There’s a difference between building a threat model and creating a threat modeling culture. To be sure one is part of the other, but to understand the difference requires an analogy.

Imagine threat modeling as bodybuilding. Building a threat model would be your morning weightlifting session. The threat modeling culture would be everything you do to win a body-building competition. That includes all your exercises, your diet, sleep habits, etc. In other words, in a threat modeling culture, threats are something you think about it constantly.

What Comprises a Threat Modeling Culture?

It starts by thinking about threats at the highest level of the enterprise. And thinking about threats not just in application development, but in everything you do.

Next comes creating a comfortable environment for asking questions. You know the old adage, there are no stupid questions. That’s even more applicable in a threat modeling culture, especially how it applies to novices. Without a threat modeling culture, newbies might be afraid to ask questions, when in reality, newbie questions have great value. They ask the questions the experts don’t think of. In a threat modeling culture, these questions are embraced.

And what are the questions being asked constantly in a threat modeling culture? What is of value? Who cares about it? What can I do to protect it?

One other aspect that comprises a threat modeling culture is no information silos. Information is shared freely. The result? More conversations, more incrementally. Questions and conversations occur throughout the whole lifecycle, rather than the end.

Why is it Important?

There are many reasons to institute a threat modeling culture but two really stand out. First is the way you address threats. Within the context of a threat modeling culture, you’re always thinking about threats a little. The payoff? You never have to think about them a lot. You address them incrementally, which is a more efficient (and stress-free) way to address them.

The second benefit to a threat modeling culture is all the conversations that do happen. Without them, assumptions will be made, which will drive poor decisions, and responsibilities will be offloaded. Threats will be addressed incorrectly or not at all. Open lines of communication are the key.

How do You Start?

Step one? Inventory your applications. Step two? Ask the three questions above. What is of value in those applications? Who cares about it? What can I do to protect it?

At the end of the day, you have to know what you’re protecting against threats. Threat modeling itself is a really simple formula: assets + adversaries + controls. A threat modeling culture is just that formula applied to everything in the organization.

The best part about adopting a threat modeling culture is the cost. The only real expense is the time spent thinking about it.

Signs it’s Working

While it would be nice to have a quantified ROI for the time invested in your threat modeling culture, that isn’t always practical. Why? Because it’s impossible to know precisely what chaos you avoided. It’s hard to measure the absence of crisis.

One of the often overlooked benefits of threat modeling is how it helps optimize your security spending. It helps you understand if you’re spending too little or too much. What a threat modeling culture can do is give you a solid feeling that what you spent was the right amount of money to avoid the threats you could. And that’s not too bad.

If you’d like to learn how ThreatModeler can contribute to your threat modeling culture, reach out to us here to start a conversation.