Annex N
A two-tier cause taxonomy used to classify the root cause of an incident. Level 1 categories appear as group rows with no description; the Level 2 types listed beneath each are the values to select. Identifying the primary cause type is essential at the Final phase. Multiple causes may be identified.
| Level 1 / Level 2 | Description |
|---|---|
| Internal Process Failures | |
| Process Design Failure | A process was inadequately designed — it lacked necessary controls, was incomplete, or contained structural flaws that allowed the incident to occur. |
| Process Execution Failure | A process that was correctly designed was not followed or was applied incorrectly, leading to the incident. |
| Change Management Failure | A failure in the processes governing changes to systems, processes, or configurations — including inadequate testing, approval, or rollback procedures. |
| Governance Failure | Inadequate or absent governance, oversight, or accountability structures that contributed to or failed to prevent the incident. |
| Unspecified Internal Process Failure | The incident resulted from an internal process failure, but the specific type has not been determined. |
| Human Causal Factors | |
| Human Error | An unintentional mistake by a person — such as a misconfiguration, accidental deletion, or incorrect action — that caused or contributed to the incident. |
| Skills and Knowledge Failure | Insufficient training, expertise, or awareness meant that staff were unable to prevent, identify, or correctly respond to the incident. |
| Occupational Health and Safety | A workplace health or safety issue — including staff incapacitation, illness, or inability to access work — that affected the entity's operational resilience. |
| Unspecified Human Causal Factor | The incident was caused by a human factor, but the specific type has not been determined. |
| Information System Failures | |
| Hardware Failure | A failure of physical ICT or OT components — including servers, storage, networking equipment, or other devices — that caused or contributed to the incident. |
| Software Failure | A defect, bug, or unexpected behaviour in software — including applications, operating systems, or firmware — that caused or contributed to the incident. |
| Network Failure | A failure in the communications infrastructure — including network connectivity, routing, or telecommunications services — that caused or contributed to the incident. |
| Data Failure | A failure relating to the integrity, availability, or quality of data — including data corruption, loss, or inconsistency — that caused or contributed to the incident. |
| Capacity Failure | Systems or infrastructure were unable to handle the volume, load, or demand placed on them — resulting in degradation, failure, or outage. |
| Unspecified Information System Failure | The incident was caused by an information system failure, but the specific type has not been determined. |
| External Dependency Failures | |
| Third-party Failure | A failure by an external service provider, supplier, or outsourcing partner — including cloud providers, managed services, or critical vendors — that caused or contributed to the incident. |
| Utility Failure | A failure in essential utility services such as power, water, cooling, or telecommunications that the entity depends on. |
| Market Infrastructure Failure | A failure in financial market infrastructure — such as payment systems, central counterparties, or exchanges — that caused or contributed to the incident. |
| Unspecified External Dependency Failure | The incident was caused by an external dependency failure, but the specific type has not been determined. |
| Hazards | |
| Natural Hazard | A naturally occurring event — such as a flood, earthquake, storm, or pandemic — that caused or contributed to the incident. |
| Environmental Hazard | An environmental event or condition not primarily natural in origin — such as fire, chemical contamination, or a similar physical hazard — that affected the entity's operations. |
| Unspecified Hazard | The incident was caused by a hazard, but the specific type has not been determined. |
| Malicious Acts | |
| DoS / DDoS | A denial-of-service or distributed denial-of-service attack intended to overwhelm systems or services and render them unavailable. |
| Identity Theft | The fraudulent acquisition and use of another person's or entity's identity or credentials. |
| Insider Threat | A malicious act carried out by a current or former employee, contractor, or other party with inside access to the entity's systems or information. |
| Malware | Malicious software — including viruses, trojans, spyware, or worms — deployed to compromise, damage, or gain unauthorised access to systems or data. |
| Physical Manipulation, Damage, Theft and Loss | Physical tampering with, damage to, theft of, or loss of assets — including tampering with hardware, theft or loss of devices, or physical destruction of infrastructure. |
| Ransomware | A type of malware that encrypts or locks systems or data and demands payment for restoration of access. |
| Resource Hijacking | Unauthorised use of the entity's computing resources — for example, cryptomining or botnet enlistment — without disrupting the entity's own operations. |
| Social Engineering (including Phishing) | Manipulation of individuals into divulging information or performing actions that compromise security — including phishing, vishing, and other deception techniques. |
| Spam | Unsolicited bulk communications used to deliver malicious content, overwhelm communications channels, or facilitate other attacks. |
| Web Application Targeting | Attacks targeting web applications and their vulnerabilities — including SQL injection, cross-site scripting (XSS), and exploitation of application-layer weaknesses. |
| Unspecified Malicious Act | The incident was caused by a malicious act, but the specific type has not been determined. |