Security Basics mailing list archives

RE: Threat Classification (IT centric)


From: Zhihao <zhihao () root sg>
Date: Sun, 15 Apr 2007 15:05:45 +0800

You could probably check out Waltz (1998) or Denning's classification. Google
for it and you should find it.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of offset
Sent: Wednesday, 11 April, 2007 10:30 PM
To: security-basics () securityfocus com
Subject: Threat Classification (IT centric)

Greetings,

I'm researching threat classifications as part of an overall risk management
program and I need to classify threats as part of the foundation.

Does anyone know of an overall threat classification map?  Or a list of
URLs/resources/papers that would discuss threat classification at a high
level (i.e. high-level classification such as authentication).  I envision
something that would encompass all layers of IT risk (i.e. items picked up
via network scans, wireless, wardialing, host).

The challenge is to take inputs from all types of vulnerability reports,
normalize into a type of threat classification, then apply rules (risk
calculations) to roll up to an enterprise risk management program.

I understand for Web Applications there is the WASC
(http://www.webappsec.org/projects/threat/), perhaps there are others for
web applications?

Do any other threat classification maps exist other than for Web
Applications?

Thanks in advance,
-- 
offset - ubersecurity org

