The purpose of this study is to explore students’ perceived information security and privacy (IS&P) threats and to classify them in a way that helps in analyzing the problem, creating awareness measures and further improving students’ IS&P education. Using a qualitative research approach, a group of forty two Master’s degree IT students identified seventy five IS&P threats related to them. The identified threats were classified into fourteen categories. Further, using the affinity diagraming technique, the categories were grouped into four domains - Personnel, Devices, Intranet and Internet. In this way, we present a taxonomy of students’ perceived IS&P threats as well as a model that highlights the domains where students consider themselves prone to IS&P threats. The proposed taxonomy and the domain model can be used as a benchmark for designing information security awareness assessment instruments and preparing information security awareness programs. The taxonomy can also be used for highlighting areas where students lack information security related knowledge.