“Risk comes from not knowing what you are doing.”
Warren Buffett, Billionaire, Philanthropist, Investor
Understanding and exercising a broad scope of real-world attack patterns better depicts the viability of threats. Combined with a risk-centric approach that centers on developing countermeasures commensurate to the value of the assets being protected, PASTA (Process for Attack Simulation and Threat Analysis) allows a linear threat model to achieve both technical sophistication and accuracy and a marketable message around the risk mitigation strategy. This is achieved by realizing three key attributes as part of its methodology: topicality, substantiation, and probabilistic analysis. These attributes will be exemplified in the step-by-step coverage of the PASTA methodology in this chapter.
For any security process to be successful, it needs to be repeatable, measurable, yield results, and invite more stakeholders than those found in security and compliance. The risk-centric threat model detailed in this chapter provides a linear methodology that encompasses all of these characteristics. Its multistep process is combined with a multifaceted focus on various stakeholders. Instead of IT, information security, and business groups remaining in disaccord over security deliverables, a risk-centric threat modeling approach unifies their disparate goals over a linear workflow that is comprehensive yet simple to use. Aspects ...