Available online at https://threat-modeling.net/threat-modeling-of-threat-modeling/

Created by Hendrik Ewerlin - https://hendrik.ewerlin.com/security - 2024-02-29

Motivation / About this document

This document threat models threat modeling. #meta

Threat modeling will more likely be a success if we tame the threats to the threat modeling process.

Why is threat modeling so important?

Threat modeling is crucial for building secure systems:

A system is secure, iff it is protected from danger.

So the obvious questions are: What danger / threats? What protection / mitigations?

These questions align nicely with Questions 2 and 3 from Shostack’s Four Question Framework: “What can go wrong? What are we going to do about it?” Answering these four questions is what a threat modeling process does.

This makes threats visible (Goal 1: Clarity) and tames them (Goal 2: Security).

What makes threat modeling a success?

The ultimate goal is to create a secure system. We create that system by threat modeling and implementing mitigations. This is a security activity performed by humans, and we can investigate its usability (see ISO 9241-11:2018).

  1. Effectiveness: We need the complete thing. We need threat modelers to finish the threat modeling and developers to finish mitigations. If the process gets stuck somewhere, or the mitigations are not implemented, we end up with nice conversations and plans, but zero improvement of the system.