Create a standard structure for Threats and Controls

[ColinEberhardt]

We need to decide on a standard structure for how we document Threats and Controls, i.e. what information we include in each case, and what metadata to include. Currently we have:

• Threat
  • Identifier - sequential, numeric, prefixed
  • type - a threat classification using the CIA triad
  • title - brief, few words
  • narrative - a free-form text narrative, containing a Severity section
• Control
  • identifier - sequential, numeric, prefixed
  • type - Preventative or Detective
  • mitigates - the list of threats a give control mitigates
  • title - brief, few words
  • narrative - a free-form text narrative, containing a Potential Tools and Approaches section

[ColinEberhardt]

Personally I think the current metadata is sufficient. However, I don't think the classification of Threat / Control is entirely compatible with what we are capturing. I'd prefer Risk / Mitigation as I feel this is a better fit.

[Neetuj]

I agree that instead of Threats is makes more sense to be called as Risks ( Product /consumer of the Threatmodel can decide how to act on the risk and accept, mitigate or pivot).
Severity could be broken down in Likelihood + impact