Threat Modeling Activity Handout

ASSESSING RISKS
A PROJECT OF THE ELECTRONIC FRONTIER FOUNDATION
FOR MORE INFORMATION: SEC.EFF.ORG
READ MORE ABOUT ASSESSING YOUR RISKS AT HTTPS://SSD.EFF.ORG/

THREAT MODELING helps you identify threats to the things you value and who you need to protect them from. When building a threat model, you can ask yourself the following questions.

● What do I want to protect?
● Who do I want to protect it from?
● What are the consequences if I fail?
● How likely are these consequences?
● How can I address the most likely risks?

THREAT MODELING GLOSSARY:

Asset: What I want to protect
Adversaries: Who I want to protect my assets from
Threats: What are the potential consequences if I fail?
Risk: The likelihood that a particular threat against a particular asset will actually occur
Adversary capability: What an adversary is able to do to achieve its aim. For example, a country's security services might have the capability to listen to telephone calls while a neighbor may have the capability to watch you from their window. To say that an adversary “has” a capability does not mean that they will necessarily use that capability. It does mean that you should consider and prepare for the possibility.

Try it! Make a threat model for a jewelry store owner:

THREAT MODEL FOR A JEWELRY STORE OWNER

YOU inherit a JEWELRY STORE in the city.
The JEWELRY STORE has:

● $1 million worth of diamonds.
● A staff of five people.
● An alarm system.
● A safe.
● A cash register.
● A camera monitoring the door.
● A PIN-protected alarm for the door.

1 What assets are you protecting?

● $1 million worth of diamonds
● Money in the safe
● Alarm code
● Anything else?

2 Who are your adversaries?

● Jewelry thieves
● Anyone else? (Consider: Who might have access to the jewelry store safe? What about cleaning crews, or maintenance staff?)

Consider:
● What would motivate your adversaries?
● What are your adversaries’ capabilities?

3 What are the consequences if you fail?

● Theft of jewelry
● Any other threats? (What if the safe code or alarm code is stolen?)

4 How likely are these consequences?

Map the likelihood of these threats occurring on the back!

5 How can you address the most likely risks?

● Changing the passcode every month, and after an employee leaves.
● What else?

THREAT MODELING FOR A JEWELRY STORE

How likely are these consequences? This depends on your adversaries’ capabilities.

[Chart: vertical axis "Risk", from low likelihood to high likelihood; horizontal axis "Threat", from low consequence to high consequence. Example threats plotted on the chart:]

● Employee misplaces their key.
● High-profile protest against this particular jewelry store.
● Enraged bear destroys store door.

ASSESSING YOUR RISKS

1 ASSETS:

What do you want to protect?

2 ADVERSARIES:

Who do you want to protect it from?

What would motivate your adversaries?

What are your adversaries’ capabilities?

3 CONSEQUENCES:

What are the consequences if you fail to protect those assets?

4 LIKELIHOOD:

Map the likelihood on the next page!

5 PROTECTIONS:

What kinds of protections make sense in response?

Fill this section out after completing #4 on the back.

Determining appropriate measures depends on your appetite for risk.

6 PLAN FOR CHANGE:

Technologies and threats change.

Plan to reassess your risks.

I will reevaluate my threat model on:

[Blank chart: vertical axis "Risk", from low likelihood to high likelihood; horizontal axis "Threat".]