In your experience, where do security orgs typically go wrong when it comes to threat modeling?
Director of IT in IT Services, 8 months ago
Underestimating evolving threats undermines effective threat modeling.

CISO in Software, 8 months ago
I concur
VP of IT, 8 months ago
Threat model limited to the external perimeter and not including internal threats.

CISO in Software, 8 months ago
+1
Director of IT in Healthcare and Biotech, 8 months ago
Threat modeling is complicated, and if you don't understand how to perform it, the details of your actual threat actors, and the technical aspects of the attacks, you won't be able to complete your assessment. Companies really interested in threat modeling should ensure the team has the appropriate training and experience. Engaging with an external partner to build a team is a great way to ensure success.

Senior Information Security Manager in Software, 8 months ago
A lot of firms think they can do it themselves. This is a great book on the topic: Threat Modeling: Designing for Security by Adam Shostack.
https://amzn.to/3Hh1yRu
Too few firms take the time to have their people read it.
CISO in Software, 8 months ago
Adam's book is one of the best.
CISO/CPO & Adjunct Law Professor in Finance (non-banking), 8 months ago
Presuming past cyber issues will be the future threat, or otherwise restricting the scope of possibilities, is dangerous. Prediction of the future involves unknowns; therefore the brainstorming element of threat modeling should be as freewheeling as possible, with prohibitions against labeling input as "impossible" or a "silly idea". It is essential that the widest possible net be cast to prepare for the next step.

The next step is to determine which of the items from the brainstorming session are currently a realistic issue, which are conceivable given the upcoming infrastructure/business changes, and which don't seem to have any possible connection to the business. If all of the items from the brainstorming session are currently realistic issues, then the process was conducted improperly and it should be re-done correctly. Imagination wasn't employed.

Next, estimate the likelihood and severity of each issue. Prioritize the issues/risks. Determine the resources required to implement the risk mitigation strategies. Build out a plan to implement the mitigation strategies, taking into account the resources required, the resources available, and the priority of the issues/risks. If new issues/risks crop up at this point, the initial brainstorming should be augmented with the new risks and the subsequent phases should be re-done.