Improving Cybersecurity Taxonomies Describing Impact and Cyber Harms Against Organizations

If you work in the cybersecurity field, the term impact is ubiquitous, appearing frequently in information security regulations such as NIS2 (and previously NIS1). It plays a critical role in reporting obligations and the definition of a significant cyber threat.

The definition and classification of impact have been subjects of debate for some time. I recently incorporated a MISP taxonomy inspired by a 2018 publication titled “A taxonomy of cyber-harms: Defining the impacts of cyber-attacks and understanding how they propagate.” This publication offers a detailed taxonomy of cyber-harms experienced by organizations, helping to better define and classify the impacts of cyber-attacks.

If you are incident responder or DFIR practioners, it’s giving a good way to classify the impact of what you analyse or used as discussion source for the victims of the cyber attacks. Even within a SOC or CSIRT team, you can use consistent terminology to classify the actual impact.

The organizational cyber harms taxonomy is divided into several clear categories (predicates):

• physical-digital
• economic
• psychological
• reputational
• social-societal

For example, the economic category provides a well-defined set of impacts that can be applied in various organizational contexts and cases, ranging from disrupted-operations and reduced-profits to pr-response-costs.

In 2015, when we began designing the MISP taxonomy format, we didn’t anticipate the widespread success of the misp-taxonomies repository. Today, it is widely used across various open source (and proprietary) threat intelligence tools, analytical projects, and open data classification initiatives.

If you use and/or manage a MISP instance, the taxonomy integration is seamless. You can choose to use one or more taxonomies, select specific parts (e.g., a single tag from a larger taxonomy), enforce their usage, run analytics on specific tags, or even filter API responses based on selected tags from the taxonomies.

The organizational cyber harms taxonomy provides a good basis for describing impact on specific events or incidents. This can be used in complement with

• economical-impact is a taxonomy designed to describe the financial impact, whether as a positive or negative outcome, on the tagged information (e.g., data exfiltration loss representing a negative impact for the victim but a positive gain for an adversary).
• nis2 is a taxonomy that includes impacted sectors, the severity of the impact (which is open to interpretation), and the impact outlook (e.g., whether it is increasing or decreasing over time).

An overview of the taxonomy as used in MISP:

My hope is that more organizations will share details about the impacts of their own events, as well as insights from other incidents. I understand this can be challenging, as sharing TTPs of threat actors is currently more widely accepted than sharing details about impacts. However, I truly hope this trend will shift, enabling more robust analytics and a clearer understanding of the actual impact of incidents—whether it is accurately represented or inflated. The formalized organizational cyber harms taxonomy provides a solid foundation for improving the description and analysis of impacts.

Don’t hesitate to propose new taxonomies or suggest improvements via the GitHub repository.

References

• MISP Taxonomy: organizational-cyber-harm - A taxonomy for classifying organizational cyber harms based on categories such as physical, economic, psychological, reputational, and social/societal impacts in MISP standard format.
• The MISP Taxonomies collaborative GitHub repository allows you to propose changes, updates, or corrections to the directory of taxonomies.