November 2024 Challenge: Nominate a question for the 'State of Threat Modeling' survey

Challenge of the month: Nominate a question for the “State of Threat Modeling” survey

About this challenge:
Help shape the “State of Threat Modeling” survey the TMC community is launching next year. Your questions will play a key role in gathering insights into the trends, challenges, and successes in threat modeling practices, helping advance the field and our community.

How to participate:

  1. Reply to this post with the question(s) you’d like to be included in the survey.
  2. Like :heart: 1-2 questions nominated by others that you find relevant.

When to enter:
Now through November 30, 2024

Prize:
Everyone who completes this challenge will earn a Community Maven badge. The post with the most likes will receive a special prize!

How are people automating the validation of threats being mitigated by engineering/developers?

How do you make threat modeling approachable to a wider audience, even those without a technical background?

How do you measure the effectiveness of Threat Modeling? Architectural Risk?

1 Like

Why do you Threat Model? Governance, Risk Management, part of your architectural process, because someone told you you had to, read in a blog, other?

1 Like

I don’t have a single question, but I had some thoughts I wanted to share.

It would be great to see the questions split between techniques/tooling (how people actually create threat models) and the management of the threat modelling effort in a company (who sponsors it, how it integrates, who it serves, how it’s measured/reported/tracked etc.). This conveniently mirrors some of the post categories we have in this forum :slight_smile:

For techniques/tooling questions we can probably leverage Shostack’s 4 Question Framework, and focus on questions that relate to each activity in the framework e.g.

  • What are we looking at? = questions about the scope and input required to create a model of the system in your threat modelling approach
  • What could go wrong? = questions about what security properties (e.g. STRIDE) you evaluate the system model against in order to generate threats
  • What are we going to do about it? = questions about how threats are generated, evaluated and fed into other processes
  • Did we do a good job? = questions about how people evaluate their own process (it’ll be important to clearly separate those that treat this question as one relating to the technique/tooling vs management)

1 Like

What sort of questions do you want? Multiple choice? Likert scale? Open text?

It will be a combination of different question types, depending on the specifics of each question. :slight_smile:

  • What are the tools and techniques you adopted for your own threat modeling style?
  • What are the tools and techniques you designed yourself or modifications you have made?
  • What is part of your Threat Modeling training?

1 Like

  1. Do you maintain or revisit threat models once they are completed? If so, is there a triggering event or is it periodic?
  2. How many groups leverage a completed threat model? E.g., development, QA, red team.

1 Like

  • Is your threat modelling process documented?
  • How do you define/decide the scope of the threat model?
  • Do you leverage threat model templates for different types of systems?
  • Are threat models available from other teams to use as examples?
  • What security properties (or set of threats) do you try to determine e.g. STRIDE, ATT&CK, DREAD, CIA, CWE, in-house threat library etc.
  • How do you evaluate the risk of each threat?
  • Do you capture controls of mitigated threats?
  • How do you decide that a threat model is finished? e.g. time-box, security review, tool analysis, etc.
  • What artifacts (excluding threats) are produced? e.g. tool specific, dashboard, document, PDF, spreadsheet, JSON, etc.
  • Who are the audiences that consume the threat model output?
  • What triggers the review/update of an existing threat model?

1 Like

  1. How many teams/squads do you have that threat model?
  2. How much time per month on average do your squads threat model?
  3. What is the average duration of each of your threat modeling sessions?
  4. How many real-world threats do you find without a pre-existing countermeasure per session?
  5. Essentially, it would be great to gather the data to calculate ‘return on threat modeling investment’ (ROTI), inspired by ROSI :slight_smile:

1 Like

  • Do you measure participant-perceived value, for example, by asking “would you recommend threat modeling to a colleague?”
  • What measures do you report at the highest level you’re reporting them? Who are you reporting them to? (E.g., what does the CEO or the VP of engineering hear about?)

1 Like

  • What key components should an internal Threat Library include? What attributes or data models are essential?
  • What should be the core elements of a Threat Modeling Training plan?
  • How to manage the scope of a Threat Modeling exercise, especially for complex systems with interdependent teams?
  • What methods to use to track and evaluate the success of Threat Modeling efforts?

What has been the biggest “Aha moment” that you’ve experienced (or witnessed) during a threat modeling exercise or activity?

(Collect some anecdotes and stories - if done well, the stories can draw in people who might not otherwise have an interest.)