Security is one of the biggest challenges facing organisations in the modern hyper-connected world. A number of theoretical security models are available that provide best practice security guidelines and are widely utilised as a basis to identify and operationalise security requirements. Such models often capture high-level security concepts (e.g., whitelisting, secure configurations, wireless access control, data recovery, etc.), strategies for operationalising such concepts through specific security controls, and relationships between the various concepts and controls. The threat landscape, however, evolves, leading to new tacit knowledge that is embedded in or across a variety of security incidents. These unknown knowns alter, or at least demand reconsideration of, the theoretical security models underpinning security requirements. In this paper, we present an approach to discover such unknown knowns through multi-incident analysis. The approach is based on a novel combination of grounded theory and incident fault trees. We demonstrate the effectiveness of the approach through its application to identify revisions to a theoretical security model widely used in industry.