End User Survey

  • 6 January 2023
  • 6 replies
  • 68 views

Userlevel 2

If an organization were to conduct a survey about its Threat Modeling program, what are the top 5 things that the survey must aim to ask?

Say, the stakeholders for this survey would be the application architects & managers.


6 replies

Userlevel 5

Hi @preethisampath! Thank you for the question :) To help clarify, would you mind sharing a bit more context: what’s the intent of the survey? In other words, what would you like to find out from the survey? Also, where and how do you envision to leverage the survey results? Having the context will help other members share input that better addresses your needs 😊

Userlevel 3
Badge

For an existing program, I’d ask:

  • Does your team know when they need to perform threat modelling (TM)?
  • Is there a clear process for initiating and preparing a TM session? Asking for help? (I’m making a massive assumption here of a very mature program where it’s team-driven and they can ask a security engineer to attend on difficult cases).
  • How often did it happen in your team / application in your scope in the last x months?
  • Is there a clear process for translating TM findings into further investigation/prioritisation/work?
  • In the last x months, how many changes/additional controls/mitigations have you implemented as a result of TM?

Again, every question has tons of hidden assumptions on the maturity of your program and the team topologies.

Userlevel 4
Badge

It’s @irene221b’s last question that I find most useful: what actually got built as a result of a model?

The answer to that question highlights whether models are effective.

That metric can also be used to determine the effectiveness of those responsible for leading modelling (security architects, security champions, whoever). Most of the measures of security people doing secure design I find pretty meaningless, because project size and complexity vary, and dev teams vary in their capacity and skill to define needed security, all of which make things like Total Security Requirements or number of projects worked and the like meaningless.

But, effective security practitioners know how to get security items built! That single metric can only come about when:

  • models actually get built (whether formal or not)
  • dev and security work well together
  • dev agree that security matters, the “why” has been explained and accepted
  • prioritization is effective

Not exactly 1 number to ‘rule them all’, but certainly one very useful number.

Userlevel 2

Hi @Shuning, the idea is to take an end user survey to gauge the impact of Threat Modeling on applications. This will help to identify pain points and come up with ways to improve the program.

Userlevel 3
Badge

From what I have seen working with many organizations, there seems to be a lack of unified vision around threat modeling outputs, and then when there is, there hasn’t been much gap analysis provided to determine if or how we might actually create that output. In light of that, this would be my top five.

  1. Do we have a clear expectation of what our threat modeling output should be?
  2. Do you feel like you have the resources to consistently create this output?
  3. What are we doing well with regard to threat modeling?
  4. What is not working or won’t scale as we push to scale our threat modeling?
  5. What can be improved with regard to threat modeling?

Was there a specific topic you were hoping to explore with your survey?

Userlevel 1
Badge

Here’s what I ask as I get into a new TM. If I made a survey post-TM, I’d want to know those things happened. So here’s my top 5:

1) Did you have everything you needed to make a successful TM? If not, what were you missing?
2) Do you feel the TM improved the security of your product/design?
3) What is something you learned in the TM process?
4) What aspect of the TM took you the longest to complete? How could that time have been shortened?
5) On a scale of 1 to 10, how would you rate your TM?
