Challenge of the month: Nominate a question for the “State of Threat Modeling” survey
About this challenge:
Help shape the “State of Threat Modeling” survey the TMC community is launching next year. Your questions will play a key role in gathering insights into the trends, challenges, and successes in threat modeling practices, helping advance the field and our community.
How to participate:
Reply to this post with the question(s) you’d like to be included in the survey.
Like 1-2 questions nominated by others that you find relevant.
When to enter:
Now through November 30, 2024
Prize:
Everyone who completes this challenge will earn a Community Maven badge. The post with the most likes will receive a special prize!
I don’t have a single question, but I had some thoughts I wanted to share.
It would be great to see the questions split between techniques/tooling (how people actually create threat models) and the management of the threat modelling effort in a company (who sponsors it, how it integrates, who it serves, how it's measured/reported/tracked, etc.). This conveniently mirrors some of the post categories we have in this forum.
For techniques/tooling questions we can probably leverage Shostack's 4 Question Framework, and focus on questions that relate to each activity in the framework, e.g.
What are we looking at? = questions about the scope and input required to create a model of the system in your threat modelling approach
What could go wrong? = questions about what security properties (e.g. STRIDE) you evaluate the system model against in order to generate threats
What are we going to do about it? = questions about how threats are generated, evaluated and fed into other processes
Did we do a good job? = questions about how people evaluate their own process (it'll be important to clearly separate those that treat this question as one relating to the technique/tooling vs management)
Do you measure participant-perceived value, for example, by asking “would you recommend threat modeling to a colleague?”
What measures do you report at the highest level you're reporting them? Who are you reporting them to? (e.g., what does the CEO or the VP of engineering hear about?)