
A Taxonomy of Cyber-Harms: Defining The Impacts of Cyber-Attacks and Understanding How They Propagate


Journal of Cybersecurity, 2018, 1–15
doi: 10.1093/cybsec/tyy006
Review article

A taxonomy of cyber-harms: Defining the impacts of cyber-attacks and understanding how they propagate

Ioannis Agrafiotis (1,*), Jason R. C. Nurse (2), Michael Goldsmith (3), Sadie Creese (4), and David Upton (5)

(1) Department of Computer Science, University of Oxford, Oxford, OX1 3QD, UK; (2) School of Computing, University of Kent, Canterbury, CT2 7NF, UK; (3) Department of Computer Science, University of Oxford, Oxford, OX1 3QD, UK; (4) Department of Computer Science, University of Oxford, Oxford, OX1 3QD, UK; and (5) Saïd Business School, University of Oxford, Oxford, OX1 1HP, UK
*Corresponding address: Department of Computer Science, University of Oxford, Oxford, OX1 3QD, UK. E-mail: ioannis.agrafiotis@cs.ox.ac.uk
Received 25 August 2017; revised 23 July 2018; accepted 6 September 2018

Abstract

Technological advances have resulted in organizations digitalizing many parts of their operations. The threat landscape of cyberattacks is rapidly changing and the potential impact of such attacks is uncertain, because there is a lack of effective metrics, tools and frameworks to understand and assess the harm organizations face from cyber-attacks. In this article, we reflect on the literature on harm, and how it has been conceptualized in disciplines such as criminology and economics, and investigate how other notions such as risk and impact relate to harm. Based on an extensive literature survey and on reviewing news articles and databases reporting cyber-incidents, cybercrimes, hacks and other attacks, we identify various types of harm and create a taxonomy of cyber-harms encountered by organizations. This taxonomy comprises five broad themes: physical or digital harm; economic harm; psychological harm; reputational harm; and social and societal harm. In each of these themes, we present several cyber-harms that can result from cyber-attacks. To provide initial indications about how these different types of harm are connected and how cyber-harm in general may propagate, this article also analyses and draws insight from four real-world case studies, involving Sony (2011 and 2014), JPMorgan and Ashley Madison. We conclude by arguing for the need for analytical tools for organizational cyber-harm, which can be based on a taxonomy such as the one we propose here. These would allow organizations to identify corporate assets, link these to different types of cyber-harm, measure those harms and, finally, consider the security controls needed for the treatment of harm.

Key words: cybersecurity; risk; cyber-attack impacts; harm; organisational security; information systems

© The Author(s) 2018. Published by Oxford University Press. This is an Open Access article distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted reuse, distribution, and reproduction in any medium, provided the original work is properly cited.

Introduction

Society depends heavily on technology for interaction, commerce and industry. While technology has led to significant advances in these areas, particularly through the use of Internet, it also has exposed organizations and individuals to a host of new risks resulting from attacks through digital interfaces. These include, for example, denial-of-service (DoS) attacks on networks, data breaches on corporate and personal devices, and viruses that can cripple computer infrastructures [1]. Theft of corporate secrets, sabotage of systems in order to compromise services and systems integrity, and the copying of customer data to sell their identities on the dark web (in order to facilitate other crimes) are all examples of the kinds of acts
that are perpetrated and can all result in harm to an enterprise which is dependent on digital technologies to conduct their business, and which are often custodians of people’s data and metadata about people. We initially define cyber-harm as the damage that arises as a direct result of an attack conducted wholly or partially via digital infrastructures, and the information, devices and software applications that these infrastructures are composed of. Understanding the nature of such cyber-harm is critical to ensure that the controls and methods of mitigation we deploy are effective and proportionate to the risks. This article surveys the literature with a view to elucidate the nature of cyber-harm and to underpin further research aimed at analytical frameworks for reasoning about such harm.

Approaches to identifying risk arising from cyber-attacks

To address risks arising from cyber-attacks, many and various solutions have been proposed. These include processes and technologies designed to prevent unauthorized and potentially threatening actors from accessing the digital systems and assets. They also include novel intrusion-detection and prevention systems designed to identify emergent threats and help organizations limit any resulting harm. There is a general acceptance that digital infrastructures are socio-technical systems, and therefore the people involved must also be considered an attack surface for the purpose of preventing cyber-attacks and mitigating cyber-risk.

Threats and attacks have traditionally been at the centre of organizational security and cyber-risk discussions, as noted by the US National Institute of Standards and Technology (NIST) [2]; looking at these is an intuitive response, since to prevent cyber-harm we must know how we might be attacked in cyberspace. One approach to assess the resulting harm is to be able to anticipate such threats and their likely intent. An alternative to such a threat-driven approach is to focus security risk analysis on assets and impacts first. Here, the process involves the identification of the impacts on business assets if they are compromised, and then consideration of the threats that could lead to those impacts [2]. Such analysis identifies and prioritizes those components that are critical for the organizations’ mission. One advantage of an impact-oriented approach is that the range of impacts that can be identified in an organization is not driven solely by the knowledge of threats and attacks (which is necessarily incomplete, as no one can be sure that they have complete knowledge due to dynamic threat-landscape where novel attacks are developed frequently). In an environment in which the threat landscape for organizations changes rapidly and novel attack-patterns continually emerge, understanding the potential impact of these attacks on organizational assets may alleviate the associated uncertainty, at least initially in risk-management activities.

Regardless of whether the risk analysis begins with threats to assets, or with potential impact on assets, the ultimate result is the enumeration and estimation of the greatest risks faced by an organization. Controls are then selected to address the risks deemed most significant. The primary advantage of such risk-based approaches (whichever is followed) is that the security budget and response are set to be proportionate to the risks faced. Both critically depend upon our ability to accurately prioritize such risks.

However, there exists very little data on the effectiveness of risk controls once they are deployed, and how they might actually result in lower risk exposure across all assets and functions of an organization. This means that we lack the scientific framework or foundation upon which to select and compare the relative benefits of these controls. We suggest that there is a comparable lack of knowledge of the harm, which might result from cyber-attacks. It is this lack of knowledge that may result in the deployment of controls incapable of mitigating the overall harm. Such limitations may prevent us from identifying and understanding all the potential harms that can result and the relationships that might exist between them. Essentially, we may be selecting our risk treatments and controls based on knowledge that does not fully take account of the ways in which harm can emerge, nor of the breadth of harms that can result from a single cyber-attack. If one simply takes each risk and treats it in isolation, one may not see the connection between various risks and the cascade of harms that can result.

Why we need a taxonomy of cyber-harm for organizations

In this article, we present a prototype taxonomy of organizational cyber-harm which should help researchers and practitioners alike to consider the full range of harms that might result from cyber-attacks, when developing risk treatments. This is necessary to underpin our assessment of risk, and also our ability to quantify the harm resulting from such risks. We explore the topic of cyber-harm, with the intention of developing a more holistic understanding of what constitutes organizational cyber-harm than is available in the extant literature. In what follows, we critically examine cyber-harm, including how it and related topics such as cyber-risk, criminology and cyber-economics, feature in existing research and practice as documented in the literature. Next, we focus specifically on defining a taxonomy of the various types of organizational cyber-harm. This is required to adequately model and reason about harms. We present and draw insights from four case studies in order to provide initial indications about how different types of harm in our taxonomy are connected and how cyber-harm may propagate.

Finally, we conclude our work with a brief discussion of the need for analytical tools for organizational cyber-harm. One such tool, in the form of a conceptual model based on our taxonomy and general reflection, is considered which could enable organizations to better understand, achieve and enhance their cybersecurity. We expect to reveal nuances about how these harms may be linked and how their negative impacts on organizations might be measured, and ultimately to support cybersecurity tasks such as harm reduction and the prioritization of cyber-risk for treatment.

What is cyber-harm for organizations?

Traditional definitions of harm

Harm is a concept that has been researched in-depth in various fields including philosophy, psychology, sociology and law; but significantly less in cybersecurity. In the dictionary definitions of harm, the most common relates it to hurt, injury or damage of some sort [3]. Although these definitions may be regarded as accurate representations of the meaning being conveyed, they arguably oversimplify a complex concept that has been the subject of significant thinking and research effort over the last few decades.

In law, for instance, even though the definitions of harm concentrate on injury and damage (as described above), they often extend this to consider the ‘subject’ of harm, i.e. an individual or the interests of a collective [4]. An example of ‘ultimate harm’ in the context of an individual, therefore, is death. The medical domain maintains a similar interpretation of harm and focuses on ill-treatment or impairment of an individual’s health [5]. Harm is so core to the practice of medicine that many regard the primary duty of a physician as
ascribing to the principle of non-maleficence, i.e. literally doing no harm [5].

Kleinig provides one of the more critical and philosophical discussions on harm, and synthesizes traditional definitions as well as existing research from several disciplines including law, ethics, health and philosophy [6]. Based on his comprehensive reflection, he suggests that harm may be understood as the impairment of the welfare interests of a being, with welfare interests regarded as those necessary to the functioning of individuals as purposeful, self-reflective and responsible agents. This description is insightful for at least two reasons. First, it highlights the conventional use of harm to define a negative consequence (as a result of some action), and secondly, it centres on beings or individuals as the typical subject of harm. This definition accurately captures the use and understanding of harm in other areas such as psychology (e.g. self-harm), medicine and law (e.g. harm to individuals) [7].

In recent years, harm has increasingly been applied in broader contexts, such as harm to companies or industries. For instance, there has been research exploring how environmental violation events harm the reputation of an organization [8] and more topically, analysis of how cyber-attacks can result in harm to businesses and even to the economy of a nation [9, 10].

The relationship between harm, impact and risk in organizations

Narrowing our focus to the enterprise context, two concepts closely related to harm are ‘impact’ and ‘risk’. Both of these concepts feature prominently in the literature and practice of organizational information security. Broadly speaking, impact is the effect of an action by one person or thing upon another and can be either positive or negative. This characterization of impact as a generic term is supported by others in security across academia and government [11, 12].

The European Union for Network and Information Security Agency (ENISA) defines impact as the result of an unwanted incident [13]; this is a definition it borrows from the International Organization for Standardization and the International Electrotechnical Commission (ISO/IEC) [14]. Whilst not definitive, the arguable suggestion here is that impact is adverse. For the NIST, developing an understanding of impact is a significant component of the risk management process for organizations. They describe impact as the ‘harm that can be expected to result’ from consequences of unauthorized actions or loss of confidentiality, integrity or availability [2]. Their appreciation of impact is clearly oriented on harm, potentially with the intent of stressing ‘impact’ as undesirable or an impairment of organizational interests. A significant observation that can be made based on our reflection so far is that, although impact is a non-specific term, in security, it often implies a negative outcome [11]. On occasion, this adverse meaning is made explicit through the use of words such as harm.

The term ‘risk’ is associated with many of the concepts presented above and its theoretical underpinnings are provided by the seminal works of Beck and Giddens [15–17]. According to Beck [17], risk is a modern concept that presupposes decision-making and is a result of the speed of modernization that has transformed our society to a risk society. The increased influence of science and the technological innovations have resulted in two major transformations that define the era of risk society. The first transformation, namely the end of nature, refers to the fact that almost all aspects of the physical world are influenced by human interventions, shifting the focus of attention from ‘what nature could do to us’ to ‘what we have done to nature’. The second transformation, namely the end of tradition, describes ‘a process of individualisation’ [16], where people question traditions, institutions and old societal norms.

A risk society that has experienced these two transformations experiences ‘uncontrollable risk’ because the risks are now ‘manufactured, second-ordered and unnatural’ [17]. Unanticipated advances in technology can increase the gap between actual and perceived risks, transform visible risks to invisible to virtual and render these risks borderless—a concept described by Giddens as the ‘scientization of nature’, ‘the colonization of nature’ or ‘the end of nature’ [16]. Therefore, the traditional concept of risk perceived as the probability of an adverse event multiplied by the magnitude of impact must be expanded. In order to expand our understanding of risk, Beck and Giddens suggest that manufactured risks can be analysed in three dimensions: spatial, temporal and social. Spatial, because these risks cross national borders and can affect the globe; temporal because manufactured risks may influence generations that have not been born yet; and social because the effects are a combination of actions of many individuals that shift individual risks to systemic risks.

A major concern with manufactured risks is that societies experience a denial of responsibility from organizations and individuals for creating these risks which results in avoidance of action in terms of risk management, a concept coined as ‘organised irresponsibility’ [15]. Organized irresponsibility disincentivizes organizations to invest in controls to mitigate harms and to provide compensation for individuals, despite the fact that they acknowledge the reality of catastrophes [15]. Whilst the risks that Beck and Giddens describe in risk societies are inspired by advances in nuclear, chemical and biomedical technologies, advances in information technology and cyberspace share the same characteristics. Therefore, all these concepts can be adopted from the risk community to help understand the nature of cyber-harm to an organization, by designing a taxonomy on cyber-harms. We believe that such a taxonomy will help enterprises to engage in security risk management tasks intended to identify, assess, prioritize and treat the various risks that they face.

Insights from criminology and white collar crimes

A stream of literature where harm has a pivotal role is criminology in general and the study of white-collar crime in particular. Criminologists, due to difficulties in defining crimes and identifying their detrimental impact, propose to depart from the notion of crime and focus on that of social harm [18–21]. Therefore, harm is key to social policy and observations of different types of harm occurring from crimes shape practical guidance [19], rendering the development of sound methods to systematically assess harm of increasing importance. Greenfield et al. [19], present a framework comprising a set of processes to empirically assess harm. They identify five key dimensions where harm may manifest, namely: functional integrity; material support and amenity; freedom from humiliation; privacy or autonomy; and reputation. They also define five magnitude levels of these types of harm and examine the cascading nature of harm by examining real-world crimes that have caused severe harm to society.

In a similar vein, Van Slyke et al. [18] construct a taxonomy of harms for white-collar crimes by focusing on the victimization element of these crimes. They examine a series of white-collar crimes and list the costs arising from these offences. They complement desktop research with victim surveys, and focus on the severe lasting effect of harms in certain individuals. Further insights are provided by suggesting that harms can be conceptualized as a pyramid, with chronic
harms at the top, ‘one-off’ victims who suffered severe losses in the middle and victims who are unaware of the fraud, or have incurred small costs, at the bottom. Secondary effects of harm are also considered, with the authors suggesting that these relate to victims who experience great losses or suffer psychological effects.

Furthermore, Van Slyke’s study considers harms that may relate not only to individuals but also to other stakeholders, such as communities, neighbourhoods, governments and society at large. Specific focus is also given to calculating the costs of crime, with the authors arguing for three types of costs, those incurred in anticipation of a crime, those incurred as a consequence of it and those in responding to it. They suggest two approaches to calculating these costs: ‘bottom-up’ based on surveying crime cases and estimating individually different harms; and ‘top-down’, trying to estimate how much the public is willing to pay to avoid or reduce these crimes.

Brenner presents the first approach to identify metrics for estimating crime that originates in cyberspace [22]. Although she acknowledges that designing metrics and scales for cybercrime is extremely difficult, due to ‘apprehension’, scale and evidence issues, she proposes a simple taxonomy of harms consisting of three main types, namely individual, systemic and inchoate.

The researchers in the discipline of criminology studied in this survey all concur that estimating the cost of crimes, as well as providing models for assessing harms, present significant technical and methodological challenges [18–20]. These challenges arise due to limited utility of conventional research tools such as surveys, poor statistical data obtained by law-enforcement agencies and the tendency of individuals to conceal crimes from the authorities due to embarrassment or lack of ways to report these crimes [18]. In addition, only a small percentage of cases are prosecuted and there is no consolidated source of information aggregating different crimes or incidents. The keen reader will have recognized the stark similarities with incidents in cyberspace. There are several lessons to be learnt from the discipline of criminology, but we need to emphasize that all the approaches from this context determine harm arising from specific crimes, whereas in this article, we present an asset-driven approach. There are clearly parallels between non-cyber-crime and cyber-crimes from a harm perspective (since their victims are common), which can be used to design a taxonomy of cyber-harm.

Cyber-economics

Felici et al. [23] emphasize the need to further explore the field of economics by focusing on cyber-incidents. They postulate that ICT stimulates new markets and is integrated into current economic sectors that foster growth. They argue that the field of cybersecurity economics is essential in assisting ICT to hold this dual role. They further suggest that challenges in this field require a multidisciplinary approach and that models created by researchers must acknowledge the new information regarding cyber-incidents, their impact and their relations to the dynamics of other cyber-actors.

Anderson et al. [24] are pioneers in providing a first approach to measuring costs of cyber-incidents. In their article, they highlight the difficulties in assessing impact due to the fast pace of technological developments and the large asymmetries between estimating costs and revenues and their real values. Similar to the models presented in the criminology literature, in their model Anderson et al. equate harm with cost and consider direct and indirect costs, defence and crime costs, as well as costs to society. They extend their work by considering concepts from economics such as the ‘moral-hazard effect’, the hidden-action problem and network neutrality, amongst others, to provide a holistic understanding on the economics of information security [25].

In a similar vein, Moore highlights further challenges in the field of economics of cybersecurity [26]. Drawing from concepts from the field of economics, Moore identifies challenges, inter alia, misaligned incentives such as the natural tension between efficiency and resilience in IT systems, information asymmetries and externalities. He suggests that to overcome these challenges regulatory intervention is necessary. Moore further identifies online identity theft, industrial cyber-espionage, critical infrastructure protection and botnets as the most persistent threats in cybersecurity and proposes a series of regulatory solution options.

Other efforts focus on the evolution of risk frameworks, modelling the resilience of business systems [27]. In these models, researchers try to understand how catastrophes may disrupt globally critical services by examining the interconnectedness of assets. A threat-based model is created and each threat: is attributed with different mechanisms of destruction; is related to specific vulnerabilities; and presents different challenges for the resilience of systems. The taxonomy of threats is developed through an extensive review of historical incidents extended as far back as in 1000AD. Similarly to crime taxonomies, correlations and triggering mechanisms for various types of catastrophes are sought. One of the many classes of threat examined by this article is cyber-threat.

A similar approach is proposed by Lloyd’s of London, where they consider fictional but realistic scenarios to understand the concept of cyber-risk aggregation [28]. The authors of the report note that cyber-risk is a growing global threat due to the increase in cyber-incidents during the last years. They utilize two fictional scenarios, namely a ‘cloud service provider’ hack and a ‘mass vulnerability’, and seek to calculate direct and indirect costs for both organizations and insurers. They conclude that the potential for a cyber-attack to sweep through many organizations and the secondary effects of the attack due to interdependencies between organizations could have disastrous consequences.

There are a few institutes, which provide aggregate data and publish annual reports of cyber-incidents. For example, the Cyber Security Breaches Survey (CSBS) from the UK Government annually captures trends in cyber-incidents and details of cybersecurity risks [29]. The report presents statistics about how organizations operate in cyberspace and identifies common types of threat. To comment briefly on key findings in the 2017 report, the survey highlights that all UK businesses are potentially exposed to cyber-threats. Government sources of guidance on cybersecurity threats remain few, but 75% of the organizations, which take advantage of this information, find it useful. They have identified that a sizeable proportion of businesses still lack security controls despite the fact that the vast majority of them have increased their cybersecurity budget. The most common types of successful attacks are related to staff receiving fraudulent emails (in 72% of cases where firms identified a successful attack or an attempt). The next most common issue is related to viruses, spyware and malware (33%), people impersonating the organization in emails or online (27%) and ransomware (17%).

Based on such reports and drawing on their previous work [24, 25], Anderson et al. provide a set of recommendations in order to address the lack of statistical data in the European Union (EU) and to further the field of security economics [30]. They propose to the EU the introduction of a comprehensive security-breach notification law and the publication of loss statistics. They also identify that common vulnerabilities can trigger cascading effects in cyber-attacks and propose diversity as a security measure. Finally, they
highlight the problem of moral hazard in Critical National Infrastructure (CNI) and propose the regulation of best practice approaches to cybersecurity for these stakeholders.

Focusing on the incentives for CNI and regulatory approaches, Laube et al. examine the economics of mandatory security-breach reporting to authorities [31]. They design a principal-agent model able to describe conflicts of interest between regulators and organizations. Their model considers security investment and firms’ interdependence, mandatory security-breach reporting and security audits. They conclude that laws, which enforce mandatory security-breach reporting are essential for high-security interdependent firms with the premise that disclosure costs are low.

Kshetri attempts to define a cost-benefit calculus using a similar methodology to Laube et al. [32], but he focuses on the perspective of the attacker. He identifies characteristics of cyber-criminals, cyber-crime victims and law-enforcement agents and argues that these three classes of entity, when they interact, lead to a vicious circle of cyber-crime. He provides a calculus that considers the benefits and costs to an attacker and reasons about whether a cyber-crime may occur. It is worth noting that the authors suggest that psychological effects as well as criminal conviction are part of an attacker’s benefits or losses.

Edwards et al. [33], explore a publicly available dataset of data breaches and apply a Bayesian Generalised Linear Model to unveil trends in data breaches. They conclude that the size and frequency of data breaches has been stable in recent years, but their impact is growing due to the ability of threat-actors to monetize personal information better and to the increasing number of electronic financial transactions. An interesting approach, based on the ‘top-down’ methodology described in the criminology field, is presented by Nguyen et al. [34]. The authors attempted to elicit ‘premiums’ that some users would be willing to pay to protect their assets from cyber-incidents. Their results show that participants in their survey were willing to pay a premium of between $9 and $11 monthly to protect their social-media accounts, while they were willing to wait between 8 and 9 additional minutes to receive their emails, provided these would be free of spam and phishing emails.

Much of the research on cyber-economics is naturally intended to be viewed through a societal or supply-chain economy lens, but it has consequences for organizations as well and places harm located at a single organization in the context of the wider societal actors who can implement levers which can help organizations mitigate such harms and mandate or incentivize behaviours necessary for success.

Monetizing cyber-incidents

The ability to quantify harm would allow an organization to make better decisions regarding the treatment of a particular risk. We have reflected on current literature to determine the extent to which techniques exist to quantify cyber-harm (or indeed, attack impact).

software-development companies and report that on average vendors lose 0.6% of their market value when software vulnerabilities are exposed. Regarding exposure or leakage of customer data, Acquisti et al. [37] provide significant statistical evidence that there is a negative short-term impact on the value of stocks, but this effect decreases rapidly over time. Further evidence of the negative effects on the market value of an organization that may arise from a cyber-breach once it is made public is presented by Cavusoglu, Mishra and Raghunathan [38]. More recently, there have been concerns regarding associating fluctuations in stock prices with cyber-incidents and, in particular, with data breaches [39].

There are types of attacks, however, that do not seem to have an impact on the value of the stock of organizations, such as DoS [40]. In a similar vein, Campbell et al. [41] suggest that there is no impact when the security breach concerns non-sensitive data. There is a distinguishable difference, though, when the breach concerns confidential data, causing the market value of the organization to drop briefly. Finally, Kannan, Rees and Sridhar argue that there is no significant difference in the loss of market value depending on whether the security breach affects the confidentiality, availability or integrity of data [42]. These are all interesting points, but they attest to the difficulty of characterization and quantification of cyber-harm.

Other approaches have focused on ‘measuring’ harm by way of qualitative severity levels (or brackets, similar to high, medium, low) based on whether certain attacks have harms within defined criteria thresholds. One article, for example, outlines six main levels of risk impact from minor (1) to business-critical (6), and attributes for impact criteria include reputation, human capital and financial [14]. For minor impact, the thresholds are as follows: the reputation threshold is zero to limited negative publicity and no impact on the institution’s reputation; human capital threshold is that the attack affects less than 5% of employees and there is no impact on recruitment or retention of staff; and the financial threshold is an annual loss of less than $1 million in the current fiscal year. Each of these thresholds (and associated values) increases as the rating progresses from minor through to moderate, substantial, serious, severe and business-critical. The advantage of such a quasi-quantified approach lies in the fact that accuracy in metrics is not required and it may be possible to obtain a rough estimate of the harm quickly. These thresholds would, of course, change depending on the enterprise.

A very promising approach to quantifying harm is detailed in a report published by the World Economic Forum [43]. The aim of their approach is to understand the benefits from digitalizing functions and services of organizations, the costs that may occur when attacks may be realized, determining the threat imposed to organizations and to try to find the optimal investment in cybersecurity. They introduce the notion of the cyber-Value-at-Risk (VaR) a ‘risk measure for a given portfolio and time horizon as a threshold loss value’ [43]. VaR considers the probability that a loss will exceed the
Generally, we found that there is a lack of effective metrics, tools profits in a given time. Those authors outline the properties that the
and frameworks for estimating the harm from cyber-attacks on Cyber-VaR value should have, but highlight that they do not pro-
organizations. The approaches that we have identified are either vide the means to quantify and compute these properties. A com-
quantitative or qualitative in nature. Most approaches endeavour to pleted model would be able to provide answers such as ‘given a
monetize the metric output values, in terms of financial loss, in order successful cyber-attack, a company will lose not more than X
to be able to compare harm between cyber-incidents. These amount of money over a period of time, with 95% accuracy’ [43].
approaches consider direct and indirect costs emanating from a The core components of such a model are quantifying the assets
cyber-attack for different harms [35–38]. under threat, computing the vulnerabilities and creating threat pro-
Fluctuations in stock market prices have attracted the interest of files of attackers. In terms of harms, they provide an example of
many researchers, the idea being to compare the price of the stock how the assets of an oil company may be impacted and identify
before and after a cyber-attack. Telang and Wattel [36] focus on harms regarding future revenue loss, litigation and public relations
6 Journal of Cybersecurity, 2018, Vol. 0, No. 0
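The WEF report, as noted above, states the properties a cyber-VaR figure should have without giving a way to compute it. The block below is an added illustration, not the WEF model and not code from this article: a Monte Carlo simulation over a constructed asset register (asset names, values, annual compromise probabilities and loss fractions are all assumed sample numbers) that produces the ‘will lose not more than X with 95% accuracy’ threshold and the probability that a loss exceeds a given budget.

```python
"""Monte Carlo estimate of a cyber-VaR style threshold loss.

Added illustration: this is not the World Economic Forum model and not code
from the article. Every asset, probability and loss factor below is a
constructed sample value chosen only for the demonstration.
"""
import random
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Asset:
    """One asset under threat, carrying the three model components named in
    the text: its value, its exposure (vulnerability and threat profile
    collapsed into one annual compromise probability) and how much of its
    value a successful compromise destroys."""
    name: str
    value: float                         # monetary value at risk (constructed)
    p_compromise: float                  # probability of a successful attack per year
    loss_fraction: Tuple[float, float]   # (low, high) share of value lost if compromised


# Constructed asset register for a hypothetical organization.
ASSETS: List[Asset] = [
    Asset("customer database", 4_000_000, 0.10, (0.20, 0.60)),
    Asset("order-processing platform", 2_500_000, 0.30, (0.05, 0.40)),
    Asset("industrial control segment", 6_000_000, 0.05, (0.10, 0.90)),
    Asset("corporate e-mail", 800_000, 0.20, (0.10, 0.50)),
]


def simulate_annual_loss(assets: List[Asset], rng: random.Random) -> float:
    """One simulated year: each asset is independently compromised or not,
    and a compromised asset loses a uniformly drawn share of its value."""
    total = 0.0
    for asset in assets:
        if rng.random() < asset.p_compromise:
            low, high = asset.loss_fraction
            total += asset.value * rng.uniform(low, high)
    return total


def simulate_losses(assets: List[Asset], trials: int = 20_000,
                    seed: int = 7) -> List[float]:
    """Run the yearly simulation `trials` times; return the losses sorted
    ascending so that percentiles can be read off by index."""
    rng = random.Random(seed)  # fixed seed keeps the run reproducible
    return sorted(simulate_annual_loss(assets, rng) for _ in range(trials))


def cyber_var(losses: List[float], confidence: float = 0.95) -> float:
    """Threshold loss that is not exceeded in `confidence` of the simulated
    years: the 'will lose not more than X with 95% accuracy' figure."""
    if not 0.0 < confidence < 1.0:
        raise ValueError("confidence must lie strictly between 0 and 1")
    index = min(int(confidence * len(losses)), len(losses) - 1)
    return losses[index]


def probability_loss_exceeds(losses: List[float], budget: float) -> float:
    """Share of simulated years whose loss exceeds `budget`, i.e. the
    probability that a loss will exceed a given amount in the horizon."""
    return sum(1 for loss in losses if loss > budget) / len(losses)


def var_report(assets: List[Asset] = ASSETS) -> Dict[str, float]:
    """Summarise the simulation for one asset register."""
    losses = simulate_losses(assets)
    return {
        "expected_annual_loss": sum(losses) / len(losses),
        "var_95": cyber_var(losses, 0.95),
        "var_99": cyber_var(losses, 0.99),
        "p_any_loss": probability_loss_exceeds(losses, 0.0),
        "max_simulated_loss": losses[-1],
    }


if __name__ == "__main__":
    for key, value in var_report().items():
        print(f"{key:>22}: {value:,.3f}")
```

The same functions accept any asset register, so the register can be replaced with an organization's own asset listing once values and compromise probabilities have been estimated.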

costs, business interruption costs and reputational damage, even bankruptcy if the attack is persistent for a certain number of days.

It is evident that models reasoning about harm are scarce and are either based on fictional scenarios or try to reason about harms based on statistical data about costs. However, the quantification of harm is still an unsolved problem for organizations. Most approaches have focused on insight from stock-market prices; however, they fall short in estimating the harm related to cyber-attacks and incidents. This is because drops in stock-market prices are usually brief [40, 41], while costs that relate to other types of harm such as physical damages or incident response costs are neglected. Cyber-VaR is promising but much more needs to be done before this becomes a viable option for organizations.

In summary, therefore, we believe that a model that is asset-driven may provide a different perspective on the notion of cyber-harm, and insights from criminology and other fields can underpin such efforts. Further research is required on the topic of the quantification of harms (both direct and indirect), potentially through the linkage with assets and threats. We will return to this observation at the conclusion of this article as it provides inspiration for how to evolve from a cyber-harm taxonomy to a model capable of underpinning analytics on cyber-harm and the effectiveness of risk controls in addressing it.

Emergence of cyber-harm as a concept in organizations

The origin of cyber-harm is firmly rooted in the psychological domain and describes the harm or negative impact to individuals that might occur as a result of interactions in cyberspace (e.g. cyberbullying) [44, 45]. In recent years, that term, similarly to ‘harm’ itself, has been expanded and applied to more general contexts. The adaptation of cyber-harm to cybersecurity more broadly builds on this conceptualization, and aims to focus on the adverse impacts of cyber-attacks across all stakeholders, including individuals, communities, organizations and nations. For instance, there is literature exploring cyber-harm in the domain of cyber-warfare [46, 47]. Here, cyber-harm is loosely perceived as harm perpetrated via the Internet or similar electronic means, most often involving some form of cyber-incident or intentional attack (such as an outsider hacking into an enterprise or an insider inserting an infected drive into a workstation). This description encompasses other research work that suggests that cyber-harm may also be caused via other means, such as cyber-exploitation, where the goal of the attack is primarily to obtain data from the targeted system [48].

To consider cyber-harm in the context of organizations, therefore, is to consider the detrimental impacts resulting from cyber-events or incidents that could take place and involve the organization in any fashion. Incidents could be intentional attacks such as compromising systems, or unintentional due to mistakes, user errors or broadly natural phenomena, and may derive from external parties as well as from within the organization. This distinction of harm into intentional and unintentional has traditionally been localised to cyber-assets: for instance, a computer network might be infected or a web server forced offline because of a DoS attack. But the reliance of society on technology has positioned such harm also in the physical sphere. The consequence of this is that as cyber and physical spaces overlap, attacks on enterprises using cyberspace can have a tangible, offline harm. As the US Department of Homeland Security states, such harm could also include physical damage to property or bodily harm [49]. Our understanding of cyber-harm should not be limited to the online components of a system, but rather should be extended to include the offline components as well.

There have been several attacks that have exemplified the physical reality of cyber-harm. Two of the most prominent are the recent Ukrainian blackout [50], where malware facilitated the shutdown of a power plant and prevented essential systems from rebooting; and the remote hijacking of the Jeep Cherokee, where white hat hackers obtained full control of the vehicle, resulting in car manufacturer Chrysler recalling 1.4 million vehicles before any malicious attack was attempted [51]. The Chrysler attack drew the attention of the automotive industry to the risks that the Internet-of-Things (IoT) may pose to all manufacturers. These add to the other better-known impacts of attacks including damaged corporate reputation, loss of customers and business partners, and (financial) compensation to affected parties, as witnessed by Sony, Target and Ashley Madison [52]. It is evident that cyber-harm is potentially more than the sum of the impacts considered in traditional risk assessments, and that a novel taxonomy focusing on understanding the full spectrum of cyber-harm is required. A similar rationale is presented in [53], where the authors reflect on the notion of cyber-harm from a national perspective.

Defining a taxonomy of organizational cyber-harm

To facilitate more effective reasoning about cyber-harm and to address the various challenges identified regarding modelling it, it is useful to describe a taxonomy for organizational harm. This should outline the range of categories of harm and structure them in a way that allows cascading harms to be considered, and in a format that organizations would be able to apply during security risk analyses. A key advantage would also be that it would force consideration of harms not usually deemed ‘corporate’ and thus rarely properly assessed. A good example of this is the psychological harm to individuals resulting from cyber-attacks. We present such a cyber-harm taxonomy in this section. To support this research, in addition to the literature considered above, we have conducted a comprehensive survey of known cyber-incidents found in publicly available databases [54, 55], in combination with case studies and news reports.

Taxonomy of cyber-harm

There have been several attempts to define the impacts of cyber-attacks [2, 12, 56]; however, their use and adoption has been limited. For our taxonomy, we have created and analysed a dataset of news articles, literature and databases of cyber-incidents. More specifically, we have collected news articles, such as [57], published in major newspapers and security magazines, which target national and international audiences. To identify these articles, we searched for articles that contained phrases such as, inter alia, ‘cyber attack’, ‘cyber incident’ and ‘hackers’, commonly used when cybersecurity incidents are discussed. We reviewed literature focusing on taxonomies of harm ranging from white-collar crimes to psychology. Finally, datasets such as Hackmageddon [54] and those from the VERIS Community Database (VCDB) [55], albeit limited in the variety of the cyber attacks they contain, were utilized due to the absence of more holistic datasets. VCDB is a public effort to collect cybersecurity incident reports with a specified structure. The Verizon RISK team is responsible for the maintenance of the database, which contains more than 5 000 incidents. Out of these incidents, we focused on the most contemporary reports that contained information relevant to our taxonomy, excluding incidents whose source was physical attacks. Hackmageddon is a well-known cyber-incident website that collects public reports and documents them on a monthly
basis. The same rationale as that applied with the VCDB regarding extracting relevant incidents was followed here, and we again focused on contemporary reports.

We then applied content analysis [58] to process the sources in our dataset. Content analysis is a qualitative data analysis technique, aiming to identify key ‘themes’ in documents. There are three approaches to content analysis: the first is the inductive approach that is based on ‘open coding’, meaning that the categories or themes are freely created by the researcher. In open coding, headings and notes are written in the transcripts while reading them and different categories are created to include similar notes that capture the same aspect of the phenomenon under study. The second approach is deductive content analysis, which requires the prior existence of a theory to underpin the classification process. This approach is more structured than the inductive method and the initial coding is crafted by the key features and variables of the adopted theory [58, 59]. In the process of coding, excerpts are ascribed to categories and the findings are dictated by the theory or prior research. However, there could be novel categories that may contradict or enrich a specific theory. Therefore, if deductive approaches are followed strictly, these novel categories that offer a refined perspective may be neglected. This is the reason why we opted for the third type, which is a mixture of the deductive and inductive approaches.

We used harms identified in the literature of white-collar crimes [18, 19] and other taxonomies of harm [2, 11, 60] as core themes for our deductive approach. Themes to which we could not match excerpts from articles and cyber-incident datasets were excluded from our taxonomy. We then considered excerpts that were not allocated to any themes. This process was iterative; we created themes based on an inductive approach and in the following iterations, we merged themes which described substantially identical notions. We concluded the process when there was an iteration in which no further themes could be merged. Two researchers were involved in the process of content analysis. The first person identified the themes and the second verified the content by independently using the proposed thematic schema to replicate the results of the first researcher.

Once we obtained all the relevant themes, we divided the harm types into categories to form hierarchies of harm. Subsequently, we reflected on the resulting structure in the context of a smaller set of cyber-incidents to determine whether the harm from these incidents could be modelled, incorporating any refinements necessary (e.g. identifying incidents that could not be described by the types of harm in the taxonomy). The hierarchies that we define in our taxonomy contribute to the novelty of the research given that existing models (e.g. [2, 12, 56]) only focus on lists of impacts and losses from cyber-attacks. We believe that the provision of structure through a harm taxonomy is useful, particularly in engaging with different types of stakeholders who may be affected in different ways by cyber-attacks. Moreover, it allows us later to consider how harms propagate across and between different high- and low-level categories in the time period after an attack has occurred. In Fig. 1, we present our taxonomy for organizational cyber-harm, where the main categories are coloured in orange and the subtypes of harm in yellow.

To structure our taxonomy, we have taken inspiration from existing research on categorizations of harm [18, 19]. The main harm types we include are:

• Physical or Digital harm (i.e. harm describing a physical or digital negative effect on someone or something)
• Economic harm (i.e. harm that relates to negative financial or economic consequences)
• Psychological harm (i.e. harm which focuses on an individual and their mental well-being and psyche)
• Reputational harm (i.e. harm pertaining to the general opinion held about an entity)
• Social and Societal harm (i.e. a capture of harms that may result in a social context or society more broadly) [2, 61, 62].

For each one of these types, we identified several sub-types that characterized that harm in further detail. In Tables 1–5 below, we present and describe the main sub-types as well as including appropriate references to articles that exemplify them. Harm types are designed to be distinct; however, all types may be interpreted in economic terms, so economic harm may overlap with other harm types.

Briefly reflecting on a selection of the harm definitions contained above: examples of Reputational harms that an organization may suffer as a result of a cyber-incident are damaged public image of an organization (e.g. an organization may be regarded as insecure or incapable of protecting customer data) and reduced corporate goodwill (i.e. the business becomes one that others are reluctant to interact or trade with). Harms in the Social and Societal space range from negative changes of public perception (e.g. after an attack, the public may view a certain type of technology as unreliable or insecure), to the disruption of the daily lives of the public. For instance, the cyber-attack on a Ukrainian power company caused a blackout that affected 700 000 homes, numerous communities and society as a whole in the country [50]. This attack had an immediate impact on society, and the harm caused depends on the speed of detection and the effectiveness of the mitigation controls in place. As nations, and subsequently organizations, vary in their cybersecurity maturity, the extent of these harms will vary as well.

Physical or Digital harm is one of the most familiar types of harm for organizations, and examples of it are: damaged or unavailable systems; corrupted data files; exfiltration or theft of sensitive or customer data; and bodily injury to employees or customers. From these examples, it can be seen that at the current description level of the taxonomy (as shown in Fig. 1) assets are not specifically named. This is intentional and enables users of the taxonomy either to maintain a separate asset listing (or asset taxonomy) and map the two as necessary, or to add a different category in this taxonomy to detail the relevant assets that may be harmed in that particular way. Our decision was informed by the fact that management of such assets is achieved by different methodologies in organizations. Abstracting the taxonomy as arranged above follows a similar approach to one of the most well-known computer incident taxonomies [75].

One of the intended advantages of our taxonomy is its clear mapping of the key types and sub-types of cyber-harm. In the face of an incident, therefore, organizations could quickly obtain some general understanding of the types of resulting harm that they may face. This is also important because it may force consideration of aspects not usually deemed ‘corporate’ and thus rarely properly assessed. Moreover, this broadens understanding of risk and could be incorporated during initial risk assessment phases as well. A good example of this is the psychological harm to individuals. If a business is victim to a cyber-attack, this not only impacts them but also individuals including customers and employees. In the attack on UK Internet Service Provider TalkTalk in 2015, customers not only experienced financial loss, but felt worried and upset about the attack and TalkTalk’s response [70, 71]. This could be of interest to an organization because such harms could be prolonged and further impact company reputation and repeat customer business, or result in customers recommending that their friends and colleagues

Figure 1. Taxonomy of organizational cyber-harms.
completely avoid the company. Social-media platforms such as Twitter can exacerbate this harm due to the great visibility they give to customers and the public [35]. This highlights a subset of the wide span of consequential harms, captured in the taxonomy, that result from cyber-incidents.

The propagation of cyber-harm

As the literature from criminology and cyber-economics suggests [18, 19, 24, 25], harm has interesting characteristics that relate to cascading effects. In this section, we consider four case studies of real-world attacks, which provide initial insights into how our taxonomy can be used to identify propagation sequences of different types of cyber-harm, thus illustrating how cyber-harm can emerge and cascade. The four case studies were chosen based on the detailed accounts of the impact of cyber-attacks on the organizations that were publicly available, and because of the long-lasting effects of these attacks. Using the harms in our taxonomy shown in Fig. 1, we identify the assets that were targeted in the case studies, which types of harm occurred first and how these harms in turn triggered different types of harm. Our aim is to explore common sequences of harms, which may be likely to result given that an initial harm has occurred. We perform this analysis here in order to demonstrate that the taxonomy can adequately characterize harms arising in such scenarios. This could, however, also be used in gaining a better understanding of the broader risk facing the organization along the dimensions proposed by Beck and Giddens [15–17].

Table 1. Defining elements in the taxonomy for the physical or digital harm type

Cyber-harm type: Physical or digital
Cyber-harm sub-types:
Damaged or unavailable – The asset has been physically or digitally affected to the point where it is not available to fulfil its intended purpose [57]
Destroyed – The asset has been physically or digitally ruined [12]
Theft – The asset has been physically or digitally stolen [63]
Compromised – The asset has been physically or digitally affected [63]
Infected – The asset has been physically or digitally contaminated [50]
Exposed or leaked – The asset has been physically or digitally disclosed [64]
Corrupted – The asset has been physically or digitally debased or its integrity affected [50]
Reduced performance – The asset has had its ability to function lowered [57]
Bodily injury – The body of the human asset has been wounded [12]
Pain – The human asset has experienced agony [12]
Loss of life – The human asset is no longer alive [65]
Prosecution – Legal proceedings have been launched against an individual or organization [57, 66]
Abuse – The asset has been physically or digitally misused [67]
Mistreatment – The asset has been physically or digitally brutalized [67]
Identity theft – The theft of personal identity information [67]

Table 2. Defining elements in the taxonomy for the economic harm type

Cyber-harm type: Economic
Cyber-harm sub-types:
Disrupted operations – The operational assets (e.g. processes) are not functioning as expected [12]
Disrupted sales or turnover – The amount of sales or turnover of the organization has been reduced [52]
Reduced customers – The number of customers of the organization has dropped [52]
Reduced profits – The profits of the organization have dropped [52, 68]
Reduced growth – The growth of the organization has dropped [68]
Reduced investments – The investments made by external parties into the organization have dropped [67]
Fall in stock price – The stock price of the organization has dropped [67]
Theft of finances – Finances of the organization have been stolen [69]
Loss of finances or capital – Finances or capital have been diminished [67]
Regulatory fines – Fines levied by regulatory bodies that the organization is liable to pay [12]
Investigation costs – The fees payable by the organization for investigating an incident [67]
PR response costs – The fees payable by the organization for engaging public relations services after an incident [67]
Compensation payments – The costs that the organization has had to pay as compensation to those affected by the incident [70]
Extortion payments – The costs that the organization has had to pay to continue its operations (e.g. after ransom-related incidents) [65]
Loss of jobs – The organization has had to reduce its number of employees [12]
Scam victims – The organization or its stakeholders have been conned [65]

Table 3. Defining elements in the taxonomy for the psychological harm type

Cyber-harm type: Psychological
Cyber-harm sub-types:
Confusion – Disarray experienced by the organization’s stakeholders [70, 71]
Discomfort – Uneasiness experienced by the organization’s stakeholders [35, 70, 71]
Frustration – Dissatisfaction experienced by the organization’s stakeholders [57]
Worry or anx­iety – Nervousness experienced by the organization’s stakeholders [57]
Feeling upset – Anger experienced by the organization’s stakeholders [70, 71]
Depressed – Low-spiritedness experienced by the organization’s stakeholders [65]
Embarrassed – Humiliation experienced by the organization’s stakeholders [65]
Shameful – Disgracefulness experienced by the organization’s stakeholders [65]
Guilty – Regret or remorsefulness experienced by the organization’s stakeholders [65]
Loss of self-confidence – Lack of courage or certainty experienced by the organization’s stakeholders [50]
Low satisfaction – Lack of contentment experienced by the organization’s stakeholders [72]
Negative changes in perception – An adverse change in how stakeholders regard a stakeholder [65]

Table 4. Defining elements in the taxonomy for the reputational harm type

Cyber-harm type: Reputational
Cyber-harm sub-types:
Damaged public perception – An adverse change in how the public regards the organization [12]
Reduced corporate goodwill – A negative change in the established reputation of an organization [67]
Damaged relationship with customers – An adverse change in the relationship between the organization and its customers [67]
Damaged relationship with suppliers – An adverse change in the relationship between the organization and its suppliers [62]
Reduced business opportunities – A negative change in the chances for organizational expansion and growth [67]
Inability to recruit desired staff – Difficulty attracting and recruiting appropriate employees for roles within the organization [73]
Media scrutiny – Media outlets continuously examining the organization [12]
Loss of key staff – Key employees within the organization have either been let go, reassigned, or have resigned [74]
Loss or suspension of accreditation or certifications – The organization has had its accreditation or certifications removed temporarily or permanently [12]
Reduced credit scores – Stakeholders associated with the organization have had or are at risk of having their credit scores negatively impacted [68]

Table 5. Defining elements in the taxonomy for the social and societal harm type

Cyber-harm type: Social and societal
Cyber-harm sub-types:
Negative changes in public perception – An adverse change in how society generally regards the organization [52]
Disruption in daily life activities – Daily life activities and services in a society not functioning as expected [68]
Negative impact on nation – An adverse impact on how a nation (including its services, etc.) functions [50]
Drop in internal organization morale – A reduction in how employees within the organization perceive that organization [57, 66]

The Sony cases

In April 2011, amid unstable economic conditions, Sony announced that personal information for 77 million PlayStation Network (PSN) subscribers as well as 24.6 million Sony Online Entertainment accounts had been exposed due to an external breach [64]. The data
breach involved information about account logins, passwords, credit card details, purchase histories and billing addresses. Sony’s facilities in Japan were also heavily impacted by the earthquake of March 2011, resulting in the suspension of several critical operations, which rendered the cyber-attack well timed to inflict maximum damage. Sony had to take its PSN services offline the day following the attack [67] to assess the extent of the incident, resulting in loss of revenue; it incurred response costs regarding identifying and addressing the vulnerabilities exploited and notifying the customers; a rough estimate of the costs is $171 million. This figure, however, does not include punitive damages from lawsuits, costs from identity theft or any other misuse of stolen credit cards, nor the loss of business and market capitalization [67].

In late April 2011, Sony provided a comprehensive recovery plan and an accurate calculation of the costs inflicted by the earthquake, but they were still not yet able to calculate the full organizational harm from the cyber-attack [64]. The aggregated impact of the earthquake and the data breach resulted in a significant decrease in Sony’s market valuation as depicted in stock-exchange markets. Sony’s share price dropped 19% after the earthquake, a drop equivalent to the general Japanese stock exchange market, but soon recovered 50% of this loss [64]. After the cyber-attack, however, Sony’s price sustained a 12% loss (this time it was not a reflection of the rest of the Japanese economy), and the revelation of the security weaknesses once Sony had restored service prolonged the recovery phase [64].

Three years after these incidents, in November 2014, confidential data from Sony Pictures were once again leaked. The data included more than 30 000 internal documents, 170 000 emails, social-security numbers of Sony’s employees, personnel reviews and medical histories, and movies which had not yet been released. The same cyber-attack paralysed all of Sony’s systems, rendering the online database of stock footage unsearchable, the telephone system offline, and computers and servers unusable; this was described by the FBI as an ‘unprecedented digital assault that would have felled 90 per cent of companies it hit’ [57].

Sony was forced to replace a large number of its systems, set up a hotline for identity fraud, provide psychological counselling for employees and organize seminars on data security. Following the attack, Sony’s employees received emails threatening their families if they did not denounce Sony, their credit cards were available for sale on Dark Net markets, and some witnessed their bank accounts exceeding credit limits. A survey conducted by the Identity Theft Resource Center regarding victims of identity theft reported that victims experienced ‘denial, frustration, rage, fear, betrayal, and powerlessness in the days, weeks, and years after the violation’ [57]. Class-action lawsuits from employees were filed, either because Sony did not notify those whose data was leaked, or over fears of how personal leaked information could potentially be used. This also contributed to the fact that some key staff left the company; and furthermore, the press discovered Sony’s diversity issues, which were discussed extensively in the content of the leaked emails [57, 66].

The JP Morgan case

JP Morgan Chase, one of the largest banks in the USA, reported that hackers obtained administrator access to several of their servers. Information regarding names, phone numbers, email and physical addresses of account holders was exfiltrated, affecting 76 million households and seven million small businesses. JP Morgan had announced an increase in their cybersecurity budget of $250 million per year just before the attack occurred [76]. The company was forced to replace the majority of its IT infrastructure, a process that was time-consuming and hindered the daily lives of employees. The remaining budget was spent hiring more than 1000 employees to monitor the company’s systems [74]. Of significant interest are the two long-term effects which resulted from this hack. The majority of the customers whose information was leaked were obliged to monitor their finances in fear of fraud, while they received fake emails directing them to impostor websites for financial exchanges. As a result, many became victims of financial fraud. The second

Figure 2. Propagation of harm after the cyber-attacks on Sony in 2011 (a) and 2014 (b), JPMorgan (c) and Ashley Madison (d).
effect was the replacement of their chief information security officer Once the data was publicly available and easily searchable, cus-
because of his inadequate collaboration with federal authorities in tomers became susceptible to blackmail, with professional and per-
an attempt to try to control the investigation and obscure the leak- sonal ramifications [72]. Many of the leaked email addresses
age of information [74]. contained the ‘.mil’ domain, indicating people who serve in the US
military. Adultery, however, is a crime in the US military and mem-
bers of Ashley Madison were subject to a year of confinement or dis-
The Ashley Madison case
honourable discharge [77]. In a similar vein, owners of 1, 200 ‘.sa’
In July 2015, details of 33 million accounts and personal informa-
email addresses were exposed to a potential death sentence, which is
tion about people registered on Ashley Madison, a website facilitat-
the punishment in Saudi Arabia for adultery. New practices of
ing extramarital affairs, were leaked [63]. A core principle of Ashley
cybercrime emerged, with criminals threatening to expose people
Madison’s business model was privacy and security, through which
whose email addresses were found in the Ashley Madison dataset to
they would build a trust relationship with their customers. The
their ‘significant other’, unless $225 were paid in bitcoin [65].
cyber-attack, therefore, had dramatic consequences for the reputa-
Public figures were coerced into ‘painful personal admissions’,
tion of the company, not only because it exposed the vulnerabilities
others were divorced, while the Toronto police reported two sui-
of the system, but because it proved that Ashley Madison’s promise
cides potentially linked to the cyber-attack [65].
to delete data upon customers’ request was not kept [77]. As a result
of this practice, Ashley Madison became liable to lawsuits [77], with
many organizations soliciting litigants on Twitter [72]. What are of Analysis of case studies for propagation of harm
great interest in this case, however, are the repercussions of what We start our analysis with a digest of the different types of harm
was coined as ‘collateral damage’ which are peculiar to the nature of arising from the case studies and their impact on the organization
the services the website offered. and its employees and customers. This is presented below as a visual
in Fig. 2, and then discussed in general in the remainder of the section.

There are several salient points that can be seen in the cases assessed. Focusing on one of the most prevalent classes of cyber-attack in the literature, i.e. data breaches (e.g. details of JP Morgan customers or employees at Sony), the direct type of harm which occurs based on our taxonomy is ‘exposure or leakage of digital information’. As is evident in the case studies presented above, different entities and stakeholders were affected by the various harms that occurred (e.g. the organization under attack, its employees, customers and suppliers).

We commence our analysis for the subsequent types of harm from an organization’s perspective, since organizations are the main targets of data breaches. The most prominent type of harm is ‘reputational damage’, which may lead to ‘damaged relationships with employees and customers’. By the time the attack is publicly announced, ‘economic harms’ may be triggered due to potential regulatory fines from ‘law enforcement’ (as happened in the case of Sony), which may be amplified by related harms including ‘PR response costs’ (to give notice of the incident and to manage the company’s response in both online and offline media), ‘reduced numbers of customers, falls in stock prices and reduced growth’. A key point to note here is that this harm propagation also alludes to the temporal dimension present with risk more generally, as discussed in Section ‘What is cyber-harm for organizations?’.

Departing from organizations and focusing our perspective on employees and customers, ‘psychological’ harm is the most common type of harm following ‘leakage of digital information’. People feel ‘confusion, discomfort, frustration’ and ‘worry’, and the magnitude of these types of harm depends on the environment within which the attack was realized. For example, when a financial institution such as JP Morgan was breached, psychological harms were more severe than in the Sony case. In the cases where individuals were blackmailed, additional types of harm such as ‘extortion payments’ occurred. In a similar vein, ‘identity theft’ may be experienced, and this can result in compensation payments by the banking sector. In extreme circumstances, the ultimate example being that of Ashley Madison, psychological harms resulted in ‘loss of life’ because individuals felt ‘shamed’ and ‘embarrassed’. ‘Social harm’ may occur in situations where not all the aforementioned types of harm are addressed appropriately and in a timely manner. An example where such a harm was manifested is the Sony case, where there was ‘disruption of daily lives’ and a ‘drop in internal organization morale’.

It should be evident from the cases presented above that the sequence of types of harm which occurred when information was leaked is similar, the main difference being the impact and the length of the chain describing the propagation of different types of harm. These attributes depend on how well, and how promptly, the stakeholders responsible for addressing harmful situations respond to the events that unfold. Thus, as alluded to in Fig. 2, there is a temporal element that is critical to the propagation of harm, which is also related to the quality of the controls that organizations have in place to mitigate harms.

In a similar vein, we can observe how types of harm unfold when the assets under attack are ‘destroyed’. Starting from an organization’s perspective, emerging harms are ‘disrupted operations, deteriorating sales’ and ‘loss of key staff’ (in cases where they are forced to resign). It is important to note that the types of direct harm that manifest in most cases depend on the assets exploited by the attacks. The presence of subsequent waves of harm is influenced by the remediation measures which organizations have in place. As a pattern, ‘physical’ harms lead to ‘economic’ harms, which if not addressed may lead to ‘reputational’ harms for organizations. When ‘psychological’ harms for employees occur after ‘physical harms’, then ‘economic’ and ‘physical’ harms may follow for employees and customers. The presence of such types of harm may amplify the ‘economic’, ‘reputational’ and, more rarely, ‘social’ harms that organizations already experience.

To reflect more generally on the cases in terms of commonalities in harm propagation, exposed or leaked data, especially when it contains personal information, usually has a significant impact on the organization and its customers. Customers often feel confused and frustrated, and this may escalate significantly depending on the data that has been leaked (sometimes the outcome is identity theft, and other times loss of life). As certain personal information, such as names and social security numbers, is held for life, the harm associated with a cyber-attack can last for years; this is particularly why more companies are offering credit-monitoring services after data leaks. Similar broad propagation effects can also be seen in more recent hacks, including that of Equifax in 2017 [78] and the Singapore government’s national health database in 2018 [79].

In terms of the organizational harms, the leakage of data typically has some negative impact on operations, and tends to involve PR response costs and, in some cases, loss in revenue. A subsequent harm that is often incurred by the organization is a damaged relationship with customers, suppliers and the public. Possibly the largest difference in the cases is the exact harm that can result. With Ashley Madison, this resulted in loss of life due to suicide, which may be understandable given the personal nature of the data leaked. For JPMorgan, however, we saw the reassignment of the executive in charge of protecting their network. To consider our earlier reflections on risk in Section ‘What is cyber-harm for organizations?’, it is unclear whether this represented some instance of ‘organised irresponsibility’ or poor management of incident response.

To consider the situation today, there are several recent examples of similar propagations of organizational harm, for instance the case of Facebook and Cambridge Analytica in 2018 [80]. Here, the ‘end’ harm of this incident was the closure of the latter, and regulatory fines and severe public criticism for the former. It is the unknown nature of such attack consequences that may lead some organizations to attempt to avoid harm propagation using other, potentially questionable, means. The Uber breach is an intriguing example of this, where the company opted to secretly pay hackers rather than publicly reveal the leak of details of 57 million customers and drivers [81].

It is important to understand the propagation trends of harm, as we may then be able to ascertain what the likely harm is in future attacks and put in place measures to mitigate it. This is a very different lens to that of a kill-chain [82], which seeks to explain the phases of an attack. If we were to orientate a defensive strategy solely around a kill-chain, then we might find ourselves investing in defensive measures and incident responses which are not actually tightly coupled with limiting the harm to the organization.

Conclusions, reflection and future work

Technological advancements have forced organizations to digitalize parts of their functionality and operations. While investments in IT may result in profit and prosperity, there is always the lurking risk of cyber-attacks and incidents. The threat landscape of cyber-attacks is rapidly changing and the impact of such attacks is uncertain. There is, however, as we showed in Section ‘What is
cyber-harm for organizations?’, a lack of effective metrics, tools and frameworks seeking to understand and assess the harm organizations face from cyber-attacks.

According to the CUNA president and CEO Jim Nussle, organizations are not incentivized to invest in and prioritize security [83]. It is of paramount importance for board members to obtain a comprehensive cost-benefit analysis of how cutting-edge technologies and investments in implementing strong cybersecurity practices may hedge the risk of a cyber-attack and its harmful impact. The case studies presented in Section ‘The propagation of cyber-harm’ illustrated that organizations lack sufficient models to estimate the harm, direct and indirect, from cyber-attacks. What is further evident from our analysis of the case studies is that organizations remain oblivious to the harms that consumers or their employees experience. Without a holistic understanding of all possible harms, therefore, it is impossible for organizations to prioritize controls to mitigate these harms. Current practices which organizations adopt either myopically calculate the harm from a cyber-attack or estimate financial damages from the stock-market exchanges. In this way, they neglect the indirect harms resulting from cyber-attacks and the harms that consumers experience; these harms are not always visible and may have more longitudinal effects.

Based on a thorough literature review and on analysing a series of cyber-incidents, we have presented a taxonomy of cyber-harms aimed at providing further insight into the direct and indirect harms which organizations and individuals may experience. Our expectation is that our taxonomy should provide the essential broad knowledge of harms for organizations, enable them to consider indirect harms to consumers and other corporate and non-corporate actors, and shift the current tendency of organizations to remain inactive or tolerate harms which impact non-corporate actors. We hope to avoid situations and perspectives such as the following, where the former executive director of Sony Pictures was reported in 2005 as stating ‘[I]t’s a valid business decision to accept the risk of a security breach. I will not invest $10 million to avoid a possible $1 million loss’ [83]. The reality is that cyber-attacks can have much more significant and long-lasting harms beyond what is initially perceived. Our taxonomy would help to elucidate these, and thereby support better decision-making in risk management and the selection of security controls.

While we believe that our taxonomy elucidates many of the key aspects of cyber-harm for organizations, we emphasize that this version is especially intended to motivate further discourse on this topic in the field. As such, there are several outstanding questions still to be addressed. For example, is this taxonomy of harm able to capture and usefully structure all the types of harm that may occur to organizations as a result of a cyber-incident? Although we sought to be comprehensive in our research, by considering real cases and relevant literature, we appreciate that discussions with business and security professionals in organizations, particularly those that have suffered a cyber-incident, may lead to an expanded set of harm categories or a refined harm structure. A key activity, therefore, is the expansion of the taxonomy in Fig. 1, and the characterization of more rigorous and useful harm quantification metrics and magnitudes.

Although there has been significant research in the space of understanding the impact of cyber-incidents, as discussed in previous sections, the lack of a model which can support analytics regarding the detection, measurement, prediction and prioritization of cyber-harms is evident. The taxonomy developed and presented in this article is essential to the creation of such a model, which can then underpin analytics; such analytics include a more functional understanding of how we might go about modelling the interconnections that exist between harms, and so the possible cascading effects.

Therefore, our next steps are to extend this research by designing an asset-oriented model. Our decision is based on the fact that such an approach encourages organizations to focus on their core assets, and to think beyond current threats to consider the full range of harms that might potentially result to those assets. Reflecting on our taxonomy and the case studies presented in the article, we believe that such a model should comprise six different stages in defining and assessing the notion of cyber-harm. These are: identifying core assets; identifying direct harm to assets; determining the stakeholders that hold an interest in direct harm; identifying different types of cyber-harm occurring from the direct harm; measuring the overall indirect harm (i.e. propagating harm) for all the stakeholders; and understanding this variety of cyber-harm and the security controls in place that might be able to treat it.

Every stakeholder may perceive or experience harm differently, and the consequences of cyber-attacks should be assessed based on their views, resulting in the existence of different ‘lenses’ through which to examine cyber-harm. We believe that such a model is crucially required if organizations are to optimally structure their cybersecurity controls for minimizing harms. This is especially relevant as technologies such as the IoT and Artificial Intelligence (AI) mature and become widely deployed, and organizations look to manage risk, be it through internal methods or investment in cyber-insurance [84]. Our review of the literature suggests that the majority of successful cyber-attacks exploit well-known vulnerabilities and the inertia of organizations in providing appropriate cybersecurity policies, owing to misconceptions about the risks that may emerge. It is, therefore, crucial for board members to obtain an accurate estimate of direct and indirect harm from cyber-attacks before reconsidering the threat landscape their organizations face. We believe a taxonomy of harms is a decisive first step in this direction.

References

1. ISACA. State of Cybersecurity: Implications for 2015. http://www.isaca.org/cyber/Documents/State-of-Cybersecurity_Res_Eng_0415.pdf (13 July 2018, date last accessed).
2. National Institute of Standards and Technology. Special Publication 800-30 Revision 1: Guide for Conducting Risk Assessments. http://dx.doi.org/10.6028/NIST.SP.800-30r1 (13 July 2018, date last accessed).
3. Oxford English Dictionary. Definition of harm. 2013.
4. Schulhofer SJ. Harm and punishment: a critique of emphasis on the results of conduct in the criminal law. UPa L Rev 1974;122:1497–1607.
5. Sharpe V, Faden A. Medical Harm: Historical, Conceptual, and Ethical Dimensions of Iatrogenic Illness. 1998. New York: Cambridge University Press, 1974.
6. Kleinig J. Crime and the concept of harm. Am Philos Q 1978;15:27–36.
7. Gratz KL. Risk factors for and functions of deliberate self-harm: an empirical and conceptual review. Clin Psychol 2006;10:192–205.
8. Zou HL, Zeng RC, Zeng SX. How do environmental violation events harm corporate reputation? BSE 2015;24:836–54.
9. Andoh-Baidoo FK, Amoako-Gyampah K, Osei-Bryson K-M. How Internet security breaches harm market value. IEEE Secur Priv 2010;8:36–42.
10. U. K. Government. Chancellor’s Speech to GCHQ on Cyber Security. https://www.gov.uk/government/speeches/chancellors-speech-to-gchq-on-cyber-security (13 July 2018, date last accessed).
11. New Zealand Government. Risk Assessment Process: Information Security. https://www.ict.govt.nz/assets/ICT-System-Assurance/Risk-Assessment-Process-Information-Security.pdf (13 July 2018, date last accessed).
12. UVM. Enterprise Risk Management Program: Guide to Risk Assessment & Response. https://www.uvm.edu/sites/default/files/UVM-Risk-Management-and-Safety/Guide_to_Risk_Opportunity_Assessment_Response.pdf (13 July 2018, date last accessed).
13. ENISA. Security Risk Management Glossary. https://www.enisa.europa.eu/activities/risk-management/current-risk/risk-management-inventory/glossary (13 July 2018, date last accessed).
14. ISO/IEC. ISO/IEC 13335-1:2004 Part 1: Concepts and models for information and communications technology security management, 2004.
15. Beck U. Risk Society: Towards a New Modernity. Vol. 17. London: Sage, 1992.
16. Giddens A. The Consequences of Modernity. Cambridge: Polity Press, 1990.
17. Beck U. The terrorist threat: world risk society revisited. Theory Cult Soc 2002;19:39–55.
18. Van Slyke SR, Van Slyke S, Benson ML. The Oxford Handbook of White-Collar Crime. Oxford University Press, 2016.
19. Greenfield VA, Paoli L. A framework to assess the harms of crimes. Br J Criminol 2013;53:864–885.
20. Levi M. Social reactions to white-collar crimes and their relationship to economic crises. In: Deflem M (ed.), Economic Crisis and Crime. Sociology of Crime, Law and Deviance, Volume 16. Emerald Group Publishing Limited, 2011, 87–105.
21. Spalek B. White-collar crime and secondary victimization: an analysis of the effects of the closure of BCCI. Howard J Crim Just 2001;40:166–79.
22. Brenner SW. Cybercrime metrics: old wine, new bottles? Va. JL & Tech 2004;9:13–13.
23. Felici M, Wainwright N, Cavallini S, et al. What’s new in the economics of cybersecurity? IEEE Secur Priv 2016;14:11–13.
24. Anderson R, Barton C, Böhme R, et al. Measuring the cost of cybercrime. The Economics of Information Security and Privacy, 2013; 265–300.
25. Anderson R, Moore T. The economics of information security. Science 2006;314:610–613.
26. Moore T. The economics of cybersecurity: principles and policy options. IJCIP 2010;3:103–17.
27. Punter A, Coburn A, Ralph D. Evolving risk frameworks: modelling resilient business systems as interconnected networks. Centre for Risk Studies, University of Cambridge 2016. http://cambridgeriskframework.com/page/17 (13 July 2018, date last accessed).
28. Lloyds of London. Counting the cost. https://www.lloyds.com/news-and-insight/risk-insight/library/technology/countingthecost (13 July 2018, date last accessed).
29. Klahr R, Shah J, Sheriffs P, et al. Cyber security breaches survey 2017: main report, 2017. https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2017 (13 July 2018, date last accessed).
30. Anderson R, Böhme R, Clayton R, et al. Security economics and European policy. In: Pohlmann N, Reimer H, Schneider W (eds). ISSE 2008 Securing Electronic Business Processes 2009; 55–80.
31. Laube S, Böhme R. The economics of mandatory security breach reporting to authorities. J Cybersecur 2016;2:29–41.
32. Kshetri N. The simple economics of cybercrimes. IEEE Secur Priv 2006;4:33–39.
33. Edwards B, Hofmeyr S, Forrest S. Hype and heavy tails: a closer look at data breaches. J Cybersecur 2016;2:3–14.
34. Nguyen KD, Rosoff H, Richard SJ. Valuing information security from a phishing attack. In: International Conference on Applied Human Factors and Ergonomics. Cham: Springer, 2017.
35. Why it pays to complain via Twitter. BBC News, 2014. http://www.bbc.co.uk/news/business-27381699 (13 July 2018, date last accessed).
36. Telang R, Wattal S. An empirical analysis of the impact of software vulnerability announcements on firm stock price. IEEE Trans Softw Eng 2007;33:544–57.
37. Acquisti A, Telang R, Friedman A. Is there a cost to privacy breaches? An event study. Proceedings of the 3rd International Conference on Intelligent Systems (ICIS), 2006.
38. Cavusoglu H, Mishra B, Raghunathan S. The effect of internet security breach announcements on market value: capital market reactions for breached firms and internet security developers. IJEC 2004;9:70–104.
39. Kvochko E, Pant R. Why data breaches don’t hurt stock prices. Harvard Business Review, 2015. https://hbr.org/2015/03/why-data-breaches-dont-hurt-stock-prices (13 July 2018, date last accessed).
40. Hovav A, D’Arcy J. The impact of denial-of-service attack announcements on the market value of firms. RMIR 2003;6:97–121.
41. Campbell K, Gordon LA, Loeb MP, et al. The economic cost of publicly announced information security breaches: empirical evidence from the stock market. J Comput Secur 2003;11:431–448.
42. Kannan K, Rees J, Sridhar S. Market reactions to information security breach announcements: an empirical analysis. IJEC 2007;12:69–91.
43. World Economic Forum. Partnering for cyber resilience towards the quantification of cyber threats. http://www3.weforum.org/docs/WEFUSA_QuantificationofCyberThreats_Report2015.pdf (13 July 2018, date last accessed).
44. Çetin B, Yaman E, Peker A. Cyber victim and bullying scale: a study of validity and reliability. Comput Educ 2011;57:2261–2271.
45. Harvard Mental Health Letter. Protecting children and teens from cyber-harm. Harvard Health Pubs 2008;25:4–5.
46. Gartzke E. The myth of cyberwar: bringing war in cyberspace back down to earth. Int Secur 2013;38:41–73.
47. Charles P, Pfleeger SL. Analyzing Computer Security: A Threat/Vulnerability/Countermeasure Approach. Upper Saddle River, NJ: Prentice Hall, 2012.
48. Kesan JP, Hayes CM. Thinking through active defense in cyberspace. In: Proceedings of the Workshop on Deterring Cyberattacks: Informing Strategies and Developing Options, Washington, DC: The National Academies Press; 2010, 327–42.
49. US Department of Homeland Security. Cyber risk management and cybersecurity insurance. http://www.dhs.gov/cybersecurity-insurance (13 July 2018, date last accessed).
50. Titcomb J. Ukrainian blackout blamed on cyber-attack. The Telegraph, 2015. http://www.telegraph.co.uk/technology/news/12082758/Ukrainian-blackout-blamed-on-cyber-attack-in-world-first.html (13 July 2018, date last accessed).
51. Greenberg A. Hackers remotely killed a jeep on the highway, with me in it. Wired, 2015. http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/ (13 July 2018, date last accessed).
52. Lee T. Forget the Ashley Madison or Sony Hacks – a crippling cyberattack is imminent in the US. The Guardian, 2015. http://www.theguardian.com/technology/2015/jul/26/cybercrime-hacking-internet-of-things-target (13 July 2018, date last accessed).
53. Agrafiotis I, Bada M, Cornish P, et al. Cyber harm: concepts, taxonomy and measurement. Saïd Business School Working Paper 2016;23. doi: http://dx.doi.org/10.2139/ssrn.2828646.
54. Paolo Passeri, Hackmageddon. Cyber attacks timeline, 2016. http://www.hackmageddon.com/category/security/cyber-attacks-timeline (13 July 2018, date last accessed).
55. Veris Community D. http://veriscommunity.net/vcdb.html (13 July 2018, date last accessed).
56. UK Government and Marsh, Ltd. UK cyber security: the role of insurance in managing and mitigating the risk. https://www.gov.uk/government/publications/uk-cyber-security-the-role-of-insurance (13 July 2018, date last accessed).
57. Hess A. Inside the Sony hack. Slate, 2015. http://www.slate.com/articles/technology/users/2015/11/sony_employees_on_the_hack_one_year_later.html (13 July 2018, date last accessed).
58. Elo S, Kyngäs H. The qualitative content analysis process. J Adv Nurs 2008;62:107–15.
59. Hsieh HF, Shannon SE. Three approaches to qualitative content analysis. Qual Health Res 2005;15:1277–88.
60. Pemberton S. Social harm future(s): exploring the potential of the social harm approach. Crime Law Soc Change 2007;48:27–41.
61. The Parliament of the Commonwealth of Australia. Privacy Amendment (Notification of Serious Data Breaches) Bill 2015. https://www.ag.gov.au/Consultations/Pages/serious-data-breach-notification.aspx (13 July 2018, date last accessed).
62. Gizmodo. Last month’s massive Target hack was the heating guy’s fault, 2014. http://gizmodo.com/last-months-massive-target-hack-was-the-heating-guys-1516926877 (13 July 2018, date last accessed).
63. InfoSec Institute. Ashley Madison revisited: legal, business and security repercussions, 2015. http://resources.infosecinstitute.com/ashley-madison-revisited-legal-business-and-security-repercussions (13 July 2018, date last accessed).
64. Dark Reading. Sony data breach cleanup to cost $171 million, 2011. http://www.darkreading.com/attacks-and-breaches/sony-data-breach-cleanup-to-cost-$171-million/d/d-id/1097898 (13 July 2018, date last accessed).
65. Ashley Madison aftermath: confessions, suicide reports and hot on the hacker’s trail. National Post, 2015. http://news.nationalpost.com/news/canada/ashley-madison-aftermath-confessions-suicide-reports-and-hot-on-the-hackers-trail (13 July 2018, date last accessed).
66. Variety. Sony hack attack opens minefield of legal questions that has Hollywood worried, 2015. http://variety.com/2015/biz/news/sony-hack-attack-opens-minefield-of-legal-questions-that-has-hollywood-worried-1201471664 (13 July 2018, date last accessed).
67. PwC. Limiting the impact of data breaches: the case of the Sony PlayStation Network, 2011. http://www.strategyand.pwc.com/reports/limiting-impact-data-breaches-case (13 July 2018, date last accessed).
68. The Huffington Post. A look back at the Target breach, 2015. http://www.huffingtonpost.com/eric-dezenhall/a-look-back-at-the-target_b_7000816.html (13 July 2018, date last accessed).
69. White L, Bergin T. Tesco says $3 million stolen in cyber theft, resumes service. Reuters, 2016. http://www.reuters.com/article/us-tesco-bank-idUSKBN1331TX (13 July 2018, date last accessed).
70. TalkTalk hackers go on £600 spending spree with stolen card details as boss says it’s too early to consider compensation. The Mirror, 2015. http://www.mirror.co.uk/news/uk-news/talktalk-hackers-go-600-spending-6694321 (13 July 2018, date last accessed).
71. McDaid L. TalkTalk cyber-attack: County Londonderry man targeted. BBC News, 2015. http://www.bbc.co.uk/news/uk-34613921 (13 July 2018, date last accessed).
72. Top data security expert fears traumatic aftermath in Ashley Madison hack. The Guardian, 2015. https://www.theguardian.com/technology/2015/aug/19/ashley-madison-hack-outcome (13 July 2018, date last accessed).
73. Sony seeking more cybersecurity staff amid hack. The Wall Street Journal, 2014. http://blogs.wsj.com/cio/2014/12/22/sony-seeking-more-cybersecurity-staff-amid-hack-fallout/ (13 July 2018, date last accessed).
74. JP Morgan security exec reassigned after breach. Europe TechWeek, 2015. http://www.techweekeurope.co.uk/e-management/jobs/jp-morgan-exec-reassigned-171644 (13 July 2018, date last accessed).
75. Howard JD, Longstaff TA. A common language for computer security incidents. Sandia National Laboratories, 1998. https://prod.sandia.gov/techlib-noauth/access-control.cgi/1998/988667.pdf (13 July 2018, date last accessed).
76. JP Morgan Chase reveals massive data breach affecting 76m households. The Guardian, 2014. http://www.theguardian.com/business/2014/oct/02/jp-morgan-76m-households-affected-data-breach (13 July 2018, date last accessed).
77. The Verge. The mind-bending messiness of the Ashley Madison data dump, 2015. http://www.theverge.com/2015/8/19/9178855/ashley-madison-data-breach-implications (13 July 2018, date last accessed).
78. Krebs on Security. Breach at Equifax May Impact 143M Americans, 2017. https://krebsonsecurity.com/2017/09/breach-at-equifax-may-impact-143m-americans/ (13 July 2018, date last accessed).
79. Singapore personal data hack hits 1.5m, health authority says. BBC News, 2018. https://www.bbc.com/news/world-asia-44900507 (13 July 2018, date last accessed).
80. Revealed: 50 million Facebook profiles harvested from Cambridge Analytica in major data breach. The Guardian, 2018. https://www.theguardian.com/news/2018/mar/17/cambridge-analytica-facebook-influence-us-election (13 July 2018, date last accessed).
81. Uber concealed huge data breach. BBC News, 2017. https://www.bbc.co.uk/news/technology-42075306 (13 July 2018, date last accessed).
82. Hutchins EM, Cloppert MJ, Amin RM. Intelligence-driven computer network defense informed by analysis of adversary campaigns and intrusion kill chains. In: Ryan J (ed.). Leading Issues in Information Warfare & Security Research Vol. 1, Reading, UK: Academic Publishing International Limited; 2011.
83. Infosec Institute. How harmful can a data breach be?, 2016. http://resources.infosecinstitute.com/the-cost-of-a-data-breach-how-harmful-can-a-data-breach-be (13 July 2018, date last accessed).
84. Woods D, Agrafiotis I, Nurse JR, et al. Mapping the coverage of security controls in cyber insurance proposal forms. JISA 2017;8:8.
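The propagation chains discussed in the section ‘Analysis of case studies for propagation of harm’, and the six-stage asset-oriented model sketched in the conclusions, can be made concrete as a small graph model. The Python below is an added example, not code from the article or its authors. The nodes are (stakeholder, harm) pairs named after entries in the taxonomy; the edges between them, and the control names attached to some edges, are illustrative assumptions reconstructed from the case-study narrative rather than a validated model. A breadth-first walk from a direct harm numbers each indirect harm by the wave in which it arrives, which is the temporal element the article stresses; removing the edges that an in-place control is assumed to break shows how the length of the chain depends on the controls an organization has, and ranking controls by the harms they cut off is one way of approaching the model's last stage, matching cyber-harm to the controls that might treat it.

```python
"""Toy model of harm propagation chains (added example, not the article's code).

Each node is a (stakeholder, harm) pair drawn from the article's taxonomy and
each directed edge says the first harm may give rise to the second.  An edge
may name a control that, when in place, is assumed to break that link.  The
edge set and the control names are illustrative assumptions built from the
narrative of the case-study analysis, not a validated model.
"""
from collections import deque

ORG = "organization"
PEOPLE = "employees and customers"

# Direct harms (wave 0) and the indirect harms they may propagate to.
LEAK = (ORG, "exposure or leakage of digital information")
PHYSICAL = (ORG, "physical damage to assets")
REPUTATION = (ORG, "reputational damage")
RELATIONSHIPS = (ORG, "damaged relationships with customers and suppliers")
FINES = (ORG, "regulatory fines")
PR_COSTS = (ORG, "PR response costs")
STOCK_FALL = (ORG, "fall in stock price")
COMPENSATION = (ORG, "compensation payments")
OPERATIONS = (ORG, "disrupted operations")
SALES = (ORG, "deteriorating sales")
PSYCH = (PEOPLE, "psychological harm")
ID_THEFT = (PEOPLE, "identity theft")
EXTORTION = (PEOPLE, "extortion payments")
LOSS_OF_LIFE = (PEOPLE, "loss of life")
MORALE = (PEOPLE, "drop in internal morale")

# (source, target, control assumed to break this link, or None).
# Assumed links, loosely following the Sony, JP Morgan and Ashley Madison cases.
EDGES = [
    (LEAK, REPUTATION, None),
    (REPUTATION, RELATIONSHIPS, "timely and transparent disclosure"),
    (LEAK, FINES, None),
    (FINES, PR_COSTS, None),
    (PR_COSTS, STOCK_FALL, "timely and transparent disclosure"),
    (LEAK, PSYCH, None),
    (PSYCH, ID_THEFT, "credit monitoring for affected customers"),
    (ID_THEFT, COMPENSATION, None),
    (PSYCH, EXTORTION, None),
    (PSYCH, LOSS_OF_LIFE, None),
    (RELATIONSHIPS, MORALE, "incident response with employee support"),
    (PHYSICAL, OPERATIONS, None),
    (OPERATIONS, SALES, "business continuity plan"),
    (SALES, REPUTATION, None),
]


def build_graph(edges, controls_in_place):
    """Adjacency list with every edge removed whose control is in place."""
    adj = {}
    for src, dst, control in edges:
        if control is not None and control in controls_in_place:
            continue
        adj.setdefault(src, []).append(dst)
    return adj


def propagate(direct_harm, controls_in_place=frozenset(), edges=EDGES):
    """Breadth-first walk from a direct harm.

    Returns {node: wave}, where wave is the number of propagation steps from
    the direct harm; successive waves model the temporal element of harm
    propagation that the article discusses.
    """
    adj = build_graph(edges, controls_in_place)
    waves = {direct_harm: 0}
    queue = deque([direct_harm])
    while queue:
        node = queue.popleft()
        for nxt in adj.get(node, []):
            if nxt not in waves:
                waves[nxt] = waves[node] + 1
                queue.append(nxt)
    return waves


def chain_length(waves):
    """Length of the longest propagation chain (the last wave reached)."""
    return max(waves.values())


def harms_by_stakeholder(waves):
    """Group propagated harms into each stakeholder's 'lens', ordered by wave."""
    lenses = {}
    for (stakeholder, harm), wave in waves.items():
        lenses.setdefault(stakeholder, []).append((wave, harm))
    for entries in lenses.values():
        entries.sort()
    return lenses


def rank_controls(direct_harm, edges=EDGES):
    """Rank each control by how many downstream harms it removes on its own."""
    baseline = set(propagate(direct_harm, frozenset(), edges))
    controls = {c for _, _, c in edges if c is not None}
    ranked = [(len(baseline - set(propagate(direct_harm, frozenset({c}), edges))), c)
              for c in controls]
    return sorted(ranked, key=lambda t: (-t[0], t[1]))


if __name__ == "__main__":
    for stakeholder, entries in harms_by_stakeholder(propagate(LEAK)).items():
        print(stakeholder)
        for wave, harm in entries:
            print(f"  wave {wave}: {harm}")
    print("controls ranked by harms removed:", rank_controls(LEAK))
```

Running the module prints each stakeholder's lens for a data leak and the controls ranked by the number of indirect harms they cut off. The edge table is the part a practitioner would replace with links evidenced from their own incidents; the walk and the ranking stay the same.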
