threat model

Threat modeling has two distinct, but related, meanings in computer security: The first is a description of the security issues the designer cares about. This is the sense of the question, “What is the threat model for DNSSec?” In the second sense, Threat modeling is synonymous with the development of attack trees, which are descriptions of a set of computer security aspects. That is, when looking at a piece of software (or any computer system), one can define a threat model by defining a set of possible attacks to consider. It is often useful to define many separate threat models for one computer system. Each model defines a narrow set of possible attacks to focus on. A threat model can help to assess the probability, the potential harm, the priority etc., of attacks, and thus help to minimize or eradicate the threats. More recently, threat modeling has become an integral part of Microsoft’s SDL (Security Development Lifecycle) process. The two senses derive from common military uses in the United States and the United Kingdom. Threat modeling is based on the notion that any system or organization has assets of value worth protecting, these assets have certain vulnerabilities, internal or external threats exploit these vulnerabilities in order to cause damage to the assets, and appropriate security countermeasures exist that mitigate the threats.