Threat Model
From Open Risk Manual
Latest revision as of 10:37, 14 October 2021
Definition
A Threat Model is a formal representation of the risk landscape faced by an individual or organization that explicitly focuses on risks that can be classified as threats.
Classification
- Attacker centric, focusing on Threat Actor identification and analysis
- Asset centric, focusing on Asset identification and analysis
- System centric
Examples
VERIS A4 Threat Model
A cyber incident is viewed as a series of events that adversely affects the information assets of an organization. The VERIS classification employs the A4 threat model[1]: every cyber incident comprises the following elements (the 4 A’s):
- Actors: Whose actions affected the asset?
- Threat Action: What actions affected the asset?
- Assets: Which assets were affected?
- Attributes: How was the asset affected?
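
The A4 decomposition above, applied to incident records, as an added example (it is not code from the Open Risk Manual or the VERIS project). The JSON key names and enumeration strings follow the public VERIS schema and are assumptions here; the three incidents are constructed.

```python
import json
from collections import Counter

# Top-level keys for the four A's (assumed from the public VERIS JSON schema).
A4_KEYS = ("actor", "action", "asset", "attribute")

# Constructed sample incidents, not real data.
SAMPLE = json.loads("""
[
  {"incident_id": "demo-1",
   "actor": {"external": {"variety": ["Organized crime"]}},
   "action": {"hacking": {"variety": ["Use of stolen creds"]}},
   "asset": {"assets": [{"variety": "S - Web application"}]},
   "attribute": {"confidentiality": {"data_disclosure": "Yes"}}},
  {"incident_id": "demo-2",
   "actor": {"internal": {"variety": ["End-user"]}},
   "action": {"error": {"variety": ["Misdelivery"]}},
   "asset": {"assets": [{"variety": "S - Mail"}, {"variety": "P - End-user"}]},
   "attribute": {"confidentiality": {}, "integrity": {}}},
  {"incident_id": "demo-3", "actor": {"external": {}}, "action": {},
   "asset": {"assets": []}}
]
""")

def a4_view(incident):
    """Reduce one record to its four A's; return (view, missing elements)."""
    assets = incident.get("asset", {}).get("assets", [])
    view = {
        "actor": sorted(incident.get("actor", {})),
        "action": sorted(incident.get("action", {})),
        "asset": sorted(a["variety"] for a in assets),
        "attribute": sorted(incident.get("attribute", {})),
    }
    missing = [k for k in A4_KEYS if not view[k]]
    return view, missing

def summarize(incidents):
    """Count actor/action pairs over complete records; list incomplete ones."""
    pairs, incomplete = Counter(), {}
    for inc in incidents:
        view, missing = a4_view(inc)
        if missing:  # a record lacking any of the four A's is not a full A4 incident
            incomplete[inc["incident_id"]] = missing
            continue
        for actor in view["actor"]:
            for action in view["action"]:
                pairs[(actor, action)] += 1
    return pairs, incomplete
```

Calling `summarize(SAMPLE)` returns the actor/action counts for the two complete records and flags `demo-3` with the elements it lacks.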
References
- [1] VERIS Incident Description