This guide provides a rapid framework for CISOs to precisely define cyber risk scope using TLCTC v2.0, with Attack Velocity (Δt) for response mode selection and Domain Boundary Operators for responsibility handoffs.
1. The Core Question: Cyber vs. Operational Risk
To effectively manage risk, you must first know what you own. Ask this one question to determine ownership: does the risk arise from a compromise caused by one or more of the 10 threat clusters (Section 2)? If yes, it is cyber risk and belongs to the CISO; if not, it is other operational risk and belongs to the business.
2. Cyber Risk Scope: The 10 Threat Clusters
Your scope as CISO is limited to risks arising from these 10 distinct, non-overlapping threat clusters. V2.0 classifies them by topology: Internal (within your domain) vs. Bridge (crossing a domain boundary).
IN SCOPE (CISO)
- #1 Abuse of Functions
- #2 Exploiting Server
- #3 Exploiting Client
- #4 Identity Theft
- #5 Man in the Middle
- #6 Flooding Attack
- #7 Malware
- #8 Physical Attack
- #9 Social Engineering
- #10 Supply Chain Attack
OUT OF SCOPE
- Abuse of Access Rights (Authorized user misuse)
- Error in Use (Unintentional mistakes)
- Software/Hardware Failures (No exploitation)
- Process Failures (No threat actor)
Bridge Cluster Insight: #8, #9, #10 mark where attacks cross from outside your direct control. Use domain boundary operators: ||[context][@Source→@Target]||.
3. The Bow-Tie Model: How Cyber Risks Work
All cyber risks follow the same event chain: Cyber Threat → Loss of Control → Data Risk Event (detailed in Section 4). Your controls are designed to interrupt it at different stages.
Key Point: Loss of Control (the system compromise) happens *before* the Data Risk Event (loss of C, I, or A). This delay is your detection window.
4. Data Risk Events: Two Different Paths
The same data breach (e.g., Loss of Confidentiality) can have two very different causes, requiring different owners and controls.
Path 1: Cyber Threat (CISO)
Flow: Cyber Threat → Loss of Control → Data Risk Event
Example: Ransomware #7 → System Compromise L0 → Loss of Availability L1(A).
Path 2: Other OpRisk (Business)
Flow: Other OpRisk → Data Risk Event (Direct)
Example: Employee Error → Accidentally Emails PII (no compromise) → Loss of Confidentiality L1(C).
5. Attack Paths: Document the Sequence (v2.0 Notation)
Attackers chain threats. V2.0 adds velocity (Δt) and domain boundary operators for precise documentation.
| Attack Path (v2.0) | Meaning & Velocity Class |
|---|---|
| #9 \|\|[human][@Ext→@Org]\|\| →[Δt<1m] #4 →[Δt=5m] #1 → #7 | Help Desk Vishing (VC-3/4): Phish helpdesk → Account takeover → Function abuse → Ransomware. |
| #10 \|\|[update][@Ven→@Org]\|\| →[Δt=weeks] #7 + [DRE: C] | Supply Chain (VC-1): Trust Acceptance Event → Malware executes. Long dwell = hunting. |
| #4 →[Δt=mins] #1 →[Δt=secs] #9 →[Δt=mins] #4 | MFA Bombing (VC-3): Stolen creds → Spam MFA → Fatigue user → Valid token. |
| #2 [CVE-2024-XXXX] →[Δt=instant] #7 →[Δt<10m] + [DRE: A] | Zero-Day Exploit (VC-4): Server exploit → Immediate exec. Architecture controls mandatory. |
5b. Attack Velocity Classes (v2.0)
Velocity (Δt) determines your feasible response mode. Select controls appropriate to the attack speed you face.
| Class | Δt Scale | Defense Mode | Key Controls |
|---|---|---|---|
| VC-1: Strategic | Days → Months | Threat hunting | Long log retention, correlation |
| VC-2: Tactical | Hours | SIEM alerting | Playbooks, analyst capacity |
| VC-3: Operational | Minutes | Automation (SOAR) | Automated containment |
| VC-4: Real-Time | Seconds → ms | Architecture | Rate limits, fail-closed defaults |
If a critical transition is VC-3 or faster, purely human response is structurally insufficient. Controls must be automated or architectural.
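The notation in Section 5 and the velocity classes in Section 5b can be machine-checked, which matters once a risk register holds dozens of documented paths. The parser below is an added example written for this guide, not code from the TLCTC white paper or its author. It reads a v2.0 attack path string, extracts the cluster steps, the domain boundary operators, the Δt transitions and any trailing data risk event, classifies each transition by velocity class, and applies the rule above: if any transition is VC-3 or faster, purely manual response is infeasible. The class edges (under 60 s = VC-4, under 1 h = VC-3, under 1 day = VC-2, else VC-1) are an assumption made here; the table gives scales, not exact cutoffs. Unit-only values such as "weeks" or "mins" are read as one unit, and "instant" as 0 s.

```python
"""Parser and velocity checker for TLCTC v2.0 attack-path notation (added example)."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Velocity-class edges in seconds. Assumption: the 5b table gives scales
# (ms/seconds, minutes, hours, days-months), not exact cutoffs.
VC_CUTOFFS = ((60.0, "VC-4"), (3600.0, "VC-3"), (86400.0, "VC-2"))

UNIT_SECONDS = {
    "ms": 0.001, "s": 1, "sec": 1, "secs": 1, "seconds": 1,
    "m": 60, "min": 60, "mins": 60, "minutes": 60,
    "h": 3600, "hr": 3600, "hrs": 3600, "hours": 3600,
    "d": 86400, "day": 86400, "days": 86400,
    "w": 604800, "week": 604800, "weeks": 604800,
    "mo": 2592000, "month": 2592000, "months": 2592000,
}

# One token per alternative: cluster, boundary operator, arrow (with optional Δt),
# data risk event, free annotation such as [CVE-...], whitespace.
TOKEN_RE = re.compile(r"""
    (?P<cluster>\#(?:10|[1-9])(?!\d))
  | (?P<boundary>\|\|\[(?P<ctx>[^\]]+)\]\[@(?P<src>[^→\]]+)→@(?P<tgt>[^\]]+)\]\|\|)
  | (?P<arrow>→\s*(?:\[Δt(?P<op>[=<])(?P<dt>[^\]]+)\])?)
  | (?P<dre>\+\s*\[DRE:\s*(?P<dims>[CIA](?:\s*,\s*[CIA])*)\])
  | (?P<annot>\[(?P<text>[^\]]+)\])
  | (?P<ws>\s+)
""", re.VERBOSE)


@dataclass
class Step:
    cluster: int
    boundary: Optional[tuple] = None          # (context, source, target) if ||...|| follows
    annotations: list = field(default_factory=list)


@dataclass
class Transition:
    dt_raw: Optional[str]        # "=5m", "<1m", or None when the path states no Δt
    seconds: Optional[float]
    vclass: Optional[str]


@dataclass
class AttackPath:
    steps: list
    transitions: list            # transitions[i] leads out of steps[i]
    dre: Optional[str] = None    # data risk event dimensions, e.g. "C" or "A"


def parse_delta_t(raw: str) -> float:
    """'5m' -> 300.0; a bare unit like 'weeks' is read as one unit; 'instant' -> 0."""
    raw = raw.strip().lower()
    if raw == "instant":
        return 0.0
    m = re.fullmatch(r"(\d+(?:\.\d+)?)?\s*([a-z]+)", raw)
    if not m or m.group(2) not in UNIT_SECONDS:
        raise ValueError(f"unrecognised Δt value: {raw!r}")
    qty = float(m.group(1)) if m.group(1) else 1.0
    return qty * UNIT_SECONDS[m.group(2)]


def velocity_class(seconds: float, op: str = "=") -> str:
    # "Δt<1m" means strictly under the bound, so classify just below it.
    eff = seconds - 1e-9 if op == "<" else seconds
    for limit, name in VC_CUTOFFS:
        if eff < limit:
            return name
    return "VC-1"


def parse_attack_path(text: str) -> AttackPath:
    steps, transitions, dre = [], [], None
    pending = None                      # arrow waiting for its target step or DRE
    pos = 0
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise ValueError(f"cannot parse at offset {pos}: {text[pos:pos + 12]!r}")
        pos = m.end()
        if m.group("ws"):
            continue
        if m.group("cluster"):
            if steps and pending is None:
                raise ValueError("two clusters without a → between them")
            if pending is not None:
                transitions.append(pending)
                pending = None
            steps.append(Step(int(m.group("cluster")[1:])))
        elif m.group("boundary"):
            if not steps:
                raise ValueError("boundary operator before any cluster")
            steps[-1].boundary = (m.group("ctx"), m.group("src"), m.group("tgt"))
        elif m.group("arrow"):
            if not steps or pending is not None:
                raise ValueError("→ without a source step")
            if m.group("dt"):
                secs = parse_delta_t(m.group("dt"))
                pending = Transition(m.group("op") + m.group("dt"), secs,
                                     velocity_class(secs, m.group("op")))
            else:
                pending = Transition(None, None, None)
        elif m.group("dre"):
            if pending is not None:      # "→[Δt<10m] + [DRE: A]": arrow leads into the DRE
                transitions.append(pending)
                pending = None
            dre = re.sub(r"\s", "", m.group("dims"))
        elif m.group("annot"):
            if not steps:
                raise ValueError("annotation before any cluster")
            steps[-1].annotations.append(m.group("text"))
    if pending is not None:
        raise ValueError("path ends with a dangling →")
    return AttackPath(steps, transitions, dre)


def fastest_class(path: AttackPath) -> Optional[str]:
    """Highest-numbered (fastest) velocity class among the stated transitions."""
    stated = [t.vclass for t in path.transitions if t.vclass]
    return max(stated, key=lambda c: int(c[-1])) if stated else None


def human_response_feasible(path: AttackPath) -> bool:
    """Section 5b rule: VC-3 or faster anywhere on the path rules out purely manual response."""
    return fastest_class(path) not in ("VC-3", "VC-4")


def boundary_crossings(path: AttackPath) -> list:
    """(cluster, context, source, target) for every bridge step; these need an owner handoff."""
    return [(s.cluster, *s.boundary) for s in path.steps if s.boundary]


if __name__ == "__main__":
    for p in ["#9 ||[human][@Ext→@Org]|| →[Δt<1m] #4 →[Δt=5m] #1 → #7",
              "#10 ||[update][@Ven→@Org]|| →[Δt=weeks] #7 + [DRE: C]"]:
        ap = parse_attack_path(p)
        print(p, "| fastest:", fastest_class(ap), "| manual response OK:", human_response_feasible(ap))
```

Run against the Section 5 table, the help desk vishing path comes back with a VC-4 transition (the Δt<1m hop) and is flagged as requiring automated or architectural controls, while the supply chain path has only a VC-1 transition and stays in threat-hunting territory. The parser classifies each transition individually; the VC labels in the table are the author's judgment of the path as a whole, so the two need not agree on every row.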
6. Control Types (NIST Functions)
Map your controls against the Bow-Tie stages using the NIST functions. This reveals gaps in your defense for each threat cluster.
- IDENTIFY: Find weaknesses. Ex: Vuln scans (#2), IAM Audit (#4).
- PROTECT: Stop threats. Ex: Patching (#2), MFA (#4).
- DETECT: Spot compromise. Ex: SIEM alerts, Failed login monitor.
- RESPOND: Contain/Mitigate. Ex: Isolate host, Account lockout.
- RECOVER: Restore. Ex: Restore backup, Credential reset.
7. Quick Decision Framework
Use this logic for incident triage and risk categorization.
8. Essential Risk Register Template
Structure your risk register by threat cluster, not by asset or data type, to align with how attacks actually happen.
Risk Register (per Cluster)
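Sections 6 and 8 together describe a cluster-by-function grid: every (threat cluster, NIST function) cell should hold at least one control, and empty cells are the gaps. The script below is an added example for this guide, not part of the TLCTC white paper, that builds that grid from a control inventory, lists the empty cells, lays the result out per cluster as Section 8 asks, and renders it as a markdown table. The sample inventory is constructed: the cluster tags on the Section 6 examples (vuln scans #2, IAM audit #4, patching #2, MFA #4) are the page's own; the clusters assigned to the remaining controls are assumptions made for the example.

```python
"""Control-coverage matrix per TLCTC cluster and NIST CSF function (added example)."""
from collections import defaultdict

CLUSTERS = {
    1: "Abuse of Functions", 2: "Exploiting Server", 3: "Exploiting Client",
    4: "Identity Theft", 5: "Man in the Middle", 6: "Flooding Attack",
    7: "Malware", 8: "Physical Attack", 9: "Social Engineering",
    10: "Supply Chain Attack",
}
NIST_FUNCTIONS = ("IDENTIFY", "PROTECT", "DETECT", "RESPOND", "RECOVER")

# Constructed sample inventory: (control, NIST function, clusters it addresses).
# Cluster tags for the first four follow Section 6; the rest are assumptions.
SAMPLE_CONTROLS = [
    ("Vulnerability scanning", "IDENTIFY", {2}),
    ("IAM audit", "IDENTIFY", {4}),
    ("Patching", "PROTECT", {2}),
    ("MFA", "PROTECT", {4}),
    ("SIEM alerting", "DETECT", {2, 3, 7}),
    ("Failed-login monitoring", "DETECT", {4}),
    ("Host isolation", "RESPOND", {7}),
    ("Account lockout", "RESPOND", {4}),
    ("Backup restore", "RECOVER", {7}),
    ("Credential reset", "RECOVER", {4}),
]


def validate(controls):
    """Reject entries that reference an unknown function or cluster id."""
    for name, func, clusters in controls:
        if func not in NIST_FUNCTIONS:
            raise ValueError(f"{name}: unknown NIST function {func!r}")
        bad = set(clusters) - set(CLUSTERS)
        if bad:
            raise ValueError(f"{name}: unknown cluster ids {sorted(bad)}")


def coverage_matrix(controls):
    """Map (cluster, function) -> sorted names of the controls covering that cell."""
    validate(controls)
    cells = defaultdict(list)
    for name, func, clusters in controls:
        for c in clusters:
            cells[(c, func)].append(name)
    return {k: sorted(v) for k, v in cells.items()}


def coverage_gaps(controls):
    """Every (cluster, function) cell with no control at all, in cluster order."""
    matrix = coverage_matrix(controls)
    return [(c, f) for c in CLUSTERS for f in NIST_FUNCTIONS if (c, f) not in matrix]


def register_by_cluster(controls):
    """Section 8 layout: one register entry per cluster, controls grouped by function."""
    matrix = coverage_matrix(controls)
    return {c: {f: matrix.get((c, f), []) for f in NIST_FUNCTIONS} for c in CLUSTERS}


def render_matrix(controls) -> str:
    """Markdown table: clusters as rows, NIST functions as columns, '-' marks a gap."""
    matrix = coverage_matrix(controls)
    lines = ["| Cluster | " + " | ".join(NIST_FUNCTIONS) + " |",
             "|---|" + "---|" * len(NIST_FUNCTIONS)]
    for c, label in CLUSTERS.items():
        row = [", ".join(matrix.get((c, f), [])) or "-" for f in NIST_FUNCTIONS]
        lines.append(f"| #{c} {label} | " + " | ".join(row) + " |")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_matrix(SAMPLE_CONTROLS))
    gaps = coverage_gaps(SAMPLE_CONTROLS)
    print(f"\n{len(gaps)} of {len(CLUSTERS) * len(NIST_FUNCTIONS)} cells have no control")
```

With the sample inventory, #4 Identity Theft is the only cluster covered across all five functions; #2 and #7 each lack two functions, and the bridge clusters #8, #9 and #10 have no controls at all, which is exactly the kind of blind spot a register organised by asset or data type would not surface.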
9. Critical Reminders & V2.0 Insights
CISO Musts
- Velocity: VC-3/4 attacks require automation.
- Boundaries: #8, #9, #10 cross spheres.
- Credentials ≠ Data: Credential abuse is Loss of Control (#4), NOT Confidentiality loss.
- Chains: Document full attack paths.
Avoid
- Ignoring attack velocity (relying on manual controls against machine-speed attacks).
- Treating every data breach as cyber.
- Missing boundary crossings in supply chain.
10. Implementation Checklist (v2.0)
Week 1-2: Assessment
- Review risk register & categorize (Cyber vs OpRisk).
- Assess velocity (Δt) of critical paths.
Week 3-4: Scoping & Boundaries
- Define ISMS scope with 10 clusters.
- Map bridge clusters (#8, #9, #10) to owners.
Week 5-8: Control Mapping
- Map controls to Clusters & NIST functions.
- Validate response times against velocity classes.
Week 9-12: Operationalization
- Implement monitoring per cluster.
- Create velocity-appropriate playbooks.
11. Key Definitions (v2.0)
- Cyber Risk: Probability of IT system/human compromise due to one or more of the 10 threat clusters, leading to consequential damage.
- Loss of Control (L0): Central risk event where a system or human is compromised (happens BEFORE data risk events).
- Attack Velocity (Δt): Time interval between adjacent attack steps. Determines feasible response mode (VC-1 to VC-4).
- Domain Boundary Operator: Marks responsibility sphere transitions: ||[context][@Source→@Target]||. Essential for bridge clusters.
Conclusion
Focus CISO resources on the 10 threat clusters. Use velocity classes to select response modes. Clear scope + velocity awareness = effective security.
References
- Kreinz, B. Top Level Cyber Threat Clusters (TLCTC), White Paper V2.0
- NIST Cybersecurity Framework (CSF) 2.0