Threat modeling: A critical, yet underused, element of cybersecurity risk analysis

The staff at Motherboard recently updated its Guide to Not Getting Hacked to include more suggestions on how to avoid getting into digital hot water. Interestingly, threat modeling, a topic not often discussed, is brought up several times in the guide.

The Electronic Frontier Foundation (EFF) defines a threat model as (threat modeling is listed as a synonym of threat model):

“A way of narrowly thinking about the sorts of protection you want for your data. It’s impossible to protect against every kind of trick or attacker, so you should concentrate on which people might want your data, what they might want from it, and how they might get it. Coming up with a set of possible attacks you plan to protect against is called threat modeling. Once you have a threat model, you can conduct a risk analysis.”

Put simply, threat modeling is a structured way to work out what a person or an organization needs to protect, from whom, and how an attacker would go about getting it, so that defenses can be chosen and prioritized instead of guessed at.

5 questions to consider when modeling threats

When modeling threats, the EFF advises that answering the following questions is a good place to start (the first question has been edited slightly).

  • What do I have that is worth protecting?

  • Who do I want to protect it from?

  • How likely is it that I will need to protect it?

  • How bad are the consequences if I fail?

  • How much trouble am I willing to go through to prevent these consequences?

Determining the type and extent of security measures is next—after who, what, and how have been worked out. The experts at EFF urge caution during this phase. Security is more than tools or software—it is an ongoing process using threat modeling to decide what is the right kind and right amount of security. On the EFF page about risk assessment: “In computer security, a threat is a potential event that could undermine your efforts to defend your data. You can counter the threats you face by determining what you need to protect and from whom you need to protect it.”

Caution against overestimating and overreacting to perceived security threats

One might think if a little of something helps, then more is better—the guide’s authors suggest otherwise, as overestimating and overreacting to the perceived threat landscape can be a problem. This is especially true if the security department deploys unneeded custom systems or overly complex hardware and software, and the technology is used incorrectly.

From the guide: “At best, even simple tasks might take longer. In a worst-case scenario, you might be lulling yourself into a false sense of security with services and hardware that you don’t need, while overlooking what actually matters to you and the actual threats you might be facing.”

Why threat modeling is scant for mobile devices

Mobile devices are immensely popular and are fast becoming the target of choice for cybercriminals, whose success is evident. Yet threat modeling is seldom employed to help fend them off.

“With everyone I’ve ever worked with outside of Microsoft, no one’s done it [mobile-device threat modeling] until we’ve done it with them and taught them how to do it,” states Michael Howard, senior principal cybersecurity architect at Microsoft, in Christopher Null’s TechBeacon article. Howard adds that the problem is exacerbated because few, if any, threat models exist for mobile devices.

Howard adds, “Many people don’t model for threats because they don’t realize they can do it. Others mistakenly think they can wing it. Unfortunately, when you do it that way, 99 times out of 100 you get at least something wrong.”

From his conversation with Steve Manzuik, director of security research at Duo Security, Null draws out another reason threat modeling is rarely used to decide how best to protect mobile devices: the intricacy of the process. “The complexity lies in the fact that a proper threat model relies on clear design documentation and a full understanding of how the application has been implemented,” says Manzuik. “In a fast-paced [mobile development] environment, this documentation—and even an understanding of the application—does not always exist.”

Threat modeling takes practice

The Motherboard guide points out that nobody needs to be an expert in computer and network security to start, since the threats, and the tools built to address them, change constantly anyway. What matters is to start thinking about security risks and not be intimidated by the technology.

Null writes that threat modeling is a learned skill, adding, “The OWASP mobile security project threat model provides a great starting point, with an overview of best practices and methodologies such as STRIDE and DREAD.”
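The five EFF questions listed earlier and the STRIDE and DREAD methods Null points to can be tied together in a small script. The following is an added example, not code from Motherboard, the EFF, OWASP or Microsoft: it enumerates candidate threats with the commonly published STRIDE-per-element table (which STRIDE categories apply to external entities, processes, data flows and data stores in a data-flow diagram), rates the threats the team has assessed with classic DREAD (the mean of five 1-to-10 scores), and cuts the ranked list at an agreed threshold. The mapping to the EFF questions is explicit: the elements are "what is worth protecting", Exploitability and Discoverability approximate "how likely", Damage and Affected users approximate "how bad", and the threshold is "how much trouble I am willing to go through". The data-flow diagram (a hypothetical mobile banking app), the threat notes and every score are constructed assumptions for illustration only.

```python
"""Added example: STRIDE-per-element enumeration plus DREAD ranking for a small
data-flow diagram (DFD). The DFD, threats and scores below are constructed
for illustration and do not describe any real product."""
from dataclasses import dataclass
from typing import List, Tuple

# STRIDE categories that apply to each DFD element type, per the commonly
# published STRIDE-per-element table (trust boundaries refine this further).
STRIDE_PER_ELEMENT = {
    "external": {"Spoofing", "Repudiation"},
    "process": {"Spoofing", "Tampering", "Repudiation",
                "Information disclosure", "Denial of service",
                "Elevation of privilege"},
    "data_flow": {"Tampering", "Information disclosure", "Denial of service"},
    "data_store": {"Tampering", "Repudiation", "Information disclosure",
                   "Denial of service"},
}

# DREAD axes, each scored 1 (low) to 10 (high), in this order.
DREAD_AXES = ("Damage", "Reproducibility", "Exploitability",
              "Affected users", "Discoverability")


@dataclass(frozen=True)
class Element:
    name: str
    kind: str  # a key of STRIDE_PER_ELEMENT


@dataclass(frozen=True)
class Threat:
    element: Element
    category: str
    dread: Tuple[int, ...]  # five scores in DREAD_AXES order

    def score(self) -> float:
        """Classic DREAD rating: the mean of the five axis scores."""
        if len(self.dread) != len(DREAD_AXES) or any(
                not 1 <= s <= 10 for s in self.dread):
            raise ValueError(
                f"bad DREAD vector for {self.element.name}/{self.category}")
        return sum(self.dread) / len(self.dread)


def enumerate_candidates(elements: List[Element]) -> List[Tuple[Element, str]]:
    """'What is worth protecting' and 'how might they get it': every STRIDE
    category that applies to an element's type is a candidate threat."""
    return [(e, cat) for e in elements
            for cat in sorted(STRIDE_PER_ELEMENT[e.kind])]


def rank(threats: List[Threat]) -> List[Threat]:
    """Highest DREAD score first; ties broken by name so output is stable."""
    return sorted(threats,
                  key=lambda t: (-t.score(), t.element.name, t.category))


def select(ranked: List[Threat], threshold: float) -> List[Threat]:
    """'How much trouble am I willing to go through': keep threats at or above
    the score the team agreed to mitigate now; the rest are tracked, not worked."""
    return [t for t in ranked if t.score() >= threshold]


# Constructed DFD for a hypothetical mobile banking app.
USER = Element("user", "external")
APP = Element("mobile app", "process")
API_CALL = Element("app -> API over TLS", "data_flow")
TOKEN_CACHE = Element("on-device token cache", "data_store")
DFD = [USER, APP, API_CALL, TOKEN_CACHE]

# Threats the team has assessed so far (constructed judgments, not measurements).
SCORED = [
    Threat(TOKEN_CACHE, "Information disclosure", (9, 8, 6, 8, 7)),  # lost phone, unencrypted cache
    Threat(USER, "Spoofing", (6, 7, 7, 4, 8)),                       # credential stuffing
    Threat(API_CALL, "Denial of service", (3, 6, 6, 9, 6)),          # API flooding
    Threat(API_CALL, "Tampering", (7, 4, 3, 6, 5)),                  # no certificate pinning
    Threat(APP, "Elevation of privilege", (8, 3, 3, 5, 3)),          # hooks on a rooted device
]


def prioritized(threshold: float = 6.0) -> List[Threat]:
    """The work list: assessed threats at or above the agreed threshold."""
    return select(rank(SCORED), threshold)


def unscored(elements: List[Element], scored: List[Threat]) -> List[Tuple[Element, str]]:
    """Candidates nobody has assessed yet: the open items for the next session."""
    done = {(t.element, t.category) for t in scored}
    return [c for c in enumerate_candidates(elements) if c not in done]


if __name__ == "__main__":
    for t in prioritized():
        print(f"{t.score():4.1f}  {t.element.name:<24} {t.category}")
    print(f"{len(unscored(DFD, SCORED))} candidates still to assess")
```

Run as a script it prints the prioritized work list followed by the count of STRIDE candidates nobody has scored yet; that unscored list is the design record Manzuik says fast-moving mobile teams tend to lack, and it is what gets walked through at the next session. DREAD scores are subjective, so they should be agreed by the team rather than assigned by one person, and re-scored whenever the design changes.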



Middle Market CEO, CRO, CFO or Directors – Cyber Job Security Index

Why Cybersecurity Equals Job Security. Better manage your reputational and financial risk.

January 8, 2018 – Dallas, Texas and Atlanta, Georgia – Strategic enterprise risk management (ERM) expert and speaker Gary W. Patterson, FiscalDoctor®, points out that “It’s not if, but when, you’ll be attacked” in his article How Safe Is Your Business? Why Cybersecurity Equals Job Security for CEOs, CFOs and Others published by Corporate Compliance Insights (CCI) at


  • Why C-suite jobs are now at risk and actually being lost.

  • How organizations, not unlike yours, are silently and invisibly breached every day.

  • Which preventive steps you can implement.

Before you start spending any money on an external assessment of your cyber exposure, start with the Three-Minute Self-Scoring Review, which suggests your Cyber Job Security category, and the article’s accompanying 5-step remedy.

Who should consider applying this process, with applications to profitable growth, risk assessments and enterprise risk management (ERM) issues, inside a value-based operational and strategic assessment framework?

  • Family business, private and public business and equity group investors

  • Corporate directors, key committee chairs and board chairs

  • Corporate officers and C-suite executives

  • Shareholders, stakeholders, regulators and legislators

  • SMB, middle market and global 2000

About Corporate Compliance Insights

Corporate Compliance Insights is a professionally designed and managed forum dedicated to online discussion and analysis of corporate compliance, risk assessment, ethics, audit and corporate governance topics. Additionally, Corporate Compliance Insights is a focused knowledge-sharing forum designed to educate and encourage informed interaction within the corporate compliance community – dealing with issues of ethics, audit, compliance, FCPA, governance, risk, fraud and GRC.

Corporate Compliance Insights is founded by Maurice Gilbert, managing partner of Conselium, a compliance-focused executive search firm.

About Gary W. Patterson

Patterson, a Big 4 CPA / Stanford MBA, speaks regularly on business growth, accountability, facilitation, governance, risk management, achieving corporate financial goals, and building long-term wealth.

He can also help increase your profitability by providing access to 100 best-of-business experts, often better and cheaper than incumbents. Gary can be reached at 678-319-4739 or

© Gary W. Patterson.   ###

Gary W. Patterson

FiscalDoctor Inc.


Meet the 9 cyber security startups that showcased their innovative product ideas at AISS

NASSCOM’s Data Security Council of India (DSCI) chose 9 startups for the Most Innovative Product of the Year at the Annual Information Security Summit 2017 to provide impetus to budding security product companies.

The Indian industry is riding high on the wave of entrepreneurial traction in the domain of cyber security and security product development with over 50 security product companies emerging in the last few years.

Though still at a nascent stage, these organisations are seeing robust sales traction and are working toward recognition in the global market.

To provide impetus to the growth of the Indian cyber security market, NASSCOM’s Data Security Council of India (DSCI) is working to build a favourable ecosystem for growth-led, sustainable security product and services companies in the country.

DSCI has undertaken many initiatives and activities to encourage indigenous product development, giving startups a platform to connect with the key stakeholders of the ecosystem.

One such initiative is the NASSCOM-DSCI Excellence Awards for product companies, which comprise two categories. The Security Product Company of the Year is for companies that have developed an information security or privacy product, while the Most Innovative Product of the Year (Innovation Box) is for startups.

Entries were evaluated by a jury comprising Vishal Salvi, Chief Information Security Officer and SVP, Infosys; Shivkumar Pandey, Chief Information Security Officer, BSE; Sanjay Bahl, Director General, CERT-In; Venkat Vallabhaneni, General Partner, Parampara; and Bindu Dey, Secretary, Technology Development Board.

After jury evaluation along with live audience polling, Lucideus Technologies and Security Brigade were announced winners and AppsPicket occupied the runner-up spot at the Awards Night during the Annual Information Security Summit 2017.

The Lucideus Tech team receiving the excellence award

We take a closer look at the companies:

The winners & runner-up

Lucideus Technologies: Launched in 2012, Delhi-based Lucideus Technologies is a complete cyber security solutions provider that enables clients to secure web-based resources. It helps clients eliminate the risk of unauthorised access to key systems, files or databases by identifying vulnerabilities in their web estate. It also organises ethical hacking and web-security workshops and seminars.

Security Brigade: Founded in 2006, Security Brigade is an information security consulting firm based in Mumbai that specialises in delivering high-quality services through expert-driven manual testing. It offers penetration testing, vulnerability assessment, web-application security and source code security audits. The company won the award for its flagship product, ShadowMap. Using internet-wide scanning, big data analysis and machine learning, ShadowMap continuously identifies and maps an organisation’s shadow IT and infrastructure.

AppsPicket: Launched in 2015, AppsPicket’s mission is to bring advanced cryptography to all businesses, whether small, medium or large. The startup, based out of Delhi and London, works in the Strong Authentication (2FA) and Cloud Security domain. It aims to use advanced cryptography to solve real-world security problems with its range of products, including Cryptopass, Developer SDK and Authportal. The brand’s next-generation Two Factor Authentication – I2FA – is making adoption of strong user authentication simpler and frictionless.

The other finalists

Adoroi Tech Ventures: Launched in 2006, this Mumbai-based venture helps companies increase their ROI on offline and online advertising, generate high-quality leads and route calls intelligently by geography; it also adds security layers to existing financial processes and offers internet-less banking for the rural masses using its proprietary technology platform.

Block Armour: Harnessing the potential of Blockchain and emerging technology, Mumbai-based Block Armour, launched in 2016, aims to disrupt cybersecurity. Blending cybersecurity insights, IT security best practices and emerging technologies, Block Armour aims to provide a base for a new breed of identity management, data/information integrity, and IoT-related security solutions.

HaltDos: Launched in 2015, Noida-based HaltDos is an AI-driven website protection service that secures websites against cyber threats. Its offering combines DDoS protection, a web application firewall and load balancing in a single solution, available in the cloud as well as an on-premises appliance.

Instasafe: Bengaluru-based InstaSafe is a cloud-based security solutions provider that helps mobile and remote workers securely access enterprise apps, email and the web on a SaaS model. Launched in 2012, InstaSafe offers hardware-free, zero-configuration, self-service, fully redundant Security-as-a-Service that can be deployed in minutes with comprehensive reporting.

Kratikal Tech: Launched in 2016, the Noida-based startup provides end-to-end cyber security solutions. It offers a complete suite of vulnerability assessment and penetration testing services as well as security audits against PCI DSS, HIPAA, GDPR and ISO 27001. Kratikal Tech’s product, the People Risk Assessment (PRA) Engine, claims to assess an organisation’s real-time threat posture from a people point of view and to reduce cyber risk by up to 90 percent.

Primeauth: Hyderabad-based Primeauth provides easy, reliable, scalable and user-friendly two-factor (2FA) and multi-factor authentication (MFA). It also specialises in SSH (Secure Shell) authentication, cloud, and identity and access management, aiming to eliminate the need for expensive traditional hardware tokens or OTPs.

Promoting innovation in the cybersecurity space

DSCI’s objective is to act as a catalyst for startups working in the cybersecurity space to come up with more innovative product ideas and address real risks, build resilience, increase trustworthiness and create a conducive environment for businesses.

The initiative is an attempt to provide support to product companies in various aspects by bringing these new players nearer to established security leaders, innovators and other stakeholders on a common platform for idea sharing, guidance and collaboration.
