Affiliations: Arizona State University, Tempe, AZ, USA
Note: Address for correspondence: Nong Ye, Professor of Industrial
Engineering, Arizona State University, Information and Systems Assurance
Laboratory, Box 875906, Tempe, AZ 85287-5906, USA. Tel.: +1 480 965 7812; Fax:
+1 480 965 8692; E-mail: nongye@asu.edu
Abstract: Computer and network systems fall victim to many cyber attacks of
different forms. To reduce the risks of cyber attacks, an organization needs to
understand and assess them, make decisions about what types of barriers or
protection mechanisms are necessary to defend against them, and decide where to
place such mechanisms. Understanding cyber attack characteristics (threats,
attack activities, state and performance impact, etc.) helps in choosing
effective barriers. Understanding the assets affected by cyber attacks helps
decide where to place such barriers. To develop these understandings, we
classify attacks in a comprehensive, sensible format. This paper presents the
System-Fault-Risk (SFR) framework for cyber attack classification, which we
base on a scientific foundation, combining theories from system engineering,
fault modeling, and risk assessment. Our work extends existing classifications
with a focus on separating cause and effect, and further refining effects to
include state and performance.