Papers we love - TM selection

  • 11 October 2022

Userlevel 3

Hi all, 

a while ago I stumbled upon this Stack Overflow blog post on the importance of reading into cutting-edge research in computer science:
https://stackoverflow.blog/2022/04/07/you-should-be-reading-academic-computer-science-papers/

I believe the above blog post motivates the importance of reading past tutorials if you want to become good at your field. You should also check out https://paperswelove.org/ by the way.

On the other hand, I have missed from this list papers that would be relevant for threat modelling one way or the other. So I just wanted to kick off this thread to collect papers that we love / would love to recommend on threat modeling or on some related area like risk mgmt.
Papers which might add a bit more than anecdotal commentary on what seemed to work for the one or the other colleague. Too often I have found that once someone starts to describe “what worked for them” it soon turns into a justification of their current state of practice – for better or worse – and mostly lacks any tangible support on why one should repeat the approach.

Nevertheless, I came across a couple of papers that definitely contributed to my view on threats, risk, information security etc. so let’s begin:

Ross Anderson's paper "Why Information Security is Hard – An Economic Perspective" (https://www.acsac.org/2001/papers/110.pdf) is an excellent summary on why a non-systematic approach of fending off adversaries would be futile... and I happen to think that the practice of threat modeling is in many cases a good systematic approach :-)

Two great papers from Louis Anthony Tony Cox, "What's wrong with hazard ranking system? An Expository Note" and "Clarifying Types of Uncertainty: When Are Models Accurate, and Uncertainties Small?", shaped my thinking about risk (ranking, measurement and relevance) fundamentally. I'm mentioning these as I tend to see TM as the risk management tool of the IT/software practitioner and a practice that should be a foundational part of any modern IT risk management process implementation. These papers hopefully help you think about the otherwise abstract ideas of risk, probability (likelihood) etc. and thus give you some ideas on what to keep an eye out for when thinking about risk in a TM context ... or TM in the context of a risk management process. Unfortunately I do not have any direct link to the Cox papers, but I have reached out to the author on this.

The earliest paper that I can identify as an important contribution to TM practice was Bruce Schneier et al.'s "Toward A Secure System Engineering Methodology" (https://www.schneier.com/wp-content/uploads/2016/02/paper-secure-methodology.pdf).

I hope you find these insightful and I am looking forward to extending the list with any suggestions :-)

Cheers, D


4 replies

Userlevel 2

If we really want to think about cutting edge, this message is going to seem like it has nothing to do with threat modeling :)

For me the books How to Measure Anything and How to Measure Anything in Cybersecurity Risk by Douglas Hubbard were very illuminating in the traditional cybersecurity/risk sense.

But the thing that has had the biggest impact on my perspective on threat modeling is further afield. Mind you, it has challenged how I think about everything from product management to threat modeling, and technology in general.

It all started with the Cynefin framework*, which taught me the importance of context and how not everything can be reduced to a set of fundamental elements. I had read books on chaos theory etc. before, but this framework really helps bring it all together. That’s led me to spending the past 4 or 5 years or so digging into various topics from post-modern philosophy to software architecture. Here are some of the highlights:

  • Truth: Philosophy in Transit by John D. Caputo - This has really helped to free me from the invisible Cartesian shackles that had shaped my view of the world for the past 30 years.
  • The Strength of Loose Concepts -- Boundary Concepts, Federative Experimental Strategies and Disciplinary Growth: The Case of Immunology - a very interesting read on the importance of the flexibility of language
  • https://www.3ammagazine.com/3am/introduction-fractal-ontology/ - a thought-provoking post on fractal ontologies
  • Difference and Repetition by Gilles Deleuze - challenges a lot of assumptions I made about the relationships between things; I’m still working through this book, however

Tying all of this back to threat modeling is a (probably very long) post in itself.

* https://thecynefin.co/about-us/about-cynefin-framework/

Userlevel 1

Hi, my reference for TM is the book “Threat Modeling: Designing for Security” by @adamshostack 

Userlevel 3

Heyho,

thanks for all the replies and suggestions! I am a bit busy with personal stuff, so I can only chip in sporadically.

@zeroxten How to Measure Anything in Cybersecurity Risk by Douglas Hubbard is indeed great. It inspired me to experiment with quantitative models derived from info available in TMs. I am using a slightly tweaked version of the OpenThreatModel to trigger my flow. The early results look really promising 😎

@dfernandez “Threat Modeling: Designing for Security” - definitive classic. @adamshostack, I heard you are working on a new book? When can we add it to the list? 😉

Userlevel 3

My new book (https://threatsbook.com) should be available on Feb 7.

Also, while I’m promoting my own work, my https://shostack.org/files/papers/modsec08/Shostack-ModSec08-Experiences-Threat-Modeling-At-Microsoft.pdf (Modsec, 2008) is academic. I even wrote it in LaTeX. :)

On the book side, while it’s not about security, Dekker and Conklin’s “Do Safety Differently” very much applies. I think we can just substitute “security” for “safety” each time it appears and the book reads well.
