TLCTC Framework Glossary

A

Abuse of Functions (Cluster #1)

A threat cluster where an attacker abuses the logic or scope of existing, legitimate software functions, features, or configurations for malicious purposes. This manipulation occurs through standard interfaces using expected input types (data, parameters, configurations, sequence of actions), but in a way that subverts the intended purpose or security controls. The generic vulnerability exploited is the scope, complexity, or inherent trust placed in legitimate software functions, features, and configurations.

Asset

Components of value to an organization, including software, hardware, data, services, and human resources. In the TLCTC framework, the focus is on generic software and hardware assets rather than specific IT system types (as per Axiom VI).

Attack Path / Attack Sequence

The sequence of applied attack vectors (represented by TLCTC cluster numbers) employed by an attacker to achieve their objective. Properly notated using cluster numbers with arrows (e.g., #9->#3->#7) and plus signs for parallel execution (#1+#7).

Attack Surface

The sum of different points (attack vectors) where an unauthorized user can attempt to enter or extract data. In TLCTC, each generic vulnerability represents a distinct generic attack surface.

Attack Vector

The specific method or pathway used by an attacker to exploit a vulnerability. Each TLCTC cluster represents a category of attack vectors targeting a specific generic vulnerability (as defined by Axiom II).

Attacker's View

A perspective included in each threat cluster definition that articulates how an attacker conceptualizes the exploitation of a particular vulnerability (e.g., for #1 Abuse of Functions: "I abuse a functionality, not a coding issue").

Assumptions / Axioms

The foundational principles accepted as true for the TLCTC framework. Key axioms include:

• 1. For every generic vulnerability, there is ONE threat cluster
• 2. Each attack vector is defined by the generic vulnerability it initially targets
• 3. Threats are on the cause side from a Bow-Tie perspective
• 4. Control failure is distinct from actual risk
• 5. Threats are separated from threat actors
• 6. Generic software and hardware assets are the focus rather than IT system types
• 7. Client-server interaction is fundamental to all networked systems
• 8. Threat clusters can form sequences in attack scenarios
• 9. Top-Level Threat Clusters have Sub-Threats (strategic vs. operational separation)

B

Bow-Tie Model

A risk assessment methodology used in TLCTC that visualizes the relationships between:

• Left side (causes): Threats and preventive controls
• Center: Cyber Risk Event (loss of control/system compromise)
• Right side (effects): Consequences (Data Risk Events and Business Risk Events) and detective/reactive/corrective controls

BxI (Base Level Indicator)

The lowest, meaningful level of operational metrics that aggregate into Key Indicators (KxIs) within the hierarchical indicator framework.

C

Cause-Oriented Categorization

The principle behind TLCTC where threats are categorized based on the fundamental underlying cause (the generic vulnerability exploited) rather than observed events, attacker behaviors, or outcomes.

Client-Server Interaction

A fundamental principle (Axiom VII) assumed by the TLCTC framework, stating that networked systems involve components acting as clients (requesters) and servers (providers). This relationship can be contextual rather than absolute, particularly in vertical stack implementations.

Control Design Effectiveness

Evaluates whether a control, as conceived and structured, is capable of achieving its objective if it operates as intended.

Control Failure

A deviation from the control objective, which can allow threats to materialize and impact assets. Distinguished from the risk itself (as per Axiom IV).

Control Objective

The specific aim or purpose that a control is intended to achieve in terms of risk mitigation for a particular threat cluster. Each control is aligned with a single, clear objective.

Control Operational Effectiveness

Focuses on whether the control is actually working as designed in practice, examining if it is being executed correctly and consistently over time.

Control Risk

The risk associated with a control failing to achieve its objective, which is distinct from actual Risk (Threat->Incident/Event->Consequences) per Axiom IV.

Consequences

The negative impacts resulting from a cyber incident, categorized as Data Risk Events (Loss of C/I/A) and subsequent Business Risk Events in the Bow-Tie model.

Cyber Incident

An actual security breach or system compromise that has occurred; the materialization of a Cyber Risk Event.

Cyber Risk

The likelihood of occurrence of a cyber event in which control over IT systems or persons is lost due to one or more of the 10 Top Level Cyber Threat Clusters, leading (via Event-Chains) to consequential damage (impact).

Cyber Risk Event

The central event in the TLCTC Bow-Tie model, representing the compromise of an IT system or human, resulting in a loss of control.

Cyber Threat Radar

A visualization tool based on TLCTC clusters for analyzing and communicating about threat landscapes across organizations or sectors.

D

Data Risk Event

An outcome affecting data, defined specifically as:

• Loss of Confidentiality (C): Data stolen - The attacker gains unauthorized access to data
• Loss of Integrity (I): Data modified - The attacker successfully makes unauthorized changes to data
• Loss of Availability (A): Data inaccessible - The attacker renders data unavailable to legitimate users

Detect (NIST CSF Function)

Within the TLCTC Control Framework, tasks and controls designed to identify the occurrence of a cyber event related to a specific Threat Cluster.

E

Exploit Code

Code designed to target specific vulnerabilities to modify software behavior, distinguished from "Malware Code." Associated with Clusters #2 and #3.

Exploiting Client (Cluster #3)

A threat cluster targeting and leveraging flaws originating directly within the source code implementation of any software acting in a client role. The generic vulnerability is the presence of exploitable flaws within the code implementation of software acting as a client.

Exploiting Server (Cluster #2)

A threat cluster targeting and leveraging flaws originating directly within the server-side application's source code implementation. The generic vulnerability is the presence of exploitable flaws within the server-side source code implementation.

F

Flooding Attack (Cluster #6)

A threat cluster where an attacker intentionally overwhelms system resources or exceeds capacity limits through a high volume of requests, data, or operations, leading to disruption, degradation, or denial of service. The generic vulnerability is finite capacity limitations inherent in any system component.

G

Generic Vulnerability

The fundamental attack surface to a generic weakness or characteristic that is exploited by a specific TLCTC threat cluster (Axiom I). Each generic vulnerability is paired with exactly one threat cluster. For example, the "scope, complexity, or inherent trust placed in legitimate software functions" is the generic vulnerability exploited in Abuse of Functions (#1).

GOVERN (NIST CSF Function)

The strategic function focused on establishing the overall cybersecurity risk management framework. Unlike functions addressing specific threats directly, GOVERN controls are "assurance controls" that set risk appetite, define roles and responsibilities, and establish policies.

I

Identify (NIST CSF Function)

Within the TLCTC Control Framework, tasks and controls focused on understanding the context, identifying assets, and discovering weaknesses or threats related to a specific Threat Cluster.

Identity Theft (Cluster #4)

A threat cluster where an attacker targets weaknesses in identity and access management processes or credential protection mechanisms to illegitimately acquire, steal, or misuse authentication credentials. The generic vulnerability is weak Identity Management Processes and/or inadequate credential protection mechanisms.

Initial Access

A designation for threat vectors that provide the attacker's first entry into a system or network. The TLCTC framework emphasizes analyzing initial access as a critical point for prevention.

K

KCI (Key Control Indicator)

Measures the operational performance of security controls, verifying that the intended actions are taken at the appropriate frequency. These indicators provide insights on the ability to apply the correct controls correctly, and highlight weaknesses in processes.

KPI (Key Performance Indicator)

Measurable values that demonstrate the outcome and performance of security processes in reaching security objectives. KPIs must be time-based and should reflect not only the results but also the effectiveness over time.

KRI (Key Risk Indicator)

Indicators that demonstrate the potential for a future cyber threat. They are primarily leading indicators that show the possible risks before a threat occurs and must be observed in a meaningful timeframe.

KxI Framework

The integrated hierarchy of Key Risk Indicators (KRIs), Key Control Indicators (KCIs), and Key Performance Indicators (KPIs) organized into strategic and operational levels to measure and manage security effectiveness across threat clusters.

L

Local Controls

Specific security measures implemented at the individual system or component level to address particular threat clusters (contrasted with Umbrella Controls).

Loss of Availability (A)

A data risk event where the attacker renders data or services inaccessible to legitimate users.

Loss of Confidentiality (C)

A data risk event where the attacker gains unauthorized access to data.

Loss of Control / System Compromise

The central event in the TLCTC Bow-Tie model, representing the point where a threat successfully materializes, resulting in some form of compromise or unauthorized influence over an IT system or human actor.

Loss of Integrity (I)

A data risk event where the attacker successfully makes unauthorized changes to data.

M

Malware (Cluster #7)

A threat cluster where an attacker abuses the inherent ability of a software environment to execute foreign executable content, including inherently malicious Malware Code or legitimate tools/scripts used for malicious purposes ("dual-use" / LOLBAS). The generic vulnerability is the software environment's designed capability to execute potentially untrusted code.

Malware Code

Code that operates within expected execution paths for harmful purposes, distinguished from Exploit Code which targets specific vulnerabilities to modify software behavior.

Man in the Middle (MitM) (Cluster #5)

A threat cluster where an attacker intercepts, eavesdrops on, modifies, or relays communication between two parties without their knowledge or consent, by exploiting a privileged position on the communication path. The generic vulnerability is the lack of sufficient control, integrity protection, or confidentiality over the communication channel/path.

MFA Bombing / MFA Fatigue

An authentication bypass technique with the TLCTC attack path notation of #4 -> #1 -> #9 -> #4, representing: 1) initial credential theft, 2) abuse of the MFA request function, 3) social engineering to trick the user into approving, and 4) successful authentication.

O

Operational Layer / Operational Security

The tactical tier in the TLCTC two-tiered approach focused on implementing specific controls, detailed threat analysis of sub-threats/TTPs, incident response, vulnerability management, and monitoring. This layer works within the strategic framework defined by the Top Level Cyber Threat Clusters.

P

Physical Attack (Cluster #8)

A threat cluster where an attacker gains unauthorized physical interaction with or causes physical interference to hardware, devices, facilities, or data transmission media. The generic vulnerability is the physical accessibility of hardware, facilities, and communication media, and the exploitability of Layer 1 communications and hardware interfaces.

Process Injection

A technique that can be classified as either:

• #1 (Abuse of Functions) when using designed features (like debugging APIs and DLL injection) where the injection capability was intentionally designed
• #2/#3 (Exploiting Server/Client) when exploiting code flaws (like buffer overflows) where injection was never intended

Protect (NIST CSF Function)

Within the TLCTC Control Framework, tasks and controls aimed at implementing safeguards to prevent the successful exploitation related to a specific Threat Cluster.

R

Recover (NIST CSF Function)

Within the TLCTC Control Framework, tasks and controls related to restoring capabilities or services impaired due to an incident related to a specific Threat Cluster.

Respond (NIST CSF Function)

Within the TLCTC Control Framework, tasks and controls related to taking action upon detection of an incident related to a specific Threat Cluster.

S

Social Engineering (Cluster #9)

A threat cluster where an attacker psychologically manipulates individuals into performing actions counter to their or their organization's best interests. The generic vulnerability is human psychological factors: gullibility, trust, ignorance, fear, urgency, authority bias, curiosity, or general compromisability.

Standardized Attack Sequence Notation

The formal syntax for describing attack paths using TLCTC cluster numbers:

• Sequential execution indicated with arrows (e.g., #9->#3->#7)
• Parallel execution indicated with plus signs (e.g., #1+#7)
• Comprehensive paths may include both (e.g., #9->#3->#7->#7->#1+#7)

Strategic Layer / Strategic Management

The high-level tier in the TLCTC two-tiered approach focused on overarching risk management, policy, governance, resource allocation, and defining risk appetite based on the 10 Top Level Cyber Threat Clusters.

Sub-Threats

Granular threats or TTPs falling under a Top Level Cyber Threat Cluster (Axiom IX). These are managed at the operational level and provide detailed implementation of the high-level strategic framework.

Supply Chain Attack (Cluster #10)

A threat cluster where an attacker compromises systems by targeting vulnerabilities within an organization's supply chain. This involves compromising third-party software components, hardware, services, or distribution/update mechanisms that are trusted and integrated into the organization's own environment or products. The generic vulnerability is the necessary reliance on, and implicit trust placed in, external suppliers.

T

Threat

A set of tactics, techniques and procedures (TTP) that attackers apply to provoke an event or incident, exploiting vulnerabilities in IT systems or human behaviors.

Threat Actor

The individual, group, or entity performing a cyber attack. Distinguished from the Threat (the TTPs used) itself within the TLCTC framework (Axiom V).

Threat Cluster

A grouping of threats that exploit common vulnerabilities related to IT systems and humans. Each of the 10 Top Level Cyber Threat Clusters represents a fundamental way in which systems or humans can be compromised.

Thought Experiment

The logical process used to derive the 10 TLCTC clusters, where the IT landscape is examined systematically to identify distinct attack surfaces or generic vulnerabilities.

TLCTC (Top Level Cyber Threat Clusters)

The framework of 10 cause-oriented threat clusters derived from generic vulnerabilities, designed to bridge strategic and operational security approaches:

1. Abuse of Functions
2. Exploiting Server
3. Exploiting Client
4. Identity Theft
5. Man in the Middle (MitM)
6. Flooding Attack
7. Malware
8. Physical Attack
9. Social Engineering
10. Supply Chain Attack

TLCTC Enumeration

A structured identifier system (TLCTC-XX.YY) where:

• TLCTC- prefix ensures proper attribution to the model
• XX represents the primary cluster number (01-10), zero-padded for consistent formatting
• .YY suffix designed for future refinement (.00 designates current high-level definitions)

This provides machine readability, consistent sorting, and extensibility for sub-categorization.

Two-Tiered Approach

The TLCTC structure distinguishing between:

• Strategic Management Layer: High-level risk management, policy-making, and governance using the 10 Top Level Cyber Threat Clusters
• Operational Layer: Detailed implementation of controls, specific vulnerability management, and threat intelligence using sub-threats and TTPs

U

Umbrella Controls

Security measures that provide protection for groups of IT systems within their scope, such as firewalls, proxies or network zones. These contrast with Local Controls that protect specific systems directly.

V

Vertical Stack Application

The implementation of TLCTC across the layered architecture of IT systems (from application level to hardware), analyzing client/server roles at each protection ring boundary (e.g., Ring 3 to Ring 0) and directional vulnerabilities.

Vulnerability

An attack surface enabled by a weakness that can be exploited by a threat actor. In TLCTC, specific vulnerabilities (like CVEs) map to generic vulnerabilities which define the threat clusters.