July 29, 2020 By Mike Elgan 2 min read

By taking a broader, more expansive view of threat modeling, organizations can consider the whole picture of their security strategy and improve efficiency. Threat modeling is a systematic approach to finding, prioritizing and fixing security threats, but it can be much more. It invites an exercise in systematic collaborative thinking, and as such its benefits go beyond tangible security fixes.

There are many great approaches to threat modeling, the taxonomy and descriptions of which are beyond the scope of this article. Simply put, the standard approach to threat modeling involves listing possible threats (along with possible threat actors, including employees), ranking them according to probability of exploitation and cost to the organization based on an understanding of the organization’s hackable assets and associating the highest-priority threats with the best actions that could protect against them.

 Potential Benefits of Threat Modeling  

1. It educates and informs all involved. Threat modeling done right brings together security teams, operations and developers to minimize vulnerability to cyber attacks. This is a learning exercise for everyone.

2. It helps with budgeting.The practice of threat modeling involves prioritizing threats and estimating their cost to the organization, as well as identifying the protections against those threats. That provides powerful data for the cost-benefit analysis in the budgeting process. 

3. It’s a communication process and results in further tools for communication. Through the ongoing collaboration needed among leaders on the problems and specifics of threat modeling, each leader learns from the others. They all gain experience in developing a set of documents for the communication of security practices for the whole organization. Threat modeling produces action plans. It also produces educational materials. 

4. It helps the whole business by encouraging a re-consideration of how the business operates. Threats and targets are always changing, and so threat management must also evolve. The output of a threat modeling system is a series of ‘living documents’ which need to be constantly updated and reassessed. This process also clarifies how the whole business operates, and can inform improvements over time. 

5. It’s a prioritization exercise for not only threat mitigation, but also app development. Threat modeling can be the glue that connects development, security and operations. The leaders of all DevSecOps silos are brought together to solve problems together. 

6. It guides new application development. Sometimes the best way to fix a massive vulnerability is to scrap an app and build a new one, this time with security baked in. 

7. It helps the organization choose products, services and platforms. Threat modeling gets everyone focused on security. This informs the selection of hardware, software, services and platforms. That’s one of the payoffs of the culture of security that can result from ongoing threat modeling. 

Three Ways to Take a Holistic Approach

In general, a holistic approach involves as many people in the organization as possible. Here’s how to do it: 

1. Take a more inclusive approach to threat modeling. Recruit not only technology leaders, but business and operational leaders into the process.

2. Set up a communication center. Ongoing communication of threat modeling information will help employees make better decisions about security. Those informed employees can also provide input into future threat modeling actions. 

3. Develop a clear set of primary objectives based on threat modeling priorities. Share these with service providers, consultants, partners, suppliers or anyone else who can contribute to the achievement of your security goals. 

It’s time to not only to embrace the practice of threat modeling, but also to take a holistic approach to the practice and reap the many benefits beyond specific security measures. It’s time to create a culture of security through threat modeling.

More from

Taking the complexity out of identity solutions for hybrid environments

4 min read - For the past two decades, businesses have been making significant investments to consolidate their identity and access management (IAM) platforms and directories to manage user identities in one place. However, the hybrid nature of the cloud has led many to realize that this ultimate goal is a fantasy. Instead, businesses must learn how to consistently and effectively manage user identities across multiple IAM platforms and directories. As cloud migration and digital transformation accelerate at a dizzying pace, enterprises are left…

IBM identifies zero-day vulnerability in Zyxel NAS devices

12 min read - While investigating CVE-2023-27992, a vulnerability affecting Zyxel network-attached storage (NAS) devices, the IBM X-Force uncovered two new flaws, which when used together, allow for pre-authenticated remote code execution. Zyxel NAS devices are typically used by consumers as cloud storage devices for homes or small to medium-sized businesses. When used together, the flaws X-Force discovered allow a remote attacker to execute arbitrary code on the device with superuser permissions and without requiring any credentials. This results in complete control over the…

What cybersecurity pros can learn from first responders

4 min read - Though they may initially seem very different, there are some compelling similarities between cybersecurity professionals and traditional first responders like police and EMTs. After all, in a world where a cyberattack on critical infrastructure could cause untold damage and harm, cyber responders must be ready for anything. But are they actually prepared? Compared to the readiness of traditional first responders, how do cybersecurity professionals in incident response stand up? Let’s dig deeper into whether the same sense of urgency exists…

Unified endpoint management for purpose-based devices

4 min read - As purpose-built devices become increasingly common, the challenges associated with their unique management and security needs are becoming clear. What are purpose-built devices? Most fall under the category of rugged IoT devices typically used outside of an office environment and which often run on a different operating system than typical office devices. Examples include ruggedized tablets and smartphones, handheld scanners and kiosks. Many different industries are utilizing purpose-built devices, including travel and transportation, retail, warehouse and distribution, manufacturing (including automotive)…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today