Skip to main content
Kent Academic Repository

A taxonomy of cyber-harms: Defining the impacts of cyber-attacks and understanding how they propagate

Agrafiotis, Ioannis, Nurse, Jason R. C., Goldsmith, Michael, Creese, Sadie, Upton, David (2018) A taxonomy of cyber-harms: Defining the impacts of cyber-attacks and understanding how they propagate. Journal of Cybersecurity, . ISSN 2057-2085. E-ISSN 2057-2093. (doi:10.1093/cybsec/tyy006) (KAR id:69076)


Technological advances have resulted in organisations digitalizing many parts of their operations. The threat landscape of cyber-attacks is rapidly changing and the potential impact of such attacks is uncertain, because there is a lack of effective metrics, tools and frameworks to understand and assess the harm organisations face from cyber-attacks. In this paper, we reflect on the literature on harm, and how it has been conceptualised in disciplines such as criminology and economics, and investigate how other notions such as risk and impact relate to harm. Based on an extensive literature survey and on reviewing news articles and databases reporting cyber-incidents, cybercrimes, hacks and other attacks, we identify various types of harm and create a taxonomy of cyber-harms encountered by organisations. This taxonomy comprises five broad themes: physical or digital harm; economic harm; psychological harm; reputational harm; and social and societal harm. In each of these themes we present several cyber-harms that can result from cyber-attacks. To provide initial indications about how these different types of harm are connected and how cyber-harm in general may propagate, this article also analyses and draws insight from four real-world case studies, involving Sony (2011 and 2014), JPMorgan and Ashley Madison. We conclude by arguing for the need for analytical tools for organisational cyber-harm, which can be based on a taxonomy such as the one we propose here. These would allow organisations to identify corporate assets, link these to different types of cyber-harm, measure those harms and, finally, consider the security controls needed for the treatment of harm.

Item Type: Article
DOI/Identification number: 10.1093/cybsec/tyy006
Uncontrolled keywords: Cybersecurity, Risk, Cyber-attack Impacts, Harm, Organisational Security, Information Systems
Subjects: B Philosophy. Psychology. Religion > BF Psychology > BF41 Psychology and philosophy
H Social Sciences
Q Science > QA Mathematics (inc Computing science) > QA 75 Electronic computers. Computer science
T Technology
Divisions: Divisions > Division of Computing, Engineering and Mathematical Sciences > School of Computing
Divisions > Kent Business School - Division > Kent Business School (do not use)
Divisions > Division of Human and Social Sciences > School of Psychology
Divisions > Division for the Study of Law, Society and Social Justice > School of Social Policy, Sociology and Social Research
Depositing User: Jason Nurse
Date Deposited: 12 Sep 2018 12:30 UTC
Last Modified: 04 Jul 2023 11:30 UTC
Resource URI: (The current URI for this page, for reference purposes)

University of Kent Author Information

  • Depositors only (login required):

Total unique views for this document in KAR since July 2020. For more details click on the image.