
Mechanism-Centered Risk Taxonomy

Updated 27 November 2025
  • Mechanism-centered risk taxonomy is a formal system that categorizes risks by mapping causal mechanisms, linking objects (assets, vulnerabilities) and morphisms (relations, paths) to demonstrate risk propagation.
  • It applies structured frameworks such as ICAR in cybersecurity and hierarchical taxonomies in autonomous systems to enable targeted scenario generation and quantitative risk scoring.
  • The approach integrates mechanistic clarity with compositional analysis, facilitating dynamic risk quantification and improved risk mitigation strategies across various domains.

A mechanism-centered risk taxonomy is a formal classification system that organizes risks according to the underlying causal or operational mechanisms by which hazards, vulnerabilities, or adversarial elements lead to negative outcomes. Unlike merely enumerative taxonomies or checklists, mechanism-centered approaches emphasize the identification, linkage, and structural relationships of the system elements and threat actions that propagate risk. This methodology is applied across domains such as cybersecurity—where risks propagate through hardware/software weaknesses, exploits, and adversary tactics—and autonomous systems, where adversarial elements interact with both the internal (ego) and external (environmental) subsystems to precipitate failure or harm. Canonical frameworks such as the ICAR category in cybersecurity and hierarchical adversarial taxonomies for autonomous vehicles exemplify this paradigm (Valence, 2023; Saffary et al., 29 Feb 2024).

1. Formal Definition and Ontological Structure

A mechanism-centered risk taxonomy formally encodes the types of system elements (“objects”) and the relations or process steps (“morphisms”) through which risk is realized. In ICAR, the foundational category for information security, objects include CPE (assets), CVE (vulnerabilities), CVSS (severity quantifiers), CWE (weakness classes), CAPEC (attack patterns), Technique, and Tactic. Morphisms are semantically typed arrows, such as Has₁ (asset has vulnerability), Has₃ (vulnerability arises from weakness), and accomplishesTactic (attack technique serves an adversary goal), with identities and composition laws enforcing the interconnection and propagation of risk information (Valence, 2023).

In autonomous vehicles, a hierarchical taxonomy segregates internal (ego) mechanisms (e.g., vehicle mechanics, software threats) and exogenous environmental mechanisms (e.g., ambient lighting, infrastructure anomalies, traffic agents), with recursively nested subcategories and codified decision rules. This explicit mapping from physical/process mechanisms to risk classes supports both forensic analysis and scenario synthesis (Saffary et al., 29 Feb 2024).

2. Hierarchical Levels and Mechanism Types

Mechanism-centered taxonomies organize risk elements across multiple abstraction layers, corresponding either to a cyber-physical process chain or to system-environment boundaries:

  • Asset Impact Mechanisms: Encompass the identification of assets and their direct vulnerabilities and severity metrics (ICAR: CPE→CVE, CVE→CVSS).
  • Weakness & Exploitation Mechanisms: Capture root-causes (CVE→CWE), propagation via bug-patterns or attack patterns (CWE→CAPEC→Technique).
  • Adversary Strategic Mechanisms: Abstract goals and tactics (Technique→Tactic), dynamic traversals (sieves/cosieves), and surface metrics such as attack or threat surface (Valence, 2023).

For autonomous vehicles, the structure splits cleanly into ego (internal state, e.g., A.1–A.4) and exogenous (environmental and infrastructural, e.g., B.1–B.2.2) categories, down to discrete mechanisms (e.g., B.2.1.1 pothole, B.1.2 rain). Robust classification rules, often involving quantitative thresholds directly tied to sensor outputs or behavioral logs, are integral for mechanistic assignments (Saffary et al., 29 Feb 2024).

3. Morphisms, Relations, and Path-Equivalence

A signature feature is the encoding of risk propagation as morphisms, supporting compositional analysis and enabling formal path queries. In ICAR, morphisms such as Has₄ (CWE→CAPEC) and accomplishesTactic (Technique→Tactic) represent not just relational links but causal routes by which weaknesses are exploited and system objectives threatened. Path-equality constraints and compositionality (e.g., isChildOf∘isParentOf = id) implement semantic facts, allowing the taxonomy to enforce correct risk flow closure and resolve ambiguities in relational chains (Valence, 2023).

Compositional mechanisms enable queries such as: “Which techniques can exploit a vulnerability of asset X?”—traversing asset→vulnerability→attack pattern→technique. In the vehicle domain, hierarchical decision rules and formulas (e.g., sensor_integrity < 0.8 ⇒ Vehicle Mechanics) formalize event classification under mechanistic logic (Saffary et al., 29 Feb 2024).
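The query above can be run as a typed path traversal. This is an added example, not code from the ICAR paper: morphisms are simplified to many-to-many relations, the path routes through CWE as in the object list of section 1, the CAPEC→Technique arrow name `usedBy` is hypothetical, and all identifiers are constructed placeholders.

```python
# Morphism name -> (domain object, codomain object, set of (source, target) pairs).
# Has1, Has3, Has4 and accomplishesTactic are named in the text; "usedBy" is a
# hypothetical name. Every identifier below is a constructed placeholder.
MORPHISMS = {
    "Has1": ("CPE", "CVE", {("cpe:web", "CVE-X-1"), ("cpe:web", "CVE-X-2"),
                            ("cpe:db", "CVE-X-3")}),
    "Has3": ("CVE", "CWE", {("CVE-X-1", "CWE-X-A"), ("CVE-X-2", "CWE-X-B"),
                            ("CVE-X-3", "CWE-X-B")}),
    "Has4": ("CWE", "CAPEC", {("CWE-X-A", "CAPEC-X-1"), ("CWE-X-B", "CAPEC-X-2")}),
    "usedBy": ("CAPEC", "Technique", {("CAPEC-X-1", "T-X-1"), ("CAPEC-X-2", "T-X-2"),
                                      ("CAPEC-X-2", "T-X-3")}),
    "accomplishesTactic": ("Technique", "Tactic", {("T-X-1", "TA-X-access"),
                                                   ("T-X-2", "TA-X-exfil"),
                                                   ("T-X-3", "TA-X-exfil")}),
}
ASSET_TO_TECHNIQUE = ["Has1", "Has3", "Has4", "usedBy"]
ASSET_TO_TACTIC = ASSET_TO_TECHNIQUE + ["accomplishesTactic"]

def check_composable(path):
    """Return (domain, codomain) of the composite; raise if the types do not chain."""
    dom, cod, _ = MORPHISMS[path[0]]
    for name in path[1:]:
        nxt_dom, nxt_cod, _ = MORPHISMS[name]
        if nxt_dom != cod:
            raise TypeError(f"{name}: expected domain {cod}, got {nxt_dom}")
        cod = nxt_cod
    return dom, cod

def follow(path, start):
    """Everything reachable from `start` along the composite of `path`."""
    check_composable(path)
    frontier = {start}
    for name in path:
        frontier = {t for s, t in MORPHISMS[name][2] if s in frontier}
    return frontier

def preimage(path, target):
    """Reverse traversal: domain elements whose risk path ends at `target`."""
    check_composable(path)
    frontier = {target}
    for name in reversed(path):
        frontier = {s for s, t in MORPHISMS[name][2] if t in frontier}
    return frontier

if __name__ == "__main__":
    print(sorted(follow(ASSET_TO_TECHNIQUE, "cpe:web")))      # techniques for one asset
    print(sorted(preimage(ASSET_TO_TACTIC, "TA-X-exfil")))    # assets exposed to a tactic
```

The type check is what rejects an ill-formed chain such as Has1 followed directly by Has4, so a query cannot silently skip the weakness layer.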

4. Risk Quantification and Analytical Workflows

Mechanism-centered taxonomies support risk quantification by assigning each mechanism M a composite risk score

$$R(M) = P(M) \cdot S(M)$$

where $P(M)$ is the probability of occurrence within the operational design domain (ODD) and $S(M)$ is a severity index normalized to worst-case harm. Probabilities may be estimated from empirical event frequencies; severity from induced harm metrics such as injury/fatality rates (Saffary et al., 29 Feb 2024). In cyber-physical settings, attack/threat surface metrics, derived via categorical pullbacks and aggregations, serve as aggregated risk estimators (Valence, 2023).

Typical risk assessment workflows include:

  • Classification: Map events or scenarios to mechanistic codes via crisp decision rules.
  • Scoring: Compute $R(M)$ for each active risk mechanism.
  • Prioritization: Focus mitigation or training on mechanisms with the highest cumulative $R(M)$.
  • Iteration: Refine $P(M)$ and $S(M)$ as new data accrue, regenerating coverage for under-observed risk mechanisms (Saffary et al., 29 Feb 2024).
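The four workflow steps, as an added example that is not taken from the cited papers. The `sensor_integrity < 0.8` rule and the mechanism labels come from the text above; the event fields `pothole` and `rain`, the rule ordering, the severity values, and both event batches are constructed assumptions.

```python
from collections import Counter

# Constructed S(M) values, normalized to [0, 1] against worst-case harm.
SEVERITY = {"Vehicle Mechanics": 0.9, "B.2.1.1 pothole": 0.4, "B.1.2 rain": 0.2}

def ev(sensor_integrity, pothole=False, rain=False):
    """Build one constructed event record."""
    return {"sensor_integrity": sensor_integrity, "pothole": pothole, "rain": rain}

# Constructed observation batches (10 events each).
BATCH_1 = ([ev(0.7)] + [ev(0.95, pothole=True)] * 3
           + [ev(0.9, rain=True)] * 4 + [ev(0.99)] * 2)
BATCH_2 = ([ev(0.6, rain=True)] * 3 + [ev(0.9, pothole=True)]
           + [ev(0.9, rain=True)] * 2 + [ev(0.99)] * 4)

def classify(event):
    """Classification: crisp decision rules, first match wins; None means no mechanism."""
    if event["sensor_integrity"] < 0.8:      # rule quoted in the text
        return "Vehicle Mechanics"
    if event["pothole"]:                     # assumed boolean detector output
        return "B.2.1.1 pothole"
    if event["rain"]:                        # assumed boolean detector output
        return "B.1.2 rain"
    return None

def score(events):
    """Scoring: R(M) = P(M) * S(M), with P(M) the observed event frequency."""
    counts = Counter(m for m in map(classify, events) if m is not None)
    return {m: (counts[m] / len(events)) * s for m, s in SEVERITY.items()}

def prioritize(scores):
    """Prioritization: mechanism labels ordered by descending R(M)."""
    return sorted(scores, key=lambda m: scores[m], reverse=True)

if __name__ == "__main__":
    first = score(BATCH_1)
    print(prioritize(first), first)
    # Iteration: re-estimate P(M) once the second batch has accrued.
    refined = score(BATCH_1 + BATCH_2)
    print(prioritize(refined), refined)
```

With the first batch alone the pothole mechanism ranks highest; after the second batch the rarer but more severe Vehicle Mechanics class overtakes it, which is the re-ranking the iteration step is meant to surface.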

5. Mechanism-Based Query Systems and Applications

A key operational advantage is the capacity for mechanism-centered taxonomies to drive structured queries and scenario generation. In the ICAR framework, canonical queries (Q1–Q10) encompass instantiation, enumeration, filtering, aggregation, and mapping along the risk mechanism graph—for example, listing all vulnerable assets, filtering vulnerabilities by severity, or measuring attack and threat surfaces via domain-theoretic constructs such as pullbacks and (co)sieves (Valence, 2023).

For autonomous systems, scenario generators sample from the space of high-risk mechanisms (weighted by $R(M)$), stochastically parameterizing situations to produce edge and corner-case events for validation or model improvement. This targeting ensures that rare, high-impact mechanisms are not overlooked in simulation or training cycles (Saffary et al., 29 Feb 2024).

6. Generalization and Extensibility Across Domains

The mechanism-centric paradigm generalizes beyond its originating domains. In cybersecurity, the categorical structure is sufficiently expressive to accommodate extensions for emerging cyber-physical threats by the addition of new objects and morphisms. In autonomous systems, the root structure supports easy integration of novel risk dimensions (e.g., quantum sensor failures, AI model drift) as new “leaves” in the hierarchy. For other autonomous platforms (drones, marine vessels), internal/external mechanism splits persist with domain-specific refinements (e.g., energy state, weather), preserving analytical and generative advantages (Saffary et al., 29 Feb 2024).

A plausible implication is that adoption of rich, mechanism-centered taxonomies may substantially improve systematic risk coverage, facilitate targeted scenario engineering, and enable dynamic updates as threat landscapes evolve. The emphasis on mechanistic clarity, compositional structure, and quantitative scoring distinguishes mechanism-centered taxonomies from enumerative lists, creating a principled foundation for risk-informed analysis, mitigation, and assurance.
