Cyber Security Risk Taxonomies
On August 10th, Bruce Schneier pointed out a new paper released by the CERT group at Carnegie Mellon's Software Engineering Institute called "A Taxonomy of Cyber Security Risks" and sparked a new round of discussions about the utility of developing taxonomies and whether or not there is a need for another one.
In my view, taxonomies are useful to the extent that they a) help ensure completeness of other work and b) are based in a credible body of data. The latter point is especially important: if a group of researchers sit in a room and make up a taxonomy, they are likely to include items that are extraneous and waste everyone's time (see point a above), and they are likely to be too fine-grained in some areas and not fine-grained enough in others.
The stated goal of the CERT group's work on this paper is:
That's certainly in alignment with what I think a taxonomy is good for. But where's the data backing it up? The report does not refer to a specific body of data they are drawing from. But they do state:
Backtracking to the CERT Resilience Management Model (CERT-RMM), the section "The Evolution of CERT-RMM" documents the early origins of the model in OCTAVE and:
When you look at the list of companies in the acknowledgments that contributed to the CERT-RMM you start to feel a sense of credibility in the work effort.
The CERT-RMM model does not define an operational risk taxonomy to use, but it does call for one, at least indirectly, in the practice labeled "RISK:SG1.SP1 Determine Risk Sources and Categories", which states:
So the "Taxonomy of Cyber Security Risks" paper has a place in the model, and given that the model was based on collaborative work from a good cross section of industry stakeholders, I give it some credibility. And you have to give the taxonomy credit for its simplicity. Go download the paper and look at Table 1 to see an overview of the taxonomy.
There are two points I'd like to make about the taxonomy. First, it goes well beyond the concept of IT security. It's broad enough to cover all the issues that can disrupt operations in an organization. That's what warrants the "Cyber" designation in the title. Because of this, we have to think of this taxonomy as an enterprise risk management taxonomy, of which IT operations are a significant component.
Secondly, these are categories of operational risks, not specific examples of operational risk. Within any one of these taxonomy elements, an organization could identify multiple, specific examples of that category of risk, which are specific to the organization's mission, location, infrastructure, and domain of business.
Getting back to the criteria for judging a taxonomy, does the Taxonomy of Cyber Security Risks satisfy the criterion of helping ensure completeness? The jury's still out, I'd say; I'd be anxious to hear experiences from people who have used it. But if an organization seriously explored every single element in the taxonomy looking for examples of that kind of risk in the organization, it would get a good sense that it has done due diligence.
As far as the second criterion goes, it is hard to say. Given the collection of stakeholders that contributed to it, I'd say it's off to a good start. But what would really give this taxonomy some credibility is a use case/practice paper from an organization that actually used it to build a risk catalog. It would be very interesting to see the distribution of actual documented risks across the elements of the taxonomy. I'd like to see this both in terms of how many types of risk are found in each category and in terms of the aggregated potential impact of the risks in each category.
It's interesting to look over the taxonomy and speculate which elements of it will typically contain the highest value-at-risk for the organization.