The Open Risk Data functionality of the Open Risk Manual is still in active development!

Databreach Risk Event Data Model


This is the documentation of the Databreach Risk Event Data Model (and associated Cyber Incident Risk Events) used in Open Risk Data to capture Databreach Risk Events. The Data Model currently derives from the Vocabulary for Event Recording and Incident Sharing (VERIS), adapted to fit into the Wikibase Data Model, and all data entries (~6000 events) are imported from that database.

In terms of the overall risk taxonomy, a databreach risk event is

  • roughly equivalent to IT Security Risk
  • which is a subtype of IT Risk
  • which is a subtype of Operational Risk (for a managed entity such as a corporation or other organization)
  • which is a subtype of Business Risk, the highest level category, capturing a variety of intangible risks to an organization that are not linked to specific contractual agreements

Event Subcategories

Databreach risk events are further subdivided according to the type of threat action used (membership of multiple classes is possible and not all categories are a form of "attack"):

NB: This segmentation follows the VERIS approach. Other approaches are possible (see e.g. the EBA Taxonomy) and can be used in parallel (future work).

The Data Model Structure

The primary entity documented is a Databreach Risk Event (NB: Several auxiliary entities must be defined).

The full description of Items and Properties is currently (version 0.1) as follows. The current schema is heavily defined by what is available in the VERIS database.

Databreach Item

The databreach item follows the general pattern of the Wikibase data model:

  1. Item identifier (a serial ID number, prefixed with Q). This is a unique ID for an Item in the context of the Open Risk Data instance. It is assigned automatically by the system when an item is first inserted into the database. NB: This is not the same as the incident_id, which is used to identify events in the VCDB and is added here as a statement.
  2. Fingerprint, consisting of:
    1. Multilingual label, a human-readable label. This is a unique short textual abbreviation of an Item.
    2. Multilingual description. In the current version (0.1) this simply says "A databreach risk event", providing a way to search for items.
    3. Multilingual aliases, other possible labels for an item (CURRENTLY NOT USED)
  3. Statements, associated with the item, each consisting of:
    1. Claim, consisting of:
      1. Property
      2. Value
      3. Qualifiers (additional property-value pairs)
    2. References (each consisting of one or more property-value pairs)
    3. Rank (NORMALLY NOT USED)

Fingerprint

The fingerprint label is constructed out of incident data as a concatenated string of the form ENTITY + DATE + CATEGORY, where the DATE is in MM/YEAR format obtained from timeline/incident data. The objective of the label is to create a user-friendly field to help identify each incident.

Claims about Items

The list of claims (statements) is as follows:

  • is instance of (P5): the risk event type <- mapped from the type of threat "action"
  • is same as item defined by external identifier (P15): mapped from VERIS incident_id
  • involves entity (P6): mapped from VERIS victim.victim_id.
  • has date: the date of occurrence <- mapped from "timeline" / incident
  • has textual description: mapped from VERIS summary, with reference URL from VERIS reference

Some Future Fields

  • has external actor (subclass of has actor)
  • has loss amount (quantification of severity)
  • has internal actor (subclass of has actor)

Data Quality Issues

  • A VERIS entry is currently ignored if there is no victim_id, as it suggests incomplete data capture and/or interpretation
  • A VERIS entry is currently ignored if there is no action category classification, as it suggests incomplete data capture and/or interpretation
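
The mapping and the two data quality rules above can be sketched as follows. This is an added example, not the Open Risk Data import code: the function names, the sample records, the label separators and the handling of a missing month are assumptions, and the nested input field names follow the VERIS JSON layout.

```python
# Constructed sample records; field names follow the VERIS JSON layout
# (incident_id, victim.victim_id, action, timeline.incident, summary, reference).
SAMPLE_RECORDS = [
    {"incident_id": "CONSTRUCTED-0001",
     "victim": {"victim_id": "Example Corp"},
     "action": {"hacking": {}, "malware": {}},
     "timeline": {"incident": {"year": 2014, "month": 3}},
     "summary": "Constructed summary text.",
     "reference": "https://example.org/report"},
    {"incident_id": "CONSTRUCTED-0002",          # no victim_id -> ignored
     "victim": {},
     "action": {"error": {}}},
    {"incident_id": "CONSTRUCTED-0003",          # no action category -> ignored
     "victim": {"victim_id": "Example Ltd"},
     "action": {}},
]


def to_item(record):
    """Return the item dict for one record, or None if the record is ignored."""
    victim_id = (record.get("victim") or {}).get("victim_id")
    categories = sorted(record.get("action") or {})
    if not victim_id or not categories:
        return None  # the two data quality rules
    incident = (record.get("timeline") or {}).get("incident") or {}
    year, month = incident.get("year"), incident.get("month")
    # Assumption: when the month is absent the label carries the year alone.
    date = f"{month:02d}/{year}" if month else str(year)
    # Assumption: label parts are joined with single spaces and multiple
    # categories with "+"; the page only gives ENTITY + DATE + CATEGORY.
    label = f"{victim_id} {date} {'+'.join(categories)}"
    return {
        "label": label,
        "description": "A databreach risk event",
        "claims": {
            "P5": categories,                     # is instance of
            "P15": record.get("incident_id"),     # external identifier
            "P6": victim_id,                      # involves entity
            "has date": date,
            "has textual description": {
                "value": record.get("summary"),
                "reference URL": record.get("reference")},
        },
    }


def import_records(records):
    """Map all records, dropping the ones the quality rules reject."""
    return [item for item in map(to_item, records) if item is not None]
```

Counting the records for which `to_item` returns `None` gives a quick measure of how much of a VERIS export the two quality rules discard.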

Auxiliary Entities

For a minimally sufficient description of an incident at this stage we require two additional entities:

  • Company (the entity that is affected)
  • Country (of incorporation for the entity affected - this helps resolve potential ambiguity from similarly named entities)

These entities are for now placeholders. Ideally they should link to more complete descriptions in other wikibases.

See also