Tarala and Tarala, 2014

Open Threat Taxonomy - Version 1.1






Tarala, J., Tarala, K.K.




What follows is Version 1.1 of the Open Threat Taxonomy. It is the result of numerous conversations between information security professionals over dinners, in the hallways of security conferences, and over countless email exchanges. It is the first official and formal release of a catalog of threats that organizations can use as an input to their risk assessment and control selection processes.

Scott Adams, of Dilbert fame, warns – never be the creator, always be the criticizer. Creators open themselves up to attack and criticism. It is better, he says, to show your moral and intellectual superiority through criticizing someone else’s work than to create something yourself. With this project, we are violating that principle by organizing those conversations, cocktail napkin diagrams, and email exchanges into a repository for the community.

This effort is a work in progress. We hope that Version 1.1 will soon be replaced with another, better version, and this update and improvement cycle will continue. The community needs to start somewhere, and we hope that this version is a start in the right direction.

If you have suggestions or want to help, please let us know. This will continue to be a community effort. Taxonomies are designed to evolve over time and we hope this document will for years to come.

(Tarala and Tarala, 2014, p. 3)



Tarala, J., Tarala, K.K., 2014. Open Threat Taxonomy - Version 1.1.



This wiki is owned by Open Measure, a non-profit association. The original content we publish is licensed under a Creative Commons Attribution 4.0 International License.