"Taxonomy of Operational Cyber Security Risks"
I’m a big fan of taxonomies, and this — from Carnegie Mellon — seems like a useful one:
The taxonomy of operational cyber security risks, summarized in Table 1 and detailed in this section, is structured around a hierarchy of classes, subclasses, and elements. The taxonomy has four main classes:
- actions of people — action, or lack of action, taken by people either deliberately or accidentally that impact cyber security
- systems and technology failures — failure of hardware, software, and information systems
- failed internal processes — problems in the internal business processes that impact the ability to implement, manage, and sustain cyber security, such as process design, execution, and control
- external events — issues often outside the control of the organization, such as disasters, legal issues, business issues, and service provider dependencies
Each of these four classes is further decomposed into subclasses, and each subclass is described by its elements.