The article “A taxonomy of cyber-harms: Defining the impacts of cyber-attacks and understanding how they propagate” by Ioannis Agrafiotis, Jason R. C. Nurse, Michael Goldsmith, Sadie Creese, and David Upton examines how we identify cyber-attacks. The authors argue that “we may be selecting our risk treatments and controls based on knowledge that does not fully take account of the ways in which harm can emerge, nor of the breadth of harms that can result from a single cyber-attack” (Ioannis Agrafiotis et al., 2018), meaning that we look at each cyber-attack in isolation and do not see how they connect to each other. In their article they try to create a taxonomy which shows how cyber-attacks intertwine with one another.
Their approach to finding a taxonomy on which one could rely was to study real-life incidents that had happened in the past, using archives from datasets such as Hackmageddon and the VERIS Community Database (VCDB). In their article they discuss four such cases – The Sony Cases, The JP Morgan Case, and The Ashley Madison Case – and show how their taxonomy could predict what was going to happen after the initial cyber-attack in each case. They explain that in The Sony Cases, after the earthquake in 2011 in Japan, “77 million PlayStation Network (PSN) subscribers as well as 24.6 million Sony Online Entertainment accounts had been exposed due to an external breach” (Ioannis Agrafiotis et al., 2018). They also talk about a case in 2014 involving sensitive data including “more than 30 000 internal documents, 170 000 emails, social-security numbers of Sony’s employees, personnel reviews and medical histories, and movies which had not yet been released” (Ioannis Agrafiotis et al., 2018), and about how many of Sony’s employees suffered from identity theft. They also explain that Sony’s stock dropped after each cyber-attack and that in 2011 it even affected the Japanese economy. Finally, they explain that the cyber-attacks harmed not only the companies themselves but also the relationship between the company and its employees, customers, and suppliers, generating a greater financial loss.
With their taxonomy they try to “outline the range of categories of harm and structure them in a way that allows cascading harms to be considered” (Ioannis Agrafiotis et al., 2018), and they have done so successfully: they compared the initial cyber-attack on Sony, and the events that happened afterwards, with their taxonomy. They looked in the taxonomy for what most closely resembled the initial cyber-attack, went from there, and successfully showed how the taxonomy was able to predict what other harms were going to occur.
