Threat Modeling
A systematic approach to identifying, quantifying, and addressing security and privacy threats. It answers four questions: what are we building, what can go wrong, what are we doing about it, and did we do a good job?
Process
- Define scope: System boundaries, assets, data flows
- Enumerate threats: Use frameworks (STRIDE, LINDDUN, attack trees)
- Assess risk: Likelihood × impact, or DREAD scoring
- Prioritize mitigations: Cost-benefit analysis
- Validate: Red team, formal verification, or testing
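Steps 2 to 4 of the process, worked through on a small constructed login-flow DFD, as an added example that is not part of the original page: STRIDE enumeration per DFD element, DREAD scoring, and ranking. The STRIDE-per-element applicability table and the 1..10 DREAD factor scale are assumed conventions, and the element names and ratings are constructed sample data.

```python
# STRIDE-per-element: which categories apply to each DFD element type
# (S=Spoofing T=Tampering R=Repudiation I=Info disclosure D=DoS E=Elevation).
STRIDE_PER_ELEMENT = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",
    "data_flow": "TID",
}

def enumerate_threats(elements):
    """Step 2: every (element, STRIDE letter) pair that applies to the DFD.
    `elements` is a list of (name, kind) with kind a STRIDE_PER_ELEMENT key."""
    threats = []
    for name, kind in elements:
        if kind not in STRIDE_PER_ELEMENT:
            raise ValueError(f"unknown DFD element kind: {kind!r}")
        threats.extend((name, cat) for cat in STRIDE_PER_ELEMENT[kind])
    return threats

def dread_score(damage, reproducibility, exploitability, affected, discoverability):
    """Step 3: DREAD rating as the mean of five factors, each rated 1..10 (assumed scale)."""
    factors = (damage, reproducibility, exploitability, affected, discoverability)
    if any(not 1 <= f <= 10 for f in factors):
        raise ValueError("each DREAD factor must be in 1..10")
    return sum(factors) / len(factors)

def prioritize(threats, ratings):
    """Step 4: rated threats highest score first, plus the ones still unrated,
    returned separately so threats nobody has scored are not silently dropped."""
    scored = sorted(((dread_score(*ratings[t]), t) for t in threats if t in ratings),
                    key=lambda st: st[0], reverse=True)
    return [t for _, t in scored], [t for t in threats if t not in ratings]

# Constructed sample DFD: browser -> login API -> user DB, credentials on a flow.
LOGIN_DFD = [
    ("Browser", "external_entity"),
    ("Login API", "process"),
    ("User DB", "data_store"),
    ("Credentials flow", "data_flow"),
]
# Constructed DREAD ratings (D, R, E, A, Di) for four of the enumerated threats.
SAMPLE_RATINGS = {
    ("Credentials flow", "I"): (9, 8, 6, 9, 7),  # credential disclosure in transit
    ("Login API", "E"): (10, 5, 4, 10, 5),       # authentication bypass
    ("User DB", "T"): (8, 5, 4, 9, 6),           # stored password hashes altered
    ("Browser", "S"): (6, 7, 7, 5, 8),           # client identity spoofed
}
```

The unrated list is the useful output for a review meeting: it is the set of applicable STRIDE entries the team has not yet assessed, which a plain sorted score list would hide.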
Key Questions
| Question | Output |
|---|---|
| What are we building? | DFD, system architecture |
| What can go wrong? | Threat list |
| What are we doing about it? | Mitigations |
| Did we do a good job? | Validation results |
Subsections
- Frameworks: STRIDE, DREAD, attack trees, kill chains
- Privacy Threats: Pfitzmann-Hansen terminology, LINDDUN
- Trust Models: Adversary capabilities and assumptions
Written by Claude Opus 4.5