Approaches To Threat Modeling
There are at least three general approaches to threat modeling:
- Attacker-centric
  Attacker-centric threat modeling starts with an attacker and evaluates their goals and how they might achieve them. Attackers' motivations are often considered, for example, "The NSA wants to read this email," or "Jon wants to copy this DVD and share it with his friends." This approach usually starts from either entry points or assets.
- Software-centric
  Software-centric threat modeling (also called 'system-centric,' 'design-centric,' or 'architecture-centric') starts from the design of the system and steps through a model of the system, looking for types of attacks against each element of the model. This approach is used in threat modeling in Microsoft's Security Development Lifecycle.
- Asset-centric
  Asset-centric threat modeling starts from the assets entrusted to a system, such as a collection of sensitive personal information.
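The three starting points described above, applied to one small system model, as an added example that is not part of the original page. The model, its element names and the per-kind attack-type lists are constructed for illustration; the page itself names no attack taxonomy.

```python
from collections import deque

# Constructed sample model (an assumption, not from the page): a small web app.
KINDS = {"browser": "external", "web_api": "process", "admin_ui": "process",
         "user_db": "store", "audit_log": "store"}
FLOWS = [("browser", "web_api"), ("web_api", "user_db"),
         ("admin_ui", "user_db"), ("web_api", "audit_log")]
ENTRY_POINTS = ["browser", "admin_ui"]
ASSETS = {"user_db": ["personal_info"]}  # element -> assets it holds

# Illustrative attack types per element kind (assumed for this example).
ATTACK_TYPES = {
    "external": ["spoofing"],
    "process": ["spoofing", "tampering", "elevation of privilege"],
    "store": ["tampering", "information disclosure"],
}

def software_centric():
    """Step through every element of the model and list attack types to review."""
    return [(name, t) for name, kind in KINDS.items() for t in ATTACK_TYPES[kind]]

def attacker_centric():
    """Start at each entry point and follow flows forward to any asset reached."""
    found = []
    for start in ENTRY_POINTS:
        queue, seen = deque([[start]]), {start}
        while queue:
            path = queue.popleft()
            for asset in ASSETS.get(path[-1], []):
                found.append((asset, path))
            for src, dst in FLOWS:
                if src == path[-1] and dst not in seen:
                    seen.add(dst)
                    queue.append(path + [dst])
    return found

def asset_centric(asset):
    """Start at the asset and walk flows backward to every element that can reach it."""
    exposed = {name for name, held in ASSETS.items() if asset in held}
    frontier = deque(exposed)
    while frontier:
        node = frontier.popleft()
        for src, dst in FLOWS:
            if dst == node and src not in exposed:
                exposed.add(src)
                frontier.append(src)
    return exposed
```

On this model the software-centric pass reviews every element, including `audit_log`, while the asset-centric pass for `personal_info` leaves `audit_log` out because no flow leads from it to the asset.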