STRIDE Threat Model: Example & Overview

Instructor: David Gloag

David has over 40 years of industry experience in software development and information technology and a bachelor of computer science.

In this lesson, we'll take a look at the idea of a threat model, what it is, what STRIDE is and how the two are related. We'll then go over an example of the two being used together.

The Value of Information

We live in a world that makes heavy use of information. We use it to determine whether we need a jacket or umbrella for the day. Businesses use it to determine whether they made a profit for the week. Governments use it to determine things like incoming tax revenue. In fact, you could say that most of us rely on it. Of course, there are those who will try to exploit that information for personal gain, perhaps through ransom or through sale to the highest bidder. It's a sad fact, but true nonetheless. So, it will come as no surprise that there are also those out there who are working to determine the significance of these threats. One way they do that is to use a threat model.

What is a Threat Model?

A threat model, or threat risk model, is a process that reviews the security of any web-based system, identifies problem areas, and determines the risk associated with each area. There are five steps in the process:

  • Identify Security Objectives - This step determines the overall goals the organization has in regard to its security.
  • Survey the System - This step determines the components of the system, the routes through which data travels, and trust boundaries (connections made to outside networks).
  • Decompose the System - This step determines the components of the system that have an effect on security, like the login module.
  • Identify Threats - This step enumerates any potential outside threats that the system has. This generally focuses on those that are known. (How do you identify those that aren't?)
  • Identify Vulnerabilities - This step looks at the identified threats and determines if the system is weak in these areas.

What is STRIDE?

STRIDE is an acronym that stands for:

  • Spoofing Identity - This is a threat where one user takes on the identity of another. For example, an attacker takes on the identity of an administrator.
  • Tampering with Data - This is a threat where information in the system is changed by an attacker. For example, an attacker changes an account balance.
  • Repudiation - This is a threat where an attacker deletes or changes a transaction or login information in an attempt to deny that it ever took place. For example, deleting a purchase transaction so the item isn't charged to you.
  • Information Disclosure - This is a threat where sensitive information is stolen and sold for profit. For example, information on the latest widget is stolen and offered to a competitor for profit.
  • Denial of Service - This is a threat where the resources of a system are overwhelmed and processing stops for everyone. For example, a disgruntled attacker could have automated servers continually log into a system, tying up all connections so legitimate users can't get in.
  • Elevation of Privilege - This is a threat similar to spoofing, but instead of taking on the ID of another user, the attacker elevates their own security level to that of an administrator.

How Are STRIDE and a Threat Model Related?

STRIDE integrates seamlessly with a threat model's 'Identify Threats' step. Specifically, it provides a means to classify and assess the risk associated with an identified threat. The threat types mentioned in the previous section form the means to classify threats to a system under review. Further, each classification can be assigned a risk. This then can be used to determine where attention and budget should be focused.
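
One way to carry out the classification and risk assignment described above, as an added example that is not part of the original lesson. It goes beyond the lesson by using the common STRIDE-per-element mapping to decide which categories apply to each kind of component; the bank components, the 1-3 scores, the boundary heuristic and the likelihood-times-impact formula are constructed assumptions.

```python
from dataclasses import dataclass

# STRIDE categories, named as in this lesson.
STRIDE = {"S": "Spoofing Identity", "T": "Tampering with Data", "R": "Repudiation",
          "I": "Information Disclosure", "D": "Denial of Service",
          "E": "Elevation of Privilege"}

# Assumption: the common STRIDE-per-element mapping (not given in the lesson).
# Repudiation is kept for data stores because they may hold transaction records.
APPLICABLE = {"external_entity": "SR", "process": "STRIDE",
              "data_store": "TRID", "data_flow": "TID"}

@dataclass(frozen=True)
class Element:
    name: str
    kind: str                # key into APPLICABLE
    crosses_boundary: bool   # touches a connection to an outside network

@dataclass(frozen=True)
class Threat:
    element: str
    category: str
    likelihood: int          # 1 (low) to 3 (high)
    impact: int              # 1 (low) to 3 (high)

    @property
    def risk(self) -> int:
        return self.likelihood * self.impact   # assumed scoring formula

def enumerate_threats(elements, impact):
    """Classify every element under STRIDE, score it, and rank by risk."""
    threats = []
    for el in elements:
        # Assumed heuristic: exposure at a trust boundary raises likelihood.
        likelihood = 3 if el.crosses_boundary else 1
        for letter in APPLICABLE[el.kind]:
            threats.append(Threat(el.name, STRIDE[letter], likelihood, impact[letter]))
    return sorted(threats, key=lambda t: (-t.risk, t.element, t.category))

# Constructed decomposition of a web banking system, with constructed impact scores.
BANK = [Element("customer browser", "external_entity", True),
        Element("login module", "process", True),
        Element("browser -> login module", "data_flow", True),
        Element("account database", "data_store", False)]
IMPACT = {"S": 3, "T": 3, "R": 2, "I": 3, "D": 2, "E": 3}

if __name__ == "__main__":
    for t in enumerate_threats(BANK, IMPACT)[:7]:
        print(f"{t.risk}  {t.element:26} {t.category}")
```

The ranked list is the input to the budgeting decision: the entries at the top are where attention goes first, and the internal database threats fall to the bottom only because of the assumed likelihood score.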

Example of a STRIDE Threat Model

Okay, let's look at an example. Consider the system that provides web access to your bank account.
