This is a collection of cybersecurity, risk management, and related models that I’ve collected and/or used over time.

You can find the source on GitHub at https://github.com/keithmccammon/cybersecurity-models. Please fork and submit a pull request if I missed anything!

Functional models

Cybersecurity Framework (CSF) by the National Institute of Standards and Technology (NIST), U.S. Department of Commerce

Cyber Defense Matrix by Sounil Yu

Intrusion and/or adversary analysis models

AI Risk Repository by MIT

ATLAS by the MITRE Corporation

ATT&CK by the MITRE Corporation

Cyber Kill Chain by Lockheed Martin

D3FEND by the MITRE Corporation

Diamond Model by the United States Department of Defense (DoD)

SaaS Attacks by Push Security

Maturity models

Consumer Authentication Strength Maturity Model (CASMM) by Daniel Miessler

CSIRT Maturity Framework by the European Union Agency for Cybersecurity (ENISA)

Cyber Threat Intelligence Capability Maturity Model (CTI-CMM) by the CTI-CMM team / working group

Cybersecurity Capability Maturity Model (C2M2) by the United States Department of Energy (DoE)

Cybersecurity Maturity Matrix by Keith McCammon

Cybersecurity Maturity Model Certification by the United States Department of Defense (DoD)

Detection Engineering Maturity Model by Kyle Bailey

Essential Eight Maturity Model by the Australian Signals Directorate (ASD)

Red Team Maturity Model (RTCMM) by Brent Harrell and Garet Stroup

Security Incident Management Maturity Model by the Open CSIRT Foundation

Zero Trust Maturity Model by the Cybersecurity & Infrastructure Security Agency (CISA)

Shared responsibility models

Artificial intelligence (AI) shared responsibility model by Microsoft

AI Security Shared Responsibility Model by Mike Privette

Shared responsibilities and shared fate on Google Cloud by Google

Shared responsibility in the cloud by Microsoft

Shared Responsibility Model by Amazon Web Services

Threat, risk, resilience and other management models

AI Risk Management Framework by the National Institute of Standards and Technology (NIST), U.S. Department of Commerce

CERT Resilience Management Model by Carnegie Mellon University

FAIR Risk Management by the FAIR Institute

OCTAVE by Carnegie Mellon University

Risk Management Framework by the National Institute of Standards and Technology (NIST), U.S. Department of Commerce

Threat Assessment and Remediation Analysis (TARA) by the MITRE Corporation
