Cybersecurity and GenAI

I think most of our readers have seen reports or videos that refer to the increasing threats to one of our most valuable assets: information. We try to keep it safe in our enterprises because its loss can cause irreparable damage to our brand and undermine the trust of our customers, whose personal data we hold. I just came across a 2025 Thales report ( https://shortifyme.co/tifVo ) that provides an overview of key cybersecurity threats that we should consider and focus on:

  • GenAI changes the threat surface faster than organizations can adapt
    • 69% of respondents see the fast-moving GenAI ecosystem as their most concerning GenAI risk; integrity and trustworthiness of data/models come right behind confidentiality and availability.
  • Data and APIs are now the central attack surface
    • 34% of enterprises already use over 500 APIs; in some industries it’s ~50%.
    • 59% say code vulnerabilities are their top AppSec concern; API attacks, supply chain issues, and bot or ATO (account takeover) attacks follow.
  • Tooling is fragmented, classifications are inconsistent
    • 61% use five or more tools just for data discovery/classification, and 57% use five or more key managers.
  • Quantum and “harvest now, decrypt later” are real planning problems
    • Top quantum concerns are future compromise of current encryption, secure key distribution and the future decryption of today’s data.
  • Threat actors & attack types are stable – but the path to your data is not
    • Malware, phishing and ransomware remain the top attack types; hacktivists and nation-states are the leading external actors, with human error still a major factor.

To deal with those threats we need a methodical and coherent way to talk about topics like models, data sets, prompts, agents, provenance, integrity attacks, bias, poisoning, etc. We also need to define clear types for data classes, APIs, applications, software components, supply-chain links and secrets. Without a unifying ontology, each tool in our enterprise effectively carries its own “mini-ontology”, so policies and risk views drift. The same applies to stakeholders, who often use different terms or assign different meanings to key terms. So it’s very important to have at least a lightweight, ontology-based description of risk and cybersecurity before you start serious scenario work, especially in the AI / quantum / data-centric world. According to the 2025 Thales report: “Without that shared ‘grammar’ your scenarios will drift, overlap, and miss important threat patterns.”

All of this screams out that the landscape is heterogeneous, fast-moving, and tool-fragmented. If you don’t impose a coherent conceptual model, your risk scenarios will be apples-and-oranges stories that can’t be compared or prioritized and will not lead to effective storytelling. Yet those scenarios need to be convincing enough that appropriate funding is provided to reduce the exposure of our enterprise to the changing cyber risk and security landscape. We need a shared language across business, security, and enterprise architecture.

Without an ontology, “risk”, “threat”, “incident”, “breach”, “data”, “service”, “GenAI agent” all mean slightly different things to:

  • CISO/Risk function
  • Enterprise & Solution architects
  • DevSecOps/Platform teams
  • Compliance/Legal
  • Business owners and product managers

A simple ontology forces us to use terms effectively and to model concepts like:

  • Asset = Business Service / Process / Information Object / AI Model that creates value and can be harmed.
  • Threat agent = actor (human, organization, AI agent) with motives and capabilities.
  • Threat event = action or event initiated by the agent (phishing campaign, model poisoning, API abuse).
  • Vulnerability = property of asset or architecture that can be exploited.
  • Risk scenario = (Asset, Threat agent, Threat event, Vulnerability, Impact).
  • Control / security requirement = formalized constraint linking architecture to risk reduction.

Once we agree on those, we can model and develop such scenarios as illustrated in The Open Group Guide “How to Model Enterprise Risk Management and Security with the ArchiMate® Language.” This topic then becomes a specialization of the modeling patterns described there, which means that we can compare, rank, and reason across scenarios and focus on those where we have obvious exposure to cybersecurity threats.
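
The concept list above can be written down as a small typed model. The sketch below is an added example, not taken from the Thales report or The Open Group Guide: it checks each risk scenario against a shared vocabulary, flags scenarios that arrive in a tool's own terms, and lists comparable scenarios that no control covers. All asset, agent, event and control names are constructed, and linking a control to a vulnerability is an assumption of this sketch.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RiskScenario:
    """The article's tuple: (Asset, Threat agent, Threat event, Vulnerability, Impact)."""
    asset: str
    threat_agent: str
    threat_event: str
    vulnerability: str
    impact: str

@dataclass(frozen=True)
class Control:
    name: str
    vulnerability: str  # assumption: a control is linked to the vulnerability it reduces

# Shared vocabulary: one set of agreed terms per concept (all terms constructed).
ONTOLOGY = {
    "asset": {"Customer Data API", "Fraud Scoring Model"},
    "threat_agent": {"Hacktivist", "Nation-state"},
    "threat_event": {"API abuse", "Model poisoning"},
    "vulnerability": {"Unauthenticated endpoint", "Unverified training data"},
}

def undefined_terms(scenario):
    """Fields whose value is not an agreed term, i.e. a tool's private mini-ontology."""
    return sorted(f for f, vocab in ONTOLOGY.items() if getattr(scenario, f) not in vocab)

def comparable(scenarios):
    """Only scenarios expressed entirely in shared terms can be compared or ranked."""
    return [s for s in scenarios if not undefined_terms(s)]

def uncontrolled(scenarios, controls):
    """Comparable scenarios whose vulnerability no control addresses."""
    covered = {c.vulnerability for c in controls}
    return [s for s in comparable(scenarios) if s.vulnerability not in covered]

# Constructed sample input: the third scenario comes from a tool using its own labels.
SCENARIOS = [
    RiskScenario("Customer Data API", "Hacktivist", "API abuse",
                 "Unauthenticated endpoint", "Customer data disclosed"),
    RiskScenario("Fraud Scoring Model", "Nation-state", "Model poisoning",
                 "Unverified training data", "Fraud decisions manipulated"),
    RiskScenario("cust-data-svc", "Hacktivist", "abuse of API",
                 "Unauthenticated endpoint", "Customer data disclosed"),
]
CONTROLS = [Control("Require authentication on all API routes", "Unauthenticated endpoint")]

if __name__ == "__main__":
    for s in SCENARIOS:
        print(s.asset, "->", undefined_terms(s) or "ok")
    print("uncontrolled:", [s.asset for s in uncontrolled(SCENARIOS, CONTROLS)])
```

The third scenario describes the same risk as the first, but because it uses local labels it cannot be matched, ranked or tied to the existing control until its terms are mapped to the shared ones.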

Authored by Alex Wyka, EA Principals Senior Consultant and Principal