Cyber Threat Intelligence Frameworks for Converting Heterogeneous Threat Feeds into Actionable Quantitative Risk Intelligence: A Systematic Review
by Adam Muhammad Saliu, Baha Catherine Maigida, Fatima Binta Adamu, Grace Amina Onyeabor, Joseph Adebayo Ojeniyi, Olusanjo Olugbemi Fasola
Published: May 29, 2026 • DOI: 10.47772/IJRISS.2026.1013COM0021
Abstract
The scale, speed, and sophistication of cyber threats continue to grow, creating an urgent need for security frameworks that can convert heterogeneous threat feeds into actionable, quantitative risk intelligence. Existing approaches offer useful capabilities in isolation: some concentrate on Cyber Threat Intelligence (CTI) sharing and semantic reasoning, others on large-scale threat graph analytics or federated risk modelling, and others on automated policy-based response. However, the literature has not yet converged on a framework that can continuously ingest raw threat intelligence, correlate it with asset context, and produce dynamic, asset-specific cyber risk scores for timely mitigation. This paper presents a systematic literature review of frameworks that aim to bridge CTI to cyber risk assessment. Following PRISMA guidelines, 45 peer-reviewed articles published between 2019 and 2025 were selected from an initial collection of 380 papers. The review consolidates existing approaches, including graph-based threat intelligence platforms, ontology-based risk monitoring, federated learning for risk classification, and security-policy-controlled systems. Key findings reveal that while individual components exist, such as threat entity reputation scoring (TITAN: macro-F1=0.89), mobile device risk classification (FedCRI: F1>99%), and semantic risk reasoning (ontology-based), no single framework integrates raw CTI ingestion, asset context correlation, continuous quantitative risk scoring, and automated policy response. Furthermore, only 11% of reviewed studies address CTI provenance and trust, and only 7% provide fully automated end-to-end pipelines. Based on these findings, a research agenda is proposed for advancing unified CTI-to-risk frameworks in enterprise environments.
The review also highlights three important gaps: (1) a lack of analysis of the real-time processing constraints and computational latency in CTI-to-risk pipelines, (2) limited use of emerging Generative AI techniques such as Large Language Models for unstructured threat intelligence processing, and (3) the absence of a standardized mathematical formulation for quantitative cyber risk scoring. These findings form the foundation for a research agenda towards the evolution of unified, real-time, AI-enhanced CTI-to-risk frameworks in the enterprise.