We hear a lot about risk assessment and threat modeling. Are they just two terms for the same thing, or are they different? In this brief article, we discuss the subtle differences between the two and show how the line between them is blurring.
What is the True Purpose of Risk Assessment?
Risk assessment encompasses several activities. According to the American Society of Safety Professionals, conducting a risk assessment consists of three major activities: risk identification, risk analysis and risk evaluation.
Risk identification is concerned with understanding the consequences and impacts of individual risks. Risk analysis is about prioritizing the risks based on those consequences and impacts. And risk evaluation is about answering these questions for each risk: Can we handle it? Do we need controls? If so, what might they be?
NIST takes it a step further by adding in their definition of risk assessment that “Part of risk management, incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place.”
So, while there is some mention of security controls from both sources, it seems as though the true purpose of risk assessment is risk tolerance. In other words, can we handle the risks we’ve identified or do we need to do something about it? Let’s contrast that with threat modeling.
What is the True Purpose of Threat Modeling?
To understand the true purpose of threat modeling, look no further than OWASP, the Open Web Application Security Project. OWASP is a nonprofit foundation that works to improve the security of software and has been spearheading the threat modeling movement since its inception.
From OWASP, “Threat modeling is a family of activities for improving security by identifying threats, and then defining countermeasures to prevent, or mitigate the effects of, threats to the system.”
Like risk assessment, threat modeling is also concerned with identifying and prioritizing threats. But its true purpose can be seen in the two words defining countermeasures. Whereas risk assessment answers the question “Do we need countermeasures?”, threat modeling defines those countermeasures when the answer is yes.
Overlap and Differences
We can see there is a great deal of overlap in the definition and activities of risk assessment and threat modeling. There are also two subtle differences, one of which was already addressed: considering counter measures vs. defining them. But there is one more.
At their core, risk assessment and threat modeling are both processes. Processes that should continue throughout the lifecycle of a system or application. But unlike risk assessment, which is almost entirely a human-driven activity, the cybersecurity industry has created automated tools for performing threat modeling, which eliminates much of the human input.
Perhaps the availability of automated threat modeling tools is a consequence of threat modeling’s purpose: to define mitigations. Automated threat modeling tools are good at identifying categories of threats and then creating libraries of mitigations to address those threats.
One good tool for doing so is ThreatModeler. ThreatModeler is really more of a platform than a tool and it automates much of the threat modeling process. Whether the application is on-premises, in a cloud or in multiple clouds, ThreatModeler enables true DevSecOps by providing automated, continuous visibility into flows in application design.
To learn more about ThreatModeler, reach out to the company here with your questions.