Threat modeling is the process at looking at all the significant and likely potential threats to a scoped scenario, ranking their potential damage in a given time period, and figuring cost‐effective mitigations to defeat the highest‐priority threats. Threat modeling is used in all sorts of industries and in our particular case planning computer security defenses. Threat modeling is used in the security development lifecycle (SDL) efforts when programming and reviewing software and across computer devices and infrastructure. Only by using threat modeling can a defender quantify threats, risks, and mitigations, and compare the implemented plan against the reality of what occurs.

Why Threat Model?

Threat modeling reduces risk. At the very least it allows one or more people to consider the various threats and risks in a scenario. It allows multiple threats to be weighed against each other, mitigations to be developed and evaluated, and, hopefully, cost‐effective, useful mitigations to be deployed. We know for sure that, over the long run, software programmed using threat modeling consideration has fewer bugs and vulnerabilities than software that is not threat modeled. If software is being threat modeled for the first time, modelers may discover more bugs and vulnerabilities than in a prior period, and that increased number of vulnerabilities may continue for some period of time, but eventually the number of newly discovered bugs and vulnerability should fall. ...