Threat Modelling
Working as an Enterprise Security Architect, my goal is to facilitate decision making by defining the ‘Security Posture’ of the enterprise. This goal requires security concepts to be defined in all layers/elements within scope. With this context in mind, I aim to define security concepts using the ArchiMate language, which is not designed for this purpose, hence stereotypes/specialization of key concepts will be used to get to a level of detail which fits the representation of security. I seek help from the ArchiMate community to validate some of these representations:

Use case: Threat modelling (for architects)
• Objective – Identify threats as drivers to identifying controls that mitigate potential risks.
• Assumptions – That vulnerabilities will exist. (Do not try to identify or assess them; that is not threat modelling.)
• Principle – Identify threats against the service (“what if” the service was made to malfunction in some way), and not at the technology implementation (vulnerabilities).
• Principle – Risk is measured in relation to business impact. Threat modelling can be done without the probability/impact, which can be done if a threat cannot be mitigated.

Questions
- How to represent a STRATEGIC decision that a threat (and hence risk) is accepted, and hence out of scope for the architect. I propose a ‘course of action’. Recognising that this is typically used to decide to do something, it can also be used to capture doing nothing.
- How to represent RISK. I propose that a (residual) risk is a ‘constraint’ that you may have to live with. I am open to any suggestions.
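As an added example (not from the post), the pattern proposed above rendered as a constructed ArchiMate Model Exchange File Format fragment: threats as Drivers, a mitigating control as a Requirement, the accept decision as a Course of Action, and the residual risk as a Constraint, plus a check that lists threats with neither a control nor an accept decision. The «threat»/«control»/«accept»/«residual risk» stereotypes stored in a property are an assumption about how a tool would record specialization.

```python
import xml.etree.ElementTree as ET
# Constructed fragment in the ArchiMate Model Exchange File Format (not from the post). Each
# element's stereotype is kept in a "stereotype" property: an assumption about tool conventions.
MODEL_XML = """<model xmlns="http://www.opengroup.org/xsd/archimate/3.0/"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" identifier="id-model">
 <name xml:lang="en">Threat model (constructed example)</name>
 <elements>
  <element identifier="id-svc" xsi:type="BusinessService"><name xml:lang="en">Payment service</name></element>
  <element identifier="id-t1" xsi:type="Driver"><name xml:lang="en">Service made unavailable</name>
   <properties><property propertyDefinitionRef="pd-st"><value xml:lang="en">threat</value></property></properties></element>
  <element identifier="id-t2" xsi:type="Driver"><name xml:lang="en">Service returns tampered data</name>
   <properties><property propertyDefinitionRef="pd-st"><value xml:lang="en">threat</value></property></properties></element>
  <element identifier="id-t3" xsi:type="Driver"><name xml:lang="en">Service leaks customer data</name>
   <properties><property propertyDefinitionRef="pd-st"><value xml:lang="en">threat</value></property></properties></element>
  <element identifier="id-c1" xsi:type="Requirement"><name xml:lang="en">Redundant hosting</name>
   <properties><property propertyDefinitionRef="pd-st"><value xml:lang="en">control</value></property></properties></element>
  <element identifier="id-a1" xsi:type="CourseOfAction"><name xml:lang="en">Accept tampering threat</name>
   <properties><property propertyDefinitionRef="pd-st"><value xml:lang="en">accept</value></property></properties></element>
  <element identifier="id-rr" xsi:type="Constraint"><name xml:lang="en">Residual risk: data integrity</name>
   <properties><property propertyDefinitionRef="pd-st"><value xml:lang="en">residual risk</value></property></properties></element>
 </elements>
 <relationships>
  <relationship identifier="id-r1" source="id-t1" target="id-svc" xsi:type="Association"/>
  <relationship identifier="id-r2" source="id-c1" target="id-t1" xsi:type="Influence"/>
  <relationship identifier="id-r3" source="id-a1" target="id-t2" xsi:type="Association"/>
  <relationship identifier="id-r4" source="id-a1" target="id-rr" xsi:type="Association"/>
 </relationships>
 <propertyDefinitions>
  <propertyDefinition identifier="pd-st" type="string"><name>stereotype</name></propertyDefinition>
 </propertyDefinitions>
</model>"""

NS = {"a": "http://www.opengroup.org/xsd/archimate/3.0/"}
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

def stereotype(el):
    v = el.find("a:properties/a:property[@propertyDefinitionRef='pd-st']/a:value", NS)
    return v.text if v is not None else None

def untreated_threats(xml_text):
    """«threat» Drivers with neither a mitigating «control» (Influence) nor an «accept» course of action (Association)."""
    root = ET.fromstring(xml_text)
    elems = {e.get("identifier"): e for e in root.find("a:elements", NS)}
    treated = set()
    for r in root.find("a:relationships", NS):
        src_st, kind = stereotype(elems[r.get("source")]), r.get(XSI_TYPE)
        if (src_st, kind) in {("control", "Influence"), ("accept", "Association")}:
            treated.add(r.get("target"))  # the threat this relationship addresses
    return sorted(e.find("a:name", NS).text for i, e in elems.items()
                  if stereotype(e) == "threat" and i not in treated)
```

Run `untreated_threats(MODEL_XML)` to get the threats the model leaves without either a control or an explicit accept decision; in the constructed model that is the data-leak threat only.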