What is Threat Modeling?

Threat modeling is a systematic way to identify security and privacy threats to information systems and applications, and to decide how to protect against them. In short, the idea is to consider what could go wrong from a security and privacy perspective and what can be done about it. It is part of risk management: its goal is to understand how, and by whom, a system could be attacked or security problems unintentionally caused, and what the consequences could be, and through this to develop effective protection measures.

Threat Modeling Identifies Threats at an Early Stage

Threat modeling helps identify security and privacy threats at a very early stage in the design of software, information systems, or their new features, even before a single line of code has been written. Threat modeling saves time and costs compared to a situation where security issues would only be discovered during implementation or testing. Additionally, it helps prioritize security testing on the most critical features of information systems and software. At the same time, threat modeling complements security testing because security testing of maintenance operations and other processes is difficult; threat modeling helps identify security problems in operating procedures.

Threat Modeling is Suitable for Both In-House Development and Service Procurement

Threat modeling is part of several secure software development best practices and is included in, for example, Microsoft’s Secure Development Lifecycle (SDL), the OWASP Software Assurance Maturity Model (SAMM), and the Finnish Digital and Population Data Services Agency’s Handbook for Secure Application Development. In addition to software development, this method can also be applied to the procurement of software and cloud services. In this case, threat modeling helps clarify security responsibilities and understand what kind of protection measures the service provider implements and what protective measures need to be implemented internally.

Systematic Approach Through Facilitation and Threat Modeling Methods

Threat modeling should be conducted in a workshop format with participants including software developers, information system and application architects, testers, product owners, key users, and security experts. Multiple perspectives enable more comprehensive threat identification, insight into existing protection measures, and understanding of how the realization of threat scenarios would affect the business.
In addition to brainstorming, threat modeling typically uses various threat modeling methods that help identify threats systematically and comprehensively from different perspectives. Commonly used methods include STRIDE, which focuses on data breaches and architecture; LINDDUN, which specializes in privacy threats; and evil user stories, which focus on user actions. Human-caused threats can also be modeled using the HARMS model. Attack trees can be used to visualize the progression of an attack or other threat scenario.

Prioritized Protection Measures for the Backlog

Threat modeling doesn’t end with identifying threats; next, risks are assessed based on the likelihood of threat scenarios occurring and the severity of their consequences. Protection measures are selected and implemented based on the magnitude of risks and added to the development queue, the backlog.
When considering ways to protect against threats, it’s worth noting that not everything can or needs to be fixed with technology. Processes such as regular review of access rights, training, and exercises are often effective measures. It’s also not always possible to completely prevent threats from materializing; instead, identifying harmful situations, for example by detecting anomalous activity in logs, or correcting them after the fact, for example by restoring from backups, may be more cost-effective to implement.
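As an added illustration of the attack trees mentioned above and of the likelihood-times-severity prioritization described in this section (example code, not part of the original post), the snippet below evaluates a small attack tree and ranks candidate protection measures by how much risk each removes, which is the order they would enter the backlog. Every threat name, likelihood and severity is a constructed workshop estimate.

```python
# Added example, not from the original post: attack-tree likelihood plus
# risk = likelihood * severity, used to rank protection measures for the backlog.
import copy
from dataclasses import dataclass, field
from math import prod

@dataclass
class Node:
    name: str
    kind: str = "leaf"      # "leaf" | "or" (any child suffices) | "and" (all needed)
    p: float = 0.0          # leaf only: estimated likelihood in [0, 1]
    children: list = field(default_factory=list)

def likelihood(node):
    """AND multiplies (every step must succeed); OR: 1 - prod(1 - p_i)."""
    if node.kind == "leaf":
        return node.p
    ps = [likelihood(c) for c in node.children]
    return prod(ps) if node.kind == "and" else 1.0 - prod(1.0 - p for p in ps)

def apply_measure(root, leaf_name, residual_p):
    """Copy of the tree with one leaf's likelihood lowered by a preventive measure."""
    new_root = copy.deepcopy(root)
    stack = [new_root]
    while stack:
        n = stack.pop()
        if n.name == leaf_name:
            n.p = residual_p
        stack.extend(n.children)
    return new_root

def backlog(root, severity, measures):
    """Rank measures by risk reduction; detection/recovery measures (which
    lower severity rather than likelihood) are not modelled here."""
    base = likelihood(root) * severity
    scored = [(m, base - likelihood(apply_measure(root, leaf, p)) * severity)
              for m, (leaf, p) in measures.items()]
    return sorted(scored, key=lambda x: x[1], reverse=True)

# Constructed scenario: root is the harmful outcome, leaves are workshop estimates.
SCENARIO = Node("Customer records disclosed", "or", children=[
    Node("Stolen password reused", "and", children=[
        Node("Credentials phished", p=0.5),
        Node("No second factor on login", p=0.8)]),
    Node("Export lacks authz check", p=0.1)])
SEVERITY = 5  # constructed scale: 1 (minor) .. 5 (severe consequence)
MEASURES = {  # measure -> (leaf it addresses, estimated residual likelihood)
    "Enforce second factor on login": ("No second factor on login", 0.05),
    "Phishing awareness training and exercises": ("Credentials phished", 0.3),
    "Add authorization check to export endpoint": ("Export lacks authz check", 0.01)}
```

Calling `backlog(SCENARIO, SEVERITY, MEASURES)` returns the measures ordered by risk reduction, so the second-factor measure lands at the top of the backlog even though the authorization bug is the simplest fix.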

The Threat Model is Updated as Development Progresses

The threat model of software or a cloud service is not static. New features are developed, previous ones are modified, technology or architecture changes, the user base or business grows, or the threat environment changes, for example as attack methods evolve. Therefore, the threat model should be updated regularly. In change situations, it’s good to pause for a moment and consider whether the change could have security or privacy implications and hold a short threat workshop if necessary. The threat model should also be reviewed, for example, before releasing a new version and deploying to production to ensure that all protection measures have been implemented. Threat modeling is part of secure software development and information system procurement. Through threat modeling, attack methods can be anticipated, risks assessed, and effective protection measures planned already in the development phase.
