July 29, 2020 By Mike Elgan 2 min read

By taking a broader, more expansive view of threat modeling, organizations can consider the whole picture of their security strategy and improve efficiency. Threat modeling is a systematic approach to finding, prioritizing and fixing security threats, but it can be much more. It invites an exercise in systematic collaborative thinking, and as such its benefits go beyond tangible security fixes.

There are many great approaches to threat modeling, the taxonomy and descriptions of which are beyond the scope of this article. Simply put, the standard approach to threat modeling involves listing possible threats (along with possible threat actors, including employees), ranking them according to probability of exploitation and cost to the organization based on an understanding of the organization’s hackable assets and associating the highest-priority threats with the best actions that could protect against them.

 Potential Benefits of Threat Modeling  

1. It educates and informs all involved. Threat modeling done right brings together security teams, operations and developers to minimize vulnerability to cyber attacks. This is a learning exercise for everyone.

2. It helps with budgeting.The practice of threat modeling involves prioritizing threats and estimating their cost to the organization, as well as identifying the protections against those threats. That provides powerful data for the cost-benefit analysis in the budgeting process. 

3. It’s a communication process and results in further tools for communication. Through the ongoing collaboration needed among leaders on the problems and specifics of threat modeling, each leader learns from the others. They all gain experience in developing a set of documents for the communication of security practices for the whole organization. Threat modeling produces action plans. It also produces educational materials. 

4. It helps the whole business by encouraging a re-consideration of how the business operates. Threats and targets are always changing, and so threat management must also evolve. The output of a threat modeling system is a series of ‘living documents’ which need to be constantly updated and reassessed. This process also clarifies how the whole business operates, and can inform improvements over time. 

5. It’s a prioritization exercise for not only threat mitigation, but also app development. Threat modeling can be the glue that connects development, security and operations. The leaders of all DevSecOps silos are brought together to solve problems together. 

6. It guides new application development. Sometimes the best way to fix a massive vulnerability is to scrap an app and build a new one, this time with security baked in. 

7. It helps the organization choose products, services and platforms. Threat modeling gets everyone focused on security. This informs the selection of hardware, software, services and platforms. That’s one of the payoffs of the culture of security that can result from ongoing threat modeling. 

Three Ways to Take a Holistic Approach

In general, a holistic approach involves as many people in the organization as possible. Here’s how to do it: 

1. Take a more inclusive approach to threat modeling. Recruit not only technology leaders, but business and operational leaders into the process.

2. Set up a communication center. Ongoing communication of threat modeling information will help employees make better decisions about security. Those informed employees can also provide input into future threat modeling actions. 

3. Develop a clear set of primary objectives based on threat modeling priorities. Share these with service providers, consultants, partners, suppliers or anyone else who can contribute to the achievement of your security goals. 

It’s time to not only to embrace the practice of threat modeling, but also to take a holistic approach to the practice and reap the many benefits beyond specific security measures. It’s time to create a culture of security through threat modeling.

More from

Ransomware payouts hit all-time high, but that’s not the whole story

3 min read - Ransomware payments hit an all-time high of $1.1 billion in 2023, following a steep drop in total payouts in 2022. Some factors that may have contributed to the decline in 2022 were the Ukraine conflict, fewer victims paying ransoms and cyber group takedowns by legal authorities.In 2023, however, ransomware payouts came roaring back to set a new all-time record. During 2023, nefarious actors targeted high-profile institutions and critical infrastructure, including hospitals, schools and government agencies.Still, it’s not all roses for…

What should an AI ethics governance framework look like?

4 min read - While the race to achieve generative AI intensifies, the ethical debate surrounding the technology also continues to heat up. And the stakes keep getting higher.As per Gartner, “Organizations are responsible for ensuring that AI projects they develop, deploy or use do not have negative ethical consequences.” Meanwhile, 79% of executives say AI ethics is important to their enterprise-wide AI approach, but less than 25% have operationalized ethics governance principles.AI is also high on the list of United States government concerns.…

Hive0051 goes all in with a triple threat

13 min read - As of April 2024, IBM X-Force is tracking new waves of Russian state-sponsored Hive0051 (aka UAC-0010, Gamaredon) activity featuring new iterations of Gamma malware first observed in November 2023. These discoveries follow late October 2023 findings, detailing Hive0051's use of a novel multi-channel method of rapidly rotating C2 infrastructure (DNS Fluxing) to deliver new Gamma malware variants, facilitating more than a thousand infections in a single day. An examination of a sample of the lures associated with the ongoing activity reveals…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today