Irfaan Santoe
CISO - OWASP Chapter Leader
January 16, 2023

The Hierarchy of Needs for Threat Modeling

The Hierarchy of Needs for Threat Modeling


As a security executive who implemented Threat Modeling at scale for a global financial institution;

As a supporter of Maslow’s Hierarchy of Needs;

As an Inner Engineer(*);

I felt compelled to share with you the parallels that can be drawn between Maslow’s model and the different phases a security executive goes through when scaling Threat Modeling within their organization.

During this blog post, you will explore the following:

  1. Maslow’s Hierarchy of Needs: what is it?
  2. The information security problem that Threat Modeling at scale is solving.
  3. The Hierarchy of Needs for Threat Modeling.
  4. My advice for organizations at each stage of their Threat Modeling journey.

I do expect the reader to have a basic understanding of Threat Modeling and scaling it. If this is not the case, please go through the following articles first:

1. Maslow’s Hierarchy of Needs in a nutshell

Abraham Maslow’s theory on motivation is one of the most known and famous theories out there talking about why we, human beings, do what we do.

“ WHY do we do the things we are doing NOW? And with that, why are we NOT able to do the things within our full potential? ”

The model explains the different categories of human needs and the deepest levels of human motivation.

Human needs hierarchy

§  Physiological Needs:

It is important that basic conditions are met for humans to survive. These conditions include sufficient access to Food, Water, Air, Shelter, Sleep etc. In the event these conditions are not met, humans enter a survival mode of physiological nature. If one’s greatest motivation comes from this category in the model, we could compare life with that experienced by wild animals.

§  Safety Needs

This need stems from a desire to be in-control of our day-to-day activities and actions. By seeking order and predictability, humans create a control which invokes feelings of safety. Within this category of the model, you will mostly seek financial security (e.g., having employment), emotional security (e.g., having friends and family, or emotional support), and good health and well-being (e.g., preventing injuries, accidents, etc.).

§  Social Belonging

When our physiological and safety needs are met, humans feel the need to belong somewhere. Unconsciously or consciously, we will attach ourselves to social groups and may participate in social movements, such as hobbyist societies, group sports, or religious or political groups).

§  Self-esteem

In the category Self-esteem, humans are driven by the desire for admiration and respect from us and/or others around us. There is a strong need that our value, growth, knowledge, expertise gets validated.

§  Self-actualization

Here humans are fulfilling their true potential. We are less concerned with external validations and possess greater self-awareness when it comes to your body, mind, emotions, and energies. We are self-aware in the functioning of our body, mind, emotions, and energies. We are content with that what we are, and are not, doing. There is an ease in every cell in our body, we have broken our limitations, which were mostly set by ourselves, and we are living life as it is, in its original form.

Want to know more about Maslow’s model? I recommend visiting:

2. The information security problem that Threat Modeling at scale is solving

So why am I spending time thinking, executing, learning, leading, and writing about Threat Modeling? Like most of the security executives out there, I want to solve the information security problem. One of the highlights in my professional career is when I truly realized what Bruce Schneir said:

“If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology.” Bruce Schneir

I read it, heard about it many times before, but I only internalized this knowledge Bruce embarked into the world when working with Global IT Executives to set and drive the security agenda. Here some key observations of what the information security problem is that we are solving:

§  Un-seen digital growth - Our world has never been so digital as now. Everything is getting connected with each other while an unmatched number of devices consumes information. And this is the just the beginning of the digital, artificial intelligence area we are barking upon! This brings new known and unknown attack vectors to our attack surface! The one thing that is at the core of this new revolution: Software!

§  Un-parallel growth in software production – We are writing millions, if not billions of lines of code each day. All this is to expand and enhance our experience of the digital world. And with each line of code we write, there is yet another possibility of the creation of a security flaw.

§  Security automation is not there yet - while we are getting better at automating security checks and testing, we are far from the ideal state where we can automate a complete check on relevant security flaws. We still need humans to analyze software's context, identify true security flaws and discard many false positives from today’s security automation.

§  New strategies for the information security problem - There are two key reasons why CISOs are gently asking CIOs and CTOs that their (Dev)(Ops) engineers take full responsibility in solving this software security problem:

  1. There is a gigantic need for more security professionals across the globe. Executives will never be able to staff the needed Security Folks to go through all these lines of code to identify and fix security flaws.
  2. With the current and future speed of software production, and with the adoption of new promising development methodologies like DevOps, and technologies like the Cloud, it is far more efficient and effective to ask THOSE designing, writing and operating software, to identify and fix unwanted security flaws.

A smart strategy to cope with this security problem is to the Threat Modeling at the source of software creation.

“A straightforward and logical security strategy for battling information security risks is for (Dev)(Ops) engineers to do Threat Modeling.”

3. The Hierarchy of Needs for Threat Modeling

While going through the process of implementing Threat Modeling at scale, security executives will find themselves driven by the following 'Needs';

§  Physiological Needs

As a security executive you are expected explain how your organization is secured. Mostly you will set up and drive security projects and programs to improve your organization's security posture. Questions will arise from non-security executives on how your organization has secured specifics apps, infrastructure, and information flows. This is where you and your team will implicitly threat model the situation. It might also be an explicit threat modeling exercise where you establish what your organization is doing, what can go wrong (threats) and the measures to mitigate the threats. You will then identify gaps and relevant improvements.

This sort of implicit threat modeling exercises is executed because of ad-hoc security questions asked within your organization. Responding to these requests helps in understanding the basic security of your organization.

§  Safety Needs

There is a moment when the status quo is challenged for each security process. And this is the same for your security risk identification processes, especially when your organization is embarking on a cloud and DevOps journey. You are challenged to re-think your existing security risk identification process because they are hampering must-do transformations within your organization. Or your existing security risk identification process becomes obsolete, looking at the IT transformation your organization is going through. Conducting periodic risk assessments by the security teams before the application goes to production is not going to work in a DevOps & Cloud model. So naturally, to preserve your security risk profile, you will consider other ways of doing security risk identification, including Threat Modeling.

§  Social Belonging

You are in this phase when you start observing other organizations, your peers, and leading companies doing Threat Modeling at scale. The feeling creeps that you might be missing out on the norm, that they know something you don’t, and that they have found the solution to your struggling problems. So, you connect with them, talk to them about the scaling practices, and join forces to learn from each other. Conversations on the best Threat Modeling methodologies (e.g. STRIDE vs PASTA vs DREAD etc.) or automation tooling or completeness of the threat models are what keeps you occupied. And internally within your company, you are building alliances between Security and IT leaders to nurture Threat Modeling initiatives and build a circle where you want to belong to (or hope others want to belong).

§  Self-esteem

You are in this category when you actively talk about and promote Threat Modeling within and outside of your organization. You take the stage that vendors and partners provide, to talk about how you approached it, share good practices, warn about pitfalls, etc. You happily give and share insights with your peers and appreciate being positioned as Thought Leader on the matter, getting feedback and food for thoughts on how to improve even further. Internally, you will promote Threat Modeling as 'the way' to get security done and drive integrations of other security processes and instruments like scoping of penetration testing, demonstrating security (compliance), security monitoring of your applications and infrastructure. You are institutionalizing Threat Modeling within your organization.

§  Self-Actualization

You are in this stage when you know everything that is needed to know about how to scale threat modeling in the organization. You are confident about what it is and what it isn’t, what it brings on the table, limitations and challenges, and how to position it within your organization. Hence, it brings maximum value (actual plateau of productivity). You are in-sync with Threat Modeling’s true potential and feel fulfilled with that realization. With this realization, you further drive Threat Modeling within your organization and guide others to do so. In setting-up Threat Modeling at scale at any organization, you consciously switch between the different categories of the Hierarchy of Needs for Threat Modeling, and you do this with ease! You do what is needed at that moment to get your organization to scale Threat Modeling. You are a Guru in showing the path of scaling Threat Modeling.

4. My advice for organizations at each stage of their Threat Modeling journey

Now imagine that you are exploring an unknown territory. Let’s do this: imagine you want to sail to the other side of the world to find gold. So, you have a couple of options here.

  1. You can sail using your own experience, and with trial and error, you hope that one day you reach that place that has the gold. This might happen fast or can take forever - or may never happen.
  2. You can purchase a map and follow the map with the hope that you don’t take the wrong turns. There is a good chance you will get the gold, as there is a good chance you will take a few wrong turns.
  3. You can get a satellite GPS that will guide you through every stroke of the wind to get the gold fast and efficiently.

The choice is yours.

All the categories of the Hierarchy of Needs for Threat Modeling limits you to see and reason what is the best way to scale Threat Modeling. Except when you are Self-Actualized.

You might choose the first option and go sailing endlessly and not find the gold. The second option can be appealing. Or you go for the third option, getting a satellite GPS to sail the unknown territory.

If you decide to get your satellite GPS, there is a pool of Self-Actualized people who can guide you in this process nautical mile-by-nautical mile.

Self actualized

(*) Inner Engineers build themselves in such way that external factors do not influence their inner state.