Threat modeling is a process of identifying, analyzing and assessing potential threats and vulnerabilities to information and information systems. It is also a model for identifying appropriate countermeasures against those threats.
Threats to information systems may be due to weaknesses in existing controls or to the absence of one or more security controls altogether. In addition, threat modeling may help to minimize attack surfaces.
Threat modeling in general employs the following three approaches when dealing with potential threats and vulnerabilities to applications and systems.
- Attacker-centric Threat Modeling
- Asset-centric Threat Modeling
- Application/System-centric Threat Modeling
There are many threat modeling methodologies in information security. STRIDE, PASTA, DREAD, OCTAVE, VAST and NIST 800-154 are among the most common methodologies in the industry.
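As an added example that is not part of the original text, the following Python script shows the system-centric approach in practice using STRIDE, one of the methodologies named above. It applies the standard STRIDE-per-element rule (external entities get S and R; processes get all six; data stores get T, R, I, D; data flows get T, I, D) to a small constructed data-flow model, and flags flows that cross a trust boundary since those are usually where the countermeasures are prioritised. The model (browser, web application, database) and its trust zones are assumptions made up for the example.

```python
"""STRIDE-per-element threat enumeration over a small data-flow model.

Added example: the model below is constructed for illustration; the
element-to-STRIDE mapping follows the common STRIDE-per-element chart.
"""
from dataclasses import dataclass

STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}

# Which STRIDE categories apply to each kind of data-flow-diagram element.
APPLICABLE = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",
    "data_flow": "TID",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # one of the keys of APPLICABLE except "data_flow"
    zone: str   # trust zone the element lives in


@dataclass(frozen=True)
class Flow:
    name: str
    src: str    # Element.name
    dst: str    # Element.name


def enumerate_threats(elements, flows):
    """Return one record per (element, STRIDE category) pair.

    Each record is a dict with the target, the threat category and whether
    the target is a data flow crossing a trust boundary (zone change).
    """
    by_name = {e.name: e for e in elements}
    records = []

    for e in elements:
        if e.kind not in APPLICABLE or e.kind == "data_flow":
            raise ValueError(f"unknown element kind: {e.kind}")
        for code in APPLICABLE[e.kind]:
            records.append({"target": e.name, "threat": STRIDE[code],
                            "boundary_crossing": False})

    for f in flows:
        src, dst = by_name[f.src], by_name[f.dst]   # KeyError if model is inconsistent
        crosses = src.zone != dst.zone
        for code in APPLICABLE["data_flow"]:
            records.append({"target": f"{f.name} ({f.src} -> {f.dst})",
                            "threat": STRIDE[code],
                            "boundary_crossing": crosses})
    return records


def boundary_crossing_threats(records):
    """Filter to the flows that cross a trust boundary: the first review targets."""
    return [r for r in records if r["boundary_crossing"]]


# Constructed sample model: a browser in the internet zone talking to a web
# application in a DMZ, which in turn queries a database in the internal zone.
SAMPLE_ELEMENTS = [
    Element("browser", "external_entity", "internet"),
    Element("web_app", "process", "dmz"),
    Element("user_db", "data_store", "internal"),
]
SAMPLE_FLOWS = [
    Flow("login_request", "browser", "web_app"),
    Flow("credential_lookup", "web_app", "user_db"),
]

if __name__ == "__main__":
    for r in enumerate_threats(SAMPLE_ELEMENTS, SAMPLE_FLOWS):
        flag = " [crosses trust boundary]" if r["boundary_crossing"] else ""
        print(f"{r['target']:45} {r['threat']}{flag}")
```

Running the script lists 18 candidate threats for the sample model: 2 for the browser, 6 for the web application, 4 for the database and 3 for each of the two flows, both of which cross a trust boundary. The list is a starting point for asset and attacker reasoning, not a finished assessment; each entry still needs a judgement on likelihood, impact and the control that addresses it.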