By taking a broader, more expansive view of threat modeling, organizations can consider the whole picture of their security strategy and improve efficiency. Threat modeling is a systematic approach to finding, prioritizing and fixing security threats, but it can be much more. It invites an exercise in systematic collaborative thinking, and as such its benefits go beyond tangible security fixes.

There are many great approaches to threat modeling, the taxonomy and descriptions of which are beyond the scope of this article. Simply put, the standard approach to threat modeling involves listing possible threats (along with possible threat actors, including employees), ranking them according to probability of exploitation and cost to the organization based on an understanding of the organization’s hackable assets and associating the highest-priority threats with the best actions that could protect against them.

 Potential Benefits of Threat Modeling  

1. It educates and informs all involved. Threat modeling done right brings together security teams, operations and developers to minimize vulnerability to cyber attacks. This is a learning exercise for everyone.

2. It helps with budgeting.The practice of threat modeling involves prioritizing threats and estimating their cost to the organization, as well as identifying the protections against those threats. That provides powerful data for the cost-benefit analysis in the budgeting process. 

3. It’s a communication process and results in further tools for communication. Through the ongoing collaboration needed among leaders on the problems and specifics of threat modeling, each leader learns from the others. They all gain experience in developing a set of documents for the communication of security practices for the whole organization. Threat modeling produces action plans. It also produces educational materials. 

4. It helps the whole business by encouraging a re-consideration of how the business operates. Threats and targets are always changing, and so threat management must also evolve. The output of a threat modeling system is a series of ‘living documents’ which need to be constantly updated and reassessed. This process also clarifies how the whole business operates, and can inform improvements over time. 

5. It’s a prioritization exercise for not only threat mitigation, but also app development. Threat modeling can be the glue that connects development, security and operations. The leaders of all DevSecOps silos are brought together to solve problems together. 

6. It guides new application development. Sometimes the best way to fix a massive vulnerability is to scrap an app and build a new one, this time with security baked in. 

7. It helps the organization choose products, services and platforms. Threat modeling gets everyone focused on security. This informs the selection of hardware, software, services and platforms. That’s one of the payoffs of the culture of security that can result from ongoing threat modeling. 

Three Ways to Take a Holistic Approach

In general, a holistic approach involves as many people in the organization as possible. Here’s how to do it: 

1. Take a more inclusive approach to threat modeling. Recruit not only technology leaders, but business and operational leaders into the process.

2. Set up a communication center. Ongoing communication of threat modeling information will help employees make better decisions about security. Those informed employees can also provide input into future threat modeling actions. 

3. Develop a clear set of primary objectives based on threat modeling priorities. Share these with service providers, consultants, partners, suppliers or anyone else who can contribute to the achievement of your security goals. 

It’s time to not only to embrace the practice of threat modeling, but also to take a holistic approach to the practice and reap the many benefits beyond specific security measures. It’s time to create a culture of security through threat modeling.

More from

Security Awareness Training 101: Which Employees Need It?

4 min read - To understand why you need cybersecurity awareness training, you must first understand employees' outsized roles in security breaches. “People remain — by far — the weakest link in an organization’s cybersecurity defenses,” noted Verizon on the release of their 2022 Data Breach Investigations Report (DBIR). They elaborate that 25% of all breaches covered in the report were the result of social engineering attacks, and when you add human errors and misuse of privilege, the human element accounts for 82% of…

4 min read

Beyond Requirements: Tapping the Business Potential of Data Governance and Security

3 min read - Doom and gloom. Fear, uncertainty and doubt. The "stick" versus the "carrot". What do these concepts have in common? They have often provided the primary motivation for organizations’ data governance and security strategies. For the enterprise, this mindset has perpetuated the idea that data governance, data security and data privacy are reactive cost centers existing due to externally imposed requirements or mandates. Yet, what if data governance and security practices could upend the prevailing paradigm and demonstrate direct business value?…

3 min read

Protecting Against Remote Monitoring and Management Phishing

3 min read - You use remote monitoring and management (RMM) software to closely monitor your cyber environment and keep your organization safe. But now cyber criminals are specifically targeting these tools, causing legitimate software to become a vulnerability. This is the latest type of attack in an increase in a recent trend of disruptive software supply chain attacks. The Cybersecurity and Infrastructure Security Agency (CISA) recently released an alert about the malicious use of legitimate remote monitoring and management (RMM) software. Last fall,…

3 min read

Secure-by-Design: Which Comes First, Code or Security?

4 min read - For years, developers and IT security teams have been at loggerheads. While developers feel security slows progress, security teams assert that developers sacrifice security priorities in their quest to accelerate production. This disconnect results in flawed software that is vulnerable to attack. While advocates for speed and security clash, consumers must often pay the price when threat actors strike. 48% of developers admitted they were still shipping code with vulnerabilities in 2022. It’s clearly time for a change. Many believe…

4 min read