Threat modelling is analysing representations of a system to highlight concerns about security and privacy characteristics. -- Braiterman et al. (2020)
4+1: five concurrent views model
AADL: architecture analysis and design language
ACH: analysis of competing hypotheses
ACTM: architectural component-based threat modelling
ADVISE: adversary view security evaluation
AEGIS: appropriate and effective guidance for information security
ARA: architectural risk analysis
ATAM: architecture trade-off analysis method
ATASM: threat model process armature
ATM: adaptive threat modelling
ATMS: Apple threat modelling strategies
ATM: approachable threat modelling
ATT&CK: adversarial tactics techniques and common knowledge
AVOIDIT: Memphis cyber attack taxonomy
AWS: Amazon Web Services threat modelling tips
A&K: dependency and vulnerability analysis
BSI 200-3: German risk analysis standard
C4: context, containers, components, and code
CAIRIS: computer aided integration of requirements and information security
CAPEC: common attack pattern enumeration and classification
CARTA: continuous adaptive risk and trust assessment
CBEST: Bank of England cyber threat modelling
CCE: consequence-driven cyber-informed engineering
CCTF: common cyber threat framework
CDA: ceremony design and analysis
CIGITAL: Cigital threat model process
CISCO: Cisco threat modelling process
CORAS: model-based method for security risk analysis
CRAMM: CCTA risk analysis and management method
CSA: Cloud Security Alliance top threats
CSD: Centre for Secure Design top ten
CSRA: cyber-security supply-chain risk assessment
CTM: continuous threat modelling
CVSS: common vulnerability scoring system
CWE: common weakness enumeration
CWRAF: common weakness risk analysis framework
CWSS: common weakness scoring system
CYBERPHA: safety-oriented process for ICS risk assessment
D3FEND: knowledge graph of cyber-security countermeasures
DFD3: version 3 data flow diagram
DOLEV-YAO: Dolev-Yao adversary model
DSTM: data-centric system threat modelling
DTM: developer-driven threat modelling
DTM: DFD-based threat modelling
EVITA: e-safety vehicle security engineering process
FAIR: factor analysis of information risk
FAGAN: Fagan inspection process
FHM: flaw hypothesis methodology
FPVA: first principles vulnerability assessment
FRAP: facilitated risk analysis process
FTM: flexible threat modelling
GATM: generalised approach to threat modelling
GITHUB: GitHub threat modelling process
GITLAB: GitLab threat modelling how-to
GOVCAR: gov cybersecurity architecture review
GTM: guerrilla threat modelling
HAZOP: guidewords applied to use cases
HEAVENS: automotive threat analysis and risk assessment
HTA: hierarchical task analysis
HTMM: hybrid threat modelling method
IAM: infosec assessment methodology
ICPIA: integrated cyber physical impact analysis
IDART: information design assurance red team
IDDIL/ATC: Lockheed Martin common threat analysis methodology
IEC 62443-4-1: IEC SR-2 threat model requirements
IRAM2: ISF information risk assessment methodology
ISO 27005: ISO infosec risk management standard
ISO 31000: ISO risk management standard
IT-GRUNDSCHUTZ: German elementary threats
ITM: incremental threat modelling
ITM: integrated threat modelling
LAVA: Los Alamos vulnerability and risk assessment methodology
LINDDUN: Leuven privacy threat analysis framework
LINDDUN GO: Leuven lightweight approach to privacy threat modelling
LINDUN: Leuven privacy threat trees
MACRA: maritime cyber-risk assessment
MAGERIT: methodology for risk analysis and management
MDTM: medical device threat modelling
MEHARI: method for harmonised analysis of risk
MEII: minimum essential information infrastructure process
MIGRA: Selex risk analysis toolkit
MIS: mapping the information system
MLRF: machine learning risk framework
NEAT: necessary-explained-actionable-tested security warnings
NIST: SP 800-30 risk assessment process
NO DIRT: threat modelling for digital healthcare
OCTAVE: operationally critical threat asset and vulnerability evaluation
OCTAVE-S: OCTAVE for small organisations
OCTAVE ALLEGRO: OCTAVE aimed at information assets
OI: oesterreichisches informationssicherheitshandbuch risk analysis
OODA: observe-orient-decide-act loop
OWASP: top ten web application security risks
O-DM: Open Group dependency modelling
PA: ISI vulnerability taxonomy
PASTA: process for attack simulation and threat analysis
PDPE: pattern-directed protection evaluation
PRISMA: product risk management
PTA: practical threat analysis
PTES: penetration testing execution standard
PYTM: pythonic framework for threat modelling
RATM: risk assessment and threat modelling
QIS: quickscan information security
RAVIB: risicoanalyse voor informatiebeveiliging
RDSA: risk-based design security analysis
RFC 3552: IETF security considerations guidelines
RISK IT: ISACA risk evaluation process
RRA: risk remediation analysis
RTMP: rapid threat model prototyping
SAEM: security attribute evaluation method
SARA: simple to apply risk analysis
SDL: security development lifecycle
SDR: security design review process
SERA: security engineering risk analysis
SMTS: security modelling in trusted systems
SNAM: survivable network analysis method
SPDD: secure and private by design and default
SQUARE: security quality requirements engineering
SSEM: secure system engineering methodology
SSVC: stakeholder-specific vulnerability categorisation
STM: self-serve threat modelling
STPA: systems theoretic process analysis
STRIDE: six security threat categories
SVA: security vulnerability analysis
TAF: threat analysis framework
TARA: threat agent risk assessment
TARA: threat assessment and remediation analysis
THREAGILE: agile threat modelling toolkit
THREATSPEC: threat modelling code annotations
TMC: threat modelling capabilities
TMD: threat modelling for developers
TMD: threat modelling for developers
TMM: threat modelling manifesto
TMPPT: threat modelling process for product teams
TMSA: threat model and security analysis
TRIKE: Trike threat modelling methodology
TSA: threat susceptibility assessment
TTM: tactical threat modelling
TTM: test-focused threat modelling
TVRA: threat vulnerability risk analysis
T-MAP: USC attack path analysis
UML: unified modelling language
VTM: value-driven threat modelling
XUUL: OWASP lightweight threat modelling process
To do.
Below, I've collected an overview of experience reports from in-house threat modellers:
Peter Torr, Microsoft, 3 October 2005. Demystifying the threat-modelling process. IEEE Security & Privacy. paper
Larry Osterman, Microsoft, 30 August 2007 to 1 October 2007. Some final thoughts on threat modelling. blog posts
Adam Shostack, Microsoft, 26 September 2007 to 5 November 2007, The trouble with threat modelling. blog posts
Jeffrey Ingalsbe et al., Ford and SEI, 7 January 2008. Threat modelling: diving into the deep end. IEEE Software. paper
Adam Shostack, Microsoft, 17 or 18 May 2008. SDL threat modelling: past, present, and future. LayerOne. slides and recording
Greg Hughes et al., Microsoft and Ford, 10 or 11 or 12 or 13 June 2008. The importance of threat modelling. TechEd North America. interview
Adam Shostack, Microsoft, 28 September 2008. Experiences threat modelling at Microsoft. MODSEC. paper
Danny Dhillon, EMC, 17 October 2008. Threat modelling at EMC. BlueHat. recording and interview
Adam Shostack, Microsoft, 17 October 2008. Threat modelling at Microsoft. BlueHat. recording and interview
Danny Dhillon, EMC, 12 May 2011. Developer-driven threat modelling. IEEE Security & Privacy. paper
Wouter de Meijer, Worth, 9 October 2018. Security in the design phase. blog post
Robert Reichel, GitHub, 2 September 2020. How we threat model. blog post
Jeevan Saini, Segment, 29 March 2021. Threat modelling redefined: the self-serve threat model. blog post
Mark Loveless, GitLab, 9 July 2021. How we're creating a threat model framework that works for GitLab. blog post
Judy Kelly, Red Hat, 18 July 2022. A collaborative approach to threat modelling. blog post
Rui Covelo, OutSystems, 3 October 2022. Developer-driven threat modelling at OutSystems. blog post
Steve Lipner & Michael Howard, SAFECode and Microsoft, 10 April 2023. Inside the Windows security push: a twenty-year retrospective. paper
Arjen, Tweede golf, 31 May 2023. Threat modelling. blog post
Arne Padmos & Vanina Yordanova, Adyen, 11 August 2023. Threat modelling at Adyen. blog post
Jamie Dicken, New Relic, 7 May 2024. Teaching software engineers to threat model: we did it, and so can you. RSAC. slides and recording
To do.
This document is licensed under a CC BY 4.0 licence. The desired citation is as follows:
Padmos, A. (2022). Threat modelling. https://github.com/arnepadmos/threats
Note that all documents stored under the archive directory have been copied with the purpose of preventing bit rot. If you would like to have a specific document removed, please file a bug report. If you are the owner of a document that has not been made freely and publicly available, please consider doing so as this will increase both its visibility and its longevity.