Towards a new cyber threat actor typology

Abstract

For some years a cyber threat actor typology is used in the annual Cyber Security Assessment Netherlands. It has evolved over time and captures a set of actors with different motives, intentions and capabilities. In view of its age and rather intuitive development process, it is considered whether the current typology needs to be updated and improved in light of recent insights from science and cyber security practice. This report sets out to develop a new and systematic method to enable the National Cyber Security Centre (NCSC) of the National Coordinator for Security and Counterterrorism (NCTV) to continuously update its cyber actor typology. Section 3.5 contains a concise description of the framework, to be used as a standalone document. As part of the method description, a tentative new typology is developed. This can be found in Section 5.3. The research questions which accompany the project goals were: To what extent is the current cyber actor typology validated by recent insights fromscience and cyber security practice and what design criteria for a new cyber actortypology can be identified? What method to develop a cyber actor typology satisfies the identified design criteriaand enhances or enriches the current cyber actor typology different cyber actors? To what extent can a typology be constructed based upon state-of-the art knowledgeon cyber actors and empirical data on cyber incidents, and what would the resultingtypology look like? CONTENT: 1. Introduction 2. Designing a method for a cyber threat actor typology 3. The deductive approach - threat actor typology framework 4. The inductive approach - data analysis 5. A tentative new threat actor typology