Threat modelling
Threat modelling is a technique used to understand how a capability might be attacked or otherwise fail, and to identify the measures or controls needed to manage those attacks and failures.
A threat event is an incident or attempted action that could negatively impact the capability. Potential threat events are identified as part of threat modelling.
Threat events should include what the threat is, what allows that threat to become reality, and what the result is. They should also be linked back to your risk appetite and unacceptable losses.
Threat modelling should involve as many stakeholders as is practical. It is important to identify threat events across all domains, not just “cyber”, to give a well-rounded picture of threats a capability may face.
Relevant threat modelling techniques you may wish to consider include:
- attack trees
- NIST SP 800-154 (Data-Centric threat modelling approach)
- STRIDE
- LINDDUN (for privacy analysis)
Capabilities should refer to guidance on the requirements for cyber security suitably qualified and experienced persons to make sure that they have the correct resources to complete threat modelling.
Benefits
Benefits of threat modelling include:
- informing the design and development phases of a capability
- guiding teams to understand what security controls are required
- understanding exactly how threats will manifest against a system/service
- informing a risk assessment
Outcomes
An understanding of how threats may materialise in the system, aligned against unacceptable losses or risk appetite.
- key information to understand your capability, which helps Secure by Design activities, like defining your risk appetite and risk assessments
- early understanding of security controls that you could use
Responsibility
Who is responsible for threat modelling:
- Senior Responsible Owner (SRO), or suitable equivalent
- delivery team lead
- project management office (PMO)
- delivery team
When to threat model
Capabilities should carry out a threat modelling exercise:
- at pre-concept or concept stage
- in response to capability design and threat changes