The Framework Efficiency Test: Are You Spending More But Getting Less Secure?

You have your frameworks. NIST CSF is on one screen, ISO 27002 on another, maybe with a sprinkle of MITRE D3FEND or CIS Controls v8 for good measure. You’ve spent countless hours mapping controls, assessing risks, and reporting on compliance. Yet a nagging question remains: with all these overlapping, complex, and often rigid guidelines, what are we still missing?

The reality is that while these standards are essential, they were not built in a unified way. They have different structures, limited scopes, and can be incredibly complex to apply consistently. This complexity creates gaps: subtle but critical vulnerabilities that can go unnoticed until it’s too late.

But what if there was a way to consolidate the strengths of all these frameworks into one, streamlined model?

In an article published in 2025, researchers did just that. They tackled the persistent problems of complexity and non-standardization by building a new, unified taxonomy of cybersecurity countermeasures. The result, called the Cyber Risk Treatment Taxonomy (CRTT), is more than just an academic exercise. When put to the test in a real-world, high-stakes environment, it exposed critical blind spots that a mature, well-resourced security program had overlooked.

The Problem: Why Juggling Frameworks Isn’t Working

The research begins by validating the frustrations many security leaders feel daily. An analysis of ten major countermeasure taxonomies, including those from NIST, ISO, and MITRE, identified five core problems:

  1. Complexity: Many frameworks are convoluted and difficult for teams to use effectively.
  2. Non-Standardization: Inconsistent structures make it nearly impossible to compare or share information between systems.
  3. Non-Adaptability: They are often too rigid to be tailored to an organization’s specific needs.
  4. Limited Scope: Many focus heavily on technical assets, neglecting critical areas like suppliers, people, and organizational governance.
  5. Rapid Obsolescence: They struggle to keep pace with the constant evolution of cybersecurity threats.

These issues mean that even the most diligent CISO is operating with an incomplete picture.

A Unified Solution: Introducing the Cyber Risk Treatment Taxonomy (CRTT)

To solve these issues, the researchers built the CRTT by consolidating the best elements from ten of the world’s most recognized taxonomies. It’s not about replacing NIST or ISO, but about creating a comprehensive and practical lens through which to view your entire control environment.

The CRTT is structured around five core business classes, covering assets that other frameworks often sideline:

  • Process (Physical security, change management, operations)
  • Technology (Improving, preventing, mitigating, and removing risk)
  • People (Access control, teleworking, awareness and training)
  • Governance & Management (Policies, incident management, business continuity)
  • Suppliers (Service agreements, third-party security, regulatory compliance)

The CISO’s Roadmap: Tiered Controls for Strategic Maturity

Crucially, the CRTT’s 229 countermeasures are not just a flat list. They are categorized into three levels of implementation, providing a clear roadmap for any organization, regardless of its current maturity:

  • Direct (Mandatory): The 100 essential countermeasures every organization must have.
  • Compensatory (Required): The 70 countermeasures needed to cover failures in direct controls, designed for a medium maturity level.
  • Safeguard (Desirable): The 59 advanced countermeasures for minimizing impact after a risk has materialized, designed for highly mature programs.

This tiered approach allows CISOs to move beyond a simple “compliant/non-compliant” mindset and build a strategic plan for continuous improvement.

The Proof: What the CRTT Uncovered at an International Bank

This is where theory meets reality. The researchers applied the CRTT in a year-long case study within the Identity and Access Management (IAM) department of an international bank: an organization with a mature security model based on NIST CSF and ISO 27001.

The user lifecycle process under review was critical, tied directly to the institution’s financial statements and subject to intense scrutiny from auditors. The bank already had 12 countermeasures in place for it.

After applying the CRTT, the team identified an additional six critical countermeasures that were completely missing from the bank’s existing program:

  1. Review system trust relationships.
  2. Mandatory access control.
  3. Supplier ABC controls.
  4. Local account monitoring.
  5. Web session activity analysis.
  6. Session duration analysis.

The discovery of these gaps in such a critical process was a significant finding. The bank’s internal control area validated the results and immediately created a two-year action plan to implement the missing controls and strengthen the existing ones. The organization considered the CRTT a valuable resource and decided to continue applying it in a pilot program.
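The tiered roadmap described above and the bank's gap analysis both come down to the same exercise: map what is implemented against a catalogue whose entries carry a business class and an implementation level, then read off what is missing, in which tier, and where that leaves the program on the maturity ladder. The script below is an added example, not code from the paper or this post. Its catalogue is constructed: the IDs, the business-class and tier assignments, and the "implemented" list are assumptions made for illustration (some names are taken from the six gaps listed above, but the paper's tiering of them is not on this page, so it is not reproduced here), and it covers ten hypothetical countermeasures rather than the real 229.

```python
"""Gap analysis against a tiered countermeasure catalogue in the CRTT style.

Added example, not code from the paper or the blog post. The catalogue below is
constructed: IDs, business-class and tier assignments are assumptions made for
illustration, not the real 229 CRTT entries.
"""
from collections import defaultdict
from dataclasses import dataclass

# Implementation levels in priority order: Direct (mandatory), Compensatory
# (required, medium maturity), Safeguard (desirable, high maturity).
TIERS = ("direct", "compensatory", "safeguard")


@dataclass(frozen=True)
class Countermeasure:
    cm_id: str
    name: str
    business_class: str  # one of the five CRTT classes
    tier: str            # one of TIERS


# Constructed catalogue for a user-lifecycle (IAM) process. Some names appear in
# the post; the IDs, tiers and classes are assumed, not taken from the paper.
CATALOGUE = (
    Countermeasure("GOV-01", "Joiner/mover/leaver policy", "Governance & Management", "direct"),
    Countermeasure("PRC-01", "Access request approval workflow", "Process", "direct"),
    Countermeasure("PRC-02", "Periodic access recertification", "Process", "direct"),
    Countermeasure("TEC-01", "Mandatory access control", "Technology", "direct"),
    Countermeasure("TEC-02", "Review system trust relationships", "Technology", "direct"),
    Countermeasure("TEC-03", "Local account monitoring", "Technology", "compensatory"),
    Countermeasure("TEC-04", "Web session activity analysis", "Technology", "compensatory"),
    Countermeasure("TEC-05", "Session duration analysis", "Technology", "safeguard"),
    Countermeasure("PPL-01", "Privileged user awareness training", "People", "compensatory"),
    Countermeasure("SUP-01", "Supplier ABC controls", "Suppliers", "compensatory"),
)


def gap_analysis(catalogue, implemented_ids):
    """Compare implemented countermeasure IDs with the catalogue.

    Returns per-tier (covered, total) counts, the missing countermeasures
    ordered by tier priority, and any implemented IDs that are not in the
    catalogue (usually a mapping error to fix before trusting the numbers).
    """
    implemented = set(implemented_ids)
    known = {cm.cm_id for cm in catalogue}
    covered = defaultdict(int)
    total = defaultdict(int)
    missing = []
    for cm in catalogue:
        total[cm.tier] += 1
        if cm.cm_id in implemented:
            covered[cm.tier] += 1
        else:
            missing.append(cm)
    # Mandatory gaps first, then grouped by business class for a readable plan.
    missing.sort(key=lambda cm: (TIERS.index(cm.tier), cm.business_class, cm.cm_id))
    return {
        "coverage": {t: (covered[t], total[t]) for t in TIERS},
        "missing": missing,
        "unknown_ids": sorted(implemented - known),
    }


def maturity_level(coverage):
    """Map tier coverage to the roadmap stage the post describes.

    Direct controls must be complete before compensatory ones count, and both
    before safeguards do: one missing mandatory control keeps the organization
    below the basic level no matter how many advanced controls it has.
    """
    gates = (("direct", "below basic"), ("compensatory", "basic"), ("safeguard", "medium"))
    for tier, level in gates:
        done, needed = coverage[tier]
        if done < needed:
            return level
    return "high"


def action_plan(missing):
    """Group missing countermeasures by tier, then by business class, so the plan
    starts with mandatory gaps and makes visible the classes other frameworks
    tend to sideline (suppliers, people, governance)."""
    plan = {t: defaultdict(list) for t in TIERS}
    for cm in missing:
        plan[cm.tier][cm.business_class].append(cm.name)
    return {t: dict(classes) for t, classes in plan.items() if classes}


if __name__ == "__main__":
    # Constructed: the organization has mapped only part of the catalogue, and
    # one of its recorded control IDs ("TEC-99") does not exist in it.
    implemented = ["GOV-01", "PRC-01", "PRC-02", "PPL-01", "TEC-99"]
    result = gap_analysis(CATALOGUE, implemented)
    print("coverage:", result["coverage"])
    print("maturity:", maturity_level(result["coverage"]))
    print("unmapped IDs:", result["unknown_ids"])
    for tier, classes in action_plan(result["missing"]).items():
        for business_class, names in classes.items():
            print(f"{tier:>12} | {business_class:<24} | {', '.join(names)}")
```

Two design points matter for a real run. The unknown-ID check is there because a gap analysis is only as good as the mapping beneath it: a control recorded under an identifier the catalogue does not know inflates coverage silently. And the maturity gate is deliberately strict, so that a program with several safeguard-level controls but one missing direct control still reports "below basic", which is the strategic message of the tiering rather than a "compliant/non-compliant" score.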

Your Next Strategic Move

The lesson here is not that existing frameworks are useless, but that relying on them in isolation creates inherent blind spots. The CRTT provides a powerful new tool for CISOs to conduct a meta-analysis of their control environment, identify gaps that even mature programs miss, and build a more resilient and comprehensive security posture. It’s a way to finally see the whole picture.


For Further Reading:

This blog post is based on the insights and analysis presented in the article: Sánchez-García, I. D., San Feliu, T., & Calvo-Manzano, J. A. (2025). “Building a cyber risk treatment taxonomy”. Cluster Computing, 28, 205. Published online 21 January 2025. https://doi.org/10.1007/s10586-024-04899-1