I’m building a Threat Modeling Tool and I am facing the following problem:
There are a bunch of threat models (
). Each has threats (
). Threats have their associated mitigations (
).
I see all of those threat models in an overview.
I want to answer: How far are they? Then display in a red-yellow-green gradient if threat models are mature / have good progress.
Threat models that suffer from admiration for the problem (little mitigations) shall have a bad rank.
How would you compute that?
=> I’m looking for coverage metrics.
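One way to turn the structure in the question (threat models, threats, mitigations) into a coverage score and a red-to-green colour, as an added example that is not part of the original post and not any particular tool's code. It assumes each mitigation carries an `implemented` flag (an assumption; the question does not say what state a mitigation has) and scores a model on two fractions: threats that have at least one mitigation identified, and threats that have at least one mitigation actually implemented. A model with no threats at all scores zero rather than being skipped, so an empty or "admired" model lands at the red end instead of disappearing from the ranking. The sample models are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Mitigation:
    name: str
    implemented: bool = False  # assumed field: has the mitigation been put in place?


@dataclass
class Threat:
    name: str
    mitigations: list = field(default_factory=list)


@dataclass
class ThreatModel:
    name: str
    threats: list = field(default_factory=list)


def coverage(model):
    """Return (identified, implemented) as fractions of the model's threats.

    identified  = threats with at least one mitigation listed
    implemented = threats with at least one mitigation marked implemented
    A model with zero threats gets (0.0, 0.0): nothing analysed, nothing covered.
    """
    if not model.threats:
        return 0.0, 0.0
    n = len(model.threats)
    identified = sum(1 for t in model.threats if t.mitigations) / n
    implemented = sum(
        1 for t in model.threats if any(m.implemented for m in t.mitigations)
    ) / n
    return identified, implemented


def score(model, w_identified=0.4, w_implemented=0.6):
    """Weighted maturity score in [0, 1]; implemented mitigations count more than identified ones."""
    identified, implemented = coverage(model)
    return w_identified * identified + w_implemented * implemented


def to_rgb(s):
    """Map a score in [0, 1] onto a red -> yellow -> green gradient."""
    s = max(0.0, min(1.0, s))
    if s < 0.5:  # red (255,0,0) towards yellow (255,255,0)
        return (255, round(510 * s), 0)
    return (round(510 * (1 - s)), 255, 0)  # yellow towards green (0,255,0)


def rank(models):
    """Return (name, score, rgb) tuples, worst model first, for the overview page."""
    rows = [(m.name, score(m), to_rgb(score(m))) for m in models]
    return sorted(rows, key=lambda r: r[1])


# Constructed sample data for the example.
SAMPLE_MODELS = [
    ThreatModel("billing", [
        Threat("tampering with invoices", [Mitigation("integrity check", True)]),
        Threat("spoofed webhook", [Mitigation("verify signature")]),          # identified only
        Threat("info disclosure", [Mitigation("TLS", True), Mitigation("field-level encryption")]),
        Threat("DoS on checkout"),                                            # no mitigation at all
    ]),
    ThreatModel("new-service", []),                                           # empty model
    ThreatModel("auth", [
        Threat("credential stuffing", [Mitigation("rate limiting", True)]),
        Threat("session fixation", [Mitigation("rotate session id on login", True)]),
    ]),
]

if __name__ == "__main__":
    for name, s, rgb in rank(SAMPLE_MODELS):
        print(f"{name:12s} score={s:.2f} rgb={rgb}")
```

The weights are a policy choice: putting most of the weight on implemented mitigations is what pushes models that only list mitigations without acting on them towards the red end of the gradient.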
Check out The Metrics Manifesto by Richard Seiersen — tough but worth it. It introduces BOOM (Burndown, Arrival, Wait, Escape):
• Burndown — time‑to‑remediate. Track the distribution (median, percentiles, survival curve). Example: median patch time 72h → 24h after a process change. Time = risk.
• Arrival — rate/timestamps of new risks (vulns, alerts, new assets). Example: arrivals spike after a big feature/asset onboarding. Why: rising inflow can overwhelm capacity.
• Wait — time from arrival to work start (triage latency). Example: average wait 4h → 16h on Mondays. Why: long waits increase exposure and backlog.
• Escape — fraction of risky events that become incidents. Example: 0.5% of phishing attempts lead to compromise. Why: the ultimate KPI for control effectiveness.
You need timestamped events to build a life‑table (survival analysis) and a versioned history of your threat models to track trends. I thought about adding BOOM support to Risquanter (risquanter/register on GitHub) — it tracks model versions, but implementing full BOOM metrics would still be non‑trivial.
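The four BOOM metrics computed from timestamped events, as an added example that is not from The Metrics Manifesto, Risquanter or the original reply. It assumes each finding is a record with `arrived`, `started`, `remediated` (None while still open) and `escaped` fields (all assumed names); the five events are constructed. The burndown part uses the Kaplan-Meier estimator, the standard life-table method, so that findings still open at the reporting time count as censored rather than being dropped, which is the detail that makes a survival curve honest when half the backlog is unresolved.

```python
from datetime import datetime
from math import ceil
from statistics import median

# Constructed sample events (not real data). Times are ISO 8601, local.
EVENTS = [
    {"id": "T1", "arrived": "2024-03-04T09:00", "started": "2024-03-04T11:00",
     "remediated": "2024-03-06T09:00", "escaped": False},
    {"id": "T2", "arrived": "2024-03-04T10:00", "started": "2024-03-04T14:00",
     "remediated": "2024-03-05T10:00", "escaped": False},
    {"id": "T3", "arrived": "2024-03-05T08:00", "started": "2024-03-05T09:00",
     "remediated": "2024-03-09T08:00", "escaped": True},
    {"id": "T4", "arrived": "2024-03-11T09:00", "started": "2024-03-11T17:00",
     "remediated": None, "escaped": False},                      # still open
    {"id": "T5", "arrived": "2024-03-12T09:00", "started": None,
     "remediated": None, "escaped": False},                      # not even triaged yet
]
NOW = datetime.fromisoformat("2024-03-13T09:00")  # reporting time for open items


def _dt(s):
    return datetime.fromisoformat(s) if s else None


def hours(a, b):
    return (b - a).total_seconds() / 3600


def percentile(values, p):
    """Nearest-rank percentile; p in (0, 100]."""
    vals = sorted(values)
    return vals[max(0, ceil(p / 100 * len(vals)) - 1)]


def arrivals_per_week(events):
    """Arrival: how many new findings turned up per ISO week."""
    counts = {}
    for e in events:
        y, w, _ = _dt(e["arrived"]).isocalendar()
        key = f"{y}-W{w:02d}"
        counts[key] = counts.get(key, 0) + 1
    return counts


def wait_hours(events):
    """Wait: median triage latency (arrival -> work started), over triaged items only."""
    waits = [hours(_dt(e["arrived"]), _dt(e["started"])) for e in events if e["started"]]
    return median(waits)


def burndown_hours(events):
    """Burndown: (median, p90) time-to-remediate over closed items."""
    closed = [hours(_dt(e["arrived"]), _dt(e["remediated"])) for e in events if e["remediated"]]
    return median(closed), percentile(closed, 90)


def survival_curve(events, now):
    """Kaplan-Meier estimate of P(finding still open after t hours).

    Closed items contribute an event at their remediation time; open items are
    right-censored at `now` (they are known to have survived at least that long).
    Returns [(t_hours, survival_probability)] at each remediation time.
    """
    obs = []
    for e in events:
        a = _dt(e["arrived"])
        if e["remediated"]:
            obs.append((hours(a, _dt(e["remediated"])), True))   # event observed
        else:
            obs.append((hours(a, now), False))                   # censored
    obs.sort()
    at_risk, surv, curve, i = len(obs), 1.0, [], 0
    while i < len(obs):
        t = obs[i][0]
        same_t = [o for o in obs if o[0] == t]
        deaths = sum(1 for o in same_t if o[1])
        if deaths:  # items censored at exactly t still count as at risk at t
            surv *= 1 - deaths / at_risk
            curve.append((t, surv))
        at_risk -= len(same_t)
        i += len(same_t)
    return curve


def escape_rate(events):
    """Escape: fraction of findings that turned into an incident."""
    return sum(1 for e in events if e["escaped"]) / len(events)


def boom_report(events, now):
    med, p90 = burndown_hours(events)
    return {
        "burndown_median_h": med, "burndown_p90_h": p90,
        "survival": survival_curve(events, now),
        "arrivals": arrivals_per_week(events),
        "wait_median_h": wait_hours(events),
        "escape_rate": escape_rate(events),
    }


if __name__ == "__main__":
    for k, v in boom_report(EVENTS, NOW).items():
        print(f"{k}: {v}")
```

Trend tracking is then a matter of running `boom_report` over each stored version of the model and comparing the medians and the survival curve between versions, which is where the versioned history the reply mentions comes in.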