Essential / TL;DR / Take Home Message Threat Model

Have you seen Judges Tell All?

Some key takeaways:

  • TM report should tell a story
  • Good TM report ≠ “here’s 200 threats”
  • What’s the essence / TL;DR / take home message?
  • … especially when reporting to upper management

If we were to design a threat modeling approach that has this as its first goal and wants to keep things highly relevant / condensed / essential…

What would it look like?


Here’s some of my thoughts:

I didn’t have time to write a short letter, so I wrote a long one.

Less is more.

Less comes from reduction.

We can go :plus: :minus: :plus: :minus: :plus: :minus: :plus: :minus: [add, reduce, add, reduce, …]

  • :puzzle_piece: Scope & Diagrams: Can we condense, simplify, strike-out, out-scope?
  • :cloud_with_lightning_and_rain: Threats: Which threats are essential, most likely, most harmful?
  • :umbrella: Mitigations: If we only have limited time, what are the most important things we should do?

What’s the value per space in the document?

Big picture

What’s the big picture?

First of all, should we report “We’re secure” / “We can be secure if we spend effort in those key mitigations” / “We’re doomed”? :wink:

:open_file_folder: Cluster, :hash: tag, mark, :star: highlight.

Summarize, end sessions with a summary of lessons learned.

The TM of TM has [2.1.6] Irrelevant threats and [2.1.7] Loss of big picture.