Computer and network systems fall victim to many cyber attacks of different forms. To reduce the risks of cyber attacks, an organization needs to understand and assess them, make decisions about what types of barriers or protection mechanisms are necessary to defend against them, and decide where to place such mechanisms. Understanding cyber attack characteristics (threats, attack activities, state and performance impact, etc.) helps in choosing effective barriers. Understanding the assets affected by cyber attacks helps decide where to place such barriers. To develop these understandings, we classify attacks in a comprehensive, sensible format. This paper presents the System-Fault-Risk (SFR) framework for cyber attack classification, which we base on a scientific foundation, combining theories from system engineering, fault modeling, and risk assessment. Our work extends existing classifications with a focus on separating cause and effect, and further refining effects to include state and performance.