Threat Modeling Methodology

When analyzing the security of a software product, one looks for attacks that an adversary could use to harm the product's users, its owners or its operators. Of the many possible attack variants, attention should go first to those that could cause significant damage. Each attack variant is characterized by a large number of parameters: the cost of the attack to the attacker, the qualifications and computing power the attacker needs, how widespread (available) the product under study is, how interested the adversary is in the success of the attack, and so on. It is very difficult in general to offer an objective and exhaustive list of criteria that fully characterizes every attack variant. Nevertheless, the quality of the estimate matters a great deal, because the project budget for implementing security measures, or for testing the measures already implemented, depends on it. If the danger of an attack is underestimated, the developers will build no protection against it, which can lead to great damage to the owner of the software or to its users. If the danger of an attack is overestimated, this can create a false need for stronger measures, wasting additional time and human resources. In general, an attack is characterized by a quantity called risk.

In this article, risk means the combination of the probability of an event (an attack on the software product) and its consequences [2]. In general, then, the risk that an attack is realized can be represented by the formula R = C * P, where R is the risk of the attack being realized and C is the damage from the attack. Damage can be measured quantitatively, for example in monetary units (Russian rubles, U.S. dollars, and so on), or qualitatively, for example in points from 1 to 10, where 10 is the maximum damage.

P is the probability that the attack is carried out. Probability can likewise be measured quantitatively, as a number from the interval [0, 1], or qualitatively, as in the case of damage. This definition splits the task of assessing the risk of an attack into two independent subtasks: estimating the possible damage and estimating the probability of the attack. In practice, however, these two values are themselves difficult to estimate, so methods have been sought that formalize the notion of risk in more detail. Typically, such methods define a set of criteria that, in one way or another, break down the components of the damage and the components of the probability of an attack. One example of such a classification is DREAD, which is frequently found in the literature discussing the Microsoft Threat Modeling Methodology.
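The following added example (not part of the original article) puts the two preceding paragraphs into working code: it computes R = C * P for a list of attack variants on either the quantitative scale (money and a probability in [0, 1]) or the qualitative scale (points from 1 to 10), rejects values that fall off the chosen scale, and ranks the variants so that the ones deserving attention first come first. It also shows a DREAD-style breakdown of C and P into finer criteria. The attack names and scores are constructed for illustration, and the mapping of DREAD criteria onto C and P in `dread_to_attack` is an assumption of this example, not a definition from the article or from DREAD itself.

```python
"""Ranking attack variants by risk R = C * P (added example, not from the article)."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Attack:
    name: str
    damage: float       # C: money (quantitative) or 1..10 points (qualitative)
    probability: float  # P: [0, 1] (quantitative) or 1..10 points (qualitative)


def risk(attack: Attack, qualitative: bool = False) -> float:
    """R = C * P, after checking that C and P lie on the chosen scale."""
    c, p = attack.damage, attack.probability
    if qualitative:
        if not (1 <= c <= 10 and 1 <= p <= 10):
            raise ValueError(f"{attack.name}: qualitative scores must be in 1..10")
    elif c < 0 or not (0.0 <= p <= 1.0):
        raise ValueError(f"{attack.name}: damage must be >= 0 and probability in [0, 1]")
    return c * p


def rank_by_risk(attacks: List[Attack], qualitative: bool = False) -> List[Tuple[str, float]]:
    """Highest risk first: the variants the developers should examine before the rest."""
    scored = [(a.name, risk(a, qualitative)) for a in attacks]
    return sorted(scored, key=lambda t: t[1], reverse=True)


def dread_score(damage: float, reproducibility: float, exploitability: float,
                affected_users: float, discoverability: float) -> float:
    """Conventional DREAD rating: arithmetic mean of the five 0..10 criteria."""
    scores = (damage, reproducibility, exploitability, affected_users, discoverability)
    if any(not 0 <= s <= 10 for s in scores):
        raise ValueError("DREAD criteria must be scored in 0..10")
    return sum(scores) / len(scores)


def dread_to_attack(name: str, damage: float, reproducibility: float, exploitability: float,
                    affected_users: float, discoverability: float) -> Attack:
    """ASSUMED mapping (this example's choice, not the article's or DREAD's):
    Damage and Affected users describe the consequences (C); Reproducibility,
    Exploitability and Discoverability describe how likely the attack is (P).
    Each group is averaged and clamped to at least 1 to stay on the 1..10 scale."""
    c = max(1.0, (damage + affected_users) / 2)
    p = max(1.0, (reproducibility + exploitability + discoverability) / 3)
    return Attack(name, c, p)


def sample_quantitative() -> List[Attack]:
    """Constructed sample data: damage in currency units, probability per year."""
    return [
        Attack("SQL injection in login form", 500_000, 0.2),
        Attack("Physical theft of build server", 2_000_000, 0.01),
        Attack("Brute force of admin password", 50_000, 0.5),
    ]


def sample_qualitative() -> List[Attack]:
    """Constructed sample data: the same variants scored in 1..10 points."""
    return [
        Attack("SQL injection in login form", 9, 3),
        Attack("Physical theft of build server", 10, 1),
        Attack("Brute force of admin password", 4, 7),
    ]


if __name__ == "__main__":
    print("Quantitative ranking:")
    for name, r in rank_by_risk(sample_quantitative()):
        print(f"  {r:>12,.0f}  {name}")
    print("Qualitative ranking:")
    for name, r in rank_by_risk(sample_qualitative(), qualitative=True):
        print(f"  {r:>12.1f}  {name}")
    a = dread_to_attack("SQL injection in login form", 8, 6, 7, 9, 5)
    print(f"DREAD mean {dread_score(8, 6, 7, 9, 5):.1f}, as C*P: {risk(a, qualitative=True):.1f}")
```

Note that the two sample scales rank the same three variants differently: the coarse 1..10 scoring of the qualitative scale compresses the damage differences that dominate the quantitative result, which is exactly the kind of under- or overestimation the text warns about, and a reason to keep the two subtasks (damage, probability) separate and documented.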