TLCTC Blog - 2025/03/15

A CISO's Guide to Distinguishing Cyber Risk from IT and Operational Risk

Executive Summary

As a CISO, distinguishing between cyber risks and broader operational risks is critical for effective security resource allocation and control implementation. This guide provides a practical framework using the Top Level Cyber Threat Clusters (TLCTC) to help move beyond control-centric approaches toward threat-informed security management. By understanding the clear distinction between cyber threats and other operational risks, you can build a more resilient security program that addresses root causes rather than just symptoms.

The CISO's Challenge: Control Fixation vs. Threat Context

Most CISOs are well-versed in implementing controls from standard catalogs like ISO 27001, NIST CSF, or CIS. However, these controls often focus on protecting against data risk events (loss of confidentiality, integrity, or availability) without clear connections to the specific threats they address. This "control-first" mindset creates several challenges:

  • Misaligned protection strategies: Controls implemented without threat context may not address the actual attack vectors your organization faces
  • Inefficient resource allocation: Limited security budgets spread across controls without prioritization based on relevant threats
  • Difficulty justifying security investments: When board members ask "what threats are we protecting against?", general references to CIA triad protection are less compelling than specific threat scenarios
  • Reactive rather than proactive security: Focus on compliance-driven controls rather than anticipating attacker methods

The TLCTC framework offers you a powerful lens to overcome these challenges by clearly distinguishing cyber risks from other operational risks and connecting controls directly to threats.

Understanding Operational Risk through the Basel Committee Lens

The Basel Committee on Banking Supervision defines operational risk as "the risk of loss resulting from inadequate or failed internal processes, people, and systems, or from external events." This comprehensive definition encompasses:

  • Process risks (errors, inefficiencies)
  • People risks (human errors, fraud, staffing)
  • System risks (IT failures, technology issues)
  • External event risks (natural disasters, third-party failures)

While this definition provides a useful starting point, it doesn't offer the precision CISOs need to distinguish between different types of technology-related risks.

The TLCTC Definition of Cyber Risk: A Game-Changer for CISOs

[Figure: Bow Tie Diagram]

According to the TLCTC framework, cyber risk is specifically:

"The likelihood of occurrence of a cyber event in which control over IT systems or persons is lost due to one or more of the 10 Top Level Cyber Threat Clusters, leading to consequential damage (impact)."

This definition provides you with essential distinctions that transform how you approach security:

  1. Intent-based classification: Cyber risks typically involve malicious intent from unauthorized or unknown entities, while general IT risks often result from accidental failures or authorized users' errors.
  2. Threat-centric approach: Cyber risks are identified and managed based on 10 distinct threat clusters, each exploiting a specific generic vulnerability.
  3. Loss of control as the central event: The pivotal risk event in cyber risk is the loss of control over systems or persons.
  4. Attack sequence awareness: Cyber risks often involve complex attack paths with multiple threat clusters in sequence.

The Cyber Bow-Tie Model: A Strategic Framework for the CISO

[Figure: Cyber Bow-Tie Model]

The cyber bow-tie model illustrated in the diagram is a powerful tool for CISOs to visualize and communicate the distinction between cyber risks and other operational risks:

Left Side (Cause Side):

  • The 10 Top Level Cyber Threat Clusters represent distinct threat vectors that can lead to system compromise
  • These threats are clearly separated from non-cyber IT risks like "Error in Use" or "Abuse of Rights" (by authorized persons)
  • The PREVENT controls are specifically designed to address these threat clusters

Center (Risk Event):

  • "System Risk Event - Loss of Control" or "compromised IT system" represents the central cyber event
  • This is distinct from other IT risk events like "System Failure," which may occur without malicious action

Right Side (Consequence Side):

  • Data Risk Events (Loss of Confidentiality, Integrity, or Availability) can result from either cyber or non-cyber causes
  • The same data risk events can be caused by either cyber threats or authorized user errors
  • These data risk events then cascade into business risk events with various consequences

Moving from Control-Centric to Threat-Informed Security Management

As a CISO, you can use the TLCTC framework to transform your security approach:

1. Map Your Control Catalog to the 10 Threat Clusters

For each control in your security framework:

  • Identify which threat cluster(s) it addresses
  • Determine if it's a preventive control (left side of bow-tie) or detective/corrective control (center/right side)
  • Assess if the control addresses the generic vulnerability or merely the symptoms

Example: Multi-factor Authentication (MFA)

  • Primary threat cluster addressed: #4 Identity Theft
  • Generic vulnerability addressed: Weak credential protection mechanisms (authentication that rests on a single secret an attacker can steal, guess, or replay)
  • Control type: Preventive
  • NIST function: PROTECT
  • Caveat: MFA stops reuse of a stolen password, but it does not protect an already-authenticated session token, and OTP or push-based factors can be relayed in real time through a phishing proxy; only phishing-resistant MFA (FIDO2/WebAuthn) closes that path, so record which variant is deployed when mapping the control

2. Identify Control Gaps Through Threat Analysis

For each of the 10 threat clusters:

  • Assess your organization's exposure to the generic vulnerability
  • Catalog existing controls addressing the threat
  • Identify gaps where threats aren't adequately addressed
  • Prioritize based on risk exposure and business impact

Example Gap Analysis:

Threat Cluster          | Generic Vulnerability              | Existing Controls                   | Gaps Identified                  | Priority
#2 Exploiting Server    | Server-side code flaws             | WAF, patch management               | No RASP solution                 | High
#9 Social Engineering   | Human susceptibility to deception  | Security awareness, email filtering | No phishing simulation program   | Medium
#10 Supply Chain Attack | Reliance on third-party components | Vendor assessment                   | No software composition analysis | High
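Steps 1 and 2 (mapping the control catalog to clusters, then finding clusters that no control covers) can be kept as data and checked mechanically, which also yields the per-cluster coverage dashboard the action plan asks for later. The following is an added example written for this article, not code from TLCTC or from the page itself. The control catalog, control IDs, and exposure ratings are constructed for illustration; this page names clusters #2, #3, #4, #6, #7, #9 and #10, and the names used for #1, #5 and #8 are taken from the published TLCTC framework.

```python
# TLCTC cluster numbers and names. This page names #2, #3, #4, #6, #7, #9 and #10;
# #1, #5 and #8 are taken from the published TLCTC framework.
CLUSTERS = {
    1: "Abuse of Functions", 2: "Exploiting Server", 3: "Exploiting Client",
    4: "Identity Theft", 5: "Man in the Middle", 6: "Flooding Attack",
    7: "Malware", 8: "Physical Attack", 9: "Social Engineering",
    10: "Supply Chain Attack",
}
NIST_FUNCTIONS = ("IDENTIFY", "PROTECT", "DETECT", "RESPOND", "RECOVER")
PRIORITY = {3: "High", 2: "Medium", 1: "Low"}

# Constructed sample control catalog (control IDs are hypothetical). An empty
# "clusters" list marks a control that acts only on the consequence side of the bow-tie.
CONTROLS = [
    {"id": "CTL-01", "name": "MFA for privileged accounts", "clusters": [4], "function": "PROTECT"},
    {"id": "CTL-02", "name": "Web application firewall", "clusters": [2], "function": "PROTECT"},
    {"id": "CTL-03", "name": "Server patch management", "clusters": [2], "function": "PROTECT"},
    {"id": "CTL-04", "name": "Security awareness training", "clusters": [9], "function": "PROTECT"},
    {"id": "CTL-05", "name": "Email filtering", "clusters": [9, 7], "function": "PROTECT"},
    {"id": "CTL-06", "name": "Endpoint detection and response", "clusters": [7], "function": "DETECT"},
    {"id": "CTL-07", "name": "Vendor security assessment", "clusters": [10], "function": "IDENTIFY"},
    {"id": "CTL-08", "name": "DDoS scrubbing service", "clusters": [6], "function": "PROTECT"},
    {"id": "CTL-09", "name": "Backup and restore testing", "clusters": [], "function": "RECOVER"},
]

# Constructed exposure rating per cluster from the step 1 assessment (1 = low .. 3 = high).
EXPOSURE = {1: 2, 2: 3, 3: 2, 4: 3, 5: 1, 6: 2, 7: 3, 8: 1, 9: 3, 10: 3}


def coverage_matrix(controls):
    """Return {cluster: {nist_function: [control ids]}} for all 10 clusters."""
    matrix = {c: {f: [] for f in NIST_FUNCTIONS} for c in CLUSTERS}
    for ctl in controls:
        if ctl["function"] not in NIST_FUNCTIONS:
            raise ValueError(f"{ctl['id']}: unknown NIST function {ctl['function']}")
        for c in ctl["clusters"]:
            if c not in CLUSTERS:
                raise ValueError(f"{ctl['id']}: unknown cluster #{c}")
            matrix[c][ctl["function"]].append(ctl["id"])
    return matrix


def consequence_only_controls(controls):
    """Controls mapped to no cluster: they limit damage but address no cause."""
    return [ctl["id"] for ctl in controls if not ctl["clusters"]]


def gaps(controls, exposure, required=("PROTECT", "DETECT")):
    """Clusters lacking a control in any required function, highest exposure first."""
    matrix = coverage_matrix(controls)
    found = []
    for c in CLUSTERS:
        missing = [f for f in required if not matrix[c][f]]
        if missing:
            found.append({"cluster": c, "name": CLUSTERS[c], "missing": missing,
                          "priority": PRIORITY[exposure[c]]})
    found.sort(key=lambda g: (-exposure[g["cluster"]], g["cluster"]))
    return found


def render_dashboard(controls):
    """Plain-text coverage table: number of controls per cluster and NIST function."""
    matrix = coverage_matrix(controls)
    rows = ["Cluster".ljust(26) + "".join(f.ljust(10) for f in NIST_FUNCTIONS)]
    for c, funcs in matrix.items():
        cells = "".join(str(len(funcs[f])).ljust(10) for f in NIST_FUNCTIONS)
        rows.append(f"#{c} {CLUSTERS[c]}".ljust(26) + cells)
    return "\n".join(rows)


if __name__ == "__main__":
    print(render_dashboard(CONTROLS))
    print("Consequence-only controls:", consequence_only_controls(CONTROLS))
    for g in gaps(CONTROLS, EXPOSURE):
        print(f"#{g['cluster']} {g['name']}: missing {', '.join(g['missing'])} ({g['priority']})")
```

With the constructed catalog, #7 Malware is the only cluster with both a PROTECT and a DETECT control; #10 Supply Chain Attack has only an IDENTIFY-stage vendor assessment and surfaces as a High gap, matching the table above. The `required` tuple is the policy decision: raising it to include RESPOND makes every cluster without a cluster-specific playbook show up as a gap.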

3. Develop Threat-Specific KRIs, KCIs, and KPIs

Rather than generic security metrics, develop indicators that directly tie to threat clusters:

Key Risk Indicators (KRIs) - Leading indicators that demonstrate potential for future cyber threats:

  • #2 Exploiting Server: Number of unpatched critical server vulnerabilities older than 7 days
  • #4 Identity Theft: Number of accounts with privileged access not using MFA
  • #7 Malware: Percentage of endpoints without updated antivirus signatures

Key Control Indicators (KCIs) - Measure the operational performance of security controls:

  • #2 Exploiting Server: Percentage of CVE alerts triaged within 24 hours of publication
  • #4 Identity Theft: Percentage of privileged access reviews completed on schedule
  • #7 Malware: Effectiveness of malware detection engines (false positive/negative rates)

Key Performance Indicators (KPIs) - Demonstrate the outcome of security processes:

  • #2 Exploiting Server: Mean Time to Patch Critical Vulnerabilities
  • #4 Identity Theft: Reduction in successful unauthorized access events (confirmed account takeovers), rather than in attempts, whose volume is set by the attacker
  • #7 Malware: Mean time to detect and contain malware incidents
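Indicators like these are only useful when they are computed from inventory data on a schedule and compared with an agreed tolerance, so that a breach of the tolerance is itself a signal. The following is an added example, not code from TLCTC or this page. It computes the #2, #4 and #7 KRIs and the #2 mean-time-to-patch KPI listed above from constructed scanner, identity and endpoint exports; the records, finding IDs and threshold values are all hypothetical.

```python
from datetime import datetime, timedelta
from statistics import mean

NOW = datetime(2025, 3, 15, 9, 0)  # constructed "as of" timestamp

# Constructed vulnerability scanner export (finding IDs are placeholders, not real CVEs).
VULNS = [
    {"host": "web-01", "finding": "VULN-1", "severity": "critical", "found": NOW - timedelta(days=12), "patched": None},
    {"host": "web-02", "finding": "VULN-1", "severity": "critical", "found": NOW - timedelta(days=12), "patched": NOW - timedelta(days=4)},
    {"host": "db-01", "finding": "VULN-2", "severity": "critical", "found": NOW - timedelta(days=3), "patched": None},
    {"host": "app-01", "finding": "VULN-3", "severity": "high", "found": NOW - timedelta(days=30), "patched": None},
    {"host": "app-02", "finding": "VULN-4", "severity": "critical", "found": NOW - timedelta(days=20), "patched": NOW - timedelta(days=10)},
]

# Constructed identity export.
ACCOUNTS = [
    {"user": "alice", "privileged": True, "mfa": True},
    {"user": "bob", "privileged": True, "mfa": False},
    {"user": "carol", "privileged": False, "mfa": False},
    {"user": "svc-backup", "privileged": True, "mfa": False},
]

# Constructed endpoint agent export; None means the agent has never reported.
ENDPOINTS = [
    {"host": "lt-001", "sig_updated": NOW - timedelta(hours=2)},
    {"host": "lt-002", "sig_updated": NOW - timedelta(days=3)},
    {"host": "lt-003", "sig_updated": NOW - timedelta(hours=20)},
    {"host": "lt-004", "sig_updated": None},
]

# Hypothetical tolerances agreed with risk management; a value above its tolerance is a breach.
THRESHOLDS = {
    "KRI #2 unpatched critical older than 7d": 0,
    "KRI #4 privileged accounts without MFA": 0,
    "KRI #7 stale AV signatures (%)": 5.0,
    "KPI #2 mean time to patch critical (days)": 14.0,
}


def kri_unpatched_critical(vulns, now, older_than_days=7):
    """#2 Exploiting Server KRI: open critical findings older than the SLA window."""
    cutoff = now - timedelta(days=older_than_days)
    return [v for v in vulns
            if v["severity"] == "critical" and v["patched"] is None and v["found"] <= cutoff]


def kri_privileged_without_mfa(accounts):
    """#4 Identity Theft KRI: privileged accounts protected by a single secret."""
    return sorted(a["user"] for a in accounts if a["privileged"] and not a["mfa"])


def kri_stale_signature_pct(endpoints, now, max_age_hours=24):
    """#7 Malware KRI: share of endpoints with old or unknown signature state.
    An endpoint that never reported is counted as stale: missing telemetry is not coverage."""
    cutoff = now - timedelta(hours=max_age_hours)
    stale = [e for e in endpoints if e["sig_updated"] is None or e["sig_updated"] < cutoff]
    return 100.0 * len(stale) / len(endpoints) if endpoints else 0.0


def kpi_mean_time_to_patch_days(vulns, severity="critical"):
    """#2 KPI: mean days from detection to patch over closed findings of the given severity."""
    durations = [(v["patched"] - v["found"]).total_seconds() / 86400
                 for v in vulns if v["severity"] == severity and v["patched"] is not None]
    return mean(durations) if durations else None


def evaluate(now=NOW):
    """Compute all indicators and return (values, breached) against THRESHOLDS."""
    values = {
        "KRI #2 unpatched critical older than 7d": len(kri_unpatched_critical(VULNS, now)),
        "KRI #4 privileged accounts without MFA": len(kri_privileged_without_mfa(ACCOUNTS)),
        "KRI #7 stale AV signatures (%)": kri_stale_signature_pct(ENDPOINTS, now),
        "KPI #2 mean time to patch critical (days)": kpi_mean_time_to_patch_days(VULNS),
    }
    breached = {k: v for k, v in values.items() if v is not None and v > THRESHOLDS[k]}
    return values, breached


if __name__ == "__main__":
    values, breached = evaluate()
    for name, value in values.items():
        flag = "BREACH" if name in breached else "ok"
        print(f"{name}: {value} [{flag}]")
```

Two choices in the code are worth carrying into a real implementation: an endpoint with no signature telemetry is counted against the #7 KRI rather than silently dropped, and the KPI returns None when no finding has been closed yet, so a dashboard shows "no data" instead of a misleadingly good zero.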

4. Reframe Board Communications Around Threats

When communicating with the board and executive leadership:

  • Anchor security discussions in specific threat clusters relevant to your industry
  • Present your security roadmap in terms of addressing specific threat vectors
  • Connect security investments directly to threat mitigation
  • Use attack path notation (#9->#3->#7) to illustrate how threats materialize

Example Board Communication:

"Our recent investment in advanced email filtering reduced our exposure to Social Engineering (#9), which is the initial vector in 62% of attacks in our industry. Stopping the attack at that stage reduces the chance that attackers progress to Exploiting Client (#3) and Malware (#7), the stages that lead to ransomware incidents like those affecting our competitors."

Distinguishing Cyber Risk from IT Risk in Practical Scenarios

Scenario 1: System Outage

Investigation question: What caused the system outage?

  • If caused by a DDoS attack: Classified as Flooding Attack (#6) - a cyber risk
  • If caused by configuration error by authorized admin: Classified as "Error in Use" - an IT operational risk
  • If caused by hardware failure: Classified as "System Failure" - an IT operational risk

Scenario 2: Data Breach

Investigation question: How was access to the data obtained?

  • If through SQL injection: Classified as Exploiting Server (#2) - a cyber risk
  • If through stolen credentials: Classified as Identity Theft (#4) - a cyber risk
  • If by an employee exceeding authorized access: Classified as "Abuse of Rights" - an operational risk

Scenario 3: Malicious Email

Investigation question: What was the nature of the email?

  • If phishing attempt by external actor: Classified as Social Engineering (#9) - a cyber risk
  • If malicious attachments: Could start as Social Engineering (#9) leading to Malware (#7) when the user is tricked into running the payload, or #9->#3->#7 when the attachment exploits a flaw in the viewing application - cyber risks
  • If inappropriate content sent by employee: Classified as policy violation - an operational risk

Integrating Cyber and Operational Risk Management

Rather than treating cyber risk and operational risk as entirely separate domains, CISOs should implement an integrated risk management approach that:

  1. Uses the TLCTC framework to identify and categorize cyber threats based on generic vulnerabilities
  2. Maintains the bow-tie model to clearly distinguish between causes, events, and consequences
  3. Develops control matrices that address both cyber and non-cyber risks
  4. Implements measurement indicators (KRIs, KCIs, KPIs) for both risk categories
  5. Builds governance structures that recognize the distinctions while enabling coordinated response

Practical Action Plan for CISOs

1. Conduct a threat cluster assessment

  • Evaluate your organization's exposure to each of the 10 threat clusters
  • Determine which clusters pose the highest risk based on your industry and technology environment

2. Map existing controls to threat clusters

  • Review your current control framework (whether based on NIST, ISO, or others)
  • Map each control to the specific threat cluster(s) it addresses
  • Identify controls focusing only on consequences rather than causes

3. Develop threat-specific control matrices

  • For each relevant threat cluster, create a matrix showing:
    • Local controls (specific to systems/components)
    • Umbrella controls (enterprise-wide protections)
    • Control objectives aligned with NIST functions (IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER)

4. Implement threat-informed metrics

  • Develop and track KRIs, KCIs, and KPIs specific to your highest-risk threat clusters
  • Create dashboards that show coverage across the 10 threat clusters

5. Reframe security governance

  • Update security policies to distinguish between cyber and non-cyber controls
  • Train security teams on the TLCTC framework
  • Align incident response procedures to specific threat clusters

Conclusion

As a CISO, distinguishing between cyber risk and broader IT or operational risk is not just an academic exercise—it's essential for effective security management. The TLCTC framework, with its focus on the 10 Top Level Cyber Threat Clusters and generic vulnerabilities, provides a clear, cause-oriented approach that can transform how you implement, communicate, and manage security controls.

By moving beyond a control-fixated approach to one that places threats in their proper context, you can build a more resilient security program that addresses root causes rather than just symptoms. This approach not only improves your security posture but also enables more effective communication with boards and executive leadership about security investments and priorities.

Remember: Effective cybersecurity isn't about implementing controls for their own sake—it's about understanding and addressing the specific threats that exploit your organization's vulnerabilities. The TLCTC framework gives you the precision tool you need to make this shift.