search menu icon-carat-right cmu-wordmark

A Taxonomy of Operational Risks for Cyber Security

In this podcast, James Cebula describes how to use a taxonomy to increase confidence that your organization is identifying cyber security risks.

Software Engineering Institute



Organizations of all sizes in both the public and private sectors are increasingly reliant on information and technology assets, supported by people and facility assets, to successfully execute business processes that, in turn, support the delivery of services. Failure of these assets has a direct, negative impact on the business processes they support. This, in turn, can cascade into an inability to deliver services, which ultimately impacts the organizational mission. Given these relationships, the management of operational cybersecurity-related risks to these assets is a key factor in positioning the organization for success.

In this podcast, Jim Cebula, the Technical Manager of the CERT Cybersecurity Risk Management Team, discusses a taxonomy that provides organizations with a common language and terminology they can use to discuss, document, and mitigate operational cybersecurity risks. The taxonomy identifies and organizes the sources of operational cyber security risk into four classes: (1) actions of people, (2) systems and technology failures, (3) failed internal processes, and (4) external events. This podcast is based on an SEI technical report and blog post.

About the Speaker

Headshot of James Cebula

James J. Cebula

Jim Cebula is an SEI alumni employee.

Jim Cebula is the Technical Manager of the Cybersecurity Risk Management Team within the CERT Division at the Software Engineering Institute (SEI), a unit of Carnegie Mellon University in Pittsburgh, PA. Jim's current work focuses on risk management and information resilience, critical infrastructure …

Read more
Headshot of Julia Allen.

Julia H. Allen

Julia Allen is an SEI alumni employee.

Julia Allen is a principal researcher within the CERT® Division at the Software Engineering Institute (SEI), a unit of Carnegie Mellon University in Pittsburgh, PA. Allen’s areas of interest include operational resilience, security governance, and measurement and analysis. Prior to this technical assignment, …

Read more