Key Message: Use a taxonomy to increase confidence that your organization is identifying cyber security risks.
"Organizations of all sizes in both the public and private sectors are increasingly reliant on information and technology assets, supported by people and facility assets, to successfully execute business processes that, in turn, support the delivery of services. Failure of these assets has a direct, negative impact on the business processes they support. This, in turn, can cascade into an inability to deliver services, which ultimately impacts the organizational mission. Given these relationships, the management of operational cybersecurity-related risks to these assets is a key factor in positioning the organization for success."
In this podcast, Jim Cebula, the Technical Manager of CERT’s Cybersecurity Risk Management Team, discusses a taxonomy that provides organizations with a common language and terminology they can use to discuss, document, and mitigate operational cybersecurity risks. The taxonomy identifies and organizes the sources of operational cyber security risk into four classes: (1) actions of people, (2) systems and technology failures, (3) failed internal processes, and (4) external events. This podcast is based on an SEI technical report and blog that are listed in Resources.
Operational risks are those arising due to the actions of people, systems and technology failures, failed internal processes, and external events.
Operational cyber security risks are operational risks to information and technology assets that have consequences affecting the confidentiality, availability, or integrity of information or information systems.
Tying risks to specific consequences is a key consideration when discussing and identifying risk.Why Use a Taxonomy?
Jim’s SEI blog post on the risk taxonomy provides examples of high profile cybersecurity breaches that have occurred over the past 12 months, such as the Target and Home Depot breaches.
A taxonomy provides a common way to talk about risks and their impacts across the organization. This helps everyone to be on the same page with respect to detecting and responding to these risks.
Given that operational risk is a complex and challenging topic, a taxonomy can provide a foundational structure for identifying and potentially prioritizing these risks:
Using such a taxonomy can provide increased confidence that the majority of cyber security risks have been identified. That said, security is a journey, not a destination and risks are always changing. Increased confidence arises from:
The taxonomy is structured into 4 general categories, each of which has classes, subclasses, and elements.
The categories are:
"Actions of people" describes a class of operational risk characterized by problems caused by the action taken or not taken by individuals in a given situation. This class covers actions by both insiders and outsiders. Its supporting subclasses and elements include:
With respect to staff availability, some example risks may emerge when asking these questions:
"Systems and technology failures" describes a class of operational risk characterized by problematic abnormal or unexpected functioning of technology assets. Its supporting subclasses and elements include failures of:
Some of the recent retailer credit card breaches result from complex networks and the use of vendor remote access credentials.Failed Internal Processes
"Failed internal processes" describes a class of operational risk associated with problematic failures of internal processes to perform as needed or expected. Its supporting subclasses and some elements include:
Examples for process design and controls include those processes required to
An example of a supporting process is ensuring the procurement process is structured to obtain appropriate system and software licenses and materials in a timely manner.Risks to Key Assets and Services
It is important to understand which assets are critical to the delivery of key services. This is one means for prioritizing risk, focusing on those services and the assets on which they depend. Such assets need to be available and productive.External Events
"External events" describes a class of operational risk associated with events generally outside the organization’s control. Often the timing or occurrence of such events cannot be planned or predicted. The supporting subclasses and some elements of this class include:
An example of a legal issue is the need to maintain electronic documents, communications, email, and instant messages in support of litigation.
Examples of service dependencies include:
Civil unrest resulting in cyber attacks and other malicious activity is an example of a business issue. Civil unrest can also affect supply chains.
The operational risk taxonomy report includes a mapping to NIST Special Publication 800-53 Revision 4 , Security and Privacy Controls for Federal Information Systems and Organizations. This information can be used to determine if all potential operational risks described in the taxonomy are addressed by NIST controls.
In addition, the taxonomy can be used to help determine which risks, and thus which controls, need to be added or updated.
The taxonomy can also be used to compliment the use of the SEI’s OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) risk assessment method for identifying cyber security operational risksPrioritization
With respect to prioritization, the taxonomy can be used in concert with other organizational processes such as those that prioritize key services and assets (people, information, technology, facilities) based on the organization’s mission.
You can then identify risks specific to the most critical assets and the pain points if they fail or are not available, which can lead to the identification of risk thresholds.
 Cebula, James, et al. “A Taxonomy of Operational Cyber Security Risks Version 2.” (CMU/SEI-2014-TN-006). Software Engineering Institute: Carnegie Mellon University.
Cebula, James. “A Taxonomy for Managing Operational Risk.” SEI blog post, August 2014.