The Cyber Harm Framework

In recent years, we have begun to observe an increase in the breadth and scope of cyber-attacks. With that increase, we also see an increase in the severity of the harms incurred. As a result, the GCSCC has developed a complementary and robust model for understanding the harm experienced by nations as a result of attacks.

Our focus on cyber harms has led to a synthesis of literature on this topic and the launch of a series of case studies of the actual harms identified in specific instances. The results aim to facilitate countries’ understanding of what is at stake and how harm can be reduced, such as by enabling better prioritisation of capacity investments towards harm reduction. The aim is to inform countries on cost-effective measures for the prevention and mitigation of demonstrable cyber-enabled harms, including indirect or secondary effects.

Our approach to case studies that focus on well-reported incidents will enable us to map the level and extent of harms, as opposed to simply speculating about likely harms. Some of the elements observed in each of these case studies include:

  • Specific harm and cost components of the impact experienced by the entity
  • Financial impact of the cost and harm components
  • Impact duration
  • Order of effect (direct or indirect, i.e. incident-impact distance)
  • Interdependencies enabling harm cascades and correlated vulnerabilities

The findings from these case studies are currently facilitating the refinement and inductive refresh of the core elements of a Cyber Harm Framework (CHF).


GCSCC publications on the topic:

Agrafiotis, I., Nurse, J.R.C., Goldsmith, M., Creese, S., Upton, D. (2018), ‘A Taxonomy of Cyber-harms: Defining the Impacts of Cyber-attacks and Understanding How They Propagate’, Journal of Cybersecurity, v 4 n 1, p.1-15.  nd Understanding How They Propagate’, Journal of Cybersecurity, v 4 n 1, p.1-15. [Accessed 4 November 2019]


Agrafiotis, I., Bada, M., Cornish, P., Creese, S. Goldsmith, M., Ignatuschtschenko, E., Roberts, T. and Upton, D. M. (2016). Cyber Harm: Concepts, Taxonomy and Measurement - Working Paper 2016-23. Available from: [Accessed 15 August 2019]