Riskvista: A Comprehensive Study Of Security Tool Integration, Cyber Risk Scoring, And Dashboard-Based Decision Support In Enterprise Environments
DOI: https://doi.org/10.71146/kjmr878
Keywords: Cybersecurity, Cyber Risk Assessment, Vulnerability Management, Risk Scoring
Abstract
Organizations use several security tools (vulnerability scanners, static code analyzers, network discovery tools) for continuous monitoring of their cyber posture. Although these tools provide high-value information, their outputs are hard to unify, correlate, and interpret because the data are heterogeneous, which significantly hinders an organization's visibility and prioritization efforts. In this paper, I propose RiskVista, an open-source cyber risk assessment and integration prototype that gathers vulnerability data and asset information from various security tools through RESTful APIs or file imports, normalizes these data into a canonical asset-centric schema (ACS), and calculates normalized risk scores for assets and business capabilities. RiskVista implements an understandable composite risk scoring system based on severity (i.e., CVSS), exposure, exploitability, and business impact. Scores range from 0 to 100 with corresponding letter grades to give a more intuitive understanding of the problem and to allow triage. The solution features a web interface providing access to several dashboards, including tool onboarding, vulnerabilities overview, most vulnerable assets, and business-capability-level risks. An evaluation methodology will be designed for future implementation of RiskVista.
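As an added illustration (not the paper's code or RiskVista itself), the following Python sketches the pipeline the abstract describes: two constructed tool exports are normalized into an asset-centric record, scored 0 to 100 from severity, exposure, exploitability and business impact, given a letter grade, and rolled up to asset and business capability level. The weights, grade bands, severity mapping, export field names and aggregation rules are assumptions chosen for the example, not values from the paper.

```python
from dataclasses import dataclass

# Constructed inventory and tool exports (hypothetical field names, not any real tool's format).
INVENTORY = {"web-01": ("online-store", 0.9), "db-01": ("online-store", 0.9)}  # asset -> (capability, impact 0..1)
SCANNER_EXPORT = [
    {"host": "web-01", "cvss": 9.8, "internet_facing": True, "known_exploited": True},
    {"host": "db-01", "cvss": 7.5, "internet_facing": False, "known_exploited": False},
]
SAST_EXPORT = [{"project": "web-01", "severity": "CRITICAL", "exposure": "public"}]
SAST_SEVERITY = {"CRITICAL": 9.0, "HIGH": 7.0, "MEDIUM": 5.0, "LOW": 3.0}  # assumed mapping onto a 0..10 scale
WEIGHTS = {"severity": 0.4, "exposure": 0.2, "exploitability": 0.2, "impact": 0.2}  # assumed, sum to 1.0

@dataclass
class Finding:  # canonical asset-centric record shared by every source
    asset: str
    source: str
    severity: float        # 0..10: CVSS base score or mapped equivalent
    exposure: float        # 0..1: 1.0 = reachable from the internet
    exploitability: float  # 0..1: 1.0 = known exploited, 0.5 = unknown

def normalize(scanner: list[dict], sast: list[dict]) -> list[Finding]:
    """Map both tool formats onto the canonical schema."""
    out = [Finding(r["host"], "scanner", r["cvss"],
                   1.0 if r["internet_facing"] else 0.0,
                   1.0 if r["known_exploited"] else 0.0) for r in scanner]
    out += [Finding(r["project"], "sast", SAST_SEVERITY[r["severity"]],
                    1.0 if r["exposure"] == "public" else 0.0, 0.5) for r in sast]
    return out

def composite_score(f: Finding, impact: float) -> float:
    """Weighted sum of the four normalized factors, scaled to 0..100."""
    s = (WEIGHTS["severity"] * f.severity / 10 + WEIGHTS["exposure"] * f.exposure
         + WEIGHTS["exploitability"] * f.exploitability + WEIGHTS["impact"] * impact)
    return round(100 * s, 1)

def grade(score: float) -> str:
    """Assumed bands: A = lowest risk, F = highest."""
    for letter, floor in (("F", 80), ("D", 60), ("C", 40), ("B", 20)):
        if score >= floor:
            return letter
    return "A"

def aggregate(findings: list[Finding]) -> tuple[dict[str, float], dict[str, float]]:
    """Roll up: asset risk = worst finding on it, capability risk = worst asset (assumed rules)."""
    assets, caps = {}, {}
    for f in findings:
        cap, impact = INVENTORY[f.asset]
        assets[f.asset] = max(assets.get(f.asset, 0.0), composite_score(f, impact))
        caps[cap] = max(caps.get(cap, 0.0), assets[f.asset])
    return assets, caps
```

With the constructed inputs, web-01 scores 97.2 (F) because its critical finding is internet-facing and known exploited, while db-01 scores 48.0 (C) despite a high CVSS score, which is the kind of re-ordering a composite score is meant to produce.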
License
Copyright (c) 2026 Muhammad Usama Khan, Muhammad Zamin Ali Khan, Syed Talib Zaheer Zaidi, Amad Asif, Amad Asif, Khalid Bin Muhammad, Faigha Karim, Ammad Mallick (Author)

This work is licensed under a Creative Commons Attribution 4.0 International License.
