Threat Modelling
The threat modelling process is as follows:
- Define security requirements
- Document application structure
- Identify threats based on the results of the previous step
- Decide on threat measures
    - Avoidance (elimination)
        - Stay out of a business area or eliminate a process step completely
    - Reduction (mitigation)
        - Use more secure systems or software
        - Be less attractive to attackers
        - Prepare for problems: crisis organization, business continuity management, disaster recovery preparation
    - Sharing (transfer)
        - Outsource (often does not really work as risk reduction for IT, as you usually remain responsible)
        - Insure
    - Retention (accept and budget)
        - Ignore it and just hope for the best and maybe keep some money in reserve…
- Validate that threats have been mitigated (or risk is reduced and acceptable)
Relevant Note(s): Detection Engineering