“…To collect information as input for the process, different sources are possible, such as performing systematic literature reviews (SLRs) (e.g., [40], [41]), interviewing experts [39], conducting studies [42], or making an estimation based on existing sources [43]. Considering SLRs, we expand their scope (see Figure 5) to include not only traditional academic publishing, such as journal papers and conference proceedings, but also online platforms such as security events (e.g., blackhat 14 ), vulnerability databases (e.g., NVD 15 ), blogs, and technical reports, since, oftentimes, the recent cyber threats are publicly disclosed online [44].…”