Since 2008 we have had the privilege of working with organizations such as the SANS Institute and the Center for Internet Security on the Critical Security Controls project. This project began as an effort to parse information about threats to information systems and develop a prioritized defense model that the community could share as they attempt to defend their information systems. These controls are based on the knowledge of threats to information systems.

As we sought to formalize the data regarding these threats, we hoped to map it to existing cyber security threat models to help explain the effort. However, as we researched the available models, we found examples of threat models but no attempts to create a full catalog of threats to information systems. We found a number of organizations that published threat reports on the most critical threats of the day, but few groups attempting to document a full list of threats to information systems.

This project is our attempt to do just that.

The goal of this project is simple: to maintain a free, community-driven, open-source taxonomy of potential threats to information systems. Our hope is that this taxonomy will serve as a resource for organizations attempting to prioritize their defenses and choose the controls most appropriate for defending their information systems. We believe that the nature of a common internet and homogeneous systems leads to common threats to information systems. This taxonomy has been created to identify those threats in order to help organizations choose the defenses most appropriate for such systems.

Download the Open Threat Taxonomy