
Copyright © 2007 O’Reilly & Associates, Inc. All rights reserved.
Chapter 1: Threat Modeling and Risk Management
Conclusion
This is enough to get you started with threat analysis and risk management. How far
you need to go is up to you. When I spoke on this subject recently, a member of the
audience asked, “Given my limited budget, how much time can I really afford to
spend on this stuff?” My answer was, “Beats me, but I do know that periodically
sketching out an attack tree or an ALE or two on a cocktail napkin is better than
nothing. You may find that this sort of thing pays for itself.” I leave you with the
same advice.
Resources
Cohen, Fred et al. “A Preliminary Classification Scheme for Information Security
Threats, Attacks, and Defenses; A Cause and Effect Model; and Some Analysis
Based on That Model.” Sandia National Laboratories: September 1998,
http://www.all.net/journal/ntb/cause-and-effect.html.