
Cyber Crime Taxonomy: Defining Framework Boundaries

Distinguishing between direct social engineering (Category 1) and system compromise (Category 2) is critical for effective cyber defense and response.

Bernhard Kreinz
15 min read

Executive Summary

The industry term "cyber crime" conflates distinct attack categories requiring fundamentally different defensive approaches. Organizations that treat all "cyber" incidents identically misallocate resources, apply inappropriate controls, and trigger unnecessary technical investigations while neglecting proper procedural, legal, or HR responses.

The TLCTC framework explicitly addresses threats resulting in IT system compromise (Loss of Control), not all forms of fraud, deception, or digitally-enabled harm. This chapter establishes clear boundaries between:

  • Category 1: Social engineering attacks leading directly to business/personal impact without system compromise
  • Category 2: Cyber threats exploiting system vulnerabilities leading to Loss of Control

Understanding this distinction is critical for incident classification, control selection, resource allocation, and risk assessment.

The Bifurcation Point: Where #9 Separates

Social Engineering (#9) is unique among the 10 threat clusters: it is the only cluster that can operate both standalone (pure fraud/manipulation) and as an initial vector (enabling system compromise). This dual nature creates a critical decision point in attack path analysis.

[Figure 1 diagram: Threat Actor → #9 Social Engineering (Dual Nature). Category 1, Direct Impact (No Compromise): remains in the Human Domain, no Loss of Control, ends in a Financial / Reputational Risk Event; TLCTC applies descriptively. Category 2, Bridge to Cyber (System Compromise): crosses the boundary into the Cyber Domain, Loss of Control, triggers #1-#8, #10 and Data Risk Events; TLCTC applies operationally.]
Figure 1: The #9 Bifurcation. Social Engineering is the only cluster operating in both Category 1 and Category 2.

The Critical Decision: Did System Compromise Occur?

[Figure 2 diagram: Was there Loss of Control (System Compromise)? NO → Category 1, Social Engineering Only. Controls: Process & Policy, Awareness, Legal / HR. Response Team: Human Resources, Legal & Comms. Insurance: General Liability / D&O. YES → Category 2, Cyber Threat. Controls: Technical (Primary), Detection / Response, plus Category 1 controls. Response Team: SOC / CSIRT, plus HR / Legal. Insurance: Cyber Insurance.]
Figure 2: Incident Classification Decision Tree based on "Loss of Control".

Category 1: Social Engineering Without System Compromise

Definition: Attacks that exploit human psychological vulnerabilities (#9) leading directly to business or personal risk events without achieving Loss of Control over IT systems. The attack remains entirely in the human domain—no technical systems are compromised.

Key Characteristic

The bow-tie central event "Loss of Control (System Compromise)" never occurs. The attack path terminates at the Business/Personal Risk Event without crossing the domain boundary into cyber/technical systems.

Attack Path Notation

#9 →[Δt] [Business/Personal Risk Event]

No other TLCTC clusters (#1-#8, #10) appear in the sequence because no system vulnerabilities were exploited.

Scope Includes

  • Financial Fraud: Wire transfer fraud, CEO fraud/BEC, Romance scams, Investment fraud, Tech support scams.
  • Extortion and Sextortion: Victim coerced into sharing intimate content (no account compromise), Business extortion via threats.
  • Digital Harassment: Cyberbullying, Review bombing, Online defamation, Doxxing (using public info).
  • Reputation Attacks: Fake news, Impersonation on public social media, Brand hijacking.

Control Strategy: Category 1

Since no technical system compromise occurs, technical cybersecurity controls are not the primary defense. Category 1 requires process, policy, awareness, and legal controls.

  • Process Controls: Dual authorization, Out-of-band verification.
  • Awareness: Training on manipulation tactics, Social engineering red flags.
  • Legal/HR: Legal preparedness for defamation/fraud, Employee assistance programs.

Category 2: Cyber Threats with System Compromise

Definition: Attacks exploiting vulnerabilities in IT systems (any of #1-#10) resulting in Loss of Control (system compromise), which may subsequently enable extortion, fraud, harassment, or data theft.

Key Characteristic

The bow-tie central event "Loss of Control (System Compromise)" DOES occur. The attack crosses from human domain into cyber domain.

Attack Path Notation

[Initial Vector] → [TLCTC Clusters] → [Loss of Control] → [Data Risk Events] → [Impact]

Example Paths

  • Data Breach → Extortion:
    #2 → #7 → #4 → #1 → [Loss of Control] → [Exfiltration] → [Extortion]
  • Account Compromise → Reputation:
    #9 → #4 → [Loss of Control] → [Integrity Loss] → [Reputation damage]
  • Supply Chain:
    #10 → #7 → [Loss of Control]

Control Strategy: Category 2

Category 2 requires comprehensive technical controls (primary) PLUS all Category 1 procedural/policy controls.

  • Technical (Primary): Map controls to all relevant threat clusters (#1-#10), NIST CSF functions (IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER).
  • Secondary: Procedural controls remain relevant as #9 may be the initial vector.
  • Metrics: The Detection Coverage Score (DCS) becomes calculable: DCS = (Mean Time to Detect) / (Attack Velocity Δt).

Comparative Analysis: Category 1 vs. Category 2

Dimension          | Category 1: Direct Social Engineering | Category 2: System Compromise
-------------------|---------------------------------------|-------------------------------------
Attack Path        | #9 → [Impact]                         | [Any] → [Clusters] → Loss of Control
Bow-Tie Model      | Does NOT apply                        | Fully applies
System Compromise? | NO                                    | YES
Primary Controls   | Process, policy, awareness, legal     | Technical + Category 1 controls
Response Team      | HR, Legal, Communications             | SOC, CSIRT, Forensics + HR/Legal
Insurance          | General liability, D&O                | Cyber insurance + General
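The example paths above, the Category 2 metric, and the comparison table can be turned into a small classifier. The following is an added example (not TLCTC's own tooling): it parses the page's attack path notation, checks the rule that a path without Loss of Control may contain only #9, maps the result to the controls and response team from the decision tree, and computes DCS = MTTD / Δt. The path strings are the page's own examples; the hour values in the usage are constructed.

```python
import re
from dataclasses import dataclass

# Example paths in the page's notation (the first is the Category 1 template, the rest are Category 2).
EXAMPLE_PATHS = {
    "wire_fraud": "#9 →[Δt] [Business/Personal Risk Event]",
    "data_breach": "#2 → #7 → #4 → #1 → [Loss of Control] → [Exfiltration] → [Extortion]",
    "account_takeover": "#9 → #4 → [Loss of Control] → [Integrity Loss] → [Reputation damage]",
    "supply_chain": "#10 → #7 → [Loss of Control]",
}

CLUSTER_RE = re.compile(r"#(10|[1-9])\b")   # TLCTC clusters #1..#10
EVENT_RE = re.compile(r"\[([^\]]+)\]")       # bracketed events such as [Loss of Control]


@dataclass
class Classification:
    category: int
    clusters: list
    events: list
    primary_controls: list
    response_team: list


def parse_path(path: str):
    """Return the cluster numbers and bracketed events of a path, in order ([Δt] is timing, not an event)."""
    clusters = [int(c) for c in CLUSTER_RE.findall(path)]
    events = [e for e in EVENT_RE.findall(path) if e != "Δt"]
    return clusters, events


def classify(path: str) -> Classification:
    """Apply the Figure 2 decision: Category 2 iff Loss of Control occurs; else only #9 may appear."""
    clusters, events = parse_path(path)
    if not clusters:
        raise ValueError("path must name at least one threat cluster")
    if "Loss of Control" in events:
        return Classification(2, clusters, events,
                              ["Technical (Primary)", "Detection / Response",
                               "Process & Policy", "Awareness", "Legal / HR"],
                              ["SOC / CSIRT", "Human Resources", "Legal & Comms"])
    if set(clusters) != {9}:
        raise ValueError(f"clusters {clusters} exploited but no Loss of Control recorded: inconsistent path")
    return Classification(1, clusters, events,
                          ["Process & Policy", "Awareness", "Legal / HR"],
                          ["Human Resources", "Legal & Comms"])


def detection_coverage_score(mttd_hours: float, attack_velocity_hours: float) -> float:
    """DCS = Mean Time to Detect / Attack Velocity Δt; meaningful only for Category 2 paths."""
    if attack_velocity_hours <= 0:
        raise ValueError("Δt must be positive")
    return mttd_hours / attack_velocity_hours
```

A DCS below 1 means detection is expected before the attack path completes; a path that lists clusters other than #9 but no Loss of Control is rejected as mis-recorded rather than silently filed as Category 1.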

The Unique Nature of #9 Social Engineering

#9 Social Engineering is architecturally different. It operates in two modes:

  • Mode 1 (Standalone): The generic vulnerability is human psychological factors. The attack completes in the human domain; no system compromise occurs. (Category 1)
  • Mode 2 (Bridge): The generic vulnerability is human factors acting as the initial weakness. The attack crosses into the cyber domain; system compromise occurs. (Category 2)

Strategic Recommendations

For Security Architects: Defense-in-Depth

[Figure 3 diagram: Threat Landscape (Category 1, Category 2). Layer 1, Human / Process Controls: Awareness, Verification, Authorization (Category 1 stops here). Layer 2, Technical Preventive: MFA, EDR, Segmentation, Patching. Layer 3, Technical Detective: SIEM, UEBA, Log Monitoring. Layer 4, Response & Recovery: SOAR, Forensics, Backups.]
Figure 3: Layered Defense Model. Category 1 is addressed entirely at Layer 1. Category 2 requires Defense-in-Depth across all layers.

Budget Allocation Strategy

  • Category 1 Controls (Process/People): Security awareness, Process improvement, Legal support $X
  • Category 2 Controls (Technology): SOC, EDR, Network Security, Cloud Security $A
  • Hybrid (Both): MFA, Incident Response, Forensics $F

Key Insight: Category 1 controls are necessary but not sufficient. Most severe breaches involve Category 2 system compromise. Budget should reflect this asymmetry.

Conclusion

The distinction between Category 1 (Direct Social Engineering) and Category 2 (Cyber Threats with System Compromise) is not academic pedantry—it is operationally essential.

The #9 Bifurcation represents the natural decision point where attacks either remain in the human domain or cross into the cyber domain. The TLCTC framework addresses cyber threats with system compromise (Category 2). For organizations to achieve comprehensive cybersecurity, they must also address direct social engineering threats (Category 1) through robust procedural and policy controls.

Both categories matter. Both require investment. But they require different investments, different teams, and different metrics. Clarity on this distinction is the foundation of effective cyber risk management.