Skip to Main Content
The Internet is a dangerous place for any critical application and is particularly risky for binding government elections where every vote must count. The complex interplay of people, processes, equipment, software, policies, and legislation in a networked environment that spans national boundaries makes, for example, determining the precise likelihood of a threat nearly impossible. This does not mean, however, that the risk analyst cannot model, understand, and assess the risks to Internet voting systems. To that end, this paper presents a threat tree for risks to Internet voting systems. The Internet voting threat tree was successfully vetted by a panel of elections officials, security experts, academics, election law attorneys, representation from governmental agencies, voting equipment vendors, and voting equipment testing labs. We submit that this threat tree is sufficiently abstract to be useful in a wide range of risk assessment techniques.