Insight: Ontology-based security modeling in ArchiMate

Winners Consulting Services Co. Ltd. (積穗科研股份有限公司), Taiwan's expert in Enterprise Risk Management (ERM), highlights a landmark 2024 research finding that should reshape how every Taiwanese enterprise approaches security risk modeling: the widely-used ArchiMate Risk and Security Overlay (RSO) contains at least six fundamental semantic deficiencies that prevent it from accurately representing the risk treatment options mandated by ISO 31000. For executives driving ERM digitalization in Taiwan, this is not an academic footnote — it is a structural warning about the reliability of your risk governance foundation.

Paper Citation: Ítalo Oliveira, Tiago Prince Sales, João Paulo A. Almeida, "Ontology-based security modeling in ArchiMate" (2024; OpenAlex topic: Enterprise Risk Management)
Original Paper: https://doi.org/10.1007/s10270-024-01149-1

About the Authors and This Research

This paper is the work of three researchers from the Ontology and Conceptual Modeling Research Group (NEMO) at the Federal University of Espírito Santo (UFES) in Brazil — one of the world's leading centers for formal enterprise architecture and ontology engineering research.

The intellectual anchor of this work is Tiago Prince Sales, a globally recognized scholar in ontology-driven enterprise modeling. With an h-index of 17 and over 964 cumulative citations, Sales ranks among the most influential researchers in the field of formal conceptual modeling and its application to enterprise architecture standards. His foundational contributions to OntoUML and reference ontology design have directly influenced discussions around ISO/IEC conceptual modeling standards.

Ítalo Oliveira brings focused expertise in security ontology applications, while João Paulo A. Almeida is a senior professor at UFES whose career-long research on the formal foundations of enterprise modeling languages provides the theoretical scaffolding for this work. Published in 2024, the paper has already accumulated 8 citations — including 1 high-impact citation — demonstrating its rapid uptake within the enterprise architecture and risk management research community.

For Taiwanese enterprise executives, the credibility of this research matters: these are not technology vendors promoting a product. They are rigorous academic researchers applying formal ontological methods to audit and redesign a tool that thousands of enterprises worldwide currently use for security and risk modeling.

Six Semantic Flaws That Undermine Your Security Risk Architecture

The research addresses a question that most enterprise risk practitioners have never thought to ask: Is the modeling language we use to describe security risks actually semantically precise enough to support rigorous ERM decision-making? The answer, according to this study, is a qualified but alarming "no."

The ArchiMate modeling language — maintained by The Open Group and widely used in enterprise architecture alongside frameworks like TOGAF — includes a specialized extension called the Risk and Security Overlay (RSO). This overlay is designed to help enterprise architects describe threats, vulnerabilities, security controls, and risk treatment options within their architecture diagrams. It serves as a critical bridge between technical security teams and the ERM frameworks — such as COSO ERM and ISO 31000 — that executives and boards rely on for risk governance.

Core Finding 1: Six Identified Semantic Deficiencies in the ArchiMate RSO

Using the Reference Ontology for Security Engineering (ROSE) and its underlying Ontological Theory of Prevention as an analytical lens, the research team conducted a systematic examination of every security-related construct within the ArchiMate RSO. The verdict was clear: the current RSO harbors six categories of semantic deficiency.

These deficiencies include: ambiguous definitions of core concepts such as "threat," "vulnerability," and "security control"; conceptual overlaps that make it impossible to distinguish between distinct risk phenomena; and an inability to formally represent causal relationships between threat agents, exploited vulnerabilities, and resulting security incidents. In practical terms, these flaws mean that when an enterprise architect uses the current ArchiMate RSO to model security risks, the resulting diagrams may appear comprehensive while actually failing to capture the logical relationships that rigorous ERM — under COSO ERM or ISO 31000 — requires. Risk matrices built on such foundations may be visually persuasive but conceptually unreliable, and Key Risk Indicators (KRIs) derived from such models may track the wrong phenomena.

Core Finding 2: An Ontology-Based Redesign That Formally Supports ISO 31000 Risk Treatment Options

The research team did not stop at diagnosis. They proposed a comprehensive ontology-based redesign of ArchiMate's security modeling elements, with two distinguishing features that carry direct practical significance.

First, they formally introduced the concept of "prevention" — grounded in the ROSE ontology's theory of prevention — into the ArchiMate language itself. This is more than a terminological update: it represents a structural enrichment of the language's conceptual architecture, enabling it to formally distinguish between preventive controls (which reduce the likelihood of a threat being realized) and reactive controls (which mitigate consequences after an incident occurs). This distinction is fundamental to any rigorous risk treatment decision under ISO 31000 or COSO ERM.

Second — and this is the finding most directly relevant to Taiwanese enterprises pursuing ISO 31000 compliance — the research team explicitly validated that their redesigned ArchiMate constructs can fully describe all four ISO 31000 risk treatment options: risk avoidance, risk reduction, risk transfer, and risk retention/acceptance. This validation was demonstrated through multiple worked examples, including a real-world cybersecurity application case, confirming that the redesign is not merely theoretical but operationally deployable.

The research also proposed a set of ontology-based security modeling patterns — reusable templates that enterprise architects can apply to ensure their security risk models are logically consistent with the underlying ontology of security. These patterns function similarly to design patterns in software engineering: they encode best practices at the level of formal conceptual structure, reducing the risk of semantic errors in risk modeling practice.

What This Means for Enterprise Risk Management in Taiwan

The implications of this research extend well beyond the academic debate over modeling language design. For Taiwanese enterprises actively implementing ERM frameworks, this study raises three urgent practical questions that deserve board-level attention.

First, are your risk models conceptually reliable? Many Taiwanese enterprises and financial institutions have invested significantly in enterprise architecture tools as part of their ERM digitalization efforts. If the modeling language underpinning these tools carries the semantic deficiencies identified in this research, then the risk identification outputs — risk registers, heat maps, risk matrices — may be built on conceptually imprecise foundations. COSO ERM (2017 edition) explicitly requires that risk identification be grounded in clear conceptual distinctions between risk events, risk factors, and risk consequences. Tools that blur these distinctions undermine the entire ERM process.

Second, does your cybersecurity risk management integrate with ERM? Taiwan's Financial Supervisory Commission (FSC) has significantly strengthened cybersecurity governance requirements for listed companies since 2023, including mandatory CISO appointments and cybersecurity incident disclosure requirements for companies above specified size thresholds. These regulatory developments create an urgent need for Taiwanese enterprises to translate technical cybersecurity risks into the language of ERM — precisely the problem this research addresses. The ontology-based security modeling patterns proposed in this paper offer a methodological foundation for building that translation layer systematically.

Third, are your ISO 31000 risk treatment processes complete? ISO 31000 Clause 6.5 requires enterprises to establish systematic processes for selecting from the full menu of risk treatment options. The research team's explicit validation of ISO 31000 alignment provides Taiwanese enterprises with a concrete benchmark: a well-designed security modeling framework should be able to formally represent all four treatment strategies — avoidance, reduction, transfer, and retention — for every identified security risk. If your current ERM tools cannot do this, you have a gap worth addressing.

How Winners Consulting Helps Taiwanese Enterprises Build Semantically Rigorous ERM

Winners Consulting Services Co. Ltd. (積穗科研股份有限公司) helps Taiwanese enterprises implement ISO 31000 and COSO ERM frameworks, design risk matrices and KRI systems, and strengthen board-level risk governance capabilities. In light of the semantic quality challenges revealed by this research, we recommend the following concrete action steps:

  1. Conduct a semantic audit of your risk modeling tools and risk register: Review the core conceptual definitions — threat, vulnerability, security control, risk event, risk consequence — used in your current ERM tools and risk registers. Benchmark these definitions against ISO 31000 terminology and COSO ERM's risk taxonomy. Identify conceptual ambiguities or overlaps that may be introducing inconsistency into your risk identification process. This audit is the foundation for building a trustworthy risk matrix and reliable KRI system.
  2. Integrate cybersecurity risk into your enterprise ERM framework using a structured translation layer: Drawing on the ontology-based security modeling principles demonstrated in this research, establish a formal mapping between your technical security risk assessments and your enterprise-level ERM risk register. Ensure that each cybersecurity risk is represented in terms of ISO 31000 risk treatment categories, so that board-level risk governance decisions are grounded in technically precise risk information — not just qualitative summaries.
  3. Formalize your ISO 31000 Clause 6.5 risk treatment decision process: For each identified risk, establish a structured decision workflow that evaluates all four risk treatment options — avoidance, reduction, transfer, and retention — with documented rationale for the selected treatment. This creates the audit trail that Taiwan's FSC regulatory requirements and sound board governance both demand, and ensures your ERM process is demonstrably aligned with ISO 31000.
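
As an added illustration, not code from the paper, from the ROSE ontology, or from Winners Consulting, the following Python sketch shows what the preventive/reactive control distinction from Core Finding 2 and the three action steps above amount to when written down formally: a small security-risk model whose audit routine rejects a "preventive" control that is attached to a consequence rather than a threat, a risk that references a vulnerability not in the register, and a risk whose ISO 31000 treatment decision is missing or was not evaluated against all four options. The element names, the consistency rules, and the sample data are all constructed for this example and are not the paper's ArchiMate constructs.

```python
# Added illustration only: a toy security-risk model with the two distinctions the
# article stresses (preventive vs reactive controls; the four ISO 31000 treatment
# options) and an audit that flags semantic errors a language lacking those
# distinctions cannot catch. Not the paper's redesign, not ROSE; all data constructed.
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class Treatment(Enum):
    """The four ISO 31000 risk treatment options named in the article."""
    AVOID = "avoidance"
    REDUCE = "reduction"
    TRANSFER = "transfer"
    RETAIN = "retention"


class ControlKind(Enum):
    PREVENTIVE = "preventive"  # acts before the threat event: lowers its likelihood
    REACTIVE = "reactive"      # acts after the event: lowers its consequence


@dataclass
class Threat:
    id: str
    agent: str


@dataclass
class Vulnerability:
    id: str
    asset: str


@dataclass
class Control:
    id: str
    kind: ControlKind
    targets: str  # a Threat id for preventive controls, a Risk id for reactive ones


@dataclass
class Risk:
    id: str
    threat: str          # causal chain: threat agent ...
    vulnerability: str   # ... exploits vulnerability ...
    consequence: str     # ... producing this incident outcome
    treatment: Optional[Treatment] = None
    # documented reason for each option considered (the Clause 6.5 audit trail)
    rationale: Dict[Treatment, str] = field(default_factory=dict)


def audit(model: dict) -> List[str]:
    """Return human-readable findings; an empty list means the model passed."""
    threats = {t.id for t in model["threats"]}
    vulns = {v.id for v in model["vulnerabilities"]}
    risks = {r.id: r for r in model["risks"]}
    controls: List[Control] = model["controls"]
    findings = []
    for r in risks.values():
        if r.threat not in threats:
            findings.append(f"{r.id}: references unknown threat {r.threat}")
        if r.vulnerability not in vulns:
            findings.append(f"{r.id}: references unknown vulnerability {r.vulnerability}")
        if r.treatment is None:
            findings.append(f"{r.id}: no ISO 31000 treatment option selected")
        missing = [t.value for t in Treatment if t not in r.rationale]
        if missing:
            findings.append(f"{r.id}: options not evaluated: {', '.join(missing)}")
        if r.treatment is Treatment.REDUCE:
            # toy rule: 'reduction' must be backed by a control that lowers likelihood
            # (preventive, on the risk's threat) or consequence (reactive, on the risk)
            backed = any(
                (c.kind is ControlKind.PREVENTIVE and c.targets == r.threat)
                or (c.kind is ControlKind.REACTIVE and c.targets == r.id)
                for c in controls
            )
            if not backed:
                findings.append(f"{r.id}: 'reduction' selected but no control backs it")
    for c in controls:
        if c.kind is ControlKind.PREVENTIVE and c.targets not in threats:
            findings.append(f"{c.id}: preventive control must target a threat, not {c.targets}")
        if c.kind is ControlKind.REACTIVE and c.targets not in risks:
            findings.append(f"{c.id}: reactive control must target a risk, not {c.targets}")
    return findings


def sample_model() -> dict:
    """Constructed sample: one well-formed risk (R1) and typical defects (R2, C3)."""
    all_four = {
        Treatment.AVOID: "cannot retire remote access; the business requires it",
        Treatment.REDUCE: "MFA plus incident playbook bring residual risk within appetite",
        Treatment.TRANSFER: "cyber insurance considered; excludes credential misuse",
        Treatment.RETAIN: "residual risk accepted after reduction, reviewed quarterly",
    }
    return {
        "threats": [Threat("T1", "external attacker sending credential-phishing mail")],
        "vulnerabilities": [Vulnerability("V1", "VPN portal with single-factor login")],
        "risks": [
            Risk("R1", "T1", "V1", "unauthorised remote access", Treatment.REDUCE, all_four),
            # R2: dangling vulnerability, no decision, only one option ever considered
            Risk("R2", "T1", "V9", "data exfiltration", None, {Treatment.AVOID: "not feasible"}),
        ],
        "controls": [
            Control("C1", ControlKind.PREVENTIVE, "T1"),  # MFA on the portal
            Control("C2", ControlKind.REACTIVE, "R1"),    # incident response playbook
            # C3: backups labelled 'preventive' but pointed at a risk; the model rejects it
            Control("C3", ControlKind.PREVENTIVE, "R1"),
        ],
    }
```

Running `audit(sample_model())` yields four findings: R2's dangling vulnerability, R2's missing decision, the three options R2 never evaluated, and C3's misclassified control; R1 passes because all four options carry a rationale and its "reduction" choice is backed by a preventive control on its threat. The point of the exercise is the one the article makes: once "preventive" and "reactive" are separate types with separate targets, and a treatment decision is a typed field rather than free text, the audit in step 1 becomes a mechanical check rather than a reading exercise.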

Winners Consulting Services Co. Ltd. offers a free ERM mechanism diagnostic, helping Taiwanese enterprises establish an ISO 31000-compliant risk management system within 90 days.

Frequently Asked Questions

What is the most practically significant finding of this research for enterprise risk managers?
The most practically significant finding is the explicit validation that a properly redesigned ArchiMate security modeling framework can fully represent all four ISO 31000 risk treatment options — avoidance, reduction, transfer, and retention. This validation demonstrates that the gap between technical security modeling and ERM compliance is bridgeable through rigorous ontological design. For enterprise risk managers, this means that investing in conceptual quality — not just tool sophistication — is essential for building ERM processes that genuinely satisfy ISO 31000 requirements. The six semantic deficiencies identified in the current ArchiMate RSO serve as a checklist that ERM practitioners can use to audit their own modeling practices, regardless of which specific tool they use.
How do Taiwan's FSC cybersecurity governance requirements connect to ERM frameworks like COSO ERM and ISO 31000?
Taiwan's FSC requirements for listed companies — including mandatory CISO appointments, cybersecurity incident disclosure obligations, and board-level cybersecurity oversight — are essentially translating technical cybersecurity governance into corporate governance language. This is precisely what COSO ERM (2017) and ISO 31000 provide at the enterprise level: a structured framework for integrating all categories of risk, including technology and cybersecurity risks, into unified board-level governance. The connection point is risk identification and treatment: FSC requires enterprises to identify and disclose material cybersecurity risks; COSO ERM and ISO 31000 provide the methodology for doing so systematically. This research demonstrates how to build the
