Although threat assessment and threat modeling overlap a great deal in their ultimate objective, they differ in scope.
As NIST is quick to point out, “The assessment process is an information-gathering activity, not a security- or privacy-producing activity.” OWASP, by contrast, states that “Threat modeling works to identify, communicate, and understand threats and mitigations within the context of protecting something of value.” The key differentiator here is “mitigations”: assessment gathers information, while modeling also produces countermeasures.
In some ways, threat assessment is more holistic than threat modeling. Where threat modeling tends to focus on system risks only, threat assessment can entail a larger scope. According to the Software Assurance Maturity Model, “The Threat Assessment (TA) practice focuses on identifying and understanding of project-level risks based on the functionality of the software being developed and characteristics of the runtime environment. From details about threats and likely attacks against each project, the organization as a whole operates more effectively through better decisions about prioritization of initiatives for security.”
Here we can see that threat assessment goes beyond the system to assess risks to the project itself. NIST goes so far as to detail what the information produced from the assessment can be used for. That list includes, among other things, the following:
- Identify potential problems or shortfalls in the organization’s implementation of the Risk Management Framework.
- Facilitate security authorization decisions, privacy authorization decisions, and ongoing authorization decisions.
- Inform budgetary decisions and the capital investment process.
These are management and financial decisions, not system decisions. They are within the scope of a threat assessment and clearly outside the scope of threat modeling.
As previously mentioned, threat modeling is more of a technique for identifying and mitigating threats in a system or application, and not much beyond that. Again from OWASP, “Threat modeling is a family of activities for improving security by identifying threats, and then defining countermeasures to prevent, or mitigate the effects of, threats to the system. A threat is a potential or actual undesirable event that may be malicious (such as DoS attack) or incidental (failure of a Storage Device). Threat modeling is a planned activity for identifying and assessing application threats and vulnerabilities.”
Another area where threat modeling differs from threat assessment is in how often it is applied. For practical reasons, a Threat Assessment Plan is created and then updated periodically, perhaps every three or six months. Threat modeling, on the other hand, “is best applied continuously throughout a software development project.” In other words, threat assessment is a project, while threat modeling is an ongoing process.
So, which should you do: threat assessment or threat modeling? The answer is obvious. Both. The two do not replace one another. They complement each other.
If you’re not sure where to start with threat assessment, take a look at NIST Special Publication 800-53A. It takes a detailed look into assessing security and privacy controls. And if you’re not sure where to start with threat modeling—especially automated threat modeling—take a look at ThreatModeler.