While there is a great deal of overlap between threat assessment and threat modeling in terms of their ultimate objective, they differ in their scope.

As NIST is quick to point out, “The assessment process is an information-gathering activity, not a security- or privacy-producing activity.” OWASP, by contrast, states that “Threat modeling works to identify, communicate, and understand threats and mitigations within the context of protecting something of value.” The key differentiator between the two definitions is “mitigations”.

Threat Assessment

In some ways, threat assessment is more holistic than threat modeling. Where threat modeling tends to focus on system risks only, threat assessment can entail a larger scope. According to the Software Assurance Maturity Model, “The Threat Assessment (TA) practice focuses on identifying and understanding of project-level risks based on the functionality of the software being developed and characteristics of the runtime environment. From details about threats and likely attacks against each project, the organization as a whole operates more effectively through better decisions about prioritization of initiatives for security.”

Here we can see that threat assessment goes beyond the system to assess risks to the project itself. NIST goes so far as to detail what the information produced from the assessment can be used for. That list includes, among other things, the following:

  • Identify potential problems or shortfalls in the organization’s implementation of the Risk Management Framework.
  • Facilitate security authorization decisions, privacy authorization decisions, and ongoing authorization decisions.
  • Inform budgetary decisions and the capital investment process.

These are management and financial decisions, not system decisions. They are within the scope of a threat assessment and clearly outside the scope of threat modeling.

Threat Modeling

As previously mentioned, threat modeling is more of a technique for identifying and mitigating threats in a system or application, and not much beyond that. Again from OWASP, “Threat modeling is a family of activities for improving security by identifying threats, and then defining countermeasures to prevent, or mitigate the effects of, threats to the system. A threat is a potential or actual undesirable event that may be malicious (such as DoS attack) or incidental (failure of a Storage Device). Threat modeling is a planned activity for identifying and assessing application threats and vulnerabilities.”

Another area where threat modeling differs from threat assessment is in its frequency of application. For practical reasons, a Threat Assessment Plan is created and then updated periodically, perhaps every three or six months. Threat modeling, on the other hand, “is best applied continuously throughout a software development project.” In other words, threat assessment is a project, while threat modeling is an ongoing process.

Summary

So, which should you do: threat assessment or threat modeling? The answer is obvious. Both. The two do not replace one another. They complement each other.

If you’re not sure where to start with threat assessment, take a look at NIST Special Publication 800-53A. It takes a detailed look at assessing security and privacy controls. And if you’re not sure where to start with threat modeling—especially automated threat modeling—take a look at ThreatModeler.

FAQs About Threat Assessment vs Threat Modeling

What is the main difference between threat assessment and threat modeling?

Threat assessment is more holistic and focuses on project-level risks, while threat modeling is a technique for identifying and mitigating threats in a system or application.

What is the purpose of threat assessment according to NIST?

Threat assessment is an information-gathering activity used to identify potential problems, facilitate security and privacy decisions, and inform budgetary decisions and the capital investment process.

What is the primary focus of threat modeling?

Threat modeling works to identify, communicate, and understand threats and mitigations within the context of protecting something of value.

How does the Software Assurance Maturity Model define threat assessment?

The Threat Assessment (TA) practice focuses on identifying and understanding project-level risks based on the functionality of the software being developed and characteristics of the runtime environment.

What is the main differentiator between threat assessment and threat modeling according to OWASP?

The key differentiator is “mitigations,” as threat modeling works to identify and mitigate threats, whereas threat assessment is more focused on information gathering.

Is threat assessment or threat modeling more suitable for financial and management decisions?

Threat assessment is more suitable for financial and management decisions, as it can inform budgetary decisions and the capital investment process.

How often should threat assessment be updated?

A Threat Assessment Plan is created and then updated periodically, perhaps every three or six months.

When should threat modeling be applied?

Threat modeling is best applied continuously throughout a software development project.

Should organizations choose between threat assessment and threat modeling?

No, both threat assessment and threat modeling should be used, as they complement each other.

Where can I find resources for starting threat assessment and threat modeling?

For threat assessment, refer to NIST Special Publication 800-53A. For threat modeling, consider using ThreatModeler for automated threat modeling.