Threat Modeling: Process, Tools & Example

Instructor: David Delony

David is a freelance writer specializing in technology. He holds a BA in communication.

In this lesson, you'll learn about threat modeling to keep your organization safe from hackers. You'll learn about protecting assets from threats, both internal and external, ranging from hackers to natural disasters. Updated: 11/02/2021

What is threat modeling?

Security might be a nebulous topic, but you can make your business more secure by anticipating the kinds of threats you might face. You could deal with natural disasters, hackers, even rogue employees. A little time spent on prevention can be worth more than a pound of cure.

What kinds of threats?

Everyone, ranging from self-employed professionals to enterprise companies, will have to deal with some kind of security threat. For the purposes of this lesson, we'll define a threat as something that will prevent a user from accessing some kind of asset, namely important data. Threat modeling is the process of identifying assets that you want to protect from threats.

The threats vary from person to person. The biggest risk a person using a laptop faces is someone stealing it, while a company running a web app will mainly have to worry about hackers breaking in from the outside.

Threat definitions

The Electronic Frontier Foundation has an excellent set of questions that everyone should ask themselves when defining threats:

  • What do you want to protect?
  • Who do you want to protect it from?
  • How likely is it that you will need to protect it?
  • How bad are the consequences if you fail?
  • How much trouble are you willing to go through in order to try to prevent those?

Protecting Assets

Ultimately, threat modeling is about figuring out what you want to protect. The actions that you'll take to protect your assets will flow from this decision.

Let's take one example of how threat modeling might be used in practice. FaceSpace is a social media network that wants to make sure its security is up to par, so its security team is conducting a threat model on its entire infrastructure.

A social media service's biggest assets will be its user base, messages, photos, among other things. A lot of this information is sensitive, so the company will go to great lengths to keep it safe while balancing that against the need to be available to users.

Strategies Against External Threats

Most of the company's threats will be external: mainly hackers exploiting weaknesses in its software. The company will spend most of its efforts making sure that all of the inputs are handled properly, lessening the possibility of a buffer overflow or SQL injection attack.

Since the company's application is database-driven, they'll also have to vet their database and database administrators very carefully. Ideally, administrators will have the minimum permissions necessary to doing their job. They won't be able to access or make changes to the entire database.

Modern web applications have all sorts of components that work together and all have their own threats, so security professionals will have to analyze all these components together to figure out all how all these pieces are vulnerable. This could range from the file servers to individual developer laptops that are logged into production servers. The company's security requirements will change as the hardware and software components of its system change.

The company might try penetration testing to see if they can break into all of these components the way a hacker would. This means they will act as hackers and try to break into the core components of the system. They'll document and fix any problems they'll find and revisit these threat modeling plans periodically.

To unlock this lesson you must be a Member.
Create your account

Register to view this lesson

Are you a student or a teacher?

Unlock Your Education

See for yourself why 30 million people use

Become a member and start learning now.
Become a Member  Back
What teachers are saying about
Try it now
Create an account to start this course today
Used by over 30 million students worldwide
Create an account