Dictionary defines: threat – someone or something that could cause trouble, harm, etc.
- Note that the definition has a subject and an object
FAIR defines: threat – Anything that is capable of acting in a manner resulting in harm to an asset and/or organization
- Slightly more specific than the dictionary.
ISACA defines: threat – Anything (e.g., object, substance, human) that is capable of acting against an asset in a manner that can result in harm.
- Slightly more specific than FAIR.
ESA defines: threat – the potential for a “threat source” to exploit (intentionally) or trigger (accidentally) a specific vulnerability.
- Complicated by the use of “threat source” and the specialized term “vulnerability”. Lacks an object.
O-TTPS defines: Threat – The intention and capability of an adversary to undertake actions that would be detrimental through disruption of processes or subversion of knowledge.
- Complicated by thoroughly describing the nature of a threat.
CIS defines: threat – A potential or foreseeable event that could compromise the security of information assets.
- Complicated by the suggestion that threats should be foreseeable and by an extraneous description of harm.
CNSS defines: threat – Any circumstance or event with the potential to adversely impact an IS through unauthorized access, destruction, disclosure, modification of data, and/or denial of service.
- Complicated definition.
ISO/IEC 27000 defines: threat – potential cause of an unwanted incident, which can result in harm to a system or organization
- Complicated by the ambiguous word “incident”.
NIST 800-53 defines: threat – Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.
- Overly specific for a definition.
OWASP contains a category: threat – A threat that plagues a product. While known threats are identified based on signatures, files copied onto the hard drive upon installation, registry keys, protocol analysis and others.
- Circular and uses specialized terms and concepts.
PCI DSS defines: threat – Condition or activity that has the potential to cause information or information processing resources to be intentionally or accidentally lost, modified, exposed, made inaccessible, or otherwise affected to the detriment of the organization
- Overly specific for a definition.
STIX defines: threat actors – actual individuals, groups, or organizations believed to be operating with malicious intent.
- Identifies a who but no what.
SDL defines: threat – an attacker’s objective
- Identifies a what but no who.