UNIDIR: A Taxonomy of Malicious ICT Incidents

The international community is expressing growing concerns regarding threats in the sphere of information communication technology (ICT) security. The exprets from the United Nations Open-ended working group stated that “ICT incidents are increasing in frequency and sophistication, and are constantly evolving and diversifying”

Member States have also acknowledged that the threat landscape varies by region and State and that what constitutes a threat varies according to each country’s characteristics. However, despite pointing to the deterioration of the ICT security environment, the United Nations cyber processes have not focused on mapping a common threat landscape.

One of the reasons for the lack of a shared characterization of the threat environment at the multilateral level is the absence of consensus and clarity in describing the threats. This lacuna originates from multiple factors. First, there is a gap in common standards in the public and private sectors on how to categorize and measure cyber incidents. Second, some existing taxonomies are too technical and too detailed to be consulted and used by non-ICT experts or practitioners. While relevant for subject experts’ assessments, such technicalities and details may hinder discussions at the political or strategic level. Third, some taxonomies employ concepts that are highly contested by some Member States, such as ‘threat actor’ or ‘cyber attack’, or they refer to actions that are not considered inconsistent with their obligations under the framework of responsible State behaviour. Therefore, these terms are not conducive for discussions in international multilateral forums.

The taxonomy of malicious ICT incidents presented here is composed of a simple radial diagram (see figure). In the left section, there are the elements or inputs necessary for a malicious ICT incident to take place. These are the perpetrator, the vector, the victim, the targeted asset, and the cybersecurity failures. At the center of the radial diagram, there is the malicious ICT act, which refers to the intentional act that leverages ICTs to compromise the confidentiality, integrity, and availability of data. On the right part of the infographic, there are the possible outputs resulting from the malicious ICT act.

This taxonomy uses the terms ‘incident’ and ‘act’ in two distinct ways. The first refers to the broader understanding of a malicious ICT event, which encompasses all the elements identified in the taxonomy. The second refers directly to the penetration or hacking of a system or a network.

Each cell of the radial diagram focuses on a specific component of the incident that helps to identify and to categorize it. The cells have been created drawing on a review of the existing technical literature and interviews with ICT experts. Within the categories, additional items are listed to help the reader to further identify the specifics of each element. The list is not be considered closed, rather new typologies of items can be included as needed. In the following paragraphs, each of the taxonomy components is explained.

The input cells, identified by outgoing arrows, represent key elements that are necessary for the realization of a malicious ICT incident. The output cells, identified by incoming arrows, refer to key elements that may occur as a result of a malicious ICT act.


Source: UNIDIR