Creating a Generic Diagram of a Threat Model

View the original Working Session content


Preparation session

A model of threat modeling


  • Publish working draft
  • (DSL session: what should it be usable for)
  • Make model more cohesive
  • Extended and/or peer-review on slack
  • Extended by academia (?)


Are 4 questions sufficient?

Q1: System descriptionModel or Text?
-DSL would require some structure (e.g. (P)->(EE) )
-Model - Diagram - View - Viewpoint
-ISO 42010 (summary: http://www.iso-architecture.org/ieee-1471/cm/ - see notes below)
Q2: What can go wrong?Risk vs. Threat?
-- Synopsis
-- OWASP risk rating
-Firesmith - specifying reusable security requirements: http://www.jot.fm/issues/issue_2004_01/column6/
-Use of kill chain
-Meta language (to describe graphs, etc.)
Q3. MitigationFocus on mitigations
-At least mention 4 different steps/options
Q4. validationChecklist
-Formal model
-Context conditions

Summary of ISO 42010:

  • Model kind: conventions for a type of modelling. Examples of model kinds include data flow diagrams, class diagrams, Petri nets, balance sheets, organization charts and state transition models.
  • Architecture viewpoint: Work product establishing the conventions for the construction, interpretation and use of architecture views to frame specific system concerns
  • Architecture view: Work product expressing the architecture of a system from the perspective of specific system concerns
  • Architecture description AD: Work product used to express an architecture


Session organiser(s)


Attached materials: