Cyber warfare is a reality taking on increasing importance. Governments, state-sponsored actors, and non-state sponsored actors have used cyber-attacks as the “weapon of choice” due to their specific characteristics. Cyber-attacks can be highly targeted and focused, even tailored to a specific unit or system, providing limited to no physical destruction (unlike a cruise missile) and potentially resulting in no loss of life. There are several incident response frameworks and approaches that an organization can implement to enhance its security posture. Usually, these will address specific adverse events such as computer security incidents, which in turn are limited in scope and coverage, typically within an organization. Nations have made limited effort in confronting severe cyber-attacks targeting and/or threatening them, as well as in preventing these attacks from being launched. In this work, we identify and discuss a decision-taking framework that may allow state actors to adopt new options against severe cyber-attacks, not always complying with international norms. Such options are neither encouraged nor supported. On the contrary, we discuss them so that the international community is made aware of such potential frameworks. More specifically, by defining clear thresholds, roles, and responsibilities, by introducing a structured chain of command, and by identifying the potential of certain actions, policy makers can recognize an extended decision space that may lead to unpredictable deterrence options against cyber-attacks.