With threat modeling there needs to be a constant interaction between Risk Management, Regulatory Compliance and modeling the threats. Within Risk Management, and eventually percolated through to threat modeling, several methodologies (i.e. STRIDE, PASTA, CVSS, etc.) seemingly exist. How should a threat modeler choose one over the other? Is there a better way to club all these methodologies into one concise method of doing threat modeling?
When choosing a threat modeling methodology, it is important to consider the desired outcome. What are the goals of your organization? The quality, consistency, and scalability of various threat modeling methodologies will vary greatly in identifying potential threats. The most effective threat modeling will include comprehensive policies for identifying and prioritizing potential threats to a system and determining the value that potential mitigations would have in reducing or neutralizing those threats.