16 August 2011

Taxonomy of Operational Cyber Security Risk

This week Bruce Schneier mentioned a document published in December 2010 by CERT, at Carnegie Mellon University's Software Engineering Institute. I hadn't been aware of this previously.

Table in the CERT document 'Taxonomy of Operational Cyber Security Risks' showing the four classes and their associated sub-classes and elements

The Taxonomy of Operational Cyber Security Risks is part of CERT's work on resilience management. It identifies and organises sources of operational risk to information and technology assets that have consequences affecting the confidentiality, availability or integrity of information or information systems.

The taxonomy is based around four classes: actions of people, systems and technology failures, failed internal processes, and external events.

The taxonomy complements the earlier Department of Homeland Security (DHS) Risk Lexicon and also discusses harmonisation with the Federal Information Security Management Act of 2002 (FISMA 2002), the security guidance contained within the National Institute of Standards and Technology (NIST) Special Publications series, and the threat profile concept contained within the CERT Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) method.

The mapping of NIST SP 800-53 Rev 3 controls to the taxonomy subclasses and elements in Appendix 3 is especially useful.

For those in the field of operational defence of applications, there is currently a discussion on the OWASP Defenders community mailing list about creating a Top 10 for operational web application security risks. Ryan Barnett's initial message is here, and the discussion continues here, here, and here. Contribute your thoughts.

Posted on: 16 August 2011 at 10:23 hrs


Page https://www.clerkendweller.uk/2011/8/16/Taxonomy-of-Operational-Cyber-Security-Risk
© 2011-2015 clerkendweller.uk