Insights: why threat model?

Mercury ISS
2 min read · Nov 21, 2021

Edward Farrell

Cybersecurity fundamentally boils down to one thing: the protection of systems (whether they are physical, digital or social) from loss, disclosure, disruption, theft, unauthorised access, modification and a raft of other concerns that impact organisations or our environments at large. Fundamentally, we need to understand why and contextualise what is occurring, for which a threat model is often warranted.

What is threat modelling & why?

Threat modelling is the use of a structured process to identify potential threats, such as structural vulnerabilities, threat actors, or the absence of appropriate safeguards, and subsequently understand their impacts. Threat modelling has a number of benefits:

  1. Resources are finite, and simply acquiring all the security in the world can be a Pyrrhic victory, where an organisation has exhausted its capital on cyber security with no value. Threat modelling allows the efficient allocation of resources to effectively defend an organisation.
  2. Defensive teams can be better rehearsed. Nested in with resource management is planning and preparing the defence and stakeholders. If the threat is understood, stakeholders can be prepared and operate expeditiously in a high-stress environment once a threat is realised.
  3. Structured approaches allow us to build beyond “ransomware.” Most C-level executives are concerned about ransomware, which is front of mind. However, by employing a structured approach to understand the environment, third parties, genuine assets and the breadth of threats, a more expanded observation of genuine issues can take place. By way of example, our own structured approach recently identified that confidence in systems was a higher priority than ransomware events, which had already been adequately addressed.
  4. Discipline breeds confidence. The panic that is generated from the unknown is what sees most organisations set up for failure. By having a disciplined approach, teams and leaders can more confidently address the issues they face.

Daniel Ting & I will be presenting a threat modelling workshop in Canberra in February 2022. If you’d like more details on this, reach out and we’d be happy to get you involved.


Mercury Information Security Services are a leading provider of information security services, advice and consulting.