GEN-TPRM: An OSINT-Driven Risk Assessment Model for Third-Party Organizations

Harika Asili; Şerif Bahtiyar

doi:10.1109/ACIT65614.2025.11185738

GEN-TPRM: An OSINT-Driven Risk Assessment Model for Third-Party Organizations

Harika Asili^*, Şerif Bahtiyar

^*Corresponding author for this work

Department of Computer Engineering

Istanbul Technical University

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

Recently, organizations supplies many ingredients of their products from third-party organizations, where security of the third-party organizations is a crucial for the success of the product. This circumstance makes, the rapid risk assessment of the organizations a challenging task. This paper introduces GEN-TPRM, a third-party security risk assessment model that uses open-source intelligence (OSINT), LLM-based question answering, and scoring aligned with ISO/IEC 27001:2022 and Gartner risk thresholds. It integrates publicly verifiable indicators like breach disclosures, CVEs, and regulatory penalties into risk-specific directional QA replies and a standardized risk index. The model integrates a retrieval-augmented LLM layer with a logistic regression classifier trained on historical security cases. The approach was validated through a real-world case study of 100 well-known vendors. The model generates transparent outputs without requiring internal access to vendor environments, offering a lightweight, scalable solution for lifecycle-based third-party pre-risk management.

Original language	English
Title of host publication	2025 15th International Conference on Advanced Computer Information Technologies, ACIT 2025 - Conference Proceedings
Publisher	Institute of Electrical and Electronics Engineers
Pages	497-500
Number of pages	4
ISBN (Electronic)	9798331595432
DOIs	https://doi.org/10.1109/ACIT65614.2025.11185738
Publication status	Published - 2025
Event	15th International Conference on Advanced Computer Information Technologies, ACIT 2025 - Hybrid, Sibenik, Croatia Duration: 17 Sept 2025 → 19 Sept 2025

Publication series

Name	Proceedings - International Conference on Advanced Computer Information Technologies, ACIT
ISSN (Print)	2770-5218
ISSN (Electronic)	2770-5226

Conference

Conference	15th International Conference on Advanced Computer Information Technologies, ACIT 2025
Country/Territory	Croatia
City	Hybrid, Sibenik
Period	17/09/25 → 19/09/25

Bibliographical note

Publisher Copyright:
© 2025 IEEE.

Keywords

augmented generation
large language model
security
source intelligence
TPRM

Access to Document

10.1109/ACIT65614.2025.11185738

Cite this

Asili, H., & Bahtiyar, Ş. (2025). GEN-TPRM: An OSINT-Driven Risk Assessment Model for Third-Party Organizations. In 2025 15th International Conference on Advanced Computer Information Technologies, ACIT 2025 - Conference Proceedings (pp. 497-500). (Proceedings - International Conference on Advanced Computer Information Technologies, ACIT). Institute of Electrical and Electronics Engineers. https://doi.org/10.1109/ACIT65614.2025.11185738

Asili, Harika ; Bahtiyar, Şerif. / GEN-TPRM : An OSINT-Driven Risk Assessment Model for Third-Party Organizations. 2025 15th International Conference on Advanced Computer Information Technologies, ACIT 2025 - Conference Proceedings. Institute of Electrical and Electronics Engineers, 2025. pp. 497-500 (Proceedings - International Conference on Advanced Computer Information Technologies, ACIT).

@inproceedings{a8c36e0805e44c2482418ba0f91ff861,

title = "GEN-TPRM: An OSINT-Driven Risk Assessment Model for Third-Party Organizations",

abstract = "Recently, organizations supplies many ingredients of their products from third-party organizations, where security of the third-party organizations is a crucial for the success of the product. This circumstance makes, the rapid risk assessment of the organizations a challenging task. This paper introduces GEN-TPRM, a third-party security risk assessment model that uses open-source intelligence (OSINT), LLM-based question answering, and scoring aligned with ISO/IEC 27001:2022 and Gartner risk thresholds. It integrates publicly verifiable indicators like breach disclosures, CVEs, and regulatory penalties into risk-specific directional QA replies and a standardized risk index. The model integrates a retrieval-augmented LLM layer with a logistic regression classifier trained on historical security cases. The approach was validated through a real-world case study of 100 well-known vendors. The model generates transparent outputs without requiring internal access to vendor environments, offering a lightweight, scalable solution for lifecycle-based third-party pre-risk management.",

keywords = "augmented generation, large language model, security, source intelligence, TPRM",

author = "Harika Asili and {\c S}erif Bahtiyar",

note = "Publisher Copyright: {\textcopyright} 2025 IEEE.; 15th International Conference on Advanced Computer Information Technologies, ACIT 2025 ; Conference date: 17-09-2025 Through 19-09-2025",

year = "2025",

doi = "10.1109/ACIT65614.2025.11185738",

language = "English",

series = "Proceedings - International Conference on Advanced Computer Information Technologies, ACIT",

publisher = "Institute of Electrical and Electronics Engineers",

pages = "497--500",

booktitle = "2025 15th International Conference on Advanced Computer Information Technologies, ACIT 2025 - Conference Proceedings",

}

Asili, H & Bahtiyar, Ş 2025, GEN-TPRM: An OSINT-Driven Risk Assessment Model for Third-Party Organizations. in 2025 15th International Conference on Advanced Computer Information Technologies, ACIT 2025 - Conference Proceedings. Proceedings - International Conference on Advanced Computer Information Technologies, ACIT, Institute of Electrical and Electronics Engineers, pp. 497-500, 15th International Conference on Advanced Computer Information Technologies, ACIT 2025, Hybrid, Sibenik, Croatia, 17/09/25. https://doi.org/10.1109/ACIT65614.2025.11185738

GEN-TPRM: An OSINT-Driven Risk Assessment Model for Third-Party Organizations. / Asili, Harika; Bahtiyar, Şerif.
2025 15th International Conference on Advanced Computer Information Technologies, ACIT 2025 - Conference Proceedings. Institute of Electrical and Electronics Engineers, 2025. p. 497-500 (Proceedings - International Conference on Advanced Computer Information Technologies, ACIT).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - GEN-TPRM

T2 - 15th International Conference on Advanced Computer Information Technologies, ACIT 2025

AU - Asili, Harika

AU - Bahtiyar, Şerif

PY - 2025

Y1 - 2025

N2 - Recently, organizations supplies many ingredients of their products from third-party organizations, where security of the third-party organizations is a crucial for the success of the product. This circumstance makes, the rapid risk assessment of the organizations a challenging task. This paper introduces GEN-TPRM, a third-party security risk assessment model that uses open-source intelligence (OSINT), LLM-based question answering, and scoring aligned with ISO/IEC 27001:2022 and Gartner risk thresholds. It integrates publicly verifiable indicators like breach disclosures, CVEs, and regulatory penalties into risk-specific directional QA replies and a standardized risk index. The model integrates a retrieval-augmented LLM layer with a logistic regression classifier trained on historical security cases. The approach was validated through a real-world case study of 100 well-known vendors. The model generates transparent outputs without requiring internal access to vendor environments, offering a lightweight, scalable solution for lifecycle-based third-party pre-risk management.

AB - Recently, organizations supplies many ingredients of their products from third-party organizations, where security of the third-party organizations is a crucial for the success of the product. This circumstance makes, the rapid risk assessment of the organizations a challenging task. This paper introduces GEN-TPRM, a third-party security risk assessment model that uses open-source intelligence (OSINT), LLM-based question answering, and scoring aligned with ISO/IEC 27001:2022 and Gartner risk thresholds. It integrates publicly verifiable indicators like breach disclosures, CVEs, and regulatory penalties into risk-specific directional QA replies and a standardized risk index. The model integrates a retrieval-augmented LLM layer with a logistic regression classifier trained on historical security cases. The approach was validated through a real-world case study of 100 well-known vendors. The model generates transparent outputs without requiring internal access to vendor environments, offering a lightweight, scalable solution for lifecycle-based third-party pre-risk management.

KW - augmented generation

KW - large language model

KW - security

KW - source intelligence

KW - TPRM

UR - https://www.scopus.com/pages/publications/105019940476

U2 - 10.1109/ACIT65614.2025.11185738

DO - 10.1109/ACIT65614.2025.11185738

M3 - Conference contribution

AN - SCOPUS:105019940476

T3 - Proceedings - International Conference on Advanced Computer Information Technologies, ACIT

SP - 497

EP - 500

BT - 2025 15th International Conference on Advanced Computer Information Technologies, ACIT 2025 - Conference Proceedings

PB - Institute of Electrical and Electronics Engineers

Y2 - 17 September 2025 through 19 September 2025

ER -

Asili H, Bahtiyar Ş. GEN-TPRM: An OSINT-Driven Risk Assessment Model for Third-Party Organizations. In 2025 15th International Conference on Advanced Computer Information Technologies, ACIT 2025 - Conference Proceedings. Institute of Electrical and Electronics Engineers. 2025. p. 497-500. (Proceedings - International Conference on Advanced Computer Information Technologies, ACIT). doi: 10.1109/ACIT65614.2025.11185738

GEN-TPRM: An OSINT-Driven Risk Assessment Model for Third-Party Organizations

Abstract

Publication series

Conference

Bibliographical note

Keywords

Access to Document

Other files and links

Fingerprint

Cite this