Threat modeling is the art of assessing and anticipating threats in order to build a more tailored information security program. Essentially, the process starts with enumerating threats and assessing probability and impact, then building your risk management or remediation plan. Once a threat has been "modeled," it goes into a risk management state and the next threat is modeled. The process is repeated over and over, once for each threat.
I say art (versus science) because threat modeling is a somewhat unstructured process: a blank canvas on which information security professionals analyze threats in various, yet unique, ways. One commonality, however, is to focus analysis on the actual threat itself. Yet I see a problem with focusing the equation on threats:
- There are simply too many threats to model
- Threats are constantly changing
- Many different threats produce the same effect or impact
- Focusing on the threat is a preventative approach; so what happens when the threat actually materializes?
Lately I've been pondering whether it's more beneficial to instead focus on the impacts. Here's a very simple "effect model" whereby simply enumerating the threats is as far as I go with analysis.
As you can see, multiple causes (threats) equate to the same impacts (effects). This simple cause-and-effect diagram can be further streamlined as follows:
So, after simply enumerating my risks, I have a rough cut of my top impacts, listed here in a simple stack-ranked list which I can actually commit to memory:
- Financial Loss (8)
- Damage to Reputation (8)
- Litigation (7)
- Loss of Intellectual Property / PII (6)
- Physical Harm to Humans (2)
Knowing that financial loss and damage to reputation are at the top of my list, I should probably think about having a solid cyber insurance policy and a good PR plan. As for litigation and loss of IP/PII, having a good attorney on retainer probably makes sense. Finally, physical harm to humans, while low on the connectivity graph, is still the most important aspect of any security program.
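The effect model described above can be sketched in a few lines of Python. This is an added example, not the author's own model: the threat names and their links to impacts are constructed sample data, and it assumes the number in parentheses next to each impact is the count of threats that lead to it. It also groups threats that produce exactly the same impacts, which is one way to streamline the diagram.

```python
from collections import defaultdict

# Constructed sample data: threats and their impact links are illustrative
# assumptions, not the threats behind the counts in the list above.
THREAT_IMPACTS = {
    "ransomware": {"Financial Loss", "Damage to Reputation"},
    "phishing": {"Financial Loss", "Damage to Reputation", "Loss of IP / PII"},
    "insider data theft": {"Loss of IP / PII", "Litigation", "Damage to Reputation"},
    "lost laptop": {"Loss of IP / PII", "Litigation", "Damage to Reputation"},
    "DDoS": {"Financial Loss", "Damage to Reputation"},
    "building fire": {"Financial Loss", "Physical Harm to Humans"},
}


def invert(threat_impacts):
    """Flip threat -> impacts into impact -> set of threats (the effect view)."""
    by_impact = defaultdict(set)
    for threat, impacts in threat_impacts.items():
        for impact in impacts:
            by_impact[impact].add(threat)
    return dict(by_impact)


def rank_impacts(threat_impacts):
    """Stack-rank impacts by how many threats lead to them; ties sort by name."""
    by_impact = invert(threat_impacts)
    return sorted(((impact, len(threats)) for impact, threats in by_impact.items()),
                  key=lambda pair: (-pair[1], pair[0]))


def collapse_threats(threat_impacts):
    """Group threats whose impact sets are identical; each group can be
    planned for once instead of once per threat."""
    groups = defaultdict(list)
    for threat, impacts in threat_impacts.items():
        groups[frozenset(impacts)].append(threat)
    return {signature: sorted(threats) for signature, threats in groups.items()}


if __name__ == "__main__":
    for impact, count in rank_impacts(THREAT_IMPACTS):
        print(f"{impact} ({count})")
    for signature, threats in collapse_threats(THREAT_IMPACTS).items():
        print(sorted(signature), "<-", threats)
```

Adding or retiring a threat only changes one entry in the mapping; the ranked impact list and the response plans attached to it are recomputed rather than re-modeled.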
In summary, it's sometimes helpful to focus more on the impact than the threat itself. Flipping the threat modeling equation around provides a different perspective, and a different way to group and prioritize events which, hopefully, never happen.