Chapter 1: Categorizing cyber effects

Immature classification methods for cyber events prevent technical staff, organizational leaders, and policy makers from engaging in meaningful and nuanced conversations about the threats they face. This chapter differentiates cyber effects across the technical impacts on the IT networks themselves (primary), the impacts on organizations (secondary), and larger impacts on society (second order). A taxonomy of primary effects is applied and used to analyze over 7,000 publicized cyber events from 2014–2020. Industry sectors vary in the scale of events they are subjected to, the distribution between exploitive and disruptive event types, and the method by which data is stolen or organizational operations are disrupted. These results highlight significant differences by sector and demonstrate that strategies may vary based on a deeper understanding of the threat environment.
