Why threat modeling is important

In our experience, we have discovered that, in many cases, threat modeling sessions are avoided due to the fear of their potential complexity. It is a popular misconception but there are many good reasons to start doing them.

Sebastian Obara 2023.02.13   –   5 MIN read

TL;DR – Why threat modeling is important

Threat modeling is important because it helps: 

  1. Identify vulnerabilities: Threat modeling helps you identify potential vulnerabilities in infrastructures and applications that may pose a threat to your organization both from the technical and business perspective. 
  2. Prioritize risks: Threat modeling allows organizations to prioritize their efforts by identifying the most significant ones and focusing on mitigating those in the first place. 
  3. Improve security at the stage of creation: Threat modeling can ensure that infrastructures and applications are secure from the outset and because of that security risks and necessary security changes will be minimal in the future.  
  4. Reduce cost of security risks: by considering potential threats in advance, we spend less money on fixing them in the future. 
  5. Enhance communication: Threat modeling can help improve communication between different teams and stakeholders, ensuring that everyone has a clear understanding of the risks that your organization is facing. 
  6. Facilitate compliance: Threat modeling can help your organization meet regulatory and compliance requirements by identifying potential risks and assisting in their mitigation. 

How does a threat modeling session work? 

Threat modeling is the most effective way to identify, prioritize, and mitigate potential security risks at your organization. It is like a penetration test but done “on a piece of paper”. Understanding the potential threats your organization/application/infrastructure may face enables you to take actions to protect it in advance rather than react when they occur. Threat modeling helps you to prioritize resources more efficiently by focusing on the most urgent threats first. It can also help your organization develop more secure systems and practices from the very beginning as well as improve overall security posture. 

How to prepare a threat modelling session? 

The answer is very simple – this approach has proven fast and effective thanks to an organized, well-prepared, and thoughtful session. You can quickly achieve the goal of identifying, prioritizing and reducing potential security threats. The key to success is perceiving threat modeling session as a productive meeting: 

  • Inviting people with domain knowledge as well as security knowledge,  
  • Picking a convenient time frame,  
  • Preparing the ground rules and space for work,
  • Adjusting the tools and the scope of the session – for example discussing a specific scope of a given system.

A big mistake that is often made by teams is a lack of people with different domain expertise at the meeting. If someone has been working on the infrastructure/application for a long time, they may not take into account some important details and see them as something obvious. Gathering people from different contexts makes them create a fresh perspective, discover issues that were neglected before – this is a very important part of the whole process. In addition, threat modeling may result in some key domain changes. This is why people who will be involved in their later implementation should take part in the session from the very beginning. 

Thoughtful rules are an important aspect of a threat modeling session, e.g., making a contract, involving different people, planning breaks, and everything else that allows you to conduct a productive meeting. By gaining practice and experience, you will learn how to conduct threat modeling sessions faster and more efficiently. 

Threat Modeling Session – is a simple and fast method that helps you identify, prioritize, and mitigate potential security risks.  

When threat modeling session should be initiated?

  1. Implementing threat modeling session to the project’s design phase can help identify potential threats and vulnerabilities early on, allowing your team to address them before they become serious. 
  2. If your organization uses Scrum, it is the best way to identify threats together with the development team and iteratively take care of the security of the software under development. 
  3. Conducting regular threat modeling sessions as a part of a security review process can help to ensure that your organization’s security posture remains strong and up to date. 
  4. Whenever there is a major change in your organization, system, or device under protection, threat modeling helps to identify any new threats or vulnerabilities that may have occurred. 
  5. If your organization experiences a sudden security incident, a quick threat modeling session helps to ease it more efficiently and understand what went wrong and how to prevent similar incidents in the future. 

By conducting threat modeling sessions at the important moments, you can ensure that your organization is prepared to handle potential threats and that its security posture remains strong. 

Threat modeling can be applied in your organization 

It may be difficult for everyone in your organization to understand what threat modeling gives and what benefits it brings, especially since some of the people you work with know the concepts of threats only superficially. Be prepared and try not to get disappointed too quickly when the first difficulties arise. There are many reasons why it can be complicated to convince others that threat modeling is important, and I hope the following list of arguments will be helpful for you:  

Misperception Arguments
“Threat modeling has no practical application – it is just theory.” Preparing materials in advance (a particular goal, rules, roles, time, breaks, schedule) will save you tons of time. Announcing the purpose of the session and its next steps will help to make threat modeling less abstract and theoretical. Keeping everyone informed about the results will also be essential for the process. 
“We are doing OK with security – it is just an extra cost.” 71% of organizations worldwide fell victim to ransomware attacks in 2022 and there are 2,244 new cyberattacks every day1.
Threats are constantly evolving and we are exposed to them especially if we are introducing changes to our solutions, systems, applications on a daily basis. 
Threat modeling assists in proper planning and risk analysis before the implementation of new changes and starting new projects. For instance, it can help a team of developers to save time and money, because subsequent modifications tend to be very difficult and time-consuming. 
“Threat modeling is an IT-only solution. Other businesses do not need it.” According to the research by Comparitech, CGI, and Oxford Economics, there is a correlation between experiencing a cyber attack by a company and steady decline in the value of its shares2
Threats do not only affect business’s reputation but may also lead to bankruptcy (downtime in service delivery, an attack aimed at your customers). 
“We do not have enough knowledge to carry out a threat modeling session.” Without trying, we’ll never know what we are lacking. There are many free materials on the Internet (like this article and the videos) on how to do it.  
You can also ask experts to assist you in this matter: https://www.securing.pl/en/service/threat-modeling/.
“Threats are negligible in our case.” Sometimes people taking part in the session, see only their piece of the pie. However, it is valuable to understand what may threaten your company or your application more holistically. Be sure to use examples that are appropriate for your case when describing potential threats. 
“This is pointing out mistakes in the team and it can spoil the atmosphere.” It is not possible to cover your code with 100% of tests, people make mistakes and will continue to make them. Making remuneration dependent on the number of mistakes made and errors found is not good practice. It is worth promoting cyber security knowledge and culture of the experimentation so that your team members do not make the same mistakes in the future.  
1 – https://www.websiterating.com/research/cybersecurity-statistics-facts/#sources;
2 – https://www.comparitech.com/blog/information-security/data-breach-share-price-2018/

Doing threat modeling and understanding the risks at the planning stage is less expensive than changing already implemented solutions. 

Summary

To sum up and at the same time answer the main question – threat modeling is important because it changes the way technical people and other employees at your organization perceive the aspects of discovering, identifying, and mitigating threats. Be prepared for challenges during the threat modeling session, use some arguments in conversation, and try to convince other people.  

Each threat modeling session will bring you and your organization one step closer to being more secure and aware of the threats.   

If you are interested in implementing threat modeling in your organization be sure to check out our Threat Modeling Training

Sebastian Obara
Sebastian Obara IT Security Consultant