"The recent Heartbleed vulnerability demonstrates the main message of the report," according to report author Jason Healey, director of the Atlantic Council's Cyber Statecraft Initiative. "The Internet is so complex and tightly coupled to the real world, it turns out we were all gravely exposed to a cyber risk in an obscure technology that few understand and we didn't see coming. This time it was just passwords, but what happens once the internet is connected to the electrical grid or driverless cars?"

The report details system-wide and local-risk recommendations based on an analysis of the impact of possible shocks. But cyber risks are not self-contained within individual enterprises, so to understand the risks, managers must expand their horizons, and recognize the "cyberization" of risks, as organizations are unknowingly exposed to risks outside their own organizations, having outsourced, interconnected or otherwise exposed themselves to a complex, unknowable "network of networks."

Addressing this issue, the report identifies seven aggregations of risk that arise from the interconnectedness of different elements of technology in business. Click through the following slides to learn more about the 7 Aggregations of Cyber Risk.

1.     Internal IT enterprise

Description: Risk associated with the cumulative set of an organization's (mostly internal) IT
Examples: Hardware; software; servers; and related people and processes

This may seem like the most obvious risk, but a Harvard Business Review Survey found that 20% of companies believe they have an inadequate security budget.

2.     Counterparties and partners

Description: Risk from dependence on, or direct interconnection (usually non-contractual) with an outside organization
Examples: University research partnerships; relationship between competing/cooperating banks; corporate joint ventures; industry associations

This risk is specific to an individual organization, arising from dependence on or interconnection with an outside organization. The main cyber threat in this instance would be if one of the counterparties suffers a disruption that affects the others, regardless of internal security controls.

3.     Outsourced and Contract

Description: Risk usually from a contractual relationship with external suppliers of services, HR, legal or IT and cloud provider Examples: IT and cloud providers; HR, legal, accounting, and consultancy; contract manufacturing

It is common for organizations to have contractual relationships with third-parities to handle certain business functions. However, behind words such as "cloud storage" or "software-as-service" lies a complex set of systems that could pose risk.

If the outsourcing provider has lax security controls or inadequate business community procedures, businesses that outsource, who may have thought that they have transferred their cyber risk responsibilities, could fall victim to a breach. The Target data breach in 2013 is a prime example, which was due, in part, because network credentials were stolen from a refrigeration, heating and air conditioning subcontractor.

4.     Supply Chain

Description: Both risks to supply chains for the IT sector and cyber risks to traditional supply chains and logistics
Examples: Exposure to a single country; counterfeit or tampered products; risks of disrupted supply chain

5. Disruptive technologies:

Description: Risks from unseen effects of or disruptions either to or from new technologies, either those already existing but poorly understood, or those due soon
Examples: Internet of things; smart grid; embedded medical devices; driverless cars; the largely automatic digital economy

Disruptive technologies include the range of innovations that increase dependence. Though hyperconnectivity has its benefits, it also means that internet shocks could ripple through the system in countless ways, simply because the universe of unknown and unknowable dependencies. As systems get more complex and interdependent, coupled with fewer workarounds, the shocks could have an impact on the "normal" internet, the study claims.

6. Upstream infrastructure:

Description: Risks from disruptions to infrastructure relied on by economies and societies, especially electricity, financial systems, and telecommunications
Examples: Internet infrastructure like internet exchange points and submarine cables; some key companies and protocols used to run the internet (BGP and Domain Name System); internet governance

Upstream infrastructure failures are to be expected to cascade into cyber failures, the report indicates, as this happens anytime a desktop computer dies when the power goes out. At the same time, though, there are several important factors to consider. Not all upstream infrastructures are the same, and disruptions to finance, electricity and IT would have greater impacts as these different sectors become increasingly linked in the modern world of business operation, including the internet.

Disruptions to finance, electricity or telecommunications could cause possible failures in cyberspace, which are likely to magnify and reflect failures back into other infrastructures.

With the depth and interconnectedness of the infrastructures, these feedback loops can be difficult to identify. They can also be more difficult to isolate and mitigate.

7. External Shocks

Description: Risks from incidents outside the system, outside of the control of most organizations and likely to cascade
Examples: Major international conflicts; malware pandemic

The report indicates that external shocks are the most upstream of all cyber risk connections, affecting not only a single company or sector, but all of cyberspace, and have the potential to cascade to non-cyber systems. External shocks are also most outside the control of a single company or government agency, which often means that they are the most overlooked. They include cyber conflicts, large-scale disruptive attacks and failures or malware pandemics.