About the Framework
Abstract

The cybersecurity industry is trapped in a pre-paradigmatic state, characterized by semantic diffusion and fragmented terminology. Drawing on the philosophy of science—specifically Kuhn, Popper, Carnap, and Quine—this article argues that technical threats follow scientific principles and that we need a shared foundation, like TLCTC, to turn our craft into a science.

From Alienation to Causal Reality

Alienation in Cybersecurity - The TLCTC Origin

The Origin: When speaking different languages makes you feel like an alien in your own industry.

The Origin: The "Alien" in the Room

"My journey didn't begin with a framework; it began with a sense of profound alienation."

As a security professional, I would sit in meetings with experts, stakeholders, and vendors, and realize we were speaking entirely different languages. One person called "Ransomware" a threat; another called "Data Loss" a threat; a third listed "Missing Patches" as a threat.

I felt like an alien. How could we manage risk if we couldn't even agree on what a "threat" was? The industry was drowning in a semantic blur, conflating causes, effects, and control failures. This frustration became my motivation. I realized that to solve the "Identify" problem in operational risk, I had to stop listening to the noise and go back to first principles.

The Foundation: Axioms and the Thought Experiment

I retreated to the drawing board to invest my time in a logic-based solution. I established non-negotiable Axioms—fundamental truths such as "Threats are on the cause side of the Bow-Tie" and "Every generic vulnerability corresponds to exactly one threat cluster".

Through a rigorous Thought Experiment, I derived the 10 Top Level Cyber Threat Clusters (TLCTC). These weren't arbitrary categories; they were the mathematical result of mapping the generic vulnerabilities inherent in all IT systems.

The Hurdle: "Control Catalogue Fixation"

I felt I had solved the logical problem. But when I brought this concept to my first peer reviews, I hit a wall. The reaction wasn't excitement; it was a collective "So what?"

I realized then that the industry is suffering from "Control Catalogue Fixation." Security professionals are conditioned to look for solutions (firewalls, EDR, policies) before they understand the problem—and this isn't entirely their fault. Regulators reinforce this mindset by demanding evidence of controls rather than evidence of threat understanding. Compliance frameworks ask "what controls do you have?" not "what threats are you facing?" The result is an industry so focused on how to stop bad things that it has lost sight of what is actually attacking them.

Logic alone wasn't enough. I had to prove that correct identification changes the outcome.

Bridging the Gap: Applying Reality to Defense

I expanded the framework to demonstrate that accurate threat identification isn't just academic—it is the only way to align the three critical pillars of an organization:

  • Strategic Alignment: Moving leadership away from vague "cyber fear" to defined Risk Appetite and Key Risk Indicators (KRIs) based on specific clusters.
  • Operational Defense: Empowering SOCs to stop chasing alerts and start tracking Attack Paths and Attack Velocity, distinguishing between the initial compromise (e.g., #9 Social Engineering) and the final payload (e.g., #7 Malware).
  • Secure Development (SDLC): Defining the distinct security responsibilities of the Programmer (Architecture/Strategy) versus the Coder (Implementation).

The Future: A Call for Harmonization

I have built the TLCTC framework as a "one-man show" to solve a problem that plagued me for years. The logic is sound, and the application is proven.

"But I cannot shift the landscape alone. To move beyond 'Control Catalogue Fixation,' we need global harmonization."

I invite major players—NIST, MITRE, and Standards Bodies—to adopt this causal-based taxonomy. It is time we stopped speaking different languages. It is time to anchor cyber defense in causal reality.

Due Diligence: Examining the Landscape

I did not create TLCTC in a vacuum. To ensure I wasn't reinventing the wheel, I spent months mapping the existing landscape of global standards, regulations, and frameworks. The goal was not to replace them, but to identify the specific Taxonomy Gap that TLCTC now fills.

The Cyber Standards and Regulations Landscape - A TLCTC Centric View
Figure: The Cyber Landscape. TLCTC acts as the unifying taxonomy at the center, bridging the specific gaps left by Governance Standards (ISO, NIST), Compliance (NIS2, GDPR), and Technical Frameworks (ATT&CK, CVE).

The Logical Foundations of TLCTC

Why TLCTC is not a new logical model — but a domain-specific application of established scientific principles to a field that has stubbornly resisted formalization.

Bernhard Kreinz
Creator of the TLCTC Framework
