search menu icon-carat-right cmu-wordmark

A Taxonomy of Operational Risks for Cyber Security

October 2014 Podcast
James J. Cebula Contributor Julia H. Allen

In this podcast, James Cebula describes how to use a taxonomy to increase confidence that your organization is identifying cyber security risks.



Organizations of all sizes in both the public and private sectors are increasingly reliant on information and technology assets, supported by people and facility assets, to successfully execute business processes that, in turn, support the delivery of services. Failure of these assets has a direct, negative impact on the business processes they support. This, in turn, can cascade into an inability to deliver services, which ultimately impacts the organizational mission. Given these relationships, the management of operational cybersecurity-related risks to these assets is a key factor in positioning the organization for success.

In this podcast, Jim Cebula, the Technical Manager of the CERT Cybersecurity Risk Management Team, discusses a taxonomy that provides organizations with a common language and terminology they can use to discuss, document, and mitigate operational cybersecurity risks. The taxonomy identifies and organizes the sources of operational cyber security risk into four classes: (1) actions of people, (2) systems and technology failures, (3) failed internal processes, and (4) external events. This podcast is based on an SEI technical report and blog post.

About the Speaker

James J. Cebula

Jim Cebula is the Technical Manager of the Cybersecurity Risk Management Team within the CERT® Division at the Software Engineering Institute (SEI), a unit of Carnegie Mellon University in Pittsburgh, PA. Jim's current work focuses on risk management and information resilience, critical infrastructure resilience assessment, cloud computing, and cyber insurance. Jim joined CERT in 2009 after spending nearly 15 years in project management, IT, and security roles with Bechtel Corporation, most recently as a cybersecurity manager. He is a Certified Information Systems Security Professional (CISSP) and is a member of IEEE, ACM, and InfraGard.

Julia H. Allen

Julia Allen is a principal researcher within the CERT® Division at the Software Engineering Institute (SEI), a unit of Carnegie Mellon University in Pittsburgh, PA. Allen’s areas of interest include operational resilience, security governance, and measurement and analysis. Prior to this technical assignment, Allen served as acting director of the SEI for an interim period of six months as well as deputy director/chief operating officer for three years. Her degrees include a Bachelor’s of Science in Computer Science (University of Michigan) and a Master’s of Science degree in Electrical Engineering (University of Southern California). Allen is the author of The CERT Guide to System and Network Security Practices (Addison-Wesley 2001) and moderator for the CERT Podcast Series: Security for Business Leaders. She is a co-author of Software Security Engineering: A Guide for Project Managers (Addison-Wesley 2008) and CERT Resilience Management Model (RMM): A Maturity Model for Managing Operational Resilience (Addison-Wesley 2010).