How do you determine the “success” of a threat model program? Is there any Key Performance Indicators you’re using?
It is not just the # of threat models created or # of threats reported, but the impact it makes. I’m curious how the community measures the impact of a threat model?