Understanding "Add Threat" Screen – Project vs. Component Threats, Use Case & Integration with Risk Library

Hi everyone,

I’m exploring the “Add Threat” functionality in IriusRisk and had a few questions I was hoping the community could help clarify:

  1. What is the difference between “Project Threats” and “Component Threats” in the context of this feature? How should one decide where to add a new threat?
  2. What does the “Use Case” field represent? Is it tied to a pre-defined structure or taxonomy?
  3. When manually adding a threat, does it get integrated into the Risk Pattern Library, or is it only available for that specific project?
  4. Are there best practices or official documentation that explain the fields on this screen (e.g., impacts, reference ID, ease of exploitation, etc.)?

I want to ensure I’m using this feature correctly for both modeling accuracy and future reusability.

Thanks in advance!

Hi there!

Sounds like you’re using IriusRisk, I can help.

  1. When adding a threat to a project, you can choose to add it to the project or to a specific component.

A project level threat applies to the project as a whole. You would do this when a project has threats that are inherent to the project, rather than associated with a specific component.

The component threat option allows you to add a threat to a specific component - such as in the case where you are aware of specific threats that need to be added.

  2. In short, yes, you can see that structure here: Comprehensive Guide to Threat Modeling in IriusRisk: Data Structures, Risk Types, and Calculations - you will also notice that the IriusRisk content is STRIDE aligned in terms of methodology, so use cases will align to STRIDE categories more often than not. You can of course create risk patterns following whatever pattern you need - but the data structure you will work with is defined in the documentation above.
  3. It wouldn’t automatically get added to an existing Risk Pattern, as that could be undesirable as a default behavior. However, you can easily add existing threats and countermeasures to a Custom Risk Pattern Library, whether they are sourced from Project Threats tied to an existing project, existing risk pattern libraries, or projects that have been converted into templates. See here: Creating/Enabling Custom Library and Mapping Custom Risk Patterns
  4. I would explore here first: IriusRisk - and then consider taking some of the courses here: Threat Modeling Training | Free Certification from IriusRisk

Thanks, this helps :smiley:

Just one more query: would a custom threat created at the model level be fetched in the ‘Project option’ while creating a custom risk library?

If yes, this requires the custom threats created at model level to be remembered and fetched at project level in the risk pattern library.

Also, are a project and a threat model the same thing?