TLCTC · A blind spot in plain sight

What CIS Cannot See

A framework that measures attack frequency by asset class can never detect over-investment by cause. Here is the blind spot — in one chart.

CIS RAM does not have a broken answer. It has a missing axis. And the consequence of that missing axis is not abstract — it is a specific, measurable distortion that the framework cannot perceive about itself.

To see it, you only need to ask one question CIS RAM never asks: where, by cause, does our control effort actually go?

The two axes

Every risk framework measures along some axis. The axis you choose determines what you can see — and what you can't.

CIS RAM measures by asset class hit:

Users
Devices
Data
Software
Network

Six asset-class buckets, counted through the VCDB Index: how often an asset type appears as a target.

TLCTC measures by cause cluster:

#1 Abuse of Functions
#2 Exploiting Server
#3 Exploiting Client
#4 Identity Theft
#5 Man in the Middle
#6 Flooding Attack
#7 Malware
#8 Physical Attack
#9 Social Engineering
#10 Supply Chain

Ten mutually exclusive generic vulnerabilities: the mechanism of the attack, not its target.

These are not two views of the same thing. "A server was attacked" (asset) and "the server was exploited / abused / reached with stolen credentials" (cause) are orthogonal. One asset bucket can hold three causes. One cause can strike five asset types. You cannot derive one axis from the other.

CIS chose the asset axis. So the cause axis is simply not in the data.

Map the 153 Safeguards by cause. This appears.

Every CIS Controls v8.1 Safeguard, assigned to the cluster whose generic vulnerability it acts upon. The count is the preventive control effort landing on that cause.

Cluster                    Preventive fragments
#2  Exploiting Server      19
#4  Identity Theft         17
#1  Abuse of Functions     12
#7  Malware                12
#3  Exploiting Client       9
#9  Social Engineering      9
#8  Physical Attack         8
#10 Supply Chain            7
#5  Man in the Middle       5
#6  Flooding Attack         1

Preventive Safeguard-fragments per cause cluster · CIS Controls v8.1 · 10×6×2 TLCTC matrix

19:1   preventive coverage, #2 Exploiting Server vs. #6 Flooding Attack
36     of ~105 cause-acting fragments sit on #2 + #4
0      CIS RAM signals that flag this distribution

Why CIS cannot see this

The skew above is not a secret. It is sitting in the control set, in plain sight, the whole time. The reason no CIS RAM assessment has ever surfaced it is structural: the chart is drawn on an axis CIS RAM does not possess.

CIS RAM's expectancy engine pairs two numbers — how often an asset class is hit, and how mature a Safeguard is. There is no cause variable anywhere in that calculation. So when the control set pours nineteen preventive measures onto server exploitation and one onto flooding, the engine has no coordinate in which that fact can register. It can tell you that devices are attacked in 74% of incidents. It cannot tell you that your defenses against server exploitation outnumber your defenses against flooding nineteen to one — because "server exploitation" and "flooding" are not entries in its vocabulary. They are causes. CIS speaks assets.
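The orthogonality claim and the "no coordinate" claim can both be checked mechanically. The following is an added example, not code from the page or from the TLCTC project: each control fragment is tagged with both an asset class and a cause cluster, tallied along either axis, and then the cause labels are permuted. The asset tally (the only one CIS RAM's expectancy engine consumes, per the page's description) is unchanged by the permutation, while the cause tally, and any skew or allocation check built on it, moves. The six sample fragments and their Safeguard ids are constructed for illustration; the per-cluster counts are the page's chart figures. The exact CIS RAM expectancy arithmetic is not reproduced, only its input axis.

```python
"""Two axes over one control set (added example; sample fragments are constructed)."""
from collections import Counter
from dataclasses import dataclass, replace

# The ten TLCTC cause clusters as named on the page.
CLUSTERS = {
    1: "Abuse of Functions", 2: "Exploiting Server", 3: "Exploiting Client",
    4: "Identity Theft", 5: "Man in the Middle", 6: "Flooding Attack",
    7: "Malware", 8: "Physical Attack", 9: "Social Engineering", 10: "Supply Chain",
}

# Preventive fragment counts per cluster, taken from the page's chart (CIS Controls v8.1).
# The page's callout cites ~105 cause-acting fragments overall; the ten bars sum to 99,
# and that chart total is the denominator used below.
PAGE_TALLY = {2: 19, 4: 17, 1: 12, 7: 12, 3: 9, 9: 9, 8: 8, 10: 7, 5: 5, 6: 1}


@dataclass(frozen=True)
class Fragment:
    safeguard: str  # CIS Safeguard id; the ids below are illustrative, not the real mapping
    asset: str      # CIS asset class (the axis CIS RAM measures)
    cluster: int    # TLCTC cause cluster number (the axis CIS RAM lacks)


# Constructed sample: one asset bucket ("Network") holds three causes, and one
# cause (#2) lands on two asset types. Assumed assignments, for illustration only.
SAMPLE = [
    Fragment("4.1", "Devices", 2),
    Fragment("5.2", "Users", 4),
    Fragment("6.3", "Users", 4),
    Fragment("12.1", "Network", 2),
    Fragment("13.1", "Network", 5),
    Fragment("13.10", "Network", 6),
]


def by_axis(fragments, axis):
    """Tally fragments along one axis: "asset" (CIS view) or "cluster" (TLCTC view)."""
    if axis not in ("asset", "cluster"):
        raise ValueError(f"unknown axis: {axis}")
    return dict(Counter(getattr(f, axis) for f in fragments))


def relabel_causes(fragments, swap):
    """Same fragments with cause-cluster numbers permuted by `swap` (e.g. {2: 6, 6: 2})."""
    return [replace(f, cluster=swap.get(f.cluster, f.cluster)) for f in fragments]


def cause_axis_hidden(fragments, swap):
    """True when permuting causes leaves the asset tally intact but changes the cause tally.

    This is the page's point in executable form: a calculation that only reads the
    asset axis cannot register a change that happens entirely on the cause axis.
    """
    swapped = relabel_causes(fragments, swap)
    return (by_axis(swapped, "asset") == by_axis(fragments, "asset")
            and by_axis(swapped, "cluster") != by_axis(fragments, "cluster"))


def coverage_ratio(tally):
    """(most covered cluster, least covered cluster, ratio) over a cause tally."""
    hi = max(tally, key=tally.get)
    lo = min(tally, key=tally.get)
    return hi, lo, tally[hi] / tally[lo]


def top_n_share(tally, n=2):
    """Fragments sitting on the n most covered clusters, and the tally's total."""
    top = sorted(tally.values(), reverse=True)[:n]
    return sum(top), sum(tally.values())


def allocation_gaps(tally, target):
    """Clusters whose fragment count falls short of an explicitly decided target.

    `target` is the deliberate per-cluster allocation the page argues due care requires;
    the values used in main() are hypothetical.
    """
    return {c: (tally.get(c, 0), want) for c, want in target.items() if tally.get(c, 0) < want}


def main():
    print("asset axis  :", by_axis(SAMPLE, "asset"))
    print("cause axis  :", by_axis(SAMPLE, "cluster"))
    print("cause hidden:", cause_axis_hidden(SAMPLE, {2: 6, 6: 2}))
    hi, lo, ratio = coverage_ratio(PAGE_TALLY)
    print(f"skew        : #{hi} {CLUSTERS[hi]} vs #{lo} {CLUSTERS[lo]} = {ratio:.0f}:1")
    on_top, total = top_n_share(PAGE_TALLY, 2)
    print(f"top-2 share : {on_top} of {total} chart fragments")
    # Hypothetical decided allocation: four preventive fragments for flooding.
    print("gaps        :", allocation_gaps(PAGE_TALLY, {6: 4, 2: 19, 5: 5}))


if __name__ == "__main__":
    main()
```

The two tally functions are the whole demonstration: `by_axis(..., "asset")` is all the expectancy engine ever sees, and `cause_axis_hidden` shows that swapping every server-exploitation fragment with every flooding fragment is invisible to it. `allocation_gaps` is the check the page says due care needs and CIS RAM cannot run, since it takes a per-cause target as input.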

A blind spot is not an error. It is a region the instrument cannot resolve — no matter how carefully you read it.

Why it matters

You might object: maybe server exploitation deserves nineteen controls. Maybe flooding is a one-control problem. Perhaps. But that is a decision a risk framework should let you make — and defend. Right now CIS RAM cannot present the distribution, so the distribution was never decided. It accreted. Each Safeguard was added on its own merits, against an asset-frequency justification, with nothing in the method ever asking "and how does this balance our effort across causes?"

The due-care consequence

Under DoCRA — CIS RAM's own standard — a "reasonable person" balances effort against foreseeable harm. But you cannot demonstrate a balanced, reasonable allocation across threats you cannot enumerate. If a flooding attack causes harm, "we had one control, weighted by asset-class frequency" is not a defense. "We deliberately allocated N controls to flooding because our cause-balanced assessment judged it an N-control risk" is. The first is an accident. The second is due care. Only the cause axis can produce the second.

This is the whole argument, and it is small enough to hold in one hand: CIS RAM can tell you whether a risk is reasonable to accept. It cannot show you how your own defenses are distributed across the causes of those risks — because it measures the wrong axis. The distribution is right there. CIS simply cannot see it.

The fix is free

The cause axis exists. It is ten mutually-exclusive clusters, openly published, CC BY 4.0. Adopt it underneath CIS RAM and nothing of value is lost: Impact × Expectancy stays, the reasonableness test stays, the legal translator stays. What is gained is sight — a control set that can finally see its own shape, name its own gaps, and defend its own balance.

CIS does not need to be replaced. It needs to be able to see.

Read the full argument: Why CIS Cannot Answer Your Cyber Threat Risk · or the evidence: 153 Safeguards → 74 objectives.

Distribution data: full v8.1 → matrix mapping (153 Safeguards). Asset-axis figures from CIS RAM VCDB Index. Cluster-axis figures from the accompanying mapping engine; strategy grain illustrative, pending ratification.