Taxonomy of technological risks: when things fail badly


"A Taxonomy of Operational Cyber Security Risks" by CMU's James J. Cebula and Lisa R. Young is a year-old paper that attempts to classify all the ways that technology goes wrong, and the vulnerabilities that ensue. Fascinating reading, a great primer on technology and security, and as a bonus, there's a half-dozen science fiction/technothriller plots lurking on every page.
This report presents a taxonomy of operational cyber security risks that attempts to identify and organize the sources of operational cyber security risk into four classes: (1) actions of people, (2) systems and technology failures, (3) failed internal processes, and (4) external events. Each class is broken down into subclasses, which are described by their elements. This report discusses the harmonization of the taxonomy with other risk and security activities, particularly those described by the Federal Information Security Management Act (FISMA), the National Institute of Standards and Technology (NIST) Special Publications, and the CERT Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) method.
A Taxonomy of Operational Cyber Security Risks (PDF)