Threat Model

From MgmtWiki
Jump to: navigation, search

Full Title or Meme

A model of an information processing system that shows data flows around the system and which spots in the network that a susceptible to attack.


Carnegie Mellon University Software Engineering Institute published a report on "Threat Modeling: 12 Available Methods" [1]

Loren Kohnfleder paper 'Threat Modeling Retrospective'[2]

Crispin Cowan on The Calculus of Threat Modeling [3]

Adam Shostack in 20 Years of STRIDE [4]



A comprehensive Data Flow Diagram is the first step to creating a threat model.

STRIDE is an acronym for: Spoofing identity, Tampering data, Repudiation (denial of responsibility), Information disclosure (data breach), Denial of Service (DoS), and Elevation of privilege.[5]

Each threat is a violation of a desirable property for a system:

Threat Desired property
Spoofing Authenticity
Tampering Integrity
Repudiation Non-repudiability
Information disclosure Confidentiality
Denial of Service Availability
Elevation of Privilege Authorization


  1. Nataliya Shevchenko, Threat Modeling: 12 Available Methods (2018-12-03)
  2. Loren Kohnfleder, Threat Modeling Retrospective Medium
  4. Adam Shostack, 20 Years of STRIDE: Looking Back, Looking Forward. Dark Reading
  5. The threats to our Products. (199) Microsoft
  • Michael Howard, Praerit Garg Loren M. Kohnfelder, RAPID APPLICATION SECURITY THREAT ANALYSIS US Patent 7,243,374 B2 (2007-07-12) Abstract
The following Subject matter provides for modeling an application's potential security threats at a logical component level early in the design phase of the application. Specifically, in a computer system, multiple model components are defined to represent respective logical elements of the application. Each model component includes a corresponding set of security threats that could potentially be of import not only to the component but also to the application as a whole in its physical implementation. The model components are interconnected to form a logical model of the application. One or more potential security threats are then analyzed in terms of the model components in the logical model.