Threat Modeling Methodology: TRIKE

Threat Modeling Methodology: TRIKE

TRIKE is an open source threat modeling process focused on the security auditing process from a risk management and defense perspective. This risk-based approach looks at implementation, threats and risk models, meaning it ensures the assigned level of risk for each asset is acceptable to its stakeholders.

The purpose of this methodology is to ensure that the risk attributed to each asset is acceptable to all stakeholders. It also serves a purpose in being able to communicate its effects with stakeholders, as well as empower them to understand and reduce risks to their organization. This benefits users by enabling coordination and collaboration, through its built in prioritization of threat mitigation and automated components.

In addition, by using Data Flow Diagrams, illustrations are created for the flow of data, and the user is therefore able to perform actions within a system. TRIKE allows users to enumerate and assign a risk value, as well as create security controls or preventative measures to address threats. Due to this methodology requiring the team to understand the entire system, organizations can face difficulties when applying this process to large-scale systems.

The purposes of TRIKE¹

• To ensure that the risk this system entails to each asset is acceptable to all stakeholders
• To be able to communicate its effects to the stakeholders
• Empower stakeholders to understand and reduce the risks to them and other stakeholders implied by their actions within their domains

Some benefits of using TRIKE²

• Holistic approach: TRIKE provides a comprehensive framework that considers business, application, and technology layers, offering a more holistic view of security.
• Collaborative: coordination and collaboration across stakeholders via this conceptual framework.
• Aids prioritization: It contains built-in prioritization of threat mitigation and security controls or preventive measures are defined to address the threats.
• Ease of risk management: Threats are analyzed to enumerate and assign a risk value, allowing it to contribute to overall risk management.
• Visual Representation: Utilizes visual models to represent threat scenarios, making it easier for stakeholders to understand and engage in the threat modeling process.

Are there any limitations to TRIKE?

• Complexity: TRIKE can be more complex and may require a higher level of expertise compared to some other threat modeling methodologies. This may pose a challenge for less experienced teams.
• Resource intensive: conducting a thorough TRIKE analysis can be time-consuming. It could also require training to effectively implement.
• Alignment challenges: aligning security measures with business objectives can sometimes be challenging, particularly in organizations where there may be competing priorities.

Should I consider other Threat Modeling methodologies?

To learn more about other methodologies please visit Threat Modeling Methodologies.

Information Sources:

1. EC-Council, Cyber Threat Modeling eccouncil.org/threat-modeling

2. Software Engineering Institute, Threat Modeling: 12 Available Methods (2018) https://insights.sei.cmu.edu/blog/threat-modeling-12-available-methods/  

‍