Logo
TLCTC
Blog / Standards Integration

Why "Cyber" in the Name does not win Cyber Wars

BK
Bernhard Kreinz
7 min read
Frameworks: ISO/IEC 27000-series, TLCTC v1.9
TL;DR

ISO/IEC 27000-series is excellent at governing how to run an ISMS and how to manage risk. But it is deliberately agnostic about what cyber threats actually are, how they chain together, and how fast they move. The TLCTC framework fills that gap with a cause-oriented taxonomy of ten Top Level Cyber Threat Clusters, a standard attack-path notation, and attack velocity (Δt). Use ISO to run the program; use TLCTC to see—and break—the attack paths.

1) Acknowledge & Reframe (TLCTC Lens)

You’re asking where ISO “lacks.” Through the TLCTC lens, the problem is not ISO’s quality—it’s scope and dimensionality.

  • ISO optimizes management: policies, processes, risk cycle, PDCA.
  • TLCTC optimizes threat clarity: what the cyber threats are, how they chain, where they cross domains, and how quickly they move.

In practice:

Strategic Management Layer (ISO + TLCTC)

  • Define context, risks, objectives, governance.
  • Standardize cyber risks using the 10 TLCTC clusters as the cause side of the Bow-Tie (Loss of Control at the center; data/business impacts on the right).

Operational Security Layer (TLCTC + MITRE/CVE/etc.)

  • Map specific TTPs and CVEs to the first exploited generic vulnerability (cluster #1–#10).
  • Express the attack path as a sequence (#X → #Y → #Z), optionally annotated with Δt between steps and domain boundaries (||[channel][@src→@dst]||).
Core TLCTC axioms (short list):
  • Axiom I: For every generic vulnerability, there is exactly one threat cluster.
  • Axiom II: Each distinct attack vector is defined by the generic vulnerability it initially targets.
  • Axiom III: Threats live on the cause side (left of the Bow-Tie). Outcomes like “data breach” live on the right.
  • Axiom V: Threats ≠ threat actors. Actors use the 10 threats.
  • Axiom X: Credentials, tokens, keys, sessions are system control elements; their misuse (#4 Identity Theft) represents Loss of Control, not “just data loss.”

2) What ISO Does Great (Keep it!)

  • ISO/IEC 27001: Gives you the requirements skeleton for an ISMS and points to a control set.
  • ISO/IEC 27005: Gives you a repeatable risk process (context → assess → treat → monitor).
  • ISO/IEC 27000: Provides vocabulary and positions the ISMS family.

These are indispensable. The gap is not governance. The gap is the absence of a crisp, cyber-specific threat taxonomy, attack-path grammar, and velocity concept to standardize how you identify and prioritize cyber risks.

3) Where ISO Lacks (and how TLCTC fixes it)

3.1 No cyber-specific threat taxonomy

ISO tells you to identify “threats” but does not define cyber threats as a distinct category or provide a non-overlapping set. TLCTC does.

The 10 Top Level Cyber Threat Clusters
  1. Abuse of Functions – misuse of legitimate features.
  2. Exploiting Server – server-side flaws.
  3. Exploiting Client – client-side flaws.
  4. Identity Theft – misuse credentials/keys.
  5. Man in the Middle – network position abuse.
  6. Flooding Attack – exhaust capacity.
  7. Malware – foreign code execution.
  8. Physical Attack – physical interference.
  9. Social Engineering – human manipulation.
  10. Supply Chain Attack – trusted component compromise.

Why it matters: Without a standard, teams invent local “threat lists,” mix causes with effects (“data breach”), and forget entire steps in the chain.

3.2 Ambiguity between causes, events and consequences

ISO is outcome-oriented (CIA, incidents, consequences). That’s good for impact analysis, but weak for threat clarity.

TLCTC forces cause clarity via Bow-Tie thinking:

  • Left side: the 10 clusters (#1–#10) = what generic vulnerability is exploited?
  • Center: Loss of Control (system compromise) – the moment the attacker can operate your system.
  • Right side: data and business impacts (Loss of Confidentiality / Integrity / Availability, plus money, safety, reputation, etc.).

3.3 No attack-path notation

ISO doesn’t provide a concise way to write an attack. TLCTC does.

Base grammar (strategic):
  • Sequence: #X → #Y → #Z
  • Parallel: (#A + #B)
  • Boundary: ||[channel][@src→@dst]||

This tiny grammar makes tabletop exercises, intel briefs, and risk registers consistent, machine-parsable, and comparable across teams and vendors.

3.4 No notion of attack velocity (Δt)

ISO 27005 cares about likelihood and impact but is silent on the speed of attack progression. TLCTC introduces Δt = the time between clusters in a path, and defines four velocity classes (Latent/Slow, Medium, Fast, Realtime).

#9 →[24h] #7 →[2min] #4 →[15min] (#1 + #7)

Same clusters, radically different control strategy (SOAR and hard technical kill-switches vs long-term log retention and hunting). Without Δt, those two risks look identical on an ISO heat map.

3.5 Credentials treated as “data,” not as control elements

ISO tends to fold credentials into “information assets” and IAM controls. TLCTC’s Axiom X elevates them to system control elements. If credentials are compromised and used, your system control is compromised (#4), not just “data leaked.”

3.6 Supply-chain transitions and bridge clusters are not first-class in ISO

ISO has supplier controls, but not a first-class notion of domain boundaries or bridge threats. TLCTC adds both.

#10 Supply Chain →[Δt=weeks] #7 Malware
||[updates][@Vendor→@Org]|| →[0s] #7

4) Ransomware, Honestly (as an example)

A typical “phish-to-encrypt” path:

#9 Social #7 Malware #4 ID Theft #1 + #7 Abuse + Encrypt Δt = 30s Δt = 2min Δt = 15min
Figure: A Ransomware Path visualized with Velocity (Δt).

Interpretation: #9 (Phishing) → #7 (First Code Exec) → #4 (Harvest Creds) → Parallel #1/#7 (Admin Tools + Encryption). With TLCTC, you design controls to break the chain at the earliest feasible cluster within the allowed reaction time.

5) ISO ⇆ TLCTC: A Practical Integration Pattern

5.1 In ISO 27005 risk identification, standardize on TLCTC

For every cyber risk in your register: Assign one primary TLCTC cluster by cause (#1–#10). For multi-stage attacks, add the attack path and, where possible, Δt between clusters.

5.2 In ISO/IEC 27001 risk treatment, select controls per TLCTC cluster

TLCTC Cluster Primary intent of controls (examples)
#1 Abuse of Functions Authorization design, least privilege, safe defaults, function scoping, hardening baselines.
#2 Exploiting Server SSDLC, secure coding, SAST/DAST/IAST, patching, RASP, memory-safe stacks.
#3 Exploiting Client Browser/app hardening, sandboxing, EDR, content disarm, rapid update cadence.
#4 Identity Theft Strong auth (MFA), key/secret mgmt, rapid revocation, just-in-time access, anomaly detection.
#5 MitM TLS everywhere, cert pinning, secure DNS, segmentation, authenticated proxies.
#6 Flooding Attack Anycast/CDN, rate limiting, autoscale, circuit breakers, tested runbooks.
#7 Malware App allow-listing, EDR, macro/script policy, egress controls, sandboxing.
#8 Physical Attack Locks, tamper-evidence, secure boot, HSMs, clean-desk, access logging.
#9 Social Engineering Security culture, simulations, role-based training, verified channels, clear playbooks.
#10 Supply Chain SBOM, signed updates, vendor attestation, isolation, pre-prod validation, break-glass.

5.3 In ISO performance evaluation, measure by cluster

Roll these up into a Threat Radar dashboard (10 clusters around the circle, color/length by risk and velocity class). That’s something the board can actually understand.

6) Worked Integrations

6.1 Phish-to-Encrypt (SMB enterprise)

#9 →[30s] #7 →[2min] #4 →[15min] (#1 + #7)

Win from TLCTC: The SoA and runbooks are path-aware and time-aware, not just control-dense.

6.2 Supplier Build Compromise (SaaS)

#10 Supply Chain →[days] #7 Malware
||[dev][@Vendor→@Org]|| →[0s] #7 →[hours] #4 →[hours] #1

Win from TLCTC: The trust crossing is explicit (||...||), and you can place detection/approval controls before the boundary instead of only hardening what’s inside.

7) “Cyber” in the Name ≠ Cyber Clarity

Calling something “cybersecurity” in a title or policy does not define cyber threats. Programs fail when they treat effects as threats or blend IT risks with control failures. TLCTC fixes the semantics and adds minimal, precise notation. The result: ISMS artifacts become operationally truthful and actually defensible.

8) Quick-Start Checklist (Drop-in to your ISO Program)

  • Adopt TLCTC as your enterprise cyber-threat taxonomy (Strategic Layer).
  • Require attack-path notation (with Δt where possible) for every material cyber risk.
  • Map SoA controls by TLCTC cluster.
  • Treat credentials as control elements (Axiom X).
  • Mark supply-chain and other domain boundaries with the boundary operator.
  • Instrument KRIs per cluster and velocity class, and publish a quarterly Threat Radar.

9) FAQ (for skeptics)

Q: Isn’t ISO/IEC 27005 enough?
A: It gives you the process, not the cyber threat taxonomy, path grammar, or velocity model. TLCTC supplies those without fighting ISO.
Q: Does TLCTC overlap ATT&CK/CWE?
A: No. ATT&CK and CWE live at the Operational Layer (techniques, weaknesses). TLCTC sits above, classifying initial cause vectors #1–#10. Map up to TLCTC; don’t mix layers.
Q: We already maintain “threat lists.”
A: Make them TLCTC-clean: no outcomes, no actors, no control failures, no system types. One primary cluster per item; sequences (and Δt) for multi-stage scenarios.

10) Conclusion

ISO runs the machine. TLCTC sharpens the sight—and adds time and topology. Pair them and you transform a compliant ISMS into a path-aware, boundary-aware, and velocity-aware defense program that stops attacks earlier, cheaper, and more reliably.