Threat modeling and risk assessment is a structured approach that enables an organization to identify, quantify, and address the threats to a system based on the risk they pose to the business. It involves understanding the system from an attacker's perspective, which can significantly enhance the security measures chosen. The primary goal of threat modeling is to give the team a systematic analysis of which controls or defences need to be included, given the nature of the system, the data it must protect, and the potential threats to that data.
Threat modeling has traditionally been applied at the architecture level, looking at system components and the data flows between them to identify attack pathways. For application systems, additional consideration should be given to the requirements or user stories, so that abuse cases (how a feature could be misused by an attacker) can be identified early and addressed during design. This saves the organization the additional cost and disruption of discovering design flaws later, once the system is in production.
The threat modeling process is iterative and should be repeated as necessary throughout the lifecycle of a system to reflect changes in threats and in the environment. At a minimum, it should be applied early in the application life cycle, when high-level functionality and architecture are defined, and again iteratively at the requirement or user-story level to determine abuse cases and design accordingly. It is also recommended that threat modeling be repeated at the architecture level periodically (at least once a year).
Our threat modelling process guide is available here: