When making a threat model, you build a comprehensive list of the threats your system faces. STRIDE is a guide for finding those threats and categorising them. But once you have the list, the most important step comes next: working out the severity of the risk each threat poses to your business.
Assessing severity
When talking about severity, there is usually a scale to work from. Your organisation may already have one. If not, a good starting point is four levels: Low, Medium, High and Critical. Some teams prefer a more granular scale with six or seven levels.
Whatever you choose, ensure each level has a clear, fixed definition of what it means in practice. Impacts typically fall across several areas, such as financial, technological, customer, reputational and regulatory. For a threat to meet a given severity level, it only needs to meet the criteria in any one of those areas.
For example, a Critical technological impact might be defined as revenue-critical systems being down for 24 hours, with severity decreasing as the duration shortens.
Once you understand the risk level of each threat, you know which threats matter most and which controls to implement first.
Types of control
Controls are the mechanisms used to reduce the risks you have identified. They reduce risk by lowering the likelihood of an attack succeeding, reducing the impact if one does, or both.
There are three categories of control.
Preventative controls almost completely remove the risk. If a hacker can access a system through an open port, a preventative control is to close the port with a firewall.
Mitigating controls reduce the risk without fully preventing it. If a hacker might brute-force a password, requiring a stronger password makes the attack harder without stopping it entirely.
Detective and monitoring controls do not affect the attacker directly but alert you that an attack may be underway, giving you the opportunity to respond. A detective control that spots an attack in progress might let you reduce system access temporarily while business operations continue in a reduced state, limiting further damage.
Selecting and implementing controls
When identifying controls for each threat, three to six per threat is a reasonable target, though it is not always achievable; some threats will have more controls available than others.
Not every control needs to be implemented. Think of the list as a menu. Once you have all the options, you choose which controls best reduce the risk given your constraints. Controls you do not implement now can stay on the list in reserve, ready to be added if the risk picture changes.
As you implement controls, the risk level of each threat comes down. Every organisation has a tolerance for risk: a level below which you are comfortable accepting the remaining exposure. When each threat is at or below that tolerance, you have done the work for that system and can move on.
This makes threat modelling a practical tool not just for security teams but also for product owners and project managers. They can see a clear roadmap of controls work, understand which items matter most and make decisions about implementation given their other constraints.
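As an added illustration (not part of the original article), here is a small Python model of the process above: severity taken as the worst impact area, controls of the three kinds cutting likelihood or impact, and controls picked from the menu until the threat sits at or below tolerance. The numeric scales, the size of each control's reduction and the greedy selection are assumptions made for the example.

```python
from dataclasses import dataclass

# Article's severity scale; numeric weights are an assumption for scoring.
LEVEL = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}

@dataclass
class Control:
    name: str
    kind: str                # "preventative", "mitigating" or "detective"
    likelihood_cut: int = 0  # likelihood steps the control removes
    impact_cut: int = 0      # severity steps the control removes

@dataclass
class Threat:
    name: str
    likelihood: int          # 1 (rare) .. 4 (expected); assumed scale
    impacts: dict            # impact area -> level name

    def severity(self) -> int:
        # Meeting a level in any one impact area is enough, so take the worst.
        return max(LEVEL[v] for v in self.impacts.values())

    def residual_risk(self, controls) -> int:
        # Controls lower likelihood, impact or both; neither drops below 1.
        lik = max(1, self.likelihood - sum(c.likelihood_cut for c in controls))
        imp = max(1, self.severity() - sum(c.impact_cut for c in controls))
        return lik * imp

def select_controls(threat, menu, tolerance):
    """Greedily add the control that lowers residual risk most until the
    threat is at or below tolerance. Unused controls stay in reserve."""
    chosen, reserve = [], list(menu)
    while threat.residual_risk(chosen) > tolerance and reserve:
        best = min(reserve, key=lambda c: threat.residual_risk(chosen + [c]))
        if threat.residual_risk(chosen + [best]) >= threat.residual_risk(chosen):
            break  # nothing left on the menu reduces the risk further
        chosen.append(best)
        reserve.remove(best)
    return chosen, reserve

# Constructed example built from the article's own illustrations.
BRUTE_FORCE = Threat("Password brute force over an exposed port", likelihood=3,
                     impacts={"financial": "Medium", "technological": "Critical"})
MENU = [
    Control("Close the port at the firewall", "preventative", likelihood_cut=3),
    Control("Require stronger passwords", "mitigating", likelihood_cut=1),
    Control("Alert on failed-login bursts", "detective", impact_cut=1),
    Control("Rate-limit login attempts", "mitigating", likelihood_cut=1),
]
```

With tolerance 4 the firewall alone brings the threat from 12 to 4; without it on the menu, stronger passwords plus rate limiting are needed and the alerting control stays in reserve.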

Jonny founded Threatplane in 2017. With a background in offensive security, he has spent 15+ years helping organisations across defence, financial services, healthcare, and manufacturing understand and manage their technology risks.