search menu icon-carat-right cmu-wordmark

A Hybrid Threat Modeling Method

Technical Note
Presents a hybrid method of threat modeling that attempts to meld the desirable features of three methods: Security Cards, Persona non Grata, and STRIDE.
Publisher

Software Engineering Institute

CMU/SEI Report Number
CMU/SEI-2018-TN-002
DOI (Digital Object Identifier)
10.1184/R1/12366992.v1

Abstract

In FY 2016, the research team evaluated Security Cards, STRIDE (Spoofing identity, Tampering with data, Repudiation, Information disclosure, Denial of service, Elevation of privilege), and persona non grata (PnG) for effectiveness in threat identification. Security Cards is an approach that emphasizes creativity and brainstorming over more structured approaches such as checklists. STRIDE involves modeling a system and subsystem and related data flows. PnGs represent archetypal users who behave in unwanted, possibly nefarious ways. The team used two scenarios: an aircraft maintenance scenario and a drone swarm scenario, both described in this technical note in detail, along with the project outcomes. No individual threat modeling method included all identified threats.

The research team subsequently developed the Hybrid Threat Modeling Method (hTMM), considering the desirable characteristics for a Threat Modeling Method. At a high level, the hTMM includes the following steps, described in detail in the technical note: (1) Identify the system you will be threat modeling. (2) Apply Security Cards according to developers’ suggestions. (3) Prune PnGs that are unlikely or for which no
realistic attack vectors could be identified. (4) Summarize results from the above steps, utilizing tool support. (5) Continue with a formal risk assessment method.

Cite This Technical Note

Mead, N., Shull, F., Vemuru, K., & Villadsen, O. (2018, March 27). A Hybrid Threat Modeling Method. (Technical Note CMU/SEI-2018-TN-002). Retrieved April 18, 2024, from https://doi.org/10.1184/R1/12366992.v1.

@techreport{mead_2018,
author={Mead, Nancy and Shull, Forrest and Vemuru, Krishnamurthy and Villadsen, Ole},
title={A Hybrid Threat Modeling Method},
month={Mar},
year={2018},
number={CMU/SEI-2018-TN-002},
howpublished={Carnegie Mellon University, Software Engineering Institute's Digital Library},
url={https://doi.org/10.1184/R1/12366992.v1},
note={Accessed: 2024-Apr-18}
}

Mead, Nancy, Forrest Shull, Krishnamurthy Vemuru, and Ole Villadsen. "A Hybrid Threat Modeling Method." (CMU/SEI-2018-TN-002). Carnegie Mellon University, Software Engineering Institute's Digital Library. Software Engineering Institute, March 27, 2018. https://doi.org/10.1184/R1/12366992.v1.

N. Mead, F. Shull, K. Vemuru, and O. Villadsen, "A Hybrid Threat Modeling Method," Carnegie Mellon University, Software Engineering Institute's Digital Library. Software Engineering Institute, Technical Note CMU/SEI-2018-TN-002, 27-Mar-2018 [Online]. Available: https://doi.org/10.1184/R1/12366992.v1. [Accessed: 18-Apr-2024].

Mead, Nancy, Forrest Shull, Krishnamurthy Vemuru, and Ole Villadsen. "A Hybrid Threat Modeling Method." (Technical Note CMU/SEI-2018-TN-002). Carnegie Mellon University, Software Engineering Institute's Digital Library, Software Engineering Institute, 27 Mar. 2018. https://doi.org/10.1184/R1/12366992.v1. Accessed 18 Apr. 2024.

Mead, Nancy; Shull, Forrest; Vemuru, Krishnamurthy; & Villadsen, Ole. A Hybrid Threat Modeling Method. CMU/SEI-2018-TN-002. Software Engineering Institute. 2018. https://doi.org/10.1184/R1/12366992.v1