An ontological lens on attack trees: Toward adequacy and interoperability

📅 2025-06-30
🤖 AI Summary
Attack trees (ATs) suffer from syntactic ambiguity, absence of domain-specific ontological foundations, lack of modeling guidance, and poor semantic interoperability—severely limiting their utility in conceptual modeling, qualitative attribution analysis, and quantitative security assessment. To address these issues, this paper proposes an ontology-based analytical framework for ATs grounded in the COVER ontology and anchored in the Unified Foundational Ontology (UFO). We systematically identify and formalize four fundamental structural deficiencies in ATs through ontological analysis. Leveraging formal semantic modeling and ontology-compliance verification, we achieve the first rigorous semantic clarification of AT language and establish cross-tool semantic interoperability guarantees. The framework provides both a theoretical foundation and a practical pathway for developing a new risk modeling paradigm that is semantically consistent, formally verifiable, and integrable across heterogeneous tools and domains.

📝 Abstract
Attack Trees (AT) are a popular formalism for security analysis. They are meant to display an attacker's goal decomposed into attack steps needed to achieve it and compute certain security metrics (e.g., attack cost, probability, and damage). ATs offer three important services: (a) conceptual modeling capabilities for representing security risk management scenarios, (b) a qualitative assessment to find root causes and minimal conditions of successful attacks, and (c) quantitative analyses via security metrics computation under formal semantics, such as minimal time and cost among all attacks. Still, the AT language presents limitations due to its lack of ontological foundations, thus compromising associated services. Via an ontological analysis grounded in the Common Ontology of Value and Risk (COVER) -- a reference core ontology based on the Unified Foundational Ontology (UFO) -- we investigate the ontological adequacy of AT and reveal four significant shortcomings: (1) ambiguous syntactical terms that can be interpreted in various ways; (2) ontological deficit concerning crucial domain-specific concepts; (3) lacking modeling guidance to construct ATs decomposing a goal; (4) lack of semantic interoperability, resulting in ad hoc stand-alone tools. We also discuss existing incremental solutions and how our analysis paves the way for overcoming those issues through a broader approach to risk management modeling.
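Services (b) and (c) from the abstract, as an added Python example (not code from the paper or its authors): it enumerates minimal attacks and computes minimal cost and time on a constructed AND/OR tree. The tree, leaf names, values and the `and_is_sequential` flag are assumptions made here; the flag shows how one syntactic element, the AND gate, gives different minimal times under two readings.

```python
from itertools import product

# Constructed tree: goal = OR(AND(a, b), c). Leaf names and values are invented.
TREE = ("OR", [("AND", [("LEAF", "a"), ("LEAF", "b")]), ("LEAF", "c")])
COST = {"a": 3, "b": 4, "c": 10}
TIME = {"a": 2, "b": 5, "c": 6}


def attacks(node):
    """Return every attack (a frozenset of leaves) that achieves this node."""
    kind, body = node
    if kind == "LEAF":
        return {frozenset([body])}
    child_sets = [attacks(child) for child in body]
    if kind == "OR":   # any single child suffices
        return set().union(*child_sets)
    if kind == "AND":  # pick one attack per child and merge them
        return {frozenset().union(*combo) for combo in product(*child_sets)}
    raise ValueError(f"unknown gate {kind!r}")


def minimal_attacks(node):
    """Qualitative service: attacks with no proper subset that also succeeds."""
    found = attacks(node)
    return {a for a in found if not any(b < a for b in found)}


def min_cost(node, cost):
    """Quantitative service: cheapest attack, counting each leaf once."""
    return min(sum(cost[leaf] for leaf in a) for a in minimal_attacks(node))


def min_time(node, time, and_is_sequential):
    """Bottom-up minimal time; AND sums durations if sequential, else takes the max."""
    kind, body = node
    if kind == "LEAF":
        return time[body]
    child_times = [min_time(child, time, and_is_sequential) for child in body]
    if kind == "OR":
        return min(child_times)
    if kind == "AND":
        return sum(child_times) if and_is_sequential else max(child_times)
    raise ValueError(f"unknown gate {kind!r}")
```

On this tree the minimal time is 6 when AND children run in sequence and 5 when they run in parallel, so the same diagram supports two different quantitative answers until the gate's meaning is fixed.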

Problem

Research questions and friction points this paper is trying to address.

Lack of ontological foundations in Attack Trees (AT) formalism
Ambiguous syntactical terms and ontological deficits in AT
Missing modeling guidance and semantic interoperability in AT tools

Innovation

Methods, ideas, or system contributions that make the work stand out.

Ontological analysis using COVER for AT adequacy
Identifies four key AT shortcomings via UFO
Proposes broader risk management modeling approach