Threat modeling: A critical, yet underused, element of cybersecurity risk analysis

How likely is it that a hacker will try to steal your business or personal data? The threat modeling approach to security risk assessment is one way to find out.

The staff at Motherboard recently updated its Guide to Not Getting Hacked to include more suggestions on how to avoid getting into digital hot water. Interestingly, threat modeling, a topic not often discussed, is brought up several times in the guide.

The Electronic Frontier Foundation (EFF), which lists threat modeling as a synonym of threat model, defines a threat model as:

"A way of narrowly thinking about the sorts of protection you want for your data. It's impossible to protect against every kind of trick or attacker, so you should concentrate on which people might want your data, what they might want from it, and how they might get it. Coming up with a set of possible attacks you plan to protect against is called threat modeling. Once you have a threat model, you can conduct a risk analysis."

Put simply, threat modeling is a way to evaluate whether a person or an organization is likely to be hacked.

5 questions to consider when modeling threats

When modeling threats, the EFF advises that answering the following questions is a good place to start (the first question has been edited slightly).

  • What do I have that is worth protecting?
  • Who do I want to protect it from?
  • How likely is it that I will need to protect it?
  • How bad are the consequences if I fail?
  • How much trouble am I willing to go through to prevent these consequences?

Once the who, what, and how have been worked out, the next step is determining the type and extent of security measures. The experts at EFF urge caution during this phase. Security is more than tools or software; it is an ongoing process that uses threat modeling to decide the right kind and the right amount of security. The EFF page about risk assessment states: "In computer security, a threat is a potential event that could undermine your efforts to defend your data. You can counter the threats you face by determining what you need to protect and from whom you need to protect it."

Caution against overestimating and overreacting to perceived security threats

One might think if a little of something helps, then more is better—the guide's authors suggest otherwise, as overestimating and overreacting to the perceived threat landscape can be a problem. This is especially true if the security department deploys unneeded custom systems or overly complex hardware and software, and the technology is used incorrectly.

From the guide: "At best, even simple tasks might take longer. In a worst-case scenario, you might be lulling yourself into a false sense of security with services and hardware that you don't need, while overlooking what actually matters to you and the actual threats you might be facing."

Why threat modeling is scant for mobile devices

Mobile-device technologies are immensely popular and are thus fast becoming the target of choice for cybercriminals, whose success is evident. Yet threat modeling is seldom employed to help fend off the bad guys.

"With everyone I've ever worked with outside of Microsoft, no one's done it [mobile-device threat modeling] until we've done it with them and taught them how to do it," states Michael Howard, senior principal cybersecurity architect at Microsoft, in Christopher Null's TechBeacon article. Howard adds that the problem is exacerbated, because few if any threat models exist for mobile devices.

Howard adds, "Many people don't model for threats because they don't realize they can do it. Others mistakenly think they can wing it. Unfortunately, when you do it that way, 99 times out of 100 you get at least something wrong."

In talking to Steve Manzuik, director of security research at Duo Security, Null believes another reason threat modeling is not used when determining how to best protect mobile devices is the intricacy of the process. "The complexity lies in the fact that a proper threat model relies on clear design documentation and a full understanding of how the application has been implemented," says Manzuik. "In a fast-paced [mobile development] environment, this documentation—and even an understanding of the application—does not always exist."

Threat modeling takes practice

The Motherboard guide suggests that we do not need to be experts when it comes to computer and network security, because the threats and the tools developed to address the threats are constantly changing. It is more important to start thinking about security risks and not be intimidated by the technology.

Null writes that threat modeling is a learned skill, adding, "The OWASP mobile security project threat model provides a great starting point, with an overview of best practices and methodologies such as STRIDE and DREAD."

About Michael Kassner

Information is my field...Writing is my passion...Coupling the two is my mission.
