Threat Catalogue Overview

In OSA, the threat catalog serves as a list of generic risks that need to be taken into account when rating the applicability of controls. Below is an early draft of v0.1 of the OSA threat catalog. It contains the top-level breakdown, but not yet the list of threats that will finally make up the threat catalog.

Comparison of existing work

We have started with a comparison of prominent existing threat catalogs. Click on the miniature picture below to receive a PDF describing the comparison.

Threat Classification Method

For the classification of top-level threats, we propose to categorize the threat space into subspaces according to a model of three orthogonal dimensions labeled Motivation, Localization and Agent. Figure 1 provides a visualization of the orthogonal threat dimensions.

Threat Agent
The threat agent is the actor that imposes the threat on a specific asset. For the specific classification of the threat agent, three classes are identified as follows:
  • Humans
  • Technological
  • Force Majeure
The first class is fairly obvious and refers to threats caused by humans, for example users, attackers, auditors, the community or governmental bodies. Technological threats are caused by physical and chemical processes on material; aging processes are one example. Threats by Force Majeure agents are primarily environmental, for example earthquakes, lightning, wind or water, but can also be due to animals and wildlife. While this threat agent provides a neat top-level threat, the top-level impact on technology most frequently creates a larger mesh of threats at lower levels. Examples are lightning strikes that cause trees to pull down power lines, which in turn cause power outages due to grid breakdowns.

Threat Motivation
The second dimension categorizes threats along a binary classification that focuses on the motivation of the threat, distinguishing between deliberate and accidental. We argue that this top-level distinction is sufficient to classify all threats along the motivation axis, answering the question of 'why' a threat is created. For example, combined with the agent dimension, a threat caused by a human threat agent is caused either by deliberate intention or accidentally by carelessness. For the technological class, only accidental threats are conceivable, since deliberate motivation is only possible for a human. The same applies to Force Majeure.

Please contribute your experience in the discussion forum.

The above classification was elaborated by the "security architecture" working group of ISSS. A full report can be found here.