A taxonomy of cyber-harms: Defining the impacts of cyber-attacks and understanding how they propagate

Agrafiotis, Ioannis, Nurse, Jason R. C., Goldsmith, Michael, Creese, Sadie, Upton, David (2018) A taxonomy of cyber-harms: Defining the impacts of cyber-attacks and understanding how they propagate. Journal of Cybersecurity. ISSN 2057-2085. E-ISSN 2057-2093. (doi:10.1093/cybsec/tyy006)

PDF - Publisher pdf

Creative Commons Licence
This work is licensed under a Creative Commons Attribution 4.0 International License.
PDF - Author's Accepted Manuscript
Official URL
https://doi.org/10.1093/cybsec/tyy006

Abstract

Technological advances have resulted in organisations digitalizing many parts of their operations. The threat landscape of cyber-attacks is rapidly changing and the potential impact of such attacks is uncertain, because there is a lack of effective metrics, tools and frameworks to understand and assess the harm organisations face from cyber-attacks. In this paper, we reflect on the literature on harm, and how it has been conceptualised in disciplines such as criminology and economics, and investigate how other notions such as risk and impact relate to harm. Based on an extensive literature survey and on reviewing news articles and databases reporting cyber-incidents, cybercrimes, hacks and other attacks, we identify various types of harm and create a taxonomy of cyber-harms encountered by organisations. This taxonomy comprises five broad themes: physical or digital harm; economic harm; psychological harm; reputational harm; and social and societal harm. In each of these themes we present several cyber-harms that can result from cyber-attacks. To provide initial indications about how these different types of harm are connected and how cyber-harm in general may propagate, this article also analyses and draws insight from four real-world case studies, involving Sony (2011 and 2014), JPMorgan and Ashley Madison. We conclude by arguing for the need for analytical tools for organisational cyber-harm, which can be based on a taxonomy such as the one we propose here. These would allow organisations to identify corporate assets, link these to different types of cyber-harm, measure those harms and, finally, consider the security controls needed for the treatment of harm.

Item Type: Article
DOI/Identification number: 10.1093/cybsec/tyy006
Uncontrolled keywords: Cybersecurity, Risk, Cyber-attack Impacts, Harm, Organisational Security, Information Systems
Subjects: B Philosophy. Psychology. Religion > BF Psychology > BF41 Psychology and philosophy
H Social Sciences
Q Science > QA Mathematics (inc Computing science) > QA 75 Electronic computers. Computer science
T Technology
Divisions: Faculties > Sciences > School of Computing
Faculties > Sciences > School of Computing > Security Group
Faculties > Social Sciences > Kent Business School > Business process/operations
Faculties > Social Sciences > School of Psychology
Faculties > Social Sciences > School of Social Policy Sociology and Social Research > Criminology
Depositing User: Jason Nurse
Date Deposited: 12 Sep 2018 12:30 UTC
Last Modified: 29 May 2019 21:08 UTC
Resource URI: https://kar.kent.ac.uk/id/eprint/69076 (The current URI for this page, for reference purposes)
