HP Security Briefing, episode 13 – The art and near-science of threat modeling

Angela_Gunn ‎05-30-2014 11:28 AM - edited ‎05-30-2014 11:37 AM

In this month’s Security Briefing, we discuss the history of, and current trends in, threat modeling, with an emphasis on approaches to introducing threat-modeling processes to the reader’s enterprise. You can listen to this episode of the HP Security Briefing podcast on the Web or via iTunes, and you can read or download the detailed companion report here.


Many enterprises would say it’s all anyone can do to combat attacks on software, networks, and other assets as they’re discovered. Effective security strategy, however, entails getting out in front of attacks as much as possible. That process, whether it’s applied to software development, network management, or any number of other tech-related processes in the enterprise, is called threat modeling.


Approaches to threat modeling can be divided into three essential types: software-centric, asset-centric, and attacker-centric. They’re derived not only from years of thinking (and a number of high-profile mishaps) in the tech industry, but from decades of sociological studies and centuries of military theory.


At its base, threat modeling is yet another permutation of risk management, the soul of information security. Threat modeling asks that we assign value to our assets, examine them closely for potential vulnerabilities, assess what risks those vulnerabilities pose to our enterprise, and plan to mitigate them (or not). Threat modeling is not auditing (though auditing can be useful as we determine which assets or controls merit the modeling effort); it is a way of learning from the past to manage future risk.


In this month’s briefing, we give an overview of the threat-modeling landscape – what it affects, how it got this way, what the current notable conditions are, and how to introduce the pertinent concepts to your organization. Along the way we’ll learn which branch of the US Armed Forces – and which former SEAL Team commander – has the best guidance for threat modelers; start to STRIDE and to view security with DREAD; enjoy some PASTA; and play a few card games. We’ll take operations-management advice from rock gods and we’ll set ground rules for pre-empting threats before they can harm your enterprise.
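To make the cycle described above concrete (assign asset value, categorise each threat, rate it, then decide whether to mitigate or accept), here is a small risk-register model written for this post; it is not code from the briefing or its companion report. It uses Microsoft's STRIDE categories and DREAD rating scheme, which the briefing previews; the 1-5 asset-value scale, the risk formula (asset value times mean DREAD score) and the sample register are assumptions constructed for the example.

```python
from dataclasses import dataclass

# STRIDE categories: the six threat types the briefing refers to.
STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information disclosure", "D": "Denial of service",
          "E": "Elevation of privilege"}

@dataclass
class Asset:
    name: str
    value: int  # business value, 1 (low) to 5 (critical); assumed scale

@dataclass
class Threat:
    asset: Asset
    stride: str        # one STRIDE letter
    dread: tuple       # (Damage, Reproducibility, Exploitability,
                       #  Affected users, Discoverability), each 1-10
    description: str

    def __post_init__(self):
        if self.stride not in STRIDE or len(self.dread) != 5:
            raise ValueError("bad STRIDE letter or DREAD tuple")

    def dread_score(self) -> float:
        # DREAD rating is the mean of its five components.
        return sum(self.dread) / 5

    def risk(self) -> float:
        # Assumed risk formula: weight the rating by the asset's value so a
        # mediocre threat to a critical asset outranks a severe threat to a trivial one.
        return round(self.asset.value * self.dread_score(), 1)

def rank_threats(threats):
    """Highest risk first: the order in which to spend mitigation effort."""
    return sorted(threats, key=lambda t: t.risk(), reverse=True)

def plan(threats, mitigate_above: float):
    """The 'mitigate (or not)' decision: map each threat to 'mitigate' or 'accept'."""
    return {t.description: ("mitigate" if t.risk() > mitigate_above else "accept")
            for t in threats}

# Constructed sample register (not from the briefing).
CUSTOMER_DB = Asset("customer database", 5)
STATUS_PAGE = Asset("public status page", 1)
THREATS = [
    Threat(CUSTOMER_DB, "I", (9, 8, 6, 9, 5), "unvalidated query exposes customer records"),
    Threat(CUSTOMER_DB, "R", (4, 3, 5, 2, 3), "admin actions are not logged"),
    Threat(STATUS_PAGE, "D", (3, 9, 8, 6, 9), "unauthenticated endpoint can be flooded"),
]
```

Note that the status-page flood has a higher DREAD score (7.0) than the missing admin logging (3.4), yet ranks last because the asset it threatens is worth little; that weighting is the point of valuing assets before rating threats.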


(We’ll also explain our name change. This HP Security Briefing continues the series previously known as the HP Security Research Threat Intelligence Briefing and is the thirteenth in that line. The archive for this and all previous Briefings can be found and bookmarked here.)
