From c7c721d2b088e179208692f7f39ab00808c07caa Mon Sep 17 00:00:00 2001 From: iglocska Date: Wed, 18 Jul 2018 15:53:41 +0200 Subject: [PATCH] Rework of the NIS taxonomy --- nis-impact/README.md | 49 ----------- nis-nature/.machinetag.json.swp | Bin 12288 -> 0 bytes nis-nature/README.md | 49 ----------- nis-nature/machinetag.json | 69 ---------------- nis/README.md | 9 ++ {nis-impact => nis}/machinetag.json | 124 ++++++++++++++++++++++++---- 6 files changed, 116 insertions(+), 184 deletions(-) delete mode 100644 nis-impact/README.md delete mode 100644 nis-nature/.machinetag.json.swp delete mode 100644 nis-nature/README.md delete mode 100755 nis-nature/machinetag.json create mode 100644 nis/README.md rename {nis-impact => nis}/machinetag.json (50%) diff --git a/nis-impact/README.md b/nis-impact/README.md deleted file mode 100644 index 8bdaf67..0000000 --- a/nis-impact/README.md +++ /dev/null @@ -1,49 +0,0 @@ -# Admiralty Scale - -The Admiralty Scale (also called the NATO System) is used to rank the reliability of a source and -the credibility of an information. - -## Source Reliability - -
-
A
-
Completely reliable
-
B
-
Usually reliable
-
C
-
Fairly reliable
-
D
-
Not usually reliable
-
E
-
Unreliable
-
F
-
Reliability cannot be judged
-
- -## Information Credibility - -
-
1
-
Confirmed by other sources
-
2
-
Probably true
-
3
-
Possibly true
-
4
-
Doubtful
-
5
-
Improbable
-
6
-
Truth cannot be judged
-
- -# Machine-parsable Admiralty Scale - -The repository contains a [JSON file including the machine-parsable tags](machinetag.json) -along with their human-readable description. The software can use both -representation on the user-interface and store the tag as machine-parsable. - -~~~~ -admiralty-scale:source-reliability="b" -~~~~ - diff --git a/nis-nature/.machinetag.json.swp b/nis-nature/.machinetag.json.swp deleted file mode 100644 index 346dc5f66362434ee8a607a4bc11dbe74ac31f1a..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12288 zcmeI2J&YSg7>4KI2!A0UP}0y0MyarUmjF@}1Oh3bAaQ`W@FSuijd#c1!Mih?nOXZx zh|*BeQPZWMqM}a?1rjY45)w59O`=GNcxQIkx9hXH%cTk$OYhm<-P!%VXTG1YZU&p5 zyt_ru^fw7!&k*uc|AUKfkj=I9Ekd+X)*asOB}S==%$W5qBtniqWO47pD`)%-+aos; zmGO=G>Wxg8yl2^tk}4D2Y)D~xlG#G@jf_RO6}N2E|I#SgzD@WR2m}I$BJdP>`SdBD znJ;!;pwB(~@uBV#1_c6vKp+qZ1OkCTAP@)y0)fDTNxV0kDz4{v7 z0)apv5C{YUfj}S-2m}IwKp+qZ1OkCT-~lASVnTkwkN;Z_!+8AvzyAGy_h~}@gkFbw z(DTr7=+-epeuF-TwxKQPG;{>I^CTfRp?{#ipg*7+(2vk{=xb;j`t}Jzu0aK~1$7|v zI3Wr21@szp92z`E$fwX2bP~G#C?RK|4d^6v`v@VwLMNc3&^mPI5!e9z4*d+>fUZN| zKyN~?LN7tbpug7%`2qSK`VN{vpFt;}qtH5Z7hG;bj?YcUD7*rJ{{exkgwjh8rS6k^ zmEYW_`iT47iMffi$gNPabC!1AQ&VdAgll1EU79P)r4=ltBFkB1sW3EE(|(7zvE{47 zcXB3U9=qY^#VF}?Nqr9YpRlyx?o`q~b!C3h)ztc75>ADTM2ttd z*^UcNt)h&^!sx<>2~|UUw~5d(&6&0{P|y<*@h(lpnB!bwMT+?8(|44ne1~Ou>JH~> z$~BD&+od?pBpzhB#x^jj3Ty?#cy6OUwOWiu9FE}`yT+{Mh+S!OONLCO*kEQF)7gwc zZ*=@+9%wYObS{~}s2{H*c zFQV;l~wP%oth1k*ou^@Oz+jEH?O;2ELDn@1*Z&=Dqg0-CMX&x zF0O*W%!naEOe;1(EnzyI0uZh4V*1q1J7FvBkUcRksR<)>T=XXwH1W_lbszFJ#$R z5L;Sh;A44|NMEdSu1${o6cey=qZgM6eeY;TvWy!n&;25Bcb7d*ULpSi DFhvT` diff --git a/nis-nature/README.md b/nis-nature/README.md deleted file mode 100644 index 8bdaf67..0000000 --- a/nis-nature/README.md +++ /dev/null @@ -1,49 +0,0 @@ -# Admiralty Scale - -The Admiralty Scale (also called the NATO System) is used to rank the reliability of a source and -the credibility of an information. - -## Source Reliability - -
-
A
-
Completely reliable
-
B
-
Usually reliable
-
C
-
Fairly reliable
-
D
-
Not usually reliable
-
E
-
Unreliable
-
F
-
Reliability cannot be judged
-
- -## Information Credibility - -
-
1
-
Confirmed by other sources
-
2
-
Probably true
-
3
-
Possibly true
-
4
-
Doubtful
-
5
-
Improbable
-
6
-
Truth cannot be judged
-
- -# Machine-parsable Admiralty Scale - -The repository contains a [JSON file including the machine-parsable tags](machinetag.json) -along with their human-readable description. The software can use both -representation on the user-interface and store the tag as machine-parsable. - -~~~~ -admiralty-scale:source-reliability="b" -~~~~ - diff --git a/nis-nature/machinetag.json b/nis-nature/machinetag.json deleted file mode 100755 index d159d99..0000000 --- a/nis-nature/machinetag.json +++ /dev/null 
@@ -1,69 +0,0 @@
-{
- "namespace": "nis-nature",
- "description": "This taxonomy is used to classify the nature of the incident, i.e. the type of threat that triggered the incident, the severity of that threat.",
- "version": 1,
- "predicates": [
- {
- "value": "root-cause",
- "expanded": "Root cause category",
- "description": "The Root cause category is used to indicate what type event or threat triggered the incident."
- },
- {
- "value": "severity",
- "expanded": "Severity of the threat",
- "description": "The severity of the threat is used to indicate, from a technical perspective, the potential impact, the risk associated with the threat. For example, the severity is high if an upcoming storm is exceptionally strong, if an observed DDoS attack is exceptionally powerful, or if a software vulnerability is easily exploited and present in many different systems. For example, in certain situations a critical software vulnerability would require concerted and urgent work by different organizations."
- }
- ],
- "values": [
- {
- "predicate": "root-cause",
- "entry": [
- {
- "value": "system-failures",
- "expanded": "System failures",
- "description": "The incident is due to a failure of a system, i.e. without external causes. For example a hardware failure, software bug, a flaw in a procedure, etc. triggered the incident."
- },
- {
- "value": "natural-phenomena",
- "expanded": "Natural phenomena",
- "description": "The incident is due to a natural phenomenon. For example a storm, lightning, solar flare, flood, earthquake, wildfire, etc. triggered the incident."
- },
- {
- "value": "human-errors",
- "expanded": "Human errors",
- "description": "The incident is due to a human error, i.e. system worked correctly, but was used wrong. For example, a mistake, or carelessness triggered the incident."
- },
- {
- "value": "malicious-actions",
- "expanded": "Malicious actions",
- "description": "The incident is due to a malicious action. For example, a cyber-attack or physical attack, vandalism, sabotage, insider attack, theft, etc., triggered the incident."
- },
- {
- "value": "third-party-failures",
- "expanded": "Third party failures",
- "description": "The incident is due to a disruption of a third party service, like a utility. For example a power cut, or an internet outage, etc. triggered the incident."
- }
- ]
- },
- {
- "predicate": "severity",
- "entry": [
- {
- "value": "high",
- "expanded": "High",
- "description": "High severity, potential impact is high."
- },
- {
- "value": "medium",
- "expanded": "Medium",
- "description": "Medium severity, potential impact is medium."
- },
- {
- "value": "high",
- "expanded": "High",
- "description": "Low severity, potential impact is low."
- }
- ]
- }
- ]
-}
diff --git a/nis/README.md b/nis/README.md
new file mode 100644
index 0000000..748bdbc
--- /dev/null
+++ b/nis/README.md
@@ -0,0 +1,9 @@
+# NIS Cybersecurity Incident Taxonomy
+
+The taxonomy is meant for large scale cybersecurity incidents, as mentioned in the Commission Recommendation of 13 September 2017, also known as the blueprint. It has two core parts: The nature of the incident, i.e. the underlying cause, that triggered the incident, and the impact of the incident, i.e. the impact on services, in which sector(s) of economy and society.
+
+The repository contains a [JSON file including the machine-parsable tags](machinetag.json)
+along with their human-readable description. The software can use both
+representation on the user-interface and store the tag as machine-parsable.
+
+
diff --git a/nis-impact/machinetag.json b/nis/machinetag.json
similarity index 50%
rename from nis-impact/machinetag.json
rename to nis/machinetag.json
index 54190c9..c9f2d2c 100755
--- a/nis-impact/machinetag.json
+++ b/nis/machinetag.json
@@ -1,27 +1,46 @@
 {
- "namespace": "nis-impact",
- "description": "This taxonomy is used to classify the impact of the incident, i.e. the impact it has on services, in which sector(s) of the economy and society.",
+ "namespace": "nis",
+ "description": "The taxonomy is meant for large scale cybersecurity incidents, as mentioned in the Commission Recommendation of 13 September 2017, also known as the blueprint. It has two core parts: The nature of the incident, i.e. the underlying cause, that triggered the incident, and the impact of the incident, i.e. the impact on services, in which sector(s) of economy and society.",
 "version": 1,
 "predicates": [
 {
- "value": "sectors-impacted",
+ "value": "impact-sectors-impacted",
 "expanded": "Sectors impacted",
 "description": "The impact on services, in the real world, indicating the sectors of the society and economy, where there is an impact on the services."
 },
 {
- "value": "severity",
+ "value": "impact-severity",
 "expanded": "Severity of the impact",
- "description": "The severity of the impact, nationally, in the real world, for society and/or the economy, i.e. the level of disruption for the country or a large region of the country, the level of risks for health and/or safety, the level of physical damages and/or financial costs."
+ "description": "The severity of the impact, nationally, in the real world, for society and/or the economy, i.e. the level of disruption for the country or a large region of the country, the level of risks for health and/or safety, the level of physical damages and/or financial costs.",
+ "exclusive": true
 },
 {
- "value": "outlook",
+ "value": "impact-outlook",
 "expanded": "Outlook",
- "description": "The outlook for the incident, the prognosis, for the coming hours, considering the impact in the real world, the impact on services, for the society and/or the economy"
+ "description": "The outlook for the incident, the prognosis, for the coming hours, considering the impact in the real world, the impact on services, for the society and/or the economy",
+ "exclusive": true
+ },
+ {
+ "value": "nature-root-cause",
+ "expanded": "Root cause category",
+ "description": "The Root cause category is used to indicate what type event or threat triggered the incident.",
+ "exclusive": true
+ },
+ {
+ "value": "nature-severity",
+ "expanded": "Severity of the threat",
+ "description": "The severity of the threat is used to indicate, from a technical perspective, the potential impact, the risk associated with the threat. For example, the severity is high if an upcoming storm is exceptionally strong, if an observed DDoS attack is exceptionally powerful, or if a software vulnerability is easily exploited and present in many different systems. For example, in certain situations a critical software vulnerability would require concerted and urgent work by different organizations.",
+ "exclusive": true
+ },
+ {
+ "value": "test",
+ "expanded": "Test",
+ "description": "A test predicate meant to test interoperability between tools. Tags contained within this predicate are to be ignored."
 }
 ],
 "values": [
 {
- "predicate": "sectors-impacted",
+ "predicate": "impact-sectors-impacted",
 "entry": [
 {
 "value": "energy",
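Review bot: The `test` predicate added at the end of `predicates` is marked as ignorable only by its free-text description ("Tags contained within this predicate are to be ignored."), and nothing else in the visible structure distinguishes it from the real classification predicates. A tool that has not been taught about it would presumably display, export and correlate tags under `test` like any other incident classification. The new nis/README.md does not mention the predicate at all, so I would add a sentence there such as `The test predicate exists only for interoperability testing; consumers must ignore any tag under it.` The `values` array opened in this hunk continues outside it.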
@@ -81,47 +100,118 @@
 ]
 },
 {
- "predicate": "severity",
+ "predicate": "impact-severity",
 "entry": [
 {
 "value": "red",
 "expanded": "Red",
- "description": "Very large impact"
+ "description": "Very large impact",
+ "colour": "#CC0033"
 },
 {
 "value": "yellow",
 "expanded": "Yellow",
- "description": "Large impact."
+ "description": "Large impact.",
+ "colour": "#FFC000"
 },
 {
 "value": "green",
 "expanded": "Green",
- "description": "Minor impact."
+ "description": "Minor impact.",
+ "colour": "#339900"
 },
 {
 "value": "white",
 "expanded": "White",
- "description": "No impact."
+ "description": "No impact.",
+ "colour": "#ffffff"
 }
 ]
 },
 {
- "predicate": "outlook",
+ "predicate": "impact-outlook",
 "entry": [
 {
 "value": "improving",
 "expanded": "Improving",
- "description": "Severity of impact is expected to decrease in the next 6 hours."
+ "description": "Severity of impact is expected to decrease in the next 6 hours.",
+ "colour": "#339900"
 },
 {
 "value": "stable",
 "expanded": "Stable",
- "description": "Severity of impact is expected to remain the same in the 6 hours."
+ "description": "Severity of impact is expected to remain the same in the 6 hours.",
+ "colour": "#FFC000"
 },
 {
 "value": "worsening",
 "expanded": "Worsening",
- "description": "Severity of impact is expected to increase in the next 6 hours."
+ "description": "Severity of impact is expected to increase in the next 6 hours.",
+ "colour": "#CC0033"
+ }
+ ]
+ },
+ {
+ "predicate": "nature-root-cause",
+ "entry": [
+ {
+ "value": "system-failures",
+ "expanded": "System failures",
+ "description": "The incident is due to a failure of a system, i.e. without external causes. For example a hardware failure, software bug, a flaw in a procedure, etc. triggered the incident."
+ },
+ {
+ "value": "natural-phenomena",
+ "expanded": "Natural phenomena",
+ "description": "The incident is due to a natural phenomenon. For example a storm, lightning, solar flare, flood, earthquake, wildfire, etc. triggered the incident."
+ },
+ {
+ "value": "human-errors",
+ "expanded": "Human errors",
+ "description": "The incident is due to a human error, i.e. system worked correctly, but was used wrong. For example, a mistake, or carelessness triggered the incident."
+ },
+ {
+ "value": "malicious-actions",
+ "expanded": "Malicious actions",
+ "description": "The incident is due to a malicious action. For example, a cyber-attack or physical attack, vandalism, sabotage, insider attack, theft, etc., triggered the incident."
+ },
+ {
+ "value": "third-party-failures",
+ "expanded": "Third party failures",
+ "description": "The incident is due to a disruption of a third party service, like a utility. For example a power cut, or an internet outage, etc. triggered the incident."
+ }
+ ]
+ },
+ {
+ "predicate": "nature-severity",
+ "entry": [
+ {
+ "value": "high",
+ "expanded": "High",
+ "description": "High severity, potential impact is high.",
+ "colour": "#CC0033"
+ },
+ {
+ "value": "medium",
+ "expanded": "Medium",
+ "description": "Medium severity, potential impact is medium.",
+ "colour": "#FFC000"
+ },
+ {
+ "value": "high",
+ "expanded": "High",
+ "description": "Low severity, potential impact is low.",
+ "colour": "#339900"
+ }
+ ]
+ },
+ {
+ "predicate": "test",
+ "entry": [
+ {
+ "value": "test",
+ "expanded": "Test",
+ "description": "Test value meant for testing interoperability. Tags with this value are to be ignored.",
+ "colour": "#F81894"
 }
 ]
 }
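Review bot: The third entry added under `nature-severity` repeats `"value": "high"` and `"expanded": "High"`, although its description reads "Low severity, potential impact is low." and its colour is the green `#339900`. The predicate therefore has two `high` values and no `low`, so a low-severity threat cannot be tagged distinctly. A consumer that keys entries by value would presumably keep only one of the two, with either the red or the green colour. That entry should read `"value": "low",` and `"expanded": "Low",`. The same duplicate is visible in the deleted nis-nature/machinetag.json, so it looks carried over by the merge rather than newly introduced.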