Codifying impacts of cyber attack

Cyber-security researchers have   identified a total of at least 57 different ways in which cyber-attacks can have a negative impact on individuals, businesses and even nations, ranging from threats to life, causing depression, regulatory fines or disrupting daily activities.

Researchers, from the  Department of Computer Science  at the University of Oxford and Kent’s  School of Computing  set out to define and codify the different ways in which the various cyber-incidents being witnessed today can have   negative outcomes.

They also considered how these outcomes, or harms, can spread as time passes. The hope is that this will help to improve the understanding of the multiple harms which cyber-attacks can have, for the public, government, and other academic disciplines.

Overall the researchers identified five key themes under which the impact - referred to in the article as a  cyber-harm  - from a cyber-attack can be classified:

  • Physical/Digital

Each category contains specific outcomes that underline the serious impact cyber-attacks can have. For example, under the Physical/Digital category there is the loss of life or damage to infrastructure, while the Economic category lists impacts such as a fall in stock price, regulatory fines or reduced profits as a possibility.

In the Psychological theme, impacts such as individuals being left depressed, embarrassed, shamed or confused are listed, while Reputational impacts can include a loss of key staff, damaged relationships with customers and intense media scrutiny.

Finally, on a Social/Societal level, there is a risk of disruption to daily life such as an impact on key services, a negative perception of technology or a drop in internal morale in organisations affected by a high-level incident.

The full list of cyber harms can be viewed online.

The researchers point to high-profile attacks against Sony, JP Morgan and online dating website Ashley Madison, as examples where a wide variety of negative outcomes were experienced, from reputational loss, causing shame and embarrassment for individuals or financial damage.

They say these incidents underline why a taxonomy of impacts and harms is so important for businesses. Many successful cyber-attacks have been traced to exploits of well-known vulnerabilities that had not been dealt with appropriately because of a lack of action by firms who did not appreciate the ways in which they could be affected by a cyber-attack.

By providing a detailed breakdown of the many different ways a cyber-attack can impact a business and third-parties, it gives board members and other senior staff a better understanding of both direct and indirect harms from cyber-attacks when considering the threats their organisation faces. This also equally applies to other organisations and even governments or those who manage critical national infrastructure.

Commenting on the article, Dr Jason R.C. Nurse from the School of Computing: ’It’s been well understood that cyber-attacks can have numerous negative impacts. However, this is the first time there has been a detailed investigation into what these impacts are, how varied they can be, and how they can propagate over time. This base figure of 57 underlines how damaging cyber-incidents can be and we hope it can help to better understand how a business, individual or even nation is affected by a cyber-attack. This is going to be even more relevant as everything and everyone becomes connected and the Internet of Things is fully realised.’

The paper, titled  A taxonomy of cyber-harms: Defining the impacts of cyber-attacks and understanding how they propagate ,  has been published the  Journal of Cybersecurity  (Oxford University Press) as an open access resource.