The cybersecurity field faces a critical challenge in how standards and frameworks reference each other, creating a web of circular definitions that undermines effective cyber risk management. This "standards cross-reference problem" manifests across all major standards, frameworks, and methodologies.
The issue is pervasive across both international standards and specialized frameworks. ISO 27001 and ISO 27005, despite incorporating "cybersecurity" in their titles, fail to provide explicit definitions of cyber threats or offer structured categorization. Instead, ISO 27005 provides a general definition of "threat" in the context of information security and lists examples that mix actual cyber threats with broader IT risks and control failures.
MITRE ATT&CK, while excellent at documenting tactical techniques, lacks a high-level strategic framework for threat categorization and overemphasizes post-compromise techniques. STRIDE, another widely used framework, mixes fundamentally different concepts - combining actions (like Spoofing) with outcomes (like Information Disclosure) and security properties (like Repudiation), creating confusion in threat modeling and risk assessment.
This inconsistency extends to other major frameworks. The NIST Cybersecurity Framework (CSF), despite its cyber-specific focus, points to NIST SP 800-30 for threat definitions - a document that provides a general information security perspective rather than cyber-specific categorization. ETSI TR 103 331, focused on cyber security and threat information sharing, neither provides its own definition of cyber threats nor offers structured categorization. ENISA's threat landscape mixes IT system types with threats, while OWASP conflates vulnerabilities with outcomes.
This cross-referencing creates several critical issues:
The impact on operational cybersecurity is severe. Organizations attempting to integrate multiple approaches (such as ISO 27001, NIST CSF, MITRE ATT&CK, and STRIDE) find themselves navigating a maze of cross-references and conflicting categorizations. Security teams struggle to map threats across frameworks, leading to gaps in coverage and inefficient resource allocation. This becomes particularly challenging when trying to connect strategic risk management with tactical security operations.
The solution requires breaking this cycle of circular references by establishing clear, logically derived definitions and categories for cyber threats. Rather than continuing the pattern of cross-referencing and mixing different security concepts, the cybersecurity community needs a framework that provides fundamental definitions and structured categorization based on generic vulnerabilities, enabling consistent understanding and application across different standards and frameworks.