Threat Modeling: A Summary of Available Methods
August 2018 • White Paper
Nataliya Shevchenko, Timothy A. Chick, Paige O'Riordan, Tom Scanlon, Carol Woody, PhD
This paper discusses twelve threat modeling methods from a variety of sources that target different parts of the development process.
Software Engineering Institute
Threat modeling methods are used to create an abstraction of the system; profiles of potential attackers, including their goals and methods; and a catalog of potential threats that may arise. There are many threat modeling methods that have been developed. Not all of them are comprehensive; some focus on the abstraction and encourage granularity while others are more people-centric. Some methods focus specifically on risk or privacy concerns. Threat modeling methods can be combined to create a more robust and well-rounded view of potential threats.
Software systems are increasingly being integrated into physical infrastructures, such as smart cars. These hybrids are often referred to as cyber-physical systems; this term accounts for their multiple components. While innovative, cyber-physical systems are vulnerable to threats that manufacturers of traditional physical infrastructures may not consider. Performing threat modeling on cyber-physical systems with a variety of stakeholders can help catch threats across a wide spectrum of threat types.
To best use threat modeling, it should be performed early in the development cycle. This means that potential issues can be caught early and remedied, preventing a much costlier fix down the line. Thinking about security requirements with threat modeling can lead to proactive architectural decisions that allow for threats to be reduced from the start.
The twelve threat modeling methods discussed in this paper come from a variety of sources and target different parts of the process. No one threat modeling method is recommended over another; the decision of which method(s) to use should be based on the needs of the project and its specific concerns.