
Which Threat Modeling Methodology is Best for Your Organization?

Learn how threat modeling and associated methodologies can improve the evaluation of cybersecurity threats, and provide actionable countermeasures


How to choose the right threat modeling methodology for your organization

Organizations are increasingly aware of the pressing need to bring threat modeling into their cyber security operations. In doing so, businesses can identify, understand and manage the threats they face, protecting them from the evolving threat landscape. 

However, while organizations are conscious of the need to threat model, it can be daunting to know where to begin. This is partly because of the range of threat modeling methodologies available: each takes a different approach and offers different benefits. The most common are STRIDE, OCTAVE, TRIKE and PASTA. Below we unpack these methodologies and how to assess which is right for your organization.

Some of the options for a methodology include:

STRIDE: useful for analyzing systems and networks if adopters have a strong understanding of their threats. 

OCTAVE: takes an operational approach as opposed to technological. Great for risk-focused teams. 

TRIKE: open source approach based upon defense outlooks and techniques.

PASTA: a scalable option for collaboration across technical and compliance teams, to consider the probability of attacks. 

Learn more about these below. 

Threat Modeling Methodologies

  • STRIDE

    STRIDE stands for Spoofing, Tampering, Repudiation, Information disclosure, Denial of service and Elevation of privilege. It was developed by Loren Kohnfelder and Praerit Garg in 1999 to identify potential vulnerabilities and threats to company products. Microsoft's STRIDE methodology aims to ensure that an application meets the security requirements of Confidentiality, Integrity, and Availability (CIA)...

    Read more about STRIDE

  • OCTAVE®

    OCTAVE stands for Operationally Critical Threat, Asset, and Vulnerability Evaluation. This methodology focuses on assessing organizational risks rather than technological ones: for example, how a data breach would affect the business's operations, rather than which system weakness allowed it.

    Read more about OCTAVE

  • TRIKE

    TRIKE is an open source threat modeling process focused on security auditing from a risk management and defense perspective. This risk-based approach builds implementation, threat and risk models, with the aim of ensuring that the level of risk assigned to each asset is acceptable to its stakeholders.

    Read more about TRIKE

  • PASTA

    The Process of Attack Simulation and Threat Analysis (PASTA) is a risk-centric threat modeling methodology co-created by VerSprite CEO Tony UcedaVélez and security leader Marco M. Morana. PASTA has the added benefit of scalability: it can scale up or down as required, which is ideal for growing businesses, and most other threat modeling frameworks can be mapped into it.

    Read more about PASTA

  • Additional methods

    Okay, so what isn't considered threat modeling?

    If you are new to threat modeling, you may not be entirely sure what it is - or isn't! Here we demystify some terms that are often confused with threat modeling.

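As an added illustration (not code from this page or from IriusRisk), the following Python enumerates STRIDE threats for each element of a small data-flow diagram and maps every category to the security property it attacks. It assumes Microsoft's STRIDE-per-element applicability chart, which the page does not spell out, and the sample diagram is constructed.

```python
from dataclasses import dataclass
from collections import Counter

# STRIDE category -> security property it violates. The page's "CIA" shows up as
# Confidentiality, Integrity and Availability; the other three are Microsoft's
# standard companions (authentication, non-repudiation, authorization).
STRIDE = {
    "S": ("Spoofing", "Authentication"),
    "T": ("Tampering", "Integrity"),
    "R": ("Repudiation", "Non-repudiation"),
    "I": ("Information disclosure", "Confidentiality"),
    "D": ("Denial of service", "Availability"),
    "E": ("Elevation of privilege", "Authorization"),
}

# Which categories apply to each data-flow-diagram element type
# (Microsoft's STRIDE-per-element chart; an assumption, not from the page).
APPLICABLE = {"external_entity": "SR", "process": "STRIDE",
              "data_store": "TRID", "data_flow": "TID"}

@dataclass(frozen=True)
class Element:
    name: str
    kind: str                          # key of APPLICABLE
    crosses_trust_boundary: bool = False

def enumerate_threats(elements):
    """Return (element, category, property) triples, boundary-crossing
    elements first, since that is where review usually starts."""
    ordered = sorted(elements, key=lambda e: not e.crosses_trust_boundary)
    return [(e.name, *STRIDE[c]) for e in ordered for c in APPLICABLE[e.kind]]

def property_coverage(threats):
    """Count how many enumerated threats bear on each security property."""
    return Counter(prop for _, _, prop in threats)

# Constructed sample DFD: browser -> web API -> orders database.
SAMPLE = [
    Element("Browser", "external_entity"),
    Element("Browser->API (HTTPS)", "data_flow", crosses_trust_boundary=True),
    Element("Web API", "process"),
    Element("API->DB (SQL)", "data_flow"),
    Element("Orders DB", "data_store"),
]

if __name__ == "__main__":
    for name, cat, prop in enumerate_threats(SAMPLE):
        print(f"{name:24} {cat:24} -> {prop}")
    print(property_coverage(enumerate_threats(SAMPLE)))
```

Each triple is a candidate threat to record and assign a countermeasure to; the coverage count shows at a glance which CIA property the diagram exposes most.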


No methodology? Perhaps you are unsure if you even need one.  

Finding the right threat modeling methodology requires a thorough assessment of an organization's needs: the size and type of the business, the potential risks it faces, and who within the organization will need to understand and operate the methodology. By following these steps and implementing the right methodology, whether it be STRIDE, OCTAVE Allegro, or none at all, companies can continue with normal business operations, confident that their assets are secure. If you're interested in understanding which threat modeling methodology will work best for your organization, get in touch with the IriusRisk team here: Talk to us

What are the benefits of IriusRisk Threat Modeling?

IriusRisk's platform automates the threat modeling process, enabling developers to design and build secure software at scale. IriusRisk is the industry leader in automated threat modeling and secure software design, working with clients that include four of the top 10 Global Systemically Important Banks (G-SIBs). By using IriusRisk, you can:

  • Generate a threat model within minutes
  • Identify threats to your product AND countermeasures
  • Avoid delays to deployment and speed up time-to-production
  • Save time, cost, and development rework
  • Ditch the PDFs and instantly identify areas for compliance
  • Create a culture of collaboration between security and development teams