Skip to content

Threat Modeling

As an institutional defender, I have the disadvantage of having to guess right the first time to detect an attack at the earliest stage. Every institution also has a limited budget, so as a defender I've had to choose what doors I watch with given levels of scrutiny. The only way to do so is to build a threat model.

To understand threat modeling, you need to start with the risk equation.

Risk = (Threat to asset x vulnerability allowing reach x impact to institution) / mitigations


If your business has a gum ball machine in the lobby that takes quarters, the threat is the loss of the gum ball machine, its quarters, and its gum balls. The vulnerability is it can be beaten with a key, someone can use slugs to get gum balls, or someone can grab it and run. The impact is the cost of the lost goods, the reputational impact, and the time lost replacing it, updating policy and procedures, or working with the police. The mitigation could be bolting it to the floor, having a custom key, or hiring someone to either man the machine or protect it.

You need to understand what you are trying to protect, to understand the threat to it, what vulnerabilities it has, the impact to its loss, and if the mitigation is appropriate. Hiring an armed guard will make the loss of the gum ball machine unlikely. The cost outweighs the benefit.

What are you trying to protect? It could be any number of things.

  • Money
  • Physical property
  • Intellectual property
  • Access // Trust
  • Reputation // Brand

The asset needs to be defined, before you can understand the risk involved. Most likely, your institution has multiple asset types. These assets will not carry the same risk, and will not be protected the same way.

In a bank, the obvious asset at risk is the money. That asset exists both as physical currency and digital bits. Each has its own threat model. Both are at risk from thieves, insider threats, or potential destruction. How do you define each? How do you prioritize which one you want to protect more? How do you define your crown jewels?

Think about the threat to the assets. Someone could take the physical money. Someone could manipulate the digital bits to make someone else take ownership of the money. How do they accomplish either feat? Are you more worried about masked assailants taking the currency from a branch office, or a digital adversary abusing the SWIFT banking system to move money to another bank and account in an unauthorized manner? If you controlled security spend, how much would you spend depending which? How would you prioritize your detection capabilities?

Think about the vulnerabilities. Who has access to move the money? Who determines who has that access? How is that access granted? Who audits that behavior? When and how often? How do you define trust of the people involved in access? How do you verify that trust? What about the systems involved? What physical protections exist? How strong are they? What hardware and software is in use to control access to the digital assets? How often are they patched? What is the software // hardware lifecycle? What policies governing use of these assets are in place?

Think about the impact. How does the loss of the asset affect the institution? What is the total cost of that loss? How do you quantify the loss of trust? The failing morale? The loss of time investigating, then vetting and putting in place new mitigations (procedures, audits, hardware and software)?

In order to prioritize your defenses, you need to understand what you are protecting, the impact of its loss, how it can be lost, and and why (and potentially who) that loss would occur. Then design your mitigations based on that. That is your threat model.


Leave a Reply

Your email address will not be published. Required fields are marked *