What can threat modeling teach us about threat modeling? 🤪

  • 6 December 2022
  • 2 replies

Userlevel 1

The 4-question philosophy is of course a useful and proven tool for guiding the threat model, but perhaps those 4 questions can also be useful for guiding a successful threat modeling program.


Having spoken to so many different practitioners of threat modeling, it’s clear that there are variances in schools of thought, processes that work for one organization versus another, motivations, and challenges that different teams/orgs encounter.


I’d love to hear from the community your wisdom surrounding:

  • What were you trying to build (who owned the activity, etc.)?

  • What can go wrong (analysis paralysis, etc.)?

  • What did you do about it?

  • Finally…how did you evaluate if you did a good job?


Threat modeling is all about collaboration, so I’m curious what the community can share based on their experience 🦾


Userlevel 2

Hi @Jacob_Teale,

Interesting proposition. Keen to hear your ideas around this area of program evaluation using the 4 question framework concept.

I am yet to find a one size fits all solution for the program and practice part of threat modelling. For me, in my work context at least, practice and program don’t always work effectively by the same frameworks. I am happy to be persuaded otherwise.

Keen to hear what the rest of the community thinks as well. Keep an eye out for what the community is cooking up on the maturity model, and you may be able to see if you can reverse-map it to the 4 question framework and see how and where it deviates.

Userlevel 3

I’ve never considered something too useful in a negative way, though I am interested in how the four questions can be “too useful.” I truly believe the best activity for teams to adopt is the traditional 4-question process, as it is very easy to adopt, has benefits that expand past security, and allows teams a lightweight way to implement “security.”

I’m going to frame my answer around other approaches or references I think are useful for a threat modeling enterprise-wide approach:

  • MITRE (D3FEND, ATT&CK, etc.)

By understanding what we know about those attacking your company, industry, etc., there could be a threat modeling approach where we understand what to expect and where the company can spend resources to protect itself. Of course, past performance is no guarantee of the future.

  • Known Threats and Risks from Internal Partner Teams

There is a lot of compliance, risk, privacy, etc. knowledge throughout an organization; sometimes this isn’t organized very well. A checklist-type approach can be brought in to understand the relevant issues (or conversely a dictionary of risks vs. an application, process, etc.) so that teams can review the highest level risks and ensure they are compliant. This of course should be baked into policies/standards/procedures as well.

I don’t really like this approach, but there is a lot of power in having a dictionary of known threats/risks to be used as a reference.

  • Automated tools

There is a lot of threat data to be gained from scanning/reviewing configurations, especially in less technically mature organizations. If we can be aware of certain issues that arise and are actually encoded, we should be able to work with certain teams to remediate issues with a wide brush.