Faced with a rapidly growing volume and range of cyber attacks, policymakers and
organizational leaders have had difficulty setting priorities, allocating resources, and
responding effectively without a standard way to categorize cyber events and estimate
their consequences. Presidential Policy Directive 41 laid out the Obama
administration’s principles for executive branch responses to significant cyber incidents
in the public or private sector. But it neither drew important distinctions between
different types of cyber incidents, nor gave a standard way to determine where a
particular incident falls on its 0-5 point severity scale. This policy brief demonstrates
how an analytical framework developed at the Center for International and Security
Studies at the University of Maryland (CISSM) can help address these problems. It first
differentiates between low-level incidents and more significant cyber events that result
in exploitation of information, disruption of operations, or both. It categorizes five
types of disruptive events and analyzes 2,030 cyber events in a dataset developed from
media sources, showing that cyber exploitation remains more common than disruption,
and that most disruptive activity fits into two categories: message manipulation and
external denial of service attacks. Finally, the brief offers a standard method to assess
the severity of different categories of disruptive attacks against different kinds of
organizations based on the scope, magnitude, and duration of the event. This Cyber
Disruption Index (CDI) is then applied to survey data on Distributed Denial of Service
(DDoS) attacks in the private sector to assess severity within a common category of
disruptive events. Of 3,900 cases reported, only 5 events (less than 1% of the DDoS
cases) had a combined scope, magnitude, and duration severe enough to be a priority
for prevention and potentially warrant government involvement.