
Cyber Crime Taxonomy: The Critical #9 Bifurcation

Understanding where social engineering splits determines everything about your response, liability, and defense strategy.

Bernhard Kreinz
Abstract

When executives say "we suffered a cyber crime," the vagueness creates chaos. The TLCTC framework brings precision by recognizing that Social Engineering (#9) operates in two distinct modes with regard to "Cyber Crime". This bifurcation determines whether an incident is a Legal/Personal issue (#9.1) or a Cyber Threat against IT systems (#9.2).

The Industry Confusion about Cyber Crime

When executives say "we suffered a cyber crime," they might mean:

  • $2M wire fraud via CEO impersonation call
  • Ransomware attack via phishing email
  • Romance scam targeting an employee
  • Data breach via compromised credentials
  • Sextortion through manipulation
  • Account takeover leading to fraud

These are fundamentally different threats requiring different teams, different controls, and different response strategies. Yet most organizations treat them identically under the vague umbrella of "cyber crime." The TLCTC framework brings precision to this chaos by recognizing that Social Engineering (#9) operates in two distinct modes.

The #9 Bifurcation: Where Attack Paths Separate

[Figure 1 diagram: Threat Actor → #9 Social Engineering, splitting into #9.1 Standalone (Direct Impact; Human Domain, stays there, no system compromise → (Private) Business Impact: Financial/Reputation, Personal Integrity, Liability Driven) and #9.2 Bridge (Initial Vector; Cyber Domain, crosses boundary, system compromise occurs → #1-#8, #10 triggered → Data Risk Events; TLCTC Operational)]
Figure 1 — The #9 Bifurcation: Standalone vs. Bridge Modes.
The Critical Question

Did Loss of Control (system compromise) occur?

#9.1: Social Engineering as Standalone Threat

Definition

Pure manipulation leading directly to harm. No IT system is compromised. Classical crimes executed via digital communication channels.
Attack Path: #9 → [(Private) Business Impact]

Examples

  • CEO fraud: Phone call impersonating executive requesting wire transfer
  • Romance scams: Building fake relationships for financial exploitation
  • Investment fraud: Ponzi schemes, fake crypto opportunities
  • Sextortion via manipulation: Coercion to share content, then blackmail
  • Digital harassment: Coordinated online campaigns, review bombing
  • Extortion: Using publicly obtained information for threats

The TLCTC Reality: Minimal Applicability

From a cyber threat perspective, only two controls apply:

  1. Awareness training - Reduce success rate (never eliminate)
  2. Law enforcement coordination - Remove criminals from ecosystem

That's all. You cannot change human nature. The generic vulnerability—human psychological factors (trust, fear, urgency, greed)—is inherent. It exists on both sides:

  • Attacker side: Criminals exploit psychology (always have, always will)
  • Target side: Humans remain susceptible (this is biology, not a technical flaw)

What About Dual Authorization, Verification, Transaction Limits?

These are not cyber threat controls. They are business process controls for liability mitigation and regulatory compliance. They apply equally whether fraud occurs via:

  • Phone call (physical world)
  • In-person manipulation (physical world)
  • Postal mail (physical world)
  • Digital communication (digital world)

These belong in Operational Risk / Fraud Prevention, not cybersecurity threat management.

The Damage & Liability and Legal Driver

This is the critical insight: For #9.1, controls are driven by liability exposure and regulatory mandates, not cyber threat prevention. When an organization's product or service is the fraud vector (e.g., banking wire transfer systems, payment platforms, communication services), regulators and legal systems impose requirements:

Regulatory Examples:

  • PSD2 Strong Customer Authentication (EU)
  • FINMA RS 17/01 operational risk requirements (Switzerland)
  • Banking transaction verification standards (global)
  • Product liability standards (sector-specific)

Liability Drivers:

  • Demonstrate "reasonable care" to courts
  • Reduce financial exposure when fraud occurs
  • Satisfy insurance requirements
  • Comply with duty of care obligations

Example: A bank implements dual authorization for wire transfers not because it prevents #9 social engineering (it doesn't—humans remain manipulable), but because:

  1. Regulators mandate it
  2. It reduces the bank's liability when fraud occurs
  3. It demonstrates "reasonable security measures"
  4. Courts expect it as industry standard

This is why banks "mix" these controls into cybersecurity programs even though they're fundamentally business/compliance controls.

Organizational Response: #9.1

Primary responders:

  • Human Resources (employee victims)
  • Legal/Compliance/Police (fraud, extortion)
  • Communications/PR (reputation attacks)
  • Finance (financial fraud)

NOT primary responders:

  • SOC/Security Operations (no system to investigate)
  • Digital forensics (no compromised systems)
  • CSIRT (no technical incident)

#9.2: Social Engineering as Bridge Threat

Definition

Social engineering that crosses the domain boundary from human trust into technical system compromise. Loss of Control occurs.
Attack Path: #9 → [#1-#8, #10] → [Loss of Control] → [Data Risk Events] → [Business Impact]

Examples

  • Phishing → Malware: #9 → #7 → #4 → (#1+#7) (Ransomware)
  • Credential harvesting → Access: #9 → #4 → #1 → [Exfiltration]
  • Manipulation → Config change: #9 → #1 → [System weakening]
  • Social engineering → Physical access: #9 → #8 → #7

The TLCTC Reality: Full Framework Applies

All cyber threat controls become relevant:

Technical Controls:

  • Email filtering, URL reputation (detect malicious content)
  • EDR, anti-malware (prevent code execution)
  • MFA (prevent credential abuse)
  • Network segmentation (limit lateral movement)
  • Application whitelisting (control execution)
  • SIEM/SOC (detect compromise)

PLUS Awareness Training:

  • #9 is the initial vector, so awareness remains critical
  • But awareness alone is insufficient—technical controls required

Velocity Matters (Δt)

In #9.2 sequences, attack velocity becomes measurable and critical:

#9 →[Δt=2h] #7 →[Δt=30m] #4 →[Δt=15m] (#1+#7)

Detection Coverage Score = (Mean Time to Detect) / (Attack Velocity)

Goal: DCS < 1.0 (detection completes before the attack advances to the next stage)
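A small Python calculation, added here and not part of the TLCTC white paper or this post, that parses the velocity notation above and applies the DCS formula hop by hop; the per-stage MTTD values are constructed for illustration and a stage with no MTTD entry represents a stage nothing detects.

```python
import re

# Attack-path velocity notation from the text (the sample chain used in this post)
SAMPLE_PATH = "#9 →[Δt=2h] #7 →[Δt=30m] #4 →[Δt=15m] (#1+#7)"

# Constructed per-stage Mean Time to Detect (minutes): how long the SOC needs, on
# average, to notice activity belonging to that cluster. Stages without an entry
# have no detection control at all. Illustrative values, not measurements.
SAMPLE_MTTD = {"#9": 240, "#7": 20, "#4": 30}

_HOP = re.compile(r"\s*→\[Δt=(\d+(?:\.\d+)?)([hms])\]\s*")
_UNIT_MIN = {"h": 60.0, "m": 1.0, "s": 1 / 60}


def parse_path(path):
    """Split the notation into stage labels and the Δt (minutes) between them."""
    parts = _HOP.split(path)  # [stage, value, unit, stage, value, unit, ..., stage]
    stages = [s.strip() for s in parts[0::3]]
    deltas = [float(v) * _UNIT_MIN[u] for v, u in zip(parts[1::3], parts[2::3])]
    return stages, deltas


def detection_coverage(path, mttd_minutes):
    """Apply DCS = MTTD / Δt to every hop; a hop is covered when DCS < 1.0."""
    stages, deltas = parse_path(path)
    elapsed = 0.0
    report = []
    for i, dt in enumerate(deltas):
        src, dst = stages[i], stages[i + 1]
        mttd = mttd_minutes.get(src)  # None: no control observes this stage
        dcs = None if mttd is None else mttd / dt
        elapsed += dt  # attacker's cumulative time since the #9 lure landed
        report.append({
            "hop": f"{src} → {dst}", "delta_min": dt, "elapsed_min": elapsed,
            "mttd_min": mttd, "dcs": dcs,
            "covered": dcs is not None and dcs < 1.0,
        })
    return report


def first_covered_hop(report):
    """Earliest hop where detection outruns the attacker, or None if the chain runs through."""
    return next((r["hop"] for r in report if r["covered"]), None)


if __name__ == "__main__":
    rows = detection_coverage(SAMPLE_PATH, SAMPLE_MTTD)
    for r in rows:
        dcs = "n/a" if r["dcs"] is None else f"{r['dcs']:.2f}"
        print(f"{r['hop']:<14} Δt={r['delta_min']:>5.0f}m MTTD={r['mttd_min']} DCS={dcs} covered={r['covered']}")
    print("chain stopped at:", first_covered_hop(rows))
```

With the constructed MTTDs only the #7 → #4 hop is covered (DCS 0.67); the 4-hour phishing-report lag (DCS 2.0) and the 30-minute credential-abuse detection against a 15-minute hop both lose the race.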

Organizational Response: #9.2

Primary responders:

  • SOC/Security Operations
  • CSIRT/Incident Response
  • Digital forensics
  • IT operations

Supporting responders:

  • HR (if employee accounts involved)
  • Legal (breach notification, regulatory reporting)
  • Communications (customer notification)

Why This Distinction Matters Operationally

[Figure 2 diagram: Incident Reported → Was IT system compromised? (Unauthorized access/control?) → NO: #9.1, route to HR, Legal, Finance, Police; YES: #9.2, route to SOC/CSIRT, Forensics, plus HR/Legal/Police]
Figure 2 — Incident Classification Decision Flow.

Resource Allocation

#9.1 Investment

  • Awareness programs (moderate budget)
  • Law enforcement coordination (low budget)
  • Liability/Compliance controls (high budget, externally driven)
  • Business process improvements (finance/operations budget, not cyber)

#9.2 Investment

  • Technical controls (high budget, cyber threat focus)
  • Detection and response capabilities (high budget)
  • PLUS all #9.1 awareness investments

Risk Assessment

Scenario: Romance Scam
  • Type: #9.1
  • Attack Path: #9 → [Loss]
  • Cyber Controls: Awareness only
  • Compliance/Liability: Fraud detection (mandated), verification of transaction flow
  • Residual: Low

Scenario: Wire fraud - compromised email
  • Type: #9.2
  • Attack Path: #4 → #1 [Customer → Org] → #9 → [Loss - Customer]
  • Cyber Controls: MFA + email security + awareness
  • Compliance/Liability: Dual authorization (impact reduction)
  • Residual: Low

Key insight: Same business outcome, different attack paths, different primary defenses, different risk levels.

Decision Framework: Quick Classification

  1. Did an attacker gain unauthorized control over an IT system?
     Email account, server, workstation, application, network device?
     If NO → likely #9.1 | If YES → #9.2
  2. Could digital forensics provide useful evidence?
     System logs, memory dumps, network traffic?
     If NO → #9.1 (only interviews and financial records are relevant) | If YES → #9.2 (technical investigation needed)
  3. Would technical controls have prevented this?
     EDR, MFA, network segmentation, email filtering?
     If NO → #9.1 (pure human manipulation) | If YES → #9.2 (system vulnerability exploited)

Integration with Cyber Crime Frameworks

The TLCTC #9.1 / #9.2 distinction integrates cleanly with regulatory and legal frameworks:

#9.1 (Standalone)

  • Maps to classical fraud, harassment, extortion statutes
  • Criminal law applies (varies by jurisdiction)
  • Regulatory focus: product liability, duty of care
  • Insurance: general liability, D&O, crime/fidelity
  • NOT typically "breach notification" events

#9.2 (Bridge)

  • Maps to computer fraud, unauthorized access statutes
  • Cyber-specific criminal law applies
  • Regulatory focus: breach notification, incident reporting (NIS2, DORA, SEC)
  • Insurance: cyber insurance + general
  • Triggers breach notification if data compromised

Conclusion: Precision Through Bifurcation

Social Engineering (#9) is unique among the 10 TLCTC clusters—it can operate standalone OR as a bridge. Understanding which mode applies transforms your response:

For #9.1: You're dealing with classical crime in a digital medium. Cyber threat controls offer minimal value. Your response is driven by liability exposure and regulatory compliance, not cyber threat management. Focus on awareness, law enforcement, and business process controls like transaction monitoring mandated by your legal/regulatory environment.

For #9.2: You're dealing with a cyber threat enabling system compromise. Full TLCTC framework applies. Technical defenses work because systems can be hardened (unlike human nature). Focus on prevention, detection, response, and measurable control effectiveness.

The critical question is always: Did Loss of Control occur?

Answer that, and you know exactly which playbook to execute.

References

  1. Kreinz, B. Top Level Cyber Threat Clusters (TLCTC), White Paper V1.9.1.
  2. EU Payment Services Directive 2 (PSD2), Strong Customer Authentication.
  3. FINMA Circular 2023/01 "Operational risks".