Originally posted by @fixbits
Hi all,
a while ago I stumbled upon this Stack Overflow blog post on the importance of reading into cutting-edge research in computer science:
I believe the above blog post motivates the importance of reading past tutorials if you want to become good at your field. You should also check out https://paperswelove.org/ by the way.
On the other hand, I have missed from this list papers that would be relevant for threat modelling one way or the other. So I just wanted to kick off this thread to collect papers that we love / would love to recommend on threat modeling or on some related area like risk mgmt. Papers which might add a bit more than anecdotal commentary on what seemed to work for the one or the other colleague. Too often I have found that once someone starts to describe “what worked for them” it soon turns into a justification of their current state of practice - for better or worse – and mostly lacks any tangible support on why one should repeat the approach.
Nevertheless, I came across a couple of papers that definitely contributed to my view on threats, risk, information security etc. so let’s begin:
Ross Anderson’s paper “Why Information Security is Hard – An Economic Perspective” (https://www.acsac.org/2001/papers/110.pdf) is an excellent summary on why a non-systematic approach of fending off adversaries would be futile… and I happen to think that the practice of threat modeling is in many cases a good systematic approach.
Two great papers from Louis Anthony (Tony) Cox, “What’s Wrong with Hazard Ranking Systems? An Expository Note” and “Clarifying Types of Uncertainty: When Are Models Accurate, and Uncertainties Small?”, shaped my thinking about risk (ranking, measurement and relevance) fundamentally. I’m mentioning these as I tend to see TM as the risk management tool of the IT/software practitioner and a practice that should be a foundational part of any modern IT risk management process implementation. These papers hopefully help you think about the otherwise abstract ideas of risk, probability (likelihood) etc. and thus give you some ideas on what to keep an eye out for when thinking about risk in a TM context … or TM in the context of a risk management process. Unfortunately I do not have any direct link to the Cox papers, but I have reached out to the author on this.
The earliest paper that I can identify as an important contribution to TM practice was Bruce Schneier et al.’s “Toward A Secure System Engineering Methodology” (https://www.schneier.com/wp-content/uploads/2016/02/paper-secure-methodology.pdf).
I hope you find these insightful, and I am looking forward to extending the list with any suggestions.
Cheers, D