Threat modeling is a process by which potential threats can be identified, enumerated, and mitigations can be prioritized. Depending on your inception context, you might have to explicitly add an activity for raising the conversation and listing the threat scenarios to be considered. The APA threat modeling activity organize the threats by exploring the Attackers, the Principals and the Assets.

Step by step:

      1. Explain the following template to everyone: Attackers use Principals to get Assets

    – Attacker –the threat agent, the individual or organisation who performs the malicious activities to an asset.
    – Principal – the entity that can be authenticated
    – Asset – the valuable data and/or equipment to be secure

    1. Ask the participants to list the Attackers, the Principals and the Assets
    2. Describe the threats by combining Attackers, Principals and Assets into the template
    3. Have a conversation about the threats (consider categorising and rating each threat)

    step 2 example (obfuscated for confidentiality)

    Example: Hactivist uses Website to get Bank account info

    I learned this activity from Rodrigo Rech, a security specialist.


>> This content is part of a series on inception activities.