The 20 critical security controls developed by the Center for Internet Security are constructed using information learned from which source?

The 20 Critical Security Controls developed by the Center for Internet Security are primarily constructed based on information gathered from known attacks. This approach focuses on real-world experiences and documented security incidents to identify and prioritize the most effective defensive measures organizations can implement to mitigate risks. By analyzing past breaches and security failures, the controls are informed by concrete data that reflects the tactics, techniques, and procedures employed by attackers, leading to the formulation of practical and actionable guidelines designed to improve an organization’s overall security posture.

Using known attacks as the basis for these controls ensures that the recommendations are relevant and grounded in actual security challenges faced by organizations, as well as highlighting the areas where organizations are most vulnerable. This alignment with real threats provides a stronger foundation for security practices compared to relying solely on commercial products, theoretical models, or outdated frameworks.