In this chapter we walked through a process of architecture risk assessment (ARA) and threat modeling that begins with architecture, uses the concept of a credible attack vector (CAV) to identify attack types and attack surfaces, and then applies security controls, or “mitigations,” to build a defense-in-depth. As a mnemonic, we call this ATASM: “architecture, threat, attack surface, mitigation.” Each of these steps contains a series of sub-steps that when executed produce:

  • • A thorough understanding of the architecture from a security perspective
  • • A list of credible threats
  • • The set of likely attack methods
  • • The list of attack surfaces
  • • A set of security requirements that is specific to this system and its organization’s objectives

The attack surfaces and CAV can be considered the “threat model” of the system. However, as we found going through the process, we must start with the architecture and the results of a set of investigations that we bring to the analysis.

If possible, an ARA benefits from understanding the “3 S’s”: the strategy for the system, the structures that will support it, and the specifications of the underlying environments:

  • • Threat landscape
  • • Intended risk posture
  • • Existing and possible security controls
  • • Any existing security and infrastructure limitations
  • • Data-sensitivity classification
  • • Runtime and execution environments
  • • Deployment models

With this knowledge set in mind, the architecture is decomposed into attackable components and factored to reveal the defensible boundaries. Architecture decomposition and factoring have been discussed at some length in this chapter and in Chapter 3. The unit to use for atomicity, the granularity at which to decompose, is highly context dependent.

Moving from ultimate attack objectives to the system-level goals of specific attack methods, threats are analyzed and then the relevant ones are enumerated into a list. Those threats’ attack methods, now qualified for the system under consideration, are applied to the attack surfaces of the architecture to generate a set of CAVs.

Defenses are applied such that these specifically interrupt each CAV, as was discussed in the chapter on risk. Then, the entire set of defenses is considered as a set of overlapping, interlocking, and supporting defenses to build enough redundancy to create a defense-in-depth. The security requirements should be achievable, relevant, and “real world.”

ATASM has been presented as a series of linear steps. However, in practice, an assessment might proceed to requirements and uncover a previously unknown part of the system, thus returning to the architecture stage of the process. Ultimately, the goal of the ARA and threat model is to achieve a unity between security posture and intended risk tolerance, to achieve balance between defenses and resource limitations.


  • 1. Rosenquist, M. (Dec. 2009). Prioritizing Information Security Risks with hreat Agent Risk Assessment. IT@Intel White Paper. Intel Information Technology. Retrieved from Prioritizing_Info_Security_Risks_with_TARA.pdf
  • 2. Ibid.
  • 3. Open Web Application Security Project (OWASP). (2013). OWASP Top 10 List. Retrieved from
  • 4. Ibid.
  • 5. Ibid.
  • 6. Ibid.
< Prev   CONTENTS   Source   Next >