representation formalisms in the 93 reviewed ontology artefacts. OWL-based representations dominate the corpus, either as pure OWL-DL ontologies or as OWL extended with rules (SWRL) or query-based mechanisms (SPARQL/SPIN). RDF(S)-only representations and ontology-grounded conceptual modelling languages occur less frequently, typically in earlier or more exploratory studies. This distribution reflects a strong preference for formalisms that support formal semantics and automated reasoning.
Figure 5 reports the modelling paradigms adopted by the reviewed cybersecurity ontologies. Taxonomic or hierarchical structures represent the most common paradigm, often serving as a conceptual backbone for more complex models. A substantial proportion of studies adopt hybrid paradigms, combining taxonomic structures with graph-based relations, rules, or event- and process-centric constructs. Purely graph-based and modular or layered ontologies are also present, reflecting increasing interest in knowledge-graph-oriented and multi-layered representations of cybersecurity knowledge.
Figure 6 shows the types of automated reasoning supported in principle by the reviewed ontology artefacts. Description Logic reasoning is the most frequently enabled capability, consistent with the widespread use of OWL-DL. Query-driven reasoning using SPARQL is also common, particularly in graph-based and hybrid ontologies. A smaller subset of studies explicitly combines DL reasoning with rule-based inference (e.g., SWRL or SPIN), while several works report no explicit automated reasoning support or do not specify reasoning mechanisms.
Overall, the artefact-level characterisation highlights a strong methodological convergence toward OWL-based representations, taxonomic or hybrid modelling paradigms, and Description Logic–centric reasoning support. At the same time, the diversity of modelling paradigms and reasoning configurations indicates that cybersecurity ontologies are designed to address heterogeneous objectives, ranging from conceptual harmonisation to operational querying and compliance checking. This characterisation is provided to contextualise the subsequent thematic and methodological analyses and does not, by itself, address the research questions.

5. Results

This section presents the main findings of our systematic review of the literature, structured to directly address the three research questions defined in the methodology. Each subsection synthesises the insights from the reviewed security ontologies to (i) identify the core security concepts and relationships (RQ1), (ii) categorise the prevalent thematic focusses in the literature (RQ2), and (iii) assess the level of maturity and real-world applicability of existing ontological models (RQ3). The results form the basis for the integrated security ontology proposed in this study and its future operationalisation as a security knowledge graph.
The terms “ontology,” “concept,” “relationship,” and “knowledge graph” are used in accordance with the definitions provided in Appendix B. We distinguish between generic ontologies and specialised ones, as well as between design-time and runtime applications.
Across the three research questions, a key insight is the prevalence of core concepts (asset, threat, vulnerability, countermeasure) but a lack of consensus in their structure and interaction. The literature shows a growing trend toward application-specific models, yet only a few ontologies address lifecycle-wide coverage or formal reasoning support. These findings validate the need for a unified and extensible ontology that balances theoretical foundation with operational applicability.

5.1. Answer to Research Question 1

To address Research Question 1—What core concepts and relationships are essential for a complete understanding of security issues?—we examined the body of selected studies and systematically extracted the concepts and relationships explicitly modelled within them. The resulting set, detailed in Appendix B, represents the conceptual foundation that cybersecurity researchers and practitioners use recurrently to describe, reason about, and manage security knowledge in diverse domains.
Understanding cybersecurity in a comprehensive way requires more than listing isolated elements such as “assets” or “threats.” It involves identifying the underlying concepts that define what must be protected, what can go wrong, and how those elements interact. Ontologies make these abstractions explicit, allowing us to organise security knowledge in a structured and reusable form. By capturing shared terminology and formalising relationships among entities, they reduce ambiguity, improve interoperability between tools, and foster a shared understanding among analysts, developers, and decision-makers.
From the reviewed ontologies, we identified a set of recurring core concepts, including:
  • Asset—any valuable element—information, infrastructure, service, or person—that requires protection.
  • Vulnerability—a weakness or flaw that exposes assets to potential exploitation.
  • Threat—any circumstance or actor with the capability and intent to exploit vulnerabilities.
  • Attack—a concrete manifestation of a threat, often involving a deliberate chain of actions.
  • Countermeasure or Control—actions or mechanisms designed to prevent, detect, or mitigate attacks and vulnerabilities.
  • Risk—the potential loss or impact when a threat exploits a vulnerability.
  • Security Property—the qualities to preserve, notably confidentiality, integrity, availability, and resilience.
  • Incident and Event—observable manifestations of adverse actions or conditions affecting assets.
  • Weakness—the underlying cause of vulnerabilities, typically arising from design or implementation flaws.
  • Context and Intelligence—the situational and environmental information that shapes the relevance and likelihood of threats.
Alongside these concepts, the papers also defined a network of relations that describe how these entities interact, for example: threat exploits vulnerability, vulnerability affects asset, countermeasure mitigates threat, actor performs attack, and incident is composed of events. These relations form causal and dependency chains that can be used to reason about attack scenarios, simulate risks, or trace how weaknesses propagate through systems.
Collectively, these concepts and relationships enable a systemic view of security. They support reasoning tasks such as risk assessment, threat modelling, incident analysis, and decision support. For example, an ontology-driven model can infer that if a vulnerability remains unpatched and a known threat is active, then the risk to a critical asset increases—information that can automatically trigger mitigation recommendations.
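The inference just described, as an added example that is not the review’s code nor any of the surveyed ontologies: a tiny in-memory triple store with three forward-chaining rules derives that an active threat exploiting an unpatched vulnerability exposes the assets it affects, that a critical exposed asset carries elevated risk, and that the countermeasure mitigating the vulnerability is recommended. In an OWL artefact the same logic would be SWRL rules or SPARQL CONSTRUCT queries (the “taxonomy+rules” paradigm of Section 4.3.2); all entity names are constructed placeholders.

```python
"""Added example: core cybersecurity concepts as triples, plus rule-based
inference of elevated risk and recommended countermeasures. Not the review's
code; entity names such as "web-portal", "V-1", "T-1", "C-1" are constructed."""
from typing import Callable, Iterable, List, Set, Tuple

Triple = Tuple[str, str, str]  # (subject, predicate, object)


class TripleStore:
    """RDF-like store with pattern lookups; no OWL semantics."""
    def __init__(self, facts: Iterable[Triple]) -> None:
        self.triples: Set[Triple] = set(facts)
    def objects(self, s: str, p: str) -> Set[str]:
        return {o for (x, q, o) in self.triples if x == s and q == p}
    def subjects(self, p: str, o: str) -> Set[str]:
        return {x for (x, q, y) in self.triples if q == p and y == o}
    def instances(self, cls: str) -> Set[str]:
        return self.subjects("rdf:type", cls)
    def add(self, t: Triple) -> bool:
        """Insert a triple; True only if it was not already present."""
        new = t not in self.triples
        self.triples.add(t)
        return new


# Constructed facts. Status is asserted explicitly because under OWL's
# open-world assumption a missing "patched" statement does not mean "unpatched".
FACTS: Set[Triple] = {
    ("web-portal", "rdf:type", "Asset"), ("web-portal", "hasCriticality", "high"),
    ("hr-wiki", "rdf:type", "Asset"), ("hr-wiki", "hasCriticality", "low"),
    ("V-1", "rdf:type", "Vulnerability"), ("V-1", "hasStatus", "unpatched"),
    ("V-1", "affects", "web-portal"), ("V-1", "affects", "hr-wiki"),
    ("V-2", "rdf:type", "Vulnerability"), ("V-2", "hasStatus", "patched"),
    ("V-2", "affects", "web-portal"),
    ("T-1", "rdf:type", "Threat"), ("T-1", "hasStatus", "active"),
    ("T-1", "exploits", "V-1"),
    ("T-2", "rdf:type", "Threat"), ("T-2", "hasStatus", "active"),
    ("T-2", "exploits", "V-2"),
    ("C-1", "rdf:type", "Countermeasure"), ("C-1", "mitigates", "V-1"),
}

Rule = Callable[[TripleStore], Set[Triple]]


def rule_exposure(kb: TripleStore) -> Set[Triple]:
    """Threat(t) ^ hasStatus(t,active) ^ exploits(t,v) ^ hasStatus(v,unpatched)
    ^ affects(v,a) -> exposedTo(a,t) ^ exposedVia(a,v)"""
    out: Set[Triple] = set()
    for t in kb.instances("Threat"):
        if "active" not in kb.objects(t, "hasStatus"):
            continue
        for v in kb.objects(t, "exploits"):
            if "unpatched" not in kb.objects(v, "hasStatus"):
                continue
            for a in kb.objects(v, "affects"):
                out.update({(a, "exposedTo", t), (a, "exposedVia", v)})
    return out


def rule_elevated_risk(kb: TripleStore) -> Set[Triple]:
    """exposedTo(a,t) ^ hasCriticality(a,high) -> hasRiskLevel(a,elevated)"""
    return {(a, "hasRiskLevel", "elevated") for (a, p, _) in kb.triples
            if p == "exposedTo" and "high" in kb.objects(a, "hasCriticality")}


def rule_recommendation(kb: TripleStore) -> Set[Triple]:
    """hasRiskLevel(a,elevated) ^ exposedVia(a,v) ^ mitigates(c,v)
    -> recommendedCountermeasure(a,c)"""
    return {(a, "recommendedCountermeasure", c)
            for a in kb.subjects("hasRiskLevel", "elevated")
            for v in kb.objects(a, "exposedVia")
            for c in kb.subjects("mitigates", v)}


RULES: List[Rule] = [rule_exposure, rule_elevated_risk, rule_recommendation]


def forward_chain(kb: TripleStore, rules: List[Rule]) -> int:
    """Apply rules until no new triple appears; return how many were derived."""
    derived, changed = 0, True
    while changed:
        changed = False
        for rule in rules:
            for t in rule(kb):
                if kb.add(t):
                    derived, changed = derived + 1, True
    return derived


def assess(facts: Iterable[Triple]) -> TripleStore:
    """Load facts, saturate with the rules, return the store for querying."""
    kb = TripleStore(facts)
    forward_chain(kb, RULES)
    return kb


if __name__ == "__main__":
    kb = assess(FACTS)
    for asset in sorted(kb.instances("Asset")):
        print(asset, kb.objects(asset, "hasRiskLevel") or {"baseline"},
              kb.objects(asset, "recommendedCountermeasure"))
```

The low-criticality asset is exposed to the same threat but gets no elevated-risk triple, and the patched vulnerability produces no exposure at all, which is the behavioural distinction a taxonomy alone cannot express.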

Synthesis and Discussion

The consolidation of concepts across the ninety-three ontologies reveals a stable and recurring conceptual backbone, directly addressing RQ1. The five clusters—(1) assets and actors, (2) vulnerabilities and weaknesses, (3) threats and attacks, (4) protection mechanisms and goals, and (5) contextual and evaluative constructs such as risk and incident—represent the minimum semantic structure required to model cybersecurity phenomena in a coherent and reusable way.
This pattern indicates that, despite differences in formalisms, scopes, and application domains, ontology authors consistently converge on a shared set of primitives for representing security knowledge. Such convergence suggests an emergent form of implicit standardisation within the community, even in the absence of a formally agreed reference model. In other words, the core conceptual building blocks of cybersecurity ontologies are already relatively mature and widely recognised. At the same time, the analysis of relationships shows that many ontologies remain focused on predominantly static structures (e.g., taxonomic hierarchies and simple part-of decompositions), with fewer models capturing dynamic or behavioural aspects such as propagation paths, causal chains, or temporal evolution of incidents. This limitation highlights an opportunity to extend the conceptual backbone defined in RQ1 towards richer behavioural and inferential models that can support advanced tasks such as simulation, prediction, root-cause analysis, and automated decision support.
Overall, the synthesis for RQ1 shows both conceptual maturity—through convergence on a common set of core entities—and limitations in relational expressiveness. This dual insight provides the foundation for the thematic and methodological analyses presented in Section 5.2 and Section 5.3, which further examine how these concepts are applied and evaluated in practice.

5.2. Answer to Research Question 2

To answer Research Question 2—What is the predominant focus of existing security ontologies in the literature?—we conducted a comprehensive analysis of academic and industrial contributions from 2012 to 2025. The results show that security ontologies aim to formalise domain knowledge, standardise ambiguous terminology, facilitate knowledge sharing, and support cybersecurity tasks such as risk assessment, threat modelling, compliance, and decision-making.
First, we identified and coded the main topics explicitly addressed in each article, using dual coding and consensus resolution to finalise the categories. Second, we classified the same set of ontologies using the NIST CSF 2.0 [33]. This dual approach balances data-driven themes with a widely adopted standard reference model, providing both a conceptual and a lifecycle-orientated view of ontology coverage.

5.2.1. Approach 1: Topic Categories Identified from the Literature

The reviewed ontologies can be grouped according to their principal thematic focus. This taxonomy reflects how existing work structures cybersecurity knowledge across organisational, technical, and operational dimensions. Although the taxonomy is organised into seven conceptual themes, cybersecurity ontologies often span multiple areas. Therefore, the categories are not mutually exclusive; instead, the review applies a multi-label classification that reflects the multidimensional nature of security modelling.
  • Foundational Information Security Concepts. Ontologies defining core constructs such as Assets, Threats, Vulnerabilities, Attacks, and Controls, including domain-independent relationships that serve as a baseline for more specialised models.
  • Risk, Vulnerability and Exposure Modelling. Ontologies focusing on risk assessment processes, vulnerability representation, exposure evaluation, and related analytical tasks. These models often integrate established taxonomies such as CVE, CWE, and CVSS and support structured reasoning about risk propagation, likelihood, and impact.
  • Threats, Attacks, and Cyber Threat Intelligence. Ontologies that formalise adversarial behaviour and attack mechanisms, including attack patterns, threat actors, TTPs, malware characterisation, and intelligence indicators. These models support incident analysis, intrusion detection, attribution, and proactive threat intelligence.
  • Governance, ISMS and Security Compliance. Ontologies addressing organisational security governance, policy representation, compliance requirements, security processes, and Information Security Management Systems (ISMS). They provide structured representations aligned with standards such as ISO 27001/27002 and the NIST framework, supporting policy management, audit preparation, and risk treatment planning.
  • Security Requirements Engineering. Ontologies that support the elicitation, refinement, and validation of security requirements in software and systems engineering. These models facilitate early integration of security into system design and ensure traceability across development artefacts.
  • Security Detection, Monitoring, and Operations. Ontologies that support operational security tasks, including intrusion detection, anomaly detection, event correlation, and SOC/SIEM workflow modelling. They provide semantic structures that enable automated or semi-automated reasoning in security operations.
  • Domain-Specific and Application-Oriented Cybersecurity. Ontologies specialised for particular environments or contexts, such as IoT and IIoT systems, cyber–physical and industrial control systems, access control models (RBAC/ABAC), web application security, social engineering, and human or education-orientated cybersecurity.
Because cybersecurity ontologies often address multiple conceptual dimensions, a single ontology may be associated with more than one thematic category. The classification adopted in this review therefore follows a multi-label approach that captures the breadth of each contribution rather than forcing exclusive assignment. This approach enables a more accurate reflection of thematic coverage in the literature.
Although foundational concepts such as assets, threats, and vulnerabilities appear in most ontologies, the most mature and frequently addressed areas correspond to risk modelling, vulnerability analysis, and threat/attack modelling. These domains benefit from extensive structured datasets and taxonomies that support richer conceptualisations and facilitate automated reasoning.
Table 7 summarises how the reviewed ontologies are distributed across the thematic categories described above. The distribution illustrates a strong concentration of research in (i) Risk, Vulnerability and Exposure Modelling; (ii) Threats, Attacks, and Cyber Threat Intelligence; and (iii) Governance, ISMS, and Security Compliance, while domain-specific, human-centric, and operational detection-orientated ontologies are less represented.
Figure 7 complements the table by providing a visual representation of the distribution of ontologies in thematic categories. It shows three dominant clusters—risk/vulnerability modelling, threat/attack intelligence, and governance/ISMS—reflecting the centrality of these topics in cybersecurity practice and research. A second tier of categories, including foundational concepts, requirements engineering, and detection/monitoring, exhibits moderate representation.
Topic clustering confirms a mature emphasis on risk, vulnerability, and attack modelling, with emerging but smaller clusters in IoT, social engineering, and pedagogical contexts.
The figure illustrates the distribution of cybersecurity ontologies across the revised thematic taxonomy. Three categories clearly dominate the landscape: (i) Risk, Vulnerability and Exposure Modelling, (ii) Threats, Attacks and Cyber Threat Intelligence, and (iii) Governance, ISMS and Security Compliance. These clusters reflect the availability of established taxonomies (e.g., CVE, CWE, ATT&CK, ISO 27001) and the practical relevance of these domains for risk-based decision-making and security operations.
A second group of categories—including Foundational Information Security Concepts, Security Requirements Engineering, and Security Detection and Monitoring—shows moderate representation, indicating steady but less extensive research activity.
By contrast, several specialized domains such as IoT Security, ICS/Industrial Control Systems, Social Engineering, Human-oriented cybersecurity, and Access Control exhibit comparatively smaller clusters. These areas highlight emerging or niche research directions that remain underexplored relative to mainstream ontology development.
Overall, the visual distribution confirms a structural imbalance: most ontologies focus on modelling risks, threats, and governance structures, whereas comparatively fewer address human factors, domain-specific environments, or post-incident activities. Together, Table 7 and Figure 7 demonstrate that the field has achieved conceptual maturity in technical and governance-related domains but continues to lack comprehensive support for behavioural, organisational and recovery-orientated knowledge, reinforcing the motivation for integrated and unified security ontologies.
To ensure analytical precision, ontologies were not restricted to a single thematic category. Because many cybersecurity ontologies cover overlapping conceptual areas (e.g., combining foundational constructs with domain-specific modelling), a multi-label coding scheme was applied. This avoids imposing artificial boundaries and is consistent with recommended practices for qualitative evidence synthesis in software engineering.

5.2.2. Approach 2: The NIST CSF 2.0

To complement the topic-based view, we map each ontology to the NIST CSF 2.0 [33] (see Figure 8), which organises activities into six functions—Govern, Identify, Protect, Detect, Respond and Recover. Because many ontologies span multiple phases of the security lifecycle, we count each ontology in every NIST category it addresses. This rule ensures comprehensive coverage and aligns with how we constructed the heatmap and counts. (See Figure 9 and Table 8).
Figure 9 presents a heatmap illustrating the relationship between the reviewed ontologies and the NIST CSF 2.0 functions. Each ontology was assigned to one or more categories of NIST according to its primary objectives and scope. The colour intensity in the heatmap reflects the number of papers addressing each function, where darker tones represent higher coverage.
Heatmap takeaway. Coverage is concentrated in DE.CM and DE.AE (Detect), with strong presence in GV.RR, GV.PO, and GV.OV (Govern); Recover is sparsely represented.
Visualisation reveals a clear pattern of concentration in specific areas. The Detect function dominates, especially in the subcategories DE.CM (Continuous Monitoring, 36 papers) and DE.AE (Adverse Event Analysis, 32 papers), indicating that most ontologies focus on detection and monitoring mechanisms. The Govern function also shows strong representation, particularly in GV.RR (Roles and Responsibilities), GV.PO (Policy) and GV.OV (Oversight)—each linked to approximately 26 papers—reflecting the importance of governance, compliance, and organisational accountability.
Moderate coverage appears in Identify and Protect, primarily in categories such as ID.RA (Risk Assessment), ID.AM (Asset Management) and PR.PS (Platform Security). By contrast, Respond (RS.AN Incident Analysis, RS.MI Mitigation) and Recover (RC.RP Recovery Planning, RC.CO Communication) remain weakly represented, indicating areas underexplored in current ontology research.
Table 8 complements the heatmap by providing the quantitative distribution of ontologies across functions, categories, and subcategories of NIST CSF 2.0. For instance, under Govern, the most represented categories are GV.RR (Roles and Responsibilities), GV.PO (Policy), and GV.OV (Oversight), each with 26 papers. Under Identify, ID.RA (Risk Assessment, 24 papers) and ID.AM (Asset Management, 8 papers) dominate, while within Protect, PR.PS (Platform Security) and PR.IR (Technology Infrastructure Resilience) each account for 17 papers.
The Detect function continues to lead overall with 36 papers for DE.CM and 32 for DE.AE. The Respond function is moderately represented (RS.AN = 13, RS.MI = 8), whereas the Recover function remains largely unexplored (RC.RP = 2, RC.CO = 0).
In summary, the counts confirm the heatmap pattern: Detect (DE.CM = 36; DE.AE = 32) leads, Identify (ID.RA = 24) and Protect (PR.PS = 17; PR.IR = 17) show moderate activity, while Recover (RC.RP = 2; RC.CO = 0) remains largely uncovered.
Because many ontologies address multiple phases of the security lifecycle, each ontology was counted in every category to which it contributes. This approach ensures a comprehensive representation of how the existing body of work aligns with NIST CSF 2.0.
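As an added illustration of the counting rule used for both the multi-label thematic coding and the NIST CSF 2.0 heatmap, the following Python script (written for this page, not code from the review) tallies a constructed set of six hypothetical ontology records once per category and once per function, validates the codes before counting, and flags functions with low coverage. The category codes are those cited in the text; the records, theme labels and the 25% gap threshold are assumptions.

```python
"""Multi-label tallying of ontology records against NIST CSF 2.0 categories.

Added example, not part of the review: reproduces the rule that every
ontology is counted once in each thematic category and each NIST CSF 2.0
category it addresses, so column sums exceed the number of ontologies.
"""
from collections import Counter

# NIST CSF 2.0 function prefixes mapped to function names.
NIST_FUNCTIONS = {"GV": "Govern", "ID": "Identify", "PR": "Protect",
                  "DE": "Detect", "RS": "Respond", "RC": "Recover"}

# Category codes that appear in the review's heatmap discussion (Figure 9 / Table 8).
KNOWN_CODES = {"GV.RR", "GV.PO", "GV.OV", "ID.RA", "ID.AM", "PR.PS", "PR.IR",
               "DE.CM", "DE.AE", "RS.AN", "RS.MI", "RC.RP", "RC.CO"}

# Constructed sample records: hypothetical ontologies O1..O6, not the 93 reviewed.
SAMPLE_ONTOLOGIES = [
    {"id": "O1", "themes": ["Risk/Vulnerability", "Foundational"],
     "nist": ["ID.RA", "ID.AM", "PR.PS"]},
    {"id": "O2", "themes": ["Threat/CTI", "Detection"],
     "nist": ["DE.CM", "DE.AE", "GV.PO"]},
    {"id": "O3", "themes": ["Detection"], "nist": ["DE.CM", "RS.AN"]},
    {"id": "O4", "themes": ["Governance/ISMS"],
     "nist": ["GV.RR", "GV.PO", "GV.OV"]},
    {"id": "O5", "themes": ["Risk/Vulnerability", "Threat/CTI"],
     "nist": ["DE.CM", "DE.AE", "ID.RA"]},
    {"id": "O6", "themes": ["Detection", "Domain-specific"],
     "nist": ["RC.RP", "RS.MI", "DE.CM"]},
]


def validate_codes(records):
    """Reject coding errors (unknown or mistyped codes) before anything is counted."""
    for r in records:
        unknown = set(r["nist"]) - KNOWN_CODES
        if unknown:
            raise ValueError(f"{r['id']}: unknown NIST CSF codes {sorted(unknown)}")


def function_of(code):
    """Map a category code to its function, e.g. 'DE.CM' -> 'Detect'."""
    return NIST_FUNCTIONS[code.split(".")[0]]


def count_multilabel(records, field):
    """Count each record once per distinct label it carries in `field`."""
    counts = Counter()
    for r in records:
        for label in set(r[field]):   # set(): a duplicated label still counts once
            counts[label] += 1
    return counts


def nist_counts(records):
    """Return (per-category counts, per-function counts) under the multi-label rule."""
    validate_codes(records)
    by_category = count_multilabel(records, "nist")
    by_function = Counter()
    for r in records:
        for fn in {function_of(c) for c in r["nist"]}:
            by_function[fn] += 1   # once per function, even if several categories hit
    return by_category, by_function


def coverage_gaps(by_function, n_records, threshold=0.25):
    """Functions addressed by fewer than `threshold` of the records (assumed cut-off)."""
    return sorted(fn for fn in NIST_FUNCTIONS.values()
                  if by_function.get(fn, 0) / n_records < threshold)


def heatmap_rows(by_category):
    """Rows of (function, code, count), ordered by function, then count descending."""
    order = list(NIST_FUNCTIONS.values())
    rows = [(function_of(c), c, n) for c, n in by_category.items()]
    return sorted(rows, key=lambda r: (order.index(r[0]), -r[2], r[1]))


if __name__ == "__main__":
    themes = count_multilabel(SAMPLE_ONTOLOGIES, "themes")
    by_cat, by_fn = nist_counts(SAMPLE_ONTOLOGIES)
    print("thematic counts:", dict(themes))
    for fn, code, n in heatmap_rows(by_cat):        # text-only heatmap
        print(f"{fn:<9}{code:<7}{'#' * n} {n}")
    print("function totals:", dict(by_fn), "(sum exceeds the record count)")
    print("under-covered functions:", coverage_gaps(by_fn, len(SAMPLE_ONTOLOGIES)))
```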
Synthesis and Discussion
The combined thematic and NIST-based analyses provide a clear and consistent answer to RQ2. Across both perspectives, cybersecurity ontologies concentrate overwhelmingly on risk, vulnerability, and threat/attack modelling, with a secondary emphasis on governance and detection. These focal areas align closely with the core conceptual clusters identified in RQ1, indicating a strong coupling between the underlying conceptual backbone and the application domains that receive the most modelling effort.
Two dynamics emerge from this pattern. First, ontology development appears to be strongly shaped by the availability of structured data sources and standards. Domains supported by well-established taxonomies and frameworks—such as CVE/CWE/CVSS for vulnerabilities and ATT&CK or ISO 27001 for threats, controls, and governance—attract substantially more ontological work than areas lacking comparable resources. This suggests a form of standardisation bias, whereby readily available datasets lower the barrier to ontology construction and promote reuse.
Second, the persistent under-representation of response and recovery activities, in both the topic-based taxonomy and the NIST CSF mapping, reveals a structural gap in the modelling of post-incident processes. Although detection, prevention, and governance are richly modelled, there is comparatively little ontological support for organisational learning, resilience engineering, incident forensics, or adaptive recovery planning. This imbalance is particularly problematic given the increasing importance of resilience and continuous improvement in modern cybersecurity practice.
The convergence of findings from two independent analytical approaches strengthens the validity of these observations. Together, they show that current cybersecurity ontology research remains predominantly front-loaded towards pre-incident and real-time activities (risk assessment, threat intelligence, monitoring, and compliance), while post-incident and recovery-oriented knowledge remains comparatively unexplored. This gap defines a clear research agenda under RQ2 for developing ontologies that more explicitly support resilience, incident response, recovery strategies, and long-term organisational learning.

5.3. Answer to Research Question 3

To answer Research Question 3—What is the current stage of development and application of security ontologies, ranging from theoretical concepts to real-world implementation in industrial settings?—we examined the maturity, evolution, and methodological orientation of cybersecurity ontology research. While RQ1 identified the foundational concepts and relationships that underpin security knowledge, and RQ2 explored the domains and frameworks where ontologies are applied, RQ3 focuses on how the field has evolved over time and on the nature of its research contributions. To provide a comprehensive view, we applied two complementary approaches:
  • Approach 1: Trajectory across three dimensions of maturity, which traces the historical and conceptual evolution of ontology research from theoretical foundations to industrial adoption; and
  • Approach 2: Classification by research type, adapted from Wieringa et al. [29], which examines the methodological character of the studies.
Together, these analyses reveal not only how cybersecurity ontology research has progressed but also where it remains methodologically and practically constrained: the trajectory analysis examines how the domain evolved over time, whereas the Wieringa classification assesses methodological rigour, and in combination they provide a holistic view of maturity in cybersecurity ontology research.

5.3.1. Approach 1: Trajectory Across Three Dimensions

The first approach analyses the trajectory of research across three progressive dimensions:
  • Foundational and Theoretical Development: Papers in this category focus on the conceptual and methodological aspects of ontology construction, such as domain scoping, class and relation definition, and alignment with upper ontologies (e.g., DOLCE, SUMO). These studies emphasise formal expressiveness and interoperability, often employing OWL, SWRL, and SPARQL as representation and reasoning languages.
  • Application and Deployment in Diverse Domains: This dimension includes ontologies applied to specific cybersecurity problems such as risk assessment, vulnerability management (e.g., CVE, CWE, CVSS), attack and threat modelling, access control, and even educational or pedagogical uses. These works typically demonstrate how ontology-based reasoning enhances data integration, traceability, and decision support within particular domains like IoT, cyber–physical systems, and human-centric security.
  • Real-World Implementation and Industrial Adoption: The final dimension corresponds to studies that report operational deployment of ontologies in real industrial or governmental contexts (e.g., aeronautics, energy, or healthcare). These studies show how ontology-driven solutions are integrated into existing cybersecurity infrastructures for monitoring, incident response, or compliance management.
This analysis allows us to assess whether the field has advanced beyond conceptual design toward practical operational integration.
Table 9 categorises the reviewed ontologies across these three dimensions. Early works focused on foundational development, emphasising ontology engineering methods, knowledge modelling principles, and formal representation languages such as OWL and SWRL. These studies established the theoretical basis for interoperability and reasoning in cybersecurity knowledge bases.
As the field matured, attention turned to application and deployment ontologies within specific domains such as risk management, vulnerability analysis (e.g., CVE, CWE, CVSS), threat modelling and access control. These works often demonstrate the advantages of ontological reasoning for data integration, traceability, and decision support, particularly in domains like IoT and cyber–physical systems.
A smaller but growing subset of papers reports real-world implementation and industrial adoption, showing ontology-based systems integrated into operational environments such as the aerospace, energy, and healthcare sectors. These works highlight practical benefits—such as improved incident detection and compliance management—but remain limited in number, indicating that large-scale industrial uptake is still emerging.
Table 9 reveals a strong concentration of studies in the foundational and application dimensions, confirming that the field is theoretically mature yet practically fragmented. Few studies reach industrial adoption, underscoring the gap between conceptual innovation and real-world deployment.
Figure 10 complements Table 9, showing how research evolved over time. Between 2012 and 2016, foundational studies dominated as researchers established the core theoretical basis. From 2017 onwards, applied research expanded rapidly, reflecting a move toward domain-specific solutions. Industrial adoption has appeared only in the last few years, with scattered but promising implementations. Overall, this progression illustrates a trajectory from conceptual design to application and gradually toward operational integration.
Together, Table 9 and Figure 10 depict an evolutionary trajectory from conceptual formulation to application and, finally, partial real-world deployment. This trajectory indicates that cybersecurity ontology research has reached methodological maturity, but that translation to widespread industrial practice remains limited. Bridging this gap will require greater collaboration between academia and industry, along with scalable validation studies that demonstrate the tangible benefits of ontology-driven cybersecurity solutions.

5.3.2. Approach 2: Classification Framework for Cybersecurity Ontology Papers

To complement the trajectory analysis presented earlier, the second approach applies the classification framework proposed by Wieringa et al. [29]. This framework categorises research papers according to their primary intent and methodological rigour, helping to identify whether the field is progressing mainly through conceptual innovation, empirical validation, or practical experience.
We adapt Wieringa’s scheme to classify each cybersecurity ontology study into one of six categories: Solution Proposal, Validation Research, Philosophical Paper, Opinion Paper, Experience Paper, and Evaluation Research. This taxonomy provides a complementary view of the field’s maturity—distinguishing theoretical contributions from those grounded in experimentation or real-world deployment.
Clarification of the notion of “validation research.” Wieringa’s framework uses the term validation research to refer to studies in which a proposed artefact is investigated analytically or in controlled laboratory settings. Importantly, this category does not imply empirical validation in real-world environments or industrial deployments. During the review process, several ontology articles classified as “validation research” followed this analytical or illustrative style of evaluation rather than providing empirical evidence of effectiveness.
Consequently, in this SLR we strictly use Wieringa’s terminology in its original methodological sense and do not interpret “validation research” as empirical validation. When discussing the empirical maturity of cybersecurity ontologies (RQ3), we therefore distinguish between (a) Wieringa’s validation research and (b) genuine empirical validation studies conducted in operational contexts. This clarification addresses potential confusion and ensures that our maturity assessment does not overstate the strength of the empirical evidence base in the field.
  • Solution Proposal: Introduces new ontologies or frameworks, focussing on conceptual novelty and structural relevance to cybersecurity domains (e.g., threat modelling, access control, vulnerability analysis).
  • Validation Research: Conducts rigorous empirical or computational evaluation of proposed ontologies using simulations, reasoning consistency tests, or prototype implementations.
  • Philosophical Papers: Present theoretical reflections or conceptual models redefining how security constructs should be formally represented.
  • Opinion Papers: Provide analytical perspectives or critiques on trends, adoption challenges, and research gaps.
  • Experience Papers: Report on the use of ontologies in operational contexts such as security operations centres or SIEM systems, emphasising lessons learnt.
  • Evaluation Research: Examines the practical application of existing ontologies through surveys or field studies, assessing their effectiveness for specific cybersecurity tasks.
Figure 11 shows that Solution Proposals constitute the largest proportion of the literature, followed by Validation Research. This distribution indicates that the field remains primarily conceptual, though with a growing emphasis on empirical verification. Other categories—such as Philosophical, Opinion, and Evaluation Research—are less represented, while explicit Experience Papers are rare.
It is important to distinguish between Wieringa’s category of “validation research,” which refers to analytical or laboratory-based investigations, and empirical validation conducted in real operational environments. Because our aim is to characterise the methodological maturity of ontology research, we faithfully adopted Wieringa’s terminology while separately identifying whether any studies provided empirical evidence in real-world settings. As shown in Section 5.3, such empirical validations are relatively rare.
Consistent with the figure, Table 10 confirms that Solution Proposals and Validation Research dominate the literature. This pattern highlights the field’s ongoing effort to consolidate new models while gradually moving toward empirical and comparative evaluation. The limited number of philosophical and opinion papers suggests that conceptual reflection is often embedded within technical works rather than addressed as a standalone research stream.
Synthesis and Discussion
The results of the trajectory analysis and the Wieringa-based classification jointly address RQ3 by characterising the methodological maturity of cybersecurity ontology research. The trajectory analysis shows a progression from foundational contributions towards an expanding body of domain-specific applications, with emerging—though still limited—instances of industrial adoption. This evolution reflects increasing sophistication in ontology design and a gradual movement from purely theoretical work towards operational relevance.
However, the methodological classification tempers this positive trajectory. The dominance of solution proposals and the comparatively smaller number of papers on validation, evaluation, and explicit experience indicate that the field remains methodologically unbalanced. Many ontologies are proposed and illustrated with small-scale examples, but relatively few are subjected to systematic empirical testing, benchmarking against alternatives, or long-term deployment in real-world environments. As a consequence, the evidence for claims about effectiveness, scalability, and usability is often limited.
Taken together, these findings reveal a key tension: cybersecurity ontology research exhibits intellectual maturity in its conceptual design (as shown in RQ1) and domain coverage (as shown in RQ2), but lacks comparable empirical maturity in its methodological practices (as examined in RQ3). Bridging this gap will require more evaluation and experience studies, the development of standardised validation frameworks, and the creation of shared benchmark datasets and open repositories that enable reproducible cross-domain comparison of ontology-based solutions.
Strengthening these methodological foundations is essential for enabling ontologies to transition from academic artefacts to robust, operational components of cybersecurity ecosystems. In this sense, the answer to RQ3 not only diagnoses the current imbalance between design and validation, but also points directly to the kinds of research investments needed to transform conceptual advances into practical impact.
Challenges and Future Research Directions
Despite promising advances, several open challenges persist, particularly as cybersecurity knowledge rapidly expands and integrates with emerging technologies such as knowledge graphs, large language models (LLMs), and automated reasoning systems. Our synthesis highlights the following research priorities:
  • Granularity, Coverage, and Timeliness: Many ontologies remain either too abstract or narrowly scoped to specific attack types or infrastructures. Recent work on CTI knowledge graphs and fine-grained threat taxonomies suggests that ontologies should incorporate richer event structures, artefact-level indicators, and continuous streams of operational data (e.g., CERT advisories, malware reports, cloud telemetry). Achieving this requires models that can represent both static domain knowledge and rapidly evolving threat intelligence.
  • Interoperability and Conceptual Alignment: Although standard formats (OWL/RDF), STIX 2.x, and ATT&CK mappings have improved interoperability, conceptual misalignment remains a major barrier to reuse. Emerging harmonisation efforts—including ontology alignment tools, crosswalks between CTI vocabularies, and graph-based fusion techniques—indicate promising directions. However, a widely accepted reference ontology for cybersecurity is still lacking, limiting integration across tools, organisations, and research communities.
  • Maintenance, Evolution, and Automation: Security ontologies must evolve at the pace of the threat landscape. Manual curation is increasingly infeasible. Recent advances in LLM-assisted ontology engineering, automated term extraction, and semi-supervised evolution pipelines offer a foundation for continuous updating. Yet the challenge remains to ensure semantic consistency, avoid concept drift, and incorporate tacit domain knowledge that is not explicitly stated in textual sources.
  • Relationship Modelling and Inference Capabilities: While many ontologies capture taxonomic hierarchies, few formalise causality, temporal dependencies, attack progression, or multi-step adversarial behaviour. State-of-the-art CTI knowledge graphs and reasoning engines demonstrate that modelling non-taxonomic and temporal relationships can significantly enhance predictive and forensic capabilities. Future research should develop expressive ontologies capable of supporting causal inference, automated attack-path reconstruction, and dynamic risk propagation.
  • Evaluation, Benchmarking, and Real-World Validation: Our review confirms that most ontologies lack systematic or large-scale empirical evaluation. Recent initiatives in benchmark datasets, reproducible reasoning tests, and cybersecurity data challenges represent important steps, but broader adoption is needed. Validation frameworks should include usability testing, performance evaluation in SOC workflows, integration with real CTI platforms, and longitudinal studies of operational impact.
  • Explainability, Integration, and AI Synergy: Modern cybersecurity solutions increasingly rely on AI models, digital twins, and automated analytics pipelines. Ontologies have a critical role in enhancing explainability, structuring model outputs, and grounding machine-learning decisions in domain semantics. Future research should explore tight integration between ontologies, XAI techniques, cyber-physical digital twins, and LLM-based reasoning agents in order to support transparent, trustworthy, and adaptive security systems.
Overall, the field has progressed from early risk modelling to sophisticated threat intelligence and governance representations, but significant opportunities remain. Advancing ontology quality, scalability, and practical usability—particularly through automation, standardisation, and integration with modern AI techniques—will be essential for translating conceptual maturity into widespread industrial adoption.
Limitations of Ontology-Based Approaches
Although ontologies offer a structured and semantically rigorous means of representing cybersecurity knowledge, their practical adoption and effectiveness are shaped by several inherent limitations. These limitations complement the challenges identified above and provide an important context for interpreting the results of this review.
Static modelling of a dynamic domain. Most ontologies capture domain knowledge in a static or quasi-static form, which makes them well suited for representation and reasoning but less effective for modelling rapidly evolving threat landscapes. Cybersecurity phenomena—such as adversarial behaviour, attack progression, and system reconfiguration—are inherently dynamic, and traditional ontology formalisms struggle to capture temporal changes, causal chains, or real-time adaptation without significant extensions.
Limited expressiveness for behaviour and probabilistic semantics. Although OWL and related formalisms enable rich taxonomic structures, they provide limited support for representing uncertainty, probabilistic relationships, or stochastic behaviour. Many practical security analyses (e.g., risk propagation, attack likelihood estimation, anomaly prediction) require models that go beyond deterministic logical relations. Hybrid approaches combining ontologies with probabilistic reasoning exist but remain complex to implement and are not yet widely adopted.
High cost of development and maintenance. Creating a high-quality ontology requires substantial domain expertise, modelling effort, and continuous maintenance. As shown in RQ3, few existing ontologies provide mechanisms for systematic evolution and even fewer are maintained beyond their initial publication. This limits long-term usability and hinders industrial adoption, particularly in environments where threat intelligence and system configurations change frequently.
Interoperability and alignment challenges. Even when sharing similar conceptual domains, independently developed ontologies often diverge in terminology, granularity, and modelling assumptions. This misalignment reduces interoperability between tools, organisations, and datasets. As observed in RQ1 and RQ2, there are overlapping conceptual structures across ontologies, but they are rarely harmonised, resulting in duplication and inconsistent semantics across the ecosystem.
Limited empirical validation. A recurring finding from RQ3 is that most ontologies are evaluated only through illustrative examples or analytical validation. Few undergo empirical evaluation in operational environments, making it difficult to determine their practical effectiveness, scalability, or integration costs. This limits confidence in ontology-based systems and weakens the evidence base supporting ontology use in mission-critical security contexts.
Scalability and performance constraints. Reasoning over large ontologies or knowledge bases can be computationally expensive. In security settings that require timely analysis—such as real-time intrusion detection or incident response—these performance constraints may hinder deployment unless combined with optimisation strategies, modularisation, or hybrid AI techniques.
Taken together, these limitations show that ontology-based approaches—while conceptually mature and beneficial for structuring cybersecurity knowledge—face constraints in expressiveness, dynamism, maintenance, and empirical validation. Addressing these issues will be essential to enable future generations of cybersecurity ontologies to support operational decision-making, autonomous security agents, and AI-driven security architectures.
It is important to note that philosophical, opinion, and solution proposal papers were included to characterise conceptual evolution and research maturity, but were not interpreted as providing empirical evidence of effectiveness; conclusions regarding practical impact and validation are drawn primarily from evaluation and experience studies.
From an industrial perspective, these limitations are particularly relevant in Industrial Internet of Things (IIoT) and Industry 4.0 environments, where heterogeneous cyber–physical assets, automation systems, and supervisory control infrastructures coexist. Recent surveys on Industry 4.0 architectures and IIoT security highlight the increasing complexity of industrial environments and the critical role of secure communication, monitoring, and response mechanisms [123,124]. In such settings, cybersecurity ontologies could provide a shared semantic layer to support interoperability across industrial devices, security platforms, and automation systems.

6. Discussion

This review explored how cybersecurity ontologies have evolved conceptually, thematically, and practically across academic and industrial contexts. Taken together, the results suggest a field that has reached conceptual maturity but still lacks methodological and operational cohesion. While the diversity of domains and purposes reflects the richness of cybersecurity itself, it has also fostered a fragmented landscape of models, each addressing local needs with limited reuse or alignment.
The prevalence of OWL-DL and hybrid modelling paradigms observed in artefact characterisation (Section 4.3.2) helps explain why most reviewed ontologies emphasise conceptual consistency and structural completeness, while fewer studies report large-scale empirical validation. A common trend is the dominance of highly specialized ontologies—tailored to intrusion detection, vulnerability management, or regulatory compliance—that frequently recreate comparable concepts under varying labels. As a consequence, foundational notions such as incident, control, or threat agent appear inconsistently defined, making cross-domain reasoning and semantic interoperability difficult. Although several works advocate modularity and standard alignment, few deliver concrete mechanisms for integration or versioning, and even fewer are tested beyond experimental settings.
From a methodological standpoint, the analysis reveals the coexistence of two paradigms in cybersecurity ontology research. The first is an instrumental paradigm, which privileges lightweight, pragmatic, and easy-to-adopt models intended for operational use and rapid prototyping. The second is a formal paradigm, grounded in logical precision, ontological commitments, and inferential interoperability. Most existing work clearly aligns with the instrumental orientation, emphasising usefulness and adaptability over formal rigour. Although this pragmatic trend has fostered a wide array of applied ontologies, it also contributes to conceptual dispersion and hampers integration across frameworks. Reconciling both paradigms—combining the accessibility of instrumental models with the rigour of formal ontologies—remains essential to advance toward a unified and trustworthy knowledge base.
Another key finding emerges from the NIST-based mapping, which shows a strong concentration of ontologies in the Identify and Detect functions, with markedly lower density in Respond and Recover. This imbalance reflects more than a topical gap: it suggests an epistemological asymmetry within the field. Ontological knowledge about risks, threats, and detection mechanisms is far more developed than that concerning post-incident analysis, organisational learning, and resilience. In other words, cybersecurity ontology research has primarily codified the logic of prevention, but has yet to articulate an ontology of recovery—how organizations learn, adapt, and evolve after adverse events. Bridging this asymmetry will require integrating operational and sociotechnical perspectives capable of representing adaptive responses and institutional memory.
Despite these limitations, encouraging trends are visible. There is now broad agreement on a core conceptual vocabulary—entities such as Asset, Threat, Vulnerability, Attack, and Countermeasure—which provides a shared foundation for reasoning and compliance frameworks. At the same time, recent research has begun to bridge ontological modelling with operational contexts such as threat intelligence, dynamic incident response, and social-engineering defence. This shift from static representations toward actionable knowledge signals a gradual move from theoretical modelling to practical enablement.
The expansion of domain-specific ontologies for IoT, cyber–physical systems, and web infrastructures also demonstrates adaptability to new threat environments. However, empirical validation and large-scale deployment remain the exception rather than the rule. Only a handful of initiatives—mostly in sectors such as energy, aeronautics, and enterprise risk management—report measurable adoption or reasoning-based evaluation. This gap between conceptual sophistication and applied validation remains one of the field’s main barriers to maturity.
Looking ahead, advancing toward an Integrated Security Ontology represents both a challenge and an opportunity. The challenge lies in reconciling heterogeneous conceptualizations without sacrificing the expressiveness that different subdomains require. The opportunity resides in establishing a common, extensible foundation that supports reuse, semantic alignment, and scalability. Such an ontology could act as a bridge between research and practice, enabling explainable AI applications, automated compliance, and context-aware defence systems.
In short, cybersecurity ontology research has evolved from isolated conceptual artefacts into a critical enabler of intelligent and adaptive defence. What the field now needs is not more ontologies but better connected ones—models that communicate through shared semantics, validated through empirical evidence, and sustained by collaborative communities. Consolidation, therefore, should not replace specialization but rather make it interoperable. Achieving this balance—between the instrumental and the formal, between detection and recovery—will determine whether ontological engineering becomes a backbone of cybersecurity knowledge or remains a fragmented collection of promising yet disconnected efforts.
As with most systematic reviews in software engineering, the findings may be influenced by reporting bias, as many ontology studies provide limited detail on evaluation procedures or long-term usage; however, the applied quality appraisal mitigates this risk by emphasising transparency, validation intent, and artefact completeness.

7. Limitations

Although this study aimed to provide a comprehensive overview of cybersecurity ontologies, several limitations should be considered when interpreting its findings.
First, the scope of the search was intentionally restricted to peer-reviewed publications written in English. This decision ensured methodological consistency and quality control but may have excluded valuable contributions from industrial or governmental projects reported in other languages or non-indexed venues. Future reviews could complement this approach with grey literature or regional sources to capture a broader perspective.
Second, the terminology of cybersecurity remains fluid and context-dependent. Concepts such as “incident,” “control,” or “threat actor” are not always used uniformly across studies, which may have introduced subtle ambiguities in the mapping and synthesis processes. Although the review sought to mitigate this through consensus coding, complete harmonisation is inherently difficult in a field that evolves as rapidly as cybersecurity.
Third, there is substantial heterogeneity in the way ontologies are evaluated. Only a minority of the reviewed works provide empirical validation or quantitative quality metrics, which limits the comparability of maturity levels between studies. This heterogeneity reflects the lack of community-agreed benchmarks rather than methodological oversight, and addressing it will be crucial for future consolidation efforts.
Another limitation concerns the availability of tools and artefacts. Many publications describe conceptual frameworks but do not release the underlying OWL or RDF models, making independent verification or reuse challenging. This limitation underscores a broader issue in the ontology-engineering community—the gap between conceptual modelling and open, reproducible research practice.
Finally, the review maintained a deliberate focus on the cybersecurity domain. Although related areas such as safety, dependability, and trust management share conceptual overlaps, their integration lies beyond the scope of this paper. Bridging these domains in future work could reveal cross-cutting ontological patterns and enhance the unified understanding of security and resilience.
Despite these limitations, the review offers a reliable and balanced portrayal of the current state of cybersecurity ontology research. By identifying both conceptual strengths and methodological weaknesses, it provides a grounded foundation for advancing toward more integrated, validated, and practically useful ontological frameworks.

8. Future Work

The results of this review highlight a clear fragmentation in the landscape of security ontologies. Although numerous models have been developed to address specific aspects—ranging from risk management and vulnerability analysis to attack modelling and compliance—there remains a lack of unified frameworks that can bridge these specialised domains and enable consistent and scalable knowledge representation across contexts. As a direct response to this gap, our future work will focus on the design and implementation of an integrated security ontology. This unified model will aim to synthesise core concepts, relationships, and domain-specific extensions into a cohesive, semantically rich structure capable of supporting both human understanding and machine reasoning. The integrated ontology will:
  • Unify foundational constructs (e.g., Asset, Threat, Vulnerability, Control, Incident) based on the consensus found across the reviewed literature.
  • Harmonise diverse modelling perspectives (e.g., risk assessment, attack classification, policy compliance, social engineering) into interoperable modules.
  • Incorporate mappings to widely used standards and taxonomies such as CVE, CWE, CVSS, STIX, ISO/IEC 27001, and NIST guidelines to improve alignment with industry practices.
  • Enable reuse and extensibility through modular ontology design patterns and OWL-based formalisation, facilitating domain adaptation (e.g., IoT, CPS, or cloud environments).
  • Provide tool support for automatic population from structured sources (e.g., vulnerability databases) and unstructured data (e.g., threat intelligence feeds, technical documentation).
In parallel, empirical validation efforts will be conducted through real-world case studies in industrial and government settings, focussing on practical utility, integration challenges, and user-centred feedback. In addition, future iterations of the ontology will explore integration with Explainable AI (XAI), security knowledge graphs, and visualisation platforms to enhance transparency and usability.
Ultimately, our goal is to reduce the cognitive and semantic fragmentation that currently impedes interoperability and collaboration in the security domain and to offer a shared foundation for researchers, practitioners, and policy-makers working toward resilient digital ecosystems. Figure 12 illustrates our envisioned architecture for an integrated security ontology. At the core lies a shared model that captures fundamental security concepts such as Asset, Threat, Vulnerability, Security Property, and Countermeasure, serving as the ontological backbone. Surrounding this core are specialised modules that reflect key application areas—Risk Management, Attack Detection, Policy Compliance, and Domain-Specific Extensions such as Internet of Things (IoT) or Cyber-Physical Systems (CPS). These modules interoperate with the core ontology via semantically consistent interfaces. This modular yet integrated structure aims to reduce fragmentation by enabling reuse, fostering cross-domain reasoning, and supporting scalable implementation in real-world settings. By consolidating diverse perspectives into a cohesive knowledge model, the proposed architecture lays the foundation for a comprehensive and adaptable cybersecurity ontology.
To transition from conceptualisation to operational implementation, future work must include empirical validation of the proposed ontology and knowledge graph. This includes:
  • Conducting expert reviews using competency questions.
  • Evaluating reasoning capabilities through case-based scenarios.
  • Applying the ontology in prototype tools for threat analysis and security requirement elicitation.
  • Comparing retrieval performance and inference consistency with existing ontologies.

Emerging Research Challenges: Toward Security Knowledge Graphs

The systematic review presented in this paper revealed persistent fragmentation among existing cybersecurity ontologies, particularly in terms of conceptual alignment, empirical validation, and interoperability. These limitations indicate that, although ontologies have achieved significant conceptual maturity, their integration into operational and data-driven environments remains limited. To address these shortcomings, recent research increasingly points toward Security Knowledge Graphs (SKGs) as a promising evolution of ontology-based approaches. SKGs extend traditional ontologies by enabling dynamic reasoning, continuous data integration, and automated enrichment from heterogeneous information sources.
Building upon the empirical gaps and conceptual insights identified in this review, this subsection outlines a set of emerging research challenges that must be addressed to transform isolated cybersecurity ontologies into unified, explainable, and scalable knowledge infrastructures. These challenges are derived from the synthesis of results in Section 5 and Section 6 and represent the next logical step toward the development of the Integrated Security Ontology and its operational implementation through SKGs, which will be detailed in Part II of this research.
  • Semantic Integration of Heterogeneous Sources: Security data is distributed across disparate repositories—ranging from structured vulnerability databases (e.g., CVE, CWE, NVD) to unstructured sources such as blogs, social media, and threat reports. Integrating these into a coherent knowledge graph requires resolving ambiguities, mapping between ontologies, and harmonizing inconsistent terminologies.
  • Scalability and Real-Time Updates: Cybersecurity data evolves rapidly. SKGs must be dynamically updated to reflect emerging threats, vulnerabilities, and countermeasures. This poses challenges in data-ingestion pipelines, stream reasoning, and incremental ontology enrichment without compromising graph consistency or performance.
  • Standardization of Core Schemas and Vocabularies: There is currently no universally accepted schema for representing security knowledge in graph form. While standards such as STIX, TAXII, and MISP provide partial solutions, they are domain-specific and not fully OWL-compatible. Establishing modular and extensible core vocabularies is therefore essential for semantic interoperability.
  • Automated Knowledge Extraction: Converting raw text (e.g., advisories, documentation, or social media) into structured triples for SKGs requires robust natural language processing (NLP) techniques—including entity recognition, relationship extraction, and disambiguation. Current tools often struggle with domain-specific jargon and the implicit relationships common in cybersecurity narratives.
  • Security and Privacy of the Knowledge Graph Itself: Ironically, security knowledge graphs may become attack targets or vectors for information leakage. Ensuring access control, provenance tracking, trust assessment of sources, and protection against inference attacks remains a non-trivial challenge.
  • Explainability and Human-Interpretability: For security analysts to adopt SKGs in practice, the outputs of reasoning engines must be explainable and traceable. This requires not only well-designed ontology structures but also visualization and interaction mechanisms that align with analysts’ workflows.
  • Validation and Benchmarking: There is a lack of standardized benchmarks and evaluation frameworks to assess the quality, completeness, and utility of SKGs. Establishing empirical validation procedures and publicly available testbeds is crucial to ensure comparability and reproducibility.
Addressing these challenges will require interdisciplinary collaboration among ontology engineers, cybersecurity practitioners, NLP researchers, and data-infrastructure specialists. Future work must balance formal expressiveness with operational scalability, enabling both automated inference and real-time situational awareness within complex cybersecurity environments.
A simplified fragment of a Security Knowledge Graph (SKG) is presented in Figure 13, illustrating how core cybersecurity concepts and relationships can be semantically connected to support contextual awareness and automated reasoning. The central asset, a Web Application, is associated with a specific vulnerability—CVE-2021-44228 (Log4Shell)—which is formally classified under the CWE-502 weakness category related to the deserialisation of untrusted data.
A Remote Threat Actor is capable of exploiting this vulnerability, representing the threat context. In response, two countermeasures are depicted: a Java Library Update, which directly mitigates the vulnerability, and a WAF Rule Update + Patch, which provides a protective barrier against the attack vector initiated by the threat actor.
This example demonstrates the potential of SKGs to unify heterogeneous cybersecurity data—vulnerabilities, threats, weaknesses, and countermeasures—into a coherent, machine-readable structure. Such representations can form the foundation for advanced security analytics, threat modelling, vulnerability management, and decision support in both research and operational settings.
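The Figure 13 fragment, together with the semantic-integration and provenance challenges listed above, can be made concrete with a small knowledge-graph implementation. The following Python block is an added example written for this review; it is not code from the paper or from any of the reviewed ontologies. It ingests two constructed source records expressed in different vocabularies (an NVD-style vulnerability record and STIX-like threat-actor and course-of-action objects), harmonises their labels onto the core vocabulary, keeps a provenance set for every triple, and applies two inference rules to derive which actor can attack which asset and which countermeasures cover it. CVE-2021-44228 and CWE-502 are taken from the text; the predicate names (hasVulnerability, exploits, mitigates, protectsAgainst, canAttack), the alias table and the record layouts are assumptions.

```python
"""Minimal Security Knowledge Graph (SKG): ingestion from two constructed sources,
label harmonisation, per-triple provenance and rule-based inference.
Added example: predicate names, alias table and record layouts are assumptions."""
from collections import defaultdict

# Source-specific labels mapped onto the review's core entities (assumed synonym table).
ALIASES = {
    "threat agent": "ThreatActor", "threat actor": "ThreatActor", "attacker": "ThreatActor",
    "weakness": "Weakness", "cwe": "Weakness", "control": "Countermeasure",
    "mitigation": "Countermeasure", "course of action": "Countermeasure",
}

def harmonise(label):
    """Map a source label to the core vocabulary; unknown labels pass through."""
    return ALIASES.get(label.strip().lower(), label)

class SKG:
    """Set of (s, p, o) triples, each tagged with the sources that asserted it."""
    def __init__(self):
        self.triples = set()
        self.sources = defaultdict(set)  # (s, p, o) -> {source ids or rule ids}

    def add(self, s, p, o, source):
        self.triples.add((s, p, o))
        self.sources[(s, p, o)].add(source)

    def match(self, s=None, p=None, o=None):
        """Triples matching a pattern; None is a wildcard."""
        return [t for t in self.triples if (s is None or t[0] == s)
                and (p is None or t[1] == p) and (o is None or t[2] == o)]

    def objects(self, s, p):
        return {t[2] for t in self.match(s, p)}

    def subjects(self, p, o):
        return {t[0] for t in self.match(None, p, o)}

def ingest_vuln_record(g, rec, source="vuln-db"):
    """NVD-style record (constructed): id, CWE classification, affected assets."""
    g.add(rec["id"], "type", "Vulnerability", source)
    g.add(rec["cwe"], "type", harmonise("cwe"), source)  # 'cwe' -> Weakness
    g.add(rec["id"], "classifiedAs", rec["cwe"], source)
    for asset in rec["affects"]:
        g.add(asset, "type", "Asset", source)
        g.add(asset, "hasVulnerability", rec["id"], source)

def ingest_cti_record(g, rec, source="cti-feed"):
    """STIX-like object (constructed): 'threat-actor' or 'course-of-action'."""
    kind = harmonise(rec["type"].replace("-", " "))  # e.g. 'threat-actor' -> ThreatActor
    g.add(rec["name"], "type", kind, source)
    for cve in rec.get("exploits", []):
        g.add(rec["name"], "exploits", cve, source)
    for cve in rec.get("mitigates", []):
        g.add(rec["name"], "mitigates", cve, source)
    for actor in rec.get("protects_against", []):
        g.add(rec["name"], "protectsAgainst", actor, source)

def build_figure13_graph(with_countermeasures=True):
    """Constructed records reproducing the Figure 13 fragment (CVE/CWE ids from the text)."""
    g = SKG()
    ingest_vuln_record(g, {"id": "CVE-2021-44228", "cwe": "CWE-502", "affects": ["Web Application"]})
    ingest_cti_record(g, {"type": "threat-actor", "name": "Remote Threat Actor",
                          "exploits": ["CVE-2021-44228"]})
    if with_countermeasures:
        ingest_cti_record(g, {"type": "course-of-action", "name": "Java Library Update",
                              "mitigates": ["CVE-2021-44228"]})
        ingest_cti_record(g, {"type": "course-of-action", "name": "WAF Rule Update + Patch",
                              "protects_against": ["Remote Threat Actor"]})
    return g

def infer_exposures(g):
    """Rule 1: asset hasVulnerability v AND actor exploits v  =>  actor canAttack asset."""
    exposures = set()
    for actor, _, cve in g.match(p="exploits"):
        for asset in g.subjects("hasVulnerability", cve):
            exposures.add((actor, asset))
            g.add(actor, "canAttack", asset, "inferred:rule1")
    return exposures

def countermeasures_for(g, asset):
    """Rule 2: a countermeasure covers an asset if it mitigates one of the asset's
    vulnerabilities or protects against an actor that canAttack it."""
    infer_exposures(g)  # ensure canAttack edges exist before applying rule 2
    covering = set()
    for cve in g.objects(asset, "hasVulnerability"):
        covering |= g.subjects("mitigates", cve)
    for actor in g.subjects("canAttack", asset):
        covering |= g.subjects("protectsAgainst", actor)
    return covering

def unmitigated_vulnerabilities(g):
    """Vulnerabilities that no countermeasure mitigates directly: the gap an analyst wants surfaced."""
    return {v for v in g.subjects("type", "Vulnerability") if not g.subjects("mitigates", v)}

def provenance(g, s, p, o):
    """Which sources (or inference rules) asserted a triple."""
    return sorted(g.sources.get((s, p, o), ()))

if __name__ == "__main__":
    g = build_figure13_graph()
    print("exposures:", infer_exposures(g))
    print("countermeasures:", countermeasures_for(g, "Web Application"))
    print("provenance:", provenance(g, "Remote Threat Actor", "canAttack", "Web Application"))
```

Running the module prints the inferred exposure (Remote Threat Actor canAttack Web Application), the two countermeasures that cover the asset, and the provenance of the inferred triple, which is tagged with the rule that produced it rather than with a source feed. Building the graph with with_countermeasures=False makes the same rules report CVE-2021-44228 as unmitigated, which is how a graph of this kind supports the vulnerability-management and decision-support uses named above. Keeping source identifiers on every triple is also the first step toward the provenance tracking and source-trust assessment listed among the research challenges.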

9. Conclusions

This study conducted a comprehensive systematic review of cybersecurity ontologies to clarify how the field has evolved conceptually, thematically, and methodologically. Using more than a decade of research, we identified consistent patterns in how security knowledge is structured, shared, and operationalised across domains.
The analysis revealed a landscape that is intellectually mature, yet operationally fragmented. Many ontologies remain isolated efforts, tailored to specific applications such as vulnerability management, risk assessment, or compliance verification. Although this specialisation demonstrates the flexibility of ontology-based approaches, it has also led to redundant modelling, semantic inconsistencies, and limited interoperability—factors that hinder large-scale adoption in operational environments. At the same time, this diversity reflects the broad applicability of ontologies in heterogeneous cybersecurity contexts.
At the artefact level, the reviewed literature shows a clear preference for OWL-based, taxonomically grounded ontologies with DL-based reasoning support. Across the three research questions, several insights stand out. First, the synthesis of core concepts and relationships (RQ1) confirms the emergence of a shared conceptual backbone—centred on Asset, Threat, Vulnerability, Attack, and Countermeasure. These constructs provide a stable vocabulary that can support reasoning, traceability, and alignment across security domains. Second, domain-based and framework-based analyses (RQ2) show that existing ontologies predominantly support the Govern, Identify, and Detect functions of the NIST Cybersecurity Framework (CSF) 2.0, while Respond and Recover remain comparatively under-represented. This imbalance highlights a gap between preventive modelling and the needs of resilience, incident response, and recovery. Third, methodological assessment (RQ3) indicates that despite the strong conceptual development, empirical validation and sustained industrial adoption are still limited. Most contributions remain at the level of conceptual proposals or prototypes, with few longitudinal evaluations or comparative assessments in real operational settings.
Taken together, these findings point to a clear direction for future research and practice: the transition from fragmented, application-specific ontologies to integrated, reusable, and empirically grounded security knowledge models. From a practitioner perspective, this transition is particularly relevant for modern cybersecurity operations, where interoperability, automation, and explainability are critical. Emerging paradigms such as Security Orchestration, Automation, and Response (SOAR), Zero-Trust architectures, and continuous compliance monitoring require shared semantic foundations capable of linking alerts, assets, policies, controls, and response actions across heterogeneous tools and platforms.
Future cybersecurity ontologies should therefore be designed with explicit support for operational integration. This includes enabling machine-interpretable representations that can drive automated playbooks in SOAR platforms, support policy reasoning in Zero-Trust environments, and provide an explainable semantic context for AI-assisted detection and decision-making. Equally important is the need for modularity and evolution, allowing ontologies to adapt to emerging threats, new regulatory requirements, and changing organisational contexts without repeated reinvention.
This review provides the analytical foundation for addressing these challenges. By clarifying what current cybersecurity ontologies capture, where conceptual and functional gaps persist, and how maturity varies across the literature, it directly informs the design of a unified and practitioner-oriented cybersecurity ontology. Such a unified model represents a natural next step for the field—one that moves beyond conceptual consolidation to operational impact, bridging research advances with the practical needs of contemporary cybersecurity practice.

Author Contributions

Conceptualization, R.G. and M.D.-R.; methodology, R.G.; software, R.G. and M.D.-R.; validation, R.G. and M.D.-R.; formal analysis, R.G. and M.D.-R.; investigation, R.G. and M.D.-R.; resources, R.G. and M.D.-R.; data curation, M.D.-R.; writing—original draft preparation, R.G.; writing—review and editing, R.G. and M.D.-R.; visualization, R.G. and M.D.-R.; supervision, R.G. and M.D.-R.; project administration, R.G. All authors have read and agreed to the published version of the manuscript.

Funding

This research received no external funding.

Institutional Review Board Statement

Not applicable.

Informed Consent Statement

Not applicable.

Data Availability Statement

No new datasets were generated in this study. The primary data consist of the set of academic articles included in the systematic review, which were identified through publicly accessible digital libraries and screened using the Rayyan software platform (https://www.rayyan.ai/). The final list of included studies and the corresponding extraction criteria can be made available by the authors upon reasonable request.

Conflicts of Interest

The authors declare no conflicts of interest.

Appendix A. Selected Articles

Table A1. A sample long table.
ID | Source | Title | Year
P01 | [58] | A Proposal for an Ontology to Enhance IT Architecture Resilience | 2025
P02 | [43] | Building a comprehensive and multi-dimensional information security ontology: elicitation process and OWL implementation | 2025
P03 | [106] | CyberROAD: A cybersecurity risk assessment ontology for automotive domain aligned with ISO/SAE 21434:2021 | 2025
P04 | [91] | Guiding cybersecurity compliance: An ontology for the NIS 2 directive | 2025
P05 | [107] | OntoCPS4PMS: Ontology modeling for collaborative cyber-physical threat defense in power monitoring system | 2025
P06 | [81] | Protecting digital assets using an ontology based cyber situational awareness system | 2025
P07 | [92] | SecOnto: Ontological Representation of Security Directives | 2025
P08 | [88] | Ontology-based security modeling in ArchiMate | 2024
P09 | [115] | Developing a Novel Ontology for Cybersecurity in Internet of Medical Things-Enabled Remote Patient Monitoring | 2024
P10 | [53] | Blockchain-based ontology driven reference framework for security risk management | 2024
P11 | [79] | Ontological-based Intrusion Detection System (IDS): A Comparative Study | 2023
P12 | [54] | A management knowledge graph approach for critical infrastructure protection: Ontology design, information extraction and relation prediction | 2023
P13 | [105] | A Smart Grid Ontology: Vulnerabilities, Attacks, and Security Policies | 2023
P14 | [119] | Toward a phishing attack ontology | 2023
P15 | [89] | An Ontological Approach to Compliance Verification of the NIS 2 Directive | 2023
P16 | [55] | Towards an Ontology-Driven Approach for Process-Aware Risk Propagation | 2023
P17 | [41] | Construction of Ontology Graphs in a Cyber Security Framework (OCSF) | 2023
P18 | [56] | Ontology-based approach to real-time risk management and cyber-situational awareness | 2023
P19 | [120] | Ontology-based Solution for Handling Safety and Cybersecurity Interdependency in NFV Safety Architecture | 2023
P20 | [80] | An Ontology-Centric Approach for Network Security Situation Awareness | 2023
P21 | [121] | Security Ontology OntoSecRPA for Robotic Process Automation Domain | 2023
P22 | [42] | The Design and Application of a Unified Ontology for Cyber Security | 2023
P23 | [57] | Towards Cybersecurity Risk Assessment Automation: an Ontological Approach | 2023
P24 | [100] | Onto-CARMEN: Ontology-driven approach for Cyber-Physical System Security Requirements meta-modelling and reasoning | 2023
P25 | [51] | OnToRisk—a formal ontology approach to automate cyber security risk identification | 2022
P26 | [40] | Security Ontology Structure for Formalization of Security Document Knowledge | 2022
P27 | [50] | Hybrid ontology for safety, security, and dependability risk assessments and Security Threat Analysis (STA) method for industrial control systems | 2022
P28 | [104] | Semantic-Based Approach for Cyber-Physical Cascading Effects Within Healthcare Infrastructures | 2022
P29 | [99] | Supporting Security Requirements Engineering through the Development of The Secure Development Ontology | 2022
P30 | [108] | Building an Ontology for Cyber Defence Exercises | 2022
P31 | [76] | Proactive Ontology-based Cyber Threat Intelligence Analytic | 2021
P32 | [46] | Towards an Ontology for Enterprise Level Information Security Policy Analysis | 2021
P33 | [38] | Towards an Automatic Approach to the Design of A Generic Ontology for Information Security | 2021
P34 | [39] | Social engineering in cybersecurity: a domain ontology and knowledge graph application examples | 2021
P35 | [63] | Ontology-Driven Framework for Trend Analysis of Vulnerabilities and Impacts in IoT Hardware | 2021
P36 | [74] | Cyberattack Ontology: A Knowledge Representation for Cyber Supply Chain Security | 2021
P37 | [62] | Intelligent Answer System Based on Vulnerability Knowledge Graph | 2021
P38 | [7] | Cybersecurity Ontology for Dynamic Analysis of IT Systems | 2021
P39 | [39] | Integrating Heterogeneous Security Knowledge Sources for Comprehensive Security Analysis | 2021
P40 | [109] | Ontology-Based Scenario Modeling for Cyber Security Exercise | 2021
P41 | [47] | Corda Security Ontology: Example of Post-Trade Matching and Confirmation | 2020
P42 | [60] | Cybersecurity vulnerability management: A conceptual ontology and cyber intelligence alert system | 2020
P43 | [77] | Towards ontology-based cyber threat response | 2020
P44 | [75] | Ontology-based Automation of Penetration Testing | 2020
P45 | [103] | An Ontology to Promote Interoperability between Cyber-physical Security Systems in Critical Infrastructures | 2020
P46 | [67] | CSKB: A Cyber Security Knowledge Base Based on Knowledge Graph | 2020
P47 | [36] | Natural Language Processing Model for Automatic Analysis of Cybersecurity-Related Documents | 2020
P48 | [49] | Defender-centric Conceptual Cyber Exposure Ontology for Adaptive Cyber Risk Assessment | 2020
P49 | [110] | Automatically Generate E-Learning Quizzes from IoT Security Ontology | 2019
P50 | [44] | A STAMP-based ontology approach to support safety and security analyses | 2019
P51 | [73] | Applying Semantic Web Technologies to Discover an Ontology of Computer Attacks | 2019
P52 | [72] | Applying Multi-Level Theory to an Information Security Incident Domain Ontology | 2019
P53 | [34] | An ontology-based approach to improve access policy administration of attribute-based access control | 2019
P54 | [83] | A First Step Towards an ISO-Based Information Security Domain Ontology | 2019
P55 | [70] | TAGraph: Knowledge Graph of Threat Actor | 2019
P56 | [35] | OWL Ontologies in Cybersecurity: Conceptual Modeling of Cyber-Knowledge | 2019
P57 | [82] | An Ontology Capturing the Interdependence of the General Data Protection Regulation (GDPR) and Information Security | 2018
P58 | [98] | Towards Eliciting and Analyzing Security Requirements Using Ontologies through Use Case Scenarios (Work-in-Progress) | 2018
P59 | [21] | Towards an Ontology of Security Assessment: A Core Model Proposal | 2018
P60 | [64] | A Practical Approach to Constructing a Knowledge Graph for Cybersecurity | 2018
P61 | [112] | An Ontology-Based Cybersecurity Framework for the Internet of Things | 2018
P62 | [66] | CoCoa: An Ontology for Cybersecurity Operations Centre Analysis Process | 2018
P63 | [61] | Cybersecurity vulnerability management: An ontology-based conceptual model | 2018
P64 | [101] | Cybersecurity Ontology for Critical Infrastructures | 2017
P65 | [78] | Network Security Situation Awareness Based on Semantic Ontology and User-Defined Rules for Internet of Things | 2017
P66 | [86] | An Ontology-Based Approach to Automate Tagging of Software Artifacts | 2017
P67 | [111] | An ontological model of the domain of applications for the Internet of Things in analysing information security | 2017
P68 | [48] | Cybersecurity and Resilience Modelling for Software-Defined Networks-Based Manufacturing Applications | 2017
P69 | [95] | Maintenance & information security ontology | 2017
P70 | [71] | An ontology for threat intelligence | 2016
P71 | [59] | Tracing known security vulnerabilities in software repositories—A Semantic Web enabled modelling approach | 2016
P72 | [96] | Knowledge Base for an Intelligent System in order to Identify Security Requirements for Government Agencies Software Projects | 2016
P73 | [87] | Towards the Ontology of ISO/IEC 27005: 2011 Risk Management Standard | 2016
P74 | [20] | UCO: A unified cybersecurity ontology | 2016
P75 | [102] | A semantic security framework and context-aware role-based access control ontology for smart spaces | 2016
P76 | [116] | Towards a Human Factors Ontology for Cyber Security | 2015
P77 | [114] | Towards a reference ontology for security in the Internet of Things | 2015
P78 | [94] | An Ontology to the Information Security Management | 2015
P79 | [45] | The information systems’ security level assessment model based on an ontology and evidential reasoning approach | 2015
P80 | [69] | Risk intelligence retrieval based on ontology | 2015
P81 | [93] | Reference Ontology for Cybersecurity Operational Information | 2014
P82 | [118] | Towards an Ontological Model Defining the Social Engineering Domain | 2014
P83 | [65] | Ontology for attack detection: An intelligent approach to web application security | 2014
P84 | [90] | Using an ontology as a model for the implementation of the national cybersecurity policy framework for South Africa | 2014
P85 | [117] | Social engineering attack framework | 2014
P86 | [113] | Information Security Ontology Model for Internet of Thing | 2013
P87 | [68] | Ontology and Specification-Based Intrusion Detection and Prevention System | 2013
P88 | [52] | A Multi-objective Decision Support Framework for Simulation-Based Security Control Selection | 2012
P89 | [37] | The Ontological Approach for SIEM Data Repository Implementation | 2012
P90 | [84] | On Optimizing the Path to Information Security Compliance | 2012
P91 | [97] | Security asset elicitation for collaborative models | 2012
P92 | [85] | An Ontology Approach in Designing Security Information Systems to Support Organizational Security Risk Knowledge | 2012
P93 | [122] | An Ontological Approach to Information Security Management | 2012

Appendix B. Glossary of Terms Extracted from the SLR

Category | Terms (Excerpt)
Core Ontological Concepts | Ontology; Concept/Class; Property/Attribute; Relation; Axiom; Instance; Thing (Root Concept); Domain Ontology; Task Ontology; Application Ontology; Vocabulary; Glossary; Taxonomy; Metamodel; Knowledge Base; Knowledge Graph; Assertion Box (ABox); Terminology Box (TBox); Rule; Constraint; Archetype; Connected Component; Trivial Component; Concern; Root; Leaf.
Domain-Specific Security Entities | Asset; Electronic Data; Physical Data; Hardware; Software; Person; Service; Threat; Vulnerability; Countermeasure; Security Measure; Security Goal; Confidentiality; Integrity; Availability; Authenticity; Risk; Impact; Incident; Event; Information System; Security Attribute; Security Mechanism; Mission; Purpose; Control Algorithm; Threat Actor; Organisation; Tool; Alert.
Key Relations and Properties | is-a; relates to; exploited by; threatens; has security properties; affects; exploits; reduces; detects; prevents; protects; has vulnerability; mitigates; interacts with; created by; located in; has consequences.
Attack and Vulnerability Concepts | Attack; Attack Scenario; Attack Mechanism; Attack Type; Active Attack; Brute Force Attack; Denial of Service (DoS); Ping of Death; SYN Flood; SQL Injection; Cross-Site Scripting (XSS); Spear Phishing; Man-in-the-Middle; Spoofing; Data Breach; Simple Password; Buffer Overflow.
Security Evaluation and Management | Security Assessment; Vulnerability Management; Information Security Management (ISM); Risk Management; Security Policy; Security Compliance; Security Metrics; Certification Process; Audit; Security Testing Process; Security Testing; Security Reviews; Local Coverage; Global Coverage; Total Coverage; Security Threat Analysis (STA).
Pedagogical and Development Concepts | Pedagogical Cybersecurity Ontology; Pedagogical Knowledge; Importance; Difficulty; Prerequisites; Likely Misunderstandings; Domain Content Knowledge; Bridge Concepts; Teaching Materials; Software Engineering Ontologies; Software Security Tagger Framework; Bag of Security Concepts.
Standards and Methodologies | STAMP/STPA-Sec; National Institute of Standards and Technology (NIST); ISO/IEC 27001; ISO/IEC 27002; ISO/IEC 27005; Coordination Center for Emergency Response Teams (CERT/CC); Common Vulnerability Scoring System (CVSS); Common Weakness Enumeration (CWE); Common Attack Pattern Enumeration and Classification (CAPEC); Web Ontology Language (OWL); SPARQL Protocol and RDF Query Language (SPARQL); Protégé Tool; Apache JENA Framework.

Appendix C. Database-Specific Search Strings

To ensure transparency and replicability of the systematic literature review, this appendix reports the exact search strings, search fields, and filters applied to each digital library. Minor syntactic adaptations were required to accommodate database-specific query languages, while preserving equivalent semantics across sources.
All searches targeted peer-reviewed publications written in English and published between 2010 and 2025. The final search was conducted in December 2025.

Appendix C.1. IEEE Xplore

Search fields: Document Title, Abstract, Index Terms
Search string: ("cybersecurity ontology" OR "security ontology" OR "information security ontology" OR "cyber security ontology") AND (ontology OR ontologies)
Filters: Journals and Conferences; English; 2010–2025

Appendix C.2. ACM Digital Library

Search fields: Title, Abstract, Keywords
Search string: ("cybersecurity ontology" OR "security ontology" OR "information security ontology")
Filters: Articles and Proceedings; English; 2010–2025

Appendix C.3. Scopus

Search fields: TITLE-ABS-KEY
Search string: TITLE-ABS-KEY("cybersecurity ontology" OR "security ontology" OR "information security ontology" OR "cyber security ontology")
Filters: Computer Science; English; 2010–2025

Appendix C.4. SpringerLink

Search fields: Title, Abstract
Search string: ("cybersecurity ontology" OR "security ontology" OR "information security ontology")
Filters: Computer Science; English; 2010–2025

Appendix C.5. Web of Science

Search fields: Topic (Title, Abstract, Author Keywords)
Search string: TS=("cybersecurity ontology" OR "security ontology" OR "information security ontology")
Filters: Computer Science; English; 2010–2025

Appendix C.6. DBLP

Search fields: Title
Search string: cybersecurity ontology OR security ontology
Filters: Computer Science publications; 2010–2025

Appendix C.7. CEUR-WS.org

Search fields: Full text (manual screening)
Search string: ontology AND (cybersecurity OR "information security")
Filters: Workshop proceedings; English; 2010–2025

Appendix C.8. arXiv

Search fields: Title and Abstract
Search string: ("cybersecurity ontology" OR "security ontology")
Filters: Computer Science categories; English; 2010–2025

Appendix C.9. Post-Processing and Deduplication

All retrieved records were exported in BibTeX format and merged into a single corpus. Duplicate detection, inclusion/exclusion screening, and conflict resolution were conducted using the Rayyan platform. Screening decisions followed the inclusion and exclusion criteria reported in Section 4.2.4 and are summarised in the PRISMA 2020 flow diagram (Figure 1).
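One way to implement the merge-and-deduplicate step before screening, shown here as an added example rather than the authors' own pipeline (the review used Rayyan for this): a minimal BibTeX parser followed by DOI and title normalisation, so that the same paper exported by two databases with different capitalisation, trailing punctuation or a resolver prefix on the DOI is caught as one record. The three records in SAMPLE_BIB are constructed for illustration and are not real publications; the matching order (DOI first, then normalised title) is an assumption of this example.

```python
"""Added example: BibTeX merge-and-deduplicate step. The records below are constructed
for illustration and are not real publications; this is not the review's own pipeline."""
import re

SAMPLE_BIB = r"""
@article{a1,
  title = {A Security Ontology for Threat Modelling},
  author = {Doe, J. and Roe, A.},
  doi = {10.1000/example.2021.001},
  year = {2021}
}
@inproceedings{b7,
  title = {A security ontology for threat modelling.},
  author = {Doe, John and Roe, Ann},
  doi = {https://doi.org/10.1000/EXAMPLE.2021.001},
  year = {2021}
}
@article{c3,
  title = {Knowledge Graphs for Vulnerability Management},
  author = {Poe, B.},
  year = {2023}
}
"""

# One entry: @type{key, fields...} terminated by a closing brace at line start.
ENTRY_RE = re.compile(r"@(\w+)\s*\{\s*([^,\s]+)\s*,(.*?)\n\}", re.S)
# One field: name = {value}; values with nested braces are out of scope for this example.
FIELD_RE = re.compile(r"(\w+)\s*=\s*\{(.*?)\}\s*,?", re.S)


def parse_bibtex(text):
    """Return a list of dicts, one per entry, with lower-cased field names."""
    entries = []
    for etype, key, body in ENTRY_RE.findall(text):
        fields = {k.lower(): " ".join(v.split()) for k, v in FIELD_RE.findall(body)}
        entries.append({"type": etype.lower(), "key": key, **fields})
    return entries


def normalize_doi(doi):
    """Lower-case and strip any resolver prefix so 'https://doi.org/10.X/Y' == '10.x/y'."""
    if not doi:
        return None
    doi = re.sub(r"^(https?://)?(dx\.)?doi\.org/", "", doi.strip().lower())
    return doi or None


def normalize_title(title):
    """Collapse case, punctuation and whitespace so minor export differences still match."""
    return re.sub(r"[^a-z0-9]+", " ", title.lower()).strip()


def deduplicate(entries):
    """Keep the first record; a later record with the same DOI, or (when no DOI matches)
    the same normalised title, is reported as a duplicate of it."""
    by_doi, by_title, unique, duplicates = {}, {}, [], []
    for entry in entries:
        doi = normalize_doi(entry.get("doi"))
        title = normalize_title(entry.get("title", ""))
        original = by_doi.get(doi) if doi else None
        if original is None and title:
            original = by_title.get(title)
        if original is not None:
            duplicates.append((entry["key"], original["key"]))
            continue
        if doi:
            by_doi[doi] = entry
        if title:
            by_title[title] = entry
        unique.append(entry)
    return unique, duplicates


if __name__ == "__main__":
    kept, dropped = deduplicate(parse_bibtex(SAMPLE_BIB))
    print("kept:", [e["key"] for e in kept])      # ['a1', 'c3']
    print("duplicates:", dropped)                  # [('b7', 'a1')]
```

Records without a DOI fall back to title matching only, which is why the title normalisation deliberately discards punctuation and case; for a real corpus the duplicate pairs should still be spot-checked, since two distinct papers can share a title (a conference version and its journal extension, for instance).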

Appendix D. Characterisation of the Reviewed Cybersecurity Ontologies

Table A2. Characterisation of the reviewed cybersecurity ontology artefacts according to representation formalism, modelling paradigm, and reasoning support. This table provides a descriptive overview of ontology artefact properties and is not used to derive or support answers to the research questions (RQ1–RQ3).
ID | Ref. | Representation Formalism | Modelling Paradigm | Reasoning Support
P01 | [58] | Not specified | Taxonomic/hierarchical (conceptual) | Not specified
P02 | [43] | OWL (generated from XML-based elicitation artefacts) | Multi-dimensional/modular taxonomy (hybrid conceptual views) | DL reasoning (in principle); not explicitly reported
P03 | [106] | OWL/RDF (OWLGrEd; RDF/OWL artefact referenced) | Graph-based ontology with taxonomic backbone | Not specified
P04 | [91] | OWL + SPARQL (compliance queries) | Taxonomic/compliance-oriented conceptual model (controls/obligations) | SPARQL/graph queries (compliance checking); DL reasoning not specified
P05 | [107] | OWL + SWRL (Protégé implementation) | Hybrid (taxonomy + rule-centric model for threat defense) | DL + rule-based reasoning (SWRL-supported)
P06 | [81] | RDF + SPARQL (integration/query layer) | Graph-based CTI/asset-relationship model | SPARQL/graph queries
P07 | [92] | Not specified (semantic assertions + SWRL rules reported) | Hybrid (TBox/ABox-style knowledge + rules for directives) | Rule-based reasoning (SWRL); DL reasoning not specified
P08 | [88] | ArchiMate metamodel/conceptual modelling language (ontology-grounded redesign) | Event/causal and risk-treatment conceptual modelling patterns (EA-focused) | No explicit automated reasoning (computational support stated as future work)
P09 | [115] | OWL (Turtle/RDF serialization) + Description Logic | Taxonomic/hierarchical domain ontology | DL reasoning (in principle); tool-based reasoning not specified
P10 | [53] | OWL + SPARQL (Protégé; Pellet mentioned) | Hybrid (taxonomy + graph-based risk management links) | DL reasoning (Pellet) + SPARQL/graph queries
P11 | [79] | OWL (OWL-DL) | Taxonomic/hierarchical | DL reasoning
P12 | [54] | OWL (knowledge graph oriented) | Hybrid (taxonomy + graph) | SPARQL/graph query reasoning
P13 | [105] | OWL (OWL-DL) | Taxonomic/hierarchical | DL reasoning
P14 | [119] | OWL (OWL-DL) | Taxonomic/hierarchical (attack-centric) | DL reasoning
P15 | [89] | OWL + SPARQL | Taxonomic/compliance-oriented | SPARQL/graph query reasoning
P16 | [55] | OWL + SWRL | Event-/process-centric (risk propagation) | DL + rule-based reasoning
P17 | [41] | RDF(S) | Graph-based (knowledge graph) | Rule-based reasoning (custom rules); DL not specified
P18 | [56] | OWL + SPIN (SPARQL rules) | Hybrid (taxonomy + rules) | Rule-based reasoning (SPIN/SPARQL rules)
P19 | [120] | OWL (OWL-DL) | Event-/anomaly-centric (safety–security interdependency) | DL + rule-based reasoning
P20 | [80] | OWL (OWL-DL) | Modular/layered ontology (knowledge-graph-driven) | DL reasoning + SPARQL/graph query reasoning
P21 | [121] | OWL (OWL-DL) | Taxonomic/hierarchical (domain-specific) | DL reasoning
P22 | [42] | OWL (OWL-DL) | Modular/layered ontology | DL reasoning
P23 | [57] | OWL + SWRL | Event-/risk-centric (risk assessment) | DL + rule-based reasoning
P24 | [100] | OWL + SWRL | Hybrid (taxonomy + rules; requirements-centric) | DL + rule-based reasoning
P25 | [51] | OWL (OWL-DL) | Event-/risk-centric (risk identification) | DL reasoning
P26 | [40] | OWL (OWL-DL) | Taxonomic/hierarchical (document-centric) | DL reasoning
P27 | [50] | OWL (OWL-DL) | Hybrid (taxonomy + event/safety–security integration) | DL reasoning
P28 | [104] | OWL (OWL-DL) | Event-/causal-centric (impact propagation) | DL + rule-based reasoning
P29 | [99] | OWL (OWL-DL) | Taxonomic/hierarchical (requirements-centric) | DL reasoning
P30 | [108] | OWL + RDF(S) | Graph-based (exercise knowledge management) | DL reasoning + SPARQL/graph query reasoning
P31 | [76] | OWL (OWL-DL) | Graph-based (cyber threat intelligence) | DL reasoning + SPARQL/graph query reasoning
P32 | [46] | OWL (OWL-DL) | Taxonomic/hierarchical (policy-centric) | DL reasoning
P33 | [38] | OWL (OWL-DL) | Taxonomic/hierarchical (generic security concepts) | DL reasoning
P34 | [39] | OWL + RDF(S) | Graph-based (social engineering knowledge graph) | SPARQL/graph query reasoning
P35 | [63] | OWL (OWL-DL) | Hybrid (taxonomy + graph; vulnerability trend analysis) | DL reasoning + SPARQL/graph query reasoning
P36 | [74] | OWL + SWRL | Hybrid (taxonomy + rules; attack-centric) | DL + rule-based reasoning
P37 | [62] | OWL + RDF(S) | Graph-based (vulnerability knowledge graph) | SPARQL/graph query reasoning
P38 | [7] | OWL (OWL-DL) | Event-/system-centric (dynamic IT analysis) | DL reasoning + SPARQL/graph query reasoning
P39 | [39] | OWL + RDF(S) | Hybrid (taxonomy + graph; heterogeneous knowledge integration) | DL reasoning + SPARQL/graph query reasoning
P40 | [109] | RDF(S) + OWL | Event-/scenario-centric (cyber exercise modelling) | DL reasoning + SPARQL/graph query reasoning
P41 | [47] | OWL (OWL-DL) | Taxonomic/hierarchical (blockchain security processes) | DL reasoning
P42 | [60] | OWL (OWL-DL) | Hybrid (taxonomy + graph; vulnerability management) | DL reasoning + SPARQL/graph query reasoning
P43 | [77] | OWL + SWRL | Hybrid (taxonomy + rules; threat response) | DL + rule-based reasoning
P44 | [75] | OWL + SWRL | Hybrid (taxonomy + rules; penetration testing) | DL + rule-based reasoning
P45 | [103] | OWL (OWL-DL) | Hybrid (taxonomy + system-centric interoperability) | DL reasoning
P46 | [67] | OWL + RDF(S) | Graph-based (cybersecurity knowledge graph) | SPARQL/graph query reasoning
P47 | [36] | Not specified | Taxonomic/conceptual (NLP-oriented domain ontology) | Not specified
P48 | [49] | Not specified | Conceptual/risk-centric (defender-centric exposure modelling) | Not specified
P49 | [110] | OWL (OWL-DL) | Taxonomic/hierarchical (IoT security education) | DL reasoning
P50 | [44] | OWL (OWL-DL) | Event-/causal-centric (STAMP/STPA-Sec safety–security modelling) | DL reasoning
P51 | [73] | RDF(S) + OWL | Taxonomic/hierarchical (attack-centric) | DL reasoning
P52 | [72] | OWL (OWL-DL) | Modular/layered ontology (incident-centric) | DL reasoning
P53 | [34] | OWL (OWL-DL) | Hybrid (taxonomy + policy-centric rules) | DL reasoning
P54 | [83] | OWL (OWL-DL) | Taxonomic/hierarchical (standards-centric) | DL reasoning
P55 | [70] | OWL + RDF(S) | Graph-based (threat actor knowledge graph) | SPARQL/graph query reasoning
P56 | [35] | RDF(S) + OWL | Taxonomic/hierarchical (conceptual cybersecurity modelling) | DL reasoning
P57 | [82] | OWL (OWL-DL) | Taxonomic/hierarchical (legal–security compliance) | DL reasoning
P58 | [98] | OWL (OWL-DL) | Event-/scenario-centric (requirements elicitation) | DL reasoning
P59 | [21] | OWL (OWL-DL) | Hybrid (taxonomy + assessment process modelling) | DL reasoning
P60 | [64] | OWL + RDF(S) | Graph-based (cybersecurity knowledge graph) | DL reasoning + SPARQL/graph query reasoning
P61 | [112] | OWL-DL | Taxonomic/hierarchical | DL reasoning
P62 | [66] | OWL | Hybrid (taxonomy + operational processes) | DL reasoning
P63 | [61] | OWL | Taxonomic/conceptual | DL reasoning
P64 | [101] | OWL | Taxonomic/domain ontology | DL reasoning
P65 | [78] | OWL + rule-based extensions | Hybrid (taxonomy + rules) | DL + rule-based reasoning
P66 | [86] | OWL | Graph-based | DL reasoning
P67 | [111] | OWL | Taxonomic/hierarchical | DL reasoning
P68 | [48] | OWL | Hybrid (taxonomy + causal relations) | DL reasoning
P69 | [95] | OWL | Taxonomic/domain ontology | DL reasoning
P70 | [71] | RDF(S) + OWL | Graph-based (threat intelligence) | SPARQL/graph queries
P71 | [59] | OWL | Graph-based (software artefact tracing) | SPARQL/graph queries
P72 | [96] | OWL | Taxonomic/hierarchical | DL reasoning
P73 | [87] | OWL-DL | Taxonomic/standard-aligned | DL reasoning
P74 | [20] | OWL-DL | Taxonomic/unified reference ontology | DL reasoning
P75 | [102] | OWL | Hybrid (taxonomy + context-aware access control) | DL reasoning
P76 | [116] | OWL | Taxonomic/human factors model | DL reasoning
P77 | [114] | OWL | Taxonomic/reference ontology | DL reasoning
P78 | [94] | OWL | Taxonomic/information security management | DL reasoning
P79 | [45] | OWL | Hybrid (taxonomy + evidential reasoning model) | DL reasoning
P80 | [69] | OWL | Graph-based (risk intelligence patterns) | SPARQL/graph queries
P81 | [93] | OWL (OWL-DL) | Modular/layered ontology | DL reasoning
P82 | [118] | Conceptual/Modelling language (ontology-grounded) | Hybrid (taxonomy + graph) | No explicit automated reasoning
P83 | [65] | OWL + SWRL | Hybrid (taxonomy + rules) | DL + rule-based reasoning
P84 | [90] | OWL (OWL-DL) | Modular/layered ontology | DL reasoning
P85 | [117] | Conceptual/Modelling language (ontology-grounded) | Event-/process-centric | No explicit automated reasoning
P86 | [113] | OWL (OWL-DL) | Modular/layered ontology | No explicit automated reasoning
P87 | [68] | OWL + SPARQL/SPIN | Hybrid (taxonomy + rules) | SPARQL/graph query reasoning
P88 | [52] | Conceptual/Modelling language (ontology-grounded) | Conceptual/enterprise modelling | No explicit automated reasoning
P89 | [37] | OWL (OWL-DL) | Modular/layered ontology | DL reasoning
P90 | [84] | Conceptual/Modelling language (ontology-grounded) | Conceptual/enterprise modelling | No explicit automated reasoning
P91 | [97] | OWL (OWL-DL) | Hybrid (taxonomy + rules) | DL reasoning
P92 | [85] | OWL (OWL-DL) | Taxonomic/hierarchical | Not specified
P93 | [122] | OWL (OWL-DL) | Taxonomic/hierarchical | Not specified

Appendix D.1. Coding Scheme for Ontology Characterisation

This appendix documents the coding scheme used to characterise the reviewed cybersecurity ontology artefacts according to the three dimensions introduced in Section 4.3.2: representation formalism, modelling paradigm, and reasoning support. The coding scheme was defined a priori to ensure consistency, transparency, and replicability of the classification process.
For each dimension, a fixed and closed set of categories was established based on widely accepted concepts in the ontology-engineering literature [31,32]. During classification, each ontology was assigned exactly one category per dimension, corresponding to the most representative characteristic explicitly reported in the primary study or clearly identifiable from the published artefact. When a study did not specify sufficient information to support classification along a given dimension, the value Not specified was assigned.

Appendix D.1.1. Representation Formalism

This dimension captures the knowledge-representation language or logical formalism used to encode the ontology. The following categories were used:
  • OWL (OWL-DL): Ontologies explicitly implemented using the Web Ontology Language with Description Logic semantics.
  • OWL + SWRL: OWL ontologies extended with Semantic Web Rule Language rules to support rule-based inference.
  • OWL + SPARQL/SPIN: OWL ontologies combined with SPARQL-based querying or rule mechanisms (e.g., SPIN) for constraint checking or inference.
  • RDF(S): Ontologies represented primarily using RDF or RDFS without explicit Description Logic expressiveness.
  • Conceptual/modelling language (ontology-grounded): Conceptual or enterprise modelling languages that are ontology-inspired or ontology-aligned but do not provide formal logical semantics.
  • Not specified: Studies that did not clearly report the representation formalism used.

Appendix D.1.2. Modelling Paradigm

This dimension describes the conceptual structure adopted to organise cybersecurity knowledge, independently of the representation language. The following categories were used:
  • Taxonomic/hierarchical: Ontologies primarily organised as class hierarchies with subclass relationships.
  • Graph-based: Ontologies or knowledge graphs emphasising network-like relationships among entities, often supporting exploratory or query-driven analysis.
  • Hybrid (taxonomy + rules): Ontologies combining hierarchical structures with explicit rule-based constructs.
  • Hybrid (taxonomy + graph): Ontologies combining hierarchical classification with rich relational or graph-oriented modelling.
  • Event-/process-centric: Ontologies centred on events, processes, workflows, or temporal or causal relationships.
  • Modular/layered ontology: Ontologies explicitly structured into modules or layers addressing different abstraction levels or concerns.
  • Conceptual/enterprise modelling: High-level conceptual models often used in enterprise or architectural contexts, without strong formal semantics.

Appendix D.1.3. Reasoning Support

This dimension captures the type of automated reasoning that the ontology artefact supports in principle, based on its formalism and modelling choices. The following categories were used:
  • DL reasoning: Description Logic–based reasoning, such as subsumption, classification, or consistency checking.
  • Rule-based reasoning (SWRL): Reasoning enabled through SWRL rules.
  • SPARQL/graph query reasoning: Query-based reasoning using SPARQL over RDF or knowledge graph representations.
  • Rule-based reasoning (SPIN/SPARQL rules): Reasoning implemented using SPARQL-based rule frameworks or constraints.
  • DL + rule-based reasoning: Combined use of Description Logic reasoning and rule-based inference.
  • No explicit automated reasoning: Ontologies that provide conceptual structure but do not explicitly support automated reasoning.
  • Not specified: Studies that did not report or imply any form of automated reasoning support.
The coding scheme documented in this appendix underpins the detailed per-study classification presented in Appendix D (Table A2) and ensures that the characterisation of ontology artefacts is transparent, systematic, and reproducible.
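As an added illustration of the reasoning categories in Appendix D.1.3 (this is example code, not taken from the paper or from any reviewed ontology), the following Python script forward-chains over a constructed toy cybersecurity graph. It implements the subsumption fragment of DL classification (rdfs:subClassOf transitivity and type propagation), SWRL-style Horn rules, and a SPARQL-style basic graph pattern query, and shows why the distinction matters: the "threatens" and "protects" relations are never asserted, they only become queryable once a reasoner has run. The class names (Asset, Server, WebServer, Threat, Attack, SQLInjection), the properties (hasVulnerability, exploits, mitigates, threatens, protects, echoing the relation vocabulary of Table A1) and the individuals are assumptions chosen for the example.

```python
"""Added example: a minimal forward-chaining reasoner that illustrates the reasoning
categories of Appendix D.1.3 over a constructed toy cybersecurity ontology.
Class, property and individual names are assumptions for illustration only."""
from itertools import product

RDF_TYPE = "rdf:type"
SUBCLASS = "rdfs:subClassOf"

# TBox: a small taxonomy (assumed names, echoing the Asset/Threat/Attack vocabulary of Table A1).
TBOX = {
    ("Server", SUBCLASS, "Asset"),
    ("WebServer", SUBCLASS, "Server"),
    ("SQLInjection", SUBCLASS, "Attack"),
    ("Attack", SUBCLASS, "Threat"),
}
# ABox: constructed individuals; nothing here is taken from a reviewed ontology.
ABOX = {
    ("srv-01", RDF_TYPE, "WebServer"),
    ("srv-01", "hasVulnerability", "vuln-1"),
    ("sqli-1", RDF_TYPE, "SQLInjection"),
    ("sqli-1", "exploits", "vuln-1"),
    ("waf-1", "mitigates", "vuln-1"),
}
# SWRL-style Horn rules: list of body atoms -> one head atom; "?x" terms are variables.
RULES = [
    # Threat(?t) ^ exploits(?t, ?v) ^ hasVulnerability(?a, ?v) -> threatens(?t, ?a)
    ([("?t", RDF_TYPE, "Threat"), ("?t", "exploits", "?v"), ("?a", "hasVulnerability", "?v")],
     ("?t", "threatens", "?a")),
    # mitigates(?c, ?v) ^ hasVulnerability(?a, ?v) -> protects(?c, ?a)
    ([("?c", "mitigates", "?v"), ("?a", "hasVulnerability", "?v")],
     ("?c", "protects", "?a")),
]


def is_var(term):
    return term.startswith("?")


def match(pattern, triple, binding):
    """Unify one triple pattern with a concrete triple; return the extended binding or None."""
    b = dict(binding)
    for p, t in zip(pattern, triple):
        if is_var(p):
            if b.get(p, t) != t:
                return None
            b[p] = t
        elif p != t:
            return None
    return b


def query(triples, patterns):
    """SPARQL-style basic graph pattern: every binding that satisfies all patterns (a join)."""
    bindings = [{}]
    for pat in patterns:
        bindings = [nb for b in bindings for tr in triples
                    if (nb := match(pat, tr, b)) is not None]
    return bindings


def saturate(triples, rules=RULES):
    """Forward-chain to a fixpoint: rdfs:subClassOf transitivity and type propagation
    (the subsumption fragment of DL classification) plus the Horn rules above."""
    facts = set(triples)
    while True:
        new = set()
        subclass = [t for t in facts if t[1] == SUBCLASS]
        for (c1, _, c2), (c3, _, c4) in product(subclass, repeat=2):
            if c2 == c3:
                new.add((c1, SUBCLASS, c4))
        for ind, _, cls in [t for t in facts if t[1] == RDF_TYPE]:
            for sub, _, sup in subclass:
                if sub == cls:
                    new.add((ind, RDF_TYPE, sup))
        for body, head in rules:
            for b in query(facts, body):
                new.add(tuple(b.get(term, term) for term in head))
        new -= facts
        if not new:
            return facts
        facts |= new


def threatened_assets(facts):
    """Query the saturated graph: (threat, asset) pairs where the asset is typed as Asset."""
    pairs = query(facts, [("?t", "threatens", "?a"), ("?a", RDF_TYPE, "Asset")])
    return sorted({(b["?t"], b["?a"]) for b in pairs})


if __name__ == "__main__":
    raw = TBOX | ABOX
    print("before reasoning:", threatened_assets(raw))            # []
    print("after reasoning: ", threatened_assets(saturate(raw)))  # [('sqli-1', 'srv-01')]
```

A production OWL-DL reasoner such as Pellet or HermiT does considerably more than this (consistency checking, disjointness, cardinality and property characteristics), and SPIN or SHACL-based rule engines express the same Horn rules as SPARQL CONSTRUCT or INSERT patterns; the script only reproduces the part of that machinery needed to show the difference between an artefact that merely stores a taxonomy and one whose reasoning support makes derived security relations available to a query.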

Appendix E. PRISMA Checklist

Table A3. PRISMA 2020 Checklist.
Section and Topic | Item | Checklist Item | Location Where Item Is Reported
TITLE
Title | 1 | Identify the report as a systematic review. | Title and Abstract
ABSTRACT
Abstract | 2 | See the PRISMA 2020 for Abstracts Checklist. | Abstract
INTRODUCTION
Rationale | 3 | Describe the rationale for the review in the context of existing knowledge. | Introduction—Background and Motivation
Objectives | 4 | Provide an explicit statement of the objective(s) or question(s) the review addresses. | Introduction—Objectives and Research Questions
METHODS
Eligibility criteria | 5 | Specify the inclusion and exclusion criteria for the review and how studies were grouped for the syntheses. | Methods—Eligibility Criteria
Information sources | 6 | Specify all databases, registers, websites, organisations, reference lists and other sources searched or consulted to identify studies. Specify the date when each source was last searched or consulted. | Methods—Information Sources
Search strategy | 7 | Present the full search strategies for all databases, registers and websites, including any filters and limits used. | Methods—Search Strategy
Selection process | 8 | Specify the methods used to decide whether a study met the inclusion criteria of the review, including how many reviewers screened each record and each report retrieved, whether they worked independently, and if applicable, details of automation tools used in the process. | Methods—Study Selection
Data collection process | 9 | Specify the methods used to collect data from reports, including how many reviewers collected data from each report, whether they worked independently, any processes for obtaining or confirming data from study investigators, and if applicable, details of automation tools used in the process. | Methods—Data Extraction
Data items | 10a | List and define all outcomes for which data were sought. Specify whether all results that were compatible with each outcome domain in each study were sought (e.g., for all measures, time points, analyses), and if not, the methods used to decide which results to collect. | Methods—Data Items
 | 10b | List and define all other variables for which data were sought (e.g., participant and intervention characteristics, funding sources). Describe any assumptions made about any missing or unclear information. | Methods—Data Items
Study risk of bias assessment | 11 | Specify the methods used to assess risk of bias in the included studies, including details of the tool(s) used, how many reviewers assessed each study and whether they worked independently, and if applicable, details of automation tools used in the process. | Methods—Quality Assessment
Effect measures | 12 | Specify for each outcome the effect measure(s) (e.g., risk ratio, mean difference) used in the synthesis or presentation of results. | Methods—Data Synthesis
Synthesis methods | 13a | Describe the processes used to decide which studies were eligible for each synthesis (e.g., tabulating the study intervention characteristics and comparing against the planned groups for each synthesis (item #5)). | Methods—Data Synthesis
 | 13b | Describe any methods required to prepare the data for presentation or synthesis, such as handling of missing summary statistics, or data conversions. | Methods—Data Synthesis
 | 13c | Describe any methods used to tabulate or visually display results of individual studies and syntheses. | Results—Tables and Figures
 | 13d | Describe any methods used to synthesize results and provide a rationale for the choice(s). If meta-analysis was performed, describe the model(s), method(s) to identify the presence and extent of statistical heterogeneity, and software package(s) used. | Methods—Data Synthesis
 | 13e | Describe any methods used to explore possible causes of heterogeneity among study results (e.g., subgroup analysis, meta-regression). | Methods—Subgroup Analysis
 | 13f | Describe any sensitivity analyses conducted to assess robustness of the synthesized results. | Methods—Sensitivity Analysis
Reporting bias assessment | 14 | Describe any methods used to assess risk of bias due to missing results in a synthesis (arising from reporting biases). | Methods—Limitations
Certainty assessment | 15 | Describe any methods used to assess certainty (or confidence) in the body of evidence for an outcome. | Discussion—Strength of Evidence
RESULTS
Study selection | 16a | Describe the results of the search and selection process, from the number of records identified in the search to the number of studies included in the review, ideally using a flow diagram. | Results—Study Selection
 | 16b | Cite studies that might appear to meet the inclusion criteria, but which were excluded, and explain why they were excluded. | Results—Exclusion Criteria
Study characteristics | 17 | Cite each included study and present its characteristics. | Results—Study Characteristics
Risk of bias in studies | 18 | Present assessments of risk of bias for each included study. | Results—Quality Assessment
Results of individual studies | 19 | For all outcomes, present, for each study: (a) summary statistics for each group (where appropriate) and (b) an effect estimate and its precision (e.g., confidence/credible interval), ideally using structured tables or plots. | Results—Thematic Results
Results of syntheses | 20a | For each synthesis, briefly summarise the characteristics and risk of bias among contributing studies. | Results—Synthesis
 | 20b | Present results of all statistical syntheses conducted. If meta-analysis was done, present for each the summary estimate and its precision (e.g., confidence/credible interval) and measures of statistical heterogeneity. If comparing groups, describe the direction of the effect. | Results—Quantitative Summary
 | 20c | Present results of all investigations of possible causes of heterogeneity among study results. | Results—Subgroup Analysis
 | 20d | Present results of all sensitivity analyses conducted to assess the robustness of the synthesized results. | Results—Sensitivity Analysis
Reporting biases | 21 | Present assessments of risk of bias due to missing results (arising from reporting biases) for each synthesis assessed. | Results—Bias Assessment
Certainty of evidence | 22 | Present assessments of certainty (or confidence) in the body of evidence for each outcome assessed. | Discussion—Evidence Strength
DISCUSSION
Discussion | 23a | Provide a general interpretation of the results in the context of other evidence. | Discussion
 | 23b | Discuss any limitations of the evidence included in the review. | Discussion—Limitations
 | 23c | Discuss any limitations of the review processes used. | Discussion—Limitations
 | 23d | Discuss implications of the results for practice, policy, and future research. | Discussion—Implications and Future Work
OTHER INFORMATION
Registration and protocol | 24a | Provide registration information for the review, including register name and registration number, or state that the review was not registered. | Methods—Protocol and Registration
 | 24b | Indicate where the review protocol can be accessed, or state that a protocol was not prepared. | Methods—Protocol and Registration
 | 24c | Describe and explain any amendments to information provided at registration or in the protocol. | Not applicable (no amendments)
Support | 25 | Describe sources of financial or non-financial support for the review, and the role of the funders or sponsors in the review. | Funding Statement
Competing interests | 26 | Declare any competing interests of review authors. | Conflicts of Interest statement (none declared)
Availability of data, code and other materials | 27 | Report which of the following are publicly available and where they can be found: template data collection forms; data extracted from included studies; data used for all analyses; analytic code; any other materials used in the review. | Data Availability Statement

References

  1. Admass, W.S.; Munaye, Y.Y.; Diro, A.A. Cyber security: State of the art, challenges and future directions. Cyber Secur. Appl. 2024, 2, 100031.
  2. Georgescu, T.; Smeureanu, I. Using Ontologies in Cybersecurity Field. Inform. Econ. 2017, 21, 5–15.
  3. Rantos, K.; Spyros, A.; Papanikolaou, A.; Kritsas, A.; Ilioudis, C.; Katos, V. Interoperability Challenges in the Cybersecurity Information Sharing Ecosystem. Computers 2020, 9, 18.
  4. Välja, M.; Heiding, F.; Franke, U.; Robert, L. Automating threat modeling using an ontology framework. Cybersecurity 2020, 3, 19.
  5. Velasco, D.; Rodriguez, G. Ontologies for Network Security and Future Challenges. arXiv 2017, arXiv:1704.02441.
  6. Joque, J.; Haque, S.M.T. Deconstructing Cybersecurity: From Ontological Security to Ontological Insecurity. In Proceedings of the New Security Paradigms Workshop 2020, New York, NY, USA, 26–29 October 2021; pp. 99–110.
  7. Pastuszuk, J.; Burek, P.; Ksiezopolski, B. Cybersecurity Ontology for Dynamic Analysis of IT Systems. Procedia Comput. Sci. 2021, 192, 1011–1020.
  8. Li, H.; Shi, Z.; Pan, C.; Zhao, D.; Sun, N. Cybersecurity knowledge graphs construction and quality assessment. Complex Intell. Syst. 2023, 10, 1201–1217.
  9. Zhao, C.; De Maria, R.; Kumarage, T.; Chaudhary, K.S.; Agrawal, G.; Li, Y.; Park, J.; Chen, Y.C.; Deng, Y.; Liu, H. CyberBOT: Ontology-Grounded Retrieval Augmented Generation for Reliable Cybersecurity Education. In Proceedings of the 34th ACM International Conference on Information and Knowledge Management, New York, NY, USA, 10–14 November 2025; pp. 6752–6756.
  10. Preuveneers, D.; Joosen, W. An Ontology-Based Cybersecurity Framework for AI-Enabled Systems and Applications. Future Internet 2024, 16, 69.
  11. Falconer, S. From Ontologies to Agents: The Semantic Web's Quiet Rebirth. 2024. Available online: https://seanfalconer.medium.com/from-ontologies-to-agents-the-semantic-webs-quiet-rebirth-dc109199b608 (accessed on 15 January 2025).
  12. Rivadeneira, W.F.B.; Gómez, O.S. Cybersecurity ontologies: A systematic literature review. ReCIBE Rev. Electrón. Comput. Inform. Bioméd. Electrón. 2020, 9, 1–18.
  13. de Franco Rosa, F.; Jino, M. A Survey of Security Assessment Ontologies. In Recent Advances in Information Systems and Technologies; Springer International Publishing: Berlin/Heidelberg, Germany, 2017; pp. 166–173.
  14. Souag, A.; Salinesi, C.; Wattiau, I. Ontologies for Security Requirements: A Literature Survey and Classification. In Proceedings of the International Conference on Advanced Information Systems Engineering, Gdansk, Poland, 25–29 June 2012; Springer: Berlin/Heidelberg, Germany, 2012; pp. 61–69.
  15. Blanco, C.; Lasheras, J.; Valencia-García, R.; Fernández-Medina, E.; Toval, A.; Piattini, M. A Systematic Review and Comparison of Security Ontologies. In Proceedings of the 2008 Third International Conference on Availability, Reliability and Security, Barcelona, Spain, 4–7 March 2008; pp. 813–820.
  16. Adach, M.; Hänninen, K.; Lundqvist, K. Security Ontologies: A Systematic Literature Review. In Proceedings of the International Conference on Enterprise Design, Operations, and Computing, Bozen-Bolzano, Italy, 3–7 October 2022; Springer: Berlin/Heidelberg, Germany, 2022; Volume 10, pp. 36–53.
  17. Franco Martins Souza, B.; Gil, L.; Reyes Román, J.; Panach, I.; Pastor, O.; Hadad, M.; Rochwerger, B. A framework for conceptual characterization of ontologies and its application in the cybersecurity domain. Softw. Syst. Model. 2022, 21, 1437–1464.
  18. De Colle, G. Towards a Foundational Ontology of Cybersecurity. In Proceedings of the European Semantic Web Conference, Hersonissos, Crete, Greece, 26–30 May 2024; University at Buffalo: Buffalo, NY, USA, 2024.
  19. Guizzardi, G.; Botti Benevides, A.; Fonseca, C.M.; Porello, D.; Almeida, J.a.P.A.; Prince Sales, T.; Borgo, S.; Galton, A.; Kutz, O. UFO: Unified Foundational Ontology. Appl. Ontol. 2022, 17, 167–210.
  20. Syed, Z.; Padia, A.; Finin, T.; Mathews, L.; Joshi, A. UCO: A unified cybersecurity ontology. In Proceedings of the Workshops at the Thirtieth AAAI Conference on Artificial Intelligence, Phoenix, AZ, USA, 12 February 2016.
  21. de Franco Rosa, F.; Jino, M.; Bonacin, R. Towards an Ontology of Security Assessment: A Core Model Proposal. In Information Technology—New Generations; Springer International Publishing: Berlin/Heidelberg, Germany, 2018; pp. 75–80.
  22. Kitchenham, B.; Charters, S. Guidelines for Performing Systematic Literature Reviews in Software Engineering; Technical Report EBSE-2007-01, Version 2.3; EBSE, School of Computer Science and Mathematics, Keele University: Keele, UK, 2007.
  23. Webster, J.; Watson, R.T. Analyzing the Past to Prepare for the Future: Writing a Literature Review. MIS Q. 2002, 26, xiii–xxiii.
  24. Kitchenham, B.; Pretorius, R.; Budgen, D.; Pearl Brereton, O.; Turner, M.; Niazi, M.; Linkman, S. Systematic Literature Reviews in Software Engineering—A Tertiary Study. Inf. Softw. Technol. 2010, 52, 792–805.
  25. Page, M.J.; McKenzie, J.E.; Bossuyt, P.M.; Boutron, I.; Hoffmann, T.C.; Mulrow, C.D.; Shamseer, L.; Tetzlaff, J.M.; Akl, E.A.; Brennan, S.E.; et al. The PRISMA 2020 statement: An updated guideline for reporting systematic reviews. BMJ 2021, 372, n71.
  26. Long, L. Routine piloting in systematic reviews—A modified approach? Syst. Rev. 2014, 3, 77.
  27. Gacitúa, R.; Astudillo, H.; Hitpass, B.; Osorio-Sanabria, M.A.; Taramasco, C. Recent Models for Collaborative E-Government Processes: A Survey. IEEE Access 2021, 9, 19602–19618.
  28. Landis, J.; Koch, G. The measurement of observer agreement for categorical data. Biometrics 1977, 33, 159–174.
  29. Wieringa, R.; Maiden, N.; Mead, N.; Rolland, C. Requirements engineering paper classification and evaluation criteria: A proposal and a discussion. Requir. Eng. 2005, 11, 102–107.
  30. Petticrew, M.; Song, P.; Wilson, P.; Wright, K. Quality-assessed reviews of health care interventions and the Database of Abstracts of Reviews of Effectiveness (DARE). Int. J. Technol. Assess. Health Care 1999, 15, 671–678.
  31. Gómez-Pérez, A.; Fernández-López, M.; Corcho, O. Ontological Engineering: With Examples from the Areas of Knowledge Management, e-Commerce and the Semantic Web (Advanced Information and Knowledge Processing); Springer: Berlin/Heidelberg, Germany, 2007.
  32. Corcho, O.; Fernández-López, M.; Gómez-Pérez, A. Ontological engineering: Principles, methods, tools and languages. Knowl. Eng. Rev. 2007, 22, 131–197.
  33. Eliot, D. NIST Cybersecurity Framework 2.0: Small Business Quick-Start Guide; NIST SP 1300, Special Publication; National Institute of Standards and Technology: Gaithersburg, MD, USA, 2024.
  34. Li, J.; Zhang, B. An ontology-based approach to improve access policy administration of attribute-based access control. Int. J. Inf. Comput. Secur. 2019, 11, 391–412. [Google Scholar] [CrossRef]
  35. Sikos, L.F. OWL Ontologies in Cybersecurity: Conceptual Modeling of Cyber-Knowledge. In Intelligent Systems Reference Library; Springer International Publishing: Berlin/Heidelberg, Germany, 2018; pp. 1–17. [Google Scholar] [CrossRef]
  36. Georgescu, T.M. Natural Language Processing Model for Automatic Analysis of Cybersecurity-Related Documents. Symmetry 2020, 12, 354. [Google Scholar] [CrossRef]
  37. Kotenko, I.; Polubelova, O.; Saenko, I. The Ontological Approach for SIEM Data Repository Implementation. In Proceedings of the 2012 IEEE International Conference on Green Computing and Communications, Besancon, France, 20–23 November 2012. [Google Scholar] [CrossRef]
  38. Meriah, I.; Rabai, L.B.A.; Khedri, R. Towards an Automatic Approach to the Design of A Generic Ontology for Information Security. In Proceedings of the 2021 Reconciling Data Analytics, Automation, Privacy, and Security: A Big Data Challenge (RDAAPS), Hamilton, ON, Canada, 18–19 May 2021. [Google Scholar] [CrossRef]
  39. Wang, Z.; Zhu, H.; Liu, P.; Sun, L. Social engineering in cybersecurity: A domain ontology and knowledge graph application examples. Cybersecurity 2021, 4, 31. [Google Scholar] [CrossRef]
  40. Ramanauskaitė, S.; Shein, A.; Čenys, A.; Rastenis, J. Security Ontology Structure for Formalization of Security Document Knowledge. Electronics 2022, 11, 1103. [Google Scholar] [CrossRef]
  41. Pandey, R.P.; Jebaraj, S. Construction of Ontology Graphs in a Cyber Security Framework (OCSF). In Proceedings of the International Conference on Contemporary Computing and Informatics, IC3I 2023, Gautam Buddha Nagar, India, 14–16 September 2023; pp. 1885–1889. [Google Scholar] [CrossRef]
  42. Akbar, K.A.; Rahman, F.I.; Singhal, A.; Khan, L.; Thuraisingham, B. The Design and Application of a Unified Ontology for Cyber Security. Lect. Notes Comput. Sci. 2023, 14424, 23–41. [Google Scholar] [CrossRef]
  43. Meriah, I.; Ben Arfa Rabai, L.; Khedri, R. Building a comprehensive and multi-dimensional information security ontology: Elicitation process and OWL implementation. Knowl. Inf. Syst. 2025, 67, 167–195. [Google Scholar] [CrossRef]
  44. Pereira, D.P.; Hirata, C.; Nadjm-Tehrani, S. A STAMP-based ontology approach to support safety and security analyses. J. Inf. Secur. Appl. 2019, 47, 302–319. [Google Scholar] [CrossRef]
  45. Solic, K.; Ocevcic, H.; Golub, M. The information systems’ security level assessment model based on an ontology and evidential reasoning approach. Comput. Secur. 2015, 55, 100–112. [Google Scholar] [CrossRef]
  46. Mandal, D.; Mazumdar, C. Towards an Ontology for Enterprise Level Information Security Policy Analysis. In Proceedings of the 7th International Conference on Information Systems Security and Privacy, Online, 11–13 February 2021; SciTePress—Science and Technology Publications: Setúbal, Portugal, 2021. [Google Scholar] [CrossRef]
  47. Iqbal, M.; Matulevičius, R. Corda Security Ontology: Example of Post-Trade Matching and Confirmation. Balt. J. Mod. Comput. 2020, 8, 638–674. [Google Scholar] [CrossRef]
  48. Babiceanu, R.F.; Seker, R. Cybersecurity and Resilience Modelling for Software-Defined Networks-Based Manufacturing Applications. In Studies in Computational Intelligence; Springer International Publishing: Berlin/Heidelberg, Germany, 2017; pp. 167–176. [Google Scholar] [CrossRef]
  49. Aouad, L.; Asghar, M. Defender-centric Conceptual Cyber Exposure Ontology for Adaptive Cyber Risk Assessment. In Proceedings of the 17th International Joint Conference on e-Business and Telecommunications, Online, 8–10 July 2020; SciTePress—Science and Technology Publications: Setúbal, Portugal, 2020. [Google Scholar] [CrossRef]
  50. Alanen, J.; Linnosmaa, J.; Malm, T.; Papakonstantinou, N.; Ahonen, T.; Heikkilä, E.; Tiusanen, R. Hybrid ontology for safety, security, and dependability risk assessments and Security Threat Analysis (STA) method for industrial control systems. Reliab. Eng. Syst. Saf. 2022, 220, 108270. [Google Scholar] [CrossRef]
  51. Shaked, A.; Margalit, O. OnToRisk—A formal ontology approach to automate cyber security risk identification. In Proceedings of the 2022 17th Annual System of Systems Engineering Conference (SOSE), Rochester, NY, USA, 7–11 June 2022. [Google Scholar] [CrossRef]
  52. Kiesling, E.; Strauss, C.; Stummer, C. A Multi-objective Decision Support Framework for Simulation-Based Security Control Selection. In Proceedings of the 2012 Seventh International Conference on Availability, Reliability and Security, Prague, Czech Republic, 20–24 August 2012. [Google Scholar] [CrossRef]
  53. Iqbal, M.; Kormiltsyn, A.; Dwivedi, V.; Matulevičius, R. Blockchain-based ontology driven reference framework for security risk management. Data Knowl. Eng. 2023, 149, 102257. [Google Scholar] [CrossRef]
  54. Chen, J.; Lu, Y.; Zhang, Y.; Huang, F.; Qin, J. A management knowledge graph approach for critical infrastructure protection: Ontology design, information extraction and relation prediction. Int. J. Crit. Infrastruct. Prot. 2023, 43, 100634. [Google Scholar] [CrossRef]
  55. Engelberg, G.; Fumagalli, M.; Kuboszek, A.; Klein, D.; Soffer, P.; Guizzardi, G. An Ontology-Driven Approach for Process-Aware Risk Propagation. In Proceedings of the ACM Symposium on Applied Computing, Tallinn, Estonia, 27–31 March 2023; pp. 1742–1745. [Google Scholar] [CrossRef]
  56. Sánchez-Zas, C.; Villagrá, V.A.; Vega-Barbas, M.; Larriva-Novo, X.; Moreno, J.I.; Berrocal, J. Ontology-based approach to real-time risk management and cyber-situational awareness. Future Gener. Comput. Syst. 2023, 141, 462–472. [Google Scholar] [CrossRef]
  57. Maunero, N.; De Rosa, F.; Prinetto, P. Towards Cybersecurity Risk Assessment Automation: An Ontological Approach. In Proceedings of the 2023 IEEE International Conference on Dependable, Autonomic and Secure Computing (DASC), Abu Dhabi, United Arab Emirates, 13–17 November 2023; pp. 628–635. [Google Scholar] [CrossRef]
  58. Mbaye, B.; Mejri, M.; Saha Fobougong, P. A Proposal for an Ontology to Enhance IT Architecture Resilience. In Proceedings of the 2025 IEEE International Conference on Cyber Security and Resilience (CSR), Chania, Crete, Greece, 4–6 August 2025; pp. 510–517. [Google Scholar] [CrossRef]
  59. Alqahtani, S.S.; Eghan, E.E.; Rilling, J. Tracing known security vulnerabilities in software repositories—A Semantic Web enabled modeling approach. Sci. Comput. Program. 2016, 121, 153–175. [Google Scholar] [CrossRef]
  60. Syed, R. Cybersecurity vulnerability management: A conceptual ontology and cyber intelligence alert system. Inf. Manag. 2020, 57, 103334. [Google Scholar] [CrossRef]
  61. Syed, R.; Zhong, H. Cybersecurity vulnerability management: An ontology-based conceptual model. In Proceedings of the Twenty-Fourth Americas Conference on Information Systems (AMCIS), New Orleans, LA, USA, 16–18 August 2018. [Google Scholar]
  62. Li, Y.; Guo, Y.; Hao, Y.; Wang, Y.; Yin, A.; Liu, Y. Intelligent Answer System Based on Vulnerability Knowledge Graph. In Proceedings of the 2021 7th International Conference on Computer and Communications (ICCC), Chengdu, China, 10–13 December 2021. [Google Scholar] [CrossRef]
  63. Bandi, C.; Salehi, S.; Hassan, R.; P D, S.M.; Homayoun, H.; Rafatirad, S. Ontology-Driven Framework for Trend Analysis of Vulnerabilities and Impacts in IoT Hardware. In Proceedings of the 2021 IEEE 15th International Conference on Semantic Computing (ICSC), Laguna Hills, CA, USA, 27–29 January 2021. [Google Scholar] [CrossRef]
  64. Jia, Y.; Yulu, Q.; Shang, H.; Jiang, R.; Li, A. A Practical Approach to Constructing a Knowledge Graph for Cybersecurity. Engineering 2018, 4, 53–60. [Google Scholar] [CrossRef]
  65. Razzaq, A.; Anwar, Z.; Ahmad, H.F.; Latif, K.; Munir, F. Ontology for attack detection: An intelligent approach to web application security. Comput. Secur. 2014, 45, 124–146. [Google Scholar] [CrossRef]
  66. Onwubiko, C. CoCoa: An Ontology for Cybersecurity Operations Centre Analysis Process. In Proceedings of the 2018 International Conference On Cyber Situational Awareness, Data Analytics And Assessment (Cyber SA), Glasgow, UK, 11–12 June 2018. [Google Scholar] [CrossRef]
  67. Li, K.; Zhou, H.; Tu, Z.; Feng, B. CSKB: A Cyber Security Knowledge Base Based on Knowledge Graph. In Security and Privacy in Digital Economy; Springer: Singapore, 2020; pp. 100–113. [Google Scholar] [CrossRef]
  68. Garg, S.; Chauhan, R.; Goudar, R.; Kandpal, A.; Joshi, K.; Garg, A. Ontology and Specification-Based Intrusion Detection and Prevention System. In Proceedings of the Confluence 2013: The Next Generation Information Technology Summit (4th International Conference), Institution of Engineering and Technology, Uttar Pradesh, India, 26–27 September 2013. [Google Scholar] [CrossRef]
  69. Sarala, R.; Vijayalakshmi, V.; Zayaraz, G.; Priyanka, E. Risk intelligence retrieval based on ontology. In Proceedings of the 2014 IEEE International Conference on Computational Intelligence and Computing Research, Coimbatore, Tamil Nadu, India, 18–20 December 2014. [Google Scholar] [CrossRef]
  70. Hooi, E.K.J.; Zainal, A.; Maarof, M.A.; Kassim, M.N. TAGraph: Knowledge Graph of Threat Actor. In Proceedings of the 2019 International Conference on Cybersecurity (ICoCSec), Nilai, Negeri Sembilan, Malaysia, 25–26 September 2019. [Google Scholar]
  71. Falk, C. An ontology for threat intelligence. In Proceedings of the European Conference on Cyber Warfare and Security (ECCWS 2016), Munich, Germany, 7–8 July 2016; Academic Conferences and Publishing International Limited: Munich, Germany, 2016; p. 111. [Google Scholar]
  72. Faria, M.R.; de Figueiredo, G.B.; de Faria Cordeiro, K.; Cavalcanti, M.C.; Campos, M.L.M. Applying Multi-Level Theory to an Information Security Incident Domain Ontology. In Proceedings of the ONTOBRAS, Porto Alegre, Brazil, 2–5 September 2019; Almeida, J.P.A., Bax, M., Berardi, R., Baião, F., Eds.; CEUR Workshop Proceedings; CEUR-WS.org: Aix-en-Provence, France, 2019; Volume 2519. [Google Scholar]
  73. Zamfira, A.; Fat, R.; Cenan, C. Applying Semantic Web Technologies to Discover an Ontology of Computer Attacks. Scalable Comput. Pract. Exp. 2019, 20, 699–707. [Google Scholar] [CrossRef]
  74. Yeboah-Ofori, A.; Ismail, U.M.; Swidurski, T.; Opoku-Boateng, F. Cyberattack Ontology: A Knowledge Representation for Cyber Supply Chain Security. In Proceedings of the 2021 International Conference on Computing, Computational Modelling and Applications (ICCMA), Brest, France, 14–16 July 2021. [Google Scholar] [CrossRef]
  75. Chu, G.; Lisitsa, A. Ontology-based Automation of Penetration Testing. In Proceedings of the 6th International Conference on Information Systems Security and Privacy (ICISSP 2020), Valletta, Malta, 25–27 February 2020; SciTePress—Science and Technology Publications: Valletta, Malta, 2020. [Google Scholar] [CrossRef]
  76. Merah, Y.; Kenaza, T. Proactive Ontology-based Cyber Threat Intelligence Analytic. In Proceedings of the 2021 International Conference on Recent Advances in Mathematics and Informatics (ICRAMI), Tebessa, Algeria, 21–22 September 2021. [Google Scholar] [CrossRef]
  77. Kalinin, N. Towards ontology-based cyber threat response. In Proceedings of the Data Analytics and Management in Data Intensive Domains, Voronezh, Russia, 13–16 October 2020; pp. 217–220. [Google Scholar]
  78. Xu, G.; Cao, Y.; Ren, Y.; Li, X.; Feng, Z. Network Security Situation Awareness Based on Semantic Ontology and User-Defined Rules for Internet of Things. IEEE Access 2017, 5, 21046–21056. [Google Scholar] [CrossRef]
  79. Tummazeh, D.A.D.; Harb, M.E.; Sholi, Y.M.; Awad, A.; Hawash, A. Ontological-based Intrusion Detection System (IDS): A Comparative Study. In Proceedings of the 2023 International Conference on Innovation and Intelligence for Informatics, Computing, and Technologies (3ICT), Sakheer, Bahrain, 20–21 November 2023. [Google Scholar] [CrossRef]
  80. Wang, Y.; Zhao, B.; Li, W.; Zhu, L. An Ontology-Centric Approach for Network Security Situation Awareness. In Proceedings of the International Computer Software and Applications Conference, Seoul, Republic of Korea, 3–7 July 2023; pp. 777–787. [Google Scholar] [CrossRef]
  81. Almoabady, T.A.; Alblawi, Y.M.; Albalawi, A.E.; Aborokbah, M.M.; Manimurugan, S.; Aljuhani, A.; Aldawood, H.; Karthikeyan, P. Protecting digital assets using an ontology based cyber situational awareness system. Front. Artif. Intell. 2024, 7, 1394363. [Google Scholar] [CrossRef]
  82. Geko, M.; Tjoa, S. An Ontology Capturing the Interdependence of the General Data Protection Regulation (GDPR) and Information Security. In Proceedings of the ACM Central European Cybersecurity Conference 2018, Ljubljana, Slovenia, 15–16 November 2018. [Google Scholar] [CrossRef]
  83. Casola, V.; Catelli, R.; De Benedictis, A. A First Step Towards an ISO-Based Information Security Domain Ontology. In Proceedings of the 2019 IEEE 28th International Conference on Enabling Technologies: Infrastructure for Collaborative Enterprises (WETICE), Utrecht, The Netherlands, 10–12 July 2019. [Google Scholar] [CrossRef]
  84. Dieguez, M.; Sepulveda, S.; Cares, C. On Optimizing the Path to Information Security Compliance. In Proceedings of the 2012 Eighth International Conference on the Quality of Information and Communications Technology, Lisbon, Portugal, 3–6 September 2012. [Google Scholar] [CrossRef]
  85. Pereira, T.S.M.; Santos, H.M.D. An Ontology Approach in Designing Security Information Systems to Support Organizational Security Risk Knowledge. In Proceedings of the International Conference on Knowledge Engineering and Ontology Development, Barcelona, Spain, 4–7 October 2012; SciTePress—Science and Technology Publications: Setúbal, Portugal, 2012. [Google Scholar] [CrossRef]
  86. Alqahtani, S.S.; Rilling, J. An Ontology-Based Approach to Automate Tagging of Software Artifacts. In Proceedings of the 2017 ACM/IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM), Toronto, ON, Canada, 9–10 November 2017. [Google Scholar] [CrossRef]
  87. Agrawal, V. Towards the Ontology of ISO/IEC 27005: 2011 Risk Management Standard. In Proceedings of the HAISA, Frankfurt, Germany, 19–21 July 2016; pp. 101–111. [Google Scholar]
  88. Oliveira, I.; Sales, T.P.; Almeida, J.P.A.; Baratella, R.; Fumagalli, M.; Guizzardi, G. Ontology-based security modeling in ArchiMate. Softw. Syst. Model. 2024, 23, 925–952. [Google Scholar] [CrossRef]
  89. Bella, G.; Castiglione, G.; Santamaria, D.F. An Ontological Approach to Compliance Verification of the NIS 2 Directive. In Proceedings of the CEUR Workshop Proceedings, Sherbrooke, QC, Canada, 19–20 July 2023; Volume 3637. [Google Scholar]
  90. van Vuuren, J.J.; Leenen, L.; Zaaiman, J. Using an ontology as a model for the implementation of the national cybersecurity policy framework for South Africa. In Proceedings of the 9th International Conference on Cyber Warfare and Security (ICCWS 2014), West Lafayette, IN, USA, 24–25 March 2014; pp. 107–115. [Google Scholar]
  91. Castiglione, G.; Santamaria, D.F.; Bella, G.; Brisindi, L.; Puccia, G. Guiding cybersecurity compliance: An ontology for the NIS 2 directive. Comput. Secur. 2025, 157, 104617. [Google Scholar] [CrossRef]
  92. Castiglione, G.; Bella, G.; Santamaria, D.F. SecOnto: Ontological Representation of Security Directives. Comput. Secur. 2025, 148, 104150. [Google Scholar] [CrossRef]
  93. Takahashi, T.; Kadobayashi, Y. Reference Ontology for Cybersecurity Operational Information. Comput. J. 2014, 58, 2297–2312. [Google Scholar] [CrossRef]
  94. Mattos, M.M.; Heckmann, J.R.; da Silva, P.F. An Ontology to the Information Security Management. In Proceedings of the 2015 Ninth International Conference on Complex, Intelligent, and Software Intensive Systems, Blumenau, Santa Catarina, Brazil, 8–10 July 2015; pp. 326–329. [Google Scholar] [CrossRef]
  95. Boualem, S.A.; Berrani, M.; Nibouche, F. Maintenance and information security ontology. In Proceedings of the 2017 4th International Conference on Control, Decision and Information Technologies (CoDIT), Barcelona, Spain, 5–7 April 2017. [Google Scholar] [CrossRef]
  96. Adán, B.G.; Lombana, C.; Calvo, M.; Ordoñez, S.; Caviativa, Y.; Garcés, J. Knowledge Base for an Intelligent System in order to Identify Security Requirements for Government Agencies Software Projects. MATEC Web Conf. 2016, 76, 03012. [Google Scholar] [CrossRef]
  97. Vasilevskaya, M.; Nadjm-Tehrani, S.; Gunawan, L.A.; Herrmann, P. Security asset elicitation for collaborative models. In Proceedings of the ACM Workshop on Model-Driven Security, Miami, FL, USA, 2–7 September 2012. [Google Scholar] [CrossRef]
  98. Ochoa, O.; Steinmann, J.; Lischuk, Y. Towards Eliciting and Analyzing Security Requirements Using Ontologies through Use Case Scenarios (Work-in-Progress). In Proceedings of the 2018 International Conference on Software Security and Assurance (ICSSA), Seoul, Republic of Korea, 26–27 July 2018. [Google Scholar] [CrossRef]
  99. Steinmann, J.; Ochoa, O. Supporting Security Requirements Engineering through the Development of The Secure Development Ontology. In Proceedings of the 2022 IEEE 16th International Conference on Semantic Computing (ICSC), Virtual Conference, 26–28 January 2022. [Google Scholar] [CrossRef]
  100. Blanco, C.; Rosado, D.G.; Varela-Vaca, A.J.; Gomez-Lopez, M.T.; Fernandez-Medina, E. Onto-CARMEN: Ontology-driven approach for Cyber-Physical System Security Requirements meta-modelling and reasoning. Internet Things 2023, 24, 100989. [Google Scholar] [CrossRef]
  101. Bergner, S.; Lechner, U. Cybersecurity Ontology for Critical Infrastructures. In Proceedings of the 9th International Joint Conference on Knowledge Discovery, Knowledge Engineering and Knowledge Management, Porto, Portugal, 27–29 September 2017; SciTePress—Science and Technology Publications: Setúbal, Portugal, 2017. [Google Scholar] [CrossRef]
  102. Hosseinzadeh, S.; Virtanen, S.; Díaz-Rodríguez, N.; Lilius, J. A semantic security framework and context-aware role-based access control ontology for smart spaces. In Proceedings of the International Workshop on Semantic Big Data, San Francisco, CA, USA, 26 June–1 July 2016; ACM: New York, NY, USA, 2016. [Google Scholar] [CrossRef]
  103. Canito, A.; Aleid, K.; Praca, I.; Corchado, J.; Marreiros, G. An Ontology to Promote Interoperability between Cyber-physical Security Systems in Critical Infrastructures. In Proceedings of the 2020 IEEE 6th International Conference on Computer and Communications (ICCC), Macao, China, 6–9 December 2020. [Google Scholar] [CrossRef]
  104. Hannou, F.Z.; Rihany, M.; Lammari, N.; Hamdi, F.; Mimouni, N.; Atigui, F.; Si-Said Cherfi, S.; Tourron, P. Semantic-Based Approach for Cyber-Physical Cascading Effects Within Healthcare Infrastructures. IEEE Access 2022, 10, 53398–53417. [Google Scholar] [CrossRef]
  105. Tefek, U.; Esiner, E.; Cheh, C.; Mashima, D. A Smart Grid Ontology: Vulnerabilities, Attacks, and Security Policies. In Proceedings of the 2023 IEEE Conference on Communications and Network Security, CNS, San Diego, CA, USA, 16–18 October 2023. [Google Scholar] [CrossRef]
  106. Khalil, K.; Gehrmann, C.; Vogel, G. CyberROAD: A cybersecurity risk assessment ontology for automotive domain aligned with ISO/SAE 21434:2021. J. Inf. Secur. Appl. 2025, 90, 104015. [Google Scholar] [CrossRef]
  107. Teng, J.; Yang, R.; Wang, T.; Du, J.; Sheng, Q.Z. OntoCPS4PMS: Ontology modeling for collaborative cyber-physical threat defense in power monitoring system. Syst. Eng. 2025, 28, 29–44. [Google Scholar] [CrossRef]
  108. Babayeva, G.; Maennel, K.; Maennel, O.M. Building an Ontology for Cyber Defence Exercises. In Proceedings of the 2022 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), Genoa, Italy, 6–10 June 2022. [Google Scholar] [CrossRef]
  109. Wen, S.F.; Yamin, M.M.; Katt, B. Ontology-Based Scenario Modeling for Cyber Security Exercise. In Proceedings of the 2021 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), Virtual Conference, 6–10 September 2021. [Google Scholar] [CrossRef]
  110. Wang, Y.; Allakany, A.; Kulshrestha, S.; Shi, W.; Bose, R.; Okamura, K. Automatically Generate E-Learning Quizzes from IoT Security Ontology. In Proceedings of the 2019 8th International Congress on Advanced Applied Informatics (IIAI-AAI), Toyama, Japan, 7–11 July 2019. [Google Scholar] [CrossRef]
  111. Lavrova, D.S.; Vasilev, Y.S. An ontological model of the domain of applications for the Internet of Things in analyzing information security. Autom. Control Comput. Sci. 2017, 51, 817–823. [Google Scholar] [CrossRef]
  112. Mozzaquatro, B.; Agostinho, C.; Goncalves, D.; Martins, J.; Jardim-Goncalves, R. An Ontology-Based Cybersecurity Framework for the Internet of Things. Sensors 2018, 18, 3053. [Google Scholar] [CrossRef] [PubMed]
  113. Ren, W.W.; Hu, L.; Zhao, K.; Jia, B. Information Security Ontology Model for Internet of Thing. Adv. Mater. Res. 2013, 694–697, 2466–2470. [Google Scholar] [CrossRef]
  114. Mozzaquatro, B.A.; Jardim-Goncalves, R.; Agostinho, C. Towards a reference ontology for security in the Internet of Things. In Proceedings of the 2015 IEEE International Workshop on Measurements and Networking (M and N), Coimbra, Portugal, 12–13 October 2015. [Google Scholar] [CrossRef]
  115. Bughio, K.S.; Cook, D.M.; Shah, S.A.A. Developing a Novel Ontology for Cybersecurity in Internet of Medical Things-Enabled Remote Patient Monitoring. Sensors 2024, 24, 2804. [Google Scholar] [CrossRef]
  116. Oltramari, A.; Henshel, D.S.; Cains, M.; Hoffman, B. Towards a Human Factors Ontology for Cyber Security. In Proceedings of STIDS 2015; pp. 26–33. [Google Scholar]
  117. Mouton, F.; Malan, M.M.; Leenen, L.; Venter, H. Social engineering attack framework. In Proceedings of the 2014 Information Security for South Africa, Johannesburg, South Africa, 6–8 October 2014. [Google Scholar] [CrossRef]
  118. Mouton, F.; Leenen, L.; Malan, M.M.; Venter, H.S. Towards an Ontological Model Defining the Social Engineering Domain. In ICT and Society; Springer: Berlin/Heidelberg, Germany, 2014; pp. 266–279. [Google Scholar] [CrossRef]
  119. Oliveira, I.; Calhau, R.F.; Guizzardi, G. Toward a phishing attack ontology. In Proceedings of the CEUR Workshop Proceedings, Sherbrooke, QC, Canada, 19–20 July 2023; Volume 3618. [Google Scholar]
  120. Varvarigou, D.; Espes, D.; Bersano, G. Ontology-based Solution for Handling Safety and Cybersecurity Interdependency in NFV Safety Architecture. Proc. Procedia Comput. Sci. 2023, 220, 527–534. [Google Scholar] [CrossRef]
  121. Kurylets, A.; Goranin, N. Security Ontology OntoSecRPA for Robotic Process Automation Domain. Appl. Sci. 2023, 13, 5568. [Google Scholar] [CrossRef]
  122. Pereira, T.; Santos, H. An Ontological Approach to Information Security Management. In Proceedings of the 7th International Conference on Information Warfare and Security, Seattle, WA, USA, 22–23 March 2012; University of Washington: Seattle, WA, USA, 2012; pp. 368–375. [Google Scholar]
  123. Fernández-Caramés, T.M.; Fraga-Lamas, P. Review of Industry 4.0 from the Perspective of Automation and Supervision Systems: Definitions, Architectures and Recent Trends. Electronics 2024, 13, 782. [Google Scholar] [CrossRef]
  124. García, J.; Martínez, A.; López, D. Cyberattack Detection Systems in Industrial Internet of Things (IIoT) Networks in Big Data Environments. Appl. Sci. 2025, 15, 3121. [Google Scholar] [CrossRef]
Figure 1. PRISMA 2020 flow diagram showing identification, screening, eligibility assessment, and inclusion of primary studies.
Figure 2. A word cloud from the abstracts.
Figure 3. Papers by year.
Figure 4. Distribution of representation formalisms across the reviewed cybersecurity ontology artefacts (N = 93). The figure shows the prevalence of OWL-based representations, including OWL-DL and OWL extended with rule or query mechanisms, compared to RDF(S)-only and conceptual (ontology-grounded) modelling approaches. Counts are derived from the artefact-level classification reported in Table A2.
Figure 5. Distribution of modelling paradigms adopted by the reviewed cybersecurity ontology artefacts (N = 93). The figure summarises the dominant conceptual structures used to organise cybersecurity knowledge, including taxonomic/hierarchical, event- or process-centric, graph-based, modular, and hybrid paradigms. The distribution is derived from the artefact characterisation presented in Table A2.
Figure 6. Distribution of automated reasoning support enabled in principle by the reviewed cybersecurity ontology artefacts (N = 93). The figure reports the types of reasoning supported by the ontology artefacts based on their representation formalism and modelling choices, including Description Logic reasoning, query-driven reasoning, combined DL and rule-based reasoning, and cases where no explicit automated reasoning is reported. Data are derived from Table A2.
Figure 7. Distribution of cybersecurity ontologies across the revised thematic categories. The figure illustrates how existing ontologies cluster around major areas of focus, showing strongest representation in Risk, Vulnerability and Exposure Modelling, Threats, Attacks and Cyber Threat Intelligence, and Governance, ISMS and Security Compliance. Moderate activity is observed in foundational modelling, requirements engineering, and operational detection. Smaller clusters correspond to specialised domains such as IoT and IIoT security, industrial control systems, social engineering, human-centred security, and access control.
Figure 8. The six functions of the NIST CSF 2.0 (Govern, Identify, Protect, Detect, Respond, Recover) used as the reference frame for the mapping in Figure 9.
Figure 9. Heatmap illustrating the relationship between the reviewed cybersecurity ontologies and the NIST CSF 2.0 functions and categories. Colour intensity reflects the number of ontologies mapped to each category: lighter tones correspond to fewer occurrences, whereas darker tones indicate a higher concentration of mapped elements, highlighting areas of greater emphasis.
Figure 10. Evolution of cybersecurity ontology research along three maturity dimensions.
Figure 11. Distribution of cybersecurity ontology studies according to Wieringa’s classification categories.
Figure 12. Vision for an Integrated Security Ontology. The core ontology encapsulates fundamental cybersecurity concepts such as assets, threats, vulnerabilities, and controls. Surrounding this core are specialized domains—risk management, attack detection, policy compliance, and domain-specific extensions (e.g., IoT, CPS)—that interface with the core ontology. This unified structure aims to reduce fragmentation and promote semantic interoperability across heterogeneous security domains.
Figure 13. Illustrative fragment of a Security Knowledge Graph (SKG). This example demonstrates the semantic relationships between a web application, a known vulnerability (CVE-2021-44228), its classification as a weakness (CWE-502), an associated threat actor, and two mitigation strategies. The SKG provides a structured and contextualized view that enables automated reasoning, threat detection, and decision support.
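The fragment described in the Figure 13 caption can be made concrete as a small triple store with forward-chaining rules. The following is an added example written for this review, not an artefact from the paper or from any of the surveyed ontologies: the web application identifier, the threat-actor identifier, the two mitigation labels, the `skg:` property names and the example.org namespace URIs are all placeholders constructed for illustration. Only CVE-2021-44228 and CWE-502 are taken from the caption. It uses the Python standard library only; a deployed Security Knowledge Graph would hold the same triples in an RDF/OWL store and express the two rules as OWL property chains or SPARQL/SWRL rules, which is the reasoning support summarised in Figure 6.

```python
"""Toy Security Knowledge Graph (SKG) fragment with rule-based inference.

Constructed example for the Figure 13 fragment: a web application exposed to
CVE-2021-44228, the vulnerability's weakness class CWE-502, one threat actor
and two mitigations. Identifiers other than the CVE and CWE are placeholders.
"""
from typing import Iterable, List, Optional, Set, Tuple

Triple = Tuple[str, str, str]

# Hypothetical CURIE prefixes for the example ontology and the external vocabularies.
SKG, CVE, CWE = "skg:", "cve:", "cwe:"


def build_fragment() -> Set[Triple]:
    """Hand-built triples mirroring Figure 13 (constructed, not from the paper)."""
    vuln = CVE + "CVE-2021-44228"
    return {
        # Asset and its exposure to the vulnerability
        (SKG + "WebApp1", "rdf:type", SKG + "Asset"),
        (SKG + "WebApp1", SKG + "exposedTo", vuln),
        # Vulnerability classified under a CWE weakness
        (vuln, "rdf:type", SKG + "Vulnerability"),
        (vuln, SKG + "instanceOfWeakness", CWE + "CWE-502"),
        (CWE + "CWE-502", "rdf:type", SKG + "Weakness"),
        # Threat actor (placeholder identifier) known to exploit the vulnerability
        (SKG + "ThreatActorX", "rdf:type", SKG + "ThreatActor"),
        (SKG + "ThreatActorX", SKG + "exploits", vuln),
        # Two mitigations (placeholder labels) attached to the vulnerability
        (SKG + "Mitigation1", "rdf:type", SKG + "Countermeasure"),
        (SKG + "Mitigation2", "rdf:type", SKG + "Countermeasure"),
        (vuln, SKG + "mitigatedBy", SKG + "Mitigation1"),
        (vuln, SKG + "mitigatedBy", SKG + "Mitigation2"),
    }


def match(triples: Iterable[Triple], s: Optional[str] = None,
          p: Optional[str] = None, o: Optional[str] = None) -> List[Triple]:
    """Basic triple-pattern match; None is a wildcard (a toy SPARQL basic graph pattern)."""
    return [(ts, tp, to) for (ts, tp, to) in triples
            if (s is None or ts == s) and (p is None or tp == p) and (o is None or to == o)]


def infer(triples: Set[Triple]) -> Set[Triple]:
    """Forward-chain two property-chain rules to a fixpoint.

    R1: asset exposedTo V  and  V mitigatedBy M    =>  asset recommendedMitigation M
    R2: actor exploits V   and  asset exposedTo V  =>  actor threatens asset
    """
    closure = set(triples)
    while True:
        derived: Set[Triple] = set()
        for (asset, _, v) in match(closure, p=SKG + "exposedTo"):
            for (_, _, m) in match(closure, s=v, p=SKG + "mitigatedBy"):
                derived.add((asset, SKG + "recommendedMitigation", m))
            for (actor, _, _) in match(closure, p=SKG + "exploits", o=v):
                derived.add((actor, SKG + "threatens", asset))
        if derived <= closure:          # nothing new: fixpoint reached
            return closure
        closure |= derived


def recommended_mitigations(asset: str) -> List[str]:
    """Decision support: which countermeasures apply to this asset (via R1)."""
    g = infer(build_fragment())
    return sorted(o for (_, _, o) in match(g, s=asset, p=SKG + "recommendedMitigation"))


def threatening_actors(asset: str) -> List[str]:
    """Threat contextualisation: which actors can reach this asset (via R2)."""
    g = infer(build_fragment())
    return sorted(s for (s, _, _) in match(g, p=SKG + "threatens", o=asset))


def weakness_classes(asset: str) -> List[str]:
    """Two-hop query asset -> vulnerability -> weakness, without inference."""
    g = build_fragment()
    return sorted(w for (_, _, v) in match(g, s=asset, p=SKG + "exposedTo")
                  for (_, _, w) in match(g, s=v, p=SKG + "instanceOfWeakness"))


def to_turtle(triples: Iterable[Triple]) -> str:
    """Serialise as Turtle so the fragment could be loaded into an RDF/OWL store.
    The namespace IRIs are hypothetical example.org values."""
    header = ("@prefix skg: <http://example.org/skg#> .\n"
              "@prefix cve: <http://example.org/cve#> .\n"
              "@prefix cwe: <http://example.org/cwe#> .\n"
              "@prefix rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#> .\n")
    return header + "\n".join(f"{s} {p} {o} ." for (s, p, o) in sorted(triples)) + "\n"


if __name__ == "__main__":
    asset = SKG + "WebApp1"
    print("mitigations:", recommended_mitigations(asset))
    print("actors:     ", threatening_actors(asset))
    print("weaknesses: ", weakness_classes(asset))
    print(to_turtle(infer(build_fragment())))
```

The two rules are deliberately the kind of axiom that a DL reasoner cannot express as a plain subclass hierarchy but that OWL 2 property chains or a rule layer can; this is why the paper's Figure 6 separates pure OWL-DL artefacts from OWL-plus-rules ones. The same fixpoint loop also makes the failure mode visible: if the CVE is not linked to its CWE, or the mitigation is attached to the weakness instead of the vulnerability, R1 derives nothing and the asset silently receives no recommendation, so in a real SKG the coverage of such links should be checked with a query before trusting the inferred results.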
Table 1. Summary of Review, Proposal, and Vision.
Dimension | Contribution
Review | Systematic analysis of existing security ontologies using three research questions: core concepts, focus areas, and maturity/application levels.
Proposal | Introduction of a high-level integrated security ontology based on the consolidation of core concepts and cross-domain extensions.
Vision | Development of a semantic security knowledge graph as a foundation for future intelligent security systems and standardisation efforts.
Table 2. Research questions (scope of the literature review).
ID | Research Question | Objectives
RQ1 | What core concepts and relationships are essential for a complete understanding of security issues? | This question aims to identify the fundamental elements and their interconnections that form the basis of understanding security issues. It focuses on identifying the critical components necessary for a holistic grasp of cybersecurity challenges.
RQ2 | What is the predominant focus of existing security ontologies in the literature? | This research question aims to determine the main areas of interest or emphasis within academic research on security ontologies. By exploring the existing literature, it seeks to uncover common themes, topics, and priorities in the development and application of security ontologies.
RQ3 | What is the current stage of development and application of security ontologies, ranging from theoretical concepts to real-world implementation in industrial settings? | This research question seeks to assess the maturity level of security ontologies by investigating the extent to which they have progressed from theoretical proposals to practical usage in real-world industrial applications. By examining the spectrum of development and application, it aims to trace the evolution of security ontologies and their adoption in practical contexts, providing insight into their readiness and effectiveness for addressing real-world cybersecurity challenges.
Table 3. Application of the PICO–C framework to this review.
Element | Definition in this Study
Population (P) | Peer-reviewed academic and industrial studies published between 2012 and 2025 that propose, extend, or evaluate cybersecurity ontologies.
Intervention (I) | The ontology artefacts themselves, including conceptual and operational models.
Comparison (C) | Comparison across thematic domains and NIST CSF 2.0 alignment, as well as maturity differences and methodological strategies.
Outcome (O) | Identification of core concepts, relationships, methodological patterns, maturity indicators, and gaps.
Context (C) | Digital libraries covering the cybersecurity and knowledge-representation domains.
Table 4. Inclusion and exclusion criteria defined in the planning phase.
Inclusion Criteria | Description
Ontology focus | Study explicitly proposes, extends, or evaluates a cybersecurity ontology.
Publication type | Peer-reviewed journal, conference, or standards report.
Time frame | 2012–2025.
Language | English.
Availability | Full text accessible.
Exclusion Criteria | Description
Non-ontological work | Models or taxonomies without an ontology artefact.
Irrelevant domain | Non-cybersecurity ontologies.
Non-peer-reviewed | Theses, informal reports, non-refereed preprints.
Duplicates | Duplicate records removed using DOI/title matching.
Insufficient detail | Ontology mentioned but not described.
Table 5. Data-extraction fields and their relation to the PICO–C framework.
Data Field | Description | PICO–C Element
Bibliographic metadata | Author(s), year, venue, publisher | Context
Ontology name/acronym | Official name or label used by the authors | Population
Domain focus | Risk, vulnerability, threat intelligence, policy, ICS, IoT, etc. | Intervention
Ontology artefact link | Public URL/repository/URI of the OWL/RDF/SKOS file | Intervention
Formalism used | Ontology language (OWL, RDF/S, F-Logic, etc.) | Intervention
Alignment with standards | Use of CVE, CWE, STIX, ATT&CK, ISO 27001/27005, NIST CSF 2.0 | Comparison
Validation method | Reasoning test, expert review, case study, or none | Outcome
Metric reporting | Structural or quality metrics (e.g., class count, cohesion) | Outcome
Application/maturity level | Theoretical, prototype, or industrial implementation | Comparison
Availability/license | Public, restricted, or not available | Context
Notes and comments | Observations, limitations, special contributions |
Table 6. Ontology-specific quality assessment criteria (0–2). The checklist also supports a basic risk-of-bias appraisal by making reporting, validation, and reproducibility aspects explicit.
Criterion | Description and Scoring Guideline (0–2)
Q1. Artefact availability | Availability of an OWL/RDF/SKOS file or public URI (0 = none, 1 = partial, 2 = fully available).
Q2. Formal representation | Explicit formalisation in a recognised ontology language (e.g., OWL, RDF/S, F-Logic).
Q3. Alignment with standards | Links to cybersecurity or knowledge-representation standards (e.g., CVE, CWE, STIX, ISO 27001, NIST CSF 2.0).
Q4. Conceptual clarity | Clear definition of the core entities and relationships (asset, threat, vulnerability, control, etc.).
Q5. Validation or reasoning test | Presence of reasoning validation, competency questions, or expert review.
Q6. Metric reporting | Quantitative evaluation (e.g., class count, depth, cohesion, or OQuaRE indicators).
Q7. Empirical or industrial use | Evidence of deployment or evaluation in a real or simulated context.
Q8. Documentation and reusability | Availability of documentation, versioning, and licensing information.
Bias mapping (interpretation aid). The criteria mitigate common biases as follows: reporting and reproducibility bias (Q1, Q8), construct and semantic ambiguity bias (Q2, Q4), standardisation and terminology bias (Q3), validation bias (Q5, Q7), and measurement or over-claim bias (Q6).
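As an added illustration of what Q5 (validation by competency questions) and Q6 (structural metrics) amount to in practice, the following script is not code from any of the reviewed studies. It holds a small, constructed cybersecurity ontology as RDF-style triples (the sec: and ex: prefixes, class names and property names are illustrative assumptions), computes class count, hierarchy depth and root-class count, and answers two competency questions that depend on rdfs:subClassOf entailment: which vulnerabilities of an asset have no countermeasure, and which attacks exploit them. No RDF library is used, so it runs offline.

```python
"""Added example (not from the reviewed paper): structural metrics and
competency-question checks over a constructed toy cybersecurity ontology."""
from collections import defaultdict

RDF_TYPE, OWL_CLASS, SUBCLASS = "rdf:type", "owl:Class", "rdfs:subClassOf"

# Constructed toy ontology in (subject, predicate, object) form. The sec:/ex:
# terms are assumptions for this example, modelled on the core entities the
# review reports (Asset, Threat, Vulnerability, Attack, Countermeasure).
TRIPLES = [
    ("sec:Asset", RDF_TYPE, OWL_CLASS),
    ("sec:Threat", RDF_TYPE, OWL_CLASS),
    ("sec:Vulnerability", RDF_TYPE, OWL_CLASS),
    ("sec:Attack", RDF_TYPE, OWL_CLASS),
    ("sec:Countermeasure", RDF_TYPE, OWL_CLASS),
    ("sec:SoftwareVulnerability", SUBCLASS, "sec:Vulnerability"),
    ("sec:MemorySafetyVulnerability", SUBCLASS, "sec:SoftwareVulnerability"),
    ("sec:Patch", SUBCLASS, "sec:Countermeasure"),
    # Individuals (ABox)
    ("ex:webServer", RDF_TYPE, "sec:Asset"),
    ("ex:vuln1", RDF_TYPE, "sec:MemorySafetyVulnerability"),
    ("ex:vuln2", RDF_TYPE, "sec:SoftwareVulnerability"),
    ("ex:webServer", "sec:hasVulnerability", "ex:vuln1"),
    ("ex:webServer", "sec:hasVulnerability", "ex:vuln2"),
    ("ex:patch1", RDF_TYPE, "sec:Patch"),
    ("ex:patch1", "sec:mitigates", "ex:vuln1"),
    ("ex:exploitA", RDF_TYPE, "sec:Attack"),
    ("ex:exploitA", "sec:exploits", "ex:vuln2"),
]


class Ontology:
    def __init__(self, triples):
        # predicate -> subject -> set(objects), for cheap lookups
        self.idx = defaultdict(lambda: defaultdict(set))
        for s, p, o in triples:
            self.idx[p][s].add(o)

    def objects(self, subject, predicate):
        return self.idx[predicate].get(subject, set())

    def classes(self):
        """Declared owl:Class terms plus anything used in a subclass axiom."""
        found = {s for s, ts in self.idx[RDF_TYPE].items() if OWL_CLASS in ts}
        for s, parents in self.idx[SUBCLASS].items():
            found.add(s)
            found.update(parents)
        return found

    def superclasses(self, cls):
        """Transitive closure of rdfs:subClassOf; cycle-safe via a seen set."""
        seen, stack = set(), [cls]
        while stack:
            for parent in self.objects(stack.pop(), SUBCLASS):
                if parent not in seen:
                    seen.add(parent)
                    stack.append(parent)
        return seen

    def depth(self, cls, _path=()):
        """Longest subclass chain above cls (root = 0). A cycle is a modelling
        error; it is cut at the repeated class rather than looped on."""
        parents = [p for p in self.objects(cls, SUBCLASS) if p not in _path]
        if not parents:
            return 0
        return 1 + max(self.depth(p, _path + (cls,)) for p in parents)

    def metrics(self):
        """Q6-style structural indicators."""
        cls = self.classes()
        return {
            "class_count": len(cls),
            "max_depth": max(self.depth(c) for c in cls),
            "root_classes": sum(1 for c in cls if not self.objects(c, SUBCLASS)),
        }

    def instances_of(self, cls):
        """Individuals typed as cls or any subclass (subClassOf entailment)."""
        return {s for s, types in self.idx[RDF_TYPE].items()
                if any(t == cls or cls in self.superclasses(t) for t in types)}

    # Q5-style competency questions
    def unmitigated_vulnerabilities(self, asset):
        """CQ1: which vulnerabilities of `asset` has no Countermeasure mitigated?
        Without entailment, ex:patch1 (a Patch) would not count as one."""
        vulns = self.objects(asset, "sec:hasVulnerability")
        mitigated = {v for cm in self.instances_of("sec:Countermeasure")
                     for v in self.objects(cm, "sec:mitigates")}
        return vulns - mitigated

    def attacks_against(self, asset):
        """CQ2: which attacks exploit a vulnerability present on `asset`?"""
        vulns = self.objects(asset, "sec:hasVulnerability")
        return {a for a in self.instances_of("sec:Attack")
                if self.objects(a, "sec:exploits") & vulns}


if __name__ == "__main__":
    onto = Ontology(TRIPLES)
    print(onto.metrics())
    print(onto.unmitigated_vulnerabilities("ex:webServer"))
    print(onto.attacks_against("ex:webServer"))
```

The point of CQ1 is that the answer changes with reasoning: a flat lookup of sec:Countermeasure individuals finds none, while subclass entailment recognises ex:patch1 and leaves only ex:vuln2 unmitigated, which is exactly the vulnerability ex:exploitA exploits. A reasoning test that scores Q5 should include at least one question of this shape, otherwise a class hierarchy that is never traversed adds no validated value.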
Table 7. Classification of the reviewed cybersecurity ontologies according to the revised thematic taxonomy. The table maps each ontology to one or more thematic categories, reflecting the fact that many works span multiple conceptual domains. The taxonomy consists of seven high-level categories: Foundational Concepts; Risk, Vulnerability and Exposure Modelling; Threats, Attacks and Cyber Threat Intelligence; Governance, ISMS and Security Compliance; Security Requirements Engineering; Security Detection, Monitoring and Operations; and Domain-Specific or Application-Oriented Cybersecurity. This categorisation provides an overview of research concentration and thematic coverage across the 93 primary studies.
Item | Category | Papers
(a) | Foundational Information Security Concepts | [20,34,35,36,37,38,39,40,41,42,43]
(b) | Risk, Vulnerability and Exposure Modelling | [44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63]
(c) | Threats, Attacks and Cyber Threat Intelligence | [7,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81]
(d) | Governance, ISMS and Security Compliance | [21,82,83,84,85,86,87,88,89,90,91,92,93,94,95]
(e) | Security Requirements Engineering | [96,97,98,99,100]
(f) | Security Detection, Monitoring and Operations | [7,67,70,72,76]
(g) | Domain-Specific and Application-Oriented Ontologies |
    Access Control (RBAC/ABAC) | [101,102]
    Cyber-Physical/ICS | [103,104,105,106,107]
    Human/Pedagogy | [108,109,110]
    IoT Security | [111,112,113,114,115]
    Social Engineering | [39,116,117,118,119]
    Other (Telecom and RPA) | [120,121]
Table 8. NIST CSF 2.0 functions and categories, with the number of reviewed ontologies mapped to each category (Count).
Function | Category | Code | Count
GOVERN | Organisational Context | GV.OC | 1
GOVERN | Risk Management Strategy | GV.RM | 19
GOVERN | Roles, Responsibilities and Authorities | GV.RR | 26
GOVERN | Policy | GV.PO | 26
GOVERN | Oversight | GV.OV | 26
GOVERN | Cybersecurity Supply Chain Risk Management | GV.SC | 0
IDENTIFY | Asset Management | ID.AM | 8
IDENTIFY | Risk Assessment | ID.RA | 24
IDENTIFY | Improvement | ID.IM | 1
PROTECT | Identity Management, Authentication, and Access Control | PR.AA | 4
PROTECT | Awareness and Training | PR.AT | 7
PROTECT | Data Security | PR.DS | 1
PROTECT | Platform Security | PR.PS | 17
PROTECT | Technology Infrastructure Resilience | PR.IR | 17
DETECT | Continuous Monitoring | DE.CM | 36
DETECT | Adverse Event Analysis | DE.AE | 32
RESPOND | Incident Management | RS.MA | 4
RESPOND | Incident Analysis | RS.AN | 13
RESPOND | Incident Response Reporting and Communication | RS.CO | 6
RESPOND | Incident Mitigation | RS.MI | 8
RECOVER | Incident Recovery Plan Execution | RC.RP | 2
RECOVER | Incident Recovery Communication | RC.CO | 0
Table 9. Trajectory of security ontology research across three dimensions of maturity.
# | Dimension | Papers
1 | Theoretical Foundations and Development Practices | [38,119]
2 | Application and Deployment Domains | [20,21,35,36,37,39,40,41,42,46,47,48,52,53,54,55,56,57,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,79,80,81,85,87,88,89,90,92,94,95,98,99,102,105,108,110,111,115,116,117,118,121,122]
3 | Real-World and Industrial Implementations | [7,34,39,43,44,45,49,50,51,58,59,78,82,83,84,86,91,93,96,97,100,101,103,104,106,107,109,112,113,114,120]
Table 10. Articles classified according to the Wieringa et al. classification scheme.
Category | Papers
Solution Proposal | [7,20,21,34,37,38,39,40,41,42,44,46,48,49,52,54,57,58,59,61,63,64,66,67,68,69,70,71,72,74,75,77,82,83,85,87,88,89,90,92,93,94,95,96,98,99,101,103,110,111,113,114,115,116,117,118,122]
Validation Research | [36,39,43,45,47,50,51,53,55,56,60,62,65,73,76,78,79,80,81,86,91,100,102,104,106,107,108,109,112,120,121]
Philosophical Paper | [35,119]
Opinion Paper | [84,105]
Experience Paper | (few explicit cases identified; typically integrated within the validation or solution categories)
Evaluation Research | [97]
Share and Cite

Gacitua, R.; Diéguez-Rebolledo, M. Toward a Unified View of Cybersecurity Ontologies: A Systematic Review and Conceptual Consolidation. Appl. Sci. 2026, 16, 6185. https://doi.org/10.3390/app16126185