Categorizing and Assessing the Severity of Disruptive Cyber Incidents

Publication Date: April 2017
Description: CISSM Policy Brief
Project: A Multi-stakeholder Approach to Cybersecurity Risk Management
Document Type: Conference Reports, Presentations and Other Documents

Faced with a rapidly growing volume and range of cyber attacks, policymakers and organizational leaders have had difficulty setting priorities, allocating resources, and responding effectively without a standard way to categorize cyber events and estimate their consequences. Presidential Policy Directive 41 laid out the Obama administration’s principles for executive branch responses to significant cyber incidents in the public or private sector. But it neither drew important distinctions between different types of cyber incidents, nor gave a standard way to determine where a particular incident falls on its 0-5 point severity scale. This policy brief demonstrates how an analytical framework developed at the Center for International and Security Studies at the University of Maryland (CISSM) can help address these problems. It first differentiates between low-level incidents and more significant cyber events that result in exploitation of information, disruption of operations, or both. It categorizes five types of disruptive events and analyzes 2,030 cyber events in a dataset developed from media sources, showing that cyber exploitation remains more common than disruption, and that most disruptive activity fits into two categories: message manipulation and external denial of service attacks. Finally, the brief offers a standard method to assess the severity of different categories of disruptive attacks against different kinds of organizations based on the scope, magnitude, and duration of the event. This Cyber Disruption Index (CDI) is then applied to survey data on Distributed Denial of Service (DDoS) attacks in the private sector to assess severity within a common category of disruptive events. Of 3,900 cases reported, only 5 events (less than 1% of the DDoS cases) had a combined scope, magnitude, and duration severe enough to be a priority for prevention and potentially warrant government involvement.