By taking a broader, more expansive view of threat modeling, organizations can consider the whole picture of their security strategy and improve efficiency. Threat modeling is a systematic approach to finding, prioritizing and fixing security threats, but it can be much more. It invites an exercise in systematic collaborative thinking, and as such its benefits go beyond tangible security fixes.

There are many great approaches to threat modeling, the taxonomy and descriptions of which are beyond the scope of this article. Simply put, the standard approach to threat modeling involves listing possible threats (along with possible threat actors, including employees), ranking them according to probability of exploitation and cost to the organization based on an understanding of the organization’s hackable assets and associating the highest-priority threats with the best actions that could protect against them.

 Potential Benefits of Threat Modeling  

1. It educates and informs all involved. Threat modeling done right brings together security teams, operations and developers to minimize vulnerability to cyber attacks. This is a learning exercise for everyone.

2. It helps with budgeting.The practice of threat modeling involves prioritizing threats and estimating their cost to the organization, as well as identifying the protections against those threats. That provides powerful data for the cost-benefit analysis in the budgeting process. 

3. It’s a communication process and results in further tools for communication. Through the ongoing collaboration needed among leaders on the problems and specifics of threat modeling, each leader learns from the others. They all gain experience in developing a set of documents for the communication of security practices for the whole organization. Threat modeling produces action plans. It also produces educational materials. 

4. It helps the whole business by encouraging a re-consideration of how the business operates. Threats and targets are always changing, and so threat management must also evolve. The output of a threat modeling system is a series of ‘living documents’ which need to be constantly updated and reassessed. This process also clarifies how the whole business operates, and can inform improvements over time. 

5. It’s a prioritization exercise for not only threat mitigation, but also app development. Threat modeling can be the glue that connects development, security and operations. The leaders of all DevSecOps silos are brought together to solve problems together. 

6. It guides new application development. Sometimes the best way to fix a massive vulnerability is to scrap an app and build a new one, this time with security baked in. 

7. It helps the organization choose products, services and platforms. Threat modeling gets everyone focused on security. This informs the selection of hardware, software, services and platforms. That’s one of the payoffs of the culture of security that can result from ongoing threat modeling. 

Three Ways to Take a Holistic Approach

In general, a holistic approach involves as many people in the organization as possible. Here’s how to do it: 

1. Take a more inclusive approach to threat modeling. Recruit not only technology leaders, but business and operational leaders into the process.

2. Set up a communication center. Ongoing communication of threat modeling information will help employees make better decisions about security. Those informed employees can also provide input into future threat modeling actions. 

3. Develop a clear set of primary objectives based on threat modeling priorities. Share these with service providers, consultants, partners, suppliers or anyone else who can contribute to the achievement of your security goals. 

It’s time to not only to embrace the practice of threat modeling, but also to take a holistic approach to the practice and reap the many benefits beyond specific security measures. It’s time to create a culture of security through threat modeling.

More from

How to Spot a Nefarious Cryptocurrency Platform

Do you ever wonder if your cryptocurrency platform cashes in ransomware payments? Maybe not, but it might be worth investigating. Bitcoin-associated ransomware continues to plague companies, government agencies and individuals with no signs of letting up. And if your platform gets sanctioned, you may instantly lose access to all your funds. What exchanges or platforms do criminals use to cash out or launder ransomware payments? And what implications does this have for people who use exchanges legitimately? Blacklisted Exchanges and Mixers…

Are Threat Actors Using ChatGPT to Hack Your Network?

Though the technology has only been widely available for a couple of months, everyone is talking about ChatGPT. If you are one of the few people unfamiliar with ChatGPT, it is an OpenAI language model with the “ability to generate human-like text responses to prompts.” It could be a game-changer wherever AI meshes with human interaction, like chatbots. Some are even using it to build editorial content. But, as with any popular technology, what makes it great can also make…

Why Crowdsourced Security is Devastating to Threat Actors

Almost every day, my spouse and I have a conversation about spam. Not the canned meat, but the number of unwelcomed emails and text messages we receive. He gets several nefarious text messages a day, while I maybe get one a week. Phishing emails come in waves — right now, I’m getting daily warnings that my AV software license is about to expire. Blocking or filtering has limited success and, as often as not, flags wanted rather than unwanted messages.…

Bridging the 3.4 Million Workforce Gap in Cybersecurity

As new cybersecurity threats continue to loom, the industry is running short of workers to face them. The 2022 (ISC)2 Cybersecurity Workforce Study identified a 3.4 million worldwide cybersecurity worker gap; the total existing workforce is estimated at 4.7 million. Yet despite adding workers this past year, that gap continued to widen. Nearly 12,000 participants in that study felt that additional staff would have a hugely positive impact on their ability to perform their duties. More hires would boost proper…