· 3 min read
Designing a Threat Ontology
This ontology can be used in threat modeling. v1.0
A TARA (Threat Analysis and Risk Assessment) is a structured methodology for identifying threats to a system, assessing their likelihood and impact, and determining appropriate controls. It is used across regulated industries — medical devices, automotive, aviation, industrial control systems — wherever cybersecurity risk must be formally documented and accepted.
TARAs are inherently graph-structured. Actors target assets. Attacks decompose into steps. Risks are mitigated by controls. Decisions cite authority. This relational structure maps directly to RDF, enabling TARA data to be stored as a knowledge graph, queried with SPARQL, validated with SHACL, and reasoned over with OWL.
The ontology above defines the classes and properties that make this possible.
Classes
| Class | Description |
|---|---|
tara:Actor | Any entity capable of initiating a threat. Superclass of tara:ThreatActor. |
tara:ThreatActor | rdfs:subClassOf tara:Actor. A typed actor characterized by capability and intent. |
tara:Capability | What a threat actor can technically execute — exploit development, physical access, supply chain insertion. |
tara:Intent | Motivation — financial, geopolitical, competitive, ideological. Both capability and intent must be present for a credible threat. |
tara:Asset | Anything of value that can be threatened: firmware, cryptographic keys, sensor data, a communication channel, a physical interface. |
tara:Attack | An ordered sequence of steps that, if completed, results in a realized threat against one or more assets. |
tara:AttackStep | An atomic action within an attack. Each step uses a technique and may target an asset directly. |
tara:Technique | A specific method of execution, drawn from a taxonomy such as MITRE ATT&CK, ICS-ATT&CK, or a domain-specific equivalent. |
tara:Risk | The probability-impact pair resulting from a successful attack. The central object around which mitigation and acceptance are organized. |
tara:Outcome | The real-world consequence of a realized risk: patient harm, service disruption, data exfiltration, regulatory penalty. |
tara:Control | A countermeasure — preventive, detective, or responsive — that reduces risk to an acceptable residual level. |
tara:Decision | The formal risk treatment decision: mitigate, accept, transfer, or avoid. |
tara:Justification | The rationale for a risk acceptance decision. Must be traceable and auditable. |
tara:Authority | The standard, regulation, or guidance that grounds a justification: ISO 21434, IEC 62443, FDA cybersecurity guidance, NIST SP 800-53. |
Properties
| Property | Domain | Range | Description |
|---|---|---|---|
tara:targets | tara:Actor | tara:Asset | An actor has selected an asset as an objective. |
tara:executes | tara:ThreatActor | tara:Attack | Links an actor to the attack chain they carry out. |
tara:hasCapability | tara:ThreatActor | tara:Capability | Asserts the technical means available to the actor. |
tara:hasIntent | tara:ThreatActor | tara:Intent | Asserts the motivation driving the actor. |
tara:contains | tara:Attack | tara:AttackStep | Structural composition — an attack is fully described by its steps. |
tara:precedes | tara:AttackStep | tara:AttackStep | Establishes execution order within an attack chain. |
tara:targets | tara:AttackStep | tara:Asset | A specific step acts directly against an asset. |
tara:uses | tara:AttackStep | tara:Technique | Maps each step to its technique, enabling cross-product pattern analysis. |
tara:produces | tara:Attack | tara:Risk | A successful attack produces a risk with defined likelihood and severity. |
tara:leadsTo | tara:Risk | tara:Outcome | Connects the abstract risk to its concrete consequence. |
tara:mitigates | tara:Control | tara:Risk | The core mitigation relationship. |
tara:selects | tara:Decision | tara:Control | A decision selects one or more controls as the treatment. |
tara:accepts | tara:Decision | tara:Risk | A decision formally accepts a residual risk after controls are applied. |
tara:requires | tara:Decision | tara:Justification | Every decision requires a justification. |
tara:cites | tara:Justification | tara:Authority | A justification cites the authority that makes acceptance defensible in audit or regulatory review. |
TARA Threat Ontology v1.0 — February 20, 2026 — 3 min read
